syzbot

WARNING in dev_change_net_namespace
Status: fixed on 2022/05/20 00:27
Reported-by: syzbot+830c6dbfc71edc4f0b8f@syzkaller.appspotmail.com
Fix commit: f123cffdd8fe net: netlink: af_netlink: Prevent empty skb by adding a check on len.
First crash: 835d, last: 186d

Cause bisection: introduced by (bisect log):
commit 13dc4d836179444f0ca90188cfccd23f9cd9ff05
Author: Will Deacon <will@kernel.org>
Date: Tue Apr 21 14:29:18 2020 +0000

  arm64: cpufeature: Remove redundant call to id_aa64pfr0_32bit_el0()

Crash: WARNING in dev_change_net_namespace (log)
Repro: syz .config

Fix bisection: fixed by (bisect log):
commit f123cffdd8fe8ea6c7fded4b88516a42798797d0
Author: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Date: Mon Nov 29 17:53:27 2021 +0000

  net: netlink: af_netlink: Prevent empty skb by adding a check on len.

similar bugs (2):
Kernel     | Title                               | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-4.19 | WARNING in dev_change_net_namespace | C     | error        |            | 10    | 195d | 864d     | 0/1     | upstream: reported C repro on 2020/01/13 08:39
linux-4.14 | WARNING in dev_change_net_namespace |       |              |            | 1     | 714d | 714d     | 0/1     | auto-closed as invalid on 2020/10/08 22:13

Sample crash report:
RAX: ffffffffffffffda RBX: 000000000002c0c0 RCX: 000000000045d249
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000005
RBP: 00007ffe16244750 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000016
R13: 0000000000000000 R14: 0000000000000b03 R15: 000000000118cf4c
------------[ cut here ]------------
WARNING: CPU: 1 PID: 7826 at net/core/dev.c:10559 dev_change_net_namespace+0x15bb/0x1710 net/core/dev.c:10559
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 7826 Comm: syz-executor.0 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1f0/0x31e lib/dump_stack.c:118
 panic+0x264/0x7a0 kernel/panic.c:231
 __warn+0x227/0x250 kernel/panic.c:600
 report_bug+0x1b1/0x2e0 lib/bug.c:198
 handle_bug+0x42/0x80 arch/x86/kernel/traps.c:234
 exc_invalid_op+0x16/0x40 arch/x86/kernel/traps.c:254
 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536
RIP: 0010:dev_change_net_namespace+0x15bb/0x1710 net/core/dev.c:10559
Code: 1d 17 03 01 48 c7 c7 fd dc 0a 89 48 c7 c6 c3 ae 29 89 ba e8 28 00 00 31 c0 e8 41 d8 d2 fa 0f 0b e9 f5 ea ff ff e8 e5 3c 01 fb <0f> 0b e9 fb fd ff ff e8 d9 3c 01 fb 0f 0b e9 1b fe ff ff e8 cd 3c
RSP: 0018:ffffc900088f7180 EFLAGS: 00010293
RAX: ffffffff8673c4fb RBX: 00000000fffffff4 RCX: ffff88809610c480
RDX: 0000000000000000 RSI: 00000000fffffff4 RDI: 0000000000000000
RBP: ffffc900088f7290 R08: ffffffff8673c2e6 R09: fffffbfff167d0a4
R10: fffffbfff167d0a4 R11: 0000000000000000 R12: ffff88808f1360b8
R13: ffff88808f136b78 R14: dffffc0000000000 R15: dffffc0000000000
 do_setlink+0x19f/0x3be0 net/core/rtnetlink.c:2611
 __rtnl_newlink net/core/rtnetlink.c:3374 [inline]
 rtnl_newlink+0x1566/0x1c10 net/core/rtnetlink.c:3500
 rtnetlink_rcv_msg+0x889/0xd40 net/core/rtnetlink.c:5563
 netlink_rcv_skb+0x190/0x3a0 net/netlink/af_netlink.c:2470
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x786/0x940 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0xa57/0xd70 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg net/socket.c:671 [inline]
 ____sys_sendmsg+0x519/0x800 net/socket.c:2359
 ___sys_sendmsg net/socket.c:2413 [inline]
 __sys_sendmsg+0x2b1/0x360 net/socket.c:2446
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45d249
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe16244728 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000002c0c0 RCX: 000000000045d249
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000005
RBP: 00007ffe16244750 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000016
R13: 0000000000000000 R14: 0000000000000b03 R15: 000000000118cf4c
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (8):
Manager                          | Time             | Kernel   | Commit       | Syzkaller | Config  | Log | Report | Syz repro | C repro | VM info | Title
ci-upstream-kasan-gce-smack-root | 2020/08/14 04:53 | upstream | 990f227371a4 | 54ce1ed6  | .config | log | report | syz       |         |         |
ci-upstream-kasan-gce-smack-root | 2020/06/06 10:20 | upstream | 7ae77150d94d | e6b89e4e  | .config | log | report | syz       |         |         |
ci-upstream-kasan-gce-smack-root | 2020/08/14 03:55 | upstream | 990f227371a4 | 54ce1ed6  | .config | log | report |           |         |         |
ci-upstream-kasan-gce-smack-root | 2020/06/06 09:19 | upstream | 7ae77150d94d | e6b89e4e  | .config | log | report |           |         |         |
ci-upstream-kasan-gce-smack-root | 2020/05/25 00:49 | upstream | caffb99b6929 | bd28eb9d  | .config | log | report |           |         |         |
ci-upstream-kasan-gce-smack-root | 2020/05/15 04:24 | upstream | 8c1684bb81f1 | 2d572622  | .config | log | report |           |         |         |
ci-upstream-kasan-gce-smack-root | 2020/04/07 06:17 | upstream | 7e63420847ae | 99a96044  | .config | log | report |           |         |         |
ci-upstream-kasan-gce-smack-root | 2020/02/11 08:44 | upstream | 0a679e13ea30 | 084454ae  | .config | log | report |           |         |         |