syzbot


kernel BUG at include/linux/skbuff.h:LINE! (2)

Status: fixed on 2019/10/15 23:40
Reported-by: syzbot+eb349eeee854e389c36d@syzkaller.appspotmail.com
Fix commit: c7a42eb49212 net: ipv6: fix listify ip6_rcv_finish in case of forwarding
First crash: 1139d, last: 1129d

Cause bisection: introduced by (bisect log):
commit bc389fd101e57b36aacfaec2df8fe479eabb44ea
Author: David S. Miller <davem@davemloft.net>
Date: Tue Jul 2 21:12:30 2019 +0000

  Merge branch 'macsec-fix-some-bugs-in-the-receive-path'

Crash: WARNING: ODEBUG bug in netdev_freemem (log)
Repro: C syz .config
similar bugs (4):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-44 kernel BUG at include/linux/skbuff.h:LINE! C 3 1673d 1677d 0/2 closed as invalid on 2019/04/03 06:33
upstream kernel BUG at include/linux/skbuff.h:LINE! 3 1528d 1536d 12/24 fixed on 2018/10/31 02:03
linux-4.14 kernel BUG at include/linux/skbuff.h:LINE! C 100 2d02h 630d 0/1 upstream: reported C repro on 2021/01/06 05:53
upstream kernel BUG in __skb_gso_segment C done 11 118d 116d 23/24 upstream: reported C repro on 2022/06/04 01:02

Sample crash report:
------------[ cut here ]------------
kernel BUG at include/linux/skbuff.h:2225!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8575 Comm: syz-executor067 Not tainted 5.3.0-rc3+ #139
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__skb_pull include/linux/skbuff.h:2225 [inline]
RIP: 0010:__skb_pull include/linux/skbuff.h:2222 [inline]
RIP: 0010:skb_pull_inline include/linux/skbuff.h:2231 [inline]
RIP: 0010:skb_pull+0xea/0x110 net/core/skbuff.c:1902
Code: 9d c8 00 00 00 49 89 dc 49 89 9d c8 00 00 00 e8 9c d5 dd fb 4c 89 e0 5b 41 5c 41 5d 41 5e 5d c3 45 31 e4 eb ea e8 86 d5 dd fb <0f> 0b e8 df 03 18 fc e9 44 ff ff ff e8 d5 03 18 fc eb 8a e8 ee 03
RSP: 0018:ffff88809893ee10 EFLAGS: 00010293
RAX: ffff8880940bc180 RBX: 0000000000000004 RCX: ffffffff8594b3a6
RDX: 0000000000000000 RSI: ffffffff8594b3fa RDI: 0000000000000004
RBP: ffff88809893ee30 R08: ffff8880940bc180 R09: fffffbfff14a914f
R10: fffffbfff14a914e R11: ffffffff8a548a77 R12: 000000008e9ad98c
R13: ffff88809893f478 R14: 00000000ffff8880 R15: ffff88809893f478
FS:  0000555556fe1880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000040 CR3: 00000000a056c000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 sctp_inq_pop+0x2f1/0xd80 net/sctp/inqueue.c:202
 sctp_endpoint_bh_rcv+0x184/0x8d0 net/sctp/endpointola.c:385
 sctp_inq_push+0x1e4/0x280 net/sctp/inqueue.c:80
 sctp_rcv+0x2807/0x3590 net/sctp/input.c:256
 sctp6_rcv+0x17/0x30 net/sctp/ipv6.c:1049
 ip6_protocol_deliver_rcu+0x2fe/0x1660 net/ipv6/ip6_input.c:397
 ip6_input_finish+0x84/0x170 net/ipv6/ip6_input.c:438
 NF_HOOK include/linux/netfilter.h:305 [inline]
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ip6_input+0xe4/0x3f0 net/ipv6/ip6_input.c:447
 dst_input include/net/dst.h:442 [inline]
 ip6_sublist_rcv_finish+0x98/0x1e0 net/ipv6/ip6_input.c:84
 ip6_list_rcv_finish net/ipv6/ip6_input.c:118 [inline]
 ip6_sublist_rcv+0x80c/0xcf0 net/ipv6/ip6_input.c:282
 ipv6_list_rcv+0x373/0x4b0 net/ipv6/ip6_input.c:316
 __netif_receive_skb_list_ptype net/core/dev.c:5049 [inline]
 __netif_receive_skb_list_core+0x5fc/0x9d0 net/core/dev.c:5097
 __netif_receive_skb_list net/core/dev.c:5149 [inline]
 netif_receive_skb_list_internal+0x7eb/0xe60 net/core/dev.c:5244
 gro_normal_list.part.0+0x1e/0xb0 net/core/dev.c:5757
 gro_normal_list net/core/dev.c:5755 [inline]
 gro_normal_one net/core/dev.c:5769 [inline]
 napi_frags_finish net/core/dev.c:5782 [inline]
 napi_gro_frags+0xa6a/0xea0 net/core/dev.c:5855
 tun_get_user+0x2e98/0x3fa0 drivers/net/tun.c:1974
 tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2020
 call_write_iter include/linux/fs.h:1870 [inline]
 do_iter_readv_writev+0x5f8/0x8f0 fs/read_write.c:693
 do_iter_write fs/read_write.c:970 [inline]
 do_iter_write+0x184/0x610 fs/read_write.c:951
 vfs_writev+0x1b3/0x2f0 fs/read_write.c:1015
 do_writev+0x15b/0x330 fs/read_write.c:1058
 __do_sys_writev fs/read_write.c:1131 [inline]
 __se_sys_writev fs/read_write.c:1128 [inline]
 __x64_sys_writev+0x75/0xb0 fs/read_write.c:1128
 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441b10
Code: 05 48 3d 01 f0 ff ff 0f 83 5d 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 01 95 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 34 09 fc ff c3 48 83 ec 08 e8 ba 2b 00 00
RSP: 002b:00007ffd62a1d0a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007ffd62a1d0c0 RCX: 0000000000441b10
RDX: 0000000000000001 RSI: 00007ffd62a1d0f0 RDI: 00000000000000f0
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000004
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000f466
R13: 0000000000402960 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 89c934079baa0274 ]---
RIP: 0010:__skb_pull include/linux/skbuff.h:2225 [inline]
RIP: 0010:__skb_pull include/linux/skbuff.h:2222 [inline]
RIP: 0010:skb_pull_inline include/linux/skbuff.h:2231 [inline]
RIP: 0010:skb_pull+0xea/0x110 net/core/skbuff.c:1902
Code: 9d c8 00 00 00 49 89 dc 49 89 9d c8 00 00 00 e8 9c d5 dd fb 4c 89 e0 5b 41 5c 41 5d 41 5e 5d c3 45 31 e4 eb ea e8 86 d5 dd fb <0f> 0b e8 df 03 18 fc e9 44 ff ff ff e8 d5 03 18 fc eb 8a e8 ee 03
RSP: 0018:ffff88809893ee10 EFLAGS: 00010293
RAX: ffff8880940bc180 RBX: 0000000000000004 RCX: ffffffff8594b3a6
RDX: 0000000000000000 RSI: ffffffff8594b3fa RDI: 0000000000000004
RBP: ffff88809893ee30 R08: ffff8880940bc180 R09: fffffbfff14a914f
R10: fffffbfff14a914e R11: ffffffff8a548a77 R12: 000000008e9ad98c
R13: ffff88809893f478 R14: 00000000ffff8880 R15: ffff88809893f478
FS:  0000555556fe1880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000040 CR3: 00000000a056c000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (58):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-net-kasan-gce 2019/08/19 23:22 net-next 20e79a0a2cfd ee12860b .config log report syz C
ci-upstream-net-kasan-gce 2019/08/18 07:21 net-next d83d508b74c4 55bf8926 .config log report syz C
ci-upstream-net-kasan-gce 2019/08/16 16:11 net-next 459c5fb44379 8fd428a1 .config log report syz C
