syzbot


kernel BUG at net/core/dev.c:LINE! (2)

Status: fixed on 2018/10/18 14:43
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: 52b5d6f5dcf0 net: make skb_partial_csum_set() more robust against overflows
First crash: 1353d, last: 1353d
similar bugs (8):
Kernel | Title | Repro | Cause bisect / Fix bisect | Count | Last | Reported | Patched | Status
linux-4.19 | kernel BUG at net/core/dev.c:LINE! (2) | C | error | 87 | 7d14h | 560d | 0/1 | upstream: reported C repro on 2020/12/11 13:29
linux-4.14 | kernel BUG in validate_xmit_skb | | | 1 | 499d | 499d | 0/1 | auto-closed as invalid on 2021/06/10 04:03
upstream | kernel BUG in netem_enqueue | | | 2 | 14d | 51d | 21/22 | internal: reported on 2022/05/04 17:12
linux-4.19 | kernel BUG at net/core/dev.c:LINE! | | | 4 | 790d | 793d | 0/1 | auto-closed as invalid on 2020/08/23 07:17
upstream | kernel BUG at net/core/dev.c:LINE! (4) | C | done done | 432 | 191d | 579d | 22/22 | fixed on 2022/03/08 16:11
upstream | kernel BUG at net/core/dev.c:LINE! | C | | 5 | 1671d | 1675d | 3/22 | fixed on 2017/12/08 02:32
linux-4.14 | kernel BUG at net/core/dev.c:LINE! | C | inconclusive | 3 | 542d | 811d | 1/1 | fixed on 2021/01/17 13:53
upstream | kernel BUG at net/core/dev.c:LINE! (3) | C | done | 979 | 660d | 804d | 17/22 | fixed on 2020/09/16 22:51

Sample crash report:
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
------------[ cut here ]------------
kernel BUG at net/core/dev.c:2880!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7330 Comm: syz-executor4 Not tainted 4.19.0-rc6+ #253
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_checksum_help+0x9e3/0xbb0 net/core/dev.c:2880
Code: 85 00 ff ff ff 48 c1 e8 03 42 80 3c 28 00 0f 84 09 fb ff ff 48 8b bd 00 ff ff ff e8 97 a8 b9 fb e9 f8 fa ff ff e8 2d 09 76 fb <0f> 0b 48 8b bd 28 ff ff ff e8 1f a8 b9 fb e9 b1 f6 ff ff 48 89 cf
RSP: 0018:ffff8801d83a6f60 EFLAGS: 00010293
RAX: ffff8801b9834380 RBX: ffff8801b9f8d8c0 RCX: ffffffff8608c6d7
RDX: 0000000000000000 RSI: ffffffff8608cc63 RDI: 0000000000000006
RBP: ffff8801d83a7068 R08: ffff8801b9834380 R09: 0000000000000000
R10: ffff8801d83a76d8 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000010001 R14: 000000000000ffff R15: 00000000000000a8
FS:  00007f1a66db5700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7d77f091b0 CR3: 00000001ba252000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kobject: 'loop0' (000000006fe71a88): kobject_uevent_env
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
kobject: 'loop0' (000000006fe71a88): fill_kobj_path: path = '/devices/virtual/block/loop0'
Call Trace:
 skb_csum_hwoffload_help+0x8f/0xe0 net/core/dev.c:3269
 validate_xmit_skb+0xa2a/0xf30 net/core/dev.c:3312
 __dev_queue_xmit+0xc2f/0x3950 net/core/dev.c:3797
kobject: 'loop2' (00000000a73c97bc): kobject_uevent_env
kobject: 'loop2' (00000000a73c97bc): fill_kobj_path: path = '/devices/virtual/block/loop2'
kobject: 'loop3' (00000000d4c12978): kobject_uevent_env
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
kobject: 'loop3' (00000000d4c12978): fill_kobj_path: path = '/devices/virtual/block/loop3'
 packet_snd net/packet/af_packet.c:2928 [inline]
 packet_sendmsg+0x422d/0x64c0 net/packet/af_packet.c:2953
------------[ cut here ]------------
kernel BUG at net/core/dev.c:2880!
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:631
 __sys_sendto+0x3d7/0x670 net/socket.c:1788
 __do_sys_sendto net/socket.c:1800 [inline]
 __se_sys_sendto net/socket.c:1796 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1796
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457579
Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f1a66db4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000457579
RDX: 000000000000000b RSI: 0000000020000040 RDI: 0000000000000003
RBP: 000000000072bf00 R08: 0000000020000080 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1a66db56d4
R13: 00000000004c3935 R14: 00000000004d57d8 R15: 00000000ffffffff
Modules linked in:
invalid opcode: 0000 [#2] PREEMPT SMP KASAN
---[ end trace 2a4ecc0b5902c9a7 ]---
CPU: 0 PID: 7358 Comm: syz-executor3 Tainted: G      D           4.19.0-rc6+ #253
RIP: 0010:skb_checksum_help+0x9e3/0xbb0 net/core/dev.c:2880
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_checksum_help+0x9e3/0xbb0 net/core/dev.c:2880
Code: 85 00 ff ff ff 48 c1 e8 03 42 80 3c 28 00 0f 84 09 fb ff ff 48 8b bd 00 ff ff ff e8 97 a8 b9 fb e9 f8 fa ff ff e8 2d 09 76 fb <0f> 0b 48 8b bd 28 ff ff ff e8 1f a8 b9 fb e9 b1 f6 ff ff 48 89 cf
Code: 85 00 ff ff ff 48 c1 e8 03 42 80 3c 28 00 0f 84 09 fb ff ff 48 8b bd 00 ff ff ff e8 97 a8 b9 fb e9 f8 fa ff ff e8 2d 09 76 fb <0f> 0b 48 8b bd 28 ff ff ff e8 1f a8 b9 fb e9 b1 f6 ff ff 48 89 cf
RSP: 0018:ffff8801cb92ef60 EFLAGS: 00010293
RAX: ffff8801cc7b0040 RBX: ffff8801ce7437c0 RCX: ffffffff8608c6d7
RDX: 0000000000000000 RSI: ffffffff8608cc63 RDI: 0000000000000006
RSP: 0018:ffff8801d83a6f60 EFLAGS: 00010293
RBP: ffff8801cb92f068 R08: ffff8801cc7b0040 R09: 0000000000000000
R10: ffff8801cb92f6d8 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000010001 R14: 000000000000ffff R15: 00000000000000a8
FS:  00007f36dcf61700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020006ffc CR3: 00000001d8a00000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
RAX: ffff8801b9834380 RBX: ffff8801b9f8d8c0 RCX: ffffffff8608c6d7
RDX: 0000000000000000 RSI: ffffffff8608cc63 RDI: 0000000000000006
 skb_csum_hwoffload_help+0x8f/0xe0 net/core/dev.c:3269
RBP: ffff8801d83a7068 R08: ffff8801b9834380 R09: 0000000000000000
 validate_xmit_skb+0xa2a/0xf30 net/core/dev.c:3312
R10: ffff8801d83a76d8 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000010001 R14: 000000000000ffff R15: 00000000000000a8
 __dev_queue_xmit+0xc2f/0x3950 net/core/dev.c:3797
FS:  00007f1a66db5700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7d77f091b0 CR3: 00000001ba252000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (2):
Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title
ci-upstream-net-kasan-gce | 2018/10/10 04:06 | net-next | b18719157762 | 8b311eaf | .config | log | report | syz | | |
ci-upstream-net-kasan-gce | 2018/10/10 03:24 | net-next | b18719157762 | 8b311eaf | .config | log | report | | | |