Message-ID: <001a114aaca6b900660564d4d613@google.com>
Date: Fri, 09 Feb 2018 21:23:01 -0800
From: syzbot <syzbot+b2bf2652983d23734c5c@...kaller.appspotmail.com>
To: davem@...emloft.net, kuznet@....inr.ac.ru,
linux-kernel@...r.kernel.org, linux-sctp@...r.kernel.org,
netdev@...r.kernel.org, nhorman@...driver.com,
syzkaller-bugs@...glegroups.com, vyasevich@...il.com,
yoshfuji@...ux-ipv6.org
Subject: kernel BUG at net/core/skbuff.c:LINE! (3)
syzbot has found a reproducer for the following crash on upstream commit
f9f1e414128ea58d8e848a0275db0f644c9e9f45 (Fri Feb 9 18:07:39 2018 +0000)
Merge tag 'for-linus-4.16-rc1-tag' of
git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
So far this crash happened 2 times on net-next, upstream.
C reproducer is attached.
syzkaller reproducer is attached.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b2bf2652983d23734c5c@...kaller.appspotmail.com
It will help syzbot understand when the bug is fixed.
skbuff: skb_over_panic: text:000000008799e2ef len:1584 put:1584 head:0000000049a6d341 data:0000000017b26397 tail:0x6c8 end:0x6c0 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:104!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4169 Comm: syzkaller206231 Not tainted 4.15.0+ #306
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_panic+0x162/0x1f0 net/core/skbuff.c:100
RSP: 0018:ffff8801b13c6fd8 EFLAGS: 00010282
RAX: 000000000000008b RBX: ffff8801b66c4dc0 RCX: 0000000000000000
RDX: 000000000000008b RSI: 1ffff10036278db0 RDI: ffffed0036278def
RBP: ffff8801b13c7040 R08: 1ffff10036278d47 R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000000 R12: ffffffff86405e60
R13: ffffffff84c3af4c R14: 0000000000000630 R15: ffffffff864056a0
FS: 0000000000763880(0000) GS:ffff8801db500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020024000 CR3: 00000001b2752005 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
skb_over_panic net/core/skbuff.c:109 [inline]
skb_put+0x18d/0x1d0 net/core/skbuff.c:1695
__ip6_append_data.isra.44+0x1edc/0x3390 net/ipv6/ip6_output.c:1443
ip6_append_data+0x189/0x290 net/ipv6/ip6_output.c:1571
rawv6_sendmsg+0x1e09/0x40c0 net/ipv6/raw.c:928
inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
sock_sendmsg_nosec net/socket.c:630 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:640
___sys_sendmsg+0x767/0x8b0 net/socket.c:2046
__sys_sendmsg+0xe5/0x210 net/socket.c:2080
SYSC_sendmsg net/socket.c:2091 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2087
do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x4456c9
RSP: 002b:00007ffe43f8afa8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004456c9
RDX: 0000000000008000 RSI: 0000000020000000 RDI: 0000000000000004
RBP: 00000000004a7273 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402800
R13: 0000000000402890 R14: 0000000000000000 R15: 0000000000000000
Code: 04 01 84 c0 74 04 3c 03 7e 23 8b 8b 80 00 00 00 41 57 48 c7 c7 e0 56 40 86 52 56 4c 89 ea 41 50 4c 89 e6 45 89 f0 e8 d6 63 22 fd <0f> 0b 4c 89 4d b8 4c 89 45 c0 48 89 75 c8 48 89 55 d0 e8 f7 0e
RIP: skb_panic+0x162/0x1f0 net/core/skbuff.c:100 RSP: ffff8801b13c6fd8
---[ end trace e2ebe6f48e7f5b6c ]---
View attachment "raw.log.txt" of type "text/plain" (7977 bytes)
View attachment "repro.syz.txt" of type "text/plain" (9578 bytes)
View attachment "repro.c.txt" of type "text/plain" (33125 bytes)
View attachment "config.txt" of type "text/plain" (136385 bytes)
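The panic line above is the kernel's skb_put() bounds check firing: skb_put() bumps skb->tail by the requested length first and only then tests tail > end, so the reported tail:0x6c8 against end:0x6c0 means the 1584-byte put overran the linear buffer by 8 bytes (tail before the put was therefore 0x6c8 - 1584 = 0x98). The following userspace model is an added example, not code from the syzbot report or from the kernel; struct toy_skb borrows only the head/tail/end/len field names from struct sk_buff, the buffer geometry is reconstructed from the numbers in the report, and toy_skb_put_checked is a hypothetical name for the caller-side discipline (check tailroom, then put) that avoids reaching skb_over_panic.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy sk_buff: only the fields involved in the tail/end invariant.
 * tail and end are byte offsets from head, as in the kernel's 64-bit
 * sk_buff_data_t layout. Assumption: the struct is a model, not the real one. */
struct toy_skb {
    unsigned char *head;
    size_t tail;
    size_t end;
    size_t len;
};

static struct toy_skb *toy_alloc(size_t size, size_t headroom)
{
    struct toy_skb *skb = calloc(1, sizeof *skb);
    if (!skb) abort();
    skb->head = calloc(size, 1);
    if (!skb->head) abort();
    skb->end = size;
    skb->tail = headroom;   /* like skb_reserve(): leave room for headers */
    return skb;
}

static void toy_free(struct toy_skb *skb)
{
    free(skb->head);
    free(skb);
}

/* Bytes that can still be appended without overrunning the buffer. */
static size_t toy_tailroom(const struct toy_skb *skb)
{
    return skb->tail > skb->end ? 0 : skb->end - skb->tail;
}

/* Same order of operations as kernel skb_put(): tail/len are advanced first,
 * the overrun is detected afterwards. Returns the overrun in bytes (0 if OK)
 * at the point where the kernel calls skb_over_panic() and BUG()s. */
static size_t toy_skb_put(struct toy_skb *skb, size_t put)
{
    skb->tail += put;
    skb->len += put;
    if (skb->tail > skb->end) {
        fprintf(stderr, "skb_over_panic: len:%zu put:%zu tail:%#zx end:%#zx\n",
                skb->len, put, skb->tail, skb->end);
        return skb->tail - skb->end;
    }
    /* Only touch memory when the put stayed inside [head, head + end). */
    memset(skb->head + skb->tail - put, 0xAA, put);
    return 0;
}

/* Caller-side discipline: refuse the put before touching the skb. -1 = refused. */
static int toy_skb_put_checked(struct toy_skb *skb, size_t put)
{
    if (put > toy_tailroom(skb))
        return -1;
    return toy_skb_put(skb, put) ? -1 : 0;
}

/* Geometry reconstructed from the report: end 0x6c0, tail 0x6c8 after a
 * 1584-byte put, so tail before the put was 0x6c8 - 1584 = 0x98. */
#define REPORT_END   0x6c0u
#define REPORT_TAIL0 (0x6c8u - 1584u)

/* Overrun produced by an unchecked put of `put` bytes on that geometry. */
static size_t report_overrun(size_t put)
{
    struct toy_skb *skb = toy_alloc(REPORT_END, REPORT_TAIL0);
    size_t over = toy_skb_put(skb, put);
    toy_free(skb);
    return over;
}

/* Result of the tailroom-checked put on the same geometry. */
static int report_checked(size_t put)
{
    struct toy_skb *skb = toy_alloc(REPORT_END, REPORT_TAIL0);
    int rc = toy_skb_put_checked(skb, put);
    toy_free(skb);
    return rc;
}

int main(void)
{
    printf("unchecked put of 1584 overruns end by %zu bytes\n", report_overrun(1584));
    printf("largest put that fits: %u bytes\n", REPORT_END - REPORT_TAIL0);
    printf("checked put of 1584 returns %d\n", report_checked(1584));
    return 0;
}
```

The model shows why the BUG() is the kernel's last line of defence rather than a bounds check in the usual sense: by the time skb_over_panic() runs, tail already points 8 bytes past end, and a caller that memcpy()s into the returned pointer before any check would have written past the allocation. The fix for this class of report lives in the caller (here the ip6_append_data path), which must size the skb or check skb_tailroom() for the full put length before calling skb_put().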