syzbot


possible deadlock in ipv6_frag_rcv

Status: auto-closed as invalid on 2019/04/28 09:29
Reported-by: syzbot+0e59e1313df5c853dd45@syzkaller.appspotmail.com
First crash: 2219d, last: 2219d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-44 possible deadlock in ipv6_frag_rcv (2) 1 1876d 1876d 0/2 auto-closed as invalid on 2020/02/02 17:12

Sample crash report:
audit: type=1400 audit(1540609746.234:518): avc:  denied  { create } for  pid=21523 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0

======================================================
[ INFO: possible circular locking dependency detected ]
input: syz1 as /devices/virtual/input/input83
4.4.162+ #7 Not tainted
-------------------------------------------------------
syz-executor2/21528 is trying to acquire lock:
input: syz1 as /devices/virtual/input/input84
 (_xmit_NETROM){+.-...}, at: [  512.056907] audit: type=1400 audit(1540609746.274:519): avc:  denied  { create } for  pid=21523 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
[<ffffffff8229e5a3>] spin_lock include/linux/spinlock.h:302 [inline]
[<ffffffff8229e5a3>] __netif_tx_lock include/linux/netdevice.h:3306 [inline]
[<ffffffff8229e5a3>] sch_direct_xmit+0x233/0x6c0 net/sched/sch_generic.c:163

but task is already holding lock:
 (&(&q->lock)->rlock){+.-...}, at: [<ffffffff826298fb>] spin_lock include/linux/spinlock.h:302 [inline]
 (&(&q->lock)->rlock){+.-...}, at: [<ffffffff826298fb>] ipv6_frag_rcv+0x5eb/0x4f80 net/ipv6/reassembly.c:560

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

       [<ffffffff81202cde>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
       [<ffffffff8270551a>] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:137 [inline]
       [<ffffffff8270551a>] _raw_spin_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:175
       [<ffffffff825d7fcd>] spin_lock_bh include/linux/spinlock.h:307 [inline]
       [<ffffffff825d7fcd>] icmp6_dst_alloc+0x39d/0x620 net/ipv6/route.c:1630
       [<ffffffff825f0382>] ndisc_send_skb+0x2b2/0x10e0 net/ipv6/ndisc.c:451
       [<ffffffff825f412b>] ndisc_send_ns+0x4fb/0x6f0 net/ipv6/ndisc.c:595
audit: type=1400 audit(1540609746.274:520): avc:  denied  { set_context_mgr } for  pid=21537 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=0
binder: 21537:21538 ioctl 40046207 0 returned -13
binder: 21537:21538 transaction failed 29189/-22, size 24-8 line 3014
binder: 21537:21538 unknown command 0
binder: 21537:21538 ioctl c0306201 200003c0 returned -22
binder_alloc: binder_alloc_mmap_handler: 21537 20001000-20004000 already mapped failed -16
audit: type=1400 audit(1540609746.274:521): avc:  denied  { set_context_mgr } for  pid=21537 comm="syz-executor4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=0
binder: 21537:21538 ioctl 40046207 0 returned -13
binder: 21537:21539 transaction failed 29189/-22, size 24-8 line 3014
       [<ffffffff825f45c0>] ndisc_solicit+0x2a0/0x420 net/ipv6/ndisc.c:686
       [<ffffffff8224778a>] neigh_probe+0xca/0x100 net/core/neighbour.c:871
       [<ffffffff822592eb>] neigh_timer_handler+0x26b/0xa50 net/core/neighbour.c:952
       [<ffffffff812553bc>] call_timer_fn+0x18c/0x870 kernel/time/timer.c:1185
       [<ffffffff812560a5>] __run_timers kernel/time/timer.c:1261 [inline]
       [<ffffffff812560a5>] run_timer_softirq+0x605/0xbb0 kernel/time/timer.c:1444
       [<ffffffff827091dc>] __do_softirq+0x22c/0xa1a kernel/softirq.c:273
       [<ffffffff810e1dbd>] invoke_softirq kernel/softirq.c:350 [inline]
       [<ffffffff810e1dbd>] irq_exit+0x10d/0x140 kernel/softirq.c:391
       [<ffffffff82708941>] exiting_irq arch/x86/include/asm/apic.h:652 [inline]
       [<ffffffff82708941>] smp_apic_timer_interrupt+0x81/0xa0 arch/x86/kernel/apic/apic.c:926
       [<ffffffff82707c9d>] apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:741
       [<ffffffff811597cf>] ___might_sleep+0x1ff/0x260 kernel/sched/core.c:7956
       [<ffffffff811598c0>] __might_sleep+0x90/0x1a0 kernel/sched/core.c:7948
       [<ffffffff8142b99f>] __might_fault+0xaf/0x1d0 mm/memory.c:3858
       [<ffffffff81f73fb5>] copy_from_user arch/x86/include/asm/uaccess.h:729 [inline]
       [<ffffffff81f73fb5>] input_event_from_user+0x135/0x290 drivers/input/input-compat.c:23
       [<ffffffff81f818cf>] evdev_write+0x20f/0x3b0 drivers/input/evdev.c:553
       [<ffffffff81490c1c>] __vfs_write+0x11c/0x3e0 fs/read_write.c:489
       [<ffffffff814928ce>] vfs_write+0x17e/0x4e0 fs/read_write.c:538
       [<ffffffff81494f09>] SYSC_write fs/read_write.c:585 [inline]
       [<ffffffff81494f09>] SyS_write+0xd9/0x1c0 fs/read_write.c:577
       [<ffffffff8100629e>] do_syscall_32_irqs_on arch/x86/entry/common.c:396 [inline]
       [<ffffffff8100629e>] do_fast_syscall_32+0x31e/0xa80 arch/x86/entry/common.c:463
       [<ffffffff82707a50>] sysenter_flags_fixed+0xd/0x1a

