general protection fault in skb_set_owner_w
8 views
Skip to first unread message
syzbot
May 29, 2020, 11:29:14 PM5/29/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 2d16cf48 Linux 4.19.125
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14afb191100000
kernel config: https://syzkaller.appspot.com/x/.config?x=60c13d6e8857c508
dashboard link: https://syzkaller.appspot.com/bug?extid=05f406211530f0bbd584
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+05f406...@syzkaller.appspotmail.com
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
(syz-executor.4,30977,0):ocfs2_fill_super:1023 ERROR: superblock probe failed!
(syz-executor.4,30977,0):ocfs2_fill_super:1225 ERROR: status = -22
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 30980 Comm: syz-executor.3 Not tainted 4.19.125-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:sk_fullsock include/net/sock.h:2453 [inline]
RIP: 0010:skb_set_owner_w+0xa8/0x340 net/core/sock.c:1843
Code: fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 4c 02 00 00 48 8d 7d 12 48 89 6b 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 f2 01 00 00
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
RSP: 0018:ffff888087356f88 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff88808f917040 RCX: ffffc9000c107000
RDX: 0000000000000002 RSI: ffffffff85957714 RDI: 0000000000000012
RBP: 0000000000000000 R08: ffff888095d5c180 R09: ffffed100c012da5
R10: ffffed100c012da4 R11: ffff888060096d23 R12: ffff88808f917058
R13: ffff88808f9170a0 R14: ffff88809219bdc0 R15: ffff888031dce718
FS: 00007f4b3ca16700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000078c000 CR3: 000000009fc10000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
sctp_packet_transmit+0x31e/0x3360 net/sctp/output.c:589
sctp_outq_flush_transports net/sctp/outqueue.c:1165 [inline]
sctp_outq_flush+0x2b2/0x2350 net/sctp/outqueue.c:1213
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1807 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline]
sctp_do_sm+0x4d6/0x4ed0 net/sctp/sm_sideeffect.c:1170
sctp_assoc_bh_rcv+0x345/0x660 net/sctp/associola.c:1073
sctp_inq_push+0x1da/0x270 net/sctp/inqueue.c:95
sctp_backlog_rcv+0x1e6/0x11b0 net/sctp/input.c:356
sk_backlog_rcv include/net/sock.h:946 [inline]
__release_sock+0x134/0x3a0 net/core/sock.c:2342
release_sock+0x54/0x1c0 net/core/sock.c:2858
sctp_wait_for_connect+0x2ed/0x4f0 net/sctp/socket.c:8632
sctp_sendmsg_to_asoc+0x128c/0x1640 net/sctp/socket.c:1986
sctp_sendmsg+0xf60/0x15d0 net/sctp/socket.c:2132
inet_sendmsg+0x12e/0x590 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xc3/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45ca69
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4b3ca15c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004fc7c0 RCX: 000000000045ca69
RDX: 0000000000000000 RSI: 000000002001afc8 RDI: 0000000000000003
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000008e5 R14: 00000000004cbad3 R15: 00007f4b3ca166d4
Modules linked in:
---[ end trace 7acee12cb46b4b6c ]---
RIP: 0010:sk_fullsock include/net/sock.h:2453 [inline]
RIP: 0010:skb_set_owner_w+0xa8/0x340 net/core/sock.c:1843
Code: fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 4c 02 00 00 48 8d 7d 12 48 89 6b 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 f2 01 00 00
RSP: 0018:ffff888087356f88 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff88808f917040 RCX: ffffc9000c107000
RDX: 0000000000000002 RSI: ffffffff85957714 RDI: 0000000000000012
RBP: 0000000000000000 R08: ffff888095d5c180 R09: ffffed100c012da5
R10: ffffed100c012da4 R11: ffff888060096d23 R12: ffff88808f917058
R13: ffff88808f9170a0 R14: ffff88809219bdc0 R15: ffff888031dce718
kasan: CONFIG_KASAN_INLINE enabled
FS: 00007f4b3ca16700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
kasan: GPF could be caused by NULL-ptr deref or user memory access
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
general protection fault: 0000 [#2] PREEMPT SMP KASAN
CR2: 00005631c98ba918 CR3: 000000009fc10000 CR4: 00000000001406f0
CPU: 1 PID: 12013 Comm: kworker/u4:7 Tainted: G D 4.19.125-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
RIP: 0010:batadv_iv_ogm_aggr_packet net/batman-adv/bat_iv_ogm.c:511 [inline]
RIP: 0010:batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:538 [inline]
RIP: 0010:batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:604 [inline]
RIP: 0010:batadv_iv_send_outstanding_bat_ogm_packet+0x408/0x7a0 net/batman-adv/bat_iv_ogm.c:1857
Code: 24 3b 00 48 89 44 24 30 48 89 cd 4c 89 74 24 20 e8 3d e3 68 fa 48 8d 7d 16 48 b9 00 00 00 00 00 fc ff df 48 89 f8 48 c1 e8 03 <0f> b6 14 08 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 4d
RSP: 0018:ffff888058227ce0 EFLAGS: 00010203
RAX: 0000000000000002 RBX: ffff88802f6ba948 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: ffffffff86fea793 RDI: 0000000000000016
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 2d16cf48 Linux 4.19.125
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14afb191100000
kernel config: https://syzkaller.appspot.com/x/.config?x=60c13d6e8857c508
dashboard link: https://syzkaller.appspot.com/bug?extid=05f406211530f0bbd584
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+05f406...@syzkaller.appspotmail.com
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
(syz-executor.4,30977,0):ocfs2_fill_super:1023 ERROR: superblock probe failed!
