kernel BUG in ip6_mc_hdr

syzbot

Nov 30, 2022, 12:44:37 PM11/30/22
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1776af53880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=14cc0480d2fb8d135f2f
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+14cc04...@syzkaller.appspotmail.com

skbuff: skb_over_panic: text:0000000010c1e234 len:40 put:40 head:0000000024a85e38 data:0000000095f9f409 tail:0x128 end:0xc0 dev:ip6erspan0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:104!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 11840 Comm: syz-executor.2 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:skb_panic+0x172/0x174 net/core/skbuff.c:104
Code: 4c 24 10 8b 8b 80 00 00 00 41 56 45 89 e8 4c 89 e2 41 57 48 89 ee 48 c7 c7 60 4f 4c 89 ff 74 24 10 ff 74 24 20 e8 f1 18 e2 ff <0f> 0b e8 7f e7 50 f9 4c 8b 64 24 18 e8 c5 aa 86 f9 48 c7 c1 c0 58
RSP: 0018:ffff8880ba107940 EFLAGS: 00010282
RAX: 000000000000008a RBX: ffff88809e6ffcc0 RCX: 0000000000000000
RDX: 0000000000000100 RSI: ffffffff814dff01 RDI: ffffed1017420f1a
RBP: ffffffff894c5900 R08: 000000000000008a R09: 0000000000000000
R10: 0000000000000005 R11: 0000000000000000 R12: ffffffff870ddb3f
R13: 0000000000000028 R14: ffff888092b6ae80 R15: 00000000000000c0
FS: 0000555556646400(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd03faee6be CR3: 000000004162c000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
skb_over_panic net/core/skbuff.c:109 [inline]
skb_put.cold+0x24/0x24 net/core/skbuff.c:1711
ip6_mc_hdr.constprop.0+0x11f/0x5a0 net/ipv6/mcast.c:1578
mld_newpack+0x3d0/0x760 net/ipv6/mcast.c:1626
add_grhead+0x265/0x330 net/ipv6/mcast.c:1712
add_grec+0xe3c/0x10b0 net/ipv6/mcast.c:1843
mld_send_cr net/ipv6/mcast.c:1969 [inline]
mld_ifc_timer_expire+0x5a2/0xdf0 net/ipv6/mcast.c:2476
call_timer_fn+0x177/0x700 kernel/time/timer.c:1338
expire_timers+0x243/0x4e0 kernel/time/timer.c:1375
__run_timers kernel/time/timer.c:1696 [inline]
run_timer_softirq+0x21c/0x670 kernel/time/timer.c:1709
__do_softirq+0x265/0x980 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:372 [inline]
irq_exit+0x215/0x260 kernel/softirq.c:412
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x136/0x550 arch/x86/kernel/apic/apic.c:1098
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
</IRQ>
RIP: 0010:compound_head include/linux/page-flags.h:144 [inline]
RIP: 0010:get_page include/linux/mm.h:931 [inline]
RIP: 0010:copy_one_pte mm/memory.c:1052 [inline]
RIP: 0010:copy_pte_range mm/memory.c:1114 [inline]
RIP: 0010:copy_pmd_range mm/memory.c:1165 [inline]
RIP: 0010:copy_pud_range mm/memory.c:1199 [inline]
RIP: 0010:copy_p4d_range mm/memory.c:1221 [inline]
RIP: 0010:copy_page_range+0x101c/0x2ff0 mm/memory.c:1283
Code: 85 c0 49 89 c6 0f 84 69 06 00 00 e8 de 12 d6 ff 4d 8d 7e 08 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 a1 19 00 00 49 8b 46 08 <31> ff 4c 89 f5 49 89 c4 48 89 84 24 e8 00 00 00 41 83 e4 01 4c 89
ieee802154 phy0 wpan0: encryption failed: -22
RSP: 0018:ffff888091657a28 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: dead000000000100 RBX: 0000000000000010 RCX: ffffffff818b840c
RDX: 0000000000000000 RSI: ffffffff818c7292 RDI: 0000000000000006
RBP: 80000000a0f92007 R08: 0000000000000001 R09: 000000000023ffff
R10: 0000000000000006 R11: 00000000d2cc1d79 R12: 8000000000000007
R13: dffffc0000000000 R14: ffffea000283e480 R15: ffffea000283e488
ieee802154 phy1 wpan1: encryption failed: -22
dup_mmap kernel/fork.c:549 [inline]
dup_mm kernel/fork.c:1285 [inline]
copy_mm kernel/fork.c:1341 [inline]
copy_process.part.0+0x5b22/0x8260 kernel/fork.c:1913
copy_process kernel/fork.c:1710 [inline]
_do_fork+0x22f/0xf30 kernel/fork.c:2219
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fd03eea2e0b
Code: ed 0f 85 60 01 00 00 64 4c 8b 0c 25 10 00 00 00 45 31 c0 4d 8d 91 d0 02 00 00 31 d2 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 89 00 00 00 41 89 c5 85 c0 0f 85 90 00 00
RSP: 002b:00007ffdf92f72e0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd03eea2e0b
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000555556646400
R10: 00005555566466d0 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000001 R15: 00007ffdf92f73c0
Modules linked in:
---[ end trace 55f51a3515faab32 ]---
RIP: 0010:skb_panic+0x172/0x174 net/core/skbuff.c:104
Code: 4c 24 10 8b 8b 80 00 00 00 41 56 45 89 e8 4c 89 e2 41 57 48 89 ee 48 c7 c7 60 4f 4c 89 ff 74 24 10 ff 74 24 20 e8 f1 18 e2 ff <0f> 0b e8 7f e7 50 f9 4c 8b 64 24 18 e8 c5 aa 86 f9 48 c7 c1 c0 58
RSP: 0018:ffff8880ba107940 EFLAGS: 00010282
RAX: 000000000000008a RBX: ffff88809e6ffcc0 RCX: 0000000000000000
RDX: 0000000000000100 RSI: ffffffff814dff01 RDI: ffffed1017420f1a
RBP: ffffffff894c5900 R08: 000000000000008a R09: 0000000000000000
R10: 0000000000000005 R11: 0000000000000000 R12: ffffffff870ddb3f
R13: 0000000000000028 R14: ffff888092b6ae80 R15: 00000000000000c0
FS: 0000555556646400(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd03faee6be CR3: 000000004162c000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 85 c0 test %eax,%eax
2: 49 89 c6 mov %rax,%r14
5: 0f 84 69 06 00 00 je 0x674
b: e8 de 12 d6 ff callq 0xffd612ee
10: 4d 8d 7e 08 lea 0x8(%r14),%r15
14: 4c 89 f8 mov %r15,%rax
17: 48 c1 e8 03 shr $0x3,%rax
1b: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
20: 0f 85 a1 19 00 00 jne 0x19c7
26: 49 8b 46 08 mov 0x8(%r14),%rax
* 2a: 31 ff xor %edi,%edi <-- trapping instruction
2c: 4c 89 f5 mov %r14,%rbp
2f: 49 89 c4 mov %rax,%r12
32: 48 89 84 24 e8 00 00 mov %rax,0xe8(%rsp)
39: 00
3a: 41 83 e4 01 and $0x1,%r12d
3e: 4c rex.WR
3f: 89 .byte 0x89


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.