dccp.vger.kernel.org archive mirror
* Re: BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_hi
@ 2018-04-08 21:57 Eric Biggers
  2018-05-06  0:57 ` BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_histor syzbot
                   ` (7 more replies)
  0 siblings, 8 replies; 9+ messages in thread
From: Eric Biggers @ 2018-04-08 21:57 UTC (permalink / raw)
  To: dccp

On Thu, Jan 18, 2018 at 01:34:02AM -0800, syzbot wrote:
> syzbot has found reproducer for the following crash on linux-next commit
> a362f6d2cdbd089dd7040ba66dcb0ad276a20cf7 (Thu Jan 18 07:07:54 2018 +0000)
> Add linux-next specific files for 20180118
> 
> So far this crash happened 185 times on linux-next, mmots, net-next,
> upstream.
> C reproducer is attached.
> syzkaller reproducer is attached.
> Raw console output is attached.
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached.
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by:
> syzbot+3ca02e1a9272a28e8959b32039154c5605164653@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed.
> 
> BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at
> net/dccp/ccids/lib/packet_history.c:425/tfrc_rx_hist_sample_rtt()
> CPU: 1 PID: 6246 Comm: syzkaller158939 Not tainted 4.15.0-rc8-next-20180118+
> #100
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>  <IRQ>
>  __dump_stack lib/dump_stack.c:17 [inline]
>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>  tfrc_rx_hist_sample_rtt+0x407/0x4d0 net/dccp/ccids/lib/packet_history.c:422
>  ccid3_hc_rx_packet_recv+0x696/0xeb3 net/dccp/ccids/ccid3.c:765
>  ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
>  dccp_deliver_input_to_ccids+0xd9/0x250 net/dccp/input.c:180
>  dccp_rcv_established+0x88/0xb0 net/dccp/input.c:378
>  dccp_v4_do_rcv+0x135/0x160 net/dccp/ipv4.c:653
>  sk_backlog_rcv include/net/sock.h:908 [inline]
>  __sk_receive_skb+0x33e/0xc10 net/core/sock.c:513
>  dccp_v4_rcv+0xf5f/0x1c80 net/dccp/ipv4.c:874
>  ip_local_deliver_finish+0x2f1/0xc50 net/ipv4/ip_input.c:216
>  NF_HOOK include/linux/netfilter.h:288 [inline]
>  ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257
>  dst_input include/net/dst.h:449 [inline]
>  ip_rcv_finish+0x953/0x1e30 net/ipv4/ip_input.c:397
>  NF_HOOK include/linux/netfilter.h:288 [inline]
>  ip_rcv+0xc5a/0x1840 net/ipv4/ip_input.c:493
>  __netif_receive_skb_core+0x1a41/0x3460 net/core/dev.c:4537
>  __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4602
>  process_backlog+0x203/0x740 net/core/dev.c:5282
>  napi_poll net/core/dev.c:5680 [inline]
>  net_rx_action+0x792/0x1910 net/core/dev.c:5746
>  __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
>  do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1150
>  </IRQ>
>  do_softirq.part.19+0x14d/0x190 kernel/softirq.c:329
>  do_softirq kernel/softirq.c:177 [inline]
>  __local_bh_enable_ip+0x1ee/0x230 kernel/softirq.c:182
>  local_bh_enable include/linux/bottom_half.h:32 [inline]
>  rcu_read_unlock_bh include/linux/rcupdate.h:726 [inline]
>  ip_finish_output2+0x962/0x1550 net/ipv4/ip_output.c:231
>  ip_finish_output+0x864/0xd10 net/ipv4/ip_output.c:317
>  NF_HOOK_COND include/linux/netfilter.h:277 [inline]
>  ip_output+0x1d2/0x860 net/ipv4/ip_output.c:405
>  dst_output include/net/dst.h:443 [inline]
>  ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
>  ip_queue_xmit+0x8c0/0x18e0 net/ipv4/ip_output.c:504
>  dccp_transmit_skb+0x9ac/0x10f0 net/dccp/output.c:142
>  dccp_xmit_packet+0x215/0x740 net/dccp/output.c:281
>  dccp_write_xmit+0x17d/0x1d0 net/dccp/output.c:363
>  dccp_sendmsg+0x95f/0xdc0 net/dccp/proto.c:813
>  inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
>  sock_sendmsg_nosec net/socket.c:630 [inline]
>  sock_sendmsg+0xca/0x110 net/socket.c:640
>  ___sys_sendmsg+0x767/0x8b0 net/socket.c:2020
>  __sys_sendmsg+0xe5/0x210 net/socket.c:2054
>  SYSC_sendmsg net/socket.c:2065 [inline]
>  SyS_sendmsg+0x2d/0x50 net/socket.c:2061
>  entry_SYSCALL_64_fastpath+0x29/0xa0
> RIP: 0033:0x446469
> RSP: 002b:00007fcecb23bda8 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
> RAX: ffffffffffffffda RBX: 00000000006dbc3c RCX: 0000000000446469
> RDX: 0000000000000080 RSI: 00000000206c8000 RDI: 0000000000000005
> RBP: 00000000006dbc38 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000293 R12: f8e4cbe49e572d45
> R13: 54c1b85d98aba1df R14: a6eaa24dbeb18c29 R15: 000000000000000c
> 

This is still happening.  It *might* be related to the other bug "suspicious RCU
usage at ./include/net/inet_sock.h:LINE".  Here's a simplified reproducer for
this one:

#include <linux/dccp.h>
#include <linux/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

int main()
{
        struct sockaddr_in addr = { .sin_family = AF_INET };
        socklen_t addrlen = sizeof(addr);
        int fd;

        /* Parent keeps forking; each child runs one round below and exits. */
        while (fork())
                wait(NULL);
        /* DCCP listener on the wildcard address; read back the kernel-chosen port. */
        fd = socket(AF_INET, SOCK_DCCP, 0);
        bind(fd, (void *)&addr, addrlen);
        getsockname(fd, (void *)&addr, &addrlen);
        listen(fd, 100);
        if (fork()) {
                /* Client side: select CCID 3 (TFRC), whose receiver shows up in the trace. */
                fd = socket(AF_INET, SOCK_DCCP, 0);
                setsockopt(fd, SOL_DCCP, DCCP_SOCKOPT_CCID, "\x03", 1);
                connect(fd, (void *)&addr, sizeof(addr));
        } else {
                /* Server side: accept the connection. */
                fd = accept(fd, NULL, 0);
        }
        /* Both ends send; the CCID 3 receiver's RTT sampling then hits the BUG. */
        for (int i = 0; i < 1000; i++)
                write(fd, "X", 1);
}


* BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_histor
  2018-04-08 21:57 BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_hi Eric Biggers
@ 2018-05-06  0:57 ` syzbot
  2018-05-09  5:05 ` BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_hi Eric Biggers
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2018-05-06  0:57 UTC (permalink / raw)
  To: dccp

Hello,

syzbot found the following crash on:

HEAD commit:    c1c07416cdd4 Merge tag 'kbuild-fixes-v4.17' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13d5de47800000
kernel config:  https://syzkaller.appspot.com/x/.config?x=5a1dc06635c10d27
dashboard link: https://syzkaller.appspot.com/bug?extid=99858724c0ba555a12ea
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=170afde7800000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=141b4be7800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+99858724c0ba555a12ea@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at  
net/dccp/ccids/lib/packet_history.c:425/tfrc_rx_hist_sample_rtt()
CPU: 0 PID: 4495 Comm: syz-executor551 Not tainted 4.17.0-rc3+ #34
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  <IRQ>
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1b9/0x294 lib/dump_stack.c:113
  tfrc_rx_hist_sample_rtt.cold.3+0x54/0x5c  
net/dccp/ccids/lib/packet_history.c:422
  ccid3_hc_rx_packet_recv+0x5c8/0xed0 net/dccp/ccids/ccid3.c:765
  ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
  dccp_deliver_input_to_ccids+0xf0/0x280 net/dccp/input.c:180
  dccp_rcv_established+0x87/0xb0 net/dccp/input.c:378
  dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:654
  sk_backlog_rcv include/net/sock.h:909 [inline]
  __sk_receive_skb+0x3a2/0xd60 net/core/sock.c:513
  dccp_v4_rcv+0x10e5/0x1f3f net/dccp/ipv4.c:875
  ip_local_deliver_finish+0x2e3/0xd80 net/ipv4/ip_input.c:215
  NF_HOOK include/linux/netfilter.h:288 [inline]
  ip_local_deliver+0x1e1/0x720 net/ipv4/ip_input.c:256
  dst_input include/net/dst.h:450 [inline]
  ip_rcv_finish+0x81b/0x2200 net/ipv4/ip_input.c:396
  NF_HOOK include/linux/netfilter.h:288 [inline]
  ip_rcv+0xb70/0x143d net/ipv4/ip_input.c:492
  __netif_receive_skb_core+0x26f5/0x3630 net/core/dev.c:4592
  __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
  process_backlog+0x219/0x760 net/core/dev.c:5337
  napi_poll net/core/dev.c:5735 [inline]
  net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
  __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
  do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1046
  </IRQ>
  do_softirq.part.17+0x14d/0x190 kernel/softirq.c:329
  do_softirq arch/x86/include/asm/preempt.h:23 [inline]
  __local_bh_enable_ip+0x1ec/0x230 kernel/softirq.c:182
  local_bh_enable include/linux/bottom_half.h:32 [inline]
  rcu_read_unlock_bh include/linux/rcupdate.h:728 [inline]
  ip_finish_output2+0xab2/0x1840 net/ipv4/ip_output.c:231
  ip_finish_output+0x828/0xf80 net/ipv4/ip_output.c:317
  NF_HOOK_COND include/linux/netfilter.h:277 [inline]
  ip_output+0x21b/0x850 net/ipv4/ip_output.c:405
  dst_output include/net/dst.h:444 [inline]
  ip_local_out+0xc5/0x1b0 net/ipv4/ip_output.c:124
  ip_queue_xmit+0x9d7/0x1f70 net/ipv4/ip_output.c:504
  dccp_transmit_skb+0x999/0x12e0 net/dccp/output.c:142
  dccp_xmit_packet+0x250/0x790 net/dccp/output.c:281
  dccp_write_xmit+0x190/0x1f0 net/dccp/output.c:363
  dccp_sendmsg+0x8c7/0x1020 net/dccp/proto.c:818
  inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
  sock_sendmsg_nosec net/socket.c:629 [inline]
  sock_sendmsg+0xd5/0x120 net/socket.c:639
  ___sys_sendmsg+0x525/0x940 net/socket.c:2117
  __sys_sendmmsg+0x240/0x6f0 net/socket.c:2212
  __do_sys_sendmmsg net/socket.c:2241 [inline]
  __se_sys_sendmmsg net/socket.c:2238 [inline]
  __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2238
  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445d09
RSP: 002b:00007f3c7eff5d88 EFLAGS: 00000293 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00000000006dac40 RCX: 0000000000445d09
RDX: 0000000000000001 RSI: 000000


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.


* Re: BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_hi
  2018-04-08 21:57 BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_hi Eric Biggers
  2018-05-06  0:57 ` BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_histor syzbot
@ 2018-05-09  5:05 ` Eric Biggers
  2018-05-09  5:23 ` Dmitry Vyukov
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: Eric Biggers @ 2018-05-09  5:05 UTC (permalink / raw)
  To: dccp

On Sat, May 05, 2018 at 05:57:02PM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    c1c07416cdd4 Merge tag 'kbuild-fixes-v4.17' of git://git.k..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13d5de47800000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=5a1dc06635c10d27
> dashboard link: https://syzkaller.appspot.com/bug?extid=99858724c0ba555a12ea
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=170afde7800000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=141b4be7800000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+99858724c0ba555a12ea@syzkaller.appspotmail.com
> 
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> random: sshd: uninitialized urandom read (32 bytes read)
> BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at
> net/dccp/ccids/lib/packet_history.c:425/tfrc_rx_hist_sample_rtt()
> CPU: 0 PID: 4495 Comm: syz-executor551 Not tainted 4.17.0-rc3+ #34
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>  <IRQ>
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x1b9/0x294 lib/dump_stack.c:113
>  tfrc_rx_hist_sample_rtt.cold.3+0x54/0x5c
> net/dccp/ccids/lib/packet_history.c:422
>  ccid3_hc_rx_packet_recv+0x5c8/0xed0 net/dccp/ccids/ccid3.c:765
>  ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
>  dccp_deliver_input_to_ccids+0xf0/0x280 net/dccp/input.c:180
>  dccp_rcv_established+0x87/0xb0 net/dccp/input.c:378
>  dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:654
>  sk_backlog_rcv include/net/sock.h:909 [inline]
>  __sk_receive_skb+0x3a2/0xd60 net/core/sock.c:513
>  dccp_v4_rcv+0x10e5/0x1f3f net/dccp/ipv4.c:875
>  ip_local_deliver_finish+0x2e3/0xd80 net/ipv4/ip_input.c:215
>  NF_HOOK include/linux/netfilter.h:288 [inline]
>  ip_local_deliver+0x1e1/0x720 net/ipv4/ip_input.c:256
>  dst_input include/net/dst.h:450 [inline]
>  ip_rcv_finish+0x81b/0x2200 net/ipv4/ip_input.c:396
>  NF_HOOK include/linux/netfilter.h:288 [inline]
>  ip_rcv+0xb70/0x143d net/ipv4/ip_input.c:492
>  __netif_receive_skb_core+0x26f5/0x3630 net/core/dev.c:4592
>  __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
>  process_backlog+0x219/0x760 net/core/dev.c:5337
>  napi_poll net/core/dev.c:5735 [inline]
>  net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
>  __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
>  do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1046
>  </IRQ>
>  do_softirq.part.17+0x14d/0x190 kernel/softirq.c:329
>  do_softirq arch/x86/include/asm/preempt.h:23 [inline]
>  __local_bh_enable_ip+0x1ec/0x230 kernel/softirq.c:182
>  local_bh_enable include/linux/bottom_half.h:32 [inline]
>  rcu_read_unlock_bh include/linux/rcupdate.h:728 [inline]
>  ip_finish_output2+0xab2/0x1840 net/ipv4/ip_output.c:231
>  ip_finish_output+0x828/0xf80 net/ipv4/ip_output.c:317
>  NF_HOOK_COND include/linux/netfilter.h:277 [inline]
>  ip_output+0x21b/0x850 net/ipv4/ip_output.c:405
>  dst_output include/net/dst.h:444 [inline]
>  ip_local_out+0xc5/0x1b0 net/ipv4/ip_output.c:124
>  ip_queue_xmit+0x9d7/0x1f70 net/ipv4/ip_output.c:504
>  dccp_transmit_skb+0x999/0x12e0 net/dccp/output.c:142
>  dccp_xmit_packet+0x250/0x790 net/dccp/output.c:281
>  dccp_write_xmit+0x190/0x1f0 net/dccp/output.c:363
>  dccp_sendmsg+0x8c7/0x1020 net/dccp/proto.c:818
>  inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
>  sock_sendmsg_nosec net/socket.c:629 [inline]
>  sock_sendmsg+0xd5/0x120 net/socket.c:639
>  ___sys_sendmsg+0x525/0x940 net/socket.c:2117
>  __sys_sendmmsg+0x240/0x6f0 net/socket.c:2212
>  __do_sys_sendmmsg net/socket.c:2241 [inline]
>  __se_sys_sendmmsg net/socket.c:2238 [inline]
>  __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2238
>  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x445d09
> RSP: 002b:00007f3c7eff5d88 EFLAGS: 00000293 ORIG_RAX: 0000000000000133
> RAX: ffffffffffffffda RBX: 00000000006dac40 RCX: 0000000000445d09
> RDX: 0000000000000001 RSI: 000000
> 
> 
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this bug report.
> If you forgot to add the Reported-by tag, once the fix for this bug is
> merged
> into any tree, please reply to this email with:
> #syz fix: exact-commit-title
> If you want to test a patch for this bug, please reply with:
> #syz test: git://repo/address.git branch
> and provide the patch inline or as an attachment.
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report

There's already a bug report with this title, this one just had a few characters
truncated from the end.  Dmitry, is that intentional?  The other one is
https://groups.google.com/forum/#!msg/syzkaller-bugs/u5nq3PdPkIc/bBFjKHXPAgAJ:

#syz dup: BUG: please report to dc...@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx_hist_sample_rtt()

Anyway, this is apparently a DCCP bug, and as I posted on the other thread it's
easily reproducible with the following program.  Gerrit, are you still the DCCP
maintainer, or is the MAINTAINERS file outdated?

	#include <linux/dccp.h>
	#include <linux/in.h>
	#include <sys/socket.h>
	#include <sys/wait.h>
	#include <unistd.h>

	int main()
	{
		struct sockaddr_in addr = { .sin_family = AF_INET };
		socklen_t addrlen = sizeof(addr);
		int fd;

		/* Parent keeps forking; each child runs one round below and exits. */
		while (fork())
			wait(NULL);
		/* DCCP listener on the wildcard address; read back the kernel-chosen port. */
		fd = socket(AF_INET, SOCK_DCCP, 0);
		bind(fd, (void *)&addr, addrlen);
		getsockname(fd, (void *)&addr, &addrlen);
		listen(fd, 100);
		if (fork()) {
			/* Client side: select CCID 3 (TFRC), whose receiver shows up in the trace. */
			fd = socket(AF_INET, SOCK_DCCP, 0);
			setsockopt(fd, SOL_DCCP, DCCP_SOCKOPT_CCID, "\x03", 1);
			connect(fd, (void *)&addr, sizeof(addr));
		} else {
			/* Server side: accept the connection. */
			fd = accept(fd, NULL, 0);
		}
		/* Both ends send; the CCID 3 receiver's RTT sampling then hits the BUG. */
		for (int i = 0; i < 1000; i++)
			write(fd, "X", 1);
	}

- Eric


* Re: BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_hi
  2018-04-08 21:57 BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_hi Eric Biggers
  2018-05-06  0:57 ` BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_histor syzbot
  2018-05-09  5:05 ` BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_hi Eric Biggers
@ 2018-05-09  5:23 ` Dmitry Vyukov
  2018-05-09  5:40 ` Eric Biggers
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: Dmitry Vyukov @ 2018-05-09  5:23 UTC (permalink / raw)
  To: dccp

On Wed, May 9, 2018 at 7:05 AM, Eric Biggers <ebiggers3@gmail.com> wrote:
> On Sat, May 05, 2018 at 05:57:02PM -0700, syzbot wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit:    c1c07416cdd4 Merge tag 'kbuild-fixes-v4.17' of git://git.k..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=13d5de47800000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=5a1dc06635c10d27
>> dashboard link: https://syzkaller.appspot.com/bug?extid=99858724c0ba555a12ea
>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=170afde7800000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=141b4be7800000
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+99858724c0ba555a12ea@syzkaller.appspotmail.com
>>
>> random: sshd: uninitialized urandom read (32 bytes read)
>> random: sshd: uninitialized urandom read (32 bytes read)
>> random: sshd: uninitialized urandom read (32 bytes read)
>> random: sshd: uninitialized urandom read (32 bytes read)
>> BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at
>> net/dccp/ccids/lib/packet_history.c:425/tfrc_rx_hist_sample_rtt()
>> CPU: 0 PID: 4495 Comm: syz-executor551 Not tainted 4.17.0-rc3+ #34
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> Google 01/01/2011
>> Call Trace:
>>  <IRQ>
>>  __dump_stack lib/dump_stack.c:77 [inline]
>>  dump_stack+0x1b9/0x294 lib/dump_stack.c:113
>>  tfrc_rx_hist_sample_rtt.cold.3+0x54/0x5c
>> net/dccp/ccids/lib/packet_history.c:422
>>  ccid3_hc_rx_packet_recv+0x5c8/0xed0 net/dccp/ccids/ccid3.c:765
>>  ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
>>  dccp_deliver_input_to_ccids+0xf0/0x280 net/dccp/input.c:180
>>  dccp_rcv_established+0x87/0xb0 net/dccp/input.c:378
>>  dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:654
>>  sk_backlog_rcv include/net/sock.h:909 [inline]
>>  __sk_receive_skb+0x3a2/0xd60 net/core/sock.c:513
>>  dccp_v4_rcv+0x10e5/0x1f3f net/dccp/ipv4.c:875
>>  ip_local_deliver_finish+0x2e3/0xd80 net/ipv4/ip_input.c:215
>>  NF_HOOK include/linux/netfilter.h:288 [inline]
>>  ip_local_deliver+0x1e1/0x720 net/ipv4/ip_input.c:256
>>  dst_input include/net/dst.h:450 [inline]
>>  ip_rcv_finish+0x81b/0x2200 net/ipv4/ip_input.c:396
>>  NF_HOOK include/linux/netfilter.h:288 [inline]
>>  ip_rcv+0xb70/0x143d net/ipv4/ip_input.c:492
>>  __netif_receive_skb_core+0x26f5/0x3630 net/core/dev.c:4592
>>  __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
>>  process_backlog+0x219/0x760 net/core/dev.c:5337
>>  napi_poll net/core/dev.c:5735 [inline]
>>  net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
>>  __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
>>  do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1046
>>  </IRQ>
>>  do_softirq.part.17+0x14d/0x190 kernel/softirq.c:329
>>  do_softirq arch/x86/include/asm/preempt.h:23 [inline]
>>  __local_bh_enable_ip+0x1ec/0x230 kernel/softirq.c:182
>>  local_bh_enable include/linux/bottom_half.h:32 [inline]
>>  rcu_read_unlock_bh include/linux/rcupdate.h:728 [inline]
>>  ip_finish_output2+0xab2/0x1840 net/ipv4/ip_output.c:231
>>  ip_finish_output+0x828/0xf80 net/ipv4/ip_output.c:317
>>  NF_HOOK_COND include/linux/netfilter.h:277 [inline]
>>  ip_output+0x21b/0x850 net/ipv4/ip_output.c:405
>>  dst_output include/net/dst.h:444 [inline]
>>  ip_local_out+0xc5/0x1b0 net/ipv4/ip_output.c:124
>>  ip_queue_xmit+0x9d7/0x1f70 net/ipv4/ip_output.c:504
>>  dccp_transmit_skb+0x999/0x12e0 net/dccp/output.c:142
>>  dccp_xmit_packet+0x250/0x790 net/dccp/output.c:281
>>  dccp_write_xmit+0x190/0x1f0 net/dccp/output.c:363
>>  dccp_sendmsg+0x8c7/0x1020 net/dccp/proto.c:818
>>  inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
>>  sock_sendmsg_nosec net/socket.c:629 [inline]
>>  sock_sendmsg+0xd5/0x120 net/socket.c:639
>>  ___sys_sendmsg+0x525/0x940 net/socket.c:2117
>>  __sys_sendmmsg+0x240/0x6f0 net/socket.c:2212
>>  __do_sys_sendmmsg net/socket.c:2241 [inline]
>>  __se_sys_sendmmsg net/socket.c:2238 [inline]
>>  __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2238
>>  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
>>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>> RIP: 0033:0x445d09
>> RSP: 002b:00007f3c7eff5d88 EFLAGS: 00000293 ORIG_RAX: 0000000000000133
>> RAX: ffffffffffffffda RBX: 00000000006dac40 RCX: 0000000000445d09
>> RDX: 0000000000000001 RSI: 000000
>>
>>
>> ---
>> This bug is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this bug report.
>> If you forgot to add the Reported-by tag, once the fix for this bug is
>> merged
>> into any tree, please reply to this email with:
>> #syz fix: exact-commit-title
>> If you want to test a patch for this bug, please reply with:
>> #syz test: git://repo/address.git branch
>> and provide the patch inline or as an attachment.
>> To mark this as a duplicate of another syzbot report, please reply with:
>> #syz dup: exact-subject-of-another-report
>
> There's already a bug report with this title, this one just had a few characters
> truncated from the end.  Dmitry, is that intentional?  The other one is
> https://groups.google.com/forum/#!msg/syzkaller-bugs/u5nq3PdPkIc/bBFjKHXPAgAJ:
>
> #syz dup: BUG: please report to dc...@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx_hist_sample_rtt()

I think this happened when we started truncating kernel crash titles
to 120 columns, so it's intentional.
However, the dup command did not pass. It's hard to understand who
received what today, but this suggests that somebody altered email in
the command to dc...@vger.kernel.org:
https://groups.google.com/forum/message/raw?msg=syzkaller-bugs/GMndq4-h7BI/VIz4aBEOAwAJ
We can also mark the old one as invalid.


> Anyway, this is apparently a DCCP bug, and as I posted on the other thread it's
> easily reproducible with the following program.  Gerrit, are you still the DCCP
> maintainer, or is the MAINTAINERS file outdated?
>
>         #include <linux/dccp.h>
>         #include <linux/in.h>
>         #include <sys/socket.h>
>         #include <sys/wait.h>
>         #include <unistd.h>
>
>         int main()
>         {
>                 struct sockaddr_in addr = { .sin_family = AF_INET };
>                 socklen_t addrlen = sizeof(addr);
>                 int fd;
>
>                 while (fork())
>                         wait(NULL);
>                 fd = socket(AF_INET, SOCK_DCCP, 0);
>                 bind(fd, (void *)&addr, addrlen);
>                 getsockname(fd, (void *)&addr, &addrlen);
>                 listen(fd, 100);
>                 if (fork()) {
>                         fd = socket(AF_INET, SOCK_DCCP, 0);
>                         setsockopt(fd, SOL_DCCP, DCCP_SOCKOPT_CCID, "\x03", 1);
>                         connect(fd, (void *)&addr, sizeof(addr));
>                 } else {
>                         fd = accept(fd, NULL, 0);
>                 }
>                 for (int i = 0; i < 1000; i++)
>                         write(fd, "X", 1);
>         }
>
> - Eric


* Re: BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_hi
  2018-04-08 21:57 BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_hi Eric Biggers
                   ` (2 preceding siblings ...)
  2018-05-09  5:23 ` Dmitry Vyukov
@ 2018-05-09  5:40 ` Eric Biggers
  2018-10-23 10:13 ` BUG: please report to dccp@vger.kernel.org => prev = 2, last = 2 at net/dccp/ccids/lib/packet_histor syzbot
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: Eric Biggers @ 2018-05-09  5:40 UTC (permalink / raw)
  To: dccp

