[Android 5.10] kernel BUG in vlan_get_protocol_dgram
4 views
Skip to first unread message
syzbot
Sep 18, 2024, 10:58:33 PM9/18/24
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 8d23314f588a Merge 5.10.225 into android13-5.10-lts
git tree: android13-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=14d4a4a9980000
kernel config: https://syzkaller.appspot.com/x/.config?x=889d6bbfedaebd06
dashboard link: https://syzkaller.appspot.com/bug?extid=f463da0823e4a4db9763
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12d4a4a9980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=174aa69f980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/09c1893905da/disk-8d23314f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5294d841c477/vmlinux-8d23314f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a9c3f12eb021/bzImage-8d23314f.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f463da...@syzkaller.appspotmail.com
skbuff: skb_under_panic: text:ffffffff843e0a63 len:29 put:14 head:ffff888120152c00 data:ffff888120152bf4 tail:0x11 end:0x80 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:111!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 347 Comm: syz-executor326 Not tainted 5.10.225-syzkaller-00513-g8d23314f588a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:skb_panic net/core/skbuff.c:111 [inline]
RIP: 0010:skb_under_panic+0x14c/0x150 net/core/skbuff.c:121
Code: c0 e8 8d 85 48 c7 c6 5d d8 d8 85 48 8b 55 c0 8b 4d d4 44 8b 45 d0 4c 8b 4d c8 53 41 55 41 54 41 57 e8 2e 29 ed 00 48 83 c4 20 <0f> 0b 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 41 89 f6 49 89
RSP: 0018:ffffc90000c376b0 EFLAGS: 00010282
RAX: 0000000000000086 RBX: ffffffff858de940 RCX: 4d4a0bba1b312700
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90000c376f0 R08: ffffffff81522098 R09: ffffed103ee0a5f8
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000011
R13: 0000000000000080 R14: dffffc0000000000 R15: ffff888120152bf4
FS: 00007fb884a7d6c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb884a5cd58 CR3: 000000011fc6c000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
skb_push+0xf3/0x120 net/core/skbuff.c:1946
vlan_get_protocol_dgram+0x123/0x220 net/packet/af_packet.c:550
packet_recvmsg+0x5df/0x1cd0 net/packet/af_packet.c:3521
____sys_recvmsg+0x286/0x530
___sys_recvmsg+0x1ec/0x690 net/socket.c:2637
do_recvmmsg+0x407/0x920 net/socket.c:2731
__sys_recvmmsg net/socket.c:2810 [inline]
__do_sys_recvmmsg net/socket.c:2833 [inline]
__se_sys_recvmmsg net/socket.c:2826 [inline]
__x64_sys_recvmmsg+0x195/0x240 net/socket.c:2826
do_syscall_64+0x34/0x70
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fb884ac02a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb884a7d228 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00007fb884b47408 RCX: 00007fb884ac02a9
RDX: 0000000000000001 RSI: 0000000020000480 RDI: 0000000000000004
RBP: 00007fb884b47400 R08: 0000000000000000 R09: 00007fb884a7d6c0
R10: 0000000000010022 R11: 0000000000000246 R12: 00007fb884b140d8
R13: 83a88896d4b9b107 R14: 07c6c9333d389ca9 R15: 00007ffde007ad78
Modules linked in:
---[ end trace 07a7f28717492588 ]---
RIP: 0010:skb_panic net/core/skbuff.c:111 [inline]
RIP: 0010:skb_under_panic+0x14c/0x150 net/core/skbuff.c:121
Code: c0 e8 8d 85 48 c7 c6 5d d8 d8 85 48 8b 55 c0 8b 4d d4 44 8b 45 d0 4c 8b 4d c8 53 41 55 41 54 41 57 e8 2e 29 ed 00 48 83 c4 20 <0f> 0b 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 41 89 f6 49 89
RSP: 0018:ffffc90000c376b0 EFLAGS: 00010282
RAX: 0000000000000086 RBX: ffffffff858de940 RCX: 4d4a0bba1b312700
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90000c376f0 R08: ffffffff81522098 R09: ffffed103ee0a5f8
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000011
R13: 0000000000000080 R14: dffffc0000000000 R15: ffff888120152bf4
FS: 00007fb884a7d6c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb884a5cd58 CR3: 000000011fc6c000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 8d23314f588a Merge 5.10.225 into android13-5.10-lts
git tree: android13-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=14d4a4a9980000
kernel config: https://syzkaller.appspot.com/x/.config?x=889d6bbfedaebd06
dashboard link: https://syzkaller.appspot.com/bug?extid=f463da0823e4a4db9763
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12d4a4a9980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=174aa69f980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/09c1893905da/disk-8d23314f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5294d841c477/vmlinux-8d23314f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a9c3f12eb021/bzImage-8d23314f.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f463da...@syzkaller.appspotmail.com
