kernel BUG in pfkey_send

kernel BUG in pfkey_send_acquire
Status: upstream: reported syz repro on 2021/01/17 15:19
Reported-by: syzbot+6de5df89079c9ffe8cac@syzkaller.appspotmail.com
First crash: 321d, last: 294d

similar bugs (13):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	kernel BUG at net/core/skbuff.c:LINE! (3)	C	done		4399	285d	1402d	21/22	fixed on 2021/03/10 01:48
linux-4.19	kernel BUG in pfkey_send_acquire	C		done	56	292d	321d	1/1	fixed on 2021/03/18 08:30
linux-4.14	kernel BUG at net/core/skbuff.c:LINE!	C			2829	18d	967d	0/1	upstream: reported C repro on 2019/04/12 15:43
android-44	kernel BUG at net/core/skbuff.c:LINE!	C			79	743d	968d	0/2	public: reported C repro on 2019/04/11 08:44
linux-4.19	kernel BUG at net/core/skbuff.c:LINE!	C		unreliable	490	25d	952d	0/1	upstream: reported C repro on 2019/04/27 20:12
upstream	kernel BUG at net/core/skbuff.c:LINE! (2)	C			562	1407d	1496d	4/22	fixed on 2018/01/29 03:39
android-54	kernel BUG at net/core/skbuff.c:LINE!	C			120	11h31m	692d	0/1	upstream: reported C repro on 2020/01/12 09:43
android-414	kernel BUG at net/core/skbuff.c:LINE!	C			2743	731d	969d	0/1	public: reported C repro on 2019/04/11 00:00
android-5-10	kernel BUG in cdc_ncm_fill_tx_frame	C	error		34	4d16h	44d	0/1	internal: reported C repro on 2021/10/21 20:18
upstream	kernel BUG at net/core/skbuff.c:LINE!				5	1502d	1573d	3/22	fixed on 2017/10/27 10:10
upstream	kernel BUG in llc_sap_action_send_xid_c	C	error		61	25d	239d	22/22	fixed on 2021/11/10 00:50
upstream	kernel BUG in pskb_expand_head				14	2d09h	19d	0/22	upstream: reported on 2021/11/15 08:38
android-49	kernel BUG at net/core/skbuff.c:LINE!	C			391	732d	968d	0/3	public: reported C repro on 2019/04/12 00:00

Sample crash report:

skbuff: skb_over_panic: text:00000000dc1b3dfa len:736 put:72 head:000000001fe18f9d data:000000001fe18f9d tail:0x2e0 end:0x2c0 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:109!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 439 Comm: syz-executor.5 Not tainted 5.4.92-syzkaller-00491-g73d140dc8abe #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_panic+0x14d/0x150 net/core/skbuff.c:105
Code: 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 49 89 e9 b8 00 00 00 00 53 41 55 41 54 41 57 e8 03 1a dc fd 48 83 c4 20 <0f> 0b 90 55 41 57 41 56 41 55 41 54 53 48 83 ec 70 4c 89 cb 4c 89
RSP: 0018:ffff8881e51c6ca0 EFLAGS: 00010286
RAX: 0000000000000088 RBX: ffffffff8529fbde RCX: d56ea109826bdf00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffff8881e5132000 R08: ffffffff814e45f1 R09: ffffed103ee25e08
R10: ffffed103ee25e08 R11: 0000000000000000 R12: 00000000000002e0
R13: 00000000000002c0 R14: dffffc0000000000 R15: ffff8881e5132000
FS:  00007f3c31075700(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200089b8 CR3: 00000001e55a3000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 skb_over_panic+0x25/0x30 net/core/skbuff.c:114
 skb_put+0x1e0/0x1e0 net/core/skbuff.c:1873
 dump_esp_combs net/key/af_key.c:3006 [inline]
 pfkey_send_acquire+0x18ee/0x2d60 net/key/af_key.c:3227
 km_query net/xfrm/xfrm_state.c:2200 [inline]
 xfrm_state_find+0x2e3f/0x4820 net/xfrm/xfrm_state.c:1136
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2381 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2426 [inline]
 xfrm_resolve_and_create_bundle+0x6a3/0x2ec0 net/xfrm/xfrm_policy.c:2717
 xfrm_lookup_with_ifid+0x93c/0x2080 net/xfrm/xfrm_policy.c:3040
 xfrm_lookup net/xfrm/xfrm_policy.c:3164 [inline]
 xfrm_lookup_route+0x37/0x170 net/xfrm/xfrm_policy.c:3175
 ip_route_output_flow+0x20c/0x340 net/ipv4/route.c:2733
 udp_sendmsg+0x180c/0x2f60 net/ipv4/udp.c:1147
 sock_sendmsg_nosec net/socket.c:638 [inline]
 sock_sendmsg net/socket.c:658 [inline]
 ____sys_sendmsg+0x587/0x8d0 net/socket.c:2298
 ___sys_sendmsg net/socket.c:2352 [inline]
 __sys_sendmmsg+0x39a/0x700 net/socket.c:2455
 __do_sys_sendmmsg net/socket.c:2484 [inline]
 __se_sys_sendmmsg net/socket.c:2481 [inline]
 __x64_sys_sendmmsg+0x9c/0xb0 net/socket.c:2481
 do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45e219
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f3c31074c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000000045e219
RDX: 000000000800001d RSI: 0000000020007fc0 RDI: 0000000000000003
RBP: 000000000119c070 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c034
R13: 00007fffa52f145f R14: 00007f3c310759c0 R15: 000000000119c034
Modules linked in:
RIP: 0010:skb_panic+0x14d/0x150 net/core/skbuff.c:105
Code: 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 49 89 e9 b8 00 00 00 00 53 41 55 41 54 41 57 e8 03 1a dc fd 48 83 c4 20 <0f> 0b 90 55 41 57 41 56 41 55 41 54 53 48 83 ec 70 4c 89 cb 4c 89
RSP: 0018:ffff8881e51c6ca0 EFLAGS: 00010286
RAX: 0000000000000088 RBX: ffffffff8529fbde RCX: d56ea109826bdf00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffff8881e5132000 R08: ffffffff814e45f1 R09: ffffed103ee25e08
R10: ffffed103ee25e08 R11: 0000000000000000 R12: 00000000000002e0
R13: 00000000000002c0 R14: dffffc0000000000 R15: ffff8881e5132000
FS:  00007f3c31075700(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3c31053db8 CR3: 00000001e55a3000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (32):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	VM info	Title
ci2-android-5-4-kasan	2021/01/27 07:52	android12-5.4	73d140dc8abe	a0ebf917	.config	log	report	syz		kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/01/27 02:39	android12-5.4	73d140dc8abe	55a7d4df	.config	log	report	syz		kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/02/14 03:54	android12-5.4	dbfedfa31471	98682e5e	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/02/13 18:31	android12-5.4	dbfedfa31471	98682e5e	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/02/13 17:22	android12-5.4	dbfedfa31471	98682e5e	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/02/13 16:42	android12-5.4	dbfedfa31471	98682e5e	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/02/13 07:25	android12-5.4	dbfedfa31471	98682e5e	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/02/13 02:25	android12-5.4	57b3f4830fb6	98682e5e	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/02/12 17:15	android12-5.4	57b3f4830fb6	a5f86b15	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/02/11 11:37	android12-5.4	82c67a98c749	a52ee10a	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/02/11 11:19	android12-5.4	82c67a98c749	a52ee10a	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/02/09 12:46	android12-5.4	7a1cafd7d4ac	2bd9619f	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/02/06 14:34	android12-5.4	3e99096f6219	0655e081	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/02/04 02:49	android12-5.4	1e5f5a14faba	624dad51	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/02/03 00:19	android12-5.4	1e5f5a14faba	624dad51	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/02/02 09:49	android12-5.4	1e5f5a14faba	19e09687	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/02/01 16:09	android12-5.4	1e5f5a14faba	e6b95f32	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/01/28 10:29	android12-5.4	5f5bfa0cfcb5	eefc07f2	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/01/27 19:49	android12-5.4	eb4c92393810	a57db36f	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/01/27 09:33	android12-5.4	3bd26bb0aaee	a0ebf917	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/01/27 06:17	android12-5.4	73d140dc8abe	a0ebf917	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/01/27 06:13	android12-5.4	73d140dc8abe	a0ebf917	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/01/27 02:23	android12-5.4	73d140dc8abe	55a7d4df	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/01/26 14:07	android12-5.4	ecfe49f9ef4c	52e37319	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/01/26 00:55	android12-5.4	18b1db92afb1	52e37319	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/01/25 16:01	android12-5.4	18b1db92afb1	52e37319	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/01/24 08:34	android12-5.4	18b1db92afb1	52e37319	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/01/21 22:15	android12-5.4	15cec007c4a8	d4f4eca5	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/01/21 04:56	android12-5.4	8fb07f60a84d	d4f4eca5	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/01/19 15:01	android12-5.4	445b69a6f3d9	63631df1	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/01/19 00:37	android12-5.4	41724582d2a8	63631df1	.config	log	report		info	kernel BUG in pfkey_send_acquire
ci2-android-5-4-kasan	2021/01/17 15:18	android12-5.4	dc04463953b2	fd103621	.config	log	report		info	kernel BUG in pfkey_send_acquire