On Wed, May 09, 2018 at 07:23:41AM +0200, 'Dmitry Vyukov' via syzkaller-bugs wrote:
> On Wed, May 9, 2018 at 7:05 AM, Eric Biggers <ebiggers3@gmail.com> wrote:
> > On Sat, May 05, 2018 at 05:57:02PM -0700, syzbot wrote:
> >> Hello,
> >>
> >> syzbot found the following crash on:
> >>
> >> HEAD commit:    c1c07416cdd4 Merge tag 'kbuild-fixes-v4.17' of git://git.k..
> >> git tree:       upstream
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=13d5de47800000
> >> kernel config:  https://syzkaller.appspot.com/x/.config?x=5a1dc06635c10d27
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=99858724c0ba555a12ea
> >> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> >> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=170afde7800000
> >> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=141b4be7800000
> >>
> >> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >> Reported-by: syzbot+99858724c0ba555a12ea@syzkaller.appspotmail.com
> >>
> >> random: sshd: uninitialized urandom read (32 bytes read)
> >> random: sshd: uninitialized urandom read (32 bytes read)
> >> random: sshd: uninitialized urandom read (32 bytes read)
> >> random: sshd: uninitialized urandom read (32 bytes read)
> >> BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at
> >> net/dccp/ccids/lib/packet_history.c:425/tfrc_rx_hist_sample_rtt()
> >> CPU: 0 PID: 4495 Comm: syz-executor551 Not tainted 4.17.0-rc3+ #34
> >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> >> Google 01/01/2011
> >> Call Trace:
> >>  <IRQ>
> >>  __dump_stack lib/dump_stack.c:77 [inline]
> >>  dump_stack+0x1b9/0x294 lib/dump_stack.c:113
> >>  tfrc_rx_hist_sample_rtt.cold.3+0x54/0x5c
> >> net/dccp/ccids/lib/packet_history.c:422
> >>  ccid3_hc_rx_packet_recv+0x5c8/0xed0 net/dccp/ccids/ccid3.c:765
> >>  ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
> >>  dccp_deliver_input_to_ccids+0xf0/0x280 net/dccp/input.c:180
> >>  dccp_rcv_established+0x87/0xb0 net/dccp/input.c:378
> >>  dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:654
> >>  sk_backlog_rcv include/net/sock.h:909 [inline]
> >>  __sk_receive_skb+0x3a2/0xd60 net/core/sock.c:513
> >>  dccp_v4_rcv+0x10e5/0x1f3f net/dccp/ipv4.c:875
> >>  ip_local_deliver_finish+0x2e3/0xd80 net/ipv4/ip_input.c:215
> >>  NF_HOOK include/linux/netfilter.h:288 [inline]
> >>  ip_local_deliver+0x1e1/0x720 net/ipv4/ip_input.c:256
> >>  dst_input include/net/dst.h:450 [inline]
> >>  ip_rcv_finish+0x81b/0x2200 net/ipv4/ip_input.c:396
> >>  NF_HOOK include/linux/netfilter.h:288 [inline]
> >>  ip_rcv+0xb70/0x143d net/ipv4/ip_input.c:492
> >>  __netif_receive_skb_core+0x26f5/0x3630 net/core/dev.c:4592
> >>  __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
> >>  process_backlog+0x219/0x760 net/core/dev.c:5337
> >>  napi_poll net/core/dev.c:5735 [inline]
> >>  net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
> >>  __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
> >>  do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1046
> >>  </IRQ>
> >>  do_softirq.part.17+0x14d/0x190 kernel/softirq.c:329
> >>  do_softirq arch/x86/include/asm/preempt.h:23 [inline]
> >>  __local_bh_enable_ip+0x1ec/0x230 kernel/softirq.c:182
> >>  local_bh_enable include/linux/bottom_half.h:32 [inline]
> >>  rcu_read_unlock_bh include/linux/rcupdate.h:728 [inline]
> >>  ip_finish_output2+0xab2/0x1840 net/ipv4/ip_output.c:231
> >>  ip_finish_output+0x828/0xf80 net/ipv4/ip_output.c:317
> >>  NF_HOOK_COND include/linux/netfilter.h:277 [inline]
> >>  ip_output+0x21b/0x850 net/ipv4/ip_output.c:405
> >>  dst_output include/net/dst.h:444 [inline]
> >>  ip_local_out+0xc5/0x1b0 net/ipv4/ip_output.c:124
> >>  ip_queue_xmit+0x9d7/0x1f70 net/ipv4/ip_output.c:504
> >>  dccp_transmit_skb+0x999/0x12e0 net/dccp/output.c:142
> >>  dccp_xmit_packet+0x250/0x790 net/dccp/output.c:281
> >>  dccp_write_xmit+0x190/0x1f0 net/dccp/output.c:363
> >>  dccp_sendmsg+0x8c7/0x1020 net/dccp/proto.c:818
> >>  inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
> >>  sock_sendmsg_nosec net/socket.c:629 [inline]
> >>  sock_sendmsg+0xd5/0x120 net/socket.c:639
> >>  ___sys_sendmsg+0x525/0x940 net/socket.c:2117
> >>  __sys_sendmmsg+0x240/0x6f0 net/socket.c:2212
> >>  __do_sys_sendmmsg net/socket.c:2241 [inline]
> >>  __se_sys_sendmmsg net/socket.c:2238 [inline]
> >>  __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2238
> >>  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
> >>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >> RIP: 0033:0x445d09
> >> RSP: 002b:00007f3c7eff5d88 EFLAGS: 00000293 ORIG_RAX: 0000000000000133
> >> RAX: ffffffffffffffda RBX: 00000000006dac40 RCX: 0000000000445d09
> >> RDX: 0000000000000001 RSI: 000000
> >>
> >>
> >> ---
> >> This bug is generated by a bot. It may contain errors.
> >> See https://goo.gl/tpsmEJ for more information about syzbot.
> >> syzbot engineers can be reached at syzkaller@googlegroups.com.
> >>
> >> syzbot will keep track of this bug report.
> >> If you forgot to add the Reported-by tag, once the fix for this bug is
> >> merged
> >> into any tree, please reply to this email with:
> >> #syz fix: exact-commit-title
> >> If you want to test a patch for this bug, please reply with:
> >> #syz test: git://repo/address.git branch
> >> and provide the patch inline or as an attachment.
> >> To mark this as a duplicate of another syzbot report, please reply with:
> >> #syz dup: exact-subject-of-another-report
> >
> > There's already a bug report with this title, this one just had a few characters
> > truncated from the end.  Dmitry, is that intentional?  The other one is
> > https://groups.google.com/forum/#!msg/syzkaller-bugs/u5nq3PdPkIc/bBFjKHXPAgAJ:
> >
> > #syz dup: BUG: please report to dc...@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx_hist_sample_rtt()
> 
> I think this happened when we started truncating kernel crash titles
> to 120 columns, so it's intentional.
> However, the dup command did not pass. It's hard to understand who
> received what today, but this suggests that somebody altered email in
> the command to dc...@vger.kernel.org:
> https://groups.google.com/forum/message/raw?msg=syzkaller-bugs/GMndq4-h7BI/VIz4aBEOAwAJ
> We can also mark the old one as invalid.
> 

