general protection fault in ipv6_chk_acast_dev
6 views
Skip to first unread message
syzbot
Apr 10, 2020, 10:55:15 AM4/10/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 4520f06b Linux 4.14.175
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16c10b2be00000
kernel config: https://syzkaller.appspot.com/x/.config?x=93cf891381c0c347
dashboard link: https://syzkaller.appspot.com/bug?extid=3624b6c6a4cd95b74d8a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3624b6...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 28793 Comm: syz-executor.0 Not tainted 4.14.175-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8882130fc340 task.stack: ffff888203968000
RIP: 0010:__read_once_size include/linux/compiler.h:183 [inline]
RIP: 0010:__in6_dev_get include/net/addrconf.h:302 [inline]
RIP: 0010:ipv6_chk_acast_dev+0x2d/0x230 net/ipv6/anycast.c:375
kasan: CONFIG_KASAN_INLINE enabled
RSP: 0018:ffff88820396f240 EFLAGS: 00010206
kasan: GPF could be caused by NULL-ptr deref or user memory access
RAX: dffffc0000000000 RBX: ffffffffffffffb0 RCX: ffffc90005a88000
RDX: 000000000000005c RSI: ffffffff856e8725 RDI: 00000000000002e0
RBP: ffff8882012a8066 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880510141b8
R13: dffffc0000000000 R14: ffff888051014040 R15: ffff8880a59e8404
FS: 00007f8d5d9eb700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000480 CR3: 0000000211a71000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ipv6_chk_acast_addr+0x143/0x1f0 net/ipv6/anycast.c:400
icmp6_send+0x966/0x1ea0 net/ipv6/icmp.c:458
icmpv6_send+0xa6/0x1a0 net/ipv6/ip6_icmp.c:43
ip6_pkt_drop+0x15e/0x410 net/ipv6/route.c:2755
dst_input include/net/dst.h:468 [inline]
ip6_rcv_finish+0x23b/0x790 net/ipv6/ip6_input.c:71
NF_HOOK include/linux/netfilter.h:250 [inline]
NF_HOOK include/linux/netfilter.h:244 [inline]
ipv6_rcv+0xe5c/0x1c30 net/ipv6/ip6_input.c:218
__netif_receive_skb_core+0x1e50/0x2c00 net/core/dev.c:4477
__netif_receive_skb+0x27/0x1a0 net/core/dev.c:4515
netif_receive_skb_internal+0xd7/0x580 net/core/dev.c:4588
tun_rx_batched.isra.0+0x46c/0x7a0 drivers/net/tun.c:1221
tun_get_user+0xcde/0x3880 drivers/net/tun.c:1581
tun_chr_write_iter+0xcf/0x179 drivers/net/tun.c:1608
call_write_iter include/linux/fs.h:1778 [inline]
do_iter_readv_writev+0x3df/0x600 fs/read_write.c:675
do_iter_write fs/read_write.c:954 [inline]
do_iter_write+0x152/0x550 fs/read_write.c:935
vfs_writev+0x170/0x2a0 fs/read_write.c:999
do_writev+0xfc/0x2c0 fs/read_write.c:1034
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45c741
RSP: 002b:00007f8d5d9eabc0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 000000000000004e RCX: 000000000045c741
RDX: 0000000000000001 RSI: 00007f8d5d9eabf0 RDI: 00000000000000f0
RBP: 0000000020000480 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000829 R11: 0000000000000293 R12: 00000000ffffffff
R13: 0000000000000bb0 R14: 00000000004cdda9 R15: 000000000076bf0c
Code: 41 56 41 55 41 54 55 48 89 f5 53 48 89 fb e8 7b bf eb fb 48 8d bb 30 03 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 ec 01 00 00 48 8b 9b 30 03 00 00 e8 bd 6c dc
RIP: __read_once_size include/linux/compiler.h:183 [inline] RSP: ffff88820396f240
RIP: __in6_dev_get include/net/addrconf.h:302 [inline] RSP: ffff88820396f240
RIP: ipv6_chk_acast_dev+0x2d/0x230 net/ipv6/anycast.c:375 RSP: ffff88820396f240
general protection fault: 0000 [#2] PREEMPT SMP KASAN
---[ end trace 72e6bf7fb075de40 ]---
Modules linked in:
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 4520f06b Linux 4.14.175
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16c10b2be00000
kernel config: https://syzkaller.appspot.com/x/.config?x=93cf891381c0c347
dashboard link: https://syzkaller.appspot.com/bug?extid=3624b6c6a4cd95b74d8a
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3624b6...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 28793 Comm: syz-executor.0 Not tainted 4.14.175-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8882130fc340 task.stack: ffff888203968000
RIP: 0010:__read_once_size include/linux/compiler.h:183 [inline]
RIP: 0010:__in6_dev_get include/net/addrconf.h:302 [inline]
RIP: 0010:ipv6_chk_acast_dev+0x2d/0x230 net/ipv6/anycast.c:375
kasan: CONFIG_KASAN_INLINE enabled
RSP: 0018:ffff88820396f240 EFLAGS: 00010206
kasan: GPF could be caused by NULL-ptr deref or user memory access
RAX: dffffc0000000000 RBX: ffffffffffffffb0 RCX: ffffc90005a88000
RDX: 000000000000005c RSI: ffffffff856e8725 RDI: 00000000000002e0
RBP: ffff8882012a8066 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880510141b8
R13: dffffc0000000000 R14: ffff888051014040 R15: ffff8880a59e8404
FS: 00007f8d5d9eb700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000480 CR3: 0000000211a71000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ipv6_chk_acast_addr+0x143/0x1f0 net/ipv6/anycast.c:400
icmp6_send+0x966/0x1ea0 net/ipv6/icmp.c:458
icmpv6_send+0xa6/0x1a0 net/ipv6/ip6_icmp.c:43
ip6_pkt_drop+0x15e/0x410 net/ipv6/route.c:2755
dst_input include/net/dst.h:468 [inline]
ip6_rcv_finish+0x23b/0x790 net/ipv6/ip6_input.c:71
NF_HOOK include/linux/netfilter.h:250 [inline]
NF_HOOK include/linux/netfilter.h:244 [inline]
ipv6_rcv+0xe5c/0x1c30 net/ipv6/ip6_input.c:218
__netif_receive_skb_core+0x1e50/0x2c00 net/core/dev.c:4477
__netif_receive_skb+0x27/0x1a0 net/core/dev.c:4515
netif_receive_skb_internal+0xd7/0x580 net/core/dev.c:4588
tun_rx_batched.isra.0+0x46c/0x7a0 drivers/net/tun.c:1221
tun_get_user+0xcde/0x3880 drivers/net/tun.c:1581
tun_chr_write_iter+0xcf/0x179 drivers/net/tun.c:1608
call_write_iter include/linux/fs.h:1778 [inline]
do_iter_readv_writev+0x3df/0x600 fs/read_write.c:675
do_iter_write fs/read_write.c:954 [inline]
do_iter_write+0x152/0x550 fs/read_write.c:935
vfs_writev+0x170/0x2a0 fs/read_write.c:999
do_writev+0xfc/0x2c0 fs/read_write.c:1034
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45c741
RSP: 002b:00007f8d5d9eabc0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 000000000000004e RCX: 000000000045c741
RDX: 0000000000000001 RSI: 00007f8d5d9eabf0 RDI: 00000000000000f0
RBP: 0000000020000480 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000829 R11: 0000000000000293 R12: 00000000ffffffff
R13: 0000000000000bb0 R14: 00000000004cdda9 R15: 000000000076bf0c
Code: 41 56 41 55 41 54 55 48 89 f5 53 48 89 fb e8 7b bf eb fb 48 8d bb 30 03 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 ec 01 00 00 48 8b 9b 30 03 00 00 e8 bd 6c dc
RIP: __read_once_size include/linux/compiler.h:183 [inline] RSP: ffff88820396f240
RIP: __in6_dev_get include/net/addrconf.h:302 [inline] RSP: ffff88820396f240
RIP: ipv6_chk_acast_dev+0x2d/0x230 net/ipv6/anycast.c:375 RSP: ffff88820396f240
general protection fault: 0000 [#2] PREEMPT SMP KASAN
---[ end trace 72e6bf7fb075de40 ]---
Modules linked in:
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Sep 30, 2020, 2:53:17 AM9/30/20
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages