Hello,
syzbot hit the following crash on net-next commit
9515a2e082f91457db0ecff4b65371d0fb5d9aad (Thu Jan 25 03:37:38 2018 +0000)
net/ipv4: Allow send to local broadcast from a socket bound to a VRF
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.
CC: [Linyu...@alcatel-sbell.com.cn da...@davemloft.net edum...@google.com jaso...@redhat.com linux-...@vger.kernel.org net...@vger.kernel.org peterp...@gmail.com wil...@google.com xiyou.w...@gmail.com]
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+bf7f8a...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 3662 Comm: syz-fuzzer Not tainted 4.15.0-rc9+ #210
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
RIP: 0010:__ptr_ring_produce include/linux/ptr_ring.h:109 [inline]
RIP: 0010:ptr_ring_produce include/linux/ptr_ring.h:132 [inline]
RIP: 0010:tun_net_xmit+0xf4a/0x18e0 drivers/net/tun.c:1116
RSP: 0000:ffff8801db206720 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8801bf1f0dc0 RCX: ffffffff83b436ff
RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffff8801b06929c0
RBP: ffff8801db2068f8 R08: 0000000000000000 R09: ffffffff85caee00
R10: ffff8801db2065d8 R11: dffffc0000000000 R12: ffff8801afd88400
R13: ffff8801b06927a8 R14: ffff8801b06929c8 R15: 0000000000000010
FS: 000000c4200883e8(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000011b9978 CR3: 00000001bc76d001 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__netdev_start_xmit include/linux/netdevice.h:4058 [inline]
netdev_start_xmit include/linux/netdevice.h:4067 [inline]
xmit_one net/core/dev.c:3019 [inline]
dev_hard_start_xmit+0x24e/0xac0 net/core/dev.c:3035
sch_direct_xmit+0x40d/0x1140 net/sched/sch_generic.c:327
qdisc_restart net/sched/sch_generic.c:393 [inline]
__qdisc_run+0x57d/0x19c0 net/sched/sch_generic.c:401
__dev_xmit_skb net/core/dev.c:3210 [inline]
__dev_queue_xmit+0xd5e/0x2f30 net/core/dev.c:3510
dev_queue_xmit+0x17/0x20 net/core/dev.c:3575
arp_xmit_finish net/ipv4/arp.c:634 [inline]
NF_HOOK include/linux/netfilter.h:288 [inline]
arp_xmit+0xd6/0x550 net/ipv4/arp.c:643
arp_send_dst.part.18+0x19b/0x280 net/ipv4/arp.c:321
arp_send_dst net/ipv4/arp.c:394 [inline]
arp_solicit+0x86a/0x1320 net/ipv4/arp.c:393
neigh_probe+0xc3/0x100 net/core/neighbour.c:899
neigh_timer_handler+0x382/0xd60 net/core/neighbour.c:980
call_timer_fn+0x228/0x820 kernel/time/timer.c:1318
expire_timers kernel/time/timer.c:1355 [inline]
__run_timers+0x7ee/0xb70 kernel/time/timer.c:1658
run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1684
__do_softirq+0x2d7/0xb85 kernel/softirq.c:285
invoke_softirq kernel/softirq.c:365 [inline]
irq_exit+0x1cc/0x200 kernel/softirq.c:405
exiting_irq arch/x86/include/asm/apic.h:541 [inline]
smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:937
</IRQ>
RIP: 0033:0x724782
RSP: 002b:000000c427c5f838 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff11
RAX: 0000000001925300 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000009 RDI: 000000000087f5c7
RBP: 000000c427c5f928 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000007244f0 R11: 00000000ffffffff R12: 000000c4290c3763
R13: 0000000000000001 R14: 00000000000000df R15: 0000000000000000
Code: 3c 03 0f 8e 4f 08 00 00 48 8b 85 70 fe ff ff 48 63 80 80 06 00 00 4d
8d 3c c7 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <80> 3c 02 00
0f 85 e7 07 00 00 49 83 3f 00 0f 85 e5 f6 ff ff e8
RIP: __ptr_ring_produce include/linux/ptr_ring.h:109 [inline] RSP: ffff8801db206720
RIP: ptr_ring_produce include/linux/ptr_ring.h:132 [inline] RSP: ffff8801db206720
RIP: tun_net_xmit+0xf4a/0x18e0 drivers/net/tun.c:1116 RSP: ffff8801db206720
general protection fault: 0000 [#2] SMP KASAN
---[ end trace 1df87dec2ddd8177 ]---
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream