From: syzbot <syzbot+4c63f36709a642f801c5@syzkaller.appspotmail.com>
To: anthony.l.nguyen@intel.com, changbin.du@intel.com, christian.brauner@ubuntu.com, davem@davemloft.net, edumazet@google.com, eric.dumazet@gmail.com, hawk@kernel.org, hkallweit1@gmail.com, intel-wired-lan-owner@osuosl.org, intel-wired-lan@lists.osuosl.org, jesse.brandeburg@intel.com, kuba@kernel.org, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, mkl@pengutronix.de, netdev@vger.kernel.org, socketcan@hartkopp.net, syzkaller-bugs@googlegroups.com, yajun.deng@linux.dev
Subject: Re: [syzbot] kernel BUG in pskb_expand_head
Date: Wed, 05 Jan 2022 03:20:26 -0800
Message-ID: <000000000000c7845605d4d3f0a0@google.com>
In-Reply-To: <0000000000007ea16705d0cfbb53@google.com>

syzbot has found a reproducer for the following issue on:

HEAD commit:    c9e6606c7fe9 Linux 5.16-rc8
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=148351c3b00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=32f9fa260d7413b4
dashboard link: https://syzkaller.appspot.com/bug?extid=4c63f36709a642f801c5
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15435e2bb00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12f4508db00000

The issue was bisected to:

commit e4b8954074f6d0db01c8c97d338a67f9389c042f
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Dec 7 01:30:37 2021 +0000

    netlink: add net device refcount tracker to struct ethnl_req_info

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=109e6fcbb00000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=129e6fcbb00000
console output: https://syzkaller.appspot.com/x/log.txt?x=149e6fcbb00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4c63f36709a642f801c5@syzkaller.appspotmail.com
Fixes: e4b8954074f6 ("netlink: add net device refcount tracker to struct ethnl_req_info")

skbuff: skb_over_panic: text:ffffffff88235fb8 len:4096 put:4096 head:ffff888021cb8400 data:ffff888021cb8400 tail:0x1000 end:0xc0 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:113!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113
Code: f8 4c 8b 4c 24 10 8b 4b 70 41 56 45 89 e8 4c 89 e2 41 57 48 89 ee 48 c7 c7 e0 4b ad 8a ff 74 24 10 ff 74 24 20 e8 6e 24 c2 ff <0f> 0b e8 74 92 38 f8 4c 8b 64 24 18 e8 da 47 7f f8 48 c7 c1 80 58
RSP: 0018:ffffc90000d979e0 EFLAGS: 00010286
RAX: 000000000000008b RBX: ffff888021ccb500 RCX: 0000000000000000
RDX: ffff88801196d700 RSI: ffffffff815f0948 RDI: fffff520001b2f2e
RBP: ffffffff8aad58c0 R08: 000000000000008b R09: 0000000000000000
R10: ffffffff815ea6ee R11: 0000000000000000 R12: ffffffff88235fb8
R13: 0000000000001000 R14: ffffffff8aad4ba0 R15: 00000000000000c0
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f886c8cc718 CR3: 000000007ad6d000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 skb_over_panic net/core/skbuff.c:118 [inline]
 skb_put.cold+0x24/0x24 net/core/skbuff.c:1990
 isotp_rcv_cf net/can/isotp.c:570 [inline]
 isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668
 deliver net/can/af_can.c:574 [inline]
 can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635
 can_receive+0x31d/0x580 net/can/af_can.c:665
 can_rcv+0x120/0x1c0 net/can/af_can.c:696
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5465
 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5579
 process_backlog+0x2a5/0x6c0 net/core/dev.c:6455
 __napi_poll+0xaf/0x440 net/core/dev.c:7023
 napi_poll net/core/dev.c:7090 [inline]
 net_rx_action+0x801/0xb40 net/core/dev.c:7177
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 run_ksoftirqd kernel/softirq.c:921 [inline]
 run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913
 smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>
Modules linked in:
---[ end trace 9f06028ec4daf4be ]---
RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113
Code: f8 4c 8b 4c 24 10 8b 4b 70 41 56 45 89 e8 4c 89 e2 41 57 48 89 ee 48 c7 c7 e0 4b ad 8a ff 74 24 10 ff 74 24 20 e8 6e 24 c2 ff <0f> 0b e8 74 92 38 f8 4c 8b 64 24 18 e8 da 47 7f f8 48 c7 c1 80 58
RSP: 0018:ffffc90000d979e0 EFLAGS: 00010286
RAX: 000000000000008b RBX: ffff888021ccb500 RCX: 0000000000000000
RDX: ffff88801196d700 RSI: ffffffff815f0948 RDI: fffff520001b2f2e
RBP: ffffffff8aad58c0 R08: 000000000000008b R09: 0000000000000000
R10: ffffffff815ea6ee R11: 0000000000000000 R12: ffffffff88235fb8
R13: 0000000000001000 R14: ffffffff8aad4ba0 R15: 00000000000000c0
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f886c8cc718 CR3: 000000007ad6d000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400