Re: KASAN: use-after-free Read in lock_sock_nested

2019-07-27 Thread syzbot

syzbot has found a reproducer for the following crash on:

HEAD commit:    3ea54d9b Merge tag 'docs-5.3-1' of git://git.lwn.net/linux
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16a6656460
kernel config:  https://syzkaller.appspot.com/x/.config?x=195ab3ca46c2e324
dashboard link: https://syzkaller.appspot.com/bug?extid=500c69d1e21d970e461b
compiler:       clang version 9.0.0 (/home/glider/llvm/clang 80fee25776c2fb61e74c1ecb1a523375c2500b69)

syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=145318b460
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14ac7b7860

Bisection is inconclusive: the bug happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11c610a720
final crash:    https://syzkaller.appspot.com/x/report.txt?x=13c610a720
console output: https://syzkaller.appspot.com/x/log.txt?x=15c610a720

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+500c69d1e21d970e4...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
BUG: KASAN: use-after-free in do_raw_spin_lock+0x295/0x3a0 kernel/locking/spinlock_debug.c:112

Read of size 4 at addr 88809f0acf0c by task syz-executor847/10804

CPU: 0 PID: 10804 Comm: syz-executor847 Not tainted 5.3.0-rc1+ #51
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113
 print_address_description+0x75/0x5b0 mm/kasan/report.c:351
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:482
 kasan_report+0x26/0x50 mm/kasan/common.c:612
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
 debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
 do_raw_spin_lock+0x295/0x3a0 kernel/locking/spinlock_debug.c:112
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:136 [inline]
 _raw_spin_lock_bh+0x40/0x50 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:343 [inline]
 lock_sock_nested+0x45/0x120 net/core/sock.c:2917
 lock_sock include/net/sock.h:1522 [inline]
 nr_getname+0x5b/0x220 net/netrom/af_netrom.c:838
 __sys_accept4+0x63a/0x9a0 net/socket.c:1759
 __do_sys_accept4 net/socket.c:1789 [inline]
 __se_sys_accept4 net/socket.c:1786 [inline]
 __x64_sys_accept4+0x9a/0xb0 net/socket.c:1786
 do_syscall_64+0xfe/0x140 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Allocated by task 0:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:487
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:501
 __do_kmalloc mm/slab.c:3655 [inline]
 __kmalloc+0x254/0x340 mm/slab.c:3664
 kmalloc include/linux/slab.h:557 [inline]
 sk_prot_alloc+0xb0/0x290 net/core/sock.c:1603
 sk_alloc+0x38/0x950 net/core/sock.c:1657
 nr_make_new net/netrom/af_netrom.c:476 [inline]
 nr_rx_frame+0xabc/0x1e40 net/netrom/af_netrom.c:959
 nr_loopback_timer+0x6a/0x140 net/netrom/nr_loopback.c:59
 call_timer_fn+0xec/0x200 kernel/time/timer.c:1322
 expire_timers kernel/time/timer.c:1366 [inline]
 __run_timers+0x7cd/0x9c0 kernel/time/timer.c:1685
 run_timer_softirq+0x4a/0x90 kernel/time/timer.c:1698
 __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:778

Freed by task 10804:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:449
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:457
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x115/0x200 mm/slab.c:3756
 sk_prot_free net/core/sock.c:1640 [inline]
 __sk_destruct+0x567/0x660 net/core/sock.c:1726
 sk_destruct net/core/sock.c:1734 [inline]
 __sk_free+0x317/0x3e0 net/core/sock.c:1745
 sk_free net/core/sock.c:1756 [inline]
 sock_put include/net/sock.h:1725 [inline]
 sock_efree+0x60/0x80 net/core/sock.c:2042
 skb_release_head_state+0x100/0x220 net/core/skbuff.c:652
 skb_release_all net/core/skbuff.c:663 [inline]
 __kfree_skb+0x25/0x170 net/core/skbuff.c:679
 kfree_skb+0x6f/0xb0 net/core/skbuff.c:697
 nr_accept+0x4ef/0x650 net/netrom/af_netrom.c:819
 __sys_accept4+0x5bc/0x9a0 net/socket.c:1754
 __do

kernel BUG at net/core/dev.c:NUM!

2021-01-13 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    c49243e8 Merge branch 'net-fix-issues-around-register_netd..
git tree:   net
console output: https://syzkaller.appspot.com/x/log.txt?x=11da7ba8d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=bacfc914704718d3
dashboard link: https://syzkaller.appspot.com/bug?extid=2393580080a2da190f04
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13704c3f50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=160cc35750

The issue was bisected to:

commit c269a24ce057abfc31130960e96ab197ef6ab196
Author: Jakub Kicinski 
Date:   Wed Jan 6 18:40:06 2021 +

net: make free_netdev() more lenient with unregistering devices

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13901b50d0
final oops: https://syzkaller.appspot.com/x/report.txt?x=10501b50d0
console output: https://syzkaller.appspot.com/x/log.txt?x=17901b50d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2393580080a2da190...@syzkaller.appspotmail.com
Fixes: c269a24ce057 ("net: make free_netdev() more lenient with unregistering devices")

[ cut here ]
kernel BUG at net/core/dev.c:10661!
invalid opcode:  [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8459 Comm: syz-executor375 Not tainted 5.11.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:free_netdev+0x4b3/0x5e0 net/core/dev.c:10661
Call Trace:
 __rtnl_newlink+0x1484/0x16e0 net/core/rtnetlink.c:3447
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3491
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 sys_sendmsg+0x6e8/0x810 net/socket.c:2345
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
Modules linked in:
---[ end trace ec4d68ff94a95202 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.

KASAN: use-after-free Read in skb_release_head_state

2021-01-13 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:996e435f Merge tag 'zonefs-5.11-rc3' of git://git.kernel.o..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=149f3770d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=bacfc914704718d3
dashboard link: https://syzkaller.appspot.com/bug?extid=60c13361d933487eed83
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+60c13361d933487ee...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in skb_dst_drop include/net/dst.h:269 [inline]
BUG: KASAN: use-after-free in skb_release_head_state+0x223/0x250 net/core/skbuff.c:653
Read of size 8 at addr 888020b57a58 by task syz-executor.3/23125

CPU: 0 PID: 23125 Comm: syz-executor.3 Not tainted 5.11.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
 skb_dst_drop include/net/dst.h:269 [inline]
 skb_release_head_state+0x223/0x250 net/core/skbuff.c:653
 skb_release_all net/core/skbuff.c:667 [inline]
 __kfree_skb net/core/skbuff.c:683 [inline]
 kfree_skb net/core/skbuff.c:701 [inline]
 kfree_skb+0xfa/0x3f0 net/core/skbuff.c:695
 hci_dev_do_open+0xa4a/0x1a00 net/bluetooth/hci_core.c:1619
 hci_dev_open+0x132/0x300 net/bluetooth/hci_core.c:1685
 hci_sock_ioctl+0x5b6/0x840 net/bluetooth/hci_sock.c:1025
 sock_do_ioctl+0xcb/0x2d0 net/socket.c:1037
 sock_ioctl+0x477/0x6a0 net/socket.c:1177
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Allocated by task 8520:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:401 [inline]
 kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:429
 kasan_slab_alloc include/linux/kasan.h:205 [inline]
 slab_post_alloc_hook mm/slab.h:512 [inline]
 slab_alloc_node mm/slub.c:2891 [inline]
 slab_alloc mm/slub.c:2899 [inline]
 kmem_cache_alloc+0x1c6/0x440 mm/slub.c:2904
 skb_clone+0x14f/0x3c0 net/core/skbuff.c:1449
 hci_cmd_work+0x18f/0x390 net/bluetooth/hci_core.c:5007
 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Freed by task 8519:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:356
 kasan_slab_free+0xe1/0x110 mm/kasan/common.c:362
 kasan_slab_free include/linux/kasan.h:188 [inline]
 slab_free_hook mm/slub.c:1547 [inline]
 slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1580
 slab_free mm/slub.c:3142 [inline]
 kmem_cache_free+0x82/0x350 mm/slub.c:3158
 kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:627
 __kfree_skb net/core/skbuff.c:684 [inline]
 kfree_skb net/core/skbuff.c:701 [inline]
 kfree_skb+0x140/0x3f0 net/core/skbuff.c:695
 hci_cmd_work+0x182/0x390 net/bluetooth/hci_core.c:5005
 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

The buggy address belongs to the object at 888020b57a00
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 88 bytes inside of
 232-byte region [888020b57a00, 888020b57ae8)
The buggy address belongs to the page:

KMSAN: uninit-value in ip_route_output_key_hash_rcu (4)

2021-01-13 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    73d62e81 kmsan: random: prevent boot-time reports in _mix_..
git tree:   https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=10998e9350
kernel config:  https://syzkaller.appspot.com/x/.config?x=2cdf4151c9653e32
dashboard link: https://syzkaller.appspot.com/bug?extid=549e451574ba8bfd0fd6
compiler:       clang version 11.0.0 (https://github.com/llvm/llvm-project.git ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+549e451574ba8bfd0...@syzkaller.appspotmail.com

=
BUG: KMSAN: uninit-value in ip_route_output_key_hash_rcu+0xe77/0x1f20 net/ipv4/route.c:2588
CPU: 1 PID: 8547 Comm: syz-executor.0 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
 ip_route_output_key_hash_rcu+0xe77/0x1f20 net/ipv4/route.c:2588
 ip_route_output_key_hash+0x21b/0x2d0 net/ipv4/route.c:2507
 __ip_route_output_key include/net/route.h:126 [inline]
 xfrmi_xmit+0x4cb/0x1fd0 net/xfrm/xfrm_interface.c:376
 __netdev_start_xmit include/linux/netdevice.h:4718 [inline]
 netdev_start_xmit include/linux/netdevice.h:4732 [inline]
 xmit_one+0x2b9/0x770 net/core/dev.c:3564
 dev_hard_start_xmit net/core/dev.c:3580 [inline]
 __dev_queue_xmit+0x33f2/0x4520 net/core/dev.c:4140
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:4173
 packet_snd net/packet/af_packet.c:2992 [inline]
 packet_sendmsg+0x86f9/0x99d0 net/packet/af_packet.c:3017
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg net/socket.c:671 [inline]
 sys_sendmsg+0xc7a/0x1240 net/socket.c:2353
 ___sys_sendmsg net/socket.c:2407 [inline]
 __sys_sendmmsg+0xa56/0x1060 net/socket.c:2497
 __do_sys_sendmmsg net/socket.c:2526 [inline]
 __se_sys_sendmmsg+0xbd/0xe0 net/socket.c:2523
 __x64_sys_sendmmsg+0x56/0x70 net/socket.c:2523
 do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:289
 __msan_chain_origin+0x57/0xa0 mm/kmsan/kmsan_instr.c:147
 decode_session4 net/xfrm/xfrm_policy.c:3285 [inline]
 __xfrm_decode_session+0x15d5/0x3890 net/xfrm/xfrm_policy.c:3481
 xfrm_decode_session include/net/xfrm.h:1137 [inline]
 xfrmi_xmit+0x243/0x1fd0 net/xfrm/xfrm_interface.c:369
 __netdev_start_xmit include/linux/netdevice.h:4718 [inline]
 netdev_start_xmit include/linux/netdevice.h:4732 [inline]
 xmit_one+0x2b9/0x770 net/core/dev.c:3564
 dev_hard_start_xmit net/core/dev.c:3580 [inline]
 __dev_queue_xmit+0x33f2/0x4520 net/core/dev.c:4140
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:4173
 packet_snd net/packet/af_packet.c:2992 [inline]
 packet_sendmsg+0x86f9/0x99d0 net/packet/af_packet.c:3017
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg net/socket.c:671 [inline]
 sys_sendmsg+0xc7a/0x1240 net/socket.c:2353
 ___sys_sendmsg net/socket.c:2407 [inline]
 __sys_sendmmsg+0xa56/0x1060 net/socket.c:2497
 __do_sys_sendmmsg net/socket.c:2526 [inline]
 __se_sys_sendmmsg+0xbd/0xe0 net/socket.c:2523
 __x64_sys_sendmmsg+0x56/0x70 net/socket.c:2523
 do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]
 kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104
 kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76
 slab_alloc_node mm/slub.c:2906 [inline]
 __kmalloc_node_track_caller+0xc61/0x15f0 mm/slub.c:4512
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 __alloc_skb+0x309/0xae0 net/core/skbuff.c:210
 alloc_skb include/linux/skbuff.h:1094 [inline]
 alloc_skb_with_frags+0x1f3/0xc20 net/core/skbuff.c:5832
 sock_alloc_send_pskb+0xc73/0xe40 net/core/sock.c:2329
 packet_alloc_skb net/packet/af_packet.c:2840 [inline]
 packet_snd net/packet/af_packet.c:2935 [inline]
 packet_sendmsg+0x6aa3

Re: kernel BUG at net/core/dev.c:NUM!

2021-01-13 Thread syzbot
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any 
issue:

Reported-and-tested-by: syzbot+2393580080a2da190...@syzkaller.appspotmail.com

Tested on:

commit: 3a30363e net: sit: unregister_netdevice on newlink's error..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/kuba/linux.git sit-fix
kernel config:  https://syzkaller.appspot.com/x/.config?x=bacfc914704718d3
dashboard link: https://syzkaller.appspot.com/bug?extid=2393580080a2da190f04
compiler:   gcc (GCC) 10.1.0-syz 20200507

Note: testing is done by a robot and is best-effort only.


KMSAN: uninit-value in nf_conntrack_udplite_packet (2)

2021-01-14 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    73d62e81 kmsan: random: prevent boot-time reports in _mix_..
git tree:   https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=11eb6ce750
kernel config:  https://syzkaller.appspot.com/x/.config?x=2cdf4151c9653e32
dashboard link: https://syzkaller.appspot.com/bug?extid=e5b49f0d1e69d0c0fcb4
compiler:       clang version 11.0.0 (https://github.com/llvm/llvm-project.git ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13922a3f50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11c6c2f750

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e5b49f0d1e69d0c0f...@syzkaller.appspotmail.com

=
BUG: KMSAN: uninit-value in udplite_error net/netfilter/nf_conntrack_proto_udp.c:162 [inline]
BUG: KMSAN: uninit-value in nf_conntrack_udplite_packet+0x7b2/0x12d0 net/netfilter/nf_conntrack_proto_udp.c:188
CPU: 1 PID: 8615 Comm: syz-executor710 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
 udplite_error net/netfilter/nf_conntrack_proto_udp.c:162 [inline]
 nf_conntrack_udplite_packet+0x7b2/0x12d0 net/netfilter/nf_conntrack_proto_udp.c:188
 nf_conntrack_handle_packet net/netfilter/nf_conntrack_core.c:1768 [inline]
 nf_conntrack_in+0x10fb/0x298f net/netfilter/nf_conntrack_core.c:1846
 ipv4_conntrack_local+0x225/0x3b0 net/netfilter/nf_conntrack_proto.c:200
 nf_hook_entry_hookfn include/linux/netfilter.h:136 [inline]
 nf_hook_slow+0x17b/0x460 net/netfilter/core.c:589
 nf_hook include/linux/netfilter.h:256 [inline]
 __ip_local_out+0x7a6/0x860 net/ipv4/ip_output.c:115
 ip_local_out net/ipv4/ip_output.c:124 [inline]
 ip_send_skb+0xb3/0x340 net/ipv4/ip_output.c:1568
 udp_send_skb+0x1568/0x1be0 net/ipv4/udp.c:948
 udp_push_pending_frames net/ipv4/udp.c:976 [inline]
 udp_sendpage+0x805/0xb90 net/ipv4/udp.c:1347
 inet_sendpage+0x1da/0x2f0 net/ipv4/af_inet.c:831
 kernel_sendpage+0x47a/0x590 net/socket.c:3646
 sock_sendpage+0x15e/0x1a0 net/socket.c:944
 pipe_to_sendpage+0x3f4/0x530 fs/splice.c:364
 splice_from_pipe_feed fs/splice.c:418 [inline]
 __splice_from_pipe+0x5e3/0xff0 fs/splice.c:562
 splice_from_pipe fs/splice.c:597 [inline]
 generic_splice_sendpage+0x1d5/0x2d0 fs/splice.c:743
 do_splice_from fs/splice.c:764 [inline]
 do_splice+0x2365/0x3550 fs/splice.c:1059
 __do_splice fs/splice.c:1137 [inline]
 __do_sys_splice fs/splice.c:1343 [inline]
 __se_sys_splice+0x8f8/0xb40 fs/splice.c:1325
 __x64_sys_splice+0x6e/0x90 fs/splice.c:1325
 do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:289
 __msan_chain_origin+0x57/0xa0 mm/kmsan/kmsan_instr.c:147
 udp_send_skb+0x17aa/0x1be0 net/ipv4/udp.c:943
 udp_push_pending_frames net/ipv4/udp.c:976 [inline]
 udp_sendpage+0x805/0xb90 net/ipv4/udp.c:1347
 inet_sendpage+0x1da/0x2f0 net/ipv4/af_inet.c:831
 kernel_sendpage+0x47a/0x590 net/socket.c:3646
 sock_sendpage+0x15e/0x1a0 net/socket.c:944
 pipe_to_sendpage+0x3f4/0x530 fs/splice.c:364
 splice_from_pipe_feed fs/splice.c:418 [inline]
 __splice_from_pipe+0x5e3/0xff0 fs/splice.c:562
 splice_from_pipe fs/splice.c:597 [inline]
 generic_splice_sendpage+0x1d5/0x2d0 fs/splice.c:743
 do_splice_from fs/splice.c:764 [inline]
 do_splice+0x2365/0x3550 fs/splice.c:1059
 __do_splice fs/splice.c:1137 [inline]
 __do_sys_splice fs/splice.c:1343 [inline]
 __se_sys_splice+0x8f8/0xb40 fs/splice.c:1325
 __x64_sys_splice+0x6e/0x90 fs/splice.c:1325
 do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:289
 kmsan_memcpy_memmove_metadata+0x25e/0x2d0 mm/kmsan/kmsan.c:226
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan

general protection fault in xsk_recvmsg

2021-01-14 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    df542285 Merge branch 'xdp-preferred-busy-polling'
git tree:   bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1142680950
kernel config:  https://syzkaller.appspot.com/x/.config?x=6774dc081604c527
dashboard link: https://syzkaller.appspot.com/bug?extid=b974d32294d1dffbea36
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1648b0e550
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=125af4ad50

The issue was bisected to:

commit dcd479e10a0510522a5d88b29b8f79ea3467d501
Author: Johannes Berg 
Date:   Fri Oct 9 12:17:11 2020 +

mac80211: always wind down STA state

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=12356d1d50
final oops: https://syzkaller.appspot.com/x/report.txt?x=11356d1d50
console output: https://syzkaller.appspot.com/x/log.txt?x=16356d1d50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b974d32294d1dffbe...@syzkaller.appspotmail.com
Fixes: dcd479e10a05 ("mac80211: always wind down STA state")

general protection fault, probably for non-canonical address 0xdc45:  [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0228-0x022f]
CPU: 1 PID: 8481 Comm: syz-executor119 Not tainted 5.10.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:xsk_recvmsg+0x79/0x5e0 net/xdp/xsk.c:563
Call Trace:
 sock_recvmsg_nosec net/socket.c:885 [inline]
 sock_recvmsg net/socket.c:903 [inline]
 sock_recvmsg net/socket.c:899 [inline]
 sys_recvmsg+0x2c4/0x600 net/socket.c:2576
 ___sys_recvmsg+0x127/0x200 net/socket.c:2618
 __sys_recvmsg+0xe2/0x1a0 net/socket.c:2654
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
Modules linked in:
---[ end trace 184efc29c05fd9c5 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


Re: INFO: rcu detected stall in sock_close (3)

2021-01-15 Thread syzbot
syzbot suspects this issue was fixed by commit:

commit 98b89b649fce39dacb9dc036d6d0fdb8caff73f7
Author: Jens Axboe 
Date:   Fri Oct 9 22:03:01 2020 +

signal: kill JOBCTL_TASK_WORK

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=14b99c20d0
start commit:   7cc2a8ea Merge tag 'block-5.8-2020-07-01' of git://git.ker..
git tree:   upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=183dd243398ba7ec
dashboard link: https://syzkaller.appspot.com/bug?extid=4168fa4c45be33afa73c
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=112223b710
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=154793a310

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: signal: kill JOBCTL_TASK_WORK

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


Re: WARNING in io_disable_sqo_submit

2021-01-18 Thread syzbot
syzbot has bisected this issue to:

commit dcd479e10a0510522a5d88b29b8f79ea3467d501
Author: Johannes Berg 
Date:   Fri Oct 9 12:17:11 2020 +

mac80211: always wind down STA state

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13b8b83b50
start commit:   a1339d63 Merge tag 'powerpc-5.11-4' of git://git.kernel.or..
git tree:   upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=1078b83b50
console output: https://syzkaller.appspot.com/x/log.txt?x=17b8b83b50
kernel config:  https://syzkaller.appspot.com/x/.config?x=c60c9ff9cc916cbc
dashboard link: https://syzkaller.appspot.com/bug?extid=2f5d1785dc624932da78
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=10f207c750

Reported-by: syzbot+2f5d1785dc624932d...@syzkaller.appspotmail.com
Fixes: dcd479e10a05 ("mac80211: always wind down STA state")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


WARNING in cfg80211_bss_update

2021-01-19 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    66c55602 skbuff: back tiny skbs with kmalloc() in __netdev..
git tree:   net
console output: https://syzkaller.appspot.com/x/log.txt?x=121bf89f50
kernel config:  https://syzkaller.appspot.com/x/.config?x=c60c9ff9cc916cbc
dashboard link: https://syzkaller.appspot.com/bug?extid=95c52e652a2fac1fcdf5
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+95c52e652a2fac1fc...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 1 PID: 25700 at net/wireless/scan.c:1565 cfg80211_combine_bsses net/wireless/scan.c:1565 [inline]
WARNING: CPU: 1 PID: 25700 at net/wireless/scan.c:1565 cfg80211_bss_update+0x16cd/0x1c60 net/wireless/scan.c:1746
Modules linked in:
CPU: 1 PID: 25700 Comm: kworker/u4:15 Not tainted 5.11.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: phy12 ieee80211_iface_work
RIP: 0010:cfg80211_combine_bsses net/wireless/scan.c:1565 [inline]
RIP: 0010:cfg80211_bss_update+0x16cd/0x1c60 net/wireless/scan.c:1746
Call Trace:
 cfg80211_inform_single_bss_frame_data+0x6e2/0xe90 net/wireless/scan.c:2400
 cfg80211_inform_bss_frame_data+0xa7/0xb10 net/wireless/scan.c:2433
 ieee80211_bss_info_update+0x3ce/0xb20 net/mac80211/scan.c:190
 ieee80211_rx_bss_info net/mac80211/ibss.c:1126 [inline]
 ieee80211_rx_mgmt_probe_beacon+0xccd/0x16b0 net/mac80211/ibss.c:1615
 ieee80211_ibss_rx_queued_mgmt+0xe3e/0x1870 net/mac80211/ibss.c:1642
 ieee80211_iface_work+0x761/0x9e0 net/mac80211/iface.c:1423
 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


WARNING in kmalloc_array

2021-01-19 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:0da0a8a0 Merge tag 'scsi-fixes' of git://git.kernel.org/pu..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1293e1f750
kernel config:  https://syzkaller.appspot.com/x/.config?x=ee2266946ed36986
dashboard link: https://syzkaller.appspot.com/bug?extid=5d578be9b4bfe1b6bbd6
compiler:   clang version 11.0.1

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5d578be9b4bfe1b6b...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 1 PID: 15540 at mm/page_alloc.c:4977 
__alloc_pages_nodemask+0x4e5/0x5a0 mm/page_alloc.c:5021
Modules linked in:
CPU: 1 PID: 15540 Comm: syz-executor.2 Not tainted 5.11.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:__alloc_pages_nodemask+0x4e5/0x5a0 mm/page_alloc.c:5021
Code: ab 09 00 e9 dd fd ff ff 44 89 e9 80 e1 07 80 c1 03 38 c1 0f 8c eb fd ff 
ff 4c 89 ef e8 f4 aa 09 00 8b 74 24 18 e9 da fd ff ff <0f> 0b e9 f3 fd ff ff a9 
00 00 08 00 75 16 8b 4c 24 1c 89 cb 81 e3
RSP: 0018:c90016bff620 EFLAGS: 00010246
RAX: c90016bff6a0 RBX: c90016bff6a0 RCX: 
RDX: 0028 RSI:  RDI: c90016bff6c8
RBP: c90016bff758 R08: dc00 R09: c90016bff6a0
R10: f52002d7fed9 R11:  R12: dc00
R13: 0018 R14: 192002d7fed0 R15: 00040dc0
FS:  7fc7102ae700() GS:8880b9c0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 00749138 CR3: 25dd7000 CR4: 001506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0600
Call Trace:
 alloc_pages include/linux/gfp.h:547 [inline]
 kmalloc_order+0x40/0x130 mm/slab_common.c:837
 kmalloc_order_trace+0x15/0x70 mm/slab_common.c:853
 kmalloc_large include/linux/slab.h:481 [inline]
 __kmalloc+0x257/0x330 mm/slub.c:3959
 kmalloc_array+0x2d/0x40 include/linux/slab.h:593
 kcalloc include/linux/slab.h:621 [inline]
 rds_rdma_extra_size+0x84/0x300 net/rds/rdma.c:568
 rds_rm_size net/rds/send.c:928 [inline]
 rds_sendmsg+0xfad/0x3210 net/rds/send.c:1265
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg net/socket.c:672 [inline]
 sys_sendmsg+0x5a2/0x900 net/socket.c:2345
 ___sys_sendmsg net/socket.c:2399 [inline]
 __sys_sendmsg+0x319/0x400 net/socket.c:2432
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45e219
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 
db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fc7102adc68 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 0003 RCX: 0045e219
RDX:  RSI: 20001600 RDI: 0003
RBP: 0119bfc0 R08:  R09: 
R10:  R11: 0246 R12: 0119bf8c
R13: 7ffd4cf1c0cf R14: 7fc7102ae9c0 R15: 0119bf8c


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
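The trace above shows a kcalloc() from rds_rdma_extra_size(), reached from a plain sendmsg(), falling through kmalloc_large() to the page allocator and hitting the WARN in __alloc_pages_nodemask(). The report does not say which user-supplied field sized the request, so nothing below claims that; the point worth taking from the trace is the general one: kcalloc()'s built-in guard only catches count*size overflowing, not a request that is merely far too large, and with panic_on_warn (as on syzbot) a large-order request that trips the allocator's WARN is a crash. The code below is an added userspace model, not kernel or RDS code: it assumes a 4 KiB page, a MAX_ORDER of 11 (the x86-64 default) and a hypothetical 1 MiB per-request ceiling, and separates the two checks a caller-controlled count needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Model of the page allocator's limits (assumptions: x86-64 defaults). */
#define MODEL_PAGE_SHIFT 12
#define MODEL_MAX_ORDER  11

/* Hypothetical policy ceiling for one caller-driven allocation. */
#define BOUNDED_ALLOC_MAX_BYTES ((size_t)1 << 20)   /* 1 MiB */

enum bounded_alloc_status { BA_OK = 0, BA_OVERFLOW = 1, BA_TOO_LARGE = 2 };

/* Smallest page order whose span holds 'bytes' (what get_order() computes). */
unsigned int page_order_for(size_t bytes)
{
    unsigned int order = 0;

    while (order < 63 && ((size_t)1 << (MODEL_PAGE_SHIFT + order)) < bytes)
        order++;
    return order;
}

/* A request this large reaches the allocator with order >= MAX_ORDER, which is
 * the condition that emits a WARN (and, under panic_on_warn, a panic). */
int would_trip_max_order_warn(size_t bytes)
{
    return page_order_for(bytes) >= MODEL_MAX_ORDER;
}

/* Classify a caller-supplied (count, elem_size) pair before allocating. */
enum bounded_alloc_status bounded_alloc_check(size_t count, size_t elem_size,
                                              size_t max_bytes)
{
    size_t bytes;

    /* Check 1: multiplication overflow. This is the only thing kcalloc()
     * itself rejects; it is necessary but not sufficient. */
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return BA_OVERFLOW;
    bytes = count * elem_size;

    /* Check 2: an explicit ceiling derived from the protocol, not from what
     * the allocator can theoretically hand out. Without it a count that does
     * not overflow can still be absurd. */
    if (bytes > max_bytes)
        return BA_TOO_LARGE;
    return BA_OK;
}

/* calloc() wrapper that refuses anything failing either check. */
void *bounded_calloc(size_t count, size_t elem_size, size_t max_bytes)
{
    if (bounded_alloc_check(count, elem_size, max_bytes) != BA_OK)
        return NULL;
    return calloc(count, elem_size);
}

int main(void)
{
    /* Constructed inputs: 1<<20 "iovecs" of 16 bytes is 16 MiB, which does not
     * overflow size_t yet would be an order-12 request in the model. */
    size_t count = (size_t)1 << 20, elem = 16;

    printf("check: %d (2 == too large)\n",
           bounded_alloc_check(count, elem, BOUNDED_ALLOC_MAX_BYTES));
    printf("order for %zu bytes: %u, trips WARN: %d\n", count * elem,
           page_order_for(count * elem),
           would_trip_max_order_warn(count * elem));
    return 0;
}
```

Usage: pass the ceiling that fits the message format (for a socket option carrying an iovec count, the number of iovecs a message can legitimately carry), and reject at the syscall boundary rather than relying on the allocator to fail gracefully.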


Re: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run7

2021-01-20 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:7d68e382 bpf: Permit size-0 datasec
git tree:   bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1418c3c750
kernel config:  https://syzkaller.appspot.com/x/.config?x=e0c7843b8af99dff
dashboard link: https://syzkaller.appspot.com/bug?extid=fad5d91c7158ce568634
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1224daa4d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13dfabd0d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fad5d91c7158ce568...@syzkaller.appspotmail.com

==
BUG: KASAN: vmalloc-out-of-bounds in __bpf_trace_run 
kernel/trace/bpf_trace.c:2088 [inline]
BUG: KASAN: vmalloc-out-of-bounds in bpf_trace_run7+0x411/0x420 
kernel/trace/bpf_trace.c:2130
Read of size 8 at addr c9e5c030 by task syz-executor460/8508

CPU: 1 PID: 8508 Comm: syz-executor460 Not tainted 5.11.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5/0x2f8 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
 __bpf_trace_run kernel/trace/bpf_trace.c:2088 [inline]
 bpf_trace_run7+0x411/0x420 kernel/trace/bpf_trace.c:2130
 __bpf_trace_percpu_alloc_percpu+0x1dc/0x220 include/trace/events/percpu.h:10
 __traceiter_percpu_alloc_percpu+0x97/0xf0 include/trace/events/percpu.h:10
 trace_percpu_alloc_percpu include/trace/events/percpu.h:10 [inline]
 pcpu_alloc+0xba6/0x16f0 mm/percpu.c:1844
 bpf_prog_alloc+0x78/0x250 kernel/bpf/core.c:117
 bpf_prog_load+0x656/0x1f40 kernel/bpf/syscall.c:2152
 __do_sys_bpf+0x1251/0x4f00 kernel/bpf/syscall.c:4380
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x441659
Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 
8b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7ffebad746f8 EFLAGS: 0246 ORIG_RAX: 0141
RAX: ffda RBX:  RCX: 00441659
RDX: 0078 RSI: 2200 RDI: 0005
RBP: 0001191b R08:  R09: 
R10:  R11: 0246 R12: 00402470
R13: 00402500 R14:  R15: 


Memory state around the buggy address:
 c9e5bf00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 c9e5bf80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>c9e5c000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ^
 c9e5c080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 c9e5c100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==



Re: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run7

2021-01-20 Thread syzbot
syzbot has bisected this issue to:

commit 8b401f9ed2441ad9e219953927a842d24ed051fc
Author: Yonghong Song 
Date:   Thu May 23 21:47:45 2019 +

bpf: implement bpf_send_signal() helper

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=123408e750
start commit:   7d68e382 bpf: Permit size-0 datasec
git tree:   bpf-next
final oops: https://syzkaller.appspot.com/x/report.txt?x=113408e750
console output: https://syzkaller.appspot.com/x/log.txt?x=163408e750
kernel config:  https://syzkaller.appspot.com/x/.config?x=e0c7843b8af99dff
dashboard link: https://syzkaller.appspot.com/bug?extid=fad5d91c7158ce568634
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1224daa4d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13dfabd0d0

Reported-by: syzbot+fad5d91c7158ce568...@syzkaller.appspotmail.com
Fixes: 8b401f9ed244 ("bpf: implement bpf_send_signal() helper")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


UBSAN: array-index-out-of-bounds in decode_data

2021-01-21 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:9791581c Merge tag 'for-5.11-rc4-tag' of git://git.kernel...
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11970b20d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=39701af622f054a9
dashboard link: https://syzkaller.appspot.com/bug?extid=70ba6cae2f44c82dcb76
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+70ba6cae2f44c82dc...@syzkaller.appspotmail.com

UBSAN: array-index-out-of-bounds in drivers/net/hamradio/6pack.c:845:16
index 400 is out of range for type 'unsigned char [400]'
CPU: 0 PID: 24 Comm: kworker/u4:1 Not tainted 5.11.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Workqueue: events_unbound flush_to_ldisc
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:356
 decode_data.part.0+0x2c8/0x2e0 drivers/net/hamradio/6pack.c:845
 decode_data drivers/net/hamradio/6pack.c:965 [inline]
 sixpack_decode drivers/net/hamradio/6pack.c:968 [inline]
 sixpack_receive_buf drivers/net/hamradio/6pack.c:458 [inline]
 sixpack_receive_buf+0xd8c/0x1320 drivers/net/hamradio/6pack.c:435
 tty_ldisc_receive_buf+0x14a/0x190 drivers/tty/tty_buffer.c:465
 tty_port_default_receive_buf+0x6e/0xa0 drivers/tty/tty_port.c:38
 receive_buf drivers/tty/tty_buffer.c:481 [inline]
 flush_to_ldisc+0x20d/0x380 drivers/tty/tty_buffer.c:533
 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 24 Comm: kworker/u4:1 Not tainted 5.11.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Workqueue: events_unbound flush_to_ldisc
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 panic+0x306/0x73d kernel/panic.c:231
 ubsan_epilogue+0x54/0x5a lib/ubsan.c:162
 __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:356
 decode_data.part.0+0x2c8/0x2e0 drivers/net/hamradio/6pack.c:845
 decode_data drivers/net/hamradio/6pack.c:965 [inline]
 sixpack_decode drivers/net/hamradio/6pack.c:968 [inline]
 sixpack_receive_buf drivers/net/hamradio/6pack.c:458 [inline]
 sixpack_receive_buf+0xd8c/0x1320 drivers/net/hamradio/6pack.c:435
 tty_ldisc_receive_buf+0x14a/0x190 drivers/tty/tty_buffer.c:465
 tty_port_default_receive_buf+0x6e/0xa0 drivers/tty/tty_port.c:38
 receive_buf drivers/tty/tty_buffer.c:481 [inline]
 flush_to_ldisc+0x20d/0x380 drivers/tty/tty_buffer.c:533
 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


Re: UBSAN: array-index-out-of-bounds in decode_data

2021-01-21 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:9791581c Merge tag 'for-5.11-rc4-tag' of git://git.kernel...
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13cd09a4d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=39701af622f054a9
dashboard link: https://syzkaller.appspot.com/bug?extid=70ba6cae2f44c82dcb76
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=133d8030d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+70ba6cae2f44c82dc...@syzkaller.appspotmail.com


UBSAN: array-index-out-of-bounds in drivers/net/hamradio/6pack.c:845:16
index 400 is out of range for type 'unsigned char [400]'
CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted 5.11.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Workqueue: events_unbound flush_to_ldisc
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:356
 decode_data.part.0+0x2c8/0x2e0 drivers/net/hamradio/6pack.c:845
 decode_data drivers/net/hamradio/6pack.c:965 [inline]
 sixpack_decode drivers/net/hamradio/6pack.c:968 [inline]
 sixpack_receive_buf drivers/net/hamradio/6pack.c:458 [inline]
 sixpack_receive_buf+0xd8c/0x1320 drivers/net/hamradio/6pack.c:435
 tty_ldisc_receive_buf+0x14a/0x190 drivers/tty/tty_buffer.c:465
 tty_port_default_receive_buf+0x6e/0xa0 drivers/tty/tty_port.c:38
 receive_buf drivers/tty/tty_buffer.c:481 [inline]
 flush_to_ldisc+0x20d/0x380 drivers/tty/tty_buffer.c:533
 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted 5.11.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Workqueue: events_unbound flush_to_ldisc
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 panic+0x306/0x73d kernel/panic.c:231
 ubsan_epilogue+0x54/0x5a lib/ubsan.c:162
 __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:356
 decode_data.part.0+0x2c8/0x2e0 drivers/net/hamradio/6pack.c:845
 decode_data drivers/net/hamradio/6pack.c:965 [inline]
 sixpack_decode drivers/net/hamradio/6pack.c:968 [inline]
 sixpack_receive_buf drivers/net/hamradio/6pack.c:458 [inline]
 sixpack_receive_buf+0xd8c/0x1320 drivers/net/hamradio/6pack.c:435
 tty_ldisc_receive_buf+0x14a/0x190 drivers/tty/tty_buffer.c:465
 tty_port_default_receive_buf+0x6e/0xa0 drivers/tty/tty_port.c:38
 receive_buf drivers/tty/tty_buffer.c:481 [inline]
 flush_to_ldisc+0x20d/0x380 drivers/tty/tty_buffer.c:533
 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Kernel Offset: disabled
Rebooting in 86400 seconds..
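Both 6pack reports above say the same thing: UBSAN caught an index of 400 into an `unsigned char [400]` at drivers/net/hamradio/6pack.c:845, i.e. one element past the end of a fixed receive buffer, while decode_data() was unpacking bytes that arrived through the tty line discipline (flush_to_ldisc -> sixpack_receive_buf -> sixpack_decode -> decode_data). Input on that path is whatever the peer on the serial link, or a local user who attached the line discipline, chooses to send, so a decoder that keeps appending until it sees a frame terminator walks off the end of its buffer. The model below is an added example, not the driver's code: it assumes the 6pack decode step (four six-bit bytes become three bytes) writing into a 400-byte cooked buffer, and shows the bounds check such a decoder needs before each group, plus an encoder so the decoder can be exercised on a constructed stream. The struct and function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Matches the array type in the UBSAN message: 'unsigned char [400]'. */
#define SIXP_COOKED_MAX 400

/* Receive-side state of a simplified 6pack decoder (assumed layout). */
struct sixpack_rx {
    unsigned char raw_buf[4];      /* six-bit input bytes of the current group */
    unsigned int rx_count;         /* how many of raw_buf are filled (0..3) */
    unsigned char cooked_buf[SIXP_COOKED_MAX];
    unsigned int rx_count_cooked;  /* next free index in cooked_buf */
    unsigned int overruns;         /* frames dropped because cooked_buf was full */
};

/*
 * Consume one six-bit payload byte from the serial line. Every fourth byte
 * completes a group and emits three decoded bytes. Returns 0, or -1 when the
 * group would not fit: the frame is dropped and the decoder state reset, so a
 * peer that never sends a frame terminator cannot index past cooked_buf.
 */
int sixpack_decode_byte(struct sixpack_rx *sp, unsigned char inbyte)
{
    unsigned char *buf = sp->raw_buf;

    if (sp->rx_count != 3) {
        buf[sp->rx_count++] = inbyte;
        return 0;
    }

    /* The check that turns an index-400 write into a dropped frame:
     * three writes follow, so require three free slots. */
    if (sp->rx_count_cooked + 3 > sizeof(sp->cooked_buf)) {
        sp->overruns++;
        sp->rx_count = 0;
        sp->rx_count_cooked = 0;
        return -1;
    }

    sp->cooked_buf[sp->rx_count_cooked++] = buf[0] | ((buf[1] << 2) & 0xc0);
    sp->cooked_buf[sp->rx_count_cooked++] = (buf[1] & 0x0f) | ((buf[2] << 2) & 0xf0);
    sp->cooked_buf[sp->rx_count_cooked++] = (buf[2] & 0x03) | (unsigned char)(inbyte << 2);
    sp->rx_count = 0;
    return 0;
}

/* Inverse of the decode step: 3 bytes -> 4 six-bit bytes (example's own helper). */
void sixpack_encode3(const unsigned char c[3], unsigned char out[4])
{
    out[0] = c[0] & 0x3f;
    out[1] = ((c[0] >> 2) & 0x30) | (c[1] & 0x0f);
    out[2] = ((c[1] >> 2) & 0x3c) | (c[2] & 0x03);
    out[3] = (c[2] >> 2) & 0x3f;
}

/* Feed a whole byte stream into a fresh decoder; returns the number of cooked
 * bytes produced, or -1 if the stream was rejected for overrunning the buffer. */
int sixpack_feed(struct sixpack_rx *sp, const unsigned char *data, size_t len)
{
    memset(sp, 0, sizeof(*sp));
    for (size_t i = 0; i < len; i++)
        if (sixpack_decode_byte(sp, data[i]) < 0)
            return -1;
    return (int)sp->rx_count_cooked;
}

/* Constructed stream of 'groups' encoded triplets (max 256 groups). */
int sixpack_stream_result(size_t groups)
{
    static unsigned char stream[4 * 256];
    static struct sixpack_rx sp;
    const unsigned char triple[3] = { 0xaa, 0x55, 0xf0 };

    if (groups > 256)
        return -2;
    for (size_t g = 0; g < groups; g++)
        sixpack_encode3(triple, &stream[4 * g]);
    return sixpack_feed(&sp, stream, 4 * groups);
}

/* Encode a constructed 6-byte message, decode it, and compare. */
int sixpack_roundtrip_ok(void)
{
    static const unsigned char msg[6] = { 'A', 'B', 'C', 'D', 'E', 'F' };
    static unsigned char enc[8];
    static struct sixpack_rx sp;

    sixpack_encode3(msg, enc);
    sixpack_encode3(msg + 3, enc + 4);
    if (sixpack_feed(&sp, enc, sizeof(enc)) != 6)
        return 0;
    return memcmp(sp.cooked_buf, msg, sizeof(msg)) == 0;
}

int main(void)
{
    printf("roundtrip ok: %d\n", sixpack_roundtrip_ok());
    printf("133 groups -> %d cooked bytes\n", sixpack_stream_result(133));
    printf("134 groups -> %d (frame dropped, no out-of-bounds write)\n",
           sixpack_stream_result(134));
    return 0;
}
```

133 groups fill 399 of the 400 slots; the 134th would need indices 399, 400 and 401, which is exactly the index-400 write UBSAN flagged. Checking "three free slots" before the group, rather than "index < size" per byte, keeps the three writes atomic and avoids emitting a partial triplet.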



linux-next test error: WARNING in cfg80211_netdev_notifier_call

2021-01-22 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:226871e2 Add linux-next specific files for 20210122
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1076afe750
kernel config:  https://syzkaller.appspot.com/x/.config?x=40930d62519ae2bd
dashboard link: https://syzkaller.appspot.com/bug?extid=8b083f465893fa214377
compiler:   gcc (GCC) 10.1.0-syz 20200507

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8b083f465893fa214...@syzkaller.appspotmail.com

device veth1_macvtap left promiscuous mode
device veth0_macvtap left promiscuous mode
device veth1_vlan left promiscuous mode
device veth0_vlan left promiscuous mode
[ cut here ]
WARNING: CPU: 0 PID: 270 at net/wireless/core.c:1455 
cfg80211_netdev_notifier_call+0xd48/0x1460 net/wireless/core.c:1455
Modules linked in:
CPU: 0 PID: 270 Comm: kworker/u4:7 Not tainted 
5.11.0-rc4-next-20210122-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:cfg80211_netdev_notifier_call+0xd48/0x1460 net/wireless/core.c:1455
Code: ce e4 3c f9 49 8d 7d 68 be ff ff ff ff e8 b0 cd c6 00 31 ff 89 c3 89 c6 
e8 35 ec 3c f9 85 db 0f 85 64 f9 ff ff e8 a8 e4 3c f9 <0f> 0b e9 58 f9 ff ff e8 
9c e4 3c f9 49 8d 7d 68 be ff ff ff ff e8
RSP: 0018:c900016af720 EFLAGS: 00010293
RAX:  RBX:  RCX: 
RDX: 88801135b800 RSI: 883638b8 RDI: 0003
RBP: 888035622000 R08:  R09: 88362ccd
R10: 883638ab R11: 0006 R12: 1920002d5ee9
R13: 888144628580 R14: 88803563 R15: 0002
FS:  () GS:8880b9f0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 00a9b158 CR3: 111dc000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2040
 call_netdevice_notifiers_extack net/core/dev.c:2052 [inline]
 call_netdevice_notifiers net/core/dev.c:2066 [inline]
 unregister_netdevice_many+0x943/0x1750 net/core/dev.c:10704
 default_device_exit_batch+0x2fa/0x3c0 net/core/dev.c:11224
 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:190
 cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:604
 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


Re: WARNING in io_disable_sqo_submit

2021-01-22 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:9f29bd8b Merge tag 'fs_for_v5.11-rc5' of git://git.kernel...
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=169f4e9f50
kernel config:  https://syzkaller.appspot.com/x/.config?x=39701af622f054a9
dashboard link: https://syzkaller.appspot.com/bug?extid=2f5d1785dc624932da78
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1156bd20d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15ce819f50

The issue was bisected to:

commit dcd479e10a0510522a5d88b29b8f79ea3467d501
Author: Johannes Berg 
Date:   Fri Oct 9 12:17:11 2020 +

mac80211: always wind down STA state

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13b8b83b50
final oops: https://syzkaller.appspot.com/x/report.txt?x=1078b83b50
console output: https://syzkaller.appspot.com/x/log.txt?x=17b8b83b50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2f5d1785dc624932d...@syzkaller.appspotmail.com
Fixes: dcd479e10a05 ("mac80211: always wind down STA state")

[ cut here ]
WARNING: CPU: 0 PID: 8572 at fs/io_uring.c:8917 
io_disable_sqo_submit+0x13d/0x180 fs/io_uring.c:8917
Modules linked in:
CPU: 1 PID: 8572 Comm: syz-executor518 Not tainted 5.11.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:io_disable_sqo_submit+0x13d/0x180 fs/io_uring.c:8917
Code: e0 07 83 c0 03 38 d0 7c 04 84 d2 75 2e 83 8b 14 01 00 00 01 4c 89 e7 e8 
d1 6d 25 07 5b 5d 41 5c e9 48 22 9b ff e8 43 22 9b ff <0f> 0b e9 00 ff ff ff e8 
87 a1 dd ff e9 37 ff ff ff e8 4d a1 dd ff
RSP: 0018:c90001c17df0 EFLAGS: 00010293
RAX:  RBX: 88801c409000 RCX: 
RDX: 8880287e8040 RSI: 81d7aa8d RDI: 88801c4090d0
RBP: 8880198a1780 R08:  R09: 12c8a801
R10: 81d7ad45 R11: 0001 R12: 88801c409000
R13: 888012c8a801 R14: 88801c409040 R15: 88801c4090d0
FS:  7f60e950b700() GS:8880b9f0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7f60e950adb8 CR3: 15b41000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 io_uring_flush+0x28b/0x3a0 fs/io_uring.c:9134
 filp_close+0xb4/0x170 fs/open.c:1280
 do_dup2+0x294/0x520 fs/file.c:1024
 ksys_dup3+0x22f/0x360 fs/file.c:1136
 __do_sys_dup2 fs/file.c:1162 [inline]
 __se_sys_dup2 fs/file.c:1150 [inline]
 __x64_sys_dup2+0x71/0x3a0 fs/file.c:1150
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x447019
Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 
db 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f60e950ace8 EFLAGS: 0246 ORIG_RAX: 0021
RAX: ffda RBX: 006dbc38 RCX: 00447019
RDX: 00447019 RSI: 0003 RDI: 0005
RBP: 006dbc30 R08:  R09: 
R10:  R11: 0246 R12: 006dbc3c
R13: 7ffc5b18d21f R14: 7f60e950b9c0 R15: 006dbc30



Re: KASAN: use-after-free Read in dump_schedule

2021-01-22 Thread syzbot
syzbot suspects this issue was fixed by commit:

commit cc00bcaa589914096edef7fb87ca5cee4a166b5c
Author: Subash Abhinov Kasiviswanathan 
Date:   Wed Nov 25 18:27:22 2020 +

netfilter: x_tables: Switch synchronization to RCU

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=10879d68d0
start commit:   59126901 Merge tag 'perf-tools-fixes-for-v5.9-2020-09-03' ..
git tree:   upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=3c5f6ce8d5b68299
dashboard link: https://syzkaller.appspot.com/bug?extid=621fd33c0b53d15ee8de
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=152c3af990
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12213b7190

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: netfilter: x_tables: Switch synchronization to RCU

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


Re: memory leak in bpf

2020-12-09 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:a68a0262 mm/madvise: remove racy mm ownership check
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11facf1750
kernel config:  https://syzkaller.appspot.com/x/.config?x=4305fa9ea70c7a9f
dashboard link: https://syzkaller.appspot.com/bug?extid=f3694595248708227d35
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=159a961350
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11bf712350

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f3694595248708227...@syzkaller.appspotmail.com

Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
BUG: memory leak
unreferenced object 0x88810efccc80 (size 64):
  comm "syz-executor334", pid 8460, jiffies 4294945724 (age 13.850s)
  hex dump (first 32 bytes):
c0 cb 14 04 00 ea ff ff c0 c2 11 04 00 ea ff ff  
c0 56 3f 04 00 ea ff ff 40 18 38 04 00 ea ff ff  .V?.@.8.
  backtrace:
[<36ae98a7>] kmalloc_node include/linux/slab.h:575 [inline]
[<36ae98a7>] bpf_ringbuf_area_alloc kernel/bpf/ringbuf.c:94 [inline]
[<36ae98a7>] bpf_ringbuf_alloc kernel/bpf/ringbuf.c:135 [inline]
[<36ae98a7>] ringbuf_map_alloc kernel/bpf/ringbuf.c:183 [inline]
[<36ae98a7>] ringbuf_map_alloc+0x1be/0x410 kernel/bpf/ringbuf.c:150
[<d2cb93ae>] find_and_alloc_map kernel/bpf/syscall.c:122 [inline]
[<d2cb93ae>] map_create kernel/bpf/syscall.c:825 [inline]
[<d2cb93ae>] __do_sys_bpf+0x7d0/0x30a0 kernel/bpf/syscall.c:4381
[<8feaf393>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<e1f53cfd>] entry_SYSCALL_64_after_hwframe+0x44/0xa9




possible deadlock in zd_chip_disable_rxtx

2020-12-10 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:8010622c USB: UAS: introduce a quirk to set no_write_same
git tree:   https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git 
usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=131e6adf50
kernel config:  https://syzkaller.appspot.com/x/.config?x=d24ee9ecd7ce968e
dashboard link: https://syzkaller.appspot.com/bug?extid=0ec3d1a6cf1fbe79c153
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13d7246b50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=172c240f50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0ec3d1a6cf1fbe79c...@syzkaller.appspotmail.com

usb 1-1: reset high-speed USB device number 2 using dummy_hcd
usb 1-1: device descriptor read/64, error -71
usb 1-1: Using ep0 maxpacket: 32
usb 1-1: unable to get BOS descriptor or descriptor too short
zd1211rw 1-1:5.118: phy1
zd1211rw 1-1:5.114: error ioread32(CR_REG1): -11

WARNING: possible recursive locking detected
5.10.0-rc7-syzkaller #0 Not tainted

kworker/1:2/2618 is trying to acquire lock:
888102cbdd10 (&chip->mutex){+.+.}-{3:3}, at: zd_chip_disable_rxtx+0x1c/0x40 
drivers/net/wireless/zydas/zd1211rw/zd_chip.c:1465

but task is already holding lock:
888101d9dd10 (&chip->mutex){+.+.}-{3:3}, at: pre_reset+0x217/0x290 
drivers/net/wireless/zydas/zd1211rw/zd_usb.c:1504

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&chip->mutex);
  lock(&chip->mutex);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

6 locks held by kworker/1:2/2618:
 #0: 888103bff538 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: 
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 888103bff538 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic64_set 
include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 888103bff538 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: 
atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 888103bff538 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: 
set_work_data kernel/workqueue.c:616 [inline]
 #0: 888103bff538 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: 
set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 888103bff538 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: 
process_one_work+0x821/0x1520 kernel/workqueue.c:2243
 #1: c91c7da8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: 
process_one_work+0x854/0x1520 kernel/workqueue.c:2247
 #2: 88810802a218 (&dev->mutex){}-{3:3}, at: device_lock 
include/linux/device.h:731 [inline]
 #2: 88810802a218 (&dev->mutex){}-{3:3}, at: hub_event+0x1c5/0x42d0 
drivers/usb/core/hub.c:5537
 #3: 8881013cd218 (&dev->mutex){}-{3:3}, at: device_lock 
include/linux/device.h:731 [inline]
 #3: 8881013cd218 (&dev->mutex){}-{3:3}, at: __device_attach+0x7a/0x4a0 
drivers/base/dd.c:887
 #4: 88810ed8c1a8 (&dev->mutex){}-{3:3}, at: device_lock 
include/linux/device.h:731 [inline]
 #4: 88810ed8c1a8 (&dev->mutex){}-{3:3}, at: __device_attach+0x7a/0x4a0 
drivers/base/dd.c:887
 #5: 888101d9dd10 (&chip->mutex){+.+.}-{3:3}, at: pre_reset+0x217/0x290 
drivers/net/wireless/zydas/zd1211rw/zd_usb.c:1504

stack backtrace:
CPU: 1 PID: 2618 Comm: kworker/1:2 Not tainted 5.10.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_deadlock_bug kernel/locking/lockdep.c:2761 [inline]
 check_deadlock kernel/locking/lockdep.c:2804 [inline]
 validate_chain kernel/locking/lockdep.c:3595 [inline]
 __lock_acquire.cold+0x15e/0x3b0 kernel/locking/lockdep.c:4832
 lock_acquire kernel/locking/lockdep.c:5437 [inline]
 lock_acquire+0x288/0x700 kernel/locking/lockdep.c:5402
 __mutex_lock_common kernel/locking/mutex.c:956 [inline]
 __mutex_lock+0x134/0x10a0 kernel/locking/mutex.c:1103
 zd_chip_disable_rxtx+0x1c/0x40 
drivers/net/wireless/zydas/zd1211rw/zd_chip.c:1465
 zd_op_stop+0x60/0x190 drivers/net/wireless/zydas/zd1211rw/zd_mac.c:343
 zd_usb_stop drivers/net/wireless/zydas/zd1211rw/zd_usb.c:1479 [inline]
 pre_reset+0x19d/0x290 drivers/net/wireless/zydas/zd1211rw/zd_usb.c:1502
 usb_reset_device+0x379/0x9a0 drivers/usb/core/hub.c:5959
 probe+0x10f/0x590 drivers/net/wireless/zydas/zd1211rw/zd_usb.c:1371
 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
 really_probe+0x291/0xde0 drivers/base/dd.c:554
 driver_probe_device+0x26b/0x3d0 drivers/base/dd.c:738
 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:844
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:

INFO: task can't die in inet_twsk_purge

2020-12-10 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:a9e26cb5 Add linux-next specific files for 20201208
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=161a961350
kernel config:  https://syzkaller.appspot.com/x/.config?x=e259434a8eaf0206
dashboard link: https://syzkaller.appspot.com/bug?extid=4c1b0c5364346e7beafa
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=109cf70350
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1587c92350

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4c1b0c5364346e7be...@syzkaller.appspotmail.com

INFO: task syz-executor343:8498 can't die for more than 143 seconds.
task:syz-executor343 state:R  running task stack:25920 pid: 8498 ppid:  
8495 flags:0x4006
Call Trace:
 context_switch kernel/sched/core.c:4325 [inline]
 __schedule+0x8eb/0x21b0 kernel/sched/core.c:5076
 preempt_schedule_irq+0x4e/0x90 kernel/sched/core.c:5338
 rcu_read_unlock include/linux/rcupdate.h:694 [inline]
 inet_twsk_purge+0x57f/0x810 net/ipv4/inet_timewait_sock.c:299
INFO: task syz-executor343:8743 can't die for more than 145 seconds.
task:syz-executor343 state:R  running task stack:25768 pid: 8743 ppid:  
8494 flags:0x4006
Call Trace:
 context_switch kernel/sched/core.c:4325 [inline]
 __schedule+0x8eb/0x21b0 kernel/sched/core.c:5076
 preempt_schedule_notrace+0x5b/0xd0 kernel/sched/core.c:5309
INFO: task syz-executor343:8744 can't die for more than 147 seconds.
task:syz-executor343 state:R  running task stack:25784 pid: 8744 ppid:  
8490 flags:0x4006
Call Trace:
 context_switch kernel/sched/core.c:4325 [inline]
 __schedule+0x8eb/0x21b0 kernel/sched/core.c:5076
INFO: task syz-executor343:8745 can't die for more than 148 seconds.
task:syz-executor343 state:D stack:25864 pid: 8745 ppid:  8491 flags:0x4006
Call Trace:
 context_switch kernel/sched/core.c:4325 [inline]
 __schedule+0x8eb/0x21b0 kernel/sched/core.c:5076
 schedule+0xcf/0x270 kernel/sched/core.c:5155
 synchronize_rcu_expedited+0x458/0x620 kernel/rcu/tree_exp.h:852
 synchronize_rcu+0xee/0x190 kernel/rcu/tree.c:3729
 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:190
 setup_net+0x508/0x850 net/core/net_namespace.c:365
 copy_net_ns+0x376/0x7b0 net/core/net_namespace.c:483
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xbd/0x230 kernel/nsproxy.c:231
 ksys_unshare+0x445/0x8e0 kernel/fork.c:2958
 __do_sys_unshare kernel/fork.c:3026 [inline]
 __se_sys_unshare kernel/fork.c:3024 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3024
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4414a9
RSP: 002b:7ffd8be6e998 EFLAGS: 0246 ORIG_RAX: 0110
RAX: ffda RBX:  RCX: 004414a9
RDX: 004414a9 RSI:  RDI: 4000
RBP: 0007851d R08: 00c2 R09: 00c2
R10:  R11: 0246 R12: 004021a0
R13: 00402230 R14:  R15: 
INFO: task syz-executor343:8748 can't die for more than 151 seconds.
task:syz-executor343 state:R  running task stack:25784 pid: 8748 ppid:  
8493 flags:0x4006
Call Trace:
 context_switch kernel/sched/core.c:4325 [inline]
 __schedule+0x8eb/0x21b0 kernel/sched/core.c:5076
 native_restore_fl arch/x86/include/asm/irqflags.h:41 [inline]
 arch_local_irq_restore arch/x86/include/asm/irqflags.h:84 [inline]
 lock_is_held_type+0xc2/0x100 kernel/locking/lockdep.c:5478


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


Re: INFO: task hung in linkwatch_event (2)

2020-12-10 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:a7105e34 Merge branch 'hns3-next'
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=155af80f50
kernel config:  https://syzkaller.appspot.com/x/.config?x=2ac2dabe250b3a58
dashboard link: https://syzkaller.appspot.com/bug?extid=96ff6cfc4551fcc29342
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=11bc7b1350
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1674046b50

The issue was bisected to:

commit 386d4716fd91869e07c731657f2cde5a33086516
Author: Luo bin 
Date:   Thu Feb 27 06:34:44 2020 +

hinic: fix a bug of rss configuration

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16626fcfe0
final oops: https://syzkaller.appspot.com/x/report.txt?x=15626fcfe0
console output: https://syzkaller.appspot.com/x/log.txt?x=11626fcfe0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+96ff6cfc4551fcc29...@syzkaller.appspotmail.com
Fixes: 386d4716fd91 ("hinic: fix a bug of rss configuration")

INFO: task kworker/0:2:3004 blocked for more than 143 seconds.
  Not tainted 5.10.0-rc6-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:2 state:D stack:28448 pid: 3004 ppid: 2 flags:0x4000
Workqueue: events linkwatch_event
Call Trace:
 context_switch kernel/sched/core.c:3779 [inline]
 __schedule+0x893/0x2130 kernel/sched/core.c:4528
 schedule+0xcf/0x270 kernel/sched/core.c:4606
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4665
 __mutex_lock_common kernel/locking/mutex.c:1033 [inline]
 __mutex_lock+0x3e2/0x10e0 kernel/locking/mutex.c:1103
 linkwatch_event+0xb/0x60 net/core/link_watch.c:250
 process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
INFO: task kworker/0:0:8837 blocked for more than 143 seconds.
  Not tainted 5.10.0-rc6-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:0 state:D stack:29768 pid: 8837 ppid: 2 flags:0x4000
Workqueue: ipv6_addrconf addrconf_verify_work
Call Trace:
 context_switch kernel/sched/core.c:3779 [inline]
 __schedule+0x893/0x2130 kernel/sched/core.c:4528
 schedule+0xcf/0x270 kernel/sched/core.c:4606
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4665
 __mutex_lock_common kernel/locking/mutex.c:1033 [inline]
 __mutex_lock+0x3e2/0x10e0 kernel/locking/mutex.c:1103
 addrconf_verify_work+0xa/0x20 net/ipv6/addrconf.c:4569
 process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Showing all locks held in the system:
1 lock held by khungtaskd/1655:
 #0: 8b337a20 (rcu_read_lock){}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6254
3 locks held by kworker/0:2/3004:
 #0: 888010064d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 888010064d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 888010064d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 888010064d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline]
 #0: 888010064d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 888010064d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x821/0x15a0 kernel/workqueue.c:2243
 #1: c90001dafda8 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work+0x854/0x15a0 kernel/workqueue.c:2247
 #2: 8c92d448 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xb/0x60 net/core/link_watch.c:250
1 lock held by in:imklog/8186:
 #0: 888017c900f0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:932
2 locks held by syz-executor047/8830:
3 locks held by kworker/0:0/8837:
 #0: 888147499138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 888147499138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 888147499138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 888147499138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline]
 #0: 888147499138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_pool_

INFO: task can't die in corrupted (2)

2020-12-11 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:0eedceaf Add linux-next specific files for 20201201
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12db3b4b50
kernel config:  https://syzkaller.appspot.com/x/.config?x=55aec7153b7827ea
dashboard link: https://syzkaller.appspot.com/bug?extid=61cb1d04bf13f0c631b1
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1798554550

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+61cb1d04bf13f0c63...@syzkaller.appspotmail.com

INFO: task syz-executor.0:9776 can't die for more than 143 seconds.
task:syz-executor.0  state:R  running task stack:25800 pid: 9776 ppid:  8572 flags:0x4006
Call Trace:
 context_switch kernel/sched/core.c:4325 [inline]
 __schedule+0x8cd/0x2150 kernel/sched/core.c:5076

Showing all locks held in the system:
4 locks held by kworker/u4:4/359:
 #0: 8881407ab138 ((wq_completion)netns){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 8881407ab138 ((wq_completion)netns){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 8881407ab138 ((wq_completion)netns){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 8881407ab138 ((wq_completion)netns){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline]
 #0: 8881407ab138 ((wq_completion)netns){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 8881407ab138 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x871/0x15f0 kernel/workqueue.c:2243
 #1: c900014efda8 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x8a5/0x15f0 kernel/workqueue.c:2247
 #2: 8c92ed90 (pernet_ops_rwsem){}-{3:3}, at: cleanup_net+0x9b/0xb10 net/core/net_namespace.c:566
 #3: 8c940f88 (rtnl_mutex){+.+.}-{3:3}, at: netdev_run_todo+0x90a/0xdd0 net/core/dev.c:10316
1 lock held by khungtaskd/1663:
 #0: 8b33a7a0 (rcu_read_lock){}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6254
1 lock held by in:imklog/8233:
 #0: 88801f67e370 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:923
3 locks held by kworker/0:2/8537:
 #0: 888010062d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 888010062d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 888010062d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 888010062d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline]
 #0: 888010062d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 888010062d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x871/0x15f0 kernel/workqueue.c:2243
 #1: c9000c297da8 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work+0x8a5/0x15f0 kernel/workqueue.c:2247
 #2: 8c940f88 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xb/0x60 net/core/link_watch.c:250
2 locks held by kworker/u4:3/9739:
1 lock held by syz-executor.1/9765:
1 lock held by syz-executor.0/9776:
1 lock held by syz-executor.3/10296:
1 lock held by syz-executor.5/10299:
4 locks held by syz-executor.4/10323:
4 locks held by syz-executor.2/10542:

=





memory leak in pcan_usb_fd_init

2020-12-11 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:0477e928 Linux 5.10-rc7
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16dacc1350
kernel config:  https://syzkaller.appspot.com/x/.config?x=4305fa9ea70c7a9f
dashboard link: https://syzkaller.appspot.com/bug?extid=91adee8d9ebb9193d22d
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=14e1d00f50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=153ac2cb50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+91adee8d9ebb9193d...@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0x88810f4cc200 (size 128):
  comm "kworker/1:1", pid 34, jiffies 4294942277 (age 8.590s)
  hex dump (first 32 bytes):
40 09 42 12 81 88 ff ff 00 00 00 00 00 00 00 00  @.B.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  backtrace:
[<a24b3bdd>] kmalloc include/linux/slab.h:552 [inline]
[<a24b3bdd>] kzalloc include/linux/slab.h:664 [inline]
[<a24b3bdd>] pcan_usb_fd_init+0x156/0x210 drivers/net/can/usb/peak_usb/pcan_usb_fd.c:865
[<7ba29c7f>] peak_usb_create_dev drivers/net/can/usb/peak_usb/pcan_usb_core.c:850 [inline]
[<7ba29c7f>] peak_usb_probe+0x389/0x490 drivers/net/can/usb/peak_usb/pcan_usb_core.c:948
[<ea93b2ea>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
[<1ee8e05e>] really_probe+0x159/0x480 drivers/base/dd.c:554
[<10c7fe39>] driver_probe_device+0x84/0x100 drivers/base/dd.c:738
[<20e41d8d>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:844
[<0272c5fa>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431
[<d3b1aa42>] __device_attach+0x122/0x250 drivers/base/dd.c:912
[<a0b053c3>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491
[<dfb5e550>] device_add+0x5ac/0xc30 drivers/base/core.c:2936
[<d6321aa6>] usb_set_configuration+0x9de/0xb90 drivers/usb/core/message.c:2159
[<3d1efb2f>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
[<0a7312a8>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
[<1ee8e05e>] really_probe+0x159/0x480 drivers/base/dd.c:554
[<10c7fe39>] driver_probe_device+0x84/0x100 drivers/base/dd.c:738
[<20e41d8d>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:844

BUG: memory leak
unreferenced object 0x88810f7a4800 (size 512):
  comm "kworker/1:1", pid 34, jiffies 4294942277 (age 8.590s)
  hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  backtrace:
[<9ddd23ca>] kmalloc include/linux/slab.h:552 [inline]
[<9ddd23ca>] kzalloc include/linux/slab.h:664 [inline]
[<9ddd23ca>] pcan_usb_fd_init+0x181/0x210 drivers/net/can/usb/peak_usb/pcan_usb_fd.c:870
[<7ba29c7f>] peak_usb_create_dev drivers/net/can/usb/peak_usb/pcan_usb_core.c:850 [inline]
[<7ba29c7f>] peak_usb_probe+0x389/0x490 drivers/net/can/usb/peak_usb/pcan_usb_core.c:948
[<ea93b2ea>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
[<1ee8e05e>] really_probe+0x159/0x480 drivers/base/dd.c:554
[<10c7fe39>] driver_probe_device+0x84/0x100 drivers/base/dd.c:738
[<20e41d8d>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:844
[<0272c5fa>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431
[<d3b1aa42>] __device_attach+0x122/0x250 drivers/base/dd.c:912
[<a0b053c3>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491
[<dfb5e550>] device_add+0x5ac/0xc30 drivers/base/core.c:2936
[<d6321aa6>] usb_set_configuration+0x9de/0xb90 drivers/usb/core/message.c:2159
[<3d1efb2f>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
[<0a7312a8>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
[<1ee8e05e>] really_probe+0x159/0x480 drivers/base/dd.c:554
[<10c7fe39>] driver_probe_device+0x84/0x100 drivers/base/dd.c:738
[<20e41d8d>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:844





KASAN: slab-out-of-bounds Read in rtl_fw_do_work

2020-12-11 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:3db4c21c usb: typec: tcpm: Update vbus_vsafe0v on init
git tree:   https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=179809f350
kernel config:  https://syzkaller.appspot.com/x/.config?x=d24ee9ecd7ce968e
dashboard link: https://syzkaller.appspot.com/bug?extid=7b774a105bad5f282322
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7b774a105bad5f282...@syzkaller.appspotmail.com

usb 1-1: Direct firmware load for rtlwifi/rtl8192cufw.bin failed with error -2
==
BUG: KASAN: slab-out-of-bounds in rtl_fw_do_work+0x407/0x430 drivers/net/wireless/realtek/rtlwifi/core.c:87
Read of size 8 at addr 888142b2ff58 by task kworker/0:6/7385

CPU: 0 PID: 7385 Comm: kworker/0:6 Not tainted 5.10.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 rtl_fw_do_work+0x407/0x430 drivers/net/wireless/realtek/rtlwifi/core.c:87
 request_firmware_work_func+0x12c/0x230 drivers/base/firmware_loader/main.c:1079
 process_one_work+0x933/0x1520 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x38c/0x460 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Allocated by task 16159:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461
 kmalloc include/linux/slab.h:557 [inline]
 tomoyo_realpath_from_path+0xc3/0x620 security/tomoyo/realpath.c:254
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_number_perm+0x1d5/0x590 security/tomoyo/file.c:723
 security_file_ioctl+0x50/0xb0 security/security.c:1481
 __do_sys_ioctl fs/ioctl.c:747 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0xb3/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 16159:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0x102/0x140 mm/kasan/common.c:422
 slab_free_hook mm/slub.c:1544 [inline]
 slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1577
 slab_free mm/slub.c:3142 [inline]
 kfree+0xe5/0x5e0 mm/slub.c:4124
 tomoyo_realpath_from_path+0x191/0x620 security/tomoyo/realpath.c:291
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_number_perm+0x1d5/0x590 security/tomoyo/file.c:723
 security_file_ioctl+0x50/0xb0 security/security.c:1481
 __do_sys_ioctl fs/ioctl.c:747 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0xb3/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at 888142b2e000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 3928 bytes to the right of
 4096-byte region [888142b2e000, 888142b2f000)
The buggy address belongs to the page:
page:104f6cd2 refcount:1 mapcount:0 mapping: index:0x0 pfn:0x142b28
head:104f6cd2 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x2010200(slab|head)
raw: 02010200 dead0100 dead0122 888100042140
raw:  00040004 0001 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 888142b2fe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 888142b2fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>888142b2ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
 888142b2ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 888142b3: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==




INFO: task can't die in connmark_exit_net

2020-12-12 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:15ac8fdb Add linux-next specific files for 20201207
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15fbf86b50
kernel config:  https://syzkaller.appspot.com/x/.config?x=3696b8138207d24d
dashboard link: https://syzkaller.appspot.com/bug?extid=b3b63b6bff456bd95294
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1312128750

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b3b63b6bff456bd95...@syzkaller.appspotmail.com

INFO: task syz-executor.4:13889 can't die for more than 143 seconds.
task:syz-executor.4  state:D stack:26200 pid:13889 ppid: 12369 flags:0x4006
Call Trace:
 context_switch kernel/sched/core.c:4325 [inline]
 __schedule+0x8eb/0x21b0 kernel/sched/core.c:5076
 schedule+0xcf/0x270 kernel/sched/core.c:5155
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:5214
 __mutex_lock_common kernel/locking/mutex.c:1033 [inline]
 __mutex_lock+0x81a/0x1110 kernel/locking/mutex.c:1103
 tc_action_net_exit include/net/act_api.h:147 [inline]
 connmark_exit_net+0x20/0x130 net/sched/act_connmark.c:241
 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:190
 setup_net+0x508/0x850 net/core/net_namespace.c:365
 copy_net_ns+0x376/0x7b0 net/core/net_namespace.c:483
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 copy_namespaces+0x3e5/0x4d0 kernel/nsproxy.c:179
 copy_process+0x2aa7/0x6fe0 kernel/fork.c:2103
 kernel_clone+0xe7/0xad0 kernel/fork.c:2465
 __do_sys_clone+0xc8/0x110 kernel/fork.c:2582
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45e0f9
RSP: 002b:7fd04901bc68 EFLAGS: 0246 ORIG_RAX: 0038
RAX: ffda RBX: 0005 RCX: 0045e0f9
RDX:  RSI:  RDI: e900e57c
RBP: 0119c078 R08:  R09: 
R10:  R11: 0246 R12: 0119c034
R13: 7fff629a5d7f R14: 7fd04901c9c0 R15: 0119c034
INFO: task syz-executor.1:13932 can't die for more than 143 seconds.
task:syz-executor.1  state:D stack:26320 pid:13932 ppid: 12371 flags:0x4006
Call Trace:
 context_switch kernel/sched/core.c:4325 [inline]
 __schedule+0x8eb/0x21b0 kernel/sched/core.c:5076
 schedule+0xcf/0x270 kernel/sched/core.c:5155
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:5214
 __mutex_lock_common kernel/locking/mutex.c:1033 [inline]
 __mutex_lock+0x81a/0x1110 kernel/locking/mutex.c:1103
 tc_action_net_exit include/net/act_api.h:147 [inline]
 gate_exit_net+0x20/0x130 net/sched/act_gate.c:624
 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:190
 setup_net+0x508/0x850 net/core/net_namespace.c:365
 copy_net_ns+0x376/0x7b0 net/core/net_namespace.c:483
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 copy_namespaces+0x3e5/0x4d0 kernel/nsproxy.c:179
 copy_process+0x2aa7/0x6fe0 kernel/fork.c:2103
 kernel_clone+0xe7/0xad0 kernel/fork.c:2465
 __do_sys_clone+0xc8/0x110 kernel/fork.c:2582
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45e0f9
RSP: 002b:7fd373ed4c68 EFLAGS: 0246 ORIG_RAX: 0038
RAX: ffda RBX: 0005 RCX: 0045e0f9
RDX:  RSI:  RDI: e900e57c
RBP: 0119c120 R08:  R09: 
R10:  R11: 0246 R12: 0119c0dc
R13: 7ffc4464352f R14: 7fd373ed59c0 R15: 0119c0dc

Showing all locks held in the system:
3 locks held by kworker/0:2/8:
3 locks held by kworker/1:1/35:
 #0: 8881473fb538 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 8881473fb538 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 8881473fb538 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 8881473fb538 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline]
 #0: 8881473fb538 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 8881473fb538 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x871/0x1630 kernel/workqueue.c:2246
 #1: c9e6fda8 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x8a5/0x1630 kernel/workqueue.c:2250
 #2: 8d0d70c8 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xa3/0x1280 net/ipv6/addrconf.c:4028
1 lock held by khungtaskd/1655:
 #0: 8b78db60 (rcu_read_lock){}-{1:2}, at: debug_show_all_locks+0x53/0x28c kernel/locking/lockdep.c:6254
1 lock held by in:imklog/8192:
 

UBSAN: shift-out-of-bounds in strset_parse_request

2020-12-13 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:a9e26cb5 Add linux-next specific files for 20201208
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1752cf1750
kernel config:  https://syzkaller.appspot.com/x/.config?x=e259434a8eaf0206
dashboard link: https://syzkaller.appspot.com/bug?extid=96523fb438937cd01220
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=16edd00f50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10b7223750

The issue was bisected to:

commit 71921690f9745fef60a2bad425f30adf8cdc9da0
Author: Michal Kubecek 
Date:   Fri Dec 27 14:55:43 2019 +

ethtool: provide string sets with STRSET_GET request

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=108cd43350
final oops: https://syzkaller.appspot.com/x/report.txt?x=128cd43350
console output: https://syzkaller.appspot.com/x/log.txt?x=148cd43350

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+96523fb438937cd01...@syzkaller.appspotmail.com
Fixes: 71921690f974 ("ethtool: provide string sets with STRSET_GET request")


UBSAN: shift-out-of-bounds in net/ethtool/strset.c:191:28
shift exponent 3476603555 is too large for 32-bit type 'unsigned int'
CPU: 1 PID: 8488 Comm: syz-executor226 Not tainted 5.10.0-rc7-next-20201208-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 strset_parse_request.cold+0x3b/0x40 net/ethtool/strset.c:191
 ethnl_default_parse+0xda/0x130 net/ethtool/netlink.c:282
 ethnl_default_start+0x21c/0x570 net/ethtool/netlink.c:501
 genl_start+0x3cc/0x670 net/netlink/genetlink.c:604
 __netlink_dump_start+0x5a7/0x920 net/netlink/af_netlink.c:2363
 genl_family_rcv_msg_dumpit+0x1c9/0x310 net/netlink/genetlink.c:697
 genl_family_rcv_msg net/netlink/genetlink.c:780 [inline]
 genl_rcv_msg+0x43c/0x590 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 sys_sendmsg+0x6e8/0x810 net/socket.c:2345
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4409d9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 11 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7ffc89faeb48 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 004002c8 RCX: 004409d9
RDX:  RSI: 2fc0 RDI: 0003
RBP: 006ca018 R08: 000c R09: 004002c8
R10: 0001 R11: 0246 R12: 00401fc0
R13: 00402050 R14:  R15: 





memory leak in xskq_create

2020-12-13 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:a68a0262 mm/madvise: remove racy mm ownership check
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=165b941350
kernel config:  https://syzkaller.appspot.com/x/.config?x=4305fa9ea70c7a9f
dashboard link: https://syzkaller.appspot.com/bug?extid=cfa88ddd0655afa88763
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1180a23750
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=114067cf50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cfa88ddd0655afa88...@syzkaller.appspotmail.com

Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts.
executing program
executing program
BUG: memory leak
unreferenced object 0x88810f897940 (size 64):
  comm "syz-executor991", pid 8502, jiffies 4294942194 (age 14.080s)
  hex dump (first 32 bytes):
7f 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00  
00 a0 37 0c 81 88 ff ff 00 00 00 00 00 00 00 00  ..7.
  backtrace:
[<639d0dd1>] xskq_create+0x23/0xd0 include/linux/slab.h:552
[<b680b035>] xsk_init_queue net/xdp/xsk.c:508 [inline]
[<b680b035>] xsk_setsockopt+0x1c4/0x590 net/xdp/xsk.c:875
[<2b302260>] __sys_setsockopt+0x1b0/0x360 net/socket.c:2132
[<ae03723e>] __do_sys_setsockopt net/socket.c:2143 [inline]
[<ae03723e>] __se_sys_setsockopt net/socket.c:2140 [inline]
[<ae03723e>] __x64_sys_setsockopt+0x22/0x30 net/socket.c:2140
[<05c2b4a0>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<03db140f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0x88810f8979c0 (size 64):
  comm "syz-executor991", pid 8503, jiffies 4294942194 (age 14.080s)
  hex dump (first 32 bytes):
ff 03 00 00 00 04 00 00 00 00 00 00 00 00 00 00  
00 00 13 12 81 88 ff ff 00 00 00 00 00 00 00 00  
  backtrace:
[<639d0dd1>] xskq_create+0x23/0xd0 include/linux/slab.h:552
[<b680b035>] xsk_init_queue net/xdp/xsk.c:508 [inline]
[<b680b035>] xsk_setsockopt+0x1c4/0x590 net/xdp/xsk.c:875
[<2b302260>] __sys_setsockopt+0x1b0/0x360 net/socket.c:2132
[<ae03723e>] __do_sys_setsockopt net/socket.c:2143 [inline]
[<ae03723e>] __se_sys_setsockopt net/socket.c:2140 [inline]
[<ae03723e>] __x64_sys_setsockopt+0x22/0x30 net/socket.c:2140
[<05c2b4a0>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<03db140f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9





INFO: task hung in netdev_run_todo (2)

2020-12-13 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:7575fdda Merge tag 'platform-drivers-x86-v5.9-2' of git://..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1110b33f90
kernel config:  https://syzkaller.appspot.com/x/.config?x=c06bcf3cc963d91c
dashboard link: https://syzkaller.appspot.com/bug?extid=9d77543f47951a63d5c1
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9d77543f47951a63d...@syzkaller.appspotmail.com

INFO: task kworker/u4:2:26 blocked for more than 143 seconds.
  Not tainted 5.9.0-rc8-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u4:2state:D stack:24024 pid:   26 ppid: 2 flags:0x4000
Workqueue: netns cleanup_net
Call Trace:
 context_switch kernel/sched/core.c:3778 [inline]
 __schedule+0xec9/0x2280 kernel/sched/core.c:4527
 schedule+0xd0/0x2a0 kernel/sched/core.c:4602
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661
 __mutex_lock_common kernel/locking/mutex.c:1033 [inline]
 __mutex_lock+0x3e2/0x10e0 kernel/locking/mutex.c:1103
 netdev_run_todo+0x8f8/0xdb0 net/core/dev.c:10183
 ip6gre_exit_batch_net+0x516/0x750 net/ipv6/ip6_gre.c:1610
 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:189
 cleanup_net+0x4ea/0xa00 net/core/net_namespace.c:603
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
INFO: task kworker/0:4:8175 blocked for more than 143 seconds.
  Not tainted 5.9.0-rc8-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:4 state:D stack:25936 pid: 8175 ppid: 2 flags:0x4000
Workqueue: events linkwatch_event
Call Trace:
 context_switch kernel/sched/core.c:3778 [inline]
 __schedule+0xec9/0x2280 kernel/sched/core.c:4527
 schedule+0xd0/0x2a0 kernel/sched/core.c:4602
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661
 __mutex_lock_common kernel/locking/mutex.c:1033 [inline]
 __mutex_lock+0x3e2/0x10e0 kernel/locking/mutex.c:1103
 linkwatch_event+0xb/0x60 net/core/link_watch.c:250
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
INFO: task syz-executor.5:8896 blocked for more than 144 seconds.
  Not tainted 5.9.0-rc8-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5  state:D stack:27440 pid: 8896 ppid:  6920 flags:0x4004
Call Trace:
 context_switch kernel/sched/core.c:3778 [inline]
 __schedule+0xec9/0x2280 kernel/sched/core.c:4527
 schedule+0xd0/0x2a0 kernel/sched/core.c:4602
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661
 __mutex_lock_common kernel/locking/mutex.c:1033 [inline]
 __mutex_lock+0x3e2/0x10e0 kernel/locking/mutex.c:1103
 tc_new_tfilter+0x928/0x2130 net/sched/cls_api.c:2020
 rtnetlink_rcv_msg+0x80f/0xad0 net/core/rtnetlink.c:5554
 netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2470
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 sys_sendmsg+0x331/0x810 net/socket.c:2353
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
 __sys_sendmmsg+0x195/0x480 net/socket.c:2497
 __do_sys_sendmmsg net/socket.c:2526 [inline]
 __se_sys_sendmmsg net/socket.c:2523 [inline]
 __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2523
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45de29
Code: Bad RIP value.
RSP: 002b:7f9e84d3cc78 EFLAGS: 0246 ORIG_RAX: 0133
RAX: ffda RBX: 00027f40 RCX: 0045de29
RDX: 04924924924926d3 RSI: 2200 RDI: 0005
RBP: 0118c160 R08:  R09: 
R10:  R11: 0246 R12: 0118c124
R13: 7ffdec73781f R14: 7f9e84d3d9c0 R15: 0118c124
INFO: task syz-executor.3:8909 blocked for more than 145 seconds.
  Not tainted 5.9.0-rc8-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.3  state:D stack:26800 pid: 8909 ppid:  6916 flags:0x4004
Call Trace:
 context_switch kernel/sched/core.c:3778 [inline]
 __schedule+0xec9/0x2280 kernel/sched/core.c:4527
 schedule+0xd0/0x2a0 kernel/sched/core.c:4602
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4661
 __mutex_lock_common kernel/locking/mutex.c:1

UBSAN: shift-out-of-bounds in hash_mac_create

2020-12-13 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:a9e26cb5 Add linux-next specific files for 20201208
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16f0512350
kernel config:  https://syzkaller.appspot.com/x/.config?x=e259434a8eaf0206
dashboard link: https://syzkaller.appspot.com/bug?extid=d66bfadebca46cf61a2b
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13afdcbd50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12b14b3750

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d66bfadebca46cf61...@syzkaller.appspotmail.com


UBSAN: shift-out-of-bounds in net/netfilter/ipset/ip_set_hash_gen.h:151:6
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 0 PID: 8498 Comm: syz-executor519 Not tainted 5.10.0-rc7-next-20201208-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 htable_bits net/netfilter/ipset/ip_set_hash_gen.h:151 [inline]
 hash_mac_create.cold+0x58/0x9b net/netfilter/ipset/ip_set_hash_gen.h:1524
 ip_set_create+0x610/0x1380 net/netfilter/ipset/ip_set_core.c:1115
 nfnetlink_rcv_msg+0xecc/0x1180 net/netfilter/nfnetlink.c:252
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 nfnetlink_rcv+0x1ac/0x420 net/netfilter/nfnetlink.c:600
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 sys_sendmsg+0x6e8/0x810 net/socket.c:2345
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440419
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7ffd29571ba8 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 004002c8 RCX: 00440419
RDX:  RSI: 2040 RDI: 0003
RBP: 006ca018 R08: 0009 R09: 004002c8
R10: 0004 R11: 0246 R12: 00401c20
R13: 00401cb0 R14:  R15: 



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


INFO: task hung in cfg80211_event_work

2020-12-14 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:a68a0262 mm/madvise: remove racy mm ownership check
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15bb941350
kernel config:  https://syzkaller.appspot.com/x/.config?x=59df2a4dced5f928
dashboard link: https://syzkaller.appspot.com/bug?extid=84fea7179610ae50a9c7
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1169fa1350
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1240f12350

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+84fea7179610ae50a...@syzkaller.appspotmail.com

INFO: task kworker/u4:2:58 blocked for more than 161 seconds.
  Not tainted 5.10.0-rc7-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u4:2state:D stack:23600 pid:   58 ppid: 2 flags:0x4000
Workqueue: cfg80211 cfg80211_event_work
Call Trace:
 context_switch kernel/sched/core.c:3779 [inline]
 __schedule+0x893/0x2130 kernel/sched/core.c:4528
 schedule+0xcf/0x270 kernel/sched/core.c:4606
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4665
 __mutex_lock_common kernel/locking/mutex.c:1033 [inline]
 __mutex_lock+0x3e2/0x10e0 kernel/locking/mutex.c:1103
 cfg80211_event_work+0xe/0x20 net/wireless/core.c:321
 process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Showing all locks held in the system:
2 locks held by kworker/0:0/5:
 #0: 888010066538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 888010066538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 888010066538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 888010066538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline]
 #0: 888010066538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 888010066538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x821/0x15a0 kernel/workqueue.c:2243
 #1: c9ca7da8 ((work_completion)(&rew.rew_work)){+.+.}-{0:0}, at: process_one_work+0x854/0x15a0 kernel/workqueue.c:2247
3 locks held by kworker/1:0/17:
3 locks held by kworker/u4:2/58:
 #0: 888141147138 ((wq_completion)cfg80211){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 888141147138 ((wq_completion)cfg80211){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 888141147138 ((wq_completion)cfg80211){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 888141147138 ((wq_completion)cfg80211){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline]
 #0: 888141147138 ((wq_completion)cfg80211){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 888141147138 ((wq_completion)cfg80211){+.+.}-{0:0}, at: process_one_work+0x821/0x15a0 kernel/workqueue.c:2243
 #1: c9f2fda8 ((work_completion)(&rdev->event_work)){+.+.}-{0:0}, at: process_one_work+0x854/0x15a0 kernel/workqueue.c:2247
 #2: 8c927908 (rtnl_mutex){+.+.}-{3:3}, at: cfg80211_event_work+0xe/0x20 net/wireless/core.c:321
1 lock held by khungtaskd/1657:
 #0: 8b3378e0 (rcu_read_lock){}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6254
1 lock held by khugepaged/1664:
 #0: 8b4062a8 (lock#5){+.+.}-{3:3}, at: lru_add_drain_all+0x5f/0x6f0 mm/swap.c:801
1 lock held by in:imklog/8161:
 #0: 88801c8459f0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:932
2 locks held by syz-executor702/8473:
 #0: 8c9aec50 (cb_lock){}-{3:3}, at: genl_rcv+0x15/0x40 net/netlink/genetlink.c:810
 #1: 8c927908 (rtnl_mutex){+.+.}-{3:3}, at: nl80211_pre_doit+0x34f/0x630 net/wireless/nl80211.c:14579
2 locks held by syz-executor702/8474:
 #0: 8c9aec50 (cb_lock){}-{3:3}, at: genl_rcv+0x15/0x40 net/netlink/genetlink.c:810
 #1: 8c9aed08 (genl_mutex){+.+.}-{3:3}, at: genl_lock net/netlink/genetlink.c:33 [inline]
 #1: 8c9aed08 (genl_mutex){+.+.}-{3:3}, at: genl_rcv_msg+0x3e0/0x580 net/netlink/genetlink.c:798
2 locks held by syz-executor702/8476:
 #0: 8c9aec50 (cb_lock){}-{3:3}, at: genl_rcv+0x15/0x40 net/netlink/genetlink.c:810
 #1: 8c9aed08 (genl_mutex){+.+.}-{3:3}, at: genl_lock net/netlink/genetlink.c:33 [inline]
 #1: 8c9aed08 (genl_mutex){+.+.}-{3:3}, at: genl_rcv_msg+0x3e0/0x580 net/netlink/genetlink.c:798
3 locks held by syz-executor702/8477:
 #0:

Re: BUG: soft lockup in mac80211_hwsim_beacon

2020-12-14 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:2c85ebc5 Linux 5.10
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=148fcc1350
kernel config:  https://syzkaller.appspot.com/x/.config?x=8aff533d6c635e6
dashboard link: https://syzkaller.appspot.com/bug?extid=d6219cf21f26bdfcc22e
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1102527b50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d6219cf21f26bdfcc...@syzkaller.appspotmail.com

watchdog: BUG: soft lockup - CPU#1 stuck for 134s! [syz-executor.4:10844]
Modules linked in:
irq event stamp: 16682675
hardirqs last  enabled at (16682674): [] asm_sysvec_irq_work+0x12/0x20 arch/x86/include/asm/idtentry.h:657
hardirqs last disabled at (16682675): [] sysvec_apic_timer_interrupt+0xc/0x100 arch/x86/kernel/apic/apic.c:1091
softirqs last  enabled at (11305198): [] asm_call_irq_on_stack+0xf/0x20
softirqs last disabled at (11305201): [] asm_call_irq_on_stack+0xf/0x20
CPU: 1 PID: 10844 Comm: syz-executor.4 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__iterate_interfaces+0x14b/0x520 net/mac80211/util.c:786
Code: 31 ff 44 89 fe e8 05 a8 1d f9 45 85 ff 0f 84 9a 01 00 00 e8 a7 af 1d f9 48 8d bb 50 06 00 00 48 89 f8 48 c1 e8 03 0f b6 04 28 <84> c0 74 08 3c 03 0f 8e a8 03 00 00 8b 83 50 06 00 00 31 ff 83 e0
RSP: 0018:c9d90a68 EFLAGS: 0212
RAX:  RBX: 8880276ccc00 RCX: 885254eb
RDX: 8880213c3480 RSI: 885254f9 RDI: 8880276cd250
RBP: dc00 R08:  R09: 8ebb0667
R10:  R11:  R12: 8880276cde18
R13:  R14: 88803d37a5b8 R15: 0002
FS:  () GS:8880b9f0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 016b9e60 CR3: 3ca03000 CR4: 00350ee0
Call Trace:
 
 ieee80211_iterate_active_interfaces_atomic+0x8d/0x170 net/mac80211/util.c:828
 mac80211_hwsim_addr_match+0x128/0x180 drivers/net/wireless/mac80211_hwsim.c:1060
 mac80211_hwsim_tx_frame_no_nl.isra.0+0xb3d/0x1330 drivers/net/wireless/mac80211_hwsim.c:1498
 mac80211_hwsim_tx_frame+0x14f/0x1e0 drivers/net/wireless/mac80211_hwsim.c:1705
 mac80211_hwsim_beacon_tx+0x4ba/0x910 drivers/net/wireless/mac80211_hwsim.c:1759
 __iterate_interfaces+0x1e5/0x520 net/mac80211/util.c:792
 ieee80211_iterate_active_interfaces_atomic+0x8d/0x170 net/mac80211/util.c:828
 mac80211_hwsim_beacon+0xd5/0x1a0 drivers/net/wireless/mac80211_hwsim.c:1782
 __run_hrtimer kernel/time/hrtimer.c:1519 [inline]
 __hrtimer_run_queues+0x693/0xea0 kernel/time/hrtimer.c:1583
 hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1600
 __do_softirq+0x2a0/0x9f6 kernel/softirq.c:298
 asm_call_irq_on_stack+0xf/0x20
 
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:393 [inline]
 __irq_exit_rcu kernel/softirq.c:423 [inline]
 irq_exit_rcu+0x132/0x200 kernel/softirq.c:435
 sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1091
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:631
RIP: 0010:mm_update_next_owner+0x432/0x7a0 kernel/exit.c:387
Code: 8d ad 00 fc ff ff 48 81 fd 80 b3 09 8b 0f 84 65 01 00 00 e8 00 01 2e 00 48 8d bd 24 fc ff ff 48 89 f8 48 c1 e8 03 0f b6 14 18 <48> 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 b5 02 00 00 44
RSP: 0018:c90001bafb28 EFLAGS: 0213
RAX: 1110035d4004 RBX: dc00 RCX: 814203df
RDX:  RSI: 814203a0 RDI: 88801aea0024
RBP: 88801aea0400 R08: 0001 R09: 8b00a083
R10:  R11:  R12: 88802f0c6c00
R13: 88801aea R14: 0020 R15: 888140758010
 exit_mm kernel/exit.c:485 [inline]
 do_exit+0xa6a/0x29b0 kernel/exit.c:796
 do_group_exit+0x125/0x310 kernel/exit.c:906
 get_signal+0x42a/0x1f10 kernel/signal.c:2758
 arch_do_signal+0x82/0x2390 arch/x86/kernel/signal.c:811
 exit_to_user_mode_loop kernel/entry/common.c:161 [inline]
 exit_to_user_mode_prepare+0x100/0x1a0 kernel/entry/common.c:191
 irqentry_exit_to_user_mode+0x5/0x30 kernel/entry/common.c:279
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:631
RIP: 0033:0x45e159
Code: Unable to access opcode bytes at RIP 0x45e12f.
RSP: 002b:7fabdf0dac68 EFLAGS: 0246
RAX: 20ffc000 RBX: 0006 RCX: 0045e159
RDX:  RSI: 3000 RDI: 20ffc000
RBP: 0119c080 R08: 0004 R09: 
R10: 0011 R11: 0246 R12: 

general protection fault in taprio_dequeue_soft

2020-12-15 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:7f376f19 Merge tag 'mtd/fixes-for-5.10-rc8' of git://git.k..
git tree:   net
console output: https://syzkaller.appspot.com/x/log.txt?x=1384228750
kernel config:  https://syzkaller.appspot.com/x/.config?x=3416bb960d5c705d
dashboard link: https://syzkaller.appspot.com/bug?extid=8971da381fb5a31f542d
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=128c574550
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17a1f12350

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8971da381fb5a31f5...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdc00:  [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x-0x0007]
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.10.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:taprio_dequeue_soft+0x22e/0xa40 net/sched/sch_taprio.c:544
Code: 24 18 e8 d5 3e 4c fa 48 8b 44 24 10 80 38 00 0f 85 4c 07 00 00 48 8b 93 c0 02 00 00 49 63 c5 4c 8d 24 c2 4c 89 e0 48 c1 e8 03 <80> 3c 28 00 0f 85 3c 07 00 00 4d 8b 24 24 4d 85 e4 0f 84 87 03 00
RSP: 0018:c9d90e08 EFLAGS: 00010246
RAX:  RBX: 8880282e3800 RCX: 8723c557
RDX:  RSI: 8723c59b RDI: 0005
RBP: dc00 R08: 0001 R09: 8ebaf667
R10:  R11: 0001 R12: 
R13:  R14: 0401 R15: 88801917e000
FS:  () GS:8880b9f0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 2600 CR3: 13cdc000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 
 dequeue_skb net/sched/sch_generic.c:263 [inline]
 qdisc_restart net/sched/sch_generic.c:366 [inline]
 __qdisc_run+0x1ae/0x15e0 net/sched/sch_generic.c:384
 qdisc_run include/net/pkt_sched.h:131 [inline]
 qdisc_run include/net/pkt_sched.h:123 [inline]
 net_tx_action+0x4b9/0xbf0 net/core/dev.c:4915
 __do_softirq+0x2a0/0x9f6 kernel/softirq.c:298
 asm_call_irq_on_stack+0xf/0x20
 
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:393 [inline]
 __irq_exit_rcu kernel/softirq.c:423 [inline]
 irq_exit_rcu+0x132/0x200 kernel/softirq.c:435
 sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1091
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:631
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:79 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:169 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:112 [inline]
RIP: 0010:acpi_idle_do_entry+0x1c9/0x250 drivers/acpi/processor_idle.c:517
Code: 5d 07 88 f8 84 db 75 ac e8 44 0f 88 f8 e8 bf cd 8d f8 e9 0c 00 00 00 e8 35 0f 88 f8 0f 00 2d 9e 86 c0 00 e8 29 0f 88 f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 84 07 88 f8 48 85 db
RSP: 0018:c9d27d18 EFLAGS: 0293
RAX:  RBX:  RCX: 119d8e91
RDX: 888010d98000 RSI: 88e7f547 RDI: 
RBP: 888014e50064 R08: 0001 R09: 0001
R10:  R11: 0001 R12: 0001
R13: 888014e5 R14: 888014e50064 R15: 88801747a804
 acpi_idle_enter+0x361/0x500 drivers/acpi/processor_idle.c:648
 cpuidle_enter_state+0x1b1/0xc80 drivers/cpuidle/cpuidle.c:237
 cpuidle_enter+0x4a/0xa0 drivers/cpuidle/cpuidle.c:351
 call_cpuidle kernel/sched/idle.c:158 [inline]
 cpuidle_idle_call kernel/sched/idle.c:239 [inline]
 do_idle+0x3e1/0x590 kernel/sched/idle.c:299
 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:395
 start_secondary+0x266/0x340 arch/x86/kernel/smpboot.c:266
 secondary_startup_64_no_verify+0xb0/0xbb
Modules linked in:
---[ end trace 86b7dd17b9a0a261 ]---
RIP: 0010:taprio_dequeue_soft+0x22e/0xa40 net/sched/sch_taprio.c:544
Code: 24 18 e8 d5 3e 4c fa 48 8b 44 24 10 80 38 00 0f 85 4c 07 00 00 48 8b 93 c0 02 00 00 49 63 c5 4c 8d 24 c2 4c 89 e0 48 c1 e8 03 <80> 3c 28 00 0f 85 3c 07 00 00 4d 8b 24 24 4d 85 e4 0f 84 87 03 00
RSP: 0018:c9d90e08 EFLAGS: 00010246
RAX:  RBX: 8880282e3800 RCX: 8723c557
RDX:  RSI: 8723c59b RDI: 0005
RBP: dc00 R08: 0001 R09: 8ebaf667
R10:  R11: 0001 R12: 
R13: 00

WARNING: suspicious RCU usage in nf_ct_iterate_cleanup

2020-12-15 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:33dc9614 Merge tag 'ktest-v5.10-rc6' of git://git.kernel.o..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1200a46b50
kernel config:  https://syzkaller.appspot.com/x/.config?x=5ed9af1b47477866
dashboard link: https://syzkaller.appspot.com/bug?extid=dced7c2d89dde957f7dd
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+dced7c2d89dde957f...@syzkaller.appspotmail.com

=
WARNING: suspicious RCU usage
5.10.0-rc7-syzkaller #0 Not tainted
-
kernel/sched/core.c:7270 Illegal context switch in RCU-bh read-side critical section!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 0
2 locks held by kworker/1:8/18355:
 #0: 888010063d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 888010063d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 888010063d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 888010063d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline]
 #0: 888010063d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 888010063d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x821/0x15a0 kernel/workqueue.c:2243
 #1: c90002a6fda8 ((work_completion)(&w->work)#2){+.+.}-{0:0}, at: process_one_work+0x854/0x15a0 kernel/workqueue.c:2247

stack backtrace:
CPU: 1 PID: 18355 Comm: kworker/1:8 Not tainted 5.10.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events iterate_cleanup_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 ___might_sleep+0x220/0x2b0 kernel/sched/core.c:7270
 get_next_corpse net/netfilter/nf_conntrack_core.c: [inline]
 nf_ct_iterate_cleanup+0x132/0x400 net/netfilter/nf_conntrack_core.c:2244
 nf_ct_iterate_cleanup_net net/netfilter/nf_conntrack_core.c:2329 [inline]
 nf_ct_iterate_cleanup_net+0x113/0x170 net/netfilter/nf_conntrack_core.c:2314
 iterate_cleanup_work+0x45/0x130 net/netfilter/nf_nat_masquerade.c:216
 process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296




UBSAN: shift-out-of-bounds in xprt_calc_majortimeo

2020-12-15 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:14240d4c Add linux-next specific files for 20201210
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1321cf1750
kernel config:  https://syzkaller.appspot.com/x/.config?x=6dbe20fdaa5aaebe
dashboard link: https://syzkaller.appspot.com/bug?extid=ba2e91df8f74809417fa
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=174ecb9b50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14ff941350

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ba2e91df8f7480941...@syzkaller.appspotmail.com


UBSAN: shift-out-of-bounds in net/sunrpc/xprt.c:658:14
shift exponent 536871232 is too large for 64-bit type 'long unsigned int'
CPU: 1 PID: 8494 Comm: syz-executor211 Not tainted 5.10.0-rc7-next-20201210-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 xprt_calc_majortimeo.isra.0.cold+0x17/0x46 net/sunrpc/xprt.c:658
 xprt_init_majortimeo net/sunrpc/xprt.c:686 [inline]
 xprt_request_init+0x486/0x9e0 net/sunrpc/xprt.c:1805
 xprt_do_reserve net/sunrpc/xprt.c:1815 [inline]
 xprt_reserve+0x18f/0x280 net/sunrpc/xprt.c:1836
 __rpc_execute+0x21d/0x1360 net/sunrpc/sched.c:891
 rpc_execute+0x230/0x350 net/sunrpc/sched.c:967
 rpc_run_task+0x5d0/0x8f0 net/sunrpc/clnt.c:1140
 rpc_call_sync+0xc6/0x1a0 net/sunrpc/clnt.c:1169
 rpc_ping net/sunrpc/clnt.c:2682 [inline]
 rpc_create_xprt+0x3f1/0x4a0 net/sunrpc/clnt.c:477
 rpc_create+0x354/0x670 net/sunrpc/clnt.c:593
 nfs_create_rpc_client+0x4eb/0x680 fs/nfs/client.c:536
 nfs_init_client fs/nfs/client.c:653 [inline]
 nfs_init_client+0x6d/0x100 fs/nfs/client.c:640
 nfs_get_client+0xcd7/0x1020 fs/nfs/client.c:430
 nfs_init_server.isra.0+0x2c0/0xed0 fs/nfs/client.c:692
 nfs_create_server+0x18f/0x650 fs/nfs/client.c:996
 nfs_try_get_tree+0x181/0x9f0 fs/nfs/super.c:939
 nfs_get_tree+0xaa1/0x1520 fs/nfs/fs_context.c:1350
 vfs_get_tree+0x89/0x2f0 fs/super.c:1496
 do_new_mount fs/namespace.c:2896 [inline]
 path_mount+0x12ae/0x1e70 fs/namespace.c:3227
 do_mount fs/namespace.c:3240 [inline]
 __do_sys_mount fs/namespace.c:3448 [inline]
 __se_sys_mount fs/namespace.c:3425 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3425
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440419
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7ffe282dde28 EFLAGS: 0246 ORIG_RAX: 00a5
RAX: ffda RBX: 0030656c69662f2e RCX: 00440419
RDX: 20fb5ffc RSI: 20343ff8 RDI: 2100
RBP: 006ca018 R08: 2000a000 R09: 
R10:  R11: 0246 R12: 00401c20
R13: 00401cb0 R14:  R15: 





UBSAN: shift-out-of-bounds in hash_ipmark_create

2020-12-15 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:15ac8fdb Add linux-next specific files for 20201207
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=156c845b50
kernel config:  https://syzkaller.appspot.com/x/.config?x=3696b8138207d24d
dashboard link: https://syzkaller.appspot.com/bug?extid=d81819ac03d8c36e3974
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=14960f9b50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12be080f50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d81819ac03d8c36e3...@syzkaller.appspotmail.com


UBSAN: shift-out-of-bounds in net/netfilter/ipset/ip_set_hash_gen.h:151:6
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 0 PID: 8473 Comm: syz-executor542 Not tainted 5.10.0-rc6-next-20201207-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 htable_bits net/netfilter/ipset/ip_set_hash_gen.h:151 [inline]
 hash_ipmark_create.cold+0x96/0x9b net/netfilter/ipset/ip_set_hash_gen.h:1524
 ip_set_create+0x610/0x1380 net/netfilter/ipset/ip_set_core.c:1115
 nfnetlink_rcv_msg+0xecc/0x1180 net/netfilter/nfnetlink.c:252
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 nfnetlink_rcv+0x1ac/0x420 net/netfilter/nfnetlink.c:600
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 sys_sendmsg+0x6e8/0x810 net/socket.c:2345
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440419
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7ffdadcbeb88 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 004002c8 RCX: 00440419
RDX:  RSI: 20c0 RDI: 0003
RBP: 006ca018 R08: 0005 R09: 004002c8
R10: 0001 R11: 0246 R12: 00401c20
R13: 00401cb0 R14:  R15: 




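The three UBSAN reports above (hash_mac_create and hash_ipmark_create at net/netfilter/ipset/ip_set_hash_gen.h:151, xprt_calc_majortimeo at net/sunrpc/xprt.c:658) are the same class of bug: a shift count that is not smaller than the width of the shifted type, which C leaves undefined and UBSAN flags as "shift exponent N is too large". The program below is an added example, not syzbot's output and not the kernel's code; it shows the two patterns behind those reports, a table-size-to-index-bits computation and an exponential backoff, written so that the shift count is bounded before the shift happens. The helper names (shift_is_defined, table_bits_bounded, backoff_timeout) and the HTABLE_MAX_BITS cap of 31 are assumptions for illustration and do not reproduce the kernel's htable_bits() or xprt_calc_majortimeo().

```c
#include <stdint.h>
#include <stdio.h>

/*
 * A shift count must be strictly less than the width of the (promoted)
 * left operand, otherwise the shift is undefined behaviour in C. That is
 * exactly what the reports above show: exponent 32 for a 32-bit unsigned
 * int, and exponent 536871232 for a 64-bit unsigned long.
 */
static int shift_is_defined(unsigned int exp, unsigned int type_bits)
{
	return exp < type_bits;
}

/* Assumption for this example: largest index width the table may use. */
#define HTABLE_MAX_BITS 31

/*
 * Hypothetical "how many index bits for this many buckets" helper. The
 * loop never shifts by more than HTABLE_MAX_BITS, so (uint32_t)1 << bits
 * is always defined; a caller-supplied hashsize such as 0xffffffff, which
 * would need 32 bits, is capped instead of computed with an out-of-range
 * shift. The real htable_bits() is not reproduced here.
 */
static unsigned int table_bits_bounded(uint32_t hashsize)
{
	unsigned int bits = 0;

	while (bits < HTABLE_MAX_BITS && ((uint32_t)1 << bits) < hashsize)
		bits++;
	return bits;
}

/*
 * Hypothetical bounded exponential backoff: initval doubled `retries`
 * times, saturating at maxval. Checking the exponent against the type
 * width first makes an absurd retry count like 536871232 harmless; the
 * second check catches overflow of the *value* even when the exponent is
 * legal (e.g. 1000 << 60 does not fit in 64 bits).
 */
static uint64_t backoff_timeout(uint64_t initval, unsigned int retries,
				uint64_t maxval)
{
	if (!shift_is_defined(retries, 64))
		return maxval;
	if (initval > (maxval >> retries))	/* initval << retries > maxval */
		return maxval;
	return initval << retries;
}

int main(void)
{
	printf("table bits for 1024 buckets:       %u\n",
	       table_bits_bounded(1024));
	printf("table bits for 0xffffffff buckets: %u (capped)\n",
	       table_bits_bounded(0xffffffffu));
	printf("backoff(1000, 3 retries, max 100000):         %llu\n",
	       (unsigned long long)backoff_timeout(1000, 3, 100000));
	printf("backoff(1000, 536871232 retries, max 100000): %llu\n",
	       (unsigned long long)backoff_timeout(1000, 536871232u, 100000));
	return 0;
}
```

Compiling this with `-fsanitize=undefined` and removing either bound is an easy way to see the same "shift exponent ... is too large" diagnostic that UBSAN printed in the reports, since the check lives before the shift rather than relying on the shift itself to misbehave.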

Re: general protection fault in taprio_dequeue_soft

2020-12-15 Thread syzbot
syzbot has bisected this issue to:

commit b5b73b26b3ca34574124ed7ae9c5ba8391a7f176
Author: Vinicius Costa Gomes 
Date:   Thu Sep 10 00:03:11 2020 +

taprio: Fix allowing too small intervals

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13c8eadf50
start commit:   7f376f19 Merge tag 'mtd/fixes-for-5.10-rc8' of git://git.k..
git tree:   net
final oops: https://syzkaller.appspot.com/x/report.txt?x=1028eadf50
console output: https://syzkaller.appspot.com/x/log.txt?x=17c8eadf50
kernel config:  https://syzkaller.appspot.com/x/.config?x=3416bb960d5c705d
dashboard link: https://syzkaller.appspot.com/bug?extid=8971da381fb5a31f542d
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=128c574550
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17a1f12350

Reported-by: syzbot+8971da381fb5a31f5...@syzkaller.appspotmail.com
Fixes: b5b73b26b3ca ("taprio: Fix allowing too small intervals")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


Re: INFO: task can't die in corrupted (2)

2020-12-15 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:9317f948 Add linux-next specific files for 20201215
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=151add9750
kernel config:  https://syzkaller.appspot.com/x/.config?x=5c81cc44aa25b5b3
dashboard link: https://syzkaller.appspot.com/bug?extid=61cb1d04bf13f0c631b1
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=177df70350
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1342f30f50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+61cb1d04bf13f0c63...@syzkaller.appspotmail.com

INFO: task syz-executor656:8498 can't die for more than 143 seconds.
task:syz-executor656 state:R  running task stack:27904 pid: 8498 ppid:  8493 flags:0x4006
Call Trace:

Showing all locks held in the system:
1 lock held by khungtaskd/1647:
 #0: 8b78f920 (rcu_read_lock){}-{1:2}, at: debug_show_all_locks+0x53/0x28c kernel/locking/lockdep.c:6254
1 lock held by in:imklog/8185:
 #0: 88801ad9e0f0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:923
3 locks held by syz-executor656/8498:

=

Kernel panic - not syncing: hung_task: blocked tasks
CPU: 0 PID: 1647 Comm: khungtaskd Not tainted 5.10.0-next-20201215-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 panic+0x343/0x77f kernel/panic.c:231
 check_hung_uninterruptible_tasks kernel/hung_task.c:257 [inline]
 watchdog.cold+0x157/0x31d kernel/hung_task.c:338
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Kernel Offset: disabled
Rebooting in 86400 seconds..



Re: KASAN: use-after-free Write in __sco_sock_close

2020-12-15 Thread syzbot
syzbot suspects this issue was fixed by commit:

commit 6dfccd13db2ff2b709ef60a50163925d477549aa
Author: Anmol Karn 
Date:   Wed Sep 30 14:18:13 2020 +

Bluetooth: Fix null pointer dereference in hci_event_packet()

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=14cb845b50
start commit:   47ec5303 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree:   upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=e0c783f658542f35
dashboard link: https://syzkaller.appspot.com/bug?extid=077eca30d3cb7c02b273
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=165a89dc90
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=130a8c6290

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: Bluetooth: Fix null pointer dereference in hci_event_packet()

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


WARNING: suspicious RCU usage in get_wiphy_regdom

2020-12-16 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:00f7763a Merge tag 'mac80211-next-for-net-next-2020-12-11'..
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=160acef350
kernel config:  https://syzkaller.appspot.com/x/.config?x=1d8e2f94cac4630
dashboard link: https://syzkaller.appspot.com/bug?extid=db4035751c56c0079282
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=133bc28750
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14ef080f50

The issue was bisected to:

commit beee246951571cc5452176f3dbfe9aa5a10ba2b9
Author: Ilan Peer 
Date:   Sun Nov 29 15:30:51 2020 +

cfg80211: Save the regulatory domain when setting custom regulatory

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11492ecb50
final oops: https://syzkaller.appspot.com/x/report.txt?x=13492ecb50
console output: https://syzkaller.appspot.com/x/log.txt?x=15492ecb50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+db4035751c56c0079...@syzkaller.appspotmail.com
Fixes: beee24695157 ("cfg80211: Save the regulatory domain when setting custom regulatory")

=
WARNING: suspicious RCU usage
5.10.0-rc7-syzkaller #0 Not tainted
-
net/wireless/reg.c:144 suspicious rcu_dereference_check() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
2 locks held by syz-executor217/8471:
 #0: 8c9b5230 (cb_lock){}-{3:3}, at: genl_rcv+0x15/0x40 net/netlink/genetlink.c:810
 #1: 8c9b52e8 (genl_mutex){+.+.}-{3:3}, at: genl_lock net/netlink/genetlink.c:33 [inline]
 #1: 8c9b52e8 (genl_mutex){+.+.}-{3:3}, at: genl_rcv_msg+0x3e0/0x580 net/netlink/genetlink.c:798

stack backtrace:
CPU: 0 PID: 8471 Comm: syz-executor217 Not tainted 5.10.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 get_wiphy_regdom net/wireless/reg.c:144 [inline]
 get_wiphy_regdom+0xc3/0xd0 net/wireless/reg.c:142
 wiphy_apply_custom_regulatory+0x234/0x360 net/wireless/reg.c:2574
 mac80211_hwsim_new_radio+0x1f45/0x4830 drivers/net/wireless/mac80211_hwsim.c:3247
 hwsim_new_radio_nl+0x9a6/0x10b0 drivers/net/wireless/mac80211_hwsim.c:3822
 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 sys_sendmsg+0x6e8/0x810 net/socket.c:2331
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2385
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2418
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440309
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fff9be21ed8 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 004002c8 RCX: 00440309
RDX: 0410 RSI: 21c0 RDI: 0003
RBP: 006ca018 R08:  R09: 004002c8
R10: 00401ba0 R11: 0246 R12: 00401b10
R13: 00401ba0 R14:  R15: 


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


Re: BUG: unable to handle kernel paging request in smc_nl_handle_smcr_dev

2020-12-17 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:5e60366d Merge tag 'fallthrough-fixes-clang-5.11-rc1' of g..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17842c1350
kernel config:  https://syzkaller.appspot.com/x/.config?x=503d0089cd701d6d
dashboard link: https://syzkaller.appspot.com/bug?extid=600fef7c414ee7e2d71b
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=17d8e41f50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1796228750

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+600fef7c414ee7e2d...@syzkaller.appspotmail.com

infiniband syz1: set active
infiniband syz1: added macvtap0
RDS/IB: syz1: added
smc: adding ib device syz1 with port count 1
smc:ib device syz1 port 1 has pnetid 
BUG: unable to handle page fault for address: ff74
#PF: supervisor read access in kernel mode
#PF: error_code(0x) - not-present page
PGD b48f067 P4D b48f067 PUD b491067 PMD 0 
Oops:  [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8688 Comm: syz-executor225 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:smc_set_pci_values net/smc/smc_core.h:396 [inline]
RIP: 0010:smc_nl_handle_smcr_dev.isra.0+0x4e1/0x1280 net/smc/smc_ib.c:422
Code: fc ff df 48 8d bb 74 ff ff ff 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 29 0d 00 00 <0f> b7 83 74 ff ff ff 48 8d bb 76 ff ff ff 48 89 fa 48 c1 ea 03 66
RSP: 0018:c90001f87220 EFLAGS: 00010246
RAX: 0005 RBX:  RCX: 
RDX:  RSI:  RDI: ff74
RBP: 8d5ac140 R08: 0001 R09: c90001f87308
R10: f520003f0e64 R11: 11e2db6c R12: 1b556831
R13: 888013e29540 R14: dc00 R15: 88802a360014
FS:  015bf880() GS:8880b9c0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: ff74 CR3: 2687b000 CR4: 001506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 smc_nl_prep_smcr_dev net/smc/smc_ib.c:469 [inline]
 smcr_nl_get_device+0xdf/0x1f0 net/smc/smc_ib.c:481
 genl_lock_dumpit+0x60/0x90 net/netlink/genetlink.c:623
 netlink_dump+0x4d9/0xb90 net/netlink/af_netlink.c:2268
 __netlink_dump_start+0x665/0x920 net/netlink/af_netlink.c:2373
 genl_family_rcv_msg_dumpit+0x2af/0x310 net/netlink/genetlink.c:686
 genl_family_rcv_msg net/netlink/genetlink.c:780 [inline]
 genl_rcv_msg+0x43c/0x590 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 sys_sendmsg+0x6e8/0x810 net/socket.c:2336
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2390
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2423
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x443fd9
Code: e8 6c 05 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7ffe909694e8 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 0003 RCX: 00443fd9
RDX:  RSI: 2180 RDI: 0004
RBP: 7ffe909694f0 R08: 01bb R09: 01bb
R10: 01bb R11: 0246 R12: 7ffe90969500
R13:  R14:  R15: 
Modules linked in:
CR2: ff74
---[ end trace 45a80c2d5f347bdc ]---
RIP: 0010:smc_set_pci_values net/smc/smc_core.h:396 [inline]
RIP: 0010:smc_nl_handle_smcr_dev.isra.0+0x4e1/0x1280 net/smc/smc_ib.c:422
Code: fc ff df 48 8d bb 74 ff ff ff 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 29 0d 00 00 <0f> b7 83 74 ff ff ff 48 8d bb 76 ff ff ff 48 89 fa 48 c1 ea 03 66
RSP: 0018:c90001f87220 EFLAGS: 00010246
RAX: 0005 RBX:  RCX: 
RDX:  RSI:  RDI: ff74
RBP: 8d5ac140 R08: 0001 R09: c90001f87308
R10: f520003f0e64 R11: 11e2db6c R12: 1b556831
R13: 888013e29540 R14: dc00 R15: 88802a360014
FS:  015bf880() GS:8880b9c0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: ff74 CR3: 26

general protection fault in bond_ipsec_add_sa

2020-12-17 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:6bff9bb8 Merge tag 'scsi-fixes' of git://git.kernel.org/pu..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14aba80f50
kernel config:  https://syzkaller.appspot.com/x/.config?x=a438b63f5a7f3806
dashboard link: https://syzkaller.appspot.com/bug?extid=cfd446c119a93741a3c2
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cfd446c119a93741a...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdc00:  [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x-0x0007]
CPU: 3 PID: 10570 Comm: syz-executor.0 Not tainted 5.10.0-rc7-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:bond_ipsec_add_sa+0x9e/0x240 drivers/net/bonding/bond_main.c:396
Code: 04 31 ff 89 c3 89 c6 e8 f0 2c d8 fc 85 db 0f 85 f6 00 00 00 e8 93 34 d8 fc 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 5f 01 00 00 48 8d bd d0 02 00 00 49 8b 5d 00 48
RSP: 0018:c90002e47498 EFLAGS: 00010246
RAX: dc00 RBX: 0001 RCX: c90006ee9000
RDX:  RSI: 8497d16d RDI: 0001
RBP: 888016539c00 R08:  R09: 
R10:  R11: 0001 R12: 88806c23
R13:  R14: 888016539ee0 R15: 888016539ee4
FS:  7f5eca4f9700() GS:88802cd0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 007120d0 CR3: 50d1d000 CR4: 00350ee0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 xfrm_dev_state_add+0x2da/0x7b0 net/xfrm/xfrm_device.c:268
 xfrm_state_construct net/xfrm/xfrm_user.c:655 [inline]
 xfrm_add_sa+0x2166/0x34f0 net/xfrm/xfrm_user.c:684
 xfrm_user_rcv_msg+0x42f/0x8b0 net/xfrm/xfrm_user.c:2752
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2764
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 sys_sendmsg+0x6e8/0x810 net/socket.c:2353
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45dcd9
Code: bd b1 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b b1 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f5eca4f8c78 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 0003 RCX: 0045dcd9
RDX:  RSI: 2180 RDI: 0003
RBP: 004aae00 R08:  R09: 
R10:  R11: 0246 R12: 0075bf40
R13: 7ffcc1582edf R14: 7f5eca4d9000 R15: 0003
Modules linked in:
---[ end trace f71849d5db08409b ]---
RIP: 0010:bond_ipsec_add_sa+0x9e/0x240 drivers/net/bonding/bond_main.c:396
Code: 04 31 ff 89 c3 89 c6 e8 f0 2c d8 fc 85 db 0f 85 f6 00 00 00 e8 93 34 d8 fc 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 5f 01 00 00 48 8d bd d0 02 00 00 49 8b 5d 00 48
RSP: 0018:c90002e47498 EFLAGS: 00010246
RAX: dc00 RBX: 0001 RCX: c90006ee9000
RDX:  RSI: 8497d16d RDI: 0001
RBP: 888016539c00 R08:  R09: 
R10:  R11: 0001 R12: 88806c23
R13:  R14: 888016539ee0 R15: 888016539ee4
FS:  7f5eca4f9700() GS:88802cd0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033




Re: KASAN: slab-out-of-bounds Read in lock_sock_nested

2020-12-18 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:a409ed15 Merge tag 'gpio-v5.11-1' of git://git.kernel.org/..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=174778a750
kernel config:  https://syzkaller.appspot.com/x/.config?x=20efebc728efc8ff
dashboard link: https://syzkaller.appspot.com/bug?extid=9a0875bc1b2ca466b484
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=10a4445b50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9a0875bc1b2ca466b...@syzkaller.appspotmail.com

==
BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x3da6/0x54b0 kernel/locking/lockdep.c:4702
Read of size 8 at addr 88801938c0a0 by task kworker/1:1/34

CPU: 1 PID: 34 Comm: kworker/1:1 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 __lock_acquire+0x3da6/0x54b0 kernel/locking/lockdep.c:4702
 lock_acquire kernel/locking/lockdep.c:5437 [inline]
 lock_acquire+0x29d/0x750 kernel/locking/lockdep.c:5402
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 lock_sock_nested+0x3b/0x110 net/core/sock.c:3049
 l2cap_sock_teardown_cb+0xa1/0x660 net/bluetooth/l2cap_sock.c:1520
 l2cap_chan_del+0xbc/0xaa0 net/bluetooth/l2cap_core.c:618
 l2cap_chan_close+0x1bc/0xaf0 net/bluetooth/l2cap_core.c:823
 l2cap_chan_timeout+0x17e/0x2f0 net/bluetooth/l2cap_core.c:436
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Allocated by task 11222:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
 __do_kmalloc mm/slab.c:3659 [inline]
 __kmalloc+0x18b/0x340 mm/slab.c:3668
 kmalloc include/linux/slab.h:557 [inline]
 kzalloc include/linux/slab.h:682 [inline]
 tomoyo_get_name+0x22b/0x4c0 security/tomoyo/memory.c:173
 tomoyo_parse_name_union+0xbc/0x160 security/tomoyo/util.c:260
 tomoyo_update_path_acl security/tomoyo/file.c:395 [inline]
 tomoyo_write_file+0x4c0/0x7f0 security/tomoyo/file.c:1022
 tomoyo_write_domain2+0x116/0x1d0 security/tomoyo/common.c:1152
 tomoyo_add_entry security/tomoyo/common.c:2042 [inline]
 tomoyo_supervisor+0xbee/0xf20 security/tomoyo/common.c:2103
 tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
 tomoyo_path_permission security/tomoyo/file.c:587 [inline]
 tomoyo_path_permission+0x270/0x3a0 security/tomoyo/file.c:573
 tomoyo_path_perm+0x37c/0x3f0 security/tomoyo/file.c:838
 tomoyo_path_symlink+0x94/0xe0 security/tomoyo/tomoyo.c:200
 security_path_symlink+0xdf/0x150 security/security.c:
 do_symlinkat+0x123/0x2c0 fs/namei.c:3985
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at 88801938c000
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 32 bytes to the right of
 128-byte region [88801938c000, 88801938c080)
The buggy address belongs to the page:
page:b7b67fec refcount:1 mapcount:0 mapping: index:0x0 pfn:0x1938c
flags: 0xfff200(slab)
raw: 00fff200 ea4e6508 eaa5cf48 888010840400
raw:  88801938c000 00010010 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 88801938bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 88801938c000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>88801938c080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   ^
 88801938c100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 88801938c180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==



WARNING: suspicious RCU usage in wiphy_apply_custom_regulatory

2020-12-19 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:d635a69d Merge tag 'net-next-5.11' of git://git.kernel.org..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14502c1350
kernel config:  https://syzkaller.appspot.com/x/.config?x=c3556e4856b17a95
dashboard link: https://syzkaller.appspot.com/bug?extid=27771d4abcd9b7a1f5d3
compiler:   clang version 11.0.0 (https://github.com/llvm/llvm-project.git ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1593f70350
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=176dc93750

The issue was bisected to:

commit beee246951571cc5452176f3dbfe9aa5a10ba2b9
Author: Ilan Peer 
Date:   Sun Nov 29 15:30:51 2020 +

cfg80211: Save the regulatory domain when setting custom regulatory

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=12fcc77f50
final oops: https://syzkaller.appspot.com/x/report.txt?x=11fcc77f50
console output: https://syzkaller.appspot.com/x/log.txt?x=16fcc77f50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+27771d4abcd9b7a1f...@syzkaller.appspotmail.com
Fixes: beee24695157 ("cfg80211: Save the regulatory domain when setting custom regulatory")

=
WARNING: suspicious RCU usage
5.10.0-syzkaller #0 Not tainted
-
net/wireless/reg.c:144 suspicious rcu_dereference_check() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
2 locks held by syz-executor434/8467:
 #0: 8cd0bd70 (cb_lock){}-{3:3}, at: genl_rcv+0x15/0x40 net/netlink/genetlink.c:810
 #1: 8cd0bc28 (genl_mutex){+.+.}-{3:3}, at: genl_lock net/netlink/genetlink.c:33 [inline]
 #1: 8cd0bc28 (genl_mutex){+.+.}-{3:3}, at: genl_rcv_msg+0xb1/0x1280 net/netlink/genetlink.c:798

stack backtrace:
CPU: 1 PID: 8467 Comm: syz-executor434 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x137/0x1be lib/dump_stack.c:120
 get_wiphy_regdom net/wireless/reg.c:144 [inline]
 wiphy_apply_custom_regulatory+0x784/0x910 net/wireless/reg.c:2574
 mac80211_hwsim_new_radio+0x1eb3/0x3930 drivers/net/wireless/mac80211_hwsim.c:3247
 hwsim_new_radio_nl+0xb07/0xf60 drivers/net/wireless/mac80211_hwsim.c:3822
 genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0xe4e/0x1280 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x190/0x3a0 net/netlink/af_netlink.c:2494
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x780/0x930 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x9a8/0xd40 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg net/socket.c:672 [inline]
 sys_sendmsg+0x519/0x800 net/socket.c:2336
 ___sys_sendmsg net/socket.c:2390 [inline]
 __sys_sendmsg+0x2bc/0x370 net/socket.c:2423
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440309
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7ffeafb01018 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 004002c8 RCX: 00440309
RDX:  RSI: 21c0 RDI: 0003
RBP: 006ca018 R08:  R09: 004002c8
R10: 00401ba0 R11: 0246 R12: 00401b10
R13: 00401ba0 R14:  R15: 




WARNING in ext4_evict_inode

2020-12-19 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:3db1a3fa Merge tag 'staging-5.11-rc1' of git://git.kernel...
git tree:   net
console output: https://syzkaller.appspot.com/x/log.txt?x=15c2f30f50
kernel config:  https://syzkaller.appspot.com/x/.config?x=2764fc28a92339f9
dashboard link: https://syzkaller.appspot.com/bug?extid=f3e5bd9358af6c9a28c5
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f3e5bd9358af6c9a2...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 1 PID: 8514 at fs/ext4/inode.c:229 ext4_evict_inode+0x112c/0x1800 fs/ext4/inode.c:229
Modules linked in:
CPU: 1 PID: 8514 Comm: syz-executor.1 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:ext4_evict_inode+0x112c/0x1800 fs/ext4/inode.c:229
Code: 05 72 d6 d3 0a 01 e8 ea 75 ae 06 e9 08 f5 ff ff c7 44 24 2c 06 00 00 00 c7 44 24 28 06 00 00 00 e9 9f f6 ff ff e8 54 29 6b ff <0f> 0b e9 34 f4 ff ff e8 48 29 6b ff e8 73 07 57 ff 31 ff 41 89 c5
RSP: 0018:c9000166fcb8 EFLAGS: 00010293
RAX:  RBX: 1920002cdf9e RCX: 8205683e
RDX: 8880125fb580 RSI: 8205740c RDI: 0005
RBP: 888059bf0338 R08:  R09: 
R10:  R11:  R12: 0001
R13: 888015bb1070 R14: 895fec20 R15: 888059bf4b00
FS:  0258e940() GS:8880b9f0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 001b30522000 CR3: 47a9c000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 evict+0x2ed/0x750 fs/inode.c:578
 iput_final fs/inode.c:1654 [inline]
 iput.part.0+0x3fe/0x820 fs/inode.c:1680
 iput+0x58/0x70 fs/inode.c:1670
 do_unlinkat+0x40b/0x660 fs/namei.c:3903
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45dea7
Code: 00 66 90 b8 58 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 8d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fff0cd52098 EFLAGS: 0246 ORIG_RAX: 0057
RAX: ffda RBX:  RCX: 0045dea7
RDX: 7fff0cd520b0 RSI: 7fff0cd520b0 RDI: 7fff0cd52140
RBP: 0714 R08:  R09: 001b
R10: 0015 R11: 0246 R12: 7fff0cd531d0
R13: 0258fa60 R14:  R15: 000ab9e5




general protection fault in j1939_netdev_notify (2)

2020-12-19 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:d635a69d Merge tag 'net-next-5.11' of git://git.kernel.org..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1315f12350
kernel config:  https://syzkaller.appspot.com/x/.config?x=c3556e4856b17a95
dashboard link: https://syzkaller.appspot.com/bug?extid=5138c4dd15a0401bec7b
compiler:   clang version 11.0.0 (https://github.com/llvm/llvm-project.git ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1295512350
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10f2f30f50

The issue was bisected to:

commit 497a5757ce4e8f37219a3989ac6a561eb9a8e6c7
Author: Heiner Kallweit 
Date:   Sat Nov 7 20:50:56 2020 +

tun: switch to net core provided statistics counters

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=143b845b50
final oops: https://syzkaller.appspot.com/x/report.txt?x=163b845b50
console output: https://syzkaller.appspot.com/x/log.txt?x=123b845b50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5138c4dd15a0401be...@syzkaller.appspotmail.com
Fixes: 497a5757ce4e ("tun: switch to net core provided statistics counters")

general protection fault, probably for non-canonical address 0xe80fe8c072f1:  [#1] PREEMPT SMP KASAN
KASAN: probably user-memory-access in range [0x607f46039788-0x607f4603978f]
CPU: 1 PID: 8472 Comm: syz-executor635 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:j1939_ndev_to_priv net/can/j1939/main.c:219 [inline]
RIP: 0010:j1939_priv_get_by_ndev_locked net/can/j1939/main.c:231 [inline]
RIP: 0010:j1939_priv_get_by_ndev net/can/j1939/main.c:243 [inline]
RIP: 0010:j1939_netdev_notify+0x115/0x320 net/can/j1939/main.c:353
Code: 00 74 08 48 89 df e8 ba 1e 48 f9 48 8b 1b 48 85 db 0f 84 f0 00 00 00 4c 89 64 24 08 48 81 c3 28 60 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 8c 1e 48 f9 4c 8b 23 4d 85 e4 0f
RSP: 0018:c9e9fd68 EFLAGS: 00010202
RAX: 0c0fe8c072f1 RBX: 607f46039788 RCX: 88801456d040
RDX: 88801456d040 RSI: 0118 RDI: 0118
RBP: 0118 R08: 8870585d R09: f520001d3fa5
R10: f520001d3fa5 R11:  R12: 0010
R13: 11100293e848 R14: dc00 R15: 8880149f4244
FS:  01d13880() GS:8880b9d0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 2080 CR3: 1402f000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0xe7/0x170 kernel/notifier.c:410
 call_netdevice_notifiers_info net/core/dev.c:2022 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2034 [inline]
 call_netdevice_notifiers+0xeb/0x150 net/core/dev.c:2048
 __tun_chr_ioctl+0x2337/0x4860 drivers/net/tun.c:3093
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440359
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fffd37b9c98 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 004002c8 RCX: 00440359
RDX: 0118 RSI: 400454cd RDI: 0003
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10:  R11: 0246 R12: 00401b60
R13: 00401bf0 R14:  R15: 
Modules linked in:
---[ end trace 7688a2c3c10da2e1 ]---
RIP: 0010:j1939_ndev_to_priv net/can/j1939/main.c:219 [inline]
RIP: 0010:j1939_priv_get_by_ndev_locked net/can/j1939/main.c:231 [inline]
RIP: 0010:j1939_priv_get_by_ndev net/can/j1939/main.c:243 [inline]
RIP: 0010:j1939_netdev_notify+0x115/0x320 net/can/j1939/main.c:353
Code: 00 74 08 48 89 df e8 ba 1e 48 f9 48 8b 1b 48 85 db 0f 84 f0 00 00 00 4c 89 64 24 08 48 81 c3 28 60 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 74 08 48 89 df e8 8c 1e 48 f9 4c 8b 23 4d 85 e4 0f
RSP: 0018:c9e9fd68 EFLAGS: 00010202
RAX: 0c0fe8c072f1 RBX: 607f46039788 RCX: 88801456d040
RDX: 88801456d040 RSI: 0118 RDI: 0118
RBP: 0118 R08: 8870585d R09: f520001d3fa5
R10: f520001d3fa5 R11:  R12: 0010
R13: 11100293e848 R14: dc00 R15: 8880149f4244
FS:  01d13880() GS:8880b9d0(000

Re: INFO: rcu detected stall in tipc_release

2020-12-20 Thread syzbot
syzbot suspects this issue was fixed by commit:

commit cc00bcaa589914096edef7fb87ca5cee4a166b5c
Author: Subash Abhinov Kasiviswanathan 
Date:   Wed Nov 25 18:27:22 2020 +

netfilter: x_tables: Switch synchronization to RCU

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1445cb3750
start commit:   7cc2a8ea Merge tag 'block-5.8-2020-07-01' of git://git.ker..
git tree:   upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=7be693511b29b338
dashboard link: https://syzkaller.appspot.com/bug?extid=3654c027d861c6df4b06
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1294823310
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11344c0510

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: netfilter: x_tables: Switch synchronization to RCU

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


KASAN: global-out-of-bounds Read in smc_nl_get_sys_info

2020-12-20 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:3db1a3fa Merge tag 'staging-5.11-rc1' of git://git.kernel...
git tree:   net
console output: https://syzkaller.appspot.com/x/log.txt?x=121dc93750
kernel config:  https://syzkaller.appspot.com/x/.config?x=2764fc28a92339f9
dashboard link: https://syzkaller.appspot.com/bug?extid=f4708c391121cfc58396
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1652228750
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1144680f50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f4708c391121cfc58...@syzkaller.appspotmail.com

==
BUG: KASAN: global-out-of-bounds in string_nocheck lib/vsprintf.c:611 [inline]
BUG: KASAN: global-out-of-bounds in string+0x39c/0x3d0 lib/vsprintf.c:693
Read of size 1 at addr 8faea960 by task syz-executor646/8509

CPU: 0 PID: 8509 Comm: syz-executor646 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 string_nocheck lib/vsprintf.c:611 [inline]
 string+0x39c/0x3d0 lib/vsprintf.c:693
 vsnprintf+0x71b/0x14f0 lib/vsprintf.c:2618
 snprintf+0xbb/0xf0 lib/vsprintf.c:2751
 smc_nl_get_sys_info+0x493/0x880 net/smc/smc_core.c:249
 genl_lock_dumpit+0x60/0x90 net/netlink/genetlink.c:623
 netlink_dump+0x4b9/0xb70 net/netlink/af_netlink.c:2268
 __netlink_dump_start+0x642/0x900 net/netlink/af_netlink.c:2373
 genl_family_rcv_msg_dumpit+0x2af/0x310 net/netlink/genetlink.c:686
 genl_family_rcv_msg net/netlink/genetlink.c:780 [inline]
 genl_rcv_msg+0x434/0x580 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 sys_sendmsg+0x6e8/0x810 net/socket.c:2336
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2390
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2423
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440299
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fff4b943e58 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 004002c8 RCX: 00440299
RDX:  RSI: 2180 RDI: 0003
RBP: 006ca018 R08:  R09: 004002c8
R10:  R11: 0246 R12: 00401aa0
R13: 00401b30 R14:  R15: 

The buggy address belongs to the variable:
 smc_hostname+0x20/0x40

Memory state around the buggy address:
 8faea800: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
 8faea880: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
>8faea900: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
   ^
 8faea980: 04 f9 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
 8faeaa00: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
==




Re: general protection fault in rose_send_frame

2020-12-20 Thread syzbot
syzbot suspects this issue was fixed by commit:

commit 3b3fd068c56e3fbea30090859216a368398e39bf
Author: Anmol Karn 
Date:   Thu Nov 19 19:10:43 2020 +

rose: Fix Null pointer dereference in rose_send_frame()

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=139e2b9b50
start commit:   23ee3e4e Merge tag 'pci-v5.8-fixes-2' of git://git.kernel...
git tree:   upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=f87a5e4232fdb267
dashboard link: https://syzkaller.appspot.com/bug?extid=7078ae989d857fe17988
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=157e896490
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10046c5490

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: rose: Fix Null pointer dereference in rose_send_frame()

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


UBSAN: object-size-mismatch in wg_xmit

2020-12-20 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:5e60366d Merge tag 'fallthrough-fixes-clang-5.11-rc1' of g..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12b12c1350
kernel config:  https://syzkaller.appspot.com/x/.config?x=267a60b188ded8ed
dashboard link: https://syzkaller.appspot.com/bug?extid=8f90d005ab2d22342b6d
compiler:   clang version 11.0.0 (https://github.com/llvm/llvm-project.git 
ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8f90d005ab2d22342...@syzkaller.appspotmail.com


UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2021:28
member access within address 85889cc2 with insufficient space
for an object of type 'struct sk_buff'
CPU: 1 PID: 2998 Comm: kworker/1:2 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x137/0x1be lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:148 [inline]
 handle_object_size_mismatch lib/ubsan.c:297 [inline]
 ubsan_type_mismatch_common+0x1e2/0x390 lib/ubsan.c:310
 __ubsan_handle_type_mismatch_v1+0x41/0x50 lib/ubsan.c:339
 __skb_queue_before include/linux/skbuff.h:2021 [inline]
 __skb_queue_tail include/linux/skbuff.h:2054 [inline]
 wg_xmit+0x45d/0xdf0 drivers/net/wireguard/device.c:182
 __netdev_start_xmit include/linux/netdevice.h:4775 [inline]
 netdev_start_xmit+0x7b/0x140 include/linux/netdevice.h:4789
 xmit_one net/core/dev.c:3556 [inline]
 dev_hard_start_xmit+0x182/0x2e0 net/core/dev.c:3572
 __dev_queue_xmit+0x1229/0x1e60 net/core/dev.c:4133
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0xe8d/0x11e0 net/ipv6/ip6_output.c:117
 dst_output include/net/dst.h:441 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ndisc_send_skb+0x85b/0xc70 net/ipv6/ndisc.c:508
 addrconf_dad_completed+0x5ef/0x990 net/ipv6/addrconf.c:4192
 addrconf_dad_work+0xb92/0x1480 net/ipv6/addrconf.c:3959
 process_one_work+0x471/0x830 kernel/workqueue.c:2275
 worker_thread+0x757/0xb10 kernel/workqueue.c:2421
 kthread+0x39a/0x3c0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


WARNING in isotp_tx_timer_handler

2020-12-20 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:5e60366d Merge tag 'fallthrough-fixes-clang-5.11-rc1' of g..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=179a228750
kernel config:  https://syzkaller.appspot.com/x/.config?x=db720fe37a6a41d8
dashboard link: https://syzkaller.appspot.com/bug?extid=78bab6958a614b0c80b9
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=10ea3e0f50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+78bab6958a614b0c8...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 9908 at net/can/isotp.c:835 
isotp_tx_timer_handler+0x65f/0xba0 net/can/isotp.c:835
Modules linked in:
CPU: 0 PID: 9908 Comm: systemd-udevd Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:isotp_tx_timer_handler+0x65f/0xba0 net/can/isotp.c:835
Code: c1 e8 03 83 e1 07 0f b6 04 28 38 c8 7f 08 84 c0 0f 85 b8 04 00 00 41 88 
54 24 05 e9 07 fb ff ff 40 84 ed 75 21 e8 21 11 80 f9 <0f> 0b 45 31 e4 e8 17 11 
80 f9 44 89 e0 48 83 c4 48 5b 5d 41 5c 41
RSP: 0018:c9007dc8 EFLAGS: 00010246
RAX:  RBX: 88803e4e8518 RCX: 0100
RDX: 8880117d5040 RSI: 87f2102f RDI: 0003
RBP:  R08: 8a7b6540 R09: 87f20a2e
R10: 0003 R11:  R12: 
R13: 8880b9c26c80 R14: 8880b9c26a00 R15: 88803e4e8000
FS:  7fc247dbb8c0() GS:8880b9c0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7ffcab7e7800 CR3: 1c8c6000 CR4: 001506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 <IRQ>
 __run_hrtimer kernel/time/hrtimer.c:1519 [inline]
 __hrtimer_run_queues+0x609/0xea0 kernel/time/hrtimer.c:1583
 hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1600
 __do_softirq+0x2bc/0xa77 kernel/softirq.c:343
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:226 [inline]
 __irq_exit_rcu+0x17f/0x200 kernel/softirq.c:420
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:432
 sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1096
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:628
RIP: 0010:call_rcu+0x2e7/0x710 kernel/rcu/tree.c:3039
Code: 3c 02 00 0f 85 bb 03 00 00 48 8b 05 63 75 1a 0a 49 03 84 24 f0 00 00 00 
49 39 c7 0f 8f 72 01 00 00 e8 5d e4 18 00 ff 34 24 9d <48> 83 c4 20 5b 5d 41 5c 
41 5d 41 5e 41 5f c3 80 3c 02 00 0f 84 2f
RSP: 0018:c9000adafb88 EFLAGS: 0246
RAX: 10e9 RBX: 8880143c1780 RCX: 815740d7
RDX:  RSI:  RDI: 
RBP: 8880b9c35b70 R08: 0001 R09: 8f4f983f
R10: fbfff1e9f307 R11:  R12: 8880b9c35a80
R13: 8880b9c35b60 R14: 8880b9c35b18 R15: 002c
 security_inode_free+0x9a/0xc0 security/security.c:1005
 __destroy_inode+0x24d/0x740 fs/inode.c:259
 destroy_inode+0x91/0x1b0 fs/inode.c:282
 iput_final fs/inode.c:1654 [inline]
 iput.part.0+0x41e/0x840 fs/inode.c:1680
 iput+0x58/0x70 fs/inode.c:1670
 dentry_unlink_inode+0x2b1/0x3d0 fs/dcache.c:374
 __dentry_kill+0x3c0/0x640 fs/dcache.c:579
 dentry_kill fs/dcache.c:717 [inline]
 dput+0x696/0xc10 fs/dcache.c:878
 do_renameat2+0xae7/0xbf0 fs/namei.c:4461
 __do_sys_rename fs/namei.c:4503 [inline]
 __se_sys_rename fs/namei.c:4501 [inline]
 __x64_sys_rename+0x5d/0x80 fs/namei.c:4501
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fc246bb7d47
Code: 75 12 48 89 df e8 19 84 07 00 85 c0 0f 95 c0 0f b6 c0 f7 d8 5b c3 66 2e 
0f 1f 84 00 00 00 00 00 0f 1f 00 b8 52 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 
c3 48 8b 0d 21 41 33 00 f7 d8 64 89 01 48
RSP: 002b:7ffcab6e3c68 EFLAGS: 0246 ORIG_RAX: 0052
RAX: ffda RBX: 5556c8f7a380 RCX: 7fc246bb7d47
RDX:  RSI: 7ffcab6e3c70 RDI: 5556c8f823b0
RBP: 7ffcab6e3d30 R08: 5556c8f812c0 R09: 5556c8f811e0
R10: 7fc247dbb8c0 R11: 0246 R12: 7ffcab6e3c70
R13: 0001 R14: 5556c71306cb R15: 


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

general protection fault in find_match (2)

2020-12-22 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:3db1a3fa Merge tag 'staging-5.11-rc1' of git://git.kernel...
git tree:   bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1103eadf50
kernel config:  https://syzkaller.appspot.com/x/.config?x=2764fc28a92339f9
dashboard link: https://syzkaller.appspot.com/bug?extid=b08cdcfff539328e6c32
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b08cdcfff539328e6...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 
0xdc4b:  [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0258-0x025f]
CPU: 1 PID: 13682 Comm: syz-executor.5 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:ip6_ignore_linkdown include/net/addrconf.h:407 [inline]
RIP: 0010:find_match.part.0+0xcc/0xc70 net/ipv6/route.c:753
Code: f9 0f b6 45 c0 84 c0 0f 84 39 04 00 00 e8 ec a0 c4 f9 49 8d bf 5c 02 00 
00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 
e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 91
RSP: 0018:c900022cf000 EFLAGS: 00010207
RAX: dc00 RBX: 88801c2cc2a0 RCX: c90013d33000
RDX: 004b RSI: 87abfc74 RDI: 025c
RBP: c900022cf070 R08: 0001 R09: c900022cf250
R10:  R11:  R12: 0003
R13: 0001 R14:  R15: 
FS:  7f94614f2700() GS:8880b9f0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7f75a1fccdb8 CR3: 2d8c6000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 find_match net/ipv6/route.c:840 [inline]
 __find_rr_leaf+0x17f/0xd10 net/ipv6/route.c:841
 find_rr_leaf net/ipv6/route.c:862 [inline]
 rt6_select net/ipv6/route.c:906 [inline]
 fib6_table_lookup+0x5b3/0xa20 net/ipv6/route.c:2193
 ip6_pol_route+0x1e1/0x11c0 net/ipv6/route.c:2229
 pol_lookup_func include/net/ip6_fib.h:583 [inline]
 fib6_rule_lookup+0x111/0x6f0 net/ipv6/fib6_rules.c:115
 ip6_route_output_flags_noref+0x2c2/0x360 net/ipv6/route.c:2510
 ip6_route_output_flags+0x8b/0x310 net/ipv6/route.c:2523
 ip6_route_output include/net/ip6_route.h:98 [inline]
 ip6_dst_lookup_tail+0xb3a/0x1700 net/ipv6/ip6_output.c:1024
 ip6_dst_lookup_flow+0x8c/0x1d0 net/ipv6/ip6_output.c:1154
 ip6_sk_dst_lookup_flow+0x55c/0x990 net/ipv6/ip6_output.c:1192
 udpv6_sendmsg+0x18a5/0x2bd0 net/ipv6/udp.c:1508
 inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:638
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 sys_sendmsg+0x6e8/0x810 net/socket.c:2336
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2390
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2423
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45e149
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 
db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f94614f1c68 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 0003 RCX: 0045e149
RDX:  RSI: 2040 RDI: 0005
RBP: 0119bfc0 R08:  R09: 
R10:  R11: 0246 R12: 0119bf8c
R13: 7ffd9413345f R14: 7f94614f29c0 R15: 0119bf8c
Modules linked in:
---[ end trace a9799337710952e8 ]---
RIP: 0010:ip6_ignore_linkdown include/net/addrconf.h:407 [inline]
RIP: 0010:find_match.part.0+0xcc/0xc70 net/ipv6/route.c:753
Code: f9 0f b6 45 c0 84 c0 0f 84 39 04 00 00 e8 ec a0 c4 f9 49 8d bf 5c 02 00 
00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 
e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 91
RSP: 0018:c900022cf000 EFLAGS: 00010207
RAX: dc00 RBX: 88801c2cc2a0 RCX: c90013d33000
RDX: 004b RSI: 87abfc74 RDI: 025c
RBP: c900022cf070 R08: 0001 R09: c900022cf250
R10:  R11:  R12: 0003
R13: 0001 R14:  R15: 
FS:  7f94614f2700() GS:8880b9f0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2:  CR3: 2d8c6000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400



kernel BUG at lib/string.c:LINE! (6)

2020-12-22 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:d64c6f96 Merge tag 'net-5.11-rc1' of git://git.kernel.org/..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10bc561350
kernel config:  https://syzkaller.appspot.com/x/.config?x=aca0dc5c721fe9e5
dashboard link: https://syzkaller.appspot.com/bug?extid=e86f7c428c8c50db65b4
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=169378a750
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=144692cb50

The issue was bisected to:

commit 2f78788b55baa3410b1ec91a576286abe1ad4d6a
Author: Jakub Jelinek 
Date:   Wed Dec 16 04:43:37 2020 +

ilog2: improve ilog2 for constant arguments

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1584f13750
final oops: https://syzkaller.appspot.com/x/report.txt?x=1784f13750
console output: https://syzkaller.appspot.com/x/log.txt?x=1384f13750

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e86f7c428c8c50db6...@syzkaller.appspotmail.com
Fixes: 2f78788b55ba ("ilog2: improve ilog2 for constant arguments")

detected buffer overflow in strlen
------------[ cut here ]------------
kernel BUG at lib/string.c:1149!
invalid opcode:  [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8713 Comm: syz-executor731 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:fortify_panic+0xf/0x11 lib/string.c:1149
Code: b5 78 a3 04 48 c7 c7 c0 8f c2 89 58 5b 5d 41 5c 41 5d 41 5e 41 5f e9 30 
ba ee ff 48 89 fe 48 c7 c7 80 90 c2 89 e8 21 ba ee ff <0f> 0b e8 90 f9 97 f8 0f 
b6 f3 48 c7 c7 20 f4 10 8c e8 41 e8 fc fa
RSP: 0018:c900020af500 EFLAGS: 00010282
RAX: 0022 RBX: 888011c26768 RCX: 
RDX: 88801bad RSI: 815a6925 RDI: f52000415e92
RBP: 88801be7c220 R08: 0022 R09: 
R10: 815a4d7b R11:  R12: 88801180ec00
R13: 888011c26700 R14: 192000415ea2 R15: 0010
FS:  00812880() GS:8880b9c0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 006dcf60 CR3: 141ee000 CR4: 001506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 strlen include/linux/string.h:325 [inline]
 strlcpy include/linux/string.h:348 [inline]
 xt_rateest_tg_checkentry+0x2a5/0x6b0 net/netfilter/xt_RATEEST.c:143
 xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1019
 check_target net/ipv6/netfilter/ip6_tables.c:529 [inline]
 find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables.c:572
 translate_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:734
 do_replace net/ipv6/netfilter/ip6_tables.c:1152 [inline]
 do_ip6t_set_ctl+0x553/0xb70 net/ipv6/netfilter/ip6_tables.c:1636
 nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
 ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1008
 tcp_setsockopt+0x136/0x2440 net/ipv4/tcp.c:3597
 __sys_setsockopt+0x2db/0x610 net/socket.c:2115
 __do_sys_setsockopt net/socket.c:2126 [inline]
 __se_sys_setsockopt net/socket.c:2123 [inline]
 __x64_sys_setsockopt+0xba/0x150 net/socket.c:2123
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4493d9
Code: e8 0c ca 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 
9b cb fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fff679a3898 EFLAGS: 0246 ORIG_RAX: 0036
RAX: ffda RBX: 22c0 RCX: 004493d9
RDX: 0040 RSI: 0029 RDI: 0006
RBP: 7fff679a38b0 R08: 0470 R09: 00c2
R10: 2080 R11: 0246 R12: 000112d5
R13: 006d7dc8 R14:  R15: 
Modules linked in:
---[ end trace e17a915ca7e8b666 ]---
RIP: 0010:fortify_panic+0xf/0x11 lib/string.c:1149
Code: b5 78 a3 04 48 c7 c7 c0 8f c2 89 58 5b 5d 41 5c 41 5d 41 5e 41 5f e9 30 
ba ee ff 48 89 fe 48 c7 c7 80 90 c2 89 e8 21 ba ee ff <0f> 0b e8 90 f9 97 f8 0f 
b6 f3 48 c7 c7 20 f4 10 8c e8 41 e8 fc fa
RSP: 0018:c900020af500 EFLAGS: 00010282
RAX: 0022 RBX: 888011c26768 RCX: 
RDX: 88801bad RSI: 815a6925 RDI: f52000415e92
RBP: 88801be7c220 R08: 0022 R09: 
R10: 815a4d7b R11:  R12: 88801180ec00
R13: 888011c26700 R14: 192000415ea2 R15: 0010
FS:  00812880() GS:8880b9c0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 006dcf60 CR3: 141ee000 CR4: 
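
The BUG above is CONFIG_FORTIFY_SOURCE firing inside strlcpy(): the call chain (do_replace -> xt_check_target -> xt_rateest_tg_checkentry -> strlcpy -> strlen) shows a target's userspace-supplied name being measured with strlen() before it is copied, and fortify panics because no NUL was found inside the fixed-size field. The C program below is an added illustration by the editor, not code from the kernel or from the report. It models fortify's bounded strlen, the unchecked copy, and a hardened checkentry that rejects an unterminated name with -EINVAL. The struct layout, DEMO_IFNAMSIZ and every demo_* name are assumptions made for the demo, not the real xt_RATEEST definitions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEMO_IFNAMSIZ 16   /* same width as the kernel's IFNAMSIZ */

/* Constructed stand-in for a netfilter target's userspace config: a
 * fixed-size name the user is trusted to NUL-terminate (hypothetical
 * layout, not the real xt_RATEEST struct). */
struct demo_target_info {
    char name[DEMO_IFNAMSIZ];
    unsigned char interval;
    unsigned char ewma_log;
};

/* Bounded length scan (own helper, so the demo never reads past max). */
static size_t demo_strnlen(const char *p, size_t max)
{
    size_t n = 0;
    while (n < max && p[n] != '\0')
        n++;
    return n;
}

/* What fortify does to strlen() when the object size is known: if no
 * NUL lies inside the object the scan has left it, and the kernel
 * calls fortify_panic(). Modelled here as -1 instead of a BUG. */
static long demo_fortified_strlen(const char *p, size_t p_size)
{
    size_t len = demo_strnlen(p, p_size);
    return len == p_size ? -1 : (long)len;
}

/* Vulnerable shape: strlcpy() must measure the source first, so an
 * unterminated name turns a ruleset load into a kernel crash. */
int demo_checkentry_unchecked(const struct demo_target_info *info,
                              char *dst, size_t dstlen)
{
    long n = demo_fortified_strlen(info->name, sizeof(info->name));
    if (n < 0)
        return -EOVERFLOW;              /* stand-in for fortify_panic() */
    size_t copy = (size_t)n < dstlen ? (size_t)n : dstlen - 1;
    memcpy(dst, info->name, copy);      /* strlcpy() body without the scan */
    dst[copy] = '\0';
    return 0;
}

/* Hardened shape: prove termination with a bounded scan and fail the
 * load with -EINVAL instead of trusting userspace. */
int demo_checkentry_hardened(const struct demo_target_info *info,
                             char *dst, size_t dstlen)
{
    if (demo_strnlen(info->name, sizeof(info->name)) == sizeof(info->name))
        return -EINVAL;
    return demo_checkentry_unchecked(info, dst, dstlen);
}

/* Constructed inputs: a name filled to the brim with no NUL, as a
 * fuzzer or a malicious ip6tables replace can supply, and a sane one. */
static struct demo_target_info demo_unterminated_info(void)
{
    struct demo_target_info info;
    memset(&info, 0, sizeof(info));
    memset(info.name, 'A', sizeof(info.name));   /* 16 bytes, no terminator */
    info.interval = 1;
    info.ewma_log = 3;
    return info;
}

static struct demo_target_info demo_sane_info(void)
{
    struct demo_target_info info;
    memset(&info, 0, sizeof(info));
    strcpy(info.name, "eth0");
    return info;
}

/* Outcomes of each shape on each input, returned so they can be checked. */
int demo_unchecked_on_bad(void)
{
    struct demo_target_info info = demo_unterminated_info();
    char out[DEMO_IFNAMSIZ];
    return demo_checkentry_unchecked(&info, out, sizeof(out));
}

int demo_hardened_on_bad(void)
{
    struct demo_target_info info = demo_unterminated_info();
    char out[DEMO_IFNAMSIZ];
    return demo_checkentry_hardened(&info, out, sizeof(out));
}

int demo_hardened_on_good_matches(void)
{
    struct demo_target_info info = demo_sane_info();
    char out[DEMO_IFNAMSIZ];
    if (demo_checkentry_hardened(&info, out, sizeof(out)) != 0)
        return 0;
    return strcmp(out, "eth0") == 0;
}

int main(void)
{
    printf("unchecked, unterminated name: %d\n", demo_unchecked_on_bad());
    printf("hardened,  unterminated name: %d\n", demo_hardened_on_bad());
    printf("hardened,  \"eth0\" copied ok: %d\n", demo_hardened_on_good_matches());
    return 0;
}
```

The point of the ordering in demo_checkentry_hardened is that the bounded check runs before any call that scans for a terminator; putting strlcpy() first, even with a correct destination size, does not help because the overflow is on the source side.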

UBSAN: shift-out-of-bounds in sfq_init

2020-12-22 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:a409ed15 Merge tag 'gpio-v5.11-1' of git://git.kernel.org/..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=164f512350
kernel config:  https://syzkaller.appspot.com/x/.config?x=f7c39e7211134bc0
dashboard link: https://syzkaller.appspot.com/bug?extid=97c5bd9cc81eca63d36e
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1136680f50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1438348750

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+97c5bd9cc81eca63d...@syzkaller.appspotmail.com


UBSAN: shift-out-of-bounds in ./include/net/red.h:252:22
shift exponent 72 is too large for 32-bit type 'int'
CPU: 1 PID: 8479 Comm: syz-executor063 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 red_set_parms include/net/red.h:252 [inline]
 sfq_change net/sched/sch_sfq.c:674 [inline]
 sfq_init.cold+0x4f/0xd5 net/sched/sch_sfq.c:762
 qdisc_create+0x4ba/0x13a0 net/sched/sch_api.c:1246
 tc_modify_qdisc+0x4c8/0x1a30 net/sched/sch_api.c:1662
 rtnetlink_rcv_msg+0x498/0xb80 net/core/rtnetlink.c:5564
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 sys_sendmsg+0x6e8/0x810 net/socket.c:2345
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4404f9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 
7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fffef145e18 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 004002c8 RCX: 004404f9
RDX:  RSI: 2040 RDI: 0004
RBP: 006ca018 R08:  R09: 004002c8
R10:  R11: 0246 R12: 00401d00
R13: 00401d90 R14:  R15: 



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
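
The splat above is a netlink-supplied RED parameter reaching red_set_parms() unchecked and being used as a shift count of 72 on a 32-bit int; anything at or above 32 is undefined in C, and with UBSAN it is this report, without UBSAN it is a silently garbage qdisc parameter. The program below is an added example by the editor, not code from the kernel or from the report: a range check for every value that is shifted or used as a shift count, applied before any arithmetic so the setter can fail with -EINVAL. The assumption that the offending shift is the Scell_log one, and the demo_red_* names and struct, are the editor's; the report itself only gives the file, line and exponent.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Portable fls(): 1-based index of the highest set bit, 0 for x == 0
 * (same contract as the kernel helper). */
static int demo_fls(uint32_t x)
{
    int r = 0;
    while (x) {
        r++;
        x >>= 1;
    }
    return r;
}

/* Only the RED fields that are derived by shifting (hypothetical). */
struct demo_red_parms {
    uint32_t qth_min, qth_max, Scell_max;
    uint8_t  Wlog, Plog, Scell_log;
};

/* Validate shift counts (< 32) and that every shifted value still fits
 * in 32 bits. The count check comes first: fls(0) + 32 == 32 would
 * otherwise pass the fit check and still shift by 32. */
bool demo_red_check_params(uint32_t qth_min, uint32_t qth_max,
                           uint8_t Wlog, uint8_t Plog, uint8_t Scell_log)
{
    if (qth_max < qth_min)
        return false;
    if (Wlog >= 32 || Plog >= 32 || Scell_log >= 32)
        return false;                         /* shift count out of range */
    if (demo_fls(qth_min) + Wlog > 32 || demo_fls(qth_max) + Wlog > 32)
        return false;                         /* qth << Wlog would not fit u32 */
    if (demo_fls(255u) + Scell_log > 32)
        return false;                         /* 255 << Scell_log would not fit u32 */
    return true;
}

/* Netlink-facing setter: refuse bad input before any arithmetic. */
int demo_red_set_parms(struct demo_red_parms *p, uint32_t qth_min,
                       uint32_t qth_max, uint8_t Wlog, uint8_t Plog,
                       uint8_t Scell_log)
{
    if (!demo_red_check_params(qth_min, qth_max, Wlog, Plog, Scell_log))
        return -EINVAL;
    p->qth_min   = qth_min << Wlog;
    p->qth_max   = qth_max << Wlog;
    p->Wlog      = Wlog;
    p->Plog      = Plog;
    p->Scell_log = Scell_log;
    p->Scell_max = 255u << Scell_log;         /* unsigned: no sign-bit overflow */
    return 0;
}

/* Scell_max for a given log with otherwise sane inputs, or -1 if rejected. */
long demo_scell_max_for(uint8_t Scell_log)
{
    struct demo_red_parms p;
    if (demo_red_set_parms(&p, 1, 2, 10, 0, Scell_log) != 0)
        return -1;
    return (long)p.Scell_max;
}

int main(void)
{
    /* Constructed inputs: the fuzzer's exponent of 72, then a sane one. */
    printf("Scell_log=72 -> %ld\n", demo_scell_max_for(72));
    printf("Scell_log=20 -> 0x%lx\n", demo_scell_max_for(20));
    return 0;
}
```

Checking the count separately from the fit is the edge case worth remembering: a zero threshold with Wlog == 32 has fls(0) + 32 == 32, so a fit-only check lets a shift by the full width through.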


UBSAN: object-size-mismatch in tipc_sk_filter_rcv

2020-12-23 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:5e60366d Merge tag 'fallthrough-fixes-clang-5.11-rc1' of g..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11913e0f50
kernel config:  https://syzkaller.appspot.com/x/.config?x=267a60b188ded8ed
dashboard link: https://syzkaller.appspot.com/bug?extid=bc0b77f2a9209716067f
compiler:   clang version 11.0.0 (https://github.com/llvm/llvm-project.git 
ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bc0b77f2a92097160...@syzkaller.appspotmail.com


UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2021:28
member access within address 2c1825a5 with insufficient space
for an object of type 'struct sk_buff'
CPU: 1 PID: 9846 Comm: syz-executor.1 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x137/0x1be lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:148 [inline]
 handle_object_size_mismatch lib/ubsan.c:297 [inline]
 ubsan_type_mismatch_common+0x1e2/0x390 lib/ubsan.c:310
 __ubsan_handle_type_mismatch_v1+0x41/0x50 lib/ubsan.c:339
 __skb_queue_before include/linux/skbuff.h:2021 [inline]
 __skb_queue_tail include/linux/skbuff.h:2054 [inline]
 tipc_sk_filter_rcv+0x2bf/0x2330 net/tipc/socket.c:2342
 tipc_sk_enqueue net/tipc/socket.c:2438 [inline]
 tipc_sk_rcv+0x3d9/0xf80 net/tipc/socket.c:2490
 tipc_node_xmit+0x285/0xb10 net/tipc/node.c:1689
 __tipc_sendmsg+0x1cbe/0x2f90 net/tipc/socket.c:1524
 tipc_sendmsg+0x51/0x70 net/tipc/socket.c:1409
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xc1/0xf0 net/socket.c:672
 sys_sendmsg+0x4b3/0x840 net/socket.c:2336
 ___sys_sendmsg net/socket.c:2390 [inline]
 __sys_sendmmsg+0x3de/0x860 net/socket.c:2480
 __do_sys_sendmmsg net/socket.c:2509 [inline]
 __se_sys_sendmmsg net/socket.c:2506 [inline]
 __x64_sys_sendmmsg+0x9c/0xb0 net/socket.c:2506
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45e149
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 
db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f20231a6c68 EFLAGS: 0246 ORIG_RAX: 0133
RAX: ffda RBX: 0004 RCX: 0045e149
RDX: 0002 RSI: 20c0 RDI: 0003
RBP: 0119bfc8 R08:  R09: 
R10:  R11: 0246 R12: 0119bf8c
R13: 7ffd81950ccf R14: 7f20231a79c0 R15: 0119bf8c



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


general protection fault in tipc_crypto_key_distr

2020-12-23 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:3db1a3fa Merge tag 'staging-5.11-rc1' of git://git.kernel...
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=107df12350
kernel config:  https://syzkaller.appspot.com/x/.config?x=2764fc28a92339f9
dashboard link: https://syzkaller.appspot.com/bug?extid=fff41d21ca02315bd004
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fff41d21ca02315bd...@syzkaller.appspotmail.com

RBP: 7f349d602ca0 R08:  R09: 
R10:  R11: 0246 R12: 0030
R13: 7fff8446099f R14: 7f349d6039c0 R15: 0119bf8c
general protection fault, probably for non-canonical address 
0xdc04:  [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0020-0x0027]
CPU: 0 PID: 5549 Comm: syz-executor.0 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:tipc_aead_key_size include/uapi/linux/tipc.h:254 [inline]
RIP: 0010:tipc_crypto_key_xmit net/tipc/crypto.c:2245 [inline]
RIP: 0010:tipc_crypto_key_distr+0x218/0xa70 net/tipc/crypto.c:2211
Code: 02 00 0f 85 51 08 00 00 48 8b 45 00 49 8d 4d 20 48 89 ca 48 89 4c 24 10 
48 c1 ea 03 48 89 04 24 48 b8 00 00 00 00 00 fc ff df <0f> b6 14 02 48 89 c8 83 
e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 3d
RSP: 0018:c900025073f0 EFLAGS: 00010202
RAX: dc00 RBX: 88804fc22e00 RCX: 0020
RDX: 0004 RSI: 88771597 RDI: 88804fc22e40
RBP: 888016bc3000 R08:  R09: 
R10: 0001 R11: 0001 R12: 0001
R13:  R14:  R15: 
FS:  7f349d603700() GS:8880b9e0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7fa36516cdb8 CR3: 25ae CR4: 001506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 __tipc_nl_node_set_key net/tipc/node.c:3008 [inline]
 tipc_nl_node_set_key+0xcb4/0xf30 net/tipc/node.c:3023
 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 sys_sendmsg+0x6e8/0x810 net/socket.c:2336
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2390
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2423
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45e149
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 
db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f349d602c68 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 0004 RCX: 0045e149
RDX:  RSI: 2340 RDI: 0003
RBP: 7f349d602ca0 R08:  R09: 
R10:  R11: 0246 R12: 0030
R13: 7fff8446099f R14: 7f349d6039c0 R15: 0119bf8c
Modules linked in:
---[ end trace a296abf4d3e5aa59 ]---
RIP: 0010:tipc_aead_key_size include/uapi/linux/tipc.h:254 [inline]
RIP: 0010:tipc_crypto_key_xmit net/tipc/crypto.c:2245 [inline]
RIP: 0010:tipc_crypto_key_distr+0x218/0xa70 net/tipc/crypto.c:2211
Code: 02 00 0f 85 51 08 00 00 48 8b 45 00 49 8d 4d 20 48 89 ca 48 89 4c 24 10 
48 c1 ea 03 48 89 04 24 48 b8 00 00 00 00 00 fc ff df <0f> b6 14 02 48 89 c8 83 
e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 3d
RSP: 0018:c900025073f0 EFLAGS: 00010202
RAX: dc00 RBX: 88804fc22e00 RCX: 0020
RDX: 0004 RSI: 88771597 RDI: 88804fc22e40
RBP: 888016bc3000 R08:  R09: 
R10: 0001 R11: 0001 R12: 0001
R13:  R14:  R15: 
FS:  7f349d603700() GS:8880b9e0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7fa36516cdb8 CR3: 25ae CR4: 001506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400



WARNING in sk_stream_kill_queues (5)

2020-11-30 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:6147c83f Add linux-next specific files for 20201126
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=117c967950
kernel config:  https://syzkaller.appspot.com/x/.config?x=9b91566da897c24f
dashboard link: https://syzkaller.appspot.com/bug?extid=7b99aafdcc2eedea6178
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=103bf74350
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=167c60c950

The issue was bisected to:

commit 145cd60fb481328faafba76842aa0fd242e2b163
Author: Alexander Potapenko 
Date:   Tue Nov 24 05:38:44 2020 +

mm, kfence: insert KFENCE hooks for SLUB

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13abe5b350
final oops: https://syzkaller.appspot.com/x/report.txt?x=106be5b350
console output: https://syzkaller.appspot.com/x/log.txt?x=17abe5b350

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7b99aafdcc2eedea6...@syzkaller.appspotmail.com
Fixes: 145cd60fb481 ("mm, kfence: insert KFENCE hooks for SLUB")

------------[ cut here ]------------
WARNING: CPU: 0 PID: 11307 at net/core/stream.c:207 
sk_stream_kill_queues+0x3c3/0x530 net/core/stream.c:207
Modules linked in:
CPU: 0 PID: 11307 Comm: syz-executor673 Not tainted 
5.10.0-rc5-next-20201126-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:sk_stream_kill_queues+0x3c3/0x530 net/core/stream.c:207
Code: 00 00 00 fc ff df 48 c1 ea 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e 63 01 
00 00 8b ab 20 02 00 00 e9 60 ff ff ff e8 ad 24 7b fa <0f> 0b eb 97 e8 a4 24 7b 
fa 0f 0b eb a0 e8 9b 24 7b fa 0f 0b e9 a5
RSP: 0018:c9000979f978 EFLAGS: 00010293
RAX:  RBX: fe80 RCX: 86f5877a
RDX: 88801ebb5040 RSI: 86f587e3 RDI: 0005
RBP: 0180 R08: 0001 R09: 8ebd9817
R10:  R11: 0001 R12: 8880182f3ce0
R13: 8fb178c0 R14: 8880182f3ae8 R15: 8880182f3c70
FS:  () GS:8880b9e0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 004c7cd8 CR3: 0b08e000 CR4: 001506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 inet_csk_destroy_sock+0x1a5/0x490 net/ipv4/inet_connection_sock.c:885
 __tcp_close+0xd3e/0x1170 net/ipv4/tcp.c:2585
 tcp_close+0x29/0xc0 net/ipv4/tcp.c:2597
 inet_release+0x12e/0x280 net/ipv4/af_inet.c:431
 __sock_release+0xcd/0x280 net/socket.c:596
 sock_close+0x18/0x20 net/socket.c:1255
 __fput+0x283/0x920 fs/file_table.c:280
 task_work_run+0xdd/0x190 kernel/task_work.c:140
 exit_task_work include/linux/task_work.h:30 [inline]
 do_exit+0xb89/0x29e0 kernel/exit.c:823
 do_group_exit+0x125/0x310 kernel/exit.c:920
 get_signal+0x3ec/0x2010 kernel/signal.c:2770
 arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:811
 handle_signal_work kernel/entry/common.c:144 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
 exit_to_user_mode_prepare+0x124/0x200 kernel/entry/common.c:198
 syscall_exit_to_user_mode+0x36/0x260 kernel/entry/common.c:275
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x44ea59
Code: Unable to access opcode bytes at RIP 0x44ea2f.
RSP: 002b:7fd1200f3d98 EFLAGS: 0246 ORIG_RAX: 0001
RAX: 00012255 RBX: 006e6a18 RCX: 0044ea59
RDX: 000101bd RSI: 21c0 RDI: 0003
RBP: 006e6a10 R08:  R09: 
R10:  R11: 0246 R12: 006e6a1c
R13: 3030303030303030 R14: 3030303030303d65 R15: 2b74d0dd4a6f722c


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


BUG: rwlock bad magic on CPU, kworker/0:LINE/NUM, ADDR

2020-11-30 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:90cf87d1 enetc: Let the hardware auto-advance the taprio b..
git tree:   net
console output: https://syzkaller.appspot.com/x/log.txt?x=135479b350
kernel config:  https://syzkaller.appspot.com/x/.config?x=5720c06118e6c4cc
dashboard link: https://syzkaller.appspot.com/bug?extid=cb987a9c796abc570b47
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cb987a9c796abc570...@syzkaller.appspotmail.com

tipc: 32-bit node address hash set to aa1414ac
BUG: rwlock bad magic on CPU#0, kworker/0:18/18158, 859f2a8d
CPU: 0 PID: 18158 Comm: kworker/0:18 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Workqueue: events tipc_net_finalize_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 rwlock_bug kernel/locking/spinlock_debug.c:144 [inline]
 debug_write_lock_before kernel/locking/spinlock_debug.c:182 [inline]
 do_raw_write_lock+0x1ef/0x280 kernel/locking/spinlock_debug.c:206
 tipc_mon_reinit_self+0x1f7/0x630 net/tipc/monitor.c:685
 tipc_net_finalize net/tipc/net.c:134 [inline]
 tipc_net_finalize+0x1df/0x310 net/tipc/net.c:125
 process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x3af/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


Re: KASAN: use-after-free Write in kernfs_path_from_node_locked

2020-11-30 Thread syzbot
syzbot has bisected this issue to:

commit 0f818c4bc1f3dc0d6d0ea916e0ab30cf5e75f4c0
Author: Axel Rasmussen 
Date:   Tue Nov 24 05:37:42 2020 +

mm: mmap_lock: add tracepoints around lock acquisition

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1626291d50
start commit:   6174f052 Add linux-next specific files for 20201127
git tree:   linux-next
final oops: https://syzkaller.appspot.com/x/report.txt?x=1526291d50
console output: https://syzkaller.appspot.com/x/log.txt?x=1126291d50
kernel config:  https://syzkaller.appspot.com/x/.config?x=79c69cf2521bef9c
dashboard link: https://syzkaller.appspot.com/bug?extid=19e6dd9943972fa1c58a
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=12c3351d50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c2880950

Reported-by: syzbot+19e6dd9943972fa1c...@syzkaller.appspotmail.com
Fixes: 0f818c4bc1f3 ("mm: mmap_lock: add tracepoints around lock acquisition")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


INFO: task hung in ath6kl_usb_destroy (3)

2020-11-30 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:ebad4326 Merge 5.10-rc6 into usb-next
git tree:   https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=1566291d50
kernel config:  https://syzkaller.appspot.com/x/.config?x=fe8988e4dc252d01
dashboard link: https://syzkaller.appspot.com/bug?extid=bccb3d118a39c43b6c9d
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bccb3d118a39c43b6...@syzkaller.appspotmail.com

INFO: task kworker/1:4:7246 blocked for more than 143 seconds.
  Not tainted 5.10.0-rc6-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:4 state:D stack:22864 pid: 7246 ppid: 2 flags:0x4000
Workqueue: usb_hub_wq hub_event
Call Trace:
 context_switch kernel/sched/core.c:3779 [inline]
 __schedule+0x8a2/0x1f30 kernel/sched/core.c:4528
 schedule+0xcb/0x270 kernel/sched/core.c:4606
 schedule_timeout+0x1d8/0x250 kernel/time/timer.c:1847
 do_wait_for_common kernel/sched/completion.c:85 [inline]
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion+0x168/0x270 kernel/sched/completion.c:138
 flush_workqueue+0x3ff/0x13e0 kernel/workqueue.c:2835
 flush_scheduled_work include/linux/workqueue.h:597 [inline]
 ath6kl_usb_flush_all drivers/net/wireless/ath/ath6kl/usb.c:476 [inline]
 ath6kl_usb_destroy+0xc6/0x290 drivers/net/wireless/ath/ath6kl/usb.c:609
 ath6kl_usb_probe+0xc7b/0x11f0 drivers/net/wireless/ath/ath6kl/usb.c:1166
 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
 really_probe+0x291/0xde0 drivers/base/dd.c:554
 driver_probe_device+0x26b/0x3d0 drivers/base/dd.c:738
 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:844
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
 __device_attach+0x228/0x4a0 drivers/base/dd.c:912
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
 device_add+0xbb2/0x1ce0 drivers/base/core.c:2936
 usb_set_configuration+0x113c/0x1910 drivers/usb/core/message.c:2168
 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
 usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
 really_probe+0x291/0xde0 drivers/base/dd.c:554
 driver_probe_device+0x26b/0x3d0 drivers/base/dd.c:738
 __device_attach_driver+0x1d1/0x290 drivers/base/dd.c:844
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:431
 __device_attach+0x228/0x4a0 drivers/base/dd.c:912
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:491
 device_add+0xbb2/0x1ce0 drivers/base/core.c:2936
 usb_new_device.cold+0x71d/0xfe9 drivers/usb/core/hub.c:2555
 hub_port_connect drivers/usb/core/hub.c:5223 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
 port_event drivers/usb/core/hub.c:5509 [inline]
 hub_event+0x2348/0x42d0 drivers/usb/core/hub.c:5591
 process_one_work+0x933/0x1520 kernel/workqueue.c:2272
 process_scheduled_works kernel/workqueue.c:2334 [inline]
 worker_thread+0x82b/0x1120 kernel/workqueue.c:2420
 kthread+0x38c/0x460 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Showing all locks held in the system:
5 locks held by kworker/0:0/5:
 #0: 888103c7ed38 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 888103c7ed38 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 888103c7ed38 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 888103c7ed38 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline]
 #0: 888103c7ed38 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 888103c7ed38 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x821/0x1520 kernel/workqueue.c:2243
 #1: c905fda8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x854/0x1520 kernel/workqueue.c:2247
 #2: 888108dd6218 (&dev->mutex){}-{3:3}, at: device_lock include/linux/device.h:731 [inline]
 #2: 888108dd6218 (&dev->mutex){}-{3:3}, at: hub_event+0x1c5/0x42d0 drivers/usb/core/hub.c:5537
 #3: 88813b5e7218 (&dev->mutex){}-{3:3}, at: device_lock include/linux/device.h:731 [inline]
 #3: 88813b5e7218 (&dev->mutex){}-{3:3}, at: __device_attach+0x7a/0x4a0 drivers/base/dd.c:887
 #4: 888102bc51a8 (&dev->mutex){}-{3:3}, at: device_lock include/linux/device.h:731 [inline]
 #4: 888102bc51a8 (&dev->mutex){}-{3:3}, at: __device_attach+0x7a/0x4a0 drivers/base/dd.c:887
1 lock held by khungtaskd/1268:
 #0: 872495a0 (rcu_

KASAN: stack-out-of-bounds Write in bitmap_from_arr32

2020-11-30 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:594e31bc Merge branch '40GbE' of git://git.kernel.org/pub/..
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=179b834950
kernel config:  https://syzkaller.appspot.com/x/.config?x=df65150a33f23d8c
dashboard link: https://syzkaller.appspot.com/bug?extid=9d39fa49d4df294aab93
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=11dc60c950
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17e130a550

The issue was bisected to:

commit 0980bfcd6954f124e40a000b85335c197764de14
Author: Michal Kubecek 
Date:   Thu Mar 12 20:07:58 2020 +

ethtool: set netdev features with FEATURES_SET request

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=116dec6350
final oops: https://syzkaller.appspot.com/x/report.txt?x=136dec6350
console output: https://syzkaller.appspot.com/x/log.txt?x=156dec6350

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9d39fa49d4df294aa...@syzkaller.appspotmail.com
Fixes: 0980bfcd6954 ("ethtool: set netdev features with FEATURES_SET request")

==
BUG: KASAN: stack-out-of-bounds in bitmap_from_arr32+0x199/0x1f0 lib/bitmap.c:1278
Write of size 8 at addr c9000151f5b0 by task syz-executor624/8469

CPU: 0 PID: 8469 Comm: syz-executor624 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 bitmap_from_arr32+0x199/0x1f0 lib/bitmap.c:1278
 ethnl_parse_bitset+0x448/0x7a0 net/ethtool/bitset.c:631
 ethnl_set_features+0x2ac/0xa70 net/ethtool/features.c:240
 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 sys_sendmsg+0x6e8/0x810 net/socket.c:2331
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2385
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2418
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440899
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 11 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7ffe5de83088 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 004002c8 RCX: 00440899
RDX:  RSI: 2440 RDI: 0003
RBP: 006cb018 R08:  R09: 004002c8
R10:  R11: 0246 R12: 00401e80
R13: 00401f10 R14:  R15: 


addr c9000151f5b0 is located in stack of task syz-executor624/8469 at offset 264 in frame:
 ethnl_set_features+0x0/0xa70 net/ethtool/features.c:58

this frame has 9 objects:
 [32, 40) 'reply_payload'
 [64, 80) 'req_info'
 [96, 104) 'wanted_diff_mask'
 [128, 136) 'active_diff_mask'
 [160, 168) 'old_active'
 [192, 200) 'old_wanted'
 [224, 232) 'new_active'
 [256, 264) 'req_wanted'
 [288, 296) 'req_mask'

Memory state around the buggy address:
 c9000151f480: 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 00 f2
 c9000151f500: f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2
>c9000151f580: f2 00 f2 f2 f2 00 f2 f2 f2 00 f3 f3 f3 00 00 00
 ^
 c9000151f600: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1
 c9000151f680: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 00 00
==


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
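The frame layout in the report above places the 8-byte write at offset 264, immediately past the local `req_wanted` at [256, 264), i.e. at the second word of a one-word bitmap. bitmap_from_arr32() stores DIV_ROUND_UP(nbits, 64) longs and trusts its caller that the destination is that large, so a caller that takes nbits from the message instead of from the destination's size spills onto the stack. The following is an added example, not code from the kernel, ethtool or syzbot: a userspace copy of the 64-bit bitmap_from_arr32() loop, a checked wrapper that bounds nbits by the destination's capacity, and a constructed frame with canary words so the spill is observable without a sanitizer. A 64-bit unsigned long is assumed, as on the x86_64 syzbot run; all inputs are constructed.

```c
/*
 * Added example, not kernel, ethtool or syzbot code. Userspace copy of the
 * 64-bit bitmap_from_arr32() loop plus a bounded wrapper. Assumes
 * sizeof(unsigned long) == 8; inputs below are constructed.
 */
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG (8 * sizeof(unsigned long))
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
#define BITMAP_LAST_WORD_MASK(nbits) (~0UL >> (-(nbits) & (BITS_PER_LONG - 1)))

/*
 * Same loop shape as the kernel helper: it stores DIV_ROUND_UP(nbits, 64)
 * longs through 'bitmap' and relies on the caller that they all exist.
 */
static void bitmap_from_arr32_unchecked(unsigned long *bitmap, const uint32_t *buf,
                                        unsigned int nbits)
{
    unsigned int i, halfwords = DIV_ROUND_UP(nbits, 32);

    for (i = 0; i < halfwords; i++) {
        bitmap[i / 2] = (unsigned long)buf[i];
        if (++i < halfwords)
            bitmap[i / 2] |= ((unsigned long)buf[i]) << 32;
    }
    /* Clear tail bits in the last word beyond nbits. */
    if (nbits % BITS_PER_LONG)
        bitmap[(halfwords - 1) / 2] &= BITMAP_LAST_WORD_MASK(nbits);
}

/*
 * Hardened caller: 'dest_bits' is the destination's capacity in bits.
 * Returns 0 on success, -1 if the source bitset would spill past it.
 */
static int bitmap_from_arr32_checked(unsigned long *bitmap, unsigned int dest_bits,
                                     const uint32_t *buf, unsigned int nbits)
{
    if (nbits > dest_bits)
        return -1;
    bitmap_from_arr32_unchecked(bitmap, buf, nbits);
    return 0;
}

/* Pack two 32-bit words into one long, keeping only the low nbits. */
static unsigned long pack64(uint32_t lo, uint32_t hi, unsigned int nbits)
{
    unsigned long out = 0;
    const uint32_t words[2] = { lo, hi };

    bitmap_from_arr32_unchecked(&out, words, nbits);
    return out;
}

/*
 * Model of the report's frame: a one-long bitmap followed by canary words,
 * all inside one array so the spill stays within defined behaviour.
 * Returns 1 if the word after the bitmap was clobbered, 0 if not,
 * -1 for nbits beyond what the four-long array can absorb.
 */
static int unchecked_spills(unsigned int nbits)
{
    const unsigned long canary = 0x5a5a5a5a5a5a5a5aUL;
    unsigned long frame[4] = { 0, canary, canary, canary };
    const uint32_t words[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };

    if (nbits > 256)
        return -1;
    bitmap_from_arr32_unchecked(frame, words, nbits);
    return frame[1] != canary;
}

/* Verdict of the checked wrapper for an nbits bitset into dest_bits of space. */
static int checked_copy_result(unsigned int dest_bits, unsigned int nbits)
{
    unsigned long dest[4] = { 0, 0, 0, 0 };
    const uint32_t words[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };

    if (dest_bits > 256 || nbits > 256)
        return -2;
    return bitmap_from_arr32_checked(dest, dest_bits, words, nbits);
}

int main(void)
{
    printf("pack64(0x80000001, 0x2, 64) = 0x%lx\n", pack64(0x80000001u, 0x2u, 64));
    printf("unchecked copy of 64 bits into one long spills: %d\n", unchecked_spills(64));
    printf("unchecked copy of 96 bits into one long spills: %d\n", unchecked_spills(96));
    printf("checked copy of 96 bits into 64: %d\n", checked_copy_result(64, 96));
    printf("checked copy of 96 bits into 128: %d\n", checked_copy_result(128, 96));
    return 0;
}
```

A 96-bit source against a one-long destination is exactly the shape of the report: the third 32-bit word lands in the word after `req_wanted`, which on the real stack is a KASAN redzone. The fix belongs in the caller, which must clamp nbits to the destination's size before the copy; the helper itself has no way to know how large `bitmap` is.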


UBSAN: array-index-out-of-bounds in ieee80211_del_key (2)

2020-11-30 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:aae5ab85 Merge tag 'riscv-for-linus-5.10-rc6' of git://git..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1496d35350
kernel config:  https://syzkaller.appspot.com/x/.config?x=cb8d1a3819ba4356
dashboard link: https://syzkaller.appspot.com/bug?extid=49d4cab497c2142ee170
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1440c58d50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1743351d50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+49d4cab497c2142ee...@syzkaller.appspotmail.com


UBSAN: array-index-out-of-bounds in net/mac80211/cfg.c:520:10
index 5 is out of range for type 'ieee80211_key *[4]'
CPU: 0 PID: 8535 Comm: syz-executor933 Not tainted 5.10.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:356
 ieee80211_del_key+0x3f6/0x440 net/mac80211/cfg.c:520
 rdev_del_key net/wireless/rdev-ops.h:107 [inline]
 nl80211_del_key+0x4b0/0x910 net/wireless/nl80211.c:4292
 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 sys_sendmsg+0x6e8/0x810 net/socket.c:2353
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x441ff9
Code: e8 ac 00 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7ffdb026c968 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 0003 RCX: 00441ff9
RDX:  RSI: 2300 RDI: 0003
RBP:  R08: 0021 R09: 0021
R10:  R11: 0246 R12: 0032
R13:  R14: 000c R15: 0004



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


WARNING: locking bug in ip6_datagram_connect

2020-12-01 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:d5beb314 Merge tag 'hyperv-fixes-signed' of git://git.kern..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15808bed50
kernel config:  https://syzkaller.appspot.com/x/.config?x=a31e7421a3bb7a0f
dashboard link: https://syzkaller.appspot.com/bug?extid=d3af95d2506e1511dcc1
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=15b5bfb950

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d3af95d2506e1511d...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 1 PID: 10853 at kernel/locking/lockdep.c:894 look_up_lock_class kernel/locking/lockdep.c:894 [inline]
WARNING: CPU: 1 PID: 10853 at kernel/locking/lockdep.c:894 register_lock_class+0x1fb/0x1100 kernel/locking/lockdep.c:1242
Modules linked in:
CPU: 1 PID: 10853 Comm: syz-executor.0 Not tainted 5.10.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:look_up_lock_class kernel/locking/lockdep.c:894 [inline]
RIP: 0010:register_lock_class+0x1fb/0x1100 kernel/locking/lockdep.c:1242
Code: 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 21 0d 00 00 4d 3b 67 18 74 0b 49 81 3f 80 51 4a 8e 74 02 <0f> 0b 85 ed 0f 84 20 01 00 00 f6 44 24 04 01 0f 85 15 01 00 00 83
RSP: 0018:c90002377a58 EFLAGS: 00010006
RAX: dc00 RBX: 19200046ef52 RCX: 8ef48920
RDX: 1110032d9217 RSI:  RDI: 8880196c90b8
RBP:  R08:  R09: 
R10:  R11:  R12: 8a42ad20
R13: 8fa9f980 R14: 8ec04d40 R15: 8880196c90a0
FS:  7f3808a81700() GS:8880b9f0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 004e0b50 CR3: 1cacf000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 __lock_acquire+0xff/0x5500 kernel/locking/lockdep.c:4711
 lock_acquire kernel/locking/lockdep.c:5437 [inline]
 lock_acquire+0x29d/0x740 kernel/locking/lockdep.c:5402
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 release_sock+0x1b/0x1b0 net/core/sock.c:3051
 ip6_datagram_connect+0x36/0x40 net/ipv6/datagram.c:273
 inet_dgram_connect+0x14a/0x2d0 net/ipv4/af_inet.c:577
 __sys_connect_file+0x155/0x1a0 net/socket.c:1852
 __sys_connect+0x161/0x190 net/socket.c:1869
 __do_sys_connect net/socket.c:1879 [inline]
 __se_sys_connect net/socket.c:1876 [inline]
 __x64_sys_connect+0x6f/0xb0 net/socket.c:1876
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45deb9
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f3808a80c78 EFLAGS: 0246 ORIG_RAX: 002a
RAX: ffda RBX: 2400 RCX: 0045deb9
RDX: 001c RSI: 2080 RDI: 0005
RBP: 0118c008 R08:  R09: 
R10:  R11: 0246 R12: 0118bfd4
R13: 7fff08fcd91f R14: 7f3808a819c0 R15: 0118bfd4


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


KASAN: global-out-of-bounds Read in lock_sock_nested

2020-12-01 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:d3d45f82 Merge tag 'pinctrl-v5.9-2' of git://git.kernel.or..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15e6bca390
kernel config:  https://syzkaller.appspot.com/x/.config?x=89ab6a0c48f30b49
dashboard link: https://syzkaller.appspot.com/bug?extid=92de81bbc21385b15723
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+92de81bbc21385b15...@syzkaller.appspotmail.com

==
BUG: KASAN: global-out-of-bounds in instrument_atomic_read include/linux/instrumented.h:56 [inline]
BUG: KASAN: global-out-of-bounds in test_bit include/asm-generic/bitops/instrumented-non-atomic.h:110 [inline]
BUG: KASAN: global-out-of-bounds in __lock_acquire+0xfa0/0x5780 kernel/locking/lockdep.c:4411
Read of size 8 at addr 890f9b18 by task kworker/1:0/17

CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.9.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
 instrument_atomic_read include/linux/instrumented.h:56 [inline]
 test_bit include/asm-generic/bitops/instrumented-non-atomic.h:110 [inline]
 __lock_acquire+0xfa0/0x5780 kernel/locking/lockdep.c:4411
 lock_acquire+0x1f3/0xaf0 kernel/locking/lockdep.c:5029
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 lock_sock_nested+0x3b/0x110 net/core/sock.c:3048
 l2cap_sock_teardown_cb+0x88/0x400 net/bluetooth/l2cap_sock.c:1520
 l2cap_chan_del+0xad/0x1300 net/bluetooth/l2cap_core.c:618
 l2cap_chan_close+0x118/0xb10 net/bluetooth/l2cap_core.c:823
 l2cap_chan_timeout+0x173/0x450 net/bluetooth/l2cap_core.c:436
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the variable:
 rtl8150_table+0x9f8/0x26e0

Memory state around the buggy address:
 890f9a00: 00 05 f9 f9 f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9
 890f9a80: 00 00 05 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
>890f9b00: 00 00 07 f9 f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9
^
 890f9b80: 00 00 07 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
 890f9c00: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 03 f9 f9 f9 f9
==


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
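Two of the KASAN reports above end with a "Memory state around the buggy address" dump. Each shadow byte covers 8 bytes of memory, so the byte that explains a fault is at index (addr - row_base) / 8 within the marked row; the extraction dropped the caret column here, so computing the index from the addresses is the reliable way to read it. The following is an added example, not kernel or syzkaller code: a small decoder that parses a shadow row, picks the byte covering a given address, and names it using the generic-KASAN shadow values of the 5.x kernels (0x00 addressable, 0x01-0x07 partially addressable, 0xf1/0xf2/0xf3 stack left/mid/right redzone, 0xf9 global redzone, 0xfb freed slab object, 0xfc slab redzone). The two rows are copied from the bitmap_from_arr32 report and the lock_sock_nested global-out-of-bounds report above, with the 0xffff address prefixes that the extraction stripped restored as an assumption.

```c
/*
 * Added example, not kernel or syzkaller code: decode the shadow byte that
 * covers a faulting address in a KASAN "Memory state" row. Shadow values
 * follow generic KASAN in the 5.x kernels; rows are constructed copies of
 * two reports on this page with 0xffff prefixes restored (assumption).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_SHADOW_SCALE 8   /* one shadow byte per 8 bytes of memory */

/* bitmap_from_arr32 report: write of size 8 at ...f5b0, stack frame of ethnl_set_features. */
static const char ROW_ETHNL_FEATURES[] =
    ">ffffc9000151f580: f2 00 f2 f2 f2 00 f2 f2 f2 00 f3 f3 f3 00 00 00";
static const uint64_t ADDR_ETHNL_FEATURES = 0xffffc9000151f5b0ULL;

/* lock_sock_nested report: read of size 8 at ...9b18, inside rtl8150_table's neighbourhood. */
static const char ROW_L2CAP_GLOBAL[] =
    ">ffffffff890f9b00: 00 00 07 f9 f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9";
static const uint64_t ADDR_L2CAP_GLOBAL = 0xffffffff890f9b18ULL;

static const char *shadow_meaning(int sb)
{
    if (sb == 0x00)
        return "addressable";
    if (sb >= 0x01 && sb <= 0x07)
        return "partially addressable (only the first N bytes of the 8 are valid)";
    switch (sb) {
    case 0xF1: return "stack left redzone";
    case 0xF2: return "stack mid redzone (between two locals)";
    case 0xF3: return "stack right redzone";
    case 0xF9: return "global variable redzone";
    case 0xFB: return "freed slab object";
    case 0xFC: return "slab object redzone";
    default:   return "other/unknown";
    }
}

/*
 * Parse "[>]<base>: b0 b1 ... b15" and return the shadow byte covering addr,
 * or -1 if the row is malformed or does not cover addr.
 */
static int shadow_byte_for(const char *row, uint64_t addr)
{
    char *end;
    uint64_t base;
    uint8_t bytes[16];
    int n = 0;

    while (*row == '>' || *row == ' ')
        row++;
    base = strtoull(row, &end, 16);
    if (end == row || *end != ':')
        return -1;
    end++;
    while (n < 16) {
        char *next;
        unsigned long v = strtoul(end, &next, 16);
        if (next == end)           /* no more hex bytes on this row */
            break;
        bytes[n++] = (uint8_t)v;
        end = next;
    }
    if (n == 0 || addr < base || addr >= base + (uint64_t)n * KASAN_SHADOW_SCALE)
        return -1;
    return bytes[(addr - base) / KASAN_SHADOW_SCALE];
}

int main(void)
{
    int sb;

    sb = shadow_byte_for(ROW_ETHNL_FEATURES, ADDR_ETHNL_FEATURES);
    printf("ethnl_set_features frame: shadow 0x%02x = %s\n", sb, shadow_meaning(sb));
    sb = shadow_byte_for(ROW_L2CAP_GLOBAL, ADDR_L2CAP_GLOBAL);
    printf("rtl8150_table region: shadow 0x%02x = %s\n", sb, shadow_meaning(sb));
    return 0;
}
```

For the ethtool report the decoded byte is 0xf2, the redzone between `req_wanted` [256, 264) and `req_mask` [288, 296), which agrees with "Write of size 8 ... at offset 264 in frame"; for the Bluetooth report it is 0xf9, a global redzone, which agrees with KASAN attributing the address to `rtl8150_table`. When the byte under the fault decodes as 0x00, as in the out-of-bounds report in lock_sock_nested that follows, the shadow state at print time does not explain the access on its own and the allocation and call_rcu stacks in the report are the better lead.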


KASAN: out-of-bounds Read in lock_sock_nested

2020-12-01 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:fb3158ea Merge branch 'add-chacha20-poly1305-cipher-to-ker..
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=159594e950
kernel config:  https://syzkaller.appspot.com/x/.config?x=df65150a33f23d8c
dashboard link: https://syzkaller.appspot.com/bug?extid=664818c59309176d03ee
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+664818c59309176d0...@syzkaller.appspotmail.com

==
BUG: KASAN: out-of-bounds in __lock_acquire+0x400f/0x5c00 kernel/locking/lockdep.c:4700
Read of size 8 at addr 8880687ab0a0 by task kworker/1:4/9766

CPU: 1 PID: 9766 Comm: kworker/1:4 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 __lock_acquire+0x400f/0x5c00 kernel/locking/lockdep.c:4700
 lock_acquire kernel/locking/lockdep.c:5435 [inline]
 lock_acquire+0x2a3/0x8c0 kernel/locking/lockdep.c:5400
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 lock_sock_nested+0x3b/0x110 net/core/sock.c:3036
 l2cap_sock_teardown_cb+0xa1/0x660 net/bluetooth/l2cap_sock.c:1520
 l2cap_chan_del+0xbc/0xa80 net/bluetooth/l2cap_core.c:618
 l2cap_chan_close+0x1bc/0xaf0 net/bluetooth/l2cap_core.c:823
 l2cap_chan_timeout+0x17e/0x2f0 net/bluetooth/l2cap_core.c:436
 process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x3af/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Allocated by task 21553:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461
 kmalloc include/linux/slab.h:557 [inline]
 sk_prot_alloc+0x17a/0x300 net/core/sock.c:1666
 sk_alloc+0x32/0xbd0 net/core/sock.c:1720
 __netlink_create+0x63/0x340 net/netlink/af_netlink.c:630
 netlink_create+0x3a1/0x5d0 net/netlink/af_netlink.c:693
 __sock_create+0x3de/0x780 net/socket.c:1405
 sock_create net/socket.c:1456 [inline]
 __sys_socket+0xef/0x200 net/socket.c:1498
 __do_sys_socket net/socket.c:1507 [inline]
 __se_sys_socket net/socket.c:1505 [inline]
 __x64_sys_socket+0x6f/0xb0 net/socket.c:1505
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Last call_rcu():
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_record_aux_stack+0xc0/0xf0 mm/kasan/generic.c:346
 __call_rcu kernel/rcu/tree.c:2953 [inline]
 call_rcu+0xbb/0x700 kernel/rcu/tree.c:3027
 netlink_release+0xd43/0x1cf0 net/netlink/af_netlink.c:802
 __sock_release+0xcd/0x280 net/socket.c:596
 sock_close+0x18/0x20 net/socket.c:1255
 __fput+0x285/0x920 fs/file_table.c:281
 task_work_run+0xdd/0x190 kernel/task_work.c:151
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:164 [inline]
 exit_to_user_mode_prepare+0x17e/0x1a0 kernel/entry/common.c:191
 syscall_exit_to_user_mode+0x38/0x260 kernel/entry/common.c:266
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at 8880687ab000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 160 bytes inside of
 2048-byte region [8880687ab000, 8880687ab800)
The buggy address belongs to the page:
page:f09df1cc refcount:1 mapcount:0 mapping: index:0x0 pfn:0x687a8
head:f09df1cc order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff0010200(slab|head)
raw: 00fff0010200 dead0100 dead0122 888010042000
raw:  00080008 0001 
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8880687aaf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 8880687ab000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>8880687ab080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   ^
 8880687ab100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 8880687ab180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reac

Re: KMSAN: uninit-value in validate_beacon_head

2020-12-02 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:73d62e81 kmsan: random: prevent boot-time reports in _mix_..
git tree:   https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=153d460750
kernel config:  https://syzkaller.appspot.com/x/.config?x=eef728deea880383
dashboard link: https://syzkaller.appspot.com/bug?extid=72b99dcf4607e8c770f3
compiler:   clang version 11.0.0 (https://github.com/llvm/llvm-project.git ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=14c1cec350
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=160b6cd350

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+72b99dcf4607e8c77...@syzkaller.appspotmail.com

=
BUG: KMSAN: uninit-value in validate_beacon_head+0x51e/0x5c0 net/wireless/nl80211.c:225
CPU: 0 PID: 8275 Comm: syz-executor237 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
 validate_beacon_head+0x51e/0x5c0 net/wireless/nl80211.c:225
 validate_nla lib/nlattr.c:544 [inline]
 __nla_validate_parse+0x241a/0x4e00 lib/nlattr.c:588
 __nla_parse+0x141/0x150 lib/nlattr.c:685
 __nlmsg_parse include/net/netlink.h:733 [inline]
 nlmsg_parse_deprecated include/net/netlink.h:772 [inline]
 nl80211_prepare_wdev_dump+0x6fd/0xbb0 net/wireless/nl80211.c:891
 nl80211_dump_station+0x143/0x740 net/wireless/nl80211.c:5810
 netlink_dump+0xb92/0x1670 net/netlink/af_netlink.c:2268
 __netlink_dump_start+0xcf1/0xea0 net/netlink/af_netlink.c:2373
 genl_family_rcv_msg_dumpit net/netlink/genetlink.c:697 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:780 [inline]
 genl_rcv_msg+0xff0/0x1610 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x70a/0x820 net/netlink/af_netlink.c:2494
 genl_rcv+0x63/0x80 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x11da/0x14b0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x173c/0x1840 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg net/socket.c:671 [inline]
 sys_sendmsg+0xc7a/0x1240 net/socket.c:2353
 ___sys_sendmsg net/socket.c:2407 [inline]
 __sys_sendmsg+0x6d5/0x830 net/socket.c:2440
 __do_sys_sendmsg net/socket.c:2449 [inline]
 __se_sys_sendmsg+0x97/0xb0 net/socket.c:2447
 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2447
 do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4418a9
Code: e8 fc a9 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7ffe906479e8 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX:  RCX: 004418a9
RDX:  RSI: 20c0 RDI: 0003
RBP: 006cc018 R08:  R09: 004002c8
R10:  R11: 0246 R12: 00402430
R13: 004024c0 R14:  R15: 

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]
 kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104
 kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76
 slab_alloc_node mm/slub.c:2906 [inline]
 __kmalloc_node_track_caller+0xc61/0x15f0 mm/slub.c:4512
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 __alloc_skb+0x309/0xae0 net/core/skbuff.c:210
 alloc_skb include/linux/skbuff.h:1094 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]
 netlink_sendmsg+0xdb8/0x1840 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg net/socket.c:671 [inline]
 sys_sendmsg+0xc7a/0x1240 net/socket.c:2353
 ___sys_sendmsg net/socket.c:2407 [inline]
 __sys_sendmsg+0x6d5/0x830 net/socket.c:2440
 __do_sys_sendmsg net/socket.c:2449 [inline]
 __se_sys_sendmsg+0x97/0xb0 net/socket.c:2447
 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2447
 do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
=



Re: KMSAN: uninit-value in __skb_checksum_complete (5)

2020-12-02 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:73d62e81 kmsan: random: prevent boot-time reports in _mix_..
git tree:   https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=13bd460750
kernel config:  https://syzkaller.appspot.com/x/.config?x=eef728deea880383
dashboard link: https://syzkaller.appspot.com/bug?extid=b024befb3ca7990fea37
compiler:   clang version 11.0.0 (https://github.com/llvm/llvm-project.git ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=126c837950
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17cdf7b550

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b024befb3ca7990fe...@syzkaller.appspotmail.com

=
BUG: KMSAN: uninit-value in __skb_checksum_complete+0x421/0x630 net/core/skbuff.c:2846
CPU: 0 PID: 497 Comm: kworker/u4:11 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
 __skb_checksum_complete+0x421/0x630 net/core/skbuff.c:2846
 __skb_checksum_validate_complete include/linux/skbuff.h:4014 [inline]
 icmp_rcv+0x94b/0x1d70 net/ipv4/icmp.c:1081
 ip_protocol_deliver_rcu+0x572/0xc50 net/ipv4/ip_input.c:204
 ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_local_deliver+0x583/0x8d0 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:449 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:428 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_rcv+0x5c3/0x840 net/ipv4/ip_input.c:539
 __netif_receive_skb_one_core net/core/dev.c:5315 [inline]
 __netif_receive_skb+0x1ec/0x640 net/core/dev.c:5429
 process_backlog+0x523/0xc10 net/core/dev.c:6319
 napi_poll+0x420/0x1010 net/core/dev.c:6763
 net_rx_action+0x35c/0xd40 net/core/dev.c:6833
 __do_softirq+0x1a9/0x6fa kernel/softirq.c:298
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x6e/0x90 arch/x86/kernel/irq_64.c:77
 do_softirq kernel/softirq.c:343 [inline]
 __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:195
 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
 rcu_read_unlock_bh include/linux/rcupdate.h:730 [inline]
 __dev_queue_xmit+0x3a9b/0x4520 net/core/dev.c:4167
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:4173
 batadv_send_skb_packet+0x622/0x970 net/batman-adv/send.c:108
 batadv_send_broadcast_skb+0x76/0x90 net/batman-adv/send.c:127
 batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:394 [inline]
 batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline]
 batadv_iv_send_outstanding_bat_ogm_packet+0xb3a/0xf00 net/batman-adv/bat_iv_ogm.c:1712
 process_one_work+0x121c/0x1fc0 kernel/workqueue.c:2272
 worker_thread+0x10cc/0x2740 kernel/workqueue.c:2418
 kthread+0x51c/0x560 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:289
 kmsan_memcpy_memmove_metadata+0x25e/0x2d0 mm/kmsan/kmsan.c:226
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:246
 __msan_memcpy+0x46/0x60 mm/kmsan/kmsan_instr.c:110
 csum_partial_copy_nocheck include/net/checksum.h:51 [inline]
 skb_copy_and_csum_bits+0x23e/0x13e0 net/core/skbuff.c:2733
 icmp_glue_bits+0x155/0x400 net/ipv4/icmp.c:356
 __ip_append_data+0x4f8e/0x6210 net/ipv4/ip_output.c:1139
 ip_append_data+0x326/0x490 net/ipv4/ip_output.c:1323
 icmp_push_reply+0x1f8/0x810 net/ipv4/icmp.c:374
 __icmp_send+0x2a98/0x3a90 net/ipv4/icmp.c:762
 icmp_send include/net/icmp.h:43 [inline]
 __udp4_lib_rcv+0x421f/0x5880 net/ipv4/udp.c:2405
 udp_rcv+0x5c/0x70 net/ipv4/udp.c:2564
 ip_protocol_deliver_rcu+0x572/0xc50 net/ipv4/ip_input.c:204
 ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_local_deliver+0x583/0x8d0 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:449 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:428 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_rcv+0x5c3/0x840 net/ipv4/ip_input.c:539
 __netif_receive_skb_one_core net/core/dev.c:5315 [inline]
 __netif_receive_skb+0x1ec/0x640 net/core/dev.c:5429
 process_backlog+0x523/0xc10 net/core/dev.c:6319
 napi_poll+0x420/0x1010 net/core/dev.c:6763
 net_rx_action+0x35c/0xd40 net/core/dev.c:6833
 __do_softirq+0x1a9/0x6fa kernel/softirq.c:298

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline

Re: WARNING in ieee80211_ibss_csa_beacon

2020-12-04 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:e87297fa Merge tag 'drm-fixes-2020-12-04' of git://anongit..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1412f61750
kernel config:  https://syzkaller.appspot.com/x/.config?x=e49433cfed49b7d9
dashboard link: https://syzkaller.appspot.com/bug?extid=b6c9fe29aefe68e4ad34
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1513183750
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14550ecf50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b6c9fe29aefe68e4a...@syzkaller.appspotmail.com

wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
------------[ cut here ]------------
WARNING: CPU: 0 PID: 21 at net/mac80211/ibss.c:504 ieee80211_ibss_csa_beacon+0x5ec/0x730 net/mac80211/ibss.c:504
Modules linked in:
CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 5.10.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: phy10 ieee80211_csa_finalize_work
RIP: 0010:ieee80211_ibss_csa_beacon+0x5ec/0x730 net/mac80211/ibss.c:504
Call Trace:
 ieee80211_set_after_csa_beacon net/mac80211/cfg.c:3133 [inline]
 __ieee80211_csa_finalize+0x504/0xbf0 net/mac80211/cfg.c:3189
 ieee80211_csa_finalize net/mac80211/cfg.c:3212 [inline]
 ieee80211_csa_finalize_work+0x131/0x170 net/mac80211/cfg.c:3237
 process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296



Re: WARNING in __cfg80211_ibss_joined (2)

2020-12-06 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:7059c2c0 Merge branch 'for-linus' of git://git.kernel.org/..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11a1199b50
kernel config:  https://syzkaller.appspot.com/x/.config?x=e49433cfed49b7d9
dashboard link: https://syzkaller.appspot.com/bug?extid=7f064ba1704c2466e36d
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=146ff2ef50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=105d68df50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7f064ba1704c2466e...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 9804 at net/wireless/ibss.c:36 __cfg80211_ibss_joined+0x487/0x520 net/wireless/ibss.c:36
Modules linked in:
CPU: 1 PID: 9804 Comm: kworker/u4:6 Not tainted 5.10.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: cfg80211 cfg80211_event_work
RIP: 0010:__cfg80211_ibss_joined+0x487/0x520 net/wireless/ibss.c:36
Call Trace:
 cfg80211_process_wdev_events+0x3de/0x5b0 net/wireless/util.c:942
 cfg80211_process_rdev_events+0x6e/0x100 net/wireless/util.c:968
 cfg80211_event_work+0x1a/0x20 net/wireless/core.c:322
 process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296



BUG: unable to handle kernel paging request in bpf_lru_populate

2020-12-07 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:bcd684aa net/nfc/nci: Support NCI 2.x initial sequence
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12001bd350
kernel config:  https://syzkaller.appspot.com/x/.config?x=3cb098ab0334059f
dashboard link: https://syzkaller.appspot.com/bug?extid=ec2234240c96fdd26b93
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=11f7f2ef50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=103833f750

The issue was bisected to:

commit b93ef089d35c3386dd197e85afb6399bbd54cfb3
Author: Martin KaFai Lau 
Date:   Mon Nov 16 20:01:13 2020 +0000

bpf: Fix the irq and nmi check in bpf_sk_storage for tracing usage

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1103b83750
final oops: https://syzkaller.appspot.com/x/report.txt?x=1303b83750
console output: https://syzkaller.appspot.com/x/log.txt?x=1503b83750

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ec2234240c96fdd26...@syzkaller.appspotmail.com
Fixes: b93ef089d35c ("bpf: Fix the irq and nmi check in bpf_sk_storage for tracing usage")

BUG: unable to handle page fault for address: fffff5200471266c
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 23fff2067 P4D 23fff2067 PUD 101a4067 PMD 32e3a067 PTE 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8503 Comm: syz-executor608 Not tainted 5.10.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:bpf_common_lru_populate kernel/bpf/bpf_lru_list.c:569 [inline]
RIP: 0010:bpf_lru_populate+0xd8/0x5e0 kernel/bpf/bpf_lru_list.c:614
Call Trace:
 prealloc_init kernel/bpf/hashtab.c:319 [inline]
 htab_map_alloc+0xf6e/0x1230 kernel/bpf/hashtab.c:507
 find_and_alloc_map kernel/bpf/syscall.c:123 [inline]
 map_create kernel/bpf/syscall.c:829 [inline]
 __do_sys_bpf+0xa81/0x5170 kernel/bpf/syscall.c:4374
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
Modules linked in:
CR2: fffff5200471266c
---[ end trace 4f3928bacde7b3ed ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@go

WARNING: ODEBUG bug in slave_kobj_release

2020-12-07 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:34816d20 Merge tag 'gfs2-v5.10-rc5-fixes' of git://git.ker..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=153f779d50
kernel config:  https://syzkaller.appspot.com/x/.config?x=e49433cfed49b7d9
dashboard link: https://syzkaller.appspot.com/bug?extid=7bce4c2f7e1768ec3fe0
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7bce4c2f7e1768ec3...@syzkaller.appspotmail.com

kobject_add_internal failed for bonding_slave (error: -12 parent: veth213)
------------[ cut here ]------------
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: 0x0
WARNING: CPU: 1 PID: 22707 at lib/debugobjects.c:505 debug_print_object+0x16e/0x250 lib/debugobjects.c:505
Modules linked in:
CPU: 1 PID: 22707 Comm: syz-executor.4 Not tainted 5.10.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:505
Call Trace:
 debug_object_assert_init lib/debugobjects.c:890 [inline]
 debug_object_assert_init+0x1f4/0x2e0 lib/debugobjects.c:861
 debug_timer_assert_init kernel/time/timer.c:737 [inline]
 debug_assert_init kernel/time/timer.c:782 [inline]
 del_timer+0x6d/0x110 kernel/time/timer.c:1202
 try_to_grab_pending+0x6d/0xd0 kernel/workqueue.c:1252
 __cancel_work_timer+0xa6/0x520 kernel/workqueue.c:3095
 slave_kobj_release+0x48/0xe0 drivers/net/bonding/bond_main.c:1468
 kobject_cleanup lib/kobject.c:705 [inline]
 kobject_release lib/kobject.c:736 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1c8/0x540 lib/kobject.c:753
 bond_kobj_init drivers/net/bonding/bond_main.c:1489 [inline]
 bond_alloc_slave drivers/net/bonding/bond_main.c:1506 [inline]
 bond_enslave+0x2488/0x4bf0 drivers/net/bonding/bond_main.c:1708
 do_set_master+0x1c8/0x220 net/core/rtnetlink.c:2517
 do_setlink+0x911/0x3a70 net/core/rtnetlink.c:2713
 __rtnl_newlink+0xc1c/0x1740 net/core/rtnetlink.c:3374
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3500
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5562
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 sys_sendmsg+0x6e8/0x810 net/socket.c:2353
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9




KASAN: use-after-free Read in ieee80211_ibss_build_presp

2020-12-07 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:e87297fa Merge tag 'drm-fixes-2020-12-04' of git://anongit..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=144035d350
kernel config:  https://syzkaller.appspot.com/x/.config?x=e49433cfed49b7d9
dashboard link: https://syzkaller.appspot.com/bug?extid=cd25350b5fe5b8ed143c
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=107ebd4550
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17ef29bb50

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1410d2ef50
final oops: https://syzkaller.appspot.com/x/report.txt?x=1610d2ef50
console output: https://syzkaller.appspot.com/x/log.txt?x=1210d2ef50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cd25350b5fe5b8ed1...@syzkaller.appspotmail.com

wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:399 [inline]
BUG: KASAN: use-after-free in ieee80211_ibss_build_presp+0x10be/0x15f0 net/mac80211/ibss.c:171
Read of size 4 at addr ffff888014132cf8 by task kworker/u4:7/1428

CPU: 1 PID: 1428 Comm: kworker/u4:7 Not tainted 5.10.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: phy0 ieee80211_iface_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
 memcpy+0x20/0x60 mm/kasan/common.c:105
 memcpy include/linux/string.h:399 [inline]
 ieee80211_ibss_build_presp+0x10be/0x15f0 net/mac80211/ibss.c:171
 __ieee80211_sta_join_ibss+0x685/0x17f0 net/mac80211/ibss.c:317
 ieee80211_sta_create_ibss.cold+0xc9/0x116 net/mac80211/ibss.c:1354
 ieee80211_sta_find_ibss net/mac80211/ibss.c:1484 [inline]
 ieee80211_ibss_work.cold+0x30e/0x60f net/mac80211/ibss.c:1708
 ieee80211_iface_work+0x82e/0x970 net/mac80211/iface.c:1476
 process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Allocated by task 8545:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461
 slab_post_alloc_hook mm/slab.h:526 [inline]
 slab_alloc_node mm/slub.c:2891 [inline]
 slab_alloc mm/slub.c:2899 [inline]
 __kmalloc_track_caller+0x1dc/0x3d0 mm/slub.c:4464
 kmemdup+0x23/0x50 mm/util.c:128
 kmemdup include/linux/string.h:472 [inline]
 ieee80211_ibss_join+0x861/0xf30 net/mac80211/ibss.c:1824
 rdev_join_ibss net/wireless/rdev-ops.h:535 [inline]
 __cfg80211_join_ibss+0x78c/0x1170 net/wireless/ibss.c:144
 nl80211_join_ibss+0xcbb/0x12b0 net/wireless/nl80211.c:10151
 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 sys_sendmsg+0x6e8/0x810 net/socket.c:2353
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 8549:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0x102/0x140 mm/kasan/common.c:422
 slab_free_hook mm/slub.c:1544 [inline]
 slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1577
 slab_free mm/slub.c:3142 [inline]
 kfree+0xdb/0x360 mm/slub.c:4124
 ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876
 rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline]
 __cfg80211_leave_ibss+0x19a/0x4c0 net/wireless/ibss.c:212
 cfg80211_leave_ibss+0x57/0x80 net/wireless/ibss.c:230
 cfg80211_change_iface+0x855/0xef0 net/wireless/util.c:1012
 nl80211_set_interface+0x65c/0x8d0 net/wireless/nl80211.c:3789
 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
 genl_family_rcv_msg net/netlink/genet

KASAN: vmalloc-out-of-bounds Write in pcpu_freelist_populate

2020-12-07 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:34da8721 selftests/bpf: Test bpf_sk_storage_get in tcp ite..
git tree:   bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=10c3b83750
kernel config:  https://syzkaller.appspot.com/x/.config?x=3cb098ab0334059f
dashboard link: https://syzkaller.appspot.com/bug?extid=942085bfb8f7a276af1c
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+942085bfb8f7a276a...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in pcpu_freelist_push_node kernel/bpf/percpu_freelist.c:33 [inline]
BUG: KASAN: vmalloc-out-of-bounds in pcpu_freelist_populate+0x1fe/0x260 kernel/bpf/percpu_freelist.c:114
Write of size 8 at addr ffffc90119e78020 by task syz-executor.4/27988

CPU: 1 PID: 27988 Comm: syz-executor.4 Not tainted 5.10.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 pcpu_freelist_push_node kernel/bpf/percpu_freelist.c:33 [inline]
 pcpu_freelist_populate+0x1fe/0x260 kernel/bpf/percpu_freelist.c:114
 prealloc_init kernel/bpf/hashtab.c:323 [inline]
 htab_map_alloc+0x981/0x1230 kernel/bpf/hashtab.c:507
 find_and_alloc_map kernel/bpf/syscall.c:123 [inline]
 map_create kernel/bpf/syscall.c:829 [inline]
 __do_sys_bpf+0xa81/0x5170 kernel/bpf/syscall.c:4374
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9


Memory state around the buggy address:
 ffffc90119e77f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90119e77f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90119e78000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                               ^
 ffffc90119e78080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90119e78100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================




general protection fault in hci_chan_del

2020-12-07 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:b3298500 Merge tag 'for-5.10/dm-fixes' of git://git.kernel..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=144f0bf750
kernel config:  https://syzkaller.appspot.com/x/.config?x=e49433cfed49b7d9
dashboard link: https://syzkaller.appspot.com/bug?extid=4c574753a325a601326c
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4c574753a325a6013...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000b00: 0000 [#1] PREEMPT SMP KASAN
KASAN: probably user-memory-access in range [0x0000000000005800-0x0000000000005807]
CPU: 1 PID: 30846 Comm: syz-executor.1 Not tainted 5.10.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_del_entry_valid+0x81/0xf0 lib/list_debug.c:51
Call Trace:
 __list_del_entry include/linux/list.h:132 [inline]
 list_del_rcu include/linux/rculist.h:166 [inline]
 hci_chan_del+0x4e/0x200 net/bluetooth/hci_conn.c:1733
 l2cap_conn_del+0x478/0x7b0 net/bluetooth/l2cap_core.c:1900
 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:8161 [inline]
 l2cap_disconn_cfm+0x98/0xd0 net/bluetooth/l2cap_core.c:8154
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1441 [inline]
 hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1557
 hci_dev_do_close+0x569/0x1110 net/bluetooth/hci_core.c:1770
 hci_rfkill_set_block+0x19c/0x1d0 net/bluetooth/hci_core.c:2209
 rfkill_set_block+0x1f9/0x540 net/rfkill/core.c:341
 rfkill_fop_write+0x267/0x500 net/rfkill/core.c:1240
 vfs_write+0x28e/0xa30 fs/read_write.c:603
 ksys_write+0x1ee/0x250 fs/read_write.c:658
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
Modules linked in:
---[ end trace 8aa7b596113f27d8 ]---




BUG: unable to handle kernel paging request in smc_nl_handle_smcr_dev

2020-12-08 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:b1f7b098 Merge branch 's390-qeth-next'
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=164d246b50
kernel config:  https://syzkaller.appspot.com/x/.config?x=2ac2dabe250b3a58
dashboard link: https://syzkaller.appspot.com/bug?extid=600fef7c414ee7e2d71b
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+600fef7c414ee7e2d...@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: ffffffffffffff84
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD b08f067 P4D b08f067 PUD b091067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 21334 Comm: syz-executor.1 Not tainted 5.10.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:smc_set_pci_values net/smc/smc_core.h:396 [inline]
RIP: 0010:smc_nl_handle_smcr_dev.isra.0+0x4bd/0x11b0 net/smc/smc_ib.c:422
Call Trace:
 smc_nl_prep_smcr_dev net/smc/smc_ib.c:469 [inline]
 smcr_nl_get_device+0xdf/0x1f0 net/smc/smc_ib.c:481
 genl_lock_dumpit+0x60/0x90 net/netlink/genetlink.c:623
 netlink_dump+0x4b9/0xb70 net/netlink/af_netlink.c:2268
 __netlink_dump_start+0x642/0x900 net/netlink/af_netlink.c:2373
 genl_family_rcv_msg_dumpit+0x2af/0x310 net/netlink/genetlink.c:686
 genl_family_rcv_msg net/netlink/genetlink.c:780 [inline]
 genl_rcv_msg+0x434/0x580 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 sys_sendmsg+0x6e8/0x810 net/socket.c:2331
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2385
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2418
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
Modules linked in:
CR2: ffffffffffffff84
---[ end trace 7323b30ca37a03b9 ]---



KMSAN: uninit-value in smsc95xx_wait_eeprom (2)

2020-12-08 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:73d62e81 kmsan: random: prevent boot-time reports in _mix_..
git tree:   https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=178d246b50
kernel config:  https://syzkaller.appspot.com/x/.config?x=eef728deea880383
dashboard link: https://syzkaller.appspot.com/bug?extid=94b1393490c2c70b781b
compiler:   clang version 11.0.0 (https://github.com/llvm/llvm-project.git ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+94b1393490c2c70b7...@syzkaller.appspotmail.com

=================================================================
BUG: KMSAN: uninit-value in smsc95xx_wait_eeprom+0x223/0x3e0 drivers/net/usb/smsc95xx.c:303
CPU: 1 PID: 28836 Comm: kworker/1:1 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
 smsc95xx_wait_eeprom+0x223/0x3e0 drivers/net/usb/smsc95xx.c:303
 smsc95xx_read_eeprom+0x46d/0xa10 drivers/net/usb/smsc95xx.c:360
 smsc95xx_init_mac_address drivers/net/usb/smsc95xx.c:769 [inline]
 smsc95xx_bind+0x811/0x1d30 drivers/net/usb/smsc95xx.c:1090
 usbnet_probe+0x1169/0x3e90 drivers/net/usb/usbnet.c:1712
 usb_probe_interface+0xfcc/0x1520 drivers/usb/core/driver.c:396
 really_probe+0xebd/0x2420 drivers/base/dd.c:558
 driver_probe_device+0x293/0x390 drivers/base/dd.c:738
 __device_attach_driver+0x63f/0x830 drivers/base/dd.c:844
 bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431
 __device_attach+0x538/0x860 drivers/base/dd.c:912
 device_initial_probe+0x4a/0x60 drivers/base/dd.c:959
 bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491
 device_add+0x399e/0x3f20 drivers/base/core.c:2936
 usb_set_configuration+0x39cf/0x4010 drivers/usb/core/message.c:2159
 usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:238
 usb_probe_device+0x317/0x570 drivers/usb/core/driver.c:293
 really_probe+0xebd/0x2420 drivers/base/dd.c:558
 driver_probe_device+0x293/0x390 drivers/base/dd.c:738
 __device_attach_driver+0x63f/0x830 drivers/base/dd.c:844
 bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431
 __device_attach+0x538/0x860 drivers/base/dd.c:912
 device_initial_probe+0x4a/0x60 drivers/base/dd.c:959
 bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491
 device_add+0x399e/0x3f20 drivers/base/core.c:2936
 usb_new_device+0x1bd6/0x2a30 drivers/usb/core/hub.c:2554
 hub_port_connect drivers/usb/core/hub.c:5222 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5362 [inline]
 port_event drivers/usb/core/hub.c:5508 [inline]
 hub_event+0x5bc9/0x8890 drivers/usb/core/hub.c:5590
 process_one_work+0x121c/0x1fc0 kernel/workqueue.c:2272
 worker_thread+0x10cc/0x2740 kernel/workqueue.c:2418
 kthread+0x51c/0x560 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Local variable buf.i.i@smsc95xx_wait_eeprom created at:
 __smsc95xx_read_reg drivers/net/usb/smsc95xx.c:77 [inline]
 smsc95xx_read_reg drivers/net/usb/smsc95xx.c:141 [inline]
 smsc95xx_wait_eeprom+0x9d/0x3e0 drivers/net/usb/smsc95xx.c:297
 __smsc95xx_read_reg drivers/net/usb/smsc95xx.c:77 [inline]
 smsc95xx_read_reg drivers/net/usb/smsc95xx.c:141 [inline]
 smsc95xx_wait_eeprom+0x9d/0x3e0 drivers/net/usb/smsc95xx.c:297
=


memory leak in pcan_usb_pro_init

2020-12-08 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:0477e928 Linux 5.10-rc7
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14ef3f4550
kernel config:  https://syzkaller.appspot.com/x/.config?x=4305fa9ea70c7a9f
dashboard link: https://syzkaller.appspot.com/bug?extid=215ecdbae76bb8c36b7e
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1207c05b50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10b7b61350

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+215ecdbae76bb8c36...@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0x888110d22380 (size 96):
  comm "kworker/0:3", pid 4912, jiffies 4294942219 (age 8.820s)
  hex dump (first 32 bytes):
40 89 17 12 81 88 ff ff 00 00 00 00 00 00 00 00  @...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  backtrace:
[<706edd19>] kmalloc include/linux/slab.h:552 [inline]
[<706edd19>] kzalloc include/linux/slab.h:664 [inline]
[<706edd19>] pcan_usb_pro_init+0x120/0x280 
drivers/net/can/usb/peak_usb/pcan_usb_pro.c:856
[<25ad9e43>] peak_usb_create_dev 
drivers/net/can/usb/peak_usb/pcan_usb_core.c:850 [inline]
[<25ad9e43>] peak_usb_probe+0x389/0x490 
drivers/net/can/usb/peak_usb/pcan_usb_core.c:948
[<64acbdae>] usb_probe_interface+0x177/0x370 
drivers/usb/core/driver.c:396
[<32f135d3>] really_probe+0x159/0x480 drivers/base/dd.c:554
[<e1ce8490>] driver_probe_device+0x84/0x100 drivers/base/dd.c:738
[<bfd26436>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:844
[<cc4dd83e>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431
[<f1b1aa05>] __device_attach+0x122/0x250 drivers/base/dd.c:912
[<34abf9f3>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491
[<ade05bb4>] device_add+0x5ac/0xc30 drivers/base/core.c:2936
[<a596bcb5>] usb_set_configuration+0x9de/0xb90 
drivers/usb/core/message.c:2159
[<08726818>] usb_generic_driver_probe+0x8c/0xc0 
drivers/usb/core/generic.c:238
[<c9e87a33>] usb_probe_device+0x5c/0x140 
drivers/usb/core/driver.c:293
[<32f135d3>] really_probe+0x159/0x480 drivers/base/dd.c:554
[<e1ce8490>] driver_probe_device+0x84/0x100 drivers/base/dd.c:738
[<bfd26436>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:844


WARNING in ieee80211_start_next_roc

2020-12-08 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:e87297fa Merge tag 'drm-fixes-2020-12-04' of git://anongit..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17d9c9d350
kernel config:  https://syzkaller.appspot.com/x/.config?x=e49433cfed49b7d9
dashboard link: https://syzkaller.appspot.com/bug?extid=c3a167b5615df4ccd7fb
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=171f77e350
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1603469b50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c3a167b5615df4ccd...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 1 PID: 8533 at net/mac80211/offchannel.c:401 
ieee80211_start_next_roc+0x1f4/0x240 net/mac80211/offchannel.c:401
Modules linked in:
CPU: 1 PID: 8533 Comm: kworker/u4:1 Not tainted 5.10.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Workqueue: phy4 ieee80211_scan_work
RIP: 0010:ieee80211_start_next_roc+0x1f4/0x240 net/mac80211/offchannel.c:401
Code: d0 21 00 00 48 89 ef 48 89 c2 e8 77 7f 0b 00 5b 5d e9 d0 f4 28 f9 e8 cb 
f4 28 f9 48 89 ef e8 c3 73 ff ff eb 8d e8 bc f4 28 f9 <0f> 0b eb 84 48 c7 c7 9c 
df ec 8c e8 1c 73 6a f9 e9 2f fe ff ff e8
RSP: 0018:c9000167fb80 EFLAGS: 00010293
RAX:  RBX: 0001 RCX: 88470edd
RDX: 88801f861a40 RSI: 88470fc4 RDI: 0001
RBP: 8880292c0c80 R08: 0001 R09: 8ebaf727
R10:  R11:  R12: 0001
R13: dc00 R14: 0001 R15: 8880292c25b8
FS:  () GS:8880b9f0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7fff0e86f950 CR3: 1d954000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 __ieee80211_scan_completed+0x602/0xed0 net/mac80211/scan.c:477
 ieee80211_scan_work+0x3dd/0x1a90 net/mac80211/scan.c:1119
 process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296


KMSAN: uninit-value in smsc75xx_read_eeprom (2)

2020-12-09 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:73d62e81 kmsan: random: prevent boot-time reports in _mix_..
git tree:   https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1256cc1350
kernel config:  https://syzkaller.appspot.com/x/.config?x=eef728deea880383
dashboard link: https://syzkaller.appspot.com/bug?extid=341170ccba949fac01a2
compiler:   clang version 11.0.0 (https://github.com/llvm/llvm-project.git 
ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+341170ccba949fac0...@syzkaller.appspotmail.com

cdc_ether: probe of 5-1:1.0 failed with error -22
smsc75xx v1.0.0
=
BUG: KMSAN: uninit-value in smsc75xx_eeprom_confirm_not_busy 
drivers/net/usb/smsc75xx.c:333 [inline]
BUG: KMSAN: uninit-value in smsc75xx_read_eeprom+0x266/0xa10 
drivers/net/usb/smsc75xx.c:352
CPU: 1 PID: 8502 Comm: kworker/1:0 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
 smsc75xx_eeprom_confirm_not_busy drivers/net/usb/smsc75xx.c:333 [inline]
 smsc75xx_read_eeprom+0x266/0xa10 drivers/net/usb/smsc75xx.c:352
 smsc75xx_init_mac_address drivers/net/usb/smsc75xx.c:771 [inline]
 smsc75xx_bind+0xc71/0x13f0 drivers/net/usb/smsc75xx.c:1489
 usbnet_probe+0x1169/0x3e90 drivers/net/usb/usbnet.c:1712
 usb_probe_interface+0xfcc/0x1520 drivers/usb/core/driver.c:396
 really_probe+0xebd/0x2420 drivers/base/dd.c:558
 driver_probe_device+0x293/0x390 drivers/base/dd.c:738
 __device_attach_driver+0x63f/0x830 drivers/base/dd.c:844
 bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431
 __device_attach+0x538/0x860 drivers/base/dd.c:912
 device_initial_probe+0x4a/0x60 drivers/base/dd.c:959
 bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491
 device_add+0x399e/0x3f20 drivers/base/core.c:2936
 usb_set_configuration+0x39cf/0x4010 drivers/usb/core/message.c:2159
 usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:238
 usb_probe_device+0x317/0x570 drivers/usb/core/driver.c:293
 really_probe+0xebd/0x2420 drivers/base/dd.c:558
 driver_probe_device+0x293/0x390 drivers/base/dd.c:738
 __device_attach_driver+0x63f/0x830 drivers/base/dd.c:844
 bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431
 __device_attach+0x538/0x860 drivers/base/dd.c:912
 device_initial_probe+0x4a/0x60 drivers/base/dd.c:959
 bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491
 device_add+0x399e/0x3f20 drivers/base/core.c:2936
 usb_new_device+0x1bd6/0x2a30 drivers/usb/core/hub.c:2554
 hub_port_connect drivers/usb/core/hub.c:5222 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5362 [inline]
 port_event drivers/usb/core/hub.c:5508 [inline]
 hub_event+0x5bc9/0x8890 drivers/usb/core/hub.c:5590
 process_one_work+0x121c/0x1fc0 kernel/workqueue.c:2272
 worker_thread+0x10cc/0x2740 kernel/workqueue.c:2418
 kthread+0x51c/0x560 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Local variable buf.i.i92@smsc75xx_read_eeprom created at:
 __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:322 [inline]
 smsc75xx_read_reg drivers/net/usb/smsc75xx.c:147 [inline]
 smsc75xx_eeprom_confirm_not_busy drivers/net/usb/smsc75xx.c:327 [inline]
 smsc75xx_read_eeprom+0x124/0xa10 drivers/net/usb/smsc75xx.c:352
 __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:322 [inline]
 smsc75xx_read_reg drivers/net/usb/smsc75xx.c:147 [inline]
 smsc75xx_eeprom_confirm_not_busy drivers/net/usb/smsc75xx.c:327 [inline]
 smsc75xx_read_eeprom+0x124/0xa10 drivers/net/usb/smsc75xx.c:352
=


Re: WARNING in __queue_work (3)

2020-12-09 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:7d8761ba Merge branch 'fixes' of git://git.kernel.org/pub/..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1485974550
kernel config:  https://syzkaller.appspot.com/x/.config?x=59df2a4dced5f928
dashboard link: https://syzkaller.appspot.com/bug?extid=63bed493aebbf6872647
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1431cc1350

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+63bed493aebbf6872...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 1 PID: 24939 at kernel/workqueue.c:1416 __queue_work+0xb59/0xf00 
kernel/workqueue.c:1416
Modules linked in:
CPU: 1 PID: 24939 Comm: syz-executor.3 Not tainted 5.10.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:__queue_work+0xb59/0xf00 kernel/workqueue.c:1416
Code: e0 07 83 c0 03 38 d0 7c 09 84 d2 74 05 e8 3f d0 69 00 8b 5b 24 31 ff 83 
e3 20 89 de e8 20 4b 28 00 85 db 75 7c e8 c7 52 28 00 <0f> 0b e9 dc fa ff ff e8 
bb 52 28 00 0f 0b e9 55 fa ff ff e8 af 52
RSP: 0018:c9000266f750 EFLAGS: 00010093
RAX:  RBX:  RCX: 8147b1a0
RDX: 88801f184ec0 RSI: 8147b1a9 RDI: 0005
RBP: 88804d3d4b00 R08:  R09: 8f12d1a3
R10:  R11:  R12: 888059ce4ac8
R13: 88803f6b5800 R14: 0293 R15: 88803f6b5800
FS:  7f4e91751700() GS:8880b9f0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7e766db8 CR3: 59bc CR4: 00350ee0
Call Trace:
 queue_work_on+0xc7/0xd0 kernel/workqueue.c:1521
 l2cap_do_send+0x248/0x480 net/bluetooth/l2cap_core.c:987
 l2cap_chan_send+0xcc3/0x2ac0 net/bluetooth/l2cap_core.c:2706
 l2cap_sock_sendmsg+0x235/0x2f0 net/bluetooth/l2cap_sock.c:1134
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 sys_sendmsg+0x331/0x810 net/socket.c:2353
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
 __sys_sendmmsg+0x195/0x470 net/socket.c:2497
 __do_sys_sendmmsg net/socket.c:2526 [inline]
 __se_sys_sendmmsg net/socket.c:2523 [inline]
 __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2523
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45e0f9
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 
db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f4e91750c68 EFLAGS: 0246 ORIG_RAX: 0133
RAX: ffda RBX: 0004 RCX: 0045e0f9
RDX: 0500 RSI: 20003f00 RDI: 0005
RBP: 0119c070 R08:  R09: 
R10:  R11: 0246 R12: 0119c034
R13: 7ffd9c18ecaf R14: 7f4e917519c0 R15: 0119c034



KASAN: use-after-free Write in rtl_fw_do_work (2)

2020-12-09 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:b175d273 USB: legotower: fix logical error in recent commit
git tree:   https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git 
usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=12ee7c8750
kernel config:  https://syzkaller.appspot.com/x/.config?x=d24ee9ecd7ce968e
dashboard link: https://syzkaller.appspot.com/bug?extid=65be4277f3c489293939
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+65be4277f3c489293...@syzkaller.appspotmail.com

usb 5-1: Direct firmware load for rtlwifi/rtl8192cufw.bin failed with error -2
rtlwifi: Loading alternative firmware rtlwifi/rtl8192cufw.bin
rtlwifi: Selected firmware is not available
==
BUG: KASAN: use-after-free in rtl_fw_do_work.cold+0x68/0x6a 
drivers/net/wireless/realtek/rtlwifi/core.c:93
Write of size 4 at addr 8881454cff50 by task kworker/0:6/7379

CPU: 0 PID: 7379 Comm: kworker/0:6 Not tainted 5.10.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 rtl_fw_do_work.cold+0x68/0x6a drivers/net/wireless/realtek/rtlwifi/core.c:93
 request_firmware_work_func+0x12c/0x230 drivers/base/firmware_loader/main.c:1079
 process_one_work+0x933/0x1520 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x38c/0x460 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

The buggy address belongs to the page:
page:f54435b3 refcount:0 mapcount:0 mapping: index:0x0 
pfn:0x1454cf
flags: 0x200()
raw: 0200  ea00051533c8 
raw:    
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 8881454cfe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 8881454cfe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>8881454cff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ^
 8881454cff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 8881454d: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==


INFO: task can't die in p9_client_rpc (2)

2020-12-09 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:0eedceaf Add linux-next specific files for 20201201
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1df750
kernel config:  https://syzkaller.appspot.com/x/.config?x=55aec7153b7827ea
dashboard link: https://syzkaller.appspot.com/bug?extid=4ff9239a00671c7c656f
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4ff9239a00671c7c6...@syzkaller.appspotmail.com

INFO: task syz-executor.2:10555 can't die for more than 143 seconds.
task:syz-executor.2  state:D stack:27024 pid:10555 ppid:  8514 flags:0x4004
Call Trace:
 context_switch kernel/sched/core.c:4325 [inline]
 __schedule+0x8cd/0x2150 kernel/sched/core.c:5076
 schedule+0xcf/0x270 kernel/sched/core.c:5155
 p9_client_rpc+0x400/0x1240 net/9p/client.c:759
 p9_client_flush+0x1f9/0x430 net/9p/client.c:667
 p9_client_rpc+0xfde/0x1240 net/9p/client.c:784
 p9_client_version net/9p/client.c:955 [inline]
 p9_client_create+0xae1/0x1110 net/9p/client.c:1055
 v9fs_session_init+0x1dd/0x1770 fs/9p/v9fs.c:406
 v9fs_mount+0x79/0x9b0 fs/9p/vfs_super.c:126
 legacy_get_tree+0x105/0x220 fs/fs_context.c:592
 vfs_get_tree+0x89/0x2f0 fs/super.c:1549
 do_new_mount fs/namespace.c:2896 [inline]
 path_mount+0x12ae/0x1e70 fs/namespace.c:3227
 do_mount fs/namespace.c:3240 [inline]
 __do_sys_mount fs/namespace.c:3448 [inline]
 __se_sys_mount fs/namespace.c:3425 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3425
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45de79
RSP: 002b:7f4ba88a6c68 EFLAGS: 0246 ORIG_RAX: 00a5
RAX: ffda RBX: 0005 RCX: 0045de79
RDX: 2200 RSI: 2000 RDI: 
RBP: 0118bf70 R08: 2140 R09: 
R10:  R11: 0246 R12: 0118bf2c
R13: 7fff44b1496f R14: 7f4ba88a79c0 R15: 0118bf2c

Showing all locks held in the system:
2 locks held by kworker/u4:3/81:
1 lock held by khungtaskd/1618:
 #0: 8b33a7a0 (rcu_read_lock){}-{1:2}, at: 
debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6254
1 lock held by systemd-journal/4903:
1 lock held by in:imklog/8195:
 #0: 88801dba7270 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 
fs/file.c:923

=


WARNING in mptcp_reset_timer

2020-11-18 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:7c8ca812 Add linux-next specific files for 20201117
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=14ccfce250
kernel config:  https://syzkaller.appspot.com/x/.config?x=ff4bc71371dc5b13
dashboard link: https://syzkaller.appspot.com/bug?extid=42aa53dafb66a07e5a24
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1342e36e50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17f29bba50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+42aa53dafb66a07e5...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 1 PID: 8718 at net/mptcp/protocol.c:719 
mptcp_reset_timer+0x12a/0x160 net/mptcp/protocol.c:719
Modules linked in:
CPU: 1 PID: 8718 Comm: kworker/1:3 Not tainted 
5.10.0-rc4-next-20201117-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Workqueue: events mptcp_worker
RIP: 0010:mptcp_reset_timer+0x12a/0x160 net/mptcp/protocol.c:719
Code: e8 0b 87 43 fe e8 46 71 c5 f8 48 b8 00 00 00 00 00 fc ff df 48 c7 04 03 
00 00 00 00 48 83 c4 40 5b 5d 41 5c c3 e8 26 71 c5 f8 <0f> 0b 41 bc 14 00 00 00 
eb 98 e8 c7 d3 07 f9 e9 30 ff ff ff 48 c7
RSP: 0018:c90001adfa38 EFLAGS: 00010293
RAX:  RBX: 19200035bf47 RCX: 88ab2357
RDX: 88801ae14f80 RSI: 88ab23ba RDI: 0007
RBP: 88802420 R08:  R09: 88802420084f
R10:  R11:  R12: 
R13: 00281400 R14: 88802420 R15: dc00
FS:  () GS:8880b9f0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7f994238f010 CR3: 28d92000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 mptcp_push_pending+0x1351/0x17c0 net/mptcp/protocol.c:1266
 mptcp_worker+0x385/0x1a10 net/mptcp/protocol.c:1877
 process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x3af/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296


Re: KASAN: use-after-free Read in ath9k_hif_usb_rx_cb (2)

2020-11-18 Thread syzbot
syzbot has bisected this issue to:

commit dcd479e10a0510522a5d88b29b8f79ea3467d501
Author: Johannes Berg 
Date:   Fri Oct 9 12:17:11 2020 +

mac80211: always wind down STA state

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=100c9c1650
start commit:   0fa8ee0d Merge branch 'for-linus' of git://git.kernel.org/..
git tree:   upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=120c9c1650
console output: https://syzkaller.appspot.com/x/log.txt?x=140c9c1650
kernel config:  https://syzkaller.appspot.com/x/.config?x=75292221eb79ace2
dashboard link: https://syzkaller.appspot.com/bug?extid=03110230a11411024147
userspace arch: i386
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1587f84150
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11ec0fe650

Reported-by: syzbot+03110230a11411024...@syzkaller.appspotmail.com
Fixes: dcd479e10a05 ("mac80211: always wind down STA state")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


INFO: task can't die in perf_event_free_task

2020-11-19 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:92edc4ae Add linux-next specific files for 20201113
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15982d7250
kernel config:  https://syzkaller.appspot.com/x/.config?x=79ad4f8ad2d96176
dashboard link: https://syzkaller.appspot.com/bug?extid=f02b92479b7065807a2a
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=116fb7be50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f02b92479b7065807...@syzkaller.appspotmail.com

INFO: task syz-executor.0:26152 can't die for more than 143 seconds.
task:syz-executor.0  state:D stack:28544 pid:26152 ppid:  8500 flags:0x4004
Call Trace:
 context_switch kernel/sched/core.c:4269 [inline]
 __schedule+0x890/0x2030 kernel/sched/core.c:5019
 schedule+0xcf/0x270 kernel/sched/core.c:5098
 perf_event_free_task+0x514/0x6b0 kernel/events/core.c:12605
 copy_process+0x48e0/0x6f90 kernel/fork.c:2360
 kernel_clone+0xe7/0xab0 kernel/fork.c:2462
 __do_sys_clone+0xc8/0x110 kernel/fork.c:2579
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45deb9
Code: Unable to access opcode bytes at RIP 0x45de8f.
RSP: 002b:7ffb605e6c78 EFLAGS: 0246 ORIG_RAX: 0038
RAX: ffda RBX: 2040 RCX: 0045deb9
RDX:  RSI:  RDI: 0100
RBP: 0118bf70 R08:  R09: 
R10:  R11: 0246 R12: 0118bf2c
R13: 7fff8d97524f R14: 7ffb605e79c0 R15: 0118bf2c
INFO: task syz-executor.0:26152 blocked for more than 143 seconds.
  Not tainted 5.10.0-rc3-next-20201113-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0  state:D stack:28544 pid:26152 ppid:  8500 flags:0x4004
Call Trace:
 context_switch kernel/sched/core.c:4269 [inline]
 __schedule+0x890/0x2030 kernel/sched/core.c:5019
 schedule+0xcf/0x270 kernel/sched/core.c:5098
 perf_event_free_task+0x514/0x6b0 kernel/events/core.c:12605
 copy_process+0x48e0/0x6f90 kernel/fork.c:2360
 kernel_clone+0xe7/0xab0 kernel/fork.c:2462
 __do_sys_clone+0xc8/0x110 kernel/fork.c:2579
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45deb9
Code: Unable to access opcode bytes at RIP 0x45de8f.
RSP: 002b:7ffb605e6c78 EFLAGS: 0246 ORIG_RAX: 0038
RAX: ffda RBX: 2040 RCX: 0045deb9
RDX:  RSI:  RDI: 0100
RBP: 0118bf70 R08:  R09: 
R10:  R11: 0246 R12: 0118bf2c
R13: 7fff8d97524f R14: 7ffb605e79c0 R15: 0118bf2c

Showing all locks held in the system:
1 lock held by khungtaskd/1567:
 #0: 8b339ce0 (rcu_read_lock){}-{1:2}, at: 
debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6252
1 lock held by in:imklog/8178:
 #0: 88801c937c70 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 
fs/file.c:932

=

NMI backtrace for cpu 0
CPU: 0 PID: 1567 Comm: khungtaskd Not tainted 
5.10.0-rc3-next-20201113-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 nmi_cpu_backtrace.cold+0x44/0xd7 lib/nmi_backtrace.c:105
 nmi_trigger_cpumask_backtrace+0x1b3/0x230 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:147 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:253 [inline]
 watchdog+0xd89/0xf30 kernel/hung_task.c:338
 kthread+0x3af/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1 skipped: idling at native_safe_halt 
arch/x86/include/asm/irqflags.h:60 [inline]
NMI backtrace for cpu 1 skipped: idling at arch_safe_halt 
arch/x86/include/asm/irqflags.h:103 [inline]
NMI backtrace for cpu 1 skipped: idling at acpi_safe_halt 
drivers/acpi/processor_idle.c:111 [inline]
NMI backtrace for cpu 1 skipped: idling at acpi_idle_do_entry+0x1c9/0x250 
drivers/acpi/processor_idle.c:517


INFO: task hung in sync_inodes_sb (4)

2020-11-20 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:03430750 Add linux-next specific files for 20201116
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17027fdc50
kernel config:  https://syzkaller.appspot.com/x/.config?x=a1c4c3f27041fdb8
dashboard link: https://syzkaller.appspot.com/bug?extid=7d50f1e54a12ba3aeae2
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=124a884150
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15a4fce250

The issue was bisected to:

commit c68df2e7be0c1238ea3c281fd744a204ef3b15a0
Author: Emmanuel Grumbach 
Date:   Thu Sep 15 13:30:02 2016 +

mac80211: allow using AP_LINK_PS with mac80211-generated TIM IE

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1445e98150
final oops: https://syzkaller.appspot.com/x/report.txt?x=1645e98150
console output: https://syzkaller.appspot.com/x/log.txt?x=1245e98150

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7d50f1e54a12ba3ae...@syzkaller.appspotmail.com
Fixes: c68df2e7be0c ("mac80211: allow using AP_LINK_PS with mac80211-generated 
TIM IE")

INFO: task syz-executor017:8513 blocked for more than 143 seconds.
  Not tainted 5.10.0-rc3-next-20201116-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor017 state:D stack:27448 pid: 8513 ppid:  8507 flags:0x4000
Call Trace:
 context_switch kernel/sched/core.c:4269 [inline]
 __schedule+0x890/0x2030 kernel/sched/core.c:5019
 schedule+0xcf/0x270 kernel/sched/core.c:5098
 wb_wait_for_completion+0x17b/0x230 fs/fs-writeback.c:209
 sync_inodes_sb+0x1a6/0x9d0 fs/fs-writeback.c:2559
 __sync_filesystem fs/sync.c:34 [inline]
 sync_filesystem fs/sync.c:67 [inline]
 sync_filesystem+0x15c/0x260 fs/sync.c:48
 generic_shutdown_super+0x70/0x370 fs/super.c:448
 kill_block_super+0x97/0xf0 fs/super.c:1446
 deactivate_locked_super+0x94/0x160 fs/super.c:335
 deactivate_super+0xad/0xd0 fs/super.c:366
 cleanup_mnt+0x3a3/0x530 fs/namespace.c:1123
 task_work_run+0xdd/0x190 kernel/task_work.c:140
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x1f0/0x200 kernel/entry/common.c:199
 syscall_exit_to_user_mode+0x38/0x260 kernel/entry/common.c:274
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x44e0e7
Code: Unable to access opcode bytes at RIP 0x44e0bd.
RSP: 002b:7fff42061288 EFLAGS: 0206 ORIG_RAX: 00a6
RAX:  RBX: 000cee4c RCX: 0044e0e7
RDX: 00400be0 RSI: 0002 RDI: 7fff42061330
RBP: 2142 R08:  R09: 0009
R10: 0005 R11: 0206 R12: 7fff420623e0
R13: 01f67880 R14:  R15: 

Showing all locks held in the system:
2 locks held by kworker/u4:5/225:
 #0: 8881413a4138 ((wq_completion)writeback){+.+.}-{0:0}, at: 
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 8881413a4138 ((wq_completion)writeback){+.+.}-{0:0}, at: atomic64_set 
include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 8881413a4138 ((wq_completion)writeback){+.+.}-{0:0}, at: 
atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 8881413a4138 ((wq_completion)writeback){+.+.}-{0:0}, at: set_work_data 
kernel/workqueue.c:616 [inline]
 #0: 8881413a4138 ((wq_completion)writeback){+.+.}-{0:0}, at: 
set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 8881413a4138 ((wq_completion)writeback){+.+.}-{0:0}, at: 
process_one_work+0x821/0x15a0 kernel/workqueue.c:2243
 #1: c9000191fda8 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: 
process_one_work+0x854/0x15a0 kernel/workqueue.c:2247
1 lock held by khungtaskd/1655:
 #0: 8b339ce0 (rcu_read_lock){}-{1:2}, at: 
debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6252
1 lock held by in:imklog/8188:
 #0: 888017c8f4f0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 
fs/file.c:932
2 locks held by syz-executor017/8513:
 #0: 88801a8500e0 (&type->s_umount_key#49){+.+.}-{3:3}, at: 
deactivate_super+0xa5/0xd0 fs/super.c:365
 #1: 888143f5e708 (&bdi->wb_switch_rwsem){+.+.}-{3:3}, at: 
bdi_down_write_wb_switch_rwsem fs/fs-writeback.c:344 [inline]
 #1: 888143f5e708 (&bdi->wb_switch_rwsem){+.+.}-{3:3}, at: 
sync_inodes_sb+0x18c/0x9d0 fs/fs-writeback.c:2557

=

NMI backtrace for cpu 0
CPU: 0 PID: 1655 Comm: khungtaskd Not tainted 
5.10.0-rc3-next-20201116-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stac

Re: general protection fault in ieee80211_chanctx_num_assigned

2020-11-22 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:a349e4c6 Merge tag 'xfs-5.10-fixes-7' of git://git.kernel...
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=144e1e9950
kernel config:  https://syzkaller.appspot.com/x/.config?x=330f3436df12fd44
dashboard link: https://syzkaller.appspot.com/bug?extid=00ce7332120071df39b1
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=153140a550
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=179bf83550

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+00ce7332120071df3...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 
0xfbd59c20:  [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0xdead0100-0xdead0107]
CPU: 1 PID: 8531 Comm: syz-executor169 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:ieee80211_chanctx_num_assigned+0xb1/0x140 net/mac80211/chan.c:21
Code: a8 f6 ff ff 48 39 c5 74 3b 49 bd 00 00 00 00 00 fc ff df e8 c1 91 1b f9 
48 8d bb 58 09 00 00 41 83 c4 01 48 89 f8 48 c1 e8 03 <42> 80 3c 28 00 75 68 48 
8b 83 58 09 00 00 48 8d 98 a8 f6 ff ff 48
RSP: 0018:c9000169f330 EFLAGS: 00010a02
RAX: 1bd5a020 RBX: deacf7a8 RCX: 88549e6b
RDX: 888011c8b480 RSI: 88549e0f RDI: dead0100
RBP: 8880130ca720 R08:  R09: 8cecb9cf
R10:  R11:  R12: 0002
R13: dc00 R14: 8880130ca700 R15: 
FS:  0087d940() GS:8880b9f0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 006d3090 CR3: 1c20a000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 ieee80211_assign_vif_chanctx+0x7b8/0x1230 net/mac80211/chan.c:690
 __ieee80211_vif_release_channel+0x236/0x430 net/mac80211/chan.c:1557
 ieee80211_vif_release_channel+0x117/0x220 net/mac80211/chan.c:1771
 ieee80211_ibss_disconnect+0x44e/0x7b0 net/mac80211/ibss.c:735
 ieee80211_ibss_leave+0x12/0xe0 net/mac80211/ibss.c:1871
 rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline]
 __cfg80211_leave_ibss+0x19a/0x4c0 net/wireless/ibss.c:212
 cfg80211_leave_ibss+0x57/0x80 net/wireless/ibss.c:230
 cfg80211_change_iface+0x855/0xef0 net/wireless/util.c:1012
 nl80211_set_interface+0x65c/0x8d0 net/wireless/nl80211.c:3789
 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 sys_sendmsg+0x6e8/0x810 net/socket.c:2353
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4429b9
Code: e8 bc fd 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 
db 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7ffd820d0a58 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX:  RCX: 004429b9
RDX:  RSI: 2340 RDI: 0004
RBP: fbef R08: 004035b0 R09: 004035b0
R10:  R11: 0246 R12: 00403520
R13: 004035b0 R14:  R15: 
Modules linked in:
---[ end trace 4cedfcb59a8efe47 ]---
RIP: 0010:ieee80211_chanctx_num_assigned+0xb1/0x140 net/mac80211/chan.c:21
Code: a8 f6 ff ff 48 39 c5 74 3b 49 bd 00 00 00 00 00 fc ff df e8 c1 91 1b f9 
48 8d bb 58 09 00 00 41 83 c4 01 48 89 f8 48 c1 e8 03 <42> 80 3c 28 00 75 68 48 
8b 83 58 09 00 00 48 8d 98 a8 f6 ff ff 48
RSP: 0018:c9000169f330 EFLAGS: 00010a02
RAX: 1bd5a020 RBX: deacf7a8 RCX: 88549e6b
RDX: 888011c8b480 RSI: 88549e0f RDI: dead0100
RBP: 8880130ca720 R08:  R09: 8cecb9cf
R10:  R11:  R12: 0002
R13: dc00 R14: 8880130ca700 R15: 
FS:  0087d940() GS:8880b9e0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7efedefa7000 CR3: 1c20a0

BUG: receive list entry not found for dev vcan0, id 001, mask C00007FF

2020-11-23 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:b9ad3e9f bonding: wait for sysfs kobject destruction befor..
git tree:   net
console output: https://syzkaller.appspot.com/x/log.txt?x=1195c5cd50
kernel config:  https://syzkaller.appspot.com/x/.config?x=330f3436df12fd44
dashboard link: https://syzkaller.appspot.com/bug?extid=d0ddd88c9a7432f041e6
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13c409cd50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1349ced150

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d0ddd88c9a7432f04...@syzkaller.appspotmail.com

RAX: ffda RBX: 7fffc0827800 RCX: 00443749
RDX: 0018 RSI: 2300 RDI: 0004
RBP:  R08: 0001 R09: 01bb
R10:  R11: 0246 R12: 
R13: 0005 R14:  R15: 
[ cut here ]
BUG: receive list entry not found for dev vcan0, id 001, mask C7FF
WARNING: CPU: 0 PID: 8495 at net/can/af_can.c:546 can_rx_unregister+0x5a4/0x700 
net/can/af_can.c:546
Modules linked in:
CPU: 0 PID: 8495 Comm: syz-executor608 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:can_rx_unregister+0x5a4/0x700 net/can/af_can.c:546
Code: 8b 7c 24 78 44 8b 64 24 68 49 c7 c5 a0 ae 56 8a e8 11 58 97 f9 44 89 f9 
44 89 e2 4c 89 ee 48 c7 c7 e0 ae 56 8a e8 76 ab d3 00 <0f> 0b 48 8b 7c 24 28 e8 
90 22 0f 01 e9 54 fb ff ff e8 06 cf d8 f9
RSP: 0018:c9000182f9f0 EFLAGS: 00010282
RAX:  RBX:  RCX: 
RDX: 88801ffe8000 RSI: 8158f3c5 RDI: f52000305f30
RBP: 0118 R08: 0001 R09: 8880b9e30627
R10:  R11:  R12: 0001
R13: 88801ab0 R14: 192000305f45 R15: c7ff
FS:  () GS:8880b9e0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 004c8928 CR3: 0b08e000 CR4: 001506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 isotp_notifier+0x2a7/0x540 net/can/isotp.c:1303
 call_netdevice_notifier net/core/dev.c:1735 [inline]
 call_netdevice_unregister_notifiers+0x156/0x1c0 net/core/dev.c:1763
 call_netdevice_unregister_net_notifiers net/core/dev.c:1791 [inline]
 unregister_netdevice_notifier+0xcd/0x170 net/core/dev.c:1870
 isotp_release+0x136/0x600 net/can/isotp.c:1011
 __sock_release+0xcd/0x280 net/socket.c:596
 sock_close+0x18/0x20 net/socket.c:1277
 __fput+0x285/0x920 fs/file_table.c:281
 task_work_run+0xdd/0x190 kernel/task_work.c:151
 exit_task_work include/linux/task_work.h:30 [inline]
 do_exit+0xb64/0x29b0 kernel/exit.c:809
 do_group_exit+0x125/0x310 kernel/exit.c:906
 __do_sys_exit_group kernel/exit.c:917 [inline]
 __se_sys_exit_group kernel/exit.c:915 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:915
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x442388
Code: Unable to access opcode bytes at RIP 0x44235e.
RSP: 002b:7fffc0827768 EFLAGS: 0246 ORIG_RAX: 00e7
RAX: ffda RBX: 0001 RCX: 00442388
RDX: 0001 RSI: 003c RDI: 0001
RBP: 004c88f0 R08: 00e7 R09: ffd0
R10:  R11: 0246 R12: 0001
R13: 006dd240 R14:  R15: 


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


inconsistent lock state in io_file_data_ref_zero

2020-11-23 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:27bba9c5 Merge tag 'scsi-fixes' of git://git.kernel.org/pu..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11041f1e50
kernel config:  https://syzkaller.appspot.com/x/.config?x=330f3436df12fd44
dashboard link: https://syzkaller.appspot.com/bug?extid=1f4ba1e5520762c523c6
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=17d9b77550
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=157e4f7550

The issue was bisected to:

commit dcd479e10a0510522a5d88b29b8f79ea3467d501
Author: Johannes Berg 
Date:   Fri Oct 9 12:17:11 2020 +

mac80211: always wind down STA state

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=130299a950
final oops: https://syzkaller.appspot.com/x/report.txt?x=108299a950
console output: https://syzkaller.appspot.com/x/log.txt?x=170299a950

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1f4ba1e5520762c52...@syzkaller.appspotmail.com
Fixes: dcd479e10a05 ("mac80211: always wind down STA state")


WARNING: inconsistent lock state
5.10.0-rc4-syzkaller #0 Not tainted

inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
swapper/0/0 [HC0[0]:SC1[1]:HE1:SE0] takes:
8880125202a8 (&file_data->lock){+.?.}-{2:2}, at: spin_lock 
include/linux/spinlock.h:354 [inline]
8880125202a8 (&file_data->lock){+.?.}-{2:2}, at: 
io_file_data_ref_zero+0x75/0x480 fs/io_uring.c:7361
{SOFTIRQ-ON-W} state was registered at:
  lock_acquire kernel/locking/lockdep.c:5435 [inline]
  lock_acquire+0x2a3/0x8c0 kernel/locking/lockdep.c:5400
  __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
  _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
  spin_lock include/linux/spinlock.h:354 [inline]
  io_sqe_files_register fs/io_uring.c:7496 [inline]
  __io_uring_register fs/io_uring.c:9660 [inline]
  __do_sys_io_uring_register+0x343a/0x40d0 fs/io_uring.c:9750
  do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
  entry_SYSCALL_64_after_hwframe+0x44/0xa9
irq event stamp: 131582
hardirqs last  enabled at (131582): [] 
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
hardirqs last  enabled at (131582): [] 
_raw_spin_unlock_irqrestore+0x42/0x50 kernel/locking/spinlock.c:191
hardirqs last disabled at (131581): [] 
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (131581): [] 
_raw_spin_lock_irqsave+0x4e/0x50 kernel/locking/spinlock.c:159
softirqs last  enabled at (131566): [] 
irq_enter_rcu+0xcf/0xf0 kernel/softirq.c:360
softirqs last disabled at (131567): [] 
asm_call_irq_on_stack+0xf/0x20

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&file_data->lock);
  <Interrupt>
    lock(&file_data->lock);

 *** DEADLOCK ***

2 locks held by swapper/0/0:
 #0: 8b337700 (rcu_callback){}-{0:0}, at: rcu_do_batch 
kernel/rcu/tree.c:2466 [inline]
 #0: 8b337700 (rcu_callback){}-{0:0}, at: rcu_core+0x576/0xe80 
kernel/rcu/tree.c:2711
 #1: 8b337820 (rcu_read_lock){}-{1:2}, at: 
percpu_ref_put_many.constprop.0+0x0/0x250 net/netfilter/xt_cgroup.c:62

stack backtrace:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_usage_bug kernel/locking/lockdep.c:3738 [inline]
 valid_state kernel/locking/lockdep.c:3749 [inline]
 mark_lock_irq kernel/locking/lockdep.c:3952 [inline]
 mark_lock.cold+0x32/0x74 kernel/locking/lockdep.c:4409
 mark_usage kernel/locking/lockdep.c:4304 [inline]
 __lock_acquire+0x11b1/0x5c00 kernel/locking/lockdep.c:4784
 lock_acquire kernel/locking/lockdep.c:5435 [inline]
 lock_acquire+0x2a3/0x8c0 kernel/locking/lockdep.c:5400
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
 spin_lock include/linux/spinlock.h:354 [inline]
 io_file_data_ref_zero+0x75/0x480 fs/io_uring.c:7361
 percpu_ref_put_many.constprop.0+0x217/0x250 include/linux/percpu-refcount.h:322
 rcu_do_batch kernel/rcu/tree.c:2476 [inline]
 rcu_core+0x5df/0xe80 kernel/rcu/tree.c:2711
 __do_softirq+0x2a0/0x9f6 kernel/softirq.c:298
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:393 [inline]
 __irq_exit_rcu kernel/softirq.c:423 [inline]
 irq_exit_rcu+0x132/0x200 kernel/softirq.c:435
 sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1091

general protection fault in ieee80211_subif_start_xmit

2020-11-23 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:a349e4c6 Merge tag 'xfs-5.10-fixes-7' of git://git.kernel...
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1427b22550
kernel config:  https://syzkaller.appspot.com/x/.config?x=330f3436df12fd44
dashboard link: https://syzkaller.appspot.com/bug?extid=d7a3b15976bf7de2238a
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=164652f550

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d7a3b15976bf7de22...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 
0xdc34:  [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x01a0-0x01a7]
CPU: 0 PID: 10156 Comm: syz-executor.4 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:ieee80211_multicast_to_unicast net/mac80211/tx.c:4070 [inline]
RIP: 0010:ieee80211_subif_start_xmit+0x24e/0xee0 net/mac80211/tx.c:4154
Code: 03 80 3c 02 00 0f 85 83 0c 00 00 49 8b 9f 50 17 00 00 48 b8 00 00 00 00 
00 fc ff df 48 8d bb a4 01 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 
e2 07 38 d0 7f 08 84 c0 0f 85 58 0c 00 00
RSP: 0018:c9007588 EFLAGS: 00010203
RAX: dc00 RBX:  RCX: 8851c61d
RDX: 0034 RSI: 8851c6ad RDI: 01a4
RBP: 88801b850280 R08:  R09: 8cecb9cf
R10: 0004 R11:  R12: 8a61f1e0
R13: 888012f07042 R14: 005a R15: 8880284b
FS:  7f1159678700() GS:8880b9e0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 016a9e60 CR3: 2ca99000 CR4: 001506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 <IRQ>
 __netdev_start_xmit include/linux/netdevice.h:4718 [inline]
 netdev_start_xmit include/linux/netdevice.h:4732 [inline]
 xmit_one net/core/dev.c:3564 [inline]
 dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3580
 sch_direct_xmit+0x2e1/0xbd0 net/sched/sch_generic.c:313
 qdisc_restart net/sched/sch_generic.c:376 [inline]
 __qdisc_run+0x4ba/0x15e0 net/sched/sch_generic.c:384
 qdisc_run include/net/pkt_sched.h:131 [inline]
 qdisc_run include/net/pkt_sched.h:123 [inline]
 __dev_xmit_skb net/core/dev.c:3755 [inline]
 __dev_queue_xmit+0x1453/0x2da0 net/core/dev.c:4108
 neigh_hh_output include/net/neighbour.h:499 [inline]
 neigh_output include/net/neighbour.h:508 [inline]
 ip6_finish_output2+0x8db/0x16c0 net/ipv6/ip6_output.c:117
 __ip6_finish_output net/ipv6/ip6_output.c:143 [inline]
 __ip6_finish_output+0x447/0xab0 net/ipv6/ip6_output.c:128
 ip6_finish_output+0x34/0x1f0 net/ipv6/ip6_output.c:153
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x1db/0x520 net/ipv6/ip6_output.c:176
 dst_output include/net/dst.h:443 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 mld_sendpack+0x92a/0xdb0 net/ipv6/mcast.c:1679
 mld_send_cr net/ipv6/mcast.c:1975 [inline]
 mld_ifc_timer_expire+0x60a/0xf10 net/ipv6/mcast.c:2474
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1410
 expire_timers kernel/time/timer.c:1455 [inline]
 __run_timers.part.0+0x67c/0xa50 kernel/time/timer.c:1747
 __run_timers kernel/time/timer.c:1728 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1760
 __do_softirq+0x2a0/0x9f6 kernel/softirq.c:298
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:393 [inline]
 __irq_exit_rcu kernel/softirq.c:423 [inline]
 irq_exit_rcu+0x132/0x200 kernel/softirq.c:435
 sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1091
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:631
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
RIP: 0010:lock_acquire kernel/locking/lockdep.c:5438 [inline]
RIP: 0010:lock_acquire+0x2cd/0x8c0 kernel/locking/lockdep.c:5400
Code: 48 c7 c7 c0 5e 4b 89 48 83 c4 20 e8 dd 68 8f 07 b8 ff ff ff ff 65 0f c1 
05 c0 b2 ab 7e 83 f8 01 0f 85 09 04 00 00 ff 34 24 9d  37 fe ff ff 65 ff 05 
67 a1 ab 7e 48 8b 05 a0 ab 82 0b e8 6b 5d
RSP: 0018:c9000aaf73e0 EFLAGS: 0246
RAX: 0001 RBX: 19200155ee7e RCX: 8155f384
RDX: 111004e58121 RSI: 0001 RDI: 
RBP: 0001 R08:  R09: 8ebb166f
R10: fbfff1d762cd R11:  R12: 
R13: 88803eff20a8 R14:  R15: 
 __raw_spin_lock include/linux/spinlo

BUG: receive list entry not found for dev vxcan1, id 002, mask C00007FF

2020-11-23 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:c2e7554e Merge tag 'gfs2-v5.10-rc4-fixes' of git://git.ker..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=117f03ba50
kernel config:  https://syzkaller.appspot.com/x/.config?x=75292221eb79ace2
dashboard link: https://syzkaller.appspot.com/bug?extid=381d06e0c8eaacb8706f
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+381d06e0c8eaacb87...@syzkaller.appspotmail.com

[ cut here ]
BUG: receive list entry not found for dev vxcan1, id 002, mask C7FF
WARNING: CPU: 1 PID: 12946 at net/can/af_can.c:546 
can_rx_unregister+0x5a4/0x700 net/can/af_can.c:546
Modules linked in:
CPU: 1 PID: 12946 Comm: syz-executor.1 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:can_rx_unregister+0x5a4/0x700 net/can/af_can.c:546
Code: 8b 7c 24 78 44 8b 64 24 68 49 c7 c5 20 ac 56 8a e8 01 6c 97 f9 44 89 f9 
44 89 e2 4c 89 ee 48 c7 c7 60 ac 56 8a e8 66 af d3 00 <0f> 0b 48 8b 7c 24 28 e8 
b0 25 0f 01 e9 54 fb ff ff e8 26 e0 d8 f9
RSP: 0018:c90017e2fb38 EFLAGS: 00010286
RAX:  RBX:  RCX: 
RDX: 8880147a8000 RSI: 8158f3c5 RDI: f52002fc5f59
RBP: 0118 R08: 0001 R09: 8880b9f2011b
R10:  R11:  R12: 0002
R13: 8880254c R14: 192002fc5f6e R15: c7ff
FS:  01ddc940() GS:8880b9f0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 001b2f121000 CR3: 152c CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 isotp_notifier+0x2a7/0x540 net/can/isotp.c:1303
 call_netdevice_notifier net/core/dev.c:1735 [inline]
 call_netdevice_unregister_notifiers+0x156/0x1c0 net/core/dev.c:1763
 call_netdevice_unregister_net_notifiers net/core/dev.c:1791 [inline]
 unregister_netdevice_notifier+0xcd/0x170 net/core/dev.c:1870
 isotp_release+0x136/0x600 net/can/isotp.c:1011
 __sock_release+0xcd/0x280 net/socket.c:596
 sock_close+0x18/0x20 net/socket.c:1277
 __fput+0x285/0x920 fs/file_table.c:281
 task_work_run+0xdd/0x190 kernel/task_work.c:151
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:164 [inline]
 exit_to_user_mode_prepare+0x17e/0x1a0 kernel/entry/common.c:191
 syscall_exit_to_user_mode+0x38/0x260 kernel/entry/common.c:266
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x417811
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 a4 1a 00 00 c3 48 83 
ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 
53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:0169fbf0 EFLAGS: 0293 ORIG_RAX: 0003
RAX:  RBX: 0004 RCX: 00417811
RDX:  RSI: 13b7 RDI: 0003
RBP: 0001 R08: acabb3b7 R09: acabb3bb
R10: 0169fcd0 R11: 0293 R12: 0118c9a0
R13: 0118c9a0 R14: 03e8 R15: 0118bf2c




Re: memory leak in inet_create (2)

2020-11-23 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:418baf2c Linux 5.10-rc5
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=161c84ed50
kernel config:  https://syzkaller.appspot.com/x/.config?x=5524c10373633a9c
dashboard link: https://syzkaller.appspot.com/bug?extid=bb7ba8dd62c3cb6e3c78
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1514cfa350
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11a52fc150

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bb7ba8dd62c3cb6e3...@syzkaller.appspotmail.com

executing program
executing program
executing program
BUG: memory leak
unreferenced object 0x88810e85adc0 (size 1728):
  comm "syz-executor376", pid 8506, jiffies 4294946899 (age 13.430s)
  hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@
  backtrace:
[<cb2829d9>] sk_prot_alloc+0x3e/0x1c0 net/core/sock.c:1660
[<23bd8ef8>] sk_alloc+0x30/0x3f0 net/core/sock.c:1720
[<a4a7ed0a>] inet_create net/ipv4/af_inet.c:322 [inline]
[<a4a7ed0a>] inet_create+0x16a/0x560 net/ipv4/af_inet.c:248
[<3b729101>] __sock_create+0x1ab/0x2b0 net/socket.c:1427
[<ebee6fd5>] sock_create net/socket.c:1478 [inline]
[<ebee6fd5>] __sys_socket+0x6f/0x140 net/socket.c:1520
[<bcf20e68>] __do_sys_socket net/socket.c:1529 [inline]
[<bcf20e68>] __se_sys_socket net/socket.c:1527 [inline]
[<bcf20e68>] __x64_sys_socket+0x1a/0x20 net/socket.c:1527
[<732fe45a>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<91e76b15>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0x88810fec3c80 (size 768):
  comm "syz-executor376", pid 8506, jiffies 4294946899 (age 13.430s)
  hex dump (first 32 bytes):
01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  
00 00 00 00 00 00 00 00 c0 72 a0 0e 81 88 ff ff  .r..
  backtrace:
[<681cd6ae>] sock_alloc_inode+0x18/0x90 net/socket.c:253
[<fa9d2004>] alloc_inode+0x27/0x100 fs/inode.c:234
[<f3a018c7>] new_inode_pseudo+0x13/0x70 fs/inode.c:930
[<549f715a>] sock_alloc+0x18/0x90 net/socket.c:573
[<a044e0d4>] __sock_create+0xb8/0x2b0 net/socket.c:1391
[<973ca39c>] mptcp_subflow_create_socket+0x57/0x280 
net/mptcp/subflow.c:1152
[<a3724864>] __mptcp_socket_create net/mptcp/protocol.c:97 [inline]
[<a3724864>] mptcp_init_sock net/mptcp/protocol.c:1859 [inline]
[<a3724864>] mptcp_init_sock+0x12f/0x270 net/mptcp/protocol.c:1844
[<c97baf32>] inet_create net/ipv4/af_inet.c:380 [inline]
[<c97baf32>] inet_create+0x2ed/0x560 net/ipv4/af_inet.c:248
[<3b729101>] __sock_create+0x1ab/0x2b0 net/socket.c:1427
[<ebee6fd5>] sock_create net/socket.c:1478 [inline]
[<ebee6fd5>] __sys_socket+0x6f/0x140 net/socket.c:1520
[<bcf20e68>] __do_sys_socket net/socket.c:1529 [inline]
[<bcf20e68>] __se_sys_socket net/socket.c:1527 [inline]
[<bcf20e68>] __x64_sys_socket+0x1a/0x20 net/socket.c:1527
[<732fe45a>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<91e76b15>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0x88810de87bb8 (size 24):
  comm "syz-executor376", pid 8506, jiffies 4294946899 (age 13.430s)
  hex dump (first 24 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
00 00 00 00 00 00 00 00  
  backtrace:
[<bea9ec8c>] kmem_cache_zalloc include/linux/slab.h:654 [inline]
[<bea9ec8c>] lsm_inode_alloc security/security.c:589 [inline]
[<bea9ec8c>] security_inode_alloc+0x2a/0xb0 security/security.c:972
[<543365c5>] inode_init_always+0x10c/0x250 fs/inode.c:171
[<4da5c777>] alloc_inode+0x44/0x100 fs/inode.c:241
[<f3a018c7>] new_inode_pseudo+0x13/0x70 fs/inode.c:930
[<549f715a>] sock_alloc+0x18/0x90 net/socket.c:573
[<a044e0d4>] __sock_create+0xb8/0x2b0 net/socket.c:1391
[<973ca39c>] mptcp_subflow_create_socket+0x57/0x280 
net/mptcp/subflow.c:1152
[<a3724864>] __mptcp_socket_create net/mptcp/protocol.c:97 [inline]
[<a3724864>] mptcp_init_sock net/mptcp/protocol.c:1859 [inline]
[<a3724864>] mptcp_init_s

INFO: task hung in addrconf_verify_work (4)

2020-11-24 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:4d02da97 Merge tag 'net-5.10-rc5' of git://git.kernel.org/..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1725369650
kernel config:  https://syzkaller.appspot.com/x/.config?x=330f3436df12fd44
dashboard link: https://syzkaller.appspot.com/bug?extid=ba67b12b1ca729912834
compiler:   gcc (GCC) 10.1.0-syz 20200507
userspace arch: i386
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=15577dc150
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1138574d50

The issue was bisected to:

commit 0fedc63fadf0404a729e73a35349481c8009c02f
Author: Cong Wang 
Date:   Wed Sep 23 03:56:24 2020 +

net_sched: commit action insertions together

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13f3c35150
final oops: https://syzkaller.appspot.com/x/report.txt?x=100bc35150
console output: https://syzkaller.appspot.com/x/log.txt?x=17f3c35150

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ba67b12b1ca729912...@syzkaller.appspotmail.com
Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together")

INFO: task kworker/0:1:8444 blocked for more than 143 seconds.
  Not tainted 5.10.0-rc4-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:1 state:D stack:29768 pid: 8444 ppid: 2 flags:0x4000
Workqueue: ipv6_addrconf addrconf_verify_work
Call Trace:
 context_switch kernel/sched/core.c:3774 [inline]
 __schedule+0x893/0x2130 kernel/sched/core.c:4523
 schedule+0xcf/0x270 kernel/sched/core.c:4601
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:4660
 __mutex_lock_common kernel/locking/mutex.c:1033 [inline]
 __mutex_lock+0x3e2/0x10e0 kernel/locking/mutex.c:1103
 addrconf_verify_work+0xa/0x20 net/ipv6/addrconf.c:4568
 process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x3af/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Showing all locks held in the system:
1 lock held by khungtaskd/1655:
 #0: 8b337820 (rcu_read_lock){}-{1:2}, at: 
debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6252
1 lock held by in:imklog/8146:
 #0: 88801ef9aaf0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 
fs/file.c:932
3 locks held by kworker/0:1/8444:
 #0: 888147a41538 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: 
arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: 888147a41538 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: 
atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: 888147a41538 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: 
atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: 888147a41538 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: 
set_work_data kernel/workqueue.c:616 [inline]
 #0: 888147a41538 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: 
set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: 888147a41538 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: 
process_one_work+0x821/0x15a0 kernel/workqueue.c:2243
 #1: c9e9fda8 ((addr_chk_work).work){+.+.}-{0:0}, at: 
process_one_work+0x854/0x15a0 kernel/workqueue.c:2247
 #2: 8c928588 (rtnl_mutex){+.+.}-{3:3}, at: 
addrconf_verify_work+0xa/0x20 net/ipv6/addrconf.c:4568
2 locks held by syz-executor297/8473:

=

NMI backtrace for cpu 0
CPU: 0 PID: 1655 Comm: khungtaskd Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 nmi_cpu_backtrace.cold+0x44/0xd7 lib/nmi_backtrace.c:105
 nmi_trigger_cpumask_backtrace+0x1b3/0x230 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:209 [inline]
 watchdog+0xd43/0xfa0 kernel/hung_task.c:294
 kthread+0x3af/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 8473 Comm: syz-executor297 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:lock_is_held_type+0xc2/0x100 kernel/locking/lockdep.c:5479
Code: 03 44 39 f0 41 0f 94 c4 48 c7 c7 c0 5e 4b 89 e8 d4 0b 00 00 b8 ff ff ff 
ff 65 0f c1 05 57 67 1c 77 83 f8 01 75 23 ff 34 24 9d <48> 83 c4 08 44 89 e0 5b 
5d 41 5c 41 5d 41 5e 41 5f c3 45 31 e4 eb
RSP: 0018:c900016beb50 EFLAGS: 0202
RAX: 0001 RBX: 0001 RCX: 119d9d4b
RDX:  RSI:  RDI: 
RBP: 8b337760 R08: 87119fb8 R

memory leak in qrtr_tun_open

2020-11-24 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:4d02da97 Merge tag 'net-5.10-rc5' of git://git.kernel.org/..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16f4331e50
kernel config:  https://syzkaller.appspot.com/x/.config?x=c5353ac514ca5a43
dashboard link: https://syzkaller.appspot.com/bug?extid=5d6e4af21385f5cfc56a
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1115d00150
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1467f82e50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5d6e4af21385f5cfc...@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0x888117d40180 (size 64):
  comm "syz-executor845", pid 10294, jiffies 4295034653 (age 32.350s)
  hex dump (first 32 bytes):
c0 24 04 84 ff ff ff ff 00 00 00 00 00 00 00 00  .$..
90 01 d4 17 81 88 ff ff 90 01 d4 17 81 88 ff ff  
  backtrace:
[<fcfbf0c5>] kmalloc include/linux/slab.h:552 [inline]
[<fcfbf0c5>] kzalloc include/linux/slab.h:664 [inline]
[<fcfbf0c5>] qrtr_tun_open+0x22/0x90 net/qrtr/tun.c:35
[<3dd258a0>] misc_open+0x19c/0x1e0 drivers/char/misc.c:141
[<c462f734>] chrdev_open+0x10d/0x340 fs/char_dev.c:414
[<6a388b0e>] do_dentry_open+0x1e6/0x620 fs/open.c:817
[<757d8e01>] do_open fs/namei.c:3252 [inline]
[<757d8e01>] path_openat+0x74a/0x1b00 fs/namei.c:3369
[<b8d1608f>] do_filp_open+0xa0/0x190 fs/namei.c:3396
[<89fdef83>] do_sys_openat2+0xed/0x230 fs/open.c:1168
[<4cd3d1c0>] do_sys_open fs/open.c:1184 [inline]
[<4cd3d1c0>] __do_sys_openat fs/open.c:1200 [inline]
[<4cd3d1c0>] __se_sys_openat fs/open.c:1195 [inline]
[<4cd3d1c0>] __x64_sys_openat+0x7f/0xe0 fs/open.c:1195
[<d6a554a2>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<99a4af52>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0x888117d40180 (size 64):
  comm "syz-executor845", pid 10294, jiffies 4295034653 (age 32.440s)
  hex dump (first 32 bytes):
c0 24 04 84 ff ff ff ff 00 00 00 00 00 00 00 00  .$..
90 01 d4 17 81 88 ff ff 90 01 d4 17 81 88 ff ff  
  backtrace:
[<fcfbf0c5>] kmalloc include/linux/slab.h:552 [inline]
[<fcfbf0c5>] kzalloc include/linux/slab.h:664 [inline]
[<fcfbf0c5>] qrtr_tun_open+0x22/0x90 net/qrtr/tun.c:35
[<3dd258a0>] misc_open+0x19c/0x1e0 drivers/char/misc.c:141
[<c462f734>] chrdev_open+0x10d/0x340 fs/char_dev.c:414
[<6a388b0e>] do_dentry_open+0x1e6/0x620 fs/open.c:817
[<757d8e01>] do_open fs/namei.c:3252 [inline]
[<757d8e01>] path_openat+0x74a/0x1b00 fs/namei.c:3369
[<b8d1608f>] do_filp_open+0xa0/0x190 fs/namei.c:3396
[<89fdef83>] do_sys_openat2+0xed/0x230 fs/open.c:1168
[<4cd3d1c0>] do_sys_open fs/open.c:1184 [inline]
[<4cd3d1c0>] __do_sys_openat fs/open.c:1200 [inline]
[<4cd3d1c0>] __se_sys_openat fs/open.c:1195 [inline]
[<4cd3d1c0>] __x64_sys_openat+0x7f/0xe0 fs/open.c:1195
[<d6a554a2>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<99a4af52>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0x888117d40180 (size 64):
  comm "syz-executor845", pid 10294, jiffies 4295034653 (age 32.520s)
  hex dump (first 32 bytes):
c0 24 04 84 ff ff ff ff 00 00 00 00 00 00 00 00  .$..
90 01 d4 17 81 88 ff ff 90 01 d4 17 81 88 ff ff  
  backtrace:
[<fcfbf0c5>] kmalloc include/linux/slab.h:552 [inline]
[<fcfbf0c5>] kzalloc include/linux/slab.h:664 [inline]
[<fcfbf0c5>] qrtr_tun_open+0x22/0x90 net/qrtr/tun.c:35
[<3dd258a0>] misc_open+0x19c/0x1e0 drivers/char/misc.c:141
[<c462f734>] chrdev_open+0x10d/0x340 fs/char_dev.c:414
[<6a388b0e>] do_dentry_open+0x1e6/0x620 fs/open.c:817
[<757d8e01>] do_open fs/namei.c:3252 [inline]
[<757d8e01>] path_openat+0x74a/0x1b00 fs/namei.c:3369
[<b8d1608f>] do_filp_open+0xa0/0x190 fs/namei.c:3396
[<89fdef83>] do_sys_openat2+0xed/0x230 fs/open.c:1168
[<4cd3d1c0>] do_sys_open fs/open.c:1184 [inline]
[<4cd3d1c0>] __do_sys_openat fs/open.c:1200 [inline]
[<4cd3d1c0>] __se_sys_openat fs/open.c:1195 [inline]
[<4cd3d1c0>] __x64_sys_o

Re: WARNING in __rate_control_send_low

2020-11-24 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:80145ac2 Merge tag 's390-5.10-5' of git://git.kernel.org/p..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=130e5a7950
kernel config:  https://syzkaller.appspot.com/x/.config?x=b81aff78c272da44
dashboard link: https://syzkaller.appspot.com/bug?extid=fdc5123366fb9c3fdc6d
compiler:   gcc (GCC) 10.1.0-syz 20200507
userspace arch: i386
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=12bf662d50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11671c8b50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fdc5123366fb9c3fd...@syzkaller.appspotmail.com

[ cut here ]
no supported rates for sta (null) (0x, band 0) in rate_mask 0x0 with 
flags 0x0
WARNING: CPU: 1 PID: 8503 at net/mac80211/rate.c:375 
__rate_control_send_low+0x4d0/0x6d0 net/mac80211/rate.c:375
Modules linked in:
CPU: 1 PID: 8503 Comm: systemd-sysctl Not tainted 5.10.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:__rate_control_send_low+0x4d0/0x6d0 net/mac80211/rate.c:375
Code: 14 48 89 44 24 08 e8 7f dd 25 f9 44 8b 44 24 24 45 89 e9 44 89 e1 48 8b 
74 24 08 44 89 f2 48 c7 c7 a0 f7 61 8a e8 fc 5b 62 00 <0f> 0b e9 1c fe ff ff e8 
54 dd 25 f9 48 8b 44 24 10 48 8d 78 7f 48
RSP: 0018:c9d90a40 EFLAGS: 00010282
RAX:  RBX: 888026ce8de8 RCX: 
RDX: 88801e45 RSI: 8158d875 RDI: f520001b213a
RBP: 888144343148 R08: 0001 R09: 8880b9f30627
R10:  R11: 0001 R12: 
R13:  R14:  R15: 0090
FS:  () GS:8880b9f0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7fde93cedab4 CR3: 12e1 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 
 rate_control_send_low+0x265/0x730 net/mac80211/rate.c:400
 rate_control_get_rate+0x1b9/0x5a0 net/mac80211/rate.c:913
 __ieee80211_beacon_get+0xb06/0x1aa0 net/mac80211/tx.c:4924
 ieee80211_beacon_get_tim+0x88/0x910 net/mac80211/tx.c:4951
 ieee80211_beacon_get include/net/mac80211.h:4912 [inline]
 mac80211_hwsim_beacon_tx+0x111/0x910 drivers/net/wireless/mac80211_hwsim.c:1729
 __iterate_interfaces+0x1e5/0x520 net/mac80211/util.c:792
 ieee80211_iterate_active_interfaces_atomic+0x8d/0x170 net/mac80211/util.c:828
 mac80211_hwsim_beacon+0xd5/0x1a0 drivers/net/wireless/mac80211_hwsim.c:1782
 __run_hrtimer kernel/time/hrtimer.c:1519 [inline]
 __hrtimer_run_queues+0x693/0xea0 kernel/time/hrtimer.c:1583
 hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1600
 __do_softirq+0x2a0/0x9f6 kernel/softirq.c:298
 asm_call_irq_on_stack+0xf/0x20
 
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:393 [inline]
 __irq_exit_rcu kernel/softirq.c:423 [inline]
 irq_exit_rcu+0x132/0x200 kernel/softirq.c:435
 sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1091
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:631
RIP: 0010:__this_cpu_preempt_check+0xd/0x20 lib/smp_processor_id.c:65
Code: 00 00 48 c7 c6 c0 90 9d 89 48 c7 c7 00 91 9d 89 e9 b8 fe ff ff 0f 1f 84 
00 00 00 00 00 55 48 89 fd 0f 1f 44 00 00 48 89 ee 5d <48> c7 c7 40 91 9d 89 e9 
97 fe ff ff cc cc cc cc cc cc cc eb 1e 0f
RSP: 0018:c900016ff918 EFLAGS: 0283
RAX: 0003 RBX: 8880101ad800 RCX: 
RDX: fffd RSI: 8956fa40 RDI: 8956fa40
RBP: 0088 R08: 0001 R09: eac3d9b3
R10:  R11:  R12: 8880101ad890
R13: fffd R14: 0020 R15: 0011
 __mod_memcg_lruvec_state+0x10e/0x350 mm/memcontrol.c:837
 __mod_lruvec_page_state include/linux/memcontrol.h:847 [inline]
 __dec_lruvec_page_state include/linux/memcontrol.h:1346 [inline]
 page_remove_rmap+0x289/0x1c00 mm/rmap.c:1349
 zap_pte_range mm/memory.c:1253 [inline]
 zap_pmd_range mm/memory.c:1357 [inline]
 zap_pud_range mm/memory.c:1386 [inline]
 zap_p4d_range mm/memory.c:1407 [inline]
 unmap_page_range+0xe30/0x2640 mm/memory.c:1428
 unmap_single_vma+0x198/0x300 mm/memory.c:1473
 unmap_vmas+0x168/0x2e0 mm/memory.c:1505
 exit_mmap+0x2b1/0x530 mm/mmap.c:3222
 __mmput+0x122/0x470 kernel/fork.c:1079
 mmput+0x53/0x60 kernel/fork.c:1100
 exit_mm kernel/exit.c:486 [inline]
 do_exit+0xa72/0x29b0 kernel/exit.c:796
 do_group_exit+0x125/0x310 kernel/exit.c:906
 __do_sys_exit_group kernel/exit.c:917 [inline]
 __se_sys_exit_group ker

Re: general protection fault in ieee80211_subif_start_xmit

2020-11-24 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:80145ac2 Merge tag 's390-5.10-5' of git://git.kernel.org/p..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12a8ad4350
kernel config:  https://syzkaller.appspot.com/x/.config?x=b81aff78c272da44
dashboard link: https://syzkaller.appspot.com/bug?extid=d7a3b15976bf7de2238a
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1229d0fd50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11a963d150

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d7a3b15976bf7de22...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 
0xdc34:  [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x01a0-0x01a7]
CPU: 0 PID: 10709 Comm: syz-executor918 Not tainted 5.10.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:ieee80211_multicast_to_unicast net/mac80211/tx.c:4070 [inline]
RIP: 0010:ieee80211_subif_start_xmit+0x24e/0xee0 net/mac80211/tx.c:4154
Code: 03 80 3c 02 00 0f 85 83 0c 00 00 49 8b 9f 50 17 00 00 48 b8 00 00 00 00 
00 fc ff df 48 8d bb a4 01 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 
e2 07 38 d0 7f 08 84 c0 0f 85 58 0c 00 00
RSP: 0018:c9007588 EFLAGS: 00010203
RAX: dc00 RBX:  RCX: 8851c2ad
RDX: 0034 RSI: 8851c33d RDI: 01a4
RBP: 888018f8fc80 R08:  R09: 8cecbd4f
R10: 0004 R11: 0001 R12: 8a61f520
R13: 88802517a042 R14: 005a R15: 888018314000
FS:  00ff5940() GS:8880b9e0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 0046dde0 CR3: 203d8000 CR4: 001506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 
 __netdev_start_xmit include/linux/netdevice.h:4718 [inline]
 netdev_start_xmit include/linux/netdevice.h:4732 [inline]
 xmit_one net/core/dev.c:3564 [inline]
 dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3580
 sch_direct_xmit+0x2e1/0xbd0 net/sched/sch_generic.c:313
 qdisc_restart net/sched/sch_generic.c:376 [inline]
 __qdisc_run+0x4ba/0x15e0 net/sched/sch_generic.c:384
 qdisc_run include/net/pkt_sched.h:131 [inline]
 qdisc_run include/net/pkt_sched.h:123 [inline]
 __dev_xmit_skb net/core/dev.c:3755 [inline]
 __dev_queue_xmit+0x1453/0x2da0 net/core/dev.c:4108
 neigh_hh_output include/net/neighbour.h:499 [inline]
 neigh_output include/net/neighbour.h:508 [inline]
 ip6_finish_output2+0x8db/0x16c0 net/ipv6/ip6_output.c:117
 __ip6_finish_output net/ipv6/ip6_output.c:143 [inline]
 __ip6_finish_output+0x447/0xab0 net/ipv6/ip6_output.c:128
 ip6_finish_output+0x34/0x1f0 net/ipv6/ip6_output.c:153
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x1db/0x520 net/ipv6/ip6_output.c:176
 dst_output include/net/dst.h:443 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 mld_sendpack+0x92a/0xdb0 net/ipv6/mcast.c:1679
 mld_send_cr net/ipv6/mcast.c:1975 [inline]
 mld_ifc_timer_expire+0x60a/0xf10 net/ipv6/mcast.c:2474
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1410
 expire_timers kernel/time/timer.c:1455 [inline]
 __run_timers.part.0+0x67c/0xa50 kernel/time/timer.c:1747
 __run_timers kernel/time/timer.c:1728 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1760
 __do_softirq+0x2a0/0x9f6 kernel/softirq.c:298
 asm_call_irq_on_stack+0xf/0x20
 
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:393 [inline]
 __irq_exit_rcu kernel/softirq.c:423 [inline]
 irq_exit_rcu+0x132/0x200 kernel/softirq.c:435
 sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1091
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:631
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:91 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:108 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:134 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:165 [inline]
RIP: 0010:check_memory_region_inline mm/kasan/generic.c:183 [inline]
RIP: 0010:check_memory_region+0xde/0x180 mm/kasan/generic.c:192
Code: 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 48 85 d2 74 
5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 80 38 00 <74> f2 eb d4 41 bc 08 00 
00 00 48 89 ea 45 29 dc 4d 8d 1c 2c eb 0c
RSP: 0018:c90001a4f478 EFLAGS: 0246
RAX: f5213784 RBX: f5213785 RCX: 81c2295c
RDX: f5213785 RSI

Re: BUG: receive list entry not found for dev vxcan1, id 002, mask C00007FF

2020-11-25 Thread syzbot
syzbot has found a reproducer for the following issue on:

HEAD commit:470dfd80 lan743x: replace polling loop by wait_event_timeo..
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=107c26a550
kernel config:  https://syzkaller.appspot.com/x/.config?x=df65150a33f23d8c
dashboard link: https://syzkaller.appspot.com/bug?extid=381d06e0c8eaacb8706f
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=12bcd66950
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17ecad3e50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+381d06e0c8eaacb87...@syzkaller.appspotmail.com

RAX: ffda RBX: 0003 RCX: 004442a9
RDX: 0018 RSI: 2000 RDI: 0004
RBP: 7ffc870fdef0 R08: 0001 R09: 01bb
R10:  R11: 0246 R12: 7ffc870fdf00
R13:  R14:  R15: 
[ cut here ]
BUG: receive list entry not found for dev vxcan1, id 002, mask C7FF
WARNING: CPU: 0 PID: 8713 at net/can/af_can.c:546 can_rx_unregister+0x5a4/0x700 
net/can/af_can.c:546
Modules linked in:
CPU: 0 PID: 8713 Comm: syz-executor284 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:can_rx_unregister+0x5a4/0x700 net/can/af_can.c:546
Code: 8b 7c 24 78 44 8b 64 24 68 49 c7 c5 e0 de 56 8a e8 51 d3 95 f9 44 89 f9 
44 89 e2 4c 89 ee 48 c7 c7 20 df 56 8a e8 a6 76 d3 00 <0f> 0b 48 8b 7c 24 28 e8 
40 e9 0e 01 e9 54 fb ff ff e8 66 db d7 f9
RSP: 0018:c90001b2fb38 EFLAGS: 00010286
RAX:  RBX:  RCX: 
RDX: 888014db8000 RSI: 8158f3c5 RDI: f52000365f59
RBP: 0118 R08: 0001 R09: 8880b9e30627
R10:  R11:  R12: 0002
R13: 8880261f R14: 192000365f6e R15: c7ff
FS:  00807880() GS:8880b9e0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 004bdfc4 CR3: 14c7c000 CR4: 001506f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 isotp_notifier+0x2a7/0x540 net/can/isotp.c:1303
 call_netdevice_notifier net/core/dev.c:1735 [inline]
 call_netdevice_unregister_notifiers+0x156/0x1c0 net/core/dev.c:1763
 call_netdevice_unregister_net_notifiers net/core/dev.c:1791 [inline]
 unregister_netdevice_notifier+0xcd/0x170 net/core/dev.c:1870
 isotp_release+0x136/0x600 net/can/isotp.c:1011
 __sock_release+0xcd/0x280 net/socket.c:596
 sock_close+0x18/0x20 net/socket.c:1255
 __fput+0x285/0x920 fs/file_table.c:281
 task_work_run+0xdd/0x190 kernel/task_work.c:151
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:164 [inline]
 exit_to_user_mode_prepare+0x17e/0x1a0 kernel/entry/common.c:191
 syscall_exit_to_user_mode+0x38/0x260 kernel/entry/common.c:266
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x403b20
Code: 01 f0 ff ff 0f 83 40 0d 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 
00 00 83 3d 6d bc 2d 00 00 75 14 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 
14 0d 00 00 c3 48 83 ec 08 e8 7a 02 00 00
RSP: 002b:7ffc870fdee8 EFLAGS: 0246 ORIG_RAX: 0003
RAX:  RBX: 0005 RCX: 00403b20
RDX: 0018 RSI: 2000 RDI: 0004
RBP: 7ffc870fdef0 R08: 0001 R09: 01bb
R10:  R11: 0246 R12: 7ffc870fdf00
R13:  R14:  R15: 



BUG: receive list entry not found for dev vxcan1, id 003, mask C00007FF

2020-11-25 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:470dfd80 lan743x: replace polling loop by wait_event_timeo..
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13f46c6550
kernel config:  https://syzkaller.appspot.com/x/.config?x=df65150a33f23d8c
dashboard link: https://syzkaller.appspot.com/bug?extid=76d62d3b8162883c7d11
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1164f8fd50
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=148ae72b50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+76d62d3b8162883c7...@syzkaller.appspotmail.com

RAX: ffda RBX: 7ffc766d7540 RCX: 00443729
RDX: 0018 RSI: 2040 RDI: 0003
RBP:  R08: 0001 R09: 01bb
R10:  R11: 0246 R12: 
R13: 0004 R14:  R15: 
[ cut here ]
BUG: receive list entry not found for dev vxcan1, id 003, mask C7FF
WARNING: CPU: 1 PID: 8479 at net/can/af_can.c:546 can_rx_unregister+0x5a4/0x700 
net/can/af_can.c:546
Modules linked in:
CPU: 1 PID: 8479 Comm: syz-executor218 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:can_rx_unregister+0x5a4/0x700 net/can/af_can.c:546
Code: 8b 7c 24 78 44 8b 64 24 68 49 c7 c5 e0 de 56 8a e8 51 d3 95 f9 44 89 f9 
44 89 e2 4c 89 ee 48 c7 c7 20 df 56 8a e8 a6 76 d3 00 <0f> 0b 48 8b 7c 24 28 e8 
40 e9 0e 01 e9 54 fb ff ff e8 66 db d7 f9
RSP: 0018:c900016ff9f0 EFLAGS: 00010282
RAX:  RBX:  RCX: 
RDX: 888020251a40 RSI: 8158f3c5 RDI: f520002dff30
RBP: 0118 R08: 0001 R09: 8880b9f30627
R10:  R11:  R12: 0003
R13: 88802c1c R14: 1920002dff45 R15: c7ff
FS:  () GS:8880b9f0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 004c8908 CR3: 0b08e000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 isotp_notifier+0x2a7/0x540 net/can/isotp.c:1303
 call_netdevice_notifier net/core/dev.c:1735 [inline]
 call_netdevice_unregister_notifiers+0x156/0x1c0 net/core/dev.c:1763
 call_netdevice_unregister_net_notifiers net/core/dev.c:1791 [inline]
 unregister_netdevice_notifier+0xcd/0x170 net/core/dev.c:1870
 isotp_release+0x136/0x600 net/can/isotp.c:1011
 __sock_release+0xcd/0x280 net/socket.c:596
 sock_close+0x18/0x20 net/socket.c:1255
 __fput+0x285/0x920 fs/file_table.c:281
 task_work_run+0xdd/0x190 kernel/task_work.c:151
 exit_task_work include/linux/task_work.h:30 [inline]
 do_exit+0xb64/0x29b0 kernel/exit.c:809
 do_group_exit+0x125/0x310 kernel/exit.c:906
 __do_sys_exit_group kernel/exit.c:917 [inline]
 __se_sys_exit_group kernel/exit.c:915 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:915
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x442368
Code: Unable to access opcode bytes at RIP 0x44233e.
RSP: 002b:7ffc766d74a8 EFLAGS: 0246 ORIG_RAX: 00e7
RAX: ffda RBX: 0001 RCX: 00442368
RDX: 0001 RSI: 003c RDI: 0001
RBP: 004c88d0 R08: 00e7 R09: ffd0
R10:  R11: 0246 R12: 0001
R13: 006dd240 R14:  R15: 


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


KMSAN: uninit-value in validate_beacon_head

2020-11-28 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:73d62e81 kmsan: random: prevent boot-time reports in _mix_..
git tree:   https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=164bda9550
kernel config:  https://syzkaller.appspot.com/x/.config?x=eef728deea880383
dashboard link: https://syzkaller.appspot.com/bug?extid=72b99dcf4607e8c770f3
compiler:   clang version 11.0.0 (https://github.com/llvm/llvm-project.git 
ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+72b99dcf4607e8c77...@syzkaller.appspotmail.com

=
BUG: KMSAN: uninit-value in validate_beacon_head+0x51e/0x5c0 
net/wireless/nl80211.c:225
CPU: 1 PID: 21060 Comm: syz-executor.4 Not tainted 5.10.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
 validate_beacon_head+0x51e/0x5c0 net/wireless/nl80211.c:225
 validate_nla lib/nlattr.c:544 [inline]
 __nla_validate_parse+0x241a/0x4e00 lib/nlattr.c:588
 __nla_parse+0x141/0x150 lib/nlattr.c:685
 __nlmsg_parse include/net/netlink.h:733 [inline]
 genl_family_rcv_msg_attrs_parse+0x417/0x5a0 net/netlink/genetlink.c:548
 genl_family_rcv_msg_doit net/netlink/genetlink.c:717 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0xbd9/0x1610 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x70a/0x820 net/netlink/af_netlink.c:2494
 genl_rcv+0x63/0x80 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x11da/0x14b0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x173c/0x1840 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg net/socket.c:671 [inline]
 sys_sendmsg+0xc7a/0x1240 net/socket.c:2353
 ___sys_sendmsg net/socket.c:2407 [inline]
 __sys_sendmsg+0x6d5/0x830 net/socket.c:2440
 __compat_sys_sendmsg net/compat.c:347 [inline]
 __do_compat_sys_sendmsg net/compat.c:354 [inline]
 __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351
 __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351
 do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline]
 __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:139
 do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162
 do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7fa8549
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 
00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 
eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:f55a20cc EFLAGS: 0296 ORIG_RAX: 0172
RAX: ffda RBX: 0003 RCX: 2380
RDX:  RSI:  RDI: 
RBP:  R08:  R09: 
R10:  R11:  R12: 
R13:  R14:  R15: 

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]
 kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104
 kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76
 slab_alloc_node mm/slub.c:2906 [inline]
 __kmalloc_node_track_caller+0xc61/0x15f0 mm/slub.c:4512
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 __alloc_skb+0x309/0xae0 net/core/skbuff.c:210
 alloc_skb include/linux/skbuff.h:1094 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline]
 netlink_sendmsg+0xdb8/0x1840 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg net/socket.c:671 [inline]
 sys_sendmsg+0xc7a/0x1240 net/socket.c:2353
 ___sys_sendmsg net/socket.c:2407 [inline]
 __sys_sendmsg+0x6d5/0x830 net/socket.c:2440
 __compat_sys_sendmsg net/compat.c:347 [inline]
 __do_compat_sys_sendmsg net/compat.c:354 [inline]
 __se_compat_sys_sendmsg+0xa7/0xc0 net/compat.c:351
 __ia32_compat_sys_sendmsg+0x4a/0x70 net/compat.c:351
 do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline]
 __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:139
 do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162
 do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
=



WARNING: suspicious RCU usage in get_counters

2020-11-29 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:127c501a Merge tag '5.10-rc5-smb3-fixes' of git://git.samb..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17f4912d50
kernel config:  https://syzkaller.appspot.com/x/.config?x=6d1e98d0b97781e4
dashboard link: https://syzkaller.appspot.com/bug?extid=5cfc290df4bbf069bc65
compiler:   gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5cfc290df4bbf069b...@syzkaller.appspotmail.com

=
WARNING: suspicious RCU usage
5.10.0-rc5-syzkaller #0 Not tainted
-
kernel/sched/core.c:7270 Illegal context switch in RCU-sched read-side critical 
section!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 0
1 lock held by syz-executor.3/10331:
 #0: 8880459f8308 (&xt[i].mutex){+.+.}-{3:3}, at: 
xt_find_table_lock+0x41/0x540 net/netfilter/x_tables.c:1206

stack backtrace:
CPU: 3 PID: 10331 Comm: syz-executor.3 Not tainted 5.10.0-rc5-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 ___might_sleep+0x25d/0x2b0 kernel/sched/core.c:7270
 get_counters+0x2f5/0x520 net/ipv4/netfilter/ip_tables.c:765
 do_ipt_get_ctl+0x634/0x9d0 net/ipv4/netfilter/ip_tables.c:805
 nf_getsockopt+0x72/0xd0 net/netfilter/nf_sockopt.c:116
 ip_getsockopt net/ipv4/ip_sockglue.c:1777 [inline]
 ip_getsockopt+0x164/0x1c0 net/ipv4/ip_sockglue.c:1756
 tcp_getsockopt+0x86/0xd0 net/ipv4/tcp.c:3882
 __sys_getsockopt+0x219/0x4c0 net/socket.c:2173
 __do_sys_getsockopt net/socket.c:2188 [inline]
 __se_sys_getsockopt net/socket.c:2185 [inline]
 __x64_sys_getsockopt+0xba/0x150 net/socket.c:2185
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45ec3a
Code: b8 34 01 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 cd 9f fb ff c3 66 2e 0f 1f 
84 00 00 00 00 00 66 90 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 
aa 9f fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:7ffccbec9f78 EFLAGS: 0212 ORIG_RAX: 0037
RAX: ffda RBX: 7ffccbec9fb0 RCX: 0045ec3a
RDX: 0041 RSI:  RDI: 0003
RBP: 00734000 R08: 7ffccbec9fac R09: 4000
R10: 7ffccbeca010 R11: 0212 R12: 7ffccbeca010
R13: 0003 R14: 00732bc0 R15: 



