syzbot


general protection fault in __ipv6_get_lladdr

Status: auto-closed as invalid on 2022/05/22 09:53
Reported-by: syzbot+@syzkaller.appspotmail.com
First crash: 428d, last: 289d

Sample crash report:
general protection fault, probably for non-canonical address 0xfbd59c0000000007: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0xdead000000000038-0xdead00000000003f]
CPU: 0 PID: 3790 Comm: kworker/0:4 Not tainted 5.16.0-rc3-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Workqueue: mld mld_ifc_work
RIP: 0010:__ipv6_get_lladdr+0xa8/0x230 net/ipv6/addrconf.c:1849
Code: 01 00 00 48 8b 83 60 01 00 00 48 8d 98 a8 fe ff ff 49 39 c6 0f 84 30 01 00 00 e8 53 d7 90 f9 48 8d 7b 72 48 89 f8 48 c1 e8 03 <42> 0f b6 14 28 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85
RSP: 0018:ffffc900042bfa08 EFLAGS: 00010a03
RAX: 1bd5a00000000007 RBX: deacffffffffffca RCX: 0000000000000000
RDX: ffff88801933e280 RSI: ffffffff87e5fced RDI: dead00000000003c
RBP: ffffc900042bfa38 R08: 0000000000000000 R09: 0000000000000020
R10: ffffffff87e5fd87 R11: 0000000000000020 R12: 0000000000000040
R13: dffffc0000000000 R14: ffff888046c1e008 R15: 0000000000000040
FS:  0000000000000000(0000) GS:ffff88802ca00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0aad517004 CR3: 0000000019b42000 CR4: 0000000000150ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 mld_newpack+0x3ad/0x770 net/ipv6/mcast.c:1762
 add_grhead+0x265/0x330 net/ipv6/mcast.c:1857
 add_grec+0x1053/0x14e0 net/ipv6/mcast.c:1995
 mld_send_cr net/ipv6/mcast.c:2121 [inline]
 mld_ifc_work+0x452/0xdc0 net/ipv6/mcast.c:2659
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>
Modules linked in:
---[ end trace f41c04f825c8504c ]---
RIP: 0010:__ipv6_get_lladdr+0xa8/0x230 net/ipv6/addrconf.c:1849
Code: 01 00 00 48 8b 83 60 01 00 00 48 8d 98 a8 fe ff ff 49 39 c6 0f 84 30 01 00 00 e8 53 d7 90 f9 48 8d 7b 72 48 89 f8 48 c1 e8 03 <42> 0f b6 14 28 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85
RSP: 0018:ffffc900042bfa08 EFLAGS: 00010a03
RAX: 1bd5a00000000007 RBX: deacffffffffffca RCX: 0000000000000000
RDX: ffff88801933e280 RSI: ffffffff87e5fced RDI: dead00000000003c
RBP: ffffc900042bfa38 R08: 0000000000000000 R09: 0000000000000020
R10: ffffffff87e5fd87 R11: 0000000000000020 R12: 0000000000000040
R13: dffffc0000000000 R14: ffff888046c1e008 R15: 0000000000000040
FS:  0000000000000000(0000) GS:ffff88802ca00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f51522ec018 CR3: 000000001c67b000 CR4: 0000000000150ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	00 00                	add    %al,(%rax)
   2:	48 8b 83 60 01 00 00 	mov    0x160(%rbx),%rax
   9:	48 8d 98 a8 fe ff ff 	lea    -0x158(%rax),%rbx
  10:	49 39 c6             	cmp    %rax,%r14
  13:	0f 84 30 01 00 00    	je     0x149
  19:	e8 53 d7 90 f9       	callq  0xf990d771
  1e:	48 8d 7b 72          	lea    0x72(%rbx),%rdi
  22:	48 89 f8             	mov    %rdi,%rax
  25:	48 c1 e8 03          	shr    $0x3,%rax
* 29:	42 0f b6 14 28       	movzbl (%rax,%r13,1),%edx <-- trapping instruction
  2e:	48 89 f8             	mov    %rdi,%rax
  31:	83 e0 07             	and    $0x7,%eax
  34:	83 c0 01             	add    $0x1,%eax
  37:	38 d0                	cmp    %dl,%al
  39:	7c 08                	jl     0x43
  3b:	84 d2                	test   %dl,%dl
  3d:	0f                   	.byte 0xf
  3e:	85                   	.byte 0x85

Crashes (18):
Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title
ci-qemu-upstream | 2021/11/30 22:00 | upstream | d58071a8a76d | 80270552 | .config | log | report | | | info | general protection fault in __ipv6_get_lladdr
ci-upstream-kasan-gce-smack-root | 2021/10/11 22:58 | upstream | 64570fbc14f8 | 838e7e2c | .config | log | report | | | info | general protection fault in __ipv6_get_lladdr
ci-upstream-kasan-gce | 2021/10/11 15:07 | upstream | 64570fbc14f8 | 838e7e2c | .config | log | report | | | info | general protection fault in __ipv6_get_lladdr
ci-upstream-kasan-gce-386 | 2021/11/26 14:50 | upstream | a4849f6000e2 | 63eeac02 | .config | log | report | | | info | general protection fault in __ipv6_get_lladdr
ci-upstream-kasan-gce-386 | 2021/11/18 07:16 | upstream | 42eb8fdac2fc | cafff8b6 | .config | log | report | | | info | general protection fault in __ipv6_get_lladdr
ci-upstream-kasan-gce-386 | 2021/10/07 16:36 | upstream | 5af4055fa813 | efe0f24d | .config | log | report | | | info | general protection fault in __ipv6_get_lladdr
ci-upstream-bpf-kasan-gce | 2022/02/17 03:57 | bpf | 45ce4b4f9009 | 2bea8a27 | .config | log | report | | | info | general protection fault in __ipv6_get_lladdr
ci-upstream-net-this-kasan-gce | 2022/01/21 20:45 | net | 67ab55956e64 | 214351e1 | .config | log | report | | | info | general protection fault in __ipv6_get_lladdr
ci-upstream-net-this-kasan-gce | 2021/10/05 23:09 | net | a56d447f196f | 0a63fd36 | .config | log | report | | | info | general protection fault in __ipv6_get_lladdr
ci-upstream-bpf-next-kasan-gce | 2022/02/21 09:51 | bpf-next | e5313968c41b | 3cd800e4 | .config | log | report | | | info | general protection fault in __ipv6_get_lladdr
ci-upstream-bpf-next-kasan-gce | 2022/02/04 17:39 | bpf-next | 227a0713b319 | e13a05ed | .config | log | report | | | info | general protection fault in __ipv6_get_lladdr
ci-upstream-bpf-next-kasan-gce | 2022/01/17 21:38 | bpf-next | e80f2a0d1946 | 731a2d23 | .config | log | report | | | info | general protection fault in __ipv6_get_lladdr
ci-upstream-bpf-next-kasan-gce | 2022/01/17 19:00 | bpf-next | e80f2a0d1946 | 731a2d23 | .config | log | report | | | info | general protection fault in __ipv6_get_lladdr
ci-upstream-bpf-next-kasan-gce | 2022/01/16 03:15 | bpf-next | e80f2a0d1946 | 723cfaf0 | .config | log | report | | | info | general protection fault in __ipv6_get_lladdr
ci-upstream-bpf-next-kasan-gce | 2022/01/15 14:06 | bpf-next | 000daa0e075e | 723cfaf0 | .config | log | report | | | info | general protection fault in __ipv6_get_lladdr
ci-upstream-linux-next-kasan-gce-root | 2021/12/14 09:58 | linux-next | ea922272cbe5 | 5d14b1ea | .config | log | report | | | info | general protection fault in __ipv6_get_lladdr
ci-upstream-linux-next-kasan-gce-root | 2021/11/22 05:07 | linux-next | 5191249f8803 | 4eb20a4e | .config | log | report | | | info | general protection fault in __ipv6_get_lladdr
ci-upstream-kasan-gce-selinux-root | 2021/11/17 14:23 | upstream | 8ab774587903 | cafff8b6 | .config | log | report | | | info | KASAN: use-after-free Read in __ipv6_get_lladdr
* Struck through repros no longer work on HEAD.