syzbot


general protection fault in macvlan_hard_header

Status: upstream: reported C repro on 2020/02/23 13:51
Reported-by: syzbot+c0e07b64d14e9220fbf8@syzkaller.appspotmail.com
First crash: 1606d, last: 1030d
Fix bisection: failed (error log, bisect log)
  
Fix bisection attempts (21)
Created Duration User Patch Repo Result
2021/10/23 00:18 15m bisect fix linux-4.19.y error job log
2021/09/22 00:40 28m bisect fix linux-4.19.y OK (0) job log log
2021/08/22 20:48 28m bisect fix linux-4.19.y OK (0) job log log
2021/07/23 20:13 29m bisect fix linux-4.19.y OK (0) job log log
2021/06/23 19:47 26m bisect fix linux-4.19.y OK (0) job log log
2021/05/24 19:17 29m bisect fix linux-4.19.y OK (0) job log log
2021/04/24 17:42 31m bisect fix linux-4.19.y OK (0) job log log
2021/03/25 08:53 23m bisect fix linux-4.19.y OK (0) job log log
2021/02/23 07:18 23m bisect fix linux-4.19.y OK (0) job log log
2021/02/19 03:56 19m bisect fix linux-4.19.y error job log
2021/01/18 21:59 22m bisect fix linux-4.19.y OK (0) job log log
2020/12/19 21:02 24m bisect fix linux-4.19.y OK (0) job log log
2020/11/19 19:59 24m bisect fix linux-4.19.y OK (0) job log log
2020/10/20 19:32 26m bisect fix linux-4.19.y OK (0) job log log
2020/09/20 19:07 24m bisect fix linux-4.19.y OK (0) job log log
2020/08/21 18:22 30m bisect fix linux-4.19.y OK (0) job log log
2020/07/22 17:50 26m bisect fix linux-4.19.y OK (0) job log log
2020/06/22 17:25 24m bisect fix linux-4.19.y OK (0) job log log
2020/05/23 17:00 24m bisect fix linux-4.19.y OK (0) job log log
2020/04/23 16:34 25m bisect fix linux-4.19.y OK (0) job log log
2020/03/24 14:44 28m bisect fix linux-4.19.y OK (0) job log log

