general protection fault in hsr_addr_is_self
11 views
Skip to first unread message
syzbot
Feb 11, 2020, 10:31:09 AM2/11/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 35766839 Linux 4.19.103
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13d4c65ee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=84f14e7b6cbc7d27
dashboard link: https://syzkaller.appspot.com/bug?extid=a390393df7043d087d18
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a39039...@syzkaller.appspotmail.com
device batadv0 entered promiscuous mode
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 34 Comm: kworker/u4:2 Not tainted 4.19.103-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_dat_purge
RIP: 0010:__read_once_size include/linux/compiler.h:193 [inline]
RIP: 0010:hsr_addr_is_self+0x86/0x330 net/hsr/hsr_framereg.c:64
Code: 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 1b e8 20 fa 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 02 00 00 48 8b 43 30 49 39 c6 49 89 47 c0 0f
RSP: 0018:ffff8880ae807a90 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff874ae1bd
RDX: 0000000000000006 RSI: ffffffff874a4655 RDI: 0000000000000000
RBP: ffff8880ae807b20 R08: ffff8880a9a0a180 R09: ffffed1015d04733
R10: ffffed1015d04732 R11: ffff8880ae823993 R12: ffff8880825c4348
R13: 1ffff11015d00f53 R14: 0000000000000030 R15: ffff8880ae807af8
FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f260ccc0ea0 CR3: 00000000708b9000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
hsr_handle_frame+0x2e8/0x660 net/hsr/hsr_slave.c:38
__netif_receive_skb_core+0xec3/0x2e80 net/core/dev.c:4876
__netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:4945
__netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5059
process_backlog+0x23a/0x7a0 net/core/dev.c:5841
napi_poll net/core/dev.c:6264 [inline]
net_rx_action+0x4f5/0x1070 net/core/dev.c:6330
__do_softirq+0x25c/0x921 kernel/softirq.c:292
do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1091
</IRQ>
do_softirq.part.0+0x11a/0x170 kernel/softirq.c:336
do_softirq kernel/softirq.c:328 [inline]
__local_bh_enable_ip+0x211/0x270 kernel/softirq.c:189
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:176 [inline]
_raw_spin_unlock_bh+0x31/0x40 kernel/locking/spinlock.c:200
spin_unlock_bh include/linux/spinlock.h:374 [inline]
__batadv_dat_purge.isra.0.part.0+0x25e/0x370 net/batman-adv/distributed-arp-table.c:151
__batadv_dat_purge net/batman-adv/distributed-arp-table.c:132 [inline]
batadv_dat_purge+0x4e/0x70 net/batman-adv/distributed-arp-table.c:170
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Modules linked in:
---[ end trace 831fb35c9e8a8a48 ]---
RIP: 0010:__read_once_size include/linux/compiler.h:193 [inline]
RIP: 0010:hsr_addr_is_self+0x86/0x330 net/hsr/hsr_framereg.c:64
Code: 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 1b e8 20 fa 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 02 00 00 48 8b 43 30 49 39 c6 49 89 47 c0 0f
RSP: 0018:ffff8880ae807a90 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff874ae1bd
RDX: 0000000000000006 RSI: ffffffff874a4655 RDI: 0000000000000000
RBP: ffff8880ae807b20 R08: ffff8880a9a0a180 R09: ffffed1015d04733
R10: ffffed1015d04732 R11: ffff8880ae823993 R12: ffff8880825c4348
R13: 1ffff11015d00f53 R14: 0000000000000030 R15: ffff8880ae807af8
FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f260ccc0ea0 CR3: 00000000708b9000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 35766839 Linux 4.19.103
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13d4c65ee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=84f14e7b6cbc7d27
dashboard link: https://syzkaller.appspot.com/bug?extid=a390393df7043d087d18
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a39039...@syzkaller.appspotmail.com
device batadv0 entered promiscuous mode
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 34 Comm: kworker/u4:2 Not tainted 4.19.103-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_dat_purge
RIP: 0010:__read_once_size include/linux/compiler.h:193 [inline]
RIP: 0010:hsr_addr_is_self+0x86/0x330 net/hsr/hsr_framereg.c:64
Code: 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 1b e8 20 fa 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 02 00 00 48 8b 43 30 49 39 c6 49 89 47 c0 0f
RSP: 0018:ffff8880ae807a90 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff874ae1bd
RDX: 0000000000000006 RSI: ffffffff874a4655 RDI: 0000000000000000
RBP: ffff8880ae807b20 R08: ffff8880a9a0a180 R09: ffffed1015d04733
R10: ffffed1015d04732 R11: ffff8880ae823993 R12: ffff8880825c4348
R13: 1ffff11015d00f53 R14: 0000000000000030 R15: ffff8880ae807af8
FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f260ccc0ea0 CR3: 00000000708b9000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
hsr_handle_frame+0x2e8/0x660 net/hsr/hsr_slave.c:38
__netif_receive_skb_core+0xec3/0x2e80 net/core/dev.c:4876
__netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:4945
__netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5059
process_backlog+0x23a/0x7a0 net/core/dev.c:5841
napi_poll net/core/dev.c:6264 [inline]
net_rx_action+0x4f5/0x1070 net/core/dev.c:6330
__do_softirq+0x25c/0x921 kernel/softirq.c:292
do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1091
</IRQ>
do_softirq.part.0+0x11a/0x170 kernel/softirq.c:336
do_softirq kernel/softirq.c:328 [inline]
__local_bh_enable_ip+0x211/0x270 kernel/softirq.c:189
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:176 [inline]
_raw_spin_unlock_bh+0x31/0x40 kernel/locking/spinlock.c:200
spin_unlock_bh include/linux/spinlock.h:374 [inline]
__batadv_dat_purge.isra.0.part.0+0x25e/0x370 net/batman-adv/distributed-arp-table.c:151
__batadv_dat_purge net/batman-adv/distributed-arp-table.c:132 [inline]
batadv_dat_purge+0x4e/0x70 net/batman-adv/distributed-arp-table.c:170
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Modules linked in:
---[ end trace 831fb35c9e8a8a48 ]---
RIP: 0010:__read_once_size include/linux/compiler.h:193 [inline]
RIP: 0010:hsr_addr_is_self+0x86/0x330 net/hsr/hsr_framereg.c:64
Code: 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 1b e8 20 fa 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 02 00 00 48 8b 43 30 49 39 c6 49 89 47 c0 0f
RSP: 0018:ffff8880ae807a90 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff874ae1bd
RDX: 0000000000000006 RSI: ffffffff874a4655 RDI: 0000000000000000
RBP: ffff8880ae807b20 R08: ffff8880a9a0a180 R09: ffffed1015d04733
R10: ffffed1015d04732 R11: ffff8880ae823993 R12: ffff8880825c4348
R13: 1ffff11015d00f53 R14: 0000000000000030 R15: ffff8880ae807af8
FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f260ccc0ea0 CR3: 00000000708b9000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Jul 17, 2020, 8:22:09 PM7/17/20
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages