From: syzbot <syzbot+b17c05ecb64771a892d1@syzkaller.appspotmail.com>
To: coreteam@netfilter.org, davem@davemloft.net, dsahern@kernel.org,
	edumazet@google.com, fw@strlen.de, horms@kernel.org,
	kadlec@netfilter.org, kuba@kernel.org,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	netfilter-devel@vger.kernel.org, pabeni@redhat.com,
	pablo@netfilter.org, sdf@fomichev.me,
	syzkaller-bugs@googlegroups.com
Subject: [syzbot] [netfilter?] WARNING in nf_reject_fill_skb_dst
Date: Thu, 21 Aug 2025 02:55:30 -0700
Message-ID: <68a6ed12.050a0220.3d78fd.0021.GAE@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    5c69e0b395c1 Merge branch 'stmmac-stop-silently-dropping-b..
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=128597a2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=5b2fdcd062d798f6
dashboard link: https://syzkaller.appspot.com/bug?extid=b17c05ecb64771a892d1
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12175442580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=124c16f0580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ef95b68de898/disk-5c69e0b3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/70d343b8a3cf/vmlinux-5c69e0b3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/55dad8818bb6/bzImage-5c69e0b3.xz

The issue was bisected to:

commit a890348adcc993f48d1ae38f1174dc8de4c3c5ac
Author: Stanislav Fomichev <sdf@fomichev.me>
Date:   Mon Aug 18 15:40:32 2025 +0000

    net: Add skb_dst_check_unset

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=12d1b7a2580000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=11d1b7a2580000
console output: https://syzkaller.appspot.com/x/log.txt?x=16d1b7a2580000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b17c05ecb64771a892d1@syzkaller.appspotmail.com
Fixes: a890348adcc9 ("net: Add skb_dst_check_unset")

------------[ cut here ]------------
WARNING: CPU: 1 PID: 1038 at ./include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline]
WARNING: CPU: 1 PID: 1038 at ./include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1211 [inline]
WARNING: CPU: 1 PID: 1038 at ./include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234
Modules linked in:
CPU: 1 UID: 0 PID: 1038 Comm: kworker/u8:5 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:skb_dst_check_unset include/linux/skbuff.h:1164 [inline]
RIP: 0010:skb_dst_set include/linux/skbuff.h:1211 [inline]
RIP: 0010:nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234
Code: 8b 0d 10 6f 8b 08 48 3b 8c 24 e0 00 00 00 75 5d 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 fd ca aa f7 90 <0f> 0b 90 e9 38 ff ff ff 44 89 f9 80 e1 07 fe c1 38 c1 0f 8c 2b fe
RSP: 0018:ffffc90000a08360 EFLAGS: 00010246
RAX: ffffffff8a14e133 RBX: ffff888079c898c0 RCX: ffff8880266ada00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000a08490 R08: ffffffff8fa37e37 R09: 1ffffffff1f46fc6
R10: dffffc0000000000 R11: fffffbfff1f46fc7 R12: ffff88807be46101
R13: dffffc0000000001 R14: 1ffff92000141070 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888125d1b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f95283b6088 CR3: 000000000df36000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
 nf_send_unreach+0x17b/0x6e0 net/ipv4/netfilter/nf_reject_ipv4.c:325
 nft_reject_inet_eval+0x4bc/0x690 net/netfilter/nft_reject_inet.c:27
 expr_call_ops_eval net/netfilter/nf_tables_core.c:237 [inline]
 nft_do_chain+0x40c/0x1920 net/netfilter/nf_tables_core.c:285
 nft_do_chain_inet+0x25d/0x340 net/netfilter/nft_chain_filter.c:161
 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
 nf_hook_slow+0xc5/0x220 net/netfilter/core.c:623
 nf_hook include/linux/netfilter.h:273 [inline]
 NF_HOOK+0x206/0x3a0 include/linux/netfilter.h:316
 __netif_receive_skb_one_core net/core/dev.c:5979 [inline]
 __netif_receive_skb+0x143/0x380 net/core/dev.c:6092
 process_backlog+0x60e/0x14f0 net/core/dev.c:6444
 __napi_poll+0xc7/0x360 net/core/dev.c:7494
 napi_poll net/core/dev.c:7557 [inline]
 net_rx_action+0x707/0xe30 net/core/dev.c:7684
 handle_softirqs+0x283/0x870 kernel/softirq.c:579
 do_softirq+0xec/0x180 kernel/softirq.c:480
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x17d/0x1c0 kernel/softirq.c:407
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:910 [inline]
 __dev_queue_xmit+0x1d79/0x3b50 net/core/dev.c:4740
 neigh_output include/net/neighbour.h:547 [inline]
 ip6_finish_output2+0x11fb/0x16a0 net/ipv6/ip6_output.c:141
 NF_HOOK include/linux/netfilter.h:318 [inline]
 ndisc_send_skb+0xb96/0x1470 net/ipv6/ndisc.c:512
 ndisc_send_ns+0xcb/0x150 net/ipv6/ndisc.c:670
 addrconf_dad_work+0xaae/0x14b0 net/ipv6/addrconf.c:4282
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x711/0x8a0 kernel/kthread.c:463


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
