netdev.vger.kernel.org archive mirror
general protection fault in ipv6_rcv
@ 2019-03-09  7:39 syzbot
From: syzbot @ 2019-03-09  7:39 UTC (permalink / raw)
  To: davem, kuznet, linux-kernel, netdev, syzkaller-bugs, yoshfuji

Hello,

syzbot found the following crash on:

HEAD commit:    d9862cfb Merge tag 'mips_5.1' of git://git.kernel.org/pub/..
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15d1e5ad200000
kernel config:  https://syzkaller.appspot.com/x/.config?x=73d88a42238825ad
dashboard link: https://syzkaller.appspot.com/bug?extid=6c54e67cc0b0c896aa4b
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: amd64

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6c54e67cc0b0c896aa4b@syzkaller.appspotmail.com

netlink: 3 bytes leftover after parsing attributes in process `syz-executor.3'.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
Enabling of bearer <::�> rejected, illegal name
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.0.0+ #97
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__x86_indirect_thunk_rax+0x10/0x20 arch/x86/lib/retpoline.S:32
netlink: 3 bytes leftover after parsing attributes in process `syz-executor.3'.
Code: c4 ff 48 8d 0c ca e9 bd 42 c4 ff bb f2 ff ff ff 45 30 ff e9 63 47 c4 ff 90 90 e8 07 00 00 00 f3 90 0f ae e8 eb f9 48 89 04 24 <c3> 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 e8 07 00 00 00 f3
RSP: 0018:ffff8880aa2c7a20 EFLAGS: 00010246
RAX: 0000ffffffff8607 RBX: ffff888096e276ca RCX: ffffffff8607ee22
RDX: 1ffff11012dc4ede RSI: ffffffff8607edc8 RDI: ffff88806509fd40
RBP: ffff8880aa2c7a58 R08: ffff8880aa2b2440 R09: ffffed1015d25bd0
R10: ffffed1015d25bcf R11: ffff8880ae92de7b R12: ffff88806509fd40
R13: 0000000000000001 R14: ffff88806509fd98 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fed7c51a518 CR3: 000000004654c000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  NF_HOOK include/linux/netfilter.h:289 [inline]
  NF_HOOK include/linux/netfilter.h:283 [inline]
  ipv6_rcv+0x10e/0x420 net/ipv6/ip6_input.c:272
  __netif_receive_skb_one_core+0x115/0x1a0 net/core/dev.c:4973
  __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
  process_backlog+0x206/0x750 net/core/dev.c:5923
  napi_poll net/core/dev.c:6346 [inline]
  net_rx_action+0x4fa/0x1070 net/core/dev.c:6412
  __do_softirq+0x266/0x95a kernel/softirq.c:292
  run_ksoftirqd kernel/softirq.c:654 [inline]
  run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646
  smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
  kthread+0x357/0x430 kernel/kthread.c:246
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Modules linked in:
---[ end trace 1ebaef9e8c3600e4 ]---
RIP: 0010:__x86_indirect_thunk_rax+0x10/0x20 arch/x86/lib/retpoline.S:32
Code: c4 ff 48 8d 0c ca e9 bd 42 c4 ff bb f2 ff ff ff 45 30 ff e9 63 47 c4 ff 90 90 e8 07 00 00 00 f3 90 0f ae e8 eb f9 48 89 04 24 <c3> 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 e8 07 00 00 00 f3
Enabling of bearer <::�> rejected, illegal name
RSP: 0018:ffff8880aa2c7a20 EFLAGS: 00010246
RAX: 0000ffffffff8607 RBX: ffff888096e276ca RCX: ffffffff8607ee22
RDX: 1ffff11012dc4ede RSI: ffffffff8607edc8 RDI: ffff88806509fd40
RBP: ffff8880aa2c7a58 R08: ffff8880aa2b2440 R09: ffffed1015d25bd0
R10: ffffed1015d25bcf R11: ffff8880ae92de7b R12: ffff88806509fd40
R13: 0000000000000001 R14: ffff88806509fd98 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fed7c51a518 CR3: 000000004654c000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kobject: 'loop0' (00000000152428b3): kobject_uevent_env
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
