syzbot


general protection fault in sctp_inet6addr_event

Status: auto-closed as invalid on 2021/11/25 08:09
Reported-by: syzbot+58c582458e6157200f1e@syzkaller.appspotmail.com
First crash: 430d, last: 430d

Sample crash report:
general protection fault, probably for non-canonical address 0xeeeeeaeeeeeeeeee: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0x7777777777777770-0x7777777777777777]
CPU: 0 PID: 8622 Comm: kworker/u4:8 Not tainted 5.15.0-rc2-next-20210924-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:sctp_inet6addr_event+0x16c/0x910 net/sctp/ipv6.c:100
Code: 00 00 00 00 fc ff df 48 89 04 24 48 c1 e8 03 4c 01 e8 48 89 44 24 18 eb 31 e8 a0 f9 17 f9 4c 89 e0 48 c1 e8 03 4c 89 64 24 38 <42> 80 3c 28 00 0f 85 99 05 00 00 4c 39 64 24 40 4c 89 e3 49 8b 04
RSP: 0018:ffffc90016def578 EFLAGS: 00010207
RAX: 0eeeeeeeeeeeeeee RBX: ffff88800014a500 RCX: 0000000000000000
RDX: ffff88803e703a00 RSI: ffffffff885e47a0 RDI: 0000000000000003
RBP: ffffc90016def5e8 R08: 0000000000000000 R09: 000000000000000a
R10: ffffffff885e487b R11: 000000000000000a R12: 7777777777777777
R13: dffffc0000000000 R14: ffff888079296400 R15: 000000000000000a
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000007018e000 CR4: 00000000001526f0
Call Trace:
 <TASK>
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 atomic_notifier_call_chain+0x70/0x180 kernel/notifier.c:198
 addrconf_ifdown.isra.0+0xa58/0x1630 net/ipv6/addrconf.c:3836
 addrconf_notify+0xeb/0x1bb0 net/ipv6/addrconf.c:3646
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1996
 call_netdevice_notifiers_extack net/core/dev.c:2008 [inline]
 call_netdevice_notifiers net/core/dev.c:2022 [inline]
 dev_close_many+0x2ff/0x620 net/core/dev.c:1597
 dev_close net/core/dev.c:1619 [inline]
 dev_close+0x16d/0x210 net/core/dev.c:1613
 cfg80211_shutdown_all_interfaces+0x96/0x1f0 net/wireless/core.c:273
 ieee80211_remove_interfaces+0xed/0x820 net/mac80211/iface.c:2122
 ieee80211_unregister_hw+0x47/0x1f0 net/mac80211/main.c:1391
 mac80211_hwsim_del_radio drivers/net/wireless/mac80211_hwsim.c:3457 [inline]
 hwsim_exit_net+0x50e/0xca0 drivers/net/wireless/mac80211_hwsim.c:4217
 ops_exit_list+0xb0/0x160 net/core/net_namespace.c:168
 cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:593
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2297
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>
Modules linked in:
---[ end trace c2246c19a22e9c81 ]---
RIP: 0010:sctp_inet6addr_event+0x16c/0x910 net/sctp/ipv6.c:100
Code: 00 00 00 00 fc ff df 48 89 04 24 48 c1 e8 03 4c 01 e8 48 89 44 24 18 eb 31 e8 a0 f9 17 f9 4c 89 e0 48 c1 e8 03 4c 89 64 24 38 <42> 80 3c 28 00 0f 85 99 05 00 00 4c 39 64 24 40 4c 89 e3 49 8b 04
RSP: 0018:ffffc90016def578 EFLAGS: 00010207
RAX: 0eeeeeeeeeeeeeee RBX: ffff88800014a500 RCX: 0000000000000000
RDX: ffff88803e703a00 RSI: ffffffff885e47a0 RDI: 0000000000000003
RBP: ffffc90016def5e8 R08: 0000000000000000 R09: 000000000000000a
R10: ffffffff885e487b R11: 000000000000000a R12: 7777777777777777
R13: dffffc0000000000 R14: ffff888079296400 R15: 000000000000000a
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000007018e000 CR4: 00000000001526f0
----------------
Code disassembly (best guess), 6 bytes skipped:
   0:	df 48 89             	fisttps -0x77(%rax)
   3:	04 24                	add    $0x24,%al
   5:	48 c1 e8 03          	shr    $0x3,%rax
   9:	4c 01 e8             	add    %r13,%rax
   c:	48 89 44 24 18       	mov    %rax,0x18(%rsp)
  11:	eb 31                	jmp    0x44
  13:	e8 a0 f9 17 f9       	callq  0xf917f9b8
  18:	4c 89 e0             	mov    %r12,%rax
  1b:	48 c1 e8 03          	shr    $0x3,%rax
  1f:	4c 89 64 24 38       	mov    %r12,0x38(%rsp)
* 24:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1) <-- trapping instruction
  29:	0f 85 99 05 00 00    	jne    0x5c8
  2f:	4c 39 64 24 40       	cmp    %r12,0x40(%rsp)
  34:	4c 89 e3             	mov    %r12,%rbx
  37:	49                   	rex.WB
  38:	8b                   	.byte 0x8b
  39:	04                   	.byte 0x4

Crashes (1):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-linux-next-kasan-gce-root 2021/09/26 08:08 linux-next 5a5d008887b4 8cac236e .config log report info general protection fault in sctp_inet6addr_event
* Struck through repros no longer work on HEAD.