       [<ffffffff811ff0fc>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
       [<ffffffff811ff0fc>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
       [<ffffffff811ff0fc>] validate_chain kernel/locking/lockdep.c:2144 [inline]
       [<ffffffff811ff0fc>] __lock_acquire+0x3e6c/0x5f10 kernel/locking/lockdep.c:3213
       [<ffffffff81202cde>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
       [<ffffffff82705426>] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
       [<ffffffff82705426>] _raw_spin_lock+0x36/0x50 kernel/locking/spinlock.c:151
       [<ffffffff8229e5a3>] spin_lock include/linux/spinlock.h:302 [inline]
       [<ffffffff8229e5a3>] __netif_tx_lock include/linux/netdevice.h:3306 [inline]
       [<ffffffff8229e5a3>] sch_direct_xmit+0x233/0x6c0 net/sched/sch_generic.c:163
       [<ffffffff82232995>] __dev_xmit_skb net/core/dev.c:2979 [inline]
       [<ffffffff82232995>] __dev_queue_xmit+0xf95/0x1c30 net/core/dev.c:3197
       [<ffffffff82233647>] dev_queue_xmit+0x17/0x20 net/core/dev.c:3263
       [<ffffffff82253b10>] neigh_resolve_output+0x600/0x780 net/core/neighbour.c:1329
       [<ffffffff8258cdb4>] dst_neigh_output include/net/dst.h:461 [inline]
       [<ffffffff8258cdb4>] ip6_finish_output2+0xb94/0x1ca0 net/ipv6/ip6_output.c:113
       [<ffffffff8259d53e>] ip6_finish_output+0x2ee/0x750 net/ipv6/ip6_output.c:131
       [<ffffffff8259db4f>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
       [<ffffffff8259db4f>] ip6_output+0x1af/0x520 net/ipv6/ip6_output.c:145
       [<ffffffff825f0a42>] dst_output include/net/dst.h:498 [inline]
       [<ffffffff825f0a42>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
       [<ffffffff825f0a42>] NF_HOOK include/linux/netfilter.h:249 [inline]
       [<ffffffff825f0a42>] ndisc_send_skb+0x972/0x10e0 net/ipv6/ndisc.c:471
       [<ffffffff825f412b>] ndisc_send_ns+0x4fb/0x6f0 net/ipv6/ndisc.c:595
       [<ffffffff825f45c0>] ndisc_solicit+0x2a0/0x420 net/ipv6/ndisc.c:686
       [<ffffffff8224778a>] neigh_probe+0xca/0x100 net/core/neighbour.c:871
       [<ffffffff82252b80>] __neigh_event_send+0x2a0/0xc30 net/core/neighbour.c:1027
       [<ffffffff82253b39>] neigh_event_send include/net/neighbour.h:431 [inline]
       [<ffffffff82253b39>] neigh_resolve_output+0x629/0x780 net/core/neighbour.c:1313
       [<ffffffff8258cdb4>] dst_neigh_output include/net/dst.h:461 [inline]
       [<ffffffff8258cdb4>] ip6_finish_output2+0xb94/0x1ca0 net/ipv6/ip6_output.c:113
       [<ffffffff8259d53e>] ip6_finish_output+0x2ee/0x750 net/ipv6/ip6_output.c:131
       [<ffffffff8259db4f>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
       [<ffffffff8259db4f>] ip6_output+0x1af/0x520 net/ipv6/ip6_output.c:145
       [<ffffffff826ae55b>] dst_output include/net/dst.h:498 [inline]
       [<ffffffff826ae55b>] ip6_local_out+0x9b/0x180 net/ipv6/output_core.c:169
       [<ffffffff8259fbb1>] ip6_send_skb+0xa1/0x340 net/ipv6/ip6_output.c:1725
       [<ffffffff8259ff03>] ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1745
       [<ffffffff8260eaa5>] icmpv6_push_pending_frames+0x335/0x530 net/ipv6/icmp.c:276
       [<ffffffff82610293>] icmp6_send+0x15f3/0x1b70 net/ipv6/icmp.c:537
       [<ffffffff82611c19>] icmpv6_param_prob+0x29/0x40 net/ipv6/icmp.c:551
       [<ffffffff8262ceb5>] ip6_frag_queue net/ipv6/reassembly.c:228 [inline]
       [<ffffffff8262ceb5>] ipv6_frag_rcv+0x3ba5/0x4f80 net/ipv6/reassembly.c:562
       [<ffffffff825a0f1d>] ip6_input_finish+0x57d/0x1510 net/ipv6/ip6_input.c:248
       [<ffffffff825a3cb6>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
       [<ffffffff825a3cb6>] NF_HOOK include/linux/netfilter.h:249 [inline]
       [<ffffffff825a3cb6>] ip6_input+0xf6/0x200 net/ipv6/ip6_input.c:280
       [<ffffffff825a047e>] dst_input include/net/dst.h:504 [inline]
       [<ffffffff825a047e>] ip6_rcv_finish+0x14e/0x670 net/ipv6/ip6_input.c:62
       [<ffffffff82680a7b>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
       [<ffffffff82680a7b>] ipv6_defrag+0x33b/0x5c0 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:78
       [<ffffffff822e52f2>] nf_iterate+0x182/0x210 net/netfilter/core.c:274
       [<ffffffff822e5536>] nf_hook_slow+0x1b6/0x340 net/netfilter/core.c:306
       [<ffffffff825a3305>] nf_hook_thresh include/linux/netfilter.h:187 [inline]
       [<ffffffff825a3305>] NF_HOOK_THRESH include/linux/netfilter.h:224 [inline]
       [<ffffffff825a3305>] NF_HOOK include/linux/netfilter.h:249 [inline]
       [<ffffffff825a3305>] ipv6_rcv+0x1455/0x1d10 net/ipv6/ip6_input.c:186
       [<ffffffff8221c078>] __netif_receive_skb_core+0x12c8/0x2820 net/core/dev.c:4041
       [<ffffffff8222472b>] __netif_receive_skb+0x5b/0x1c0 net/core/dev.c:4076
       [<ffffffff8222baca>] process_backlog+0x20a/0x670 net/core/dev.c:4669
       [<ffffffff8222aed7>] napi_poll net/core/dev.c:4907 [inline]
       [<ffffffff8222aed7>] net_rx_action+0x367/0xd50 net/core/dev.c:4972
       [<ffffffff827091dc>] __do_softirq+0x22c/0xa1a kernel/softirq.c:273
       [<ffffffff827073dc>] do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:929
       [<ffffffff810e1a84>] do_softirq.part.2+0x54/0x60 kernel/softirq.c:317
       [<ffffffff810e1bd9>] do_softirq+0x19/0x20 kernel/softirq.c:320
       [<ffffffff8221a6dc>] netif_rx_ni+0xec/0x3a0 net/core/dev.c:3675
       [<ffffffff81e0f53a>] tun_get_user+0xf3a/0x2690 drivers/net/tun.c:1264
       [<ffffffff81e10ea5>] tun_chr_write_iter+0xd5/0x190 drivers/net/tun.c:1283
       [<ffffffff81491c33>] do_iter_readv_writev+0x133/0x1d0 fs/read_write.c:664
       [<ffffffff814937b7>] compat_do_readv_writev+0x337/0x6f0 fs/read_write.c:982
       [<ffffffff81493f11>] compat_writev+0xe1/0x150 fs/read_write.c:1090
       [<ffffffff81496228>] C_SYSC_writev fs/read_write.c:1110 [inline]
       [<ffffffff81496228>] compat_SyS_writev+0xd8/0x1c0 fs/read_write.c:1099
       [<ffffffff8100629e>] do_syscall_32_irqs_on arch/x86/entry/common.c:396 [inline]
       [<ffffffff8100629e>] do_fast_syscall_32+0x31e/0xa80 arch/x86/entry/common.c:463
       [<ffffffff82707a50>] sysenter_flags_fixed+0xd/0x1a