(syz-executor.4,30977,0):ocfs2_fill_super:1225 ERROR: status = -22
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 30980 Comm: syz-executor.3 Not tainted 4.19.125-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:sk_fullsock include/net/sock.h:2453 [inline]
RIP: 0010:skb_set_owner_w+0xa8/0x340 net/core/sock.c:1843
Code: fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 4c 02 00 00 48 8d 7d 12 48 89 6b 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 f2 01 00 00
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'.
RSP: 0018:ffff888087356f88 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff88808f917040 RCX: ffffc9000c107000
RDX: 0000000000000002 RSI: ffffffff85957714 RDI: 0000000000000012
RBP: 0000000000000000 R08: ffff888095d5c180 R09: ffffed100c012da5
R10: ffffed100c012da4 R11: ffff888060096d23 R12: ffff88808f917058
R13: ffff88808f9170a0 R14: ffff88809219bdc0 R15: ffff888031dce718
FS: 00007f4b3ca16700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000078c000 CR3: 000000009fc10000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
sctp_packet_transmit+0x31e/0x3360 net/sctp/output.c:589
sctp_outq_flush_transports net/sctp/outqueue.c:1165 [inline]
sctp_outq_flush+0x2b2/0x2350 net/sctp/outqueue.c:1213
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1807 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline]
sctp_do_sm+0x4d6/0x4ed0 net/sctp/sm_sideeffect.c:1170
sctp_assoc_bh_rcv+0x345/0x660 net/sctp/associola.c:1073
sctp_inq_push+0x1da/0x270 net/sctp/inqueue.c:95
sctp_backlog_rcv+0x1e6/0x11b0 net/sctp/input.c:356
sk_backlog_rcv include/net/sock.h:946 [inline]
__release_sock+0x134/0x3a0 net/core/sock.c:2342
release_sock+0x54/0x1c0 net/core/sock.c:2858
sctp_wait_for_connect+0x2ed/0x4f0 net/sctp/socket.c:8632
sctp_sendmsg_to_asoc+0x128c/0x1640 net/sctp/socket.c:1986
sctp_sendmsg+0xf60/0x15d0 net/sctp/socket.c:2132
inet_sendmsg+0x12e/0x590 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xc3/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45ca69
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4b3ca15c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004fc7c0 RCX: 000000000045ca69
RDX: 0000000000000000 RSI: 000000002001afc8 RDI: 0000000000000003
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000008e5 R14: 00000000004cbad3 R15: 00007f4b3ca166d4
Modules linked in:
---[ end trace 7acee12cb46b4b6c ]---
RIP: 0010:sk_fullsock include/net/sock.h:2453 [inline]
RIP: 0010:skb_set_owner_w+0xa8/0x340 net/core/sock.c:1843
Code: fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 4c 02 00 00 48 8d 7d 12 48 89 6b 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 f2 01 00 00
RSP: 0018:ffff888087356f88 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff88808f917040 RCX: ffffc9000c107000
RDX: 0000000000000002 RSI: ffffffff85957714 RDI: 0000000000000012
RBP: 0000000000000000 R08: ffff888095d5c180 R09: ffffed100c012da5
R10: ffffed100c012da4 R11: ffff888060096d23 R12: ffff88808f917058
R13: ffff88808f9170a0 R14: ffff88809219bdc0 R15: ffff888031dce718
kasan: CONFIG_KASAN_INLINE enabled
FS: 00007f4b3ca16700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
kasan: GPF could be caused by NULL-ptr deref or user memory access
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
general protection fault: 0000 [#2] PREEMPT SMP KASAN
CR2: 00005631c98ba918 CR3: 000000009fc10000 CR4: 00000000001406f0
CPU: 1 PID: 12013 Comm: kworker/u4:7 Tainted: G D 4.19.125-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
RIP: 0010:batadv_iv_ogm_aggr_packet net/batman-adv/bat_iv_ogm.c:511 [inline]
RIP: 0010:batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:538 [inline]
RIP: 0010:batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:604 [inline]
RIP: 0010:batadv_iv_send_outstanding_bat_ogm_packet+0x408/0x7a0 net/batman-adv/bat_iv_ogm.c:1857
Code: 24 3b 00 48 89 44 24 30 48 89 cd 4c 89 74 24 20 e8 3d e3 68 fa 48 8d 7d 16 48 b9 00 00 00 00 00 fc ff df 48 89 f8 48 c1 e8 03 <0f> b6 14 08 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 4d
RSP: 0018:ffff888058227ce0 EFLAGS: 00010203
RAX: 0000000000000002 RBX: ffff88802f6ba948 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: ffffffff86fea793 RDI: 0000000000000016
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Sep 26, 2020, 11:29:14 PM9/26/20
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages