syzbot

kernel BUG at ./include/linux/skbuff.h:LINE! (2)

Status: public: reported syz repro on 2019/08/16 10:13
Reported-by: syzbot+b750abcaa3fc29d7a510@syzkaller.appspotmail.com
First crash: 1715d, last: 1695d
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-414 kernel BUG at ./include/linux/skbuff.h:LINE! syz 27 1695d 1721d 0/1 public: reported syz repro on 2019/08/10 08:48
upstream kernel BUG at ./include/linux/skbuff.h:LINE! (2) net C 5 2248d 2226d 5/26 fixed on 2018/04/06 16:37
linux-4.14 kernel BUG at ./include/linux/skbuff.h:LINE! C done 16 1695d 1721d 1/1 fixed on 2019/12/05 10:31
android-49 kernel BUG at ./include/linux/skbuff.h:LINE! C 3 2253d 2406d 0/3 closed as invalid on 2019/03/06 00:11
upstream kernel BUG at ./include/linux/skbuff.h:LINE! net C 4502 2291d 2303d 4/26 fixed on 2018/01/22 13:19

Sample crash report:
audit: type=1400 audit(1567642076.803:5): avc:  denied  { associate } for  pid=2063 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
------------[ cut here ]------------
kernel BUG at ./include/linux/skbuff.h:1294!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.9.190+ #0
task: 0000000070381f19 task.stack: 00000000a7dc603c
RIP: 0010:[<ffffffff8252c406>]  [<00000000d117d43b>] skb_queue_prev include/linux/skbuff.h:1294 [inline]
RIP: 0010:[<ffffffff8252c406>]  [<00000000d117d43b>] tcp_write_queue_prev include/net/tcp.h:1563 [inline]
RIP: 0010:[<ffffffff8252c406>]  [<00000000d117d43b>] tcp_rtx_queue_tail include/net/tcp.h:1616 [inline]
RIP: 0010:[<ffffffff8252c406>]  [<00000000d117d43b>] tcp_fragment+0x1266/0x1390 net/ipv4/tcp_output.c:1195
RSP: 0018:ffff8801db707b90  EFLAGS: 00010206
RAX: ffff8801da6b2f80 RBX: ffff8801d1dd1f80 RCX: 1ffff1003a3ba46d
RDX: 0000000000000100 RSI: ffffffff8252c406 RDI: ffff8801d6318788
RBP: ffff8801db707be0 R08: 0000000002080020 R09: ffff8801d63187a8
R10: ffff88021fffd050 R11: 0000000728739f87 R12: 0000000000000000
R13: ffff8801d1dd2170 R14: ffff8801d6318780 R15: ffff8801d1dd21c4
FS:  0000000000000000(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000075c000 CR3: 00000001ce8fc000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff8801d6318780 ffff8801d1dd2170 ffff8801d63187f8 ffff880102080020
 000068000000ffcb 0000000000006800 ffff8801d1dd1f80 ffff8801d6318780
 000000000000ffcb ffff8801d63187b4 ffff8801db707c30 ffffffff8253fd65
Call Trace:
 <IRQ> [   28.911115]  [<000000008483bde3>] tcp_write_wakeup+0x345/0x5b0 net/ipv4/tcp_output.c:3613
 [<00000000241d255c>] tcp_send_probe0+0x4b/0x400 net/ipv4/tcp_output.c:3641
 [<000000009106866d>] tcp_probe_timer net/ipv4/tcp_timer.c:379 [inline]
 [<000000009106866d>] tcp_write_timer_handler+0x6a0/0x7a0 net/ipv4/tcp_timer.c:596
 [<00000000f14fd341>] tcp_write_timer+0xc5/0x190 net/ipv4/tcp_timer.c:610
 [<0000000061a26068>] call_timer_fn+0x167/0x6d0 kernel/time/timer.c:1319
 [<00000000058f6cd0>] expire_timers+0x25b/0x5c0 kernel/time/timer.c:1359
 [<00000000862c4bdf>] __run_timers kernel/time/timer.c:1674 [inline]
 [<00000000862c4bdf>] run_timer_softirq+0x1ff/0x620 kernel/time/timer.c:1687
 [<000000004b1d3e78>] __do_softirq+0x22d/0x964 kernel/softirq.c:288
 [<00000000ad5c7daf>] invoke_softirq kernel/softirq.c:368 [inline]
 [<00000000ad5c7daf>] irq_exit+0x119/0x160 kernel/softirq.c:409
 [<000000003131a9f6>] exiting_irq arch/x86/include/asm/apic.h:669 [inline]
 [<000000003131a9f6>] smp_apic_timer_interrupt+0x7e/0xb0 arch/x86/kernel/apic/apic.c:962
 [<00000000ffe8199a>] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:653
 <EOI> [   29.064974]  [<00000000ee8a0d44>] ? native_safe_halt+0x41/0x60 arch/x86/include/asm/irqflags.h:59
 [<0000000038862f40>] arch_safe_halt arch/x86/include/asm/paravirt.h:104 [inline]
 [<0000000038862f40>] default_idle+0x56/0x370 arch/x86/kernel/process.c:500
 [<00000000c277a15e>] arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:491
 [<00000000fb262793>] default_idle_call+0x36/0x60 kernel/sched/idle.c:97
 [<00000000a6e56543>] cpuidle_idle_call kernel/sched/idle.c:155 [inline]
 [<00000000a6e56543>] cpu_idle_loop kernel/sched/idle.c:248 [inline]
 [<00000000a6e56543>] cpu_startup_entry+0x283/0x3a0 kernel/sched/idle.c:303
 [<000000006168022d>] start_secondary+0x31c/0x410 arch/x86/kernel/smpboot.c:251
Code: c1 ea 03 80 3c 02 00 0f 85 3a 01 00 00 4c 8b ab f8 01 00 00 ba 00 00 00 00 4c 3b 6d b8 4c 0f 44 ea e9 f9 fc ff ff e8 6a 5f df fe <0f> 0b e8 f3 20 fd fe e9 6e f0 ff ff e8 e9 20 fd fe e9 68 f3 ff 
RIP  [<00000000d117d43b>] skb_queue_prev include/linux/skbuff.h:1294 [inline]
RIP  [<00000000d117d43b>] tcp_write_queue_prev include/net/tcp.h:1563 [inline]
RIP  [<00000000d117d43b>] tcp_rtx_queue_tail include/net/tcp.h:1616 [inline]
RIP  [<00000000d117d43b>] tcp_fragment+0x1266/0x1390 net/ipv4/tcp_output.c:1195
 RSP <ffff8801db707b90>
---[ end trace 8b72927ac5457728 ]---

Crashes (16):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2019/09/05 00:11 | https://android.googlesource.com/kernel/common android-4.9 | d342ee64906f | 040fda58 | .config | console log | report | syz | | | | ci-android-49-kasan-gce-root |
2019/09/03 07:53 | https://android.googlesource.com/kernel/common android-4.9 | 1488597c127f | 14544a56 | .config | console log | report | syz | | | | ci-android-49-kasan-gce-root |
2019/08/25 13:23 | https://android.googlesource.com/kernel/common android-4.9 | bb6401356c78 | d21c5d9d | .config | console log | report | syz | | | | ci-android-49-kasan-gce-root |
2019/08/23 12:54 | https://android.googlesource.com/kernel/common android-4.9 | 9e50cb052183 | ca6f3cfa | .config | console log | report | syz | | | | ci-android-49-kasan-gce-root |
2019/08/21 13:49 | https://android.googlesource.com/kernel/common android-4.9 | 9e50cb052183 | 4ea67ff8 | .config | console log | report | syz | | | | ci-android-49-kasan-gce-root |
2019/08/19 20:38 | https://android.googlesource.com/kernel/common android-4.9 | 10c44c01f78e | ee12860b | .config | console log | report | syz | | | | ci-android-49-kasan-gce-root |
2019/08/18 16:46 | https://android.googlesource.com/kernel/common android-4.9 | 10c44c01f78e | 55bf8926 | .config | console log | report | syz | | | | ci-android-49-kasan-gce-root |
2019/08/18 16:17 | https://android.googlesource.com/kernel/common android-4.9 | 10c44c01f78e | 55bf8926 | .config | console log | report | syz | | | | ci-android-49-kasan-gce-root |
2019/08/18 08:08 | https://android.googlesource.com/kernel/common android-4.9 | 10c44c01f78e | 55bf8926 | .config | console log | report | syz | | | | ci-android-49-kasan-gce-root |
2019/08/16 09:12 | https://android.googlesource.com/kernel/common android-4.9 | d1f8a9bb810e | 8fd428a1 | .config | console log | report | syz | | | | ci-android-49-kasan-gce-root |
2019/09/04 23:36 | https://android.googlesource.com/kernel/common android-4.9 | d342ee64906f | 040fda58 | .config | console log | report | | | | | ci-android-49-kasan-gce-root |
2019/09/03 07:28 | https://android.googlesource.com/kernel/common android-4.9 | 1488597c127f | 14544a56 | .config | console log | report | | | | | ci-android-49-kasan-gce-root |
2019/08/25 09:07 | https://android.googlesource.com/kernel/common android-4.9 | bb6401356c78 | d21c5d9d | .config | console log | report | | | | | ci-android-49-kasan-gce-root |
2019/08/23 12:38 | https://android.googlesource.com/kernel/common android-4.9 | 9e50cb052183 | ca6f3cfa | .config | console log | report | | | | | ci-android-49-kasan-gce-root |
2019/08/21 20:34 | https://android.googlesource.com/kernel/common android-4.9 | 9e50cb052183 | 4ea67ff8 | .config | console log | report | | | | | ci-android-49-kasan-gce-root |
2019/08/18 15:29 | https://android.googlesource.com/kernel/common android-4.9 | 10c44c01f78e | 55bf8926 | .config | console log | report | | | | | ci-android-49-kasan-gce-root |
* Struck through repros no longer work on HEAD.