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&(&q->lock)->rlock);
                               lock(_xmit_NETROM);
                               lock(&(&q->lock)->rlock);
  lock(_xmit_NETROM);

 *** DEADLOCK ***

10 locks held by syz-executor2/21528:
 #0:  (rcu_read_lock){......}, at: [<ffffffff8222ba66>] __skb_unlink include/linux/skbuff.h:1643 [inline]
 #0:  (rcu_read_lock){......}, at: [<ffffffff8222ba66>] __skb_dequeue include/linux/skbuff.h:1659 [inline]
 #0:  (rcu_read_lock){......}, at: [<ffffffff8222ba66>] process_backlog+0x1a6/0x670 net/core/dev.c:4666
 #1:  (rcu_read_lock){......}, at: [<ffffffff822e5380>] nf_hook_slow+0x0/0x340 net/netfilter/core.c:267
 #2:  (rcu_read_lock){......}, at: [<ffffffff825a09a0>] ip6_input_finish+0x0/0x1510 include/linux/skbuff.h:2037
 #3:  (&(&q->lock)->rlock){+.-...}, at: [<ffffffff826298fb>] spin_lock include/linux/spinlock.h:302 [inline]
 #3:  (&(&q->lock)->rlock){+.-...}, at: [<ffffffff826298fb>] ipv6_frag_rcv+0x5eb/0x4f80 net/ipv6/reassembly.c:560
 #4:  (slock-AF_INET6){+.-...}, at: [<ffffffff8260f47b>] spin_trylock include/linux/spinlock.h:312 [inline]
 #4:  (slock-AF_INET6){+.-...}, at: [<ffffffff8260f47b>] icmpv6_xmit_lock net/ipv6/icmp.c:120 [inline]
 #4:  (slock-AF_INET6){+.-...}, at: [<ffffffff8260f47b>] icmp6_send+0x7db/0x1b70 net/ipv6/icmp.c:485
 #5:  (rcu_read_lock){......}, at: [<ffffffff8260fc02>] icmp6_send+0xf62/0x1b70 net/ipv6/icmp.c:517
 #6:  (rcu_read_lock_bh){......}, at: [<ffffffff8258c419>] ip6_finish_output2+0x1f9/0x1ca0 net/ipv6/ip6_output.c:71
 #7:  (rcu_read_lock){......}, at: [<ffffffff825f081d>] ip6_nd_hdr net/ipv6/ndisc.c:427 [inline]
 #7:  (rcu_read_lock){......}, at: [<ffffffff825f081d>] ndisc_send_skb+0x74d/0x10e0 net/ipv6/ndisc.c:465
 #8:  (rcu_read_lock_bh){......}, at: [<ffffffff8258c419>] ip6_finish_output2+0x1f9/0x1ca0 net/ipv6/ip6_output.c:71
 #9:  (rcu_read_lock_bh){......}, at: [<ffffffff82231bd7>] __dev_queue_xmit+0x1d7/0x1c30 net/core/dev.c:3161