skbuff: skb_under_panic: text:ffffffff843e0a63 len:29 put:14 head:ffff888120152c00 data:ffff888120152bf4 tail:0x11 end:0x80 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:111!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 347 Comm: syz-executor326 Not tainted 5.10.225-syzkaller-00513-g8d23314f588a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:skb_panic net/core/skbuff.c:111 [inline]
RIP: 0010:skb_under_panic+0x14c/0x150 net/core/skbuff.c:121
Code: c0 e8 8d 85 48 c7 c6 5d d8 d8 85 48 8b 55 c0 8b 4d d4 44 8b 45 d0 4c 8b 4d c8 53 41 55 41 54 41 57 e8 2e 29 ed 00 48 83 c4 20 <0f> 0b 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 41 89 f6 49 89
RSP: 0018:ffffc90000c376b0 EFLAGS: 00010282
RAX: 0000000000000086 RBX: ffffffff858de940 RCX: 4d4a0bba1b312700
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90000c376f0 R08: ffffffff81522098 R09: ffffed103ee0a5f8
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000011
R13: 0000000000000080 R14: dffffc0000000000 R15: ffff888120152bf4
FS: 00007fb884a7d6c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb884a5cd58 CR3: 000000011fc6c000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
skb_push+0xf3/0x120 net/core/skbuff.c:1946
vlan_get_protocol_dgram+0x123/0x220 net/packet/af_packet.c:550
packet_recvmsg+0x5df/0x1cd0 net/packet/af_packet.c:3521
____sys_recvmsg+0x286/0x530
___sys_recvmsg+0x1ec/0x690 net/socket.c:2637
do_recvmmsg+0x407/0x920 net/socket.c:2731
__sys_recvmmsg net/socket.c:2810 [inline]
__do_sys_recvmmsg net/socket.c:2833 [inline]
__se_sys_recvmmsg net/socket.c:2826 [inline]
__x64_sys_recvmmsg+0x195/0x240 net/socket.c:2826
do_syscall_64+0x34/0x70
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fb884ac02a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb884a7d228 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00007fb884b47408 RCX: 00007fb884ac02a9
RDX: 0000000000000001 RSI: 0000000020000480 RDI: 0000000000000004
RBP: 00007fb884b47400 R08: 0000000000000000 R09: 00007fb884a7d6c0
R10: 0000000000010022 R11: 0000000000000246 R12: 00007fb884b140d8
R13: 83a88896d4b9b107 R14: 07c6c9333d389ca9 R15: 00007ffde007ad78
Modules linked in:
---[ end trace 07a7f28717492588 ]---
RIP: 0010:skb_panic net/core/skbuff.c:111 [inline]
RIP: 0010:skb_under_panic+0x14c/0x150 net/core/skbuff.c:121
Code: c0 e8 8d 85 48 c7 c6 5d d8 d8 85 48 8b 55 c0 8b 4d d4 44 8b 45 d0 4c 8b 4d c8 53 41 55 41 54 41 57 e8 2e 29 ed 00 48 83 c4 20 <0f> 0b 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 41 89 f6 49 89
RSP: 0018:ffffc90000c376b0 EFLAGS: 00010282
RAX: 0000000000000086 RBX: ffffffff858de940 RCX: 4d4a0bba1b312700
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90000c376f0 R08: ffffffff81522098 R09: ffffed103ee0a5f8
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000011
R13: 0000000000000080 R14: dffffc0000000000 R15: ffff888120152bf4
FS: 00007fb884a7d6c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb884a5cd58 CR3: 000000011fc6c000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Feb 11, 2025, 7:05:03 PMFeb 11
to syzkaller-a...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 0d3fa6c3c9ca7aa255696150f5b759ac4a4974e1
Author: Eric Dumazet <edum...@google.com>
Date: Mon Dec 30 16:10:04 2024 +0000
af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13f10aa4580000
start commit: e5e5644ea27f Revert "udf: Avoid excessive partition lengths"
git tree: android13-5.10-lts
kernel config: https://syzkaller.appspot.com/x/.config?x=d3a5f406b765d0a
dashboard link: https://syzkaller.appspot.com/bug?extid=f463da0823e4a4db9763
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13bfcf27980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1583745f980000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 0d3fa6c3c9ca7aa255696150f5b759ac4a4974e1
Author: Eric Dumazet <edum...@google.com>
Date: Mon Dec 30 16:10:04 2024 +0000
af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13f10aa4580000
start commit: e5e5644ea27f Revert "udf: Avoid excessive partition lengths"
git tree: android13-5.10-lts
kernel config: https://syzkaller.appspot.com/x/.config?x=d3a5f406b765d0a
dashboard link: https://syzkaller.appspot.com/bug?extid=f463da0823e4a4db9763
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13bfcf27980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1583745f980000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Apr 21, 2025, 10:39:15 PMApr 21
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.
No recent activity, existing reproducers are no longer triggering the issue.
Reply all
Reply to author
Forward
0 new messages