syzbot


BUG: corrupted list in team_nl_cmd_options_set

Status: fixed on 2018/05/08 18:30
Subsystems: net
[Documentation on labels]
Reported-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com
Fix commit: 4fb0534fb7bb team: avoid adding twice the same option to the event list
First crash: 2178d, last: 2174d
Discussions (20)
Title Replies (including bot) Last reply
[PATCH 3.16 000/202] 3.16.66-rc1 review 205 (205) 2019/04/28 15:45
[PATCH 3.16 000/366] 3.16.60-rc1 review 370 (370) 2019/03/29 15:47
[PATCH 3.18 000/134] 3.18.137-stable review 149 (149) 2019/03/28 13:21
[PATCH 4.4 000/230] 4.4.177-stable review 235 (235) 2019/03/24 12:02
[PATCH AUTOSEL 3.18 1/6] s390/dasd: fix using offset into zero size array error 6 (6) 2019/03/11 19:59
[PATCH AUTOSEL 4.4 1/8] gpu: ipu-v3: Fix i.MX51 CSI control registers offset 8 (8) 2019/03/11 19:59
[PATCH 4.20 000/183] 4.20.13-stable review 198 (198) 2019/02/27 09:05
[PATCH 4.9 00/63] 4.9.161-stable review 69 (69) 2019/02/26 18:18
[PATCH 4.19 000/152] 4.19.26-stable review 157 (157) 2019/02/26 17:47
[PATCH 4.14 00/71] 4.14.104-stable review 77 (77) 2019/02/26 17:46
[Patch net] team: avoid complex list operations in team_nl_cmd_options_set() 4 (4) 2019/02/12 19:21
[PATCH 4.4 00/50] 4.4.130-stable review 69 (69) 2018/05/12 19:44
[lkp-robot] 486ad79630 [ 15.532543] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004 5 (5) 2018/05/03 18:02
486ad79630 ("origin"): BUG: unable to handle kernel NULL pointer dereference at 0000000000000004 1 (1) 2018/05/03 03:47
[PATCH 4.16 00/81] 4.16.6-stable review 88 (88) 2018/04/28 15:52
[PATCH 4.14 00/80] 4.14.38-stable review 90 (90) 2018/04/28 14:28
[PATCH 4.9 00/74] 4.9.97-stable review 80 (80) 2018/04/28 14:26
[PATCH 3.18 00/24] 3.18.107-stable review 36 (36) 2018/04/28 14:24
[PATCH net] team: avoid adding twice the same option to the event list 4 (4) 2018/04/16 15:03
BUG: corrupted list in team_nl_cmd_options_set 0 (1) 2018/04/11 21:02

Sample crash report:
8021q: adding VLAN 0 to HW filter on device team0
netlink: 'syzkaller211959': attribute type 3 has an invalid length.
netlink: 'syzkaller211959': attribute type 3 has an invalid length.
list_add double add: new=ffff8801d39f2890, prev=ffff8801b169f3a0, next=ffff8801d39f2890.
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:31!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4482 Comm: syzkaller211959 Not tainted 4.16.0+ #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0xaa/0xb0 lib/list_debug.c:29
RSP: 0018:ffff8801b169f248 EFLAGS: 00010286
RAX: 0000000000000058 RBX: ffff8801d39f2890 RCX: 0000000000000000
RDX: 0000000000000058 RSI: ffffffff815fa5a1 RDI: ffffed00362d3e3f
RBP: ffff8801b169f260 R08: ffff8801ad0946c0 R09: ffffed003b604f90
R10: ffffed003b604f90 R11: ffff8801db027c87 R12: ffff8801d39f2890
R13: ffff8801d39f2890 R14: dffffc0000000000 R15: 0000000000000000
FS:  0000000001069880(0000) GS:ffff8801db000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000180 CR3: 00000001ad7be000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_add include/linux/list.h:60 [inline]
 list_add include/linux/list.h:79 [inline]
 team_nl_cmd_options_set+0x9ff/0x12b0 drivers/net/team/team.c:2571
 genl_family_rcv_msg+0x889/0x1120 net/netlink/genetlink.c:599
 genl_rcv_msg+0xc6/0x170 net/netlink/genetlink.c:624
 netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2448
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:635
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x58b/0x740 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x805/0x940 net/socket.c:2117
 __sys_sendmsg+0x115/0x270 net/socket.c:2155
 SYSC_sendmsg net/socket.c:2164 [inline]
 SyS_sendmsg+0x29/0x30 net/socket.c:2162
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x447039
RSP: 002b:00007ffc1ab20408 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004a9218 RCX: 0000000000447039
RDX: 0000000024008040 RSI: 0000000020000300 RDI: 0000000000000003
RBP: 0000000020000a74 R08: 00000000004a90b0 R09: 0000000000000000
R10: 00000000004a9178 R11: 0000000000000213 R12: 0000000000404150
R13: 00000000004041e0 R14: 0000000000000000 R15: 0000000000000000
Code: 75 e8 eb a9 48 89 f7 48 89 75 e8 e8 61 f6 7a fe 48 8b 75 e8 eb bb 48 89 f2 48 89 d9 4c 89 e6 48 c7 c7 a0 c2 d8 87 e8 4a d0 27 fe <0f> 0b 0f 1f 40 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 41 
RIP: __list_add_valid+0xaa/0xb0 lib/list_debug.c:29 RSP: ffff8801b169f248
---[ end trace 2f467a250cb68ba4 ]---

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/04/15 11:20 upstream 18b7fd1c93e5 7a67784c .config console log report syz C ci-upstream-kasan-gce-root
2018/04/11 14:32 upstream b284d4d5a678 8b8de427 .config console log report syz C ci-upstream-kasan-gce-root
* Struck through repros no longer work on HEAD.