stack backtrace:
CPU: 0 PID: 21528 Comm: syz-executor2 Not tainted 4.4.162+ #7
 0000000000000000 40b5003a3b1deb90 ffff8801db606138 ffffffff81a994bd
 ffffffff83acd330 ffffffff83adb8b0 ffffffff83acd330 ffff8801c20c2120
 ffff8801c20c17c0 ffff8801db606180 ffffffff813a834a 0000000000000004
Call Trace:
 <IRQ>  [<ffffffff81a994bd>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff81a994bd>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff813a834a>] print_circular_bug.cold.34+0x2f7/0x432 kernel/locking/lockdep.c:1226
 [<ffffffff811ff0fc>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
 [<ffffffff811ff0fc>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
 [<ffffffff811ff0fc>] validate_chain kernel/locking/lockdep.c:2144 [inline]
 [<ffffffff811ff0fc>] __lock_acquire+0x3e6c/0x5f10 kernel/locking/lockdep.c:3213
 [<ffffffff81202cde>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
 [<ffffffff82705426>] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
 [<ffffffff82705426>] _raw_spin_lock+0x36/0x50 kernel/locking/spinlock.c:151
 [<ffffffff8229e5a3>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff8229e5a3>] __netif_tx_lock include/linux/netdevice.h:3306 [inline]
 [<ffffffff8229e5a3>] sch_direct_xmit+0x233/0x6c0 net/sched/sch_generic.c:163
 [<ffffffff82232995>] __dev_xmit_skb net/core/dev.c:2979 [inline]
 [<ffffffff82232995>] __dev_queue_xmit+0xf95/0x1c30 net/core/dev.c:3197
 [<ffffffff82233647>] dev_queue_xmit+0x17/0x20 net/core/dev.c:3263
 [<ffffffff82253b10>] neigh_resolve_output+0x600/0x780 net/core/neighbour.c:1329
 [<ffffffff8258cdb4>] dst_neigh_output include/net/dst.h:461 [inline]
 [<ffffffff8258cdb4>] ip6_finish_output2+0xb94/0x1ca0 net/ipv6/ip6_output.c:113
 [<ffffffff8259d53e>] ip6_finish_output+0x2ee/0x750 net/ipv6/ip6_output.c:131
 [<ffffffff8259db4f>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
 [<ffffffff8259db4f>] ip6_output+0x1af/0x520 net/ipv6/ip6_output.c:145
 [<ffffffff825f0a42>] dst_output include/net/dst.h:498 [inline]
 [<ffffffff825f0a42>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
 [<ffffffff825f0a42>] NF_HOOK include/linux/netfilter.h:249 [inline]
 [<ffffffff825f0a42>] ndisc_send_skb+0x972/0x10e0 net/ipv6/ndisc.c:471
 [<ffffffff825f412b>] ndisc_send_ns+0x4fb/0x6f0 net/ipv6/ndisc.c:595
 [<ffffffff825f45c0>] ndisc_solicit+0x2a0/0x420 net/ipv6/ndisc.c:686
 [<ffffffff8224778a>] neigh_probe+0xca/0x100 net/core/neighbour.c:871
 [<ffffffff82252b80>] __neigh_event_send+0x2a0/0xc30 net/core/neighbour.c:1027
 [<ffffffff82253b39>] neigh_event_send include/net/neighbour.h:431 [inline]
 [<ffffffff82253b39>] neigh_resolve_output+0x629/0x780 net/core/neighbour.c:1313
 [<ffffffff8258cdb4>] dst_neigh_output include/net/dst.h:461 [inline]
 [<ffffffff8258cdb4>] ip6_finish_output2+0xb94/0x1ca0 net/ipv6/ip6_output.c:113
 [<ffffffff8259d53e>] ip6_finish_output+0x2ee/0x750 net/ipv6/ip6_output.c:131
 [<ffffffff8259db4f>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
 [<ffffffff8259db4f>] ip6_output+0x1af/0x520 net/ipv6/ip6_output.c:145
 [<ffffffff826ae55b>] dst_output include/net/dst.h:498 [inline]