Sample crash report:
team0: Port device sit1 removed
netlink: 'syz-executor551': attribute type 10 has an invalid length.
team0: Device macvtap0 is up. Set it down before adding it as a team port
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8456 Comm: modprobe Not tainted 4.19.105-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
netlink: 8 bytes leftover after parsing attributes in process `syz-executor551'.
RIP: 0010:dev_hard_header include/linux/netdevice.h:2890 [inline]
RIP: 0010:macvlan_hard_header+0xae/0x160 drivers/net/macvlan.c:587
Code: 49 8b bd 20 02 00 00 48 85 ff 74 6d 48 89 7d c0 e8 d7 9d 02 fd 48 8b 7d c0 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 8f 00 00 00 48 8b 07 48 85 c0 48 89 45 c0 74 39
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
RSP: 0018:ffff8880ae907748 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: ffff88809b4b8910 RCX: ffff88809f736ef8
RDX: 0007800400078007 RSI: ffffffff84683ee9 RDI: 003c0020003c003c
RBP: ffff8880ae907788 R08: 0000000000000000 R09: 0000000000000038
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880a7148c40
R13: ffffffff8a0b13e0 R14: ffff88809f736ef8 R15: 0000000000000038
FS:  00007ff0f9096700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff0f8a019c0 CR3: 0000000097b97000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 dev_hard_header include/linux/netdevice.h:2893 [inline]
 neigh_resolve_output net/core/neighbour.c:1369 [inline]
 neigh_resolve_output+0x569/0x9b0 net/core/neighbour.c:1354
 neigh_output include/net/neighbour.h:501 [inline]
 ip6_finish_output2+0xb7f/0x2560 net/ipv6/ip6_output.c:120
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
 ip6_finish_output+0x574/0xbe0 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip6_output+0x235/0x7c0 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:447 [inline]
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ndisc_send_skb+0xf3b/0x1460 net/ipv6/ndisc.c:491
 ndisc_send_rs+0x136/0x6e0 net/ipv6/ndisc.c:685
 addrconf_rs_timer+0x30f/0x680 net/ipv6/addrconf.c:3825
 call_timer_fn+0x18d/0x720 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers kernel/time/timer.c:1684 [inline]
 __run_timers kernel/time/timer.c:1652 [inline]
 run_timer_softirq+0x64f/0x16a0 kernel/time/timer.c:1697
 __do_softirq+0x25c/0x921 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x180/0x1d0 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:544 [inline]
 smp_apic_timer_interrupt+0x13b/0x550 arch/x86/kernel/apic/apic.c:1094
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:893
 </IRQ>
RIP: 0010:quarantine_reduce+0x8/0x1a0 mm/kasan/quarantine.c:213
Code: b1 05 e9 14 ff ff ff 4c 89 23 e9 ef fe ff ff 0f 0b 0f 0b e8 7a ca 9b ff 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 55 41 54 <48> 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 45 e8 31 c0 48 c7 45
RSP: 0018:ffff888094d6f850 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
RAX: ffff888094f13f80 RBX: 00000000006080c0 RCX: 0000000000200000
RDX: 0000000000000040 RSI: 0000000000000040 RDI: ffff88812c31c340
RBP: ffff888094d6f860 R08: ffff88809f8c0240 R09: ffff888094f13f80
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000006080c0
R13: ffff888094f13f80 R14: 00000000006080c0 R15: ffff88812c31c340
 kasan_kmalloc+0xa0/0xf0 mm/kasan/kasan.c:538
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:490
 slab_post_alloc_hook mm/slab.h:445 [inline]
 slab_alloc mm/slab.c:3397 [inline]
 __do_kmalloc mm/slab.c:3725 [inline]
 __kmalloc+0x146/0x750 mm/slab.c:3736
 kmalloc include/linux/slab.h:520 [inline]
 kzalloc include/linux/slab.h:709 [inline]
 ext4_htree_store_dirent+0x8a/0x650 fs/ext4/dir.c:458
 htree_dirblock_to_tree+0x2d2/0x660 fs/ext4/namei.c:1037
 ext4_htree_fill_tree+0x252/0xa50 fs/ext4/namei.c:1114
 ext4_dx_readdir fs/ext4/dir.c:582 [inline]
 ext4_readdir+0x16b9/0x3120 fs/ext4/dir.c:125
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
netlink: 'syz-executor551': attribute type 10 has an invalid length.
team0: Device macvtap0 is up. Set it down before adding it as a team port
 iterate_dir+0x47f/0x5c0 fs/readdir.c:51
 __do_sys_getdents fs/readdir.c:268 [inline]
 __se_sys_getdents fs/readdir.c:249 [inline]
 __x64_sys_getdents+0x1dd/0x370 fs/readdir.c:249
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7ff0f8986575
Code: 83 c7 13 e9 ed 53 fd ff 90 90 90 90 90 90 90 90 90 90 90 90 90 41 56 49 89 f0 48 63 ff b8 4e 00 00 00 41 55 41 54 55 53 0f 05 <48> 3d 00 f0 ff ff 77 58 4d 8d 24 00 49 89 c5 4d 39 e0 73 40 4c 89
RSP: 002b:00007ffe876cdef0 EFLAGS: 00000246 ORIG_RAX: 000000000000004e
RAX: ffffffffffffffda RBX: 0000560785adc1d0 RCX: 00007ff0f8986575
RDX: 0000000000008000 RSI: 0000560785adc200 RDI: 0000000000000000
RBP: 00007ffe876ce190 R08: 0000560785adc200 R09: 00007ff0f8a01070
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe876ce068
R13: ffffffffffffffa8 R14: 0000000000000002 R15: 00055facc5da8780
Modules linked in:
---[ end trace bb40564e55e55f3e ]---
RIP: 0010:dev_hard_header include/linux/netdevice.h:2890 [inline]
RIP: 0010:macvlan_hard_header+0xae/0x160 drivers/net/macvlan.c:587
Code: 49 8b bd 20 02 00 00 48 85 ff 74 6d 48 89 7d c0 e8 d7 9d 02 fd 48 8b 7d c0 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 8f 00 00 00 48 8b 07 48 85 c0 48 89 45 c0 74 39
RSP: 0018:ffff8880ae907748 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: ffff88809b4b8910 RCX: ffff88809f736ef8
RDX: 0007800400078007 RSI: ffffffff84683ee9 RDI: 003c0020003c003c
RBP: ffff8880ae907788 R08: 0000000000000000 R09: 0000000000000038
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880a7148c40
R13: ffffffff8a0b13e0 R14: ffff88809f736ef8 R15: 0000000000000038
FS:  00007ff0f9096700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff0f8a019c0 CR3: 0000000097b97000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/02/23 13:50 linux-4.19.y 4fccc2503536 2c36e7a7 .config console log report syz C ci2-linux-4-19
* Struck through repros no longer work on HEAD.