syzbot


kernel BUG in pskb_expand_head
Status: upstream: reported C repro on 2021/11/15 08:38
Reported-by: syzbot+4c63f36709a642f801c5@syzkaller.appspotmail.com
Fix commit: 5f33a09e769a can: isotp: convert struct tpcon::{idx,len} to unsigned int
Patched on: [], missing on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-kcsan-gce ci2-upstream-usb]
First crash: 197d, last: 14h50m

Cause bisection: introduced by (bisect log):
commit e4b8954074f6d0db01c8c97d338a67f9389c042f
Author: Eric Dumazet <edumazet@google.com>
Date: Tue Dec 7 01:30:37 2021 +0000

  netlink: add net device refcount tracker to struct ethnl_req_info

Crash: WARNING in ref_tracker_dir_exit (log)
Repro: syz .config
similar bugs (15):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream kernel BUG in llc_sap_action_send_xid_c C error 61 199d 413d 22/22 fixed on 2021/11/10 00:50
android-44 kernel BUG at net/core/skbuff.c:LINE! C 79 917d 1142d 0/2 public: reported C repro on 2019/04/11 08:44
linux-4.19 kernel BUG at net/core/skbuff.c:LINE! C unreliable 492 123d 1126d 0/1 upstream: reported C repro on 2019/04/27 20:12
android-54 kernel BUG in pfkey_send_acquire syz 32 467d 495d 0/2 upstream: reported syz repro on 2021/01/17 15:19
upstream kernel BUG at net/core/skbuff.c:LINE! (2) C 562 1581d 1670d 4/22 fixed on 2018/01/29 03:39
android-5-10 kernel BUG in add_grec C error 83 60d 134d 2/2 fixed on 2022/03/29 10:01
android-54 kernel BUG at net/core/skbuff.c:LINE! C 191 2d13h 866d 0/2 upstream: reported C repro on 2020/01/12 09:43
android-414 kernel BUG at net/core/skbuff.c:LINE! C 2743 905d 1142d 0/1 public: reported C repro on 2019/04/11 00:00
android-5-10 kernel BUG in add_grec (2) 231 24m 59d 0/2 premoderation: reported on 2022/03/29 11:58
android-5-10 kernel BUG in cdc_ncm_fill_tx_frame C error 40 152d 218d 1/2 fixed on 2021/12/29 12:20
upstream kernel BUG at net/core/skbuff.c:LINE! (3) C done 4399 459d 1576d 21/22 fixed on 2021/03/10 01:48
upstream kernel BUG at net/core/skbuff.c:LINE! 5 1676d 1746d 3/22 fixed on 2017/10/27 10:10
linux-4.19 kernel BUG in pfkey_send_acquire C done 56 466d 495d 1/1 fixed on 2021/03/18 08:30
linux-4.14 kernel BUG at net/core/skbuff.c:LINE! C 2843 28d 1141d 0/1 upstream: reported C repro on 2019/04/12 15:43
android-49 kernel BUG at net/core/skbuff.c:LINE! C 391 906d 1141d 0/3 public: reported C repro on 2019/04/12 00:00

Sample crash report:
netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
skbuff: skb_over_panic: text:ffffffff87e897ed len:65575 put:65575 head:ffff88801e389000 data:ffff88801e3890a8 tail:0x100cf end:0x6c0 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:113!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 3596 Comm: syz-executor432 Not tainted 5.16.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113
Code: f8 4c 8b 4c 24 10 8b 4b 70 41 56 45 89 e8 4c 89 e2 41 57 48 89 ee 48 c7 c7 e0 eb ae 8a ff 74 24 10 ff 74 24 20 e8 8c 4c c1 ff <0f> 0b e8 55 d9 30 f8 4c 8b 64 24 18 e8 ab 14 78 f8 48 c7 c1 80 f8
RSP: 0018:ffffc90001a7f430 EFLAGS: 00010282
RAX: 000000000000008f RBX: ffff888021e33280 RCX: 0000000000000000
RDX: ffff888022225700 RSI: ffffffff815f9dd8 RDI: fffff5200034fe78
RBP: ffffffff8aaef8c0 R08: 000000000000008f R09: 0000000000000000
R10: ffffffff815f3b3e R11: 0000000000000000 R12: ffffffff87e897ed
R13: 0000000000010027 R14: ffffffff8aaeeba0 R15: 00000000000006c0