 [<ffffffff826ae55b>] ip6_local_out+0x9b/0x180 net/ipv6/output_core.c:169
 [<ffffffff8259fbb1>] ip6_send_skb+0xa1/0x340 net/ipv6/ip6_output.c:1725
 [<ffffffff8259ff03>] ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1745
 [<ffffffff8260eaa5>] icmpv6_push_pending_frames+0x335/0x530 net/ipv6/icmp.c:276
 [<ffffffff82610293>] icmp6_send+0x15f3/0x1b70 net/ipv6/icmp.c:537
binder: 21564:21565 transaction failed 29189/-22, size 24-8 line 3014
binder: 21564:21566 transaction failed 29189/-22, size 24-8 line 3014
 [<ffffffff82611c19>] icmpv6_param_prob+0x29/0x40 net/ipv6/icmp.c:551
 [<ffffffff8262ceb5>] ip6_frag_queue net/ipv6/reassembly.c:228 [inline]
 [<ffffffff8262ceb5>] ipv6_frag_rcv+0x3ba5/0x4f80 net/ipv6/reassembly.c:562
 [<ffffffff825a0f1d>] ip6_input_finish+0x57d/0x1510 net/ipv6/ip6_input.c:248
 [<ffffffff825a3cb6>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
 [<ffffffff825a3cb6>] NF_HOOK include/linux/netfilter.h:249 [inline]
 [<ffffffff825a3cb6>] ip6_input+0xf6/0x200 net/ipv6/ip6_input.c:280
 [<ffffffff825a047e>] dst_input include/net/dst.h:504 [inline]
 [<ffffffff825a047e>] ip6_rcv_finish+0x14e/0x670 net/ipv6/ip6_input.c:62
 [<ffffffff82680a7b>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
 [<ffffffff82680a7b>] ipv6_defrag+0x33b/0x5c0 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:78
 [<ffffffff822e52f2>] nf_iterate+0x182/0x210 net/netfilter/core.c:274
 [<ffffffff822e5536>] nf_hook_slow+0x1b6/0x340 net/netfilter/core.c:306
 [<ffffffff825a3305>] nf_hook_thresh include/linux/netfilter.h:187 [inline]
 [<ffffffff825a3305>] NF_HOOK_THRESH include/linux/netfilter.h:224 [inline]
 [<ffffffff825a3305>] NF_HOOK include/linux/netfilter.h:249 [inline]
 [<ffffffff825a3305>] ipv6_rcv+0x1455/0x1d10 net/ipv6/ip6_input.c:186
 [<ffffffff8221c078>] __netif_receive_skb_core+0x12c8/0x2820 net/core/dev.c:4041
 [<ffffffff8222472b>] __netif_receive_skb+0x5b/0x1c0 net/core/dev.c:4076
 [<ffffffff8222baca>] process_backlog+0x20a/0x670 net/core/dev.c:4669
 [<ffffffff8222aed7>] napi_poll net/core/dev.c:4907 [inline]
 [<ffffffff8222aed7>] net_rx_action+0x367/0xd50 net/core/dev.c:4972
 [<ffffffff827091dc>] __do_softirq+0x22c/0xa1a kernel/softirq.c:273
 [<ffffffff827073dc>] do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:929
 <EOI>  [<ffffffff810e1a84>] do_softirq.part.2+0x54/0x60 kernel/softirq.c:317
 [<ffffffff810e1bd9>] do_softirq+0x19/0x20 kernel/softirq.c:320
 [<ffffffff8221a6dc>] netif_rx_ni+0xec/0x3a0 net/core/dev.c:3675
 [<ffffffff81e0f53a>] tun_get_user+0xf3a/0x2690 drivers/net/tun.c:1264
 [<ffffffff81e10ea5>] tun_chr_write_iter+0xd5/0x190 drivers/net/tun.c:1283
 [<ffffffff81491c33>] do_iter_readv_writev+0x133/0x1d0 fs/read_write.c:664
 [<ffffffff814937b7>] compat_do_readv_writev+0x337/0x6f0 fs/read_write.c:982
 [<ffffffff81493f11>] compat_writev+0xe1/0x150 fs/read_write.c:1090
 [<ffffffff81496228>] C_SYSC_writev fs/read_write.c:1110 [inline]
 [<ffffffff81496228>] compat_SyS_writev+0xd8/0x1c0 fs/read_write.c:1099
 [<ffffffff8100629e>] do_syscall_32_irqs_on arch/x86/entry/common.c:396 [inline]