Ah, that was my fault -- I must have copied the bug title from the
syzkaller-bugs Google Groups page, which had mangled the email address in the
bug title.  The actual title was:

#syz dup: BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx_hist_sample_rtt()


* BUG: please report to dccp@vger.kernel.org => prev = 2, last = 2 at net/dccp/ccids/lib/packet_histor
From: syzbot @ 2018-10-23 10:13 UTC (permalink / raw)
  To: dccp

Hello,

syzbot found the following crash on:

HEAD commit:    ca9eb48fe01f Merge tag 'regulator-v5.0' of git://git.kerne..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1482a939400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=963b24abf3f7c2d8
dashboard link: https://syzkaller.appspot.com/bug?extid=e786ba000564d103a6fe
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e786ba000564d103a6fe@syzkaller.appspotmail.com

input: syz0 as /devices/virtual/input/input6
BUG: please report to dccp@vger.kernel.org => prev = 2, last = 2 at net/dccp/ccids/lib/packet_history.c:425/tfrc_rx_hist_sample_rtt()
CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.0+ #298
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1c4/0x2b6 lib/dump_stack.c:113
  tfrc_rx_hist_sample_rtt.cold.3+0x54/0x5c net/dccp/ccids/lib/packet_history.c:422
  ccid3_hc_rx_packet_recv+0x5c4/0xeb0 net/dccp/ccids/ccid3.c:767
  ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
  dccp_deliver_input_to_ccids+0xf0/0x280 net/dccp/input.c:180
  dccp_rcv_established+0x87/0xb0 net/dccp/input.c:378
  dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:656
  sk_backlog_rcv include/net/sock.h:931 [inline]
  __sk_receive_skb+0x3e5/0xec0 net/core/sock.c:473
  dccp_v4_rcv+0x10f9/0x1f58 net/dccp/ipv4.c:877
  ip_local_deliver_finish+0x2e9/0xda0 net/ipv4/ip_input.c:215
  NF_HOOK include/linux/netfilter.h:289 [inline]
  ip_local_deliver+0x1e9/0x750 net/ipv4/ip_input.c:256
  dst_input include/net/dst.h:450 [inline]
  ip_rcv_finish+0x1f9/0x300 net/ipv4/ip_input.c:415
  NF_HOOK include/linux/netfilter.h:289 [inline]
  ip_rcv+0xed/0x600 net/ipv4/ip_input.c:524
  __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913
  __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023
  process_backlog+0x218/0x6f0 net/core/dev.c:5829
  napi_poll net/core/dev.c:6249 [inline]
  net_rx_action+0x7c5/0x1950 net/core/dev.c:6315
  __do_softirq+0x30c/0xb03 kernel/softirq.c:292
  run_ksoftirqd+0x94/0x100 kernel/softirq.c:653
  smpboot_thread_fn+0x68b/0xa00 kernel/smpboot.c:164
  kthread+0x35a/0x420 kernel/kthread.c:246
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413
net_ratelimit: 18 callbacks suppressed
dccp_close: ABORT with 105978 bytes unread
input: syz0 as /devices/virtual/input/input7
input: syz0 as /devices/virtual/input/input8
dccp_close: ABORT with 52730 bytes unread
input: syz0 as /devices/virtual/input/input9
dccp_close: ABORT with 105978 bytes unread
dccp_close: ABORT with 105978 bytes unread
dccp_close: ABORT with 77306 bytes unread
dccp_close: ABORT with 89594 bytes unread
input: syz0 as /devices/virtual/input/input10
input: syz0 as /devices/virtual/input/input11
input: syz0 as /devices/virtual/input/input12
input: syz0 as /devices/virtual/input/input13
input: syz0 as /devices/virtual/input/input14
input: syz0 as /devices/virtual/input/input15
input: syz0 as /devices/virtual/input/input16
input: syz0 as /devices/virtual/input/input17
input: syz0 as /devices/virtual/input/input18


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.