FS:  0000555555a39300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6724185300 CR3: 0000000071f2f000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 skb_over_panic net/core/skbuff.c:118 [inline]
 skb_put.cold+0x24/0x24 net/core/skbuff.c:1988
 __ip6_append_data.isra.0+0x1e1d/0x3bc0 net/ipv6/ip6_output.c:1656
 ip6_append_data+0x207/0x350 net/ipv6/ip6_output.c:1804
 rawv6_sendmsg+0x14e7/0x3a10 net/ipv6/raw.c:949
 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:725
 ____sys_sendmsg+0x331/0x810 net/socket.c:2413
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2467
 __sys_sendmmsg+0x195/0x470 net/socket.c:2553
 __do_sys_sendmmsg net/socket.c:2582 [inline]
 __se_sys_sendmmsg net/socket.c:2579 [inline]
 __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2579
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7ff57e5d63f9
Code: 28 c3 e8 4a 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe5adb02d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007ffe5adb02e8 RCX: 00007ff57e5d63f9
RDX: 0000000000000001 RSI: 00000000200002c0 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000fe80 R11: 0000000000000246 R12: 00007ffe5adb02f0
R13: 00007ffe5adb0310 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113
Code: f8 4c 8b 4c 24 10 8b 4b 70 41 56 45 89 e8 4c 89 e2 41 57 48 89 ee 48 c7 c7 e0 eb ae 8a ff 74 24 10 ff 74 24 20 e8 8c 4c c1 ff <0f> 0b e8 55 d9 30 f8 4c 8b 64 24 18 e8 ab 14 78 f8 48 c7 c1 80 f8
RSP: 0018:ffffc90001a7f430 EFLAGS: 00010282
RAX: 000000000000008f RBX: ffff888021e33280 RCX: 0000000000000000
RDX: ffff888022225700 RSI: ffffffff815f9dd8 RDI: fffff5200034fe78
RBP: ffffffff8aaef8c0 R08: 000000000000008f R09: 0000000000000000
R10: ffffffff815f3b3e R11: 0000000000000000 R12: ffffffff87e897ed
R13: 0000000000010027 R14: ffffffff8aaeeba0 R15: 00000000000006c0
FS:  0000555555a39300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000040 CR3: 0000000071f2f000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (69):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2022/01/22 05:47 upstream 9b57f4589857 214351e1 .config log report syz C kernel BUG in __ip6_append_data
ci-upstream-kasan-gce 2022/01/05 11:20 upstream c9e6606c7fe9 0a2584dd .config log report syz C kernel BUG in isotp_rcv
ci-upstream-net-this-kasan-gce 2022/01/20 08:03 net ff9fc0a31d85 5da9499f .config log report syz C kernel BUG in __ip6_append_data
ci-upstream-net-this-kasan-gce 2022/01/05 11:26 net 1d5a47424040 0a2584dd .config log report syz C kernel BUG in isotp_rcv
ci-upstream-net-kasan-gce 2022/01/20 17:06 net-next fe8152b38d3a b838eb76 .config log report syz C kernel BUG in __ip6_append_data
ci-upstream-kasan-gce 2022/01/05 11:44 upstream c9e6606c7fe9 0a2584dd .config log report syz kernel BUG in isotp_rcv
ci-upstream-kasan-gce-selinux-root 2022/01/05 08:29 upstream c9e6606c7fe9 0a2584dd .config log report syz kernel BUG in isotp_rcv
ci-upstream-net-this-kasan-gce 2021/12/20 11:57 net 60ec7fcfe768 021b36cb .config log report syz kernel BUG in isotp_rcv
ci-upstream-net-kasan-gce 2021/12/20 00:18 net-next 434ed2138994 44068e19 .config log report syz kernel BUG in isotp_rcv
ci-qemu-upstream 2022/05/21 10:45 upstream 3b5e1590a267 7268fa62 .config log report info kernel BUG in pskb_expand_head
ci-qemu-upstream 2022/04/19 20:30 upstream b7f73403a3e9 c334415e .config log report info kernel BUG in pskb_expand_head
ci-qemu-upstream 2022/04/15 15:37 upstream 028192fea1de 8bcc32a6 .config log report info kernel BUG in pskb_expand_head
ci-qemu-upstream 2022/04/06 14:46 upstream 3e732ebf7316 86b4b7f8 .config log report info kernel BUG in pskb_expand_head
ci-qemu-upstream 2022/03/07 08:20 upstream ffb217a13a2e 7bdd8b2c .config log report info kernel BUG in pskb_expand_head
ci-qemu-upstream 2022/02/23 02:10 upstream 917bbdb107f8 6e821dbf .config log report info kernel BUG in pskb_expand_head
ci-qemu-upstream 2022/02/16 18:28 upstream c5d9ae265b10 50221962 .config log report info kernel BUG in pskb_expand_head
ci-qemu-upstream 2021/12/06 04:05 upstream 944207047ca4 a617004c .config log report info kernel BUG in pskb_expand_head
ci-qemu-upstream 2021/12/02 21:25 upstream a51e3ac43ddb 61f86278 .config log report info kernel BUG in pskb_expand_head
ci-qemu-upstream 2021/11/30 23:35 upstream 58e1100fdc59 80270552 .config log report info kernel BUG in pskb_expand_head
ci-qemu-upstream 2021/11/11 08:22 upstream debe436e77c7 75b04091 .config log report info kernel BUG in pskb_expand_head
ci-qemu-upstream-386 2022/05/17 08:15 upstream 42226c989789 744a39e2 .config log report info kernel BUG in pskb_expand_head
ci-qemu-upstream-386 2022/05/11 22:44 upstream feb9c5e19e91 beb0b407 .config log report info kernel BUG in pskb_expand_head
ci-upstream-net-this-kasan-gce 2021/12/14 06:12 net 884d2b845477 5d14b1ea .config log report info kernel BUG in pskb_expand_head
ci-upstream-net-kasan-gce 2022/04/24 22:50 net-next cfc1d91a7d78 131df97d .config log report info kernel BUG in pskb_expand_head
ci-upstream-net-kasan-gce 2022/04/24 10:14 net-next cfc1d91a7d78 131df97d .config log report info kernel BUG in pskb_expand_head
ci-upstream-net-kasan-gce 2022/04/23 14:42 net-next 31693d02b06e 131df97d .config log report info kernel BUG in pskb_expand_head
ci-upstream-net-kasan-gce 2022/04/23 00:46 net-next f70925bf9940 131df97d .config log report info kernel BUG in pskb_expand_head
ci-upstream-net-kasan-gce 2021/12/05 13:58 net-next ce83278f313c a617004c .config log report info kernel BUG in pskb_expand_head
ci-upstream-kasan-gce-smack-root 2022/03/23 02:28 upstream b47d5a4f6b8d d88ef0c5 .config log report info kernel BUG in ipgre_header
ci-upstream-kasan-gce 2022/03/13 00:39 upstream aad611a868d1 9e8eaa75 .config log report info kernel BUG in __ip6_append_data
ci-upstream-kasan-gce 2022/01/24 10:19 upstream dd81e1c7d5fb 214351e1 .config log report info kernel BUG in isotp_rcv
ci-upstream-kasan-gce-selinux-root 2022/01/05 08:01 upstream c9e6606c7fe9 0a2584dd .config log report info kernel BUG in isotp_rcv
ci-upstream-kasan-gce-selinux-root 2021/12/31 10:33 upstream 74c78b4291b4 36bd2e48 .config log report info kernel BUG in isotp_rcv
ci-upstream-kasan-gce 2021/12/19 18:29 upstream 3f667b5d4053 44068e19 .config log report info kernel BUG in isotp_rcv
ci-upstream-kasan-gce-smack-root 2021/12/17 01:30 upstream fa36bbe6d43f 8dd6a5e3 .config log report info kernel BUG in isotp_rcv
ci-upstream-kasan-gce 2021/12/17 00:39 upstream fa36bbe6d43f 8dd6a5e3 .config log report info kernel BUG in isotp_rcv
ci-upstream-kasan-gce-selinux-root 2021/11/14 06:52 upstream a9b9669d9822 83f5c9b5 .config log report info kernel BUG in isotp_rcv
ci-qemu-upstream-386 2022/02/09 21:10 upstream f4bc5bbb5fef 0b33604d .config log report info kernel BUG in isotp_rcv
ci-qemu-upstream-386 2022/02/09 03:17 upstream e6251ab4551f 0b33604d .config log report info kernel BUG in isotp_rcv
ci-upstream-kasan-gce-386 2021/12/28 17:57 upstream a8ad9a2434dc 76c8cf06 .config log report info kernel BUG in isotp_rcv
ci-upstream-kasan-gce-386 2021/12/02 09:21 upstream 58e1100fdc59 61f86278 .config log report info kernel BUG in isotp_rcv
ci-qemu-upstream-386 2021/11/23 06:21 upstream 136057256686 545ab074 .config log report info kernel BUG in isotp_rcv
ci-upstream-net-this-kasan-gce 2022/05/13 03:40 net 810c2f0a3f86 9ad6612a .config log report info kernel BUG in ip6_mc_hdr
ci-upstream-net-this-kasan-gce 2022/01/18 18:31 net 5765cee119bf 731a2d23 .config log report info kernel BUG in ip6_mc_hdr
ci-upstream-net-this-kasan-gce 2022/01/15 08:15 net 9d6d7f1cb67c 723cfaf0 .config log report info kernel BUG in nsh_gso_segment
ci-upstream-net-this-kasan-gce 2022/01/10 12:16 net dd3ca4c5184e 2ca0d385 .config log report info kernel BUG in isotp_rcv
ci-upstream-net-this-kasan-gce 2022/01/05 07:32 net 1d5a47424040 0a2584dd .config log report info kernel BUG in isotp_rcv
ci-upstream-net-this-kasan-gce 2021/12/31 10:22 net 74c78b4291b4 36bd2e48 .config log report info kernel BUG in isotp_rcv
ci-upstream-net-this-kasan-gce 2021/11/27 06:20 net 32c54497545e 63eeac02 .config log report info kernel BUG in fou_build_udp
ci-upstream-net-this-kasan-gce 2021/11/15 23:12 net 10a2308ffb8c 83f5c9b5 .config log report info kernel BUG in fou_build_udp
ci-upstream-net-this-kasan-gce 2021/11/12 13:41 net 5833291ab6de 75b04091 .config log report info kernel BUG in fou_build_udp
ci-upstream-net-this-kasan-gce 2021/11/11 18:11 net d336509cb9d0 75b04091 .config log report info kernel BUG in ip6_mc_hdr
ci-upstream-net-kasan-gce 2022/04/09 16:06 net-next 626a5aaa5067 e22c3da3 .config log report info kernel BUG in ip6gre_header
ci-upstream-net-kasan-gce 2022/03/05 03:20 net-next 1039135aedfc 45a13a73 .config log report info kernel BUG in ip6_mc_hdr
ci-upstream-net-kasan-gce 2022/03/02 23:56 net-next a577223a97df 45a13a73 .config log report info kernel BUG in ip6gre_header
ci-upstream-net-kasan-gce 2022/02/20 12:42 net-next 48c77bdf729a 3cd800e4 .config log report info kernel BUG in ax25_hard_header
ci-upstream-net-kasan-gce 2022/02/17 13:48 net-next 5a8fb33e5305 3cd800e4 .config log report info kernel BUG in ip6gre_header
ci-upstream-net-kasan-gce 2022/01/30 01:00 net-next ff58831fa02d 495e00c5 .config log report info kernel BUG in isotp_rcv
ci-upstream-net-kasan-gce 2022/01/08 08:53 net-next 82192cb497f9 2ca0d385 .config log report info kernel BUG in isotp_rcv
ci-upstream-net-kasan-gce 2022/01/02 09:55 net-next e63a02348958 e1768e9c .config log report info kernel BUG in isotp_rcv
ci-upstream-net-kasan-gce 2021/12/19 22:15 net-next 434ed2138994 44068e19 .config log report info kernel BUG in isotp_rcv
ci-upstream-net-kasan-gce 2021/11/29 08:04 net-next d40ce48cb3a6 63eeac02 .config log report info kernel BUG in __pskb_pull_tail
ci-upstream-net-kasan-gce 2021/11/18 09:31 net-next 75082e7f4680 cafff8b6 .config log report info kernel BUG in ax25_hard_header
ci-upstream-net-kasan-gce 2021/11/14 20:40 net-next 1274a4eb318d 83f5c9b5 .config log report info kernel BUG in ip6gre_header
ci-upstream-net-kasan-gce 2021/11/12 10:44 net-next 5833291ab6de 75b04091 .config log report info kernel BUG in ip6gre_header
ci-upstream-linux-next-kasan-gce-root 2022/05/27 07:33 linux-next d3fde8ff50ab 3037caa9 .config log report info kernel BUG in pfkey_send_acquire