Hello,
syzbot found the following crash on:
HEAD commit: 5424ea27390f netns: get more entropy from net_hash_mix()
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=128da088400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=befbcd7305e41bb0
dashboard link: https://syzkaller.appspot.com/bug?extid=faaee297fb2235dc339e
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
CC: [ak...@linux-foundation.org gre...@linuxfoundation.org hmcla...@fb.com j...@perches.com kste...@linuxfoundation.org linux-...@vger.kernel.org linu...@kvack.org mho...@suse.com tg...@linutronix.de]
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+faaee2...@syzkaller.appspotmail.com
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 1 PID: 22578 Comm: syz-executor6 Not tainted 4.18.0-rc1+ #87
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:smc_tx_prepared_sends+0x2c3/0x550 net/smc/smc_tx.h:27
Code: 48 89 f8 48 c1 e8 03 80 3c 10 00 0f 85 11 02 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 76 38 49 8d 7e 20 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e de 01 00 00 41 8b 46 20 49 8d
RSP: 0018:ffff8801a8ce7568 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 1ffff1003519ceaf RCX: dffffc0000000000
RDX: 0000000000000004 RSI: 1ffff1003519cebb RDI: 0000000000000020
RBP: ffff8801a8ce7740 R08: ffffed003519cebc R09: ffffed003519cebb
R10: ffffed003519cebb R11: ffff8801a8ce75df R12: ffff8801a8ce7718
R13: ffff8801a8ce75d8 R14: 0000000000000000 R15: ffff8801a8ce7598
FS:  00007f1b932f0700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000705414 CR3: 00000001c56b7000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 smc_ioctl+0xb11/0xd00 net/smc/af_smc.c:1515
 sock_do_ioctl+0xe4/0x3e0 net/socket.c:973
 sock_ioctl+0x30d/0x680 net/socket.c:1097
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a99
Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f1b932efc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f1b932f06d4 RCX: 0000000000455a99
RDX: 00000000200000c0 RSI: 000000000000894b RDI: 0000000000000016
RBP: 000000000072bf48 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004bfad1 R14: 00000000004cec88 R15: 0000000000000001
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace 0cdc902a3f8c13ae ]---
RIP: 0010:smc_tx_prepared_sends+0x2c3/0x550 net/smc/smc_tx.h:27
Code: 48 89 f8 48 c1 e8 03 80 3c 10 00 0f 85 11 02 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 76 38 49 8d 7e 20 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e de 01 00 00 41 8b 46 20 49 8d
RSP: 0018:ffff8801a8ce7568 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 1ffff1003519ceaf RCX: dffffc0000000000
RDX: 0000000000000004 RSI: 1ffff1003519cebb RDI: 0000000000000020
RBP: ffff8801a8ce7740 R08: ffffed003519cebc R09: ffffed003519cebb
R10: ffffed003519cebb R11: ffff8801a8ce75df R12: ffff8801a8ce7718
R13: ffff8801a8ce75d8 R14: 0000000000000000 R15: ffff8801a8ce7598
FS:  00007f1b932f0700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000705414 CR3: 00000001c56b7000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 22583 Comm: syz-executor5 Not tainted 4.18.0-rc1+ #87
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold.4+0xa/0x1a lib/fault-inject.c:149
 __should_failslab+0x124/0x180 mm/failslab.c:32
 should_failslab+0x9/0x14 mm/slab_common.c:1553
 slab_pre_alloc_hook mm/slab.h:423 [inline]
 slab_alloc_node mm/slab.c:3299 [inline]
 kmem_cache_alloc_node_trace+0x5a/0x770 mm/slab.c:3661
 __do_kmalloc_node mm/slab.c:3681 [inline]
 __kmalloc_node_track_caller+0x33/0x70 mm/slab.c:3696
 __kmalloc_reserve.isra.40+0x3a/0xe0 net/core/skbuff.c:137
 __alloc_skb+0x155/0x790 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:987 [inline]
 alloc_skb_with_frags+0x13f/0x770 net/core/skbuff.c:5266
 sock_alloc_send_pskb+0x89b/0xb10 net/core/sock.c:2095
 sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2112
 __ip6_append_data.isra.47+0x2134/0x3a20 net/ipv6/ip6_output.c:1420
 ip6_make_skb+0x397/0x600 net/ipv6/ip6_output.c:1776
 udpv6_sendmsg+0x2c90/0x35f0 net/ipv6/udp.c:1376
 inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:645 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:655
 sock_write_iter+0x362/0x5c0 net/socket.c:924
 call_write_iter include/linux/fs.h:1795 [inline]
 do_iter_readv_writev+0x897/0xa90 fs/read_write.c:680
 do_iter_write+0x185/0x5f0 fs/read_write.c:959
 vfs_writev+0x1f1/0x360 fs/read_write.c:1004
 do_writev+0x11a/0x310 fs/read_write.c:1039
 __do_sys_writev fs/read_write.c:1112 [inline]
 __se_sys_writev fs/read_write.c:1109 [inline]
 __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a99
Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f26d1062c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007f26d10636d4 RCX: 0000000000455a99
RDX: 0000000000000001 RSI: 00000000200000c0 RDI: 0000000000000013
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015
R13: 00000000004c06f3 R14: 00000000004d3e60 R15: 0000000000000001

kernel msg: ebtables bug: please report to author: Entries_size never zero
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.