WARNING in wiphy_register
38 views
Skip to first unread message
syzbot
Jan 13, 2018, 5:37:39 PM1/13/18
to da...@davemloft.net, joha...@sipsolutions.net, linux-...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzkaller hit the following crash on
c92a9a461dff6140c539c61e457aa97df29517d6
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8dd905...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
audit: type=1400 audit(1515870599.842:7): avc: denied { map } for
pid=3649 comm="syzkaller283614" path="/root/syzkaller283614583" dev="sda1"
ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
netlink: 'syzkaller283614': attribute type 9 has an invalid length.
WARNING: CPU: 1 PID: 3649 at net/wireless/core.c:549
wiphy_verify_combinations net/wireless/core.c:548 [inline]
WARNING: CPU: 1 PID: 3649 at net/wireless/core.c:549
wiphy_register+0xfc3/0x2050 net/wireless/core.c:728
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 3649 Comm: syzkaller283614 Not tainted 4.15.0-rc7+ #260
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
panic+0x1e4/0x41c kernel/panic.c:183
__warn+0x1dc/0x200 kernel/panic.c:547
report_bug+0x211/0x2d0 lib/bug.c:184
fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
fixup_bug arch/x86/kernel/traps.c:247 [inline]
do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1079
RIP: 0010:wiphy_verify_combinations net/wireless/core.c:548 [inline]
RIP: 0010:wiphy_register+0xfc3/0x2050 net/wireless/core.c:728
RSP: 0018:ffff8801bc307080 EFLAGS: 00010293
RAX: ffff8801bc19c040 RBX: 000000000000000c RCX: ffffffff8517dd33
RDX: 0000000000000000 RSI: ffff8801c2963246 RDI: ffff8801c2963230
RBP: ffff8801bc307200 R08: ffffed003852c115 R09: ffffed003852c115
R10: 0000000000000001 R11: ffffed003852c114 R12: ffff8801c2963234
R13: dffffc0000000000 R14: ffff8801c29608a0 R15: ffff8801c29608d0
ieee80211_register_hw+0x1162/0x3100 net/mac80211/main.c:1038
mac80211_hwsim_new_radio+0x1b2e/0x2b90
drivers/net/wireless/mac80211_hwsim.c:2700
hwsim_new_radio_nl+0x5b7/0x7c0 drivers/net/wireless/mac80211_hwsim.c:3152
genl_family_rcv_msg+0x7b7/0xfb0 net/netlink/genetlink.c:599
genl_rcv_msg+0xb2/0x140 net/netlink/genetlink.c:624
netlink_rcv_skb+0x224/0x470 net/netlink/af_netlink.c:2408
genl_rcv+0x28/0x40 net/netlink/genetlink.c:635
netlink_unicast_kernel net/netlink/af_netlink.c:1275 [inline]
netlink_unicast+0x4ee/0x700 net/netlink/af_netlink.c:1301
netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1864
sock_sendmsg_nosec net/socket.c:638 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:648
___sys_sendmsg+0x767/0x8b0 net/socket.c:2028
__sys_sendmsg+0xe5/0x210 net/socket.c:2062
SYSC_sendmsg net/socket.c:2073 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2069
entry_SYSCALL_64_fastpath+0x23/0x9a
RIP: 0033:0x43fd79
RSP: 002b:00007ffeea412a48 EFLAGS: 00000203 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd79
RDX: 0000000000000000 RSI: 0000000020b3dfc8 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000203 R12: 00000000004016e0
R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
syzkaller hit the following crash on
c92a9a461dff6140c539c61e457aa97df29517d6
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8dd905...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
audit: type=1400 audit(1515870599.842:7): avc: denied { map } for
pid=3649 comm="syzkaller283614" path="/root/syzkaller283614583" dev="sda1"
ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
netlink: 'syzkaller283614': attribute type 9 has an invalid length.
WARNING: CPU: 1 PID: 3649 at net/wireless/core.c:549
wiphy_verify_combinations net/wireless/core.c:548 [inline]
WARNING: CPU: 1 PID: 3649 at net/wireless/core.c:549
wiphy_register+0xfc3/0x2050 net/wireless/core.c:728
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 3649 Comm: syzkaller283614 Not tainted 4.15.0-rc7+ #260
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
panic+0x1e4/0x41c kernel/panic.c:183
__warn+0x1dc/0x200 kernel/panic.c:547
report_bug+0x211/0x2d0 lib/bug.c:184
fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
fixup_bug arch/x86/kernel/traps.c:247 [inline]
do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1079
RIP: 0010:wiphy_verify_combinations net/wireless/core.c:548 [inline]
RIP: 0010:wiphy_register+0xfc3/0x2050 net/wireless/core.c:728
RSP: 0018:ffff8801bc307080 EFLAGS: 00010293
RAX: ffff8801bc19c040 RBX: 000000000000000c RCX: ffffffff8517dd33
RDX: 0000000000000000 RSI: ffff8801c2963246 RDI: ffff8801c2963230
RBP: ffff8801bc307200 R08: ffffed003852c115 R09: ffffed003852c115
R10: 0000000000000001 R11: ffffed003852c114 R12: ffff8801c2963234
R13: dffffc0000000000 R14: ffff8801c29608a0 R15: ffff8801c29608d0
ieee80211_register_hw+0x1162/0x3100 net/mac80211/main.c:1038
mac80211_hwsim_new_radio+0x1b2e/0x2b90
drivers/net/wireless/mac80211_hwsim.c:2700
hwsim_new_radio_nl+0x5b7/0x7c0 drivers/net/wireless/mac80211_hwsim.c:3152
genl_family_rcv_msg+0x7b7/0xfb0 net/netlink/genetlink.c:599
genl_rcv_msg+0xb2/0x140 net/netlink/genetlink.c:624
netlink_rcv_skb+0x224/0x470 net/netlink/af_netlink.c:2408
genl_rcv+0x28/0x40 net/netlink/genetlink.c:635
netlink_unicast_kernel net/netlink/af_netlink.c:1275 [inline]
netlink_unicast+0x4ee/0x700 net/netlink/af_netlink.c:1301
netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1864
sock_sendmsg_nosec net/socket.c:638 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:648
___sys_sendmsg+0x767/0x8b0 net/socket.c:2028
__sys_sendmsg+0xe5/0x210 net/socket.c:2062
SYSC_sendmsg net/socket.c:2073 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2069
entry_SYSCALL_64_fastpath+0x23/0x9a
RIP: 0033:0x43fd79
RSP: 002b:00007ffeea412a48 EFLAGS: 00000203 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd79
RDX: 0000000000000000 RSI: 0000000020b3dfc8 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000203 R12: 00000000004016e0
R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
Johannes Berg
Jan 15, 2018, 3:22:48 AM1/15/18
to syzbot, da...@davemloft.net, linux-...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com
Hi syzbot maintainers,
Thanks for the report.
> hwsim_new_radio_nl+0x5b7/0x7c0 drivers/net/wireless/mac80211_hwsim.c:3152
> genl_family_rcv_msg+0x7b7/0xfb0 net/netlink/genetlink.c:599
> genl_rcv_msg+0xb2/0x140 net/netlink/genetlink.c:624
You're getting into the kernel via generic netlink receive, so just as
an FYI - the generic netlink numbers aren't stable across systems, so
your reproducer has a quite good chance of not working without your
kernel .config and (virt) hardware environment.
I'll take a look at this and the rfkill one, I assume that there are
some sanity checks missing in hwsim generic netlink when it builds a
radio struct.
However, I can't really promise that I'll be able to validate the
changes against your reproducer.
johannes
Thanks for the report.
> hwsim_new_radio_nl+0x5b7/0x7c0 drivers/net/wireless/mac80211_hwsim.c:3152
> genl_family_rcv_msg+0x7b7/0xfb0 net/netlink/genetlink.c:599
> genl_rcv_msg+0xb2/0x140 net/netlink/genetlink.c:624
an FYI - the generic netlink numbers aren't stable across systems, so
your reproducer has a quite good chance of not working without your
kernel .config and (virt) hardware environment.
I'll take a look at this and the rfkill one, I assume that there are
some sanity checks missing in hwsim generic netlink when it builds a
radio struct.
However, I can't really promise that I'll be able to validate the
changes against your reproducer.
johannes
Dmitry Vyukov
Jan 15, 2018, 4:00:44 AM1/15/18
to Johannes Berg, syzbot, David Miller, LKML, linux-w...@vger.kernel.org, netdev, syzkall...@googlegroups.com
On Mon, Jan 15, 2018 at 9:22 AM, Johannes Berg
<joha...@sipsolutions.net> wrote:
> Hi syzbot maintainers,
>
> Thanks for the report.
>
>> hwsim_new_radio_nl+0x5b7/0x7c0 drivers/net/wireless/mac80211_hwsim.c:3152
>> genl_family_rcv_msg+0x7b7/0xfb0 net/netlink/genetlink.c:599
>> genl_rcv_msg+0xb2/0x140 net/netlink/genetlink.c:624
>
> You're getting into the kernel via generic netlink receive, so just as
> an FYI - the generic netlink numbers aren't stable across systems, so
> your reproducer has a quite good chance of not working without your
> kernel .config and (virt) hardware environment.
Hi Johannes,
<joha...@sipsolutions.net> wrote:
> Hi syzbot maintainers,
>
> Thanks for the report.
>
>> hwsim_new_radio_nl+0x5b7/0x7c0 drivers/net/wireless/mac80211_hwsim.c:3152
>> genl_family_rcv_msg+0x7b7/0xfb0 net/netlink/genetlink.c:599
>> genl_rcv_msg+0xb2/0x140 net/netlink/genetlink.c:624
>
> You're getting into the kernel via generic netlink receive, so just as
> an FYI - the generic netlink numbers aren't stable across systems, so
> your reproducer has a quite good chance of not working without your
> kernel .config and (virt) hardware environment.
Thanks for the feeback.
syzbot tests within a net namespace (which is free of eth0 and other
stuff) and does setup of devices in that namespace. For bugs, it first
tries to reproduce them in that environment and if that succeeds it
tries to simplify the reproducer by stripping namespace/device setup
(which is quite verbose), and if that succeeds it provides this
simplified reproducer.
In this case it decided that namespace setup is not important. .config
is still important, but it is provided.
Are you able to reproduce the WARNING with the provided config? If
not, we can look as to how to improve this.
> I'll take a look at this and the rfkill one, I assume that there are
> some sanity checks missing in hwsim generic netlink when it builds a
> radio struct.
>
> However, I can't really promise that I'll be able to validate the
> changes against your reproducer.
>
> johannes
>
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/1516004561.410.3.camel%40sipsolutions.net.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages