From: syzbot <syzbot+58d8f704b86e4e3fb4d3@syzkaller.appspotmail.com>
To: ast@kernel.org, bpf@vger.kernel.org, daniel@iogearbox.net,
davem@davemloft.net, dvyukov@google.com, edumazet@google.com,
kafai@fb.com, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, songliubraving@fb.com,
syzkaller-bugs@googlegroups.com, yhs@fb.com,
yoshfuji@linux-ipv6.org
Subject: Re: general protection fault in ip6_dst_lookup_tail (2)
Date: Thu, 06 Jun 2019 16:14:06 -0700
Message-ID: <000000000000d810c9058aafdeb9@google.com>
In-Reply-To: <0000000000006b30f30587a5b569@google.com>

syzbot has found a reproducer for the following crash on:

HEAD commit: 07c3bbdb samples: bpf: print a warning about headers_install
git tree: bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=14424e2ea00000
kernel config: https://syzkaller.appspot.com/x/.config?x=b7b54c66298f8420
dashboard link: https://syzkaller.appspot.com/bug?extid=58d8f704b86e4e3fb4d3
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=117f50e1a00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+58d8f704b86e4e3fb4d3@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 14003 Comm: syz-executor.4 Not tainted 5.2.0-rc2+ #14
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:ip6_route_get_saddr include/net/ip6_route.h:120 [inline]
RIP: 0010:ip6_dst_lookup_tail+0xf0e/0x1b30 net/ipv6/ip6_output.c:1032
Code: e6 07 e8 75 66 55 fb 48 85 db 0f 84 83 08 00 00 e8 67 66 55 fb 48 8d
7b 7c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48
89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 07
RSP: 0018:ffff888079027480 EFLAGS: 00010a07
RAX: dffffc0000000000 RBX: ff8880990716c000 RCX: 0000000000000000
RDX: 1ff1101320e2d80f RSI: ffffffff861b3f59 RDI: ff8880990716c07c
RBP: ffff8880790275d8 R08: ffff8880855b43c0 R09: ffffed1015d26be8
R10: ffffed1015d26be7 R11: ffff8880ae935f3b R12: ffff888079027740
R13: 0000000000000000 R14: 0000000000000000 R15: ffff888079027768
FS: 00007f7158009700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd85cf4eb8 CR3: 00000000a96aa000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ip6_dst_lookup_flow+0xa8/0x220 net/ipv6/ip6_output.c:1155
tcp_v6_connect+0xda3/0x20a0 net/ipv6/tcp_ipv6.c:282
__inet_stream_connect+0x834/0xe90 net/ipv4/af_inet.c:659
tcp_sendmsg_fastopen net/ipv4/tcp.c:1143 [inline]
tcp_sendmsg_locked+0x2318/0x3920 net/ipv4/tcp.c:1185
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1419
inet_sendmsg+0x141/0x5d0 net/ipv4/af_inet.c:802
sock_sendmsg_nosec net/socket.c:652 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:671
___sys_sendmsg+0x803/0x920 net/socket.c:2292
__sys_sendmsg+0x105/0x1d0 net/socket.c:2330
__do_sys_sendmsg net/socket.c:2339 [inline]
__se_sys_sendmsg net/socket.c:2337 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2337
do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459279
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f7158008c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459279
RDX: 0000000020008844 RSI: 0000000020000240 RDI: 0000000000000005
RBP: 000000000075bfc0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f71580096d4
R13: 00000000004c6ccc R14: 00000000004dbb30 R15: 00000000ffffffff
Modules linked in:
---[ end trace c968f232eacd4c70 ]---
RIP: 0010:ip6_route_get_saddr include/net/ip6_route.h:120 [inline]
RIP: 0010:ip6_dst_lookup_tail+0xf0e/0x1b30 net/ipv6/ip6_output.c:1032
Code: e6 07 e8 75 66 55 fb 48 85 db 0f 84 83 08 00 00 e8 67 66 55 fb 48 8d
7b 7c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48
89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 07
RSP: 0018:ffff888079027480 EFLAGS: 00010a07
RAX: dffffc0000000000 RBX: ff8880990716c000 RCX: 0000000000000000
RDX: 1ff1101320e2d80f RSI: ffffffff861b3f59 RDI: ff8880990716c07c
RBP: ffff8880790275d8 R08: ffff8880855b43c0 R09: ffffed1015d26be8
R10: ffffed1015d26be7 R11: ffff8880ae935f3b R12: ffff888079027740
R13: 0000000000000000 R14: 0000000000000000 R15: ffff888079027768
FS: 00007f7158009700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000015523b8 CR3: 00000000a96aa000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400