From: syzbot <syzbot+4c63f36709a642f801c5@syzkaller.appspotmail.com> To: anthony.l.nguyen@intel.com, davem@davemloft.net, eric.dumazet@gmail.com, hawk@kernel.org, intel-wired-lan-owner@osuosl.org, intel-wired-lan@lists.osuosl.org, jesse.brandeburg@intel.com, kuba@kernel.org, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, mkl@pengutronix.de, netdev@vger.kernel.org, socketcan@hartkopp.net, syzkaller-bugs@googlegroups.com Subject: Re: [syzbot] kernel BUG in pskb_expand_head Date: Sun, 19 Dec 2021 16:19:20 -0800 [thread overview] Message-ID: <0000000000000fbea205d388d749@google.com> (raw) In-Reply-To: <0000000000007ea16705d0cfbb53@google.com> syzbot has found a reproducer for the following issue on: HEAD commit: 434ed2138994 Merge branch 'tc-action-offload' git tree: net-next console output: https://syzkaller.appspot.com/x/log.txt?x=1722300db00000 kernel config: https://syzkaller.appspot.com/x/.config?x=7488eea316146357 dashboard link: https://syzkaller.appspot.com/bug?extid=4c63f36709a642f801c5 compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14141ca3b00000 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+4c63f36709a642f801c5@syzkaller.appspotmail.com skbuff: skb_over_panic: text:ffffffff88257728 len:4096 put:4096 head:ffff8880769c1400 data:ffff8880769c1400 tail:0x1000 end:0xc0 dev:<NULL> ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:113! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113 net/core/skbuff.c:113 Code: f8 4c 8b 4c 24 10 8b 4b 70 41 56 45 89 e8 4c 89 e2 41 57 48 89 ee 48 c7 c7 a0 82 ad 8a ff 74 24 10 ff 74 24 20 e8 13 20 c2 ff <0f> 0b e8 6c 3d 35 f8 4c 8b 64 24 18 e8 f2 9e 7c f8 48 c7 c1 40 8f RSP: 0018:ffffc90000d279e0 EFLAGS: 00010286 RAX: 000000000000008b RBX: ffff88801c5b8640 RCX: 0000000000000000 RDX: ffff888011938000 RSI: ffffffff815f21d8 RDI: fffff520001a4f2e RBP: ffffffff8aad8f80 R08: 000000000000008b R09: 0000000000000000 R10: ffffffff815ebf7e R11: 0000000000000000 R12: ffffffff88257728 R13: 0000000000001000 R14: ffffffff8aad8260 R15: 00000000000000c0 FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f14858bf718 CR3: 0000000072e5c000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> skb_over_panic net/core/skbuff.c:118 [inline] skb_over_panic net/core/skbuff.c:118 [inline] net/core/skbuff.c:1986 skb_put.cold+0x24/0x24 net/core/skbuff.c:1986 net/core/skbuff.c:1986 isotp_rcv_cf net/can/isotp.c:570 [inline] isotp_rcv_cf net/can/isotp.c:570 [inline] net/can/isotp.c:668 isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668 net/can/isotp.c:668 deliver net/can/af_can.c:574 [inline] deliver net/can/af_can.c:574 [inline] net/can/af_can.c:635 can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635 net/can/af_can.c:635 can_receive+0x31d/0x580 net/can/af_can.c:665 net/can/af_can.c:665 can_rcv+0x120/0x1c0 net/can/af_can.c:696 net/can/af_can.c:696 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5350 net/core/dev.c:5350 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5464 net/core/dev.c:5464 process_backlog+0x2a5/0x6c0 net/core/dev.c:5796 net/core/dev.c:5796 __napi_poll+0xaf/0x440 net/core/dev.c:6364 net/core/dev.c:6364 napi_poll net/core/dev.c:6431 [inline] napi_poll net/core/dev.c:6431 [inline] net/core/dev.c:6518 net_rx_action+0x801/0xb40 net/core/dev.c:6518 net/core/dev.c:6518 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 kernel/softirq.c:558 run_ksoftirqd kernel/softirq.c:921 [inline] run_ksoftirqd kernel/softirq.c:921 [inline] kernel/softirq.c:913 run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913 kernel/softirq.c:913 smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164 kernel/smpboot.c:164 kthread+0x405/0x4f0 kernel/kthread.c:327 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 arch/x86/entry/entry_64.S:295 </TASK> Modules linked in: ---[ end trace 076cfcb09686117c ]--- RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113 net/core/skbuff.c:113 Code: f8 4c 8b 4c 24 10 8b 4b 70 41 56 45 89 e8 4c 89 e2 41 57 48 89 ee 48 c7 c7 a0 82 ad 8a ff 74 24 10 ff 74 24 20 e8 13 20 c2 ff <0f> 0b e8 6c 3d 35 f8 4c 8b 64 24 18 e8 f2 9e 7c f8 48 c7 c1 40 8f RSP: 0018:ffffc90000d279e0 EFLAGS: 00010286 RAX: 000000000000008b RBX: ffff88801c5b8640 RCX: 0000000000000000 RDX: ffff888011938000 RSI: ffffffff815f21d8 RDI: fffff520001a4f2e RBP: ffffffff8aad8f80 R08: 000000000000008b R09: 0000000000000000 R10: ffffffff815ebf7e R11: 0000000000000000 R12: ffffffff88257728 R13: 0000000000001000 R14: ffffffff8aad8260 R15: 00000000000000c0 FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f14858bf718 CR3: 0000000072e5c000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
WARNING: multiple messages have this Message-ID (diff)
From: syzbot <syzbot+4c63f36709a642f801c5@syzkaller.appspotmail.com> To: intel-wired-lan@osuosl.org Subject: [Intel-wired-lan] [syzbot] kernel BUG in pskb_expand_head Date: Sun, 19 Dec 2021 16:19:20 -0800 [thread overview] Message-ID: <0000000000000fbea205d388d749@google.com> (raw) In-Reply-To: <0000000000007ea16705d0cfbb53@google.com> syzbot has found a reproducer for the following issue on: HEAD commit: 434ed2138994 Merge branch 'tc-action-offload' git tree: net-next console output: https://syzkaller.appspot.com/x/log.txt?x=1722300db00000 kernel config: https://syzkaller.appspot.com/x/.config?x=7488eea316146357 dashboard link: https://syzkaller.appspot.com/bug?extid=4c63f36709a642f801c5 compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14141ca3b00000 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+4c63f36709a642f801c5 at syzkaller.appspotmail.com skbuff: skb_over_panic: text:ffffffff88257728 len:4096 put:4096 head:ffff8880769c1400 data:ffff8880769c1400 tail:0x1000 end:0xc0 dev:<NULL> ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:113! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113 net/core/skbuff.c:113 Code: f8 4c 8b 4c 24 10 8b 4b 70 41 56 45 89 e8 4c 89 e2 41 57 48 89 ee 48 c7 c7 a0 82 ad 8a ff 74 24 10 ff 74 24 20 e8 13 20 c2 ff <0f> 0b e8 6c 3d 35 f8 4c 8b 64 24 18 e8 f2 9e 7c f8 48 c7 c1 40 8f RSP: 0018:ffffc90000d279e0 EFLAGS: 00010286 RAX: 000000000000008b RBX: ffff88801c5b8640 RCX: 0000000000000000 RDX: ffff888011938000 RSI: ffffffff815f21d8 RDI: fffff520001a4f2e RBP: ffffffff8aad8f80 R08: 000000000000008b R09: 0000000000000000 R10: ffffffff815ebf7e R11: 0000000000000000 R12: ffffffff88257728 R13: 0000000000001000 R14: ffffffff8aad8260 R15: 00000000000000c0 FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f14858bf718 CR3: 0000000072e5c000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> skb_over_panic net/core/skbuff.c:118 [inline] skb_over_panic net/core/skbuff.c:118 [inline] net/core/skbuff.c:1986 skb_put.cold+0x24/0x24 net/core/skbuff.c:1986 net/core/skbuff.c:1986 isotp_rcv_cf net/can/isotp.c:570 [inline] isotp_rcv_cf net/can/isotp.c:570 [inline] net/can/isotp.c:668 isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668 net/can/isotp.c:668 deliver net/can/af_can.c:574 [inline] deliver net/can/af_can.c:574 [inline] net/can/af_can.c:635 can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635 net/can/af_can.c:635 can_receive+0x31d/0x580 net/can/af_can.c:665 net/can/af_can.c:665 can_rcv+0x120/0x1c0 net/can/af_can.c:696 net/can/af_can.c:696 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5350 net/core/dev.c:5350 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5464 net/core/dev.c:5464 process_backlog+0x2a5/0x6c0 net/core/dev.c:5796 net/core/dev.c:5796 __napi_poll+0xaf/0x440 net/core/dev.c:6364 net/core/dev.c:6364 napi_poll net/core/dev.c:6431 [inline] napi_poll net/core/dev.c:6431 [inline] net/core/dev.c:6518 net_rx_action+0x801/0xb40 net/core/dev.c:6518 net/core/dev.c:6518 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 kernel/softirq.c:558 run_ksoftirqd kernel/softirq.c:921 [inline] run_ksoftirqd kernel/softirq.c:921 [inline] kernel/softirq.c:913 run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913 kernel/softirq.c:913 smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164 kernel/smpboot.c:164 kthread+0x405/0x4f0 kernel/kthread.c:327 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 arch/x86/entry/entry_64.S:295 </TASK> Modules linked in: ---[ end trace 076cfcb09686117c ]--- RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113 net/core/skbuff.c:113 Code: f8 4c 8b 4c 24 10 8b 4b 70 41 56 45 89 e8 4c 89 e2 41 57 48 89 ee 48 c7 c7 a0 82 ad 8a ff 74 24 10 ff 74 24 20 e8 13 20 c2 ff <0f> 0b e8 6c 3d 35 f8 4c 8b 64 24 18 e8 f2 9e 7c f8 48 c7 c1 40 8f RSP: 0018:ffffc90000d279e0 EFLAGS: 00010286 RAX: 000000000000008b RBX: ffff88801c5b8640 RCX: 0000000000000000 RDX: ffff888011938000 RSI: ffffffff815f21d8 RDI: fffff520001a4f2e RBP: ffffffff8aad8f80 R08: 000000000000008b R09: 0000000000000000 R10: ffffffff815ebf7e R11: 0000000000000000 R12: ffffffff88257728 R13: 0000000000001000 R14: ffffffff8aad8260 R15: 00000000000000c0 FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f14858bf718 CR3: 0000000072e5c000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
next prev parent reply other threads:[~2021-12-20 0:19 UTC|newest] Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-11-15 8:38 [syzbot] kernel BUG in pskb_expand_head syzbot 2021-11-15 8:38 ` [Intel-wired-lan] " syzbot 2021-12-20 0:19 ` syzbot [this message] 2021-12-20 0:19 ` syzbot 2022-01-05 11:44 ` Marc Kleine-Budde 2022-01-05 11:44 ` [Intel-wired-lan] " Marc Kleine-Budde 2022-01-05 12:46 ` Oliver Hartkopp 2022-01-05 12:46 ` [Intel-wired-lan] " Oliver Hartkopp 2021-12-20 4:15 ` syzbot 2021-12-20 4:15 ` [Intel-wired-lan] " syzbot 2022-01-05 11:20 ` syzbot 2022-01-05 11:20 ` [Intel-wired-lan] " syzbot 2022-01-05 13:59 ` Eric Dumazet 2022-01-05 13:59 ` [Intel-wired-lan] " Eric Dumazet 2022-01-05 14:04 ` Marc Kleine-Budde 2022-01-05 14:04 ` [Intel-wired-lan] " Marc Kleine-Budde
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=0000000000000fbea205d388d749@google.com \ --to=syzbot+4c63f36709a642f801c5@syzkaller.appspotmail.com \ --cc=anthony.l.nguyen@intel.com \ --cc=davem@davemloft.net \ --cc=eric.dumazet@gmail.com \ --cc=hawk@kernel.org \ --cc=intel-wired-lan-owner@osuosl.org \ --cc=intel-wired-lan@lists.osuosl.org \ --cc=jesse.brandeburg@intel.com \ --cc=kuba@kernel.org \ --cc=linux-can@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=mkl@pengutronix.de \ --cc=netdev@vger.kernel.org \ --cc=socketcan@hartkopp.net \ --cc=syzkaller-bugs@googlegroups.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.