ci-upstream-net-kasan-gce 2019/08/16 15:44 net-next 459c5fb44379 8fd428a1 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/08/24 14:53 linux-next 9733a7c62c66 78ded196 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/08/24 10:09 linux-next 9733a7c62c66 78ded196 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/08/20 01:32 linux-next da6570438d9b ee12860b .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/08/17 23:20 linux-next 0c3d3d648b3e 55bf8926 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/08/16 20:22 linux-next 0c3d3d648b3e 8fd428a1 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/08/16 15:47 linux-next 17da61ae48ec 8fd428a1 .config log report syz C
ci-upstream-net-kasan-gce 2019/08/23 19:28 net-next 6d24e1414005 78ded196 .config log report
ci-upstream-net-kasan-gce 2019/08/22 13:47 net-next 4f830a5af7b5 984250d5 .config log report
ci-upstream-net-kasan-gce 2019/08/21 18:56 net-next ac2eb56e7504 4ea67ff8 .config log report
ci-upstream-net-kasan-gce 2019/08/20 23:41 net-next 932630fa9028 cfc9868f .config log report
ci-upstream-net-kasan-gce 2019/08/19 15:44 net-next 10086b345385 b8ceabfc .config log report
ci-upstream-net-kasan-gce 2019/08/19 08:55 net-next 10086b345385 b8ceabfc .config log report
ci-upstream-net-kasan-gce 2019/08/19 08:55 net-next 10086b345385 b8ceabfc .config log report
ci-upstream-net-kasan-gce 2019/08/19 08:54 net-next 10086b345385 b8ceabfc .config log report
ci-upstream-net-kasan-gce 2019/08/19 07:42 net-next 10086b345385 b8ceabfc .config log report
ci-upstream-net-kasan-gce 2019/08/18 21:19 net-next 10086b345385 55bf8926 .config log report
ci-upstream-net-kasan-gce 2019/08/18 09:38 net-next d83d508b74c4 55bf8926 .config log report
ci-upstream-net-kasan-gce 2019/08/17 18:59 net-next a4d2113e46c1 55bf8926 .config log report
ci-upstream-net-kasan-gce 2019/08/17 18:54 net-next a4d2113e46c1 55bf8926 .config log report
ci-upstream-net-kasan-gce 2019/08/17 18:46 net-next a4d2113e46c1 55bf8926 .config log report
ci-upstream-net-kasan-gce 2019/08/17 18:41 net-next a4d2113e46c1 55bf8926 .config log report
ci-upstream-net-kasan-gce 2019/08/17 18:31 net-next a4d2113e46c1 55bf8926 .config log report
ci-upstream-net-kasan-gce 2019/08/16 15:27 net-next 459c5fb44379 8fd428a1 .config log report
ci-upstream-net-kasan-gce 2019/08/16 15:23 net-next 459c5fb44379 8fd428a1 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/26 12:22 linux-next 9733a7c62c66 d21c5d9d .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/25 22:18 linux-next 9733a7c62c66 d21c5d9d .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/25 18:56 linux-next 9733a7c62c66 d21c5d9d .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/24 09:12 linux-next 9733a7c62c66 78ded196 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/24 06:07 linux-next 9733a7c62c66 78ded196 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/22 03:53 linux-next a34a6117538e 984250d5 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/21 14:18 linux-next 54c851a8cc73 4ea67ff8 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/21 01:53 linux-next 54c851a8cc73 cfc9868f .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/20 23:48 linux-next 54c851a8cc73 cfc9868f .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/20 05:51 linux-next da6570438d9b ee12860b .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/19 21:57 linux-next da6570438d9b ee12860b .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/19 21:51 linux-next da6570438d9b ee12860b .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/19 21:50 linux-next da6570438d9b ee12860b .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/19 21:49 linux-next da6570438d9b ee12860b .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/19 16:04 linux-next da6570438d9b b8ceabfc .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/19 09:21 linux-next 0c3d3d648b3e b8ceabfc .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/19 09:15 linux-next 0c3d3d648b3e b8ceabfc .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/19 08:51 linux-next 0c3d3d648b3e b8ceabfc .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/19 08:50 linux-next 0c3d3d648b3e b8ceabfc .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/19 08:01 linux-next 0c3d3d648b3e b8ceabfc .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/18 21:06 linux-next 0c3d3d648b3e 55bf8926 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/18 09:43 linux-next 0c3d3d648b3e 55bf8926 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/17 20:48 linux-next 0c3d3d648b3e 55bf8926 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/17 18:44 linux-next 0c3d3d648b3e 55bf8926 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/16 15:24 linux-next 17da61ae48ec 8fd428a1 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/08/16 15:23 linux-next 17da61ae48ec 8fd428a1 .config log report
* Struck through repros no longer work on HEAD.