 [<ffffffff8100629e>] do_fast_syscall_32+0x31e/0xa80 arch/x86/entry/common.c:463
 [<ffffffff82707a50>] sysenter_flags_fixed+0xd/0x1a
ip6_tunnel: ip6tnl1 xmit: Local address not yet configured!
input: syz1 as /devices/virtual/input/input85
audit: type=1400 audit(1540609750.074:522): avc:  denied  { create } for  pid=21640 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
input: syz1 as /devices/virtual/input/input86
audit: type=1400 audit(1540609750.264:523): avc:  denied  { create } for  pid=21640 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1540609750.764:524): avc:  denied  { create } for  pid=21664 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1540609750.824:525): avc:  denied  { create } for  pid=21664 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
netlink: 188 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 188 bytes leftover after parsing attributes in process `syz-executor4'.
audit: type=1400 audit(1540609752.894:526): avc:  denied  { create } for  pid=21762 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=0
audit: type=1400 audit(1540609753.064:527): avc:  denied  { create } for  pid=21762 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_fib_lookup_socket permissive=0
audit: type=1400 audit(1540609753.454:528): avc:  denied  { create } for  pid=21790 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1540609753.514:529): avc:  denied  { create } for  pid=21790 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1540609753.594:530): avc:  denied  { create } for  pid=21790 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1540609753.624:531): avc:  denied  { create } for  pid=21790 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(1540609754.284:532): avc:  denied  { create } for  pid=21832 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65535 sclass=netlink_route_socket
audit: type=1400 audit(1540609754.414:533): avc:  denied  { create } for  pid=21832 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65535 sclass=netlink_route_socket
audit: type=1400 audit(1540609755.004:534): avc:  denied  { set_context_mgr } for  pid=21872 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=0
binder: 21872:21874 ioctl 40046207 0 returned -13
binder: 21872:21877 transaction failed 29189/-22, size 4608-8 line 3014
binder_alloc: binder_alloc_mmap_handler: 21872 20000000-20002000 already mapped failed -16
binder: 21872:21877 transaction failed 29189/-22, size 4608-8 line 3014
audit: type=1400 audit(1540609755.104:535): avc:  denied  { set_context_mgr } for  pid=21872 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=0
binder: 21872:21874 ioctl 40046207 0 returned -13
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
ip6_tunnel: ip6tnl1 xmit: Local address not yet configured!

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/10/27 03:09 https://android.googlesource.com/kernel/common android-4.4 c4b00eb70496 a8292de9 .config console log report ci-android-44-kasan-gce-386
* Struck through repros no longer work on HEAD.