* Re: BUG: please report to dccp@vger.kernel.org => prev = 2, last = 2 at net/dccp/ccids/lib/packet_hi
From: Eric Biggers @ 2019-02-27  0:42 UTC (permalink / raw)
  To: dccp

On Tue, Oct 23, 2018 at 03:13:02AM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    ca9eb48fe01f Merge tag 'regulator-v5.0' of git://git.kerne..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1482a939400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=963b24abf3f7c2d8
> dashboard link: https://syzkaller.appspot.com/bug?extid=e786ba000564d103a6fe
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> 
> Unfortunately, I don't have any reproducer for this crash yet.
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+e786ba000564d103a6fe@syzkaller.appspotmail.com
> 
> input: syz0 as /devices/virtual/input/input6
> BUG: please report to dccp@vger.kernel.org => prev = 2, last = 2 at
> net/dccp/ccids/lib/packet_history.c:425/tfrc_rx_hist_sample_rtt()
> CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.0+ #298
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x1c4/0x2b6 lib/dump_stack.c:113
>  tfrc_rx_hist_sample_rtt.cold.3+0x54/0x5c
> net/dccp/ccids/lib/packet_history.c:422
>  ccid3_hc_rx_packet_recv+0x5c4/0xeb0 net/dccp/ccids/ccid3.c:767
>  ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
>  dccp_deliver_input_to_ccids+0xf0/0x280 net/dccp/input.c:180
>  dccp_rcv_established+0x87/0xb0 net/dccp/input.c:378
>  dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:656
>  sk_backlog_rcv include/net/sock.h:931 [inline]
>  __sk_receive_skb+0x3e5/0xec0 net/core/sock.c:473
>  dccp_v4_rcv+0x10f9/0x1f58 net/dccp/ipv4.c:877
>  ip_local_deliver_finish+0x2e9/0xda0 net/ipv4/ip_input.c:215
>  NF_HOOK include/linux/netfilter.h:289 [inline]
>  ip_local_deliver+0x1e9/0x750 net/ipv4/ip_input.c:256
>  dst_input include/net/dst.h:450 [inline]
>  ip_rcv_finish+0x1f9/0x300 net/ipv4/ip_input.c:415
>  NF_HOOK include/linux/netfilter.h:289 [inline]
>  ip_rcv+0xed/0x600 net/ipv4/ip_input.c:524
>  __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913
>  __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023
>  process_backlog+0x218/0x6f0 net/core/dev.c:5829
>  napi_poll net/core/dev.c:6249 [inline]
>  net_rx_action+0x7c5/0x1950 net/core/dev.c:6315
>  __do_softirq+0x30c/0xb03 kernel/softirq.c:292
>  run_ksoftirqd+0x94/0x100 kernel/softirq.c:653
>  smpboot_thread_fn+0x68b/0xa00 kernel/smpboot.c:164
>  kthread+0x35a/0x420 kernel/kthread.c:246
>  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413
> net_ratelimit: 18 callbacks suppressed
> dccp_close: ABORT with 105978 bytes unread
> input: syz0 as /devices/virtual/input/input7
> input: syz0 as /devices/virtual/input/input8
> dccp_close: ABORT with 52730 bytes unread
> input: syz0 as /devices/virtual/input/input9
> dccp_close: ABORT with 105978 bytes unread
> dccp_close: ABORT with 105978 bytes unread
> dccp_close: ABORT with 77306 bytes unread
> dccp_close: ABORT with 89594 bytes unread
> input: syz0 as /devices/virtual/input/input10
> input: syz0 as /devices/virtual/input/input11
> input: syz0 as /devices/virtual/input/input12
> input: syz0 as /devices/virtual/input/input13
> input: syz0 as /devices/virtual/input/input14
> input: syz0 as /devices/virtual/input/input15
> input: syz0 as /devices/virtual/input/input16
> input: syz0 as /devices/virtual/input/input17
> input: syz0 as /devices/virtual/input/input18
> 
> 
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> 

#syz dup: BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx_hist_sample_rtt()

Still occurring, see existing thread with reproducer here:
https://groups.google.com/d/msg/syzkaller-bugs/u5nq3PdPkIc/M7tbibYVCQAJ

- Eric


* Re: BUG: please report to dccp@vger.kernel.org => prev = 5, last = 5 at net/dccp/ccids/lib/packet_hi
From: Eric Biggers @ 2019-02-27  0:44 UTC (permalink / raw)
  To: dccp

On Fri, Oct 12, 2018 at 12:58:02AM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    771b65e89c8a Add linux-next specific files for 20181011
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=167d2376400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=45f1c06c4da0a925
> dashboard link: https://syzkaller.appspot.com/bug?extid=e326127852f785c44347
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> 
> Unfortunately, I don't have any reproducer for this crash yet.
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+e326127852f785c44347@syzkaller.appspotmail.com
> 
> BUG: please report to dccp@vger.kernel.org => prev = 5, last = 5 at
> net/dccp/ccids/lib/packet_history.c:425/tfrc_rx_hist_sample_rtt()
> CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 4.19.0-rc7-next-20181011+ #92
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x244/0x3ab lib/dump_stack.c:113
>  tfrc_rx_hist_sample_rtt.cold.3+0x54/0x5c
> net/dccp/ccids/lib/packet_history.c:422
>  ccid3_hc_rx_packet_recv+0x5c4/0xeb0 net/dccp/ccids/ccid3.c:767
>  ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
>  dccp_deliver_input_to_ccids+0xf0/0x280 net/dccp/input.c:180
>  dccp_rcv_established+0x87/0xb0 net/dccp/input.c:378
>  dccp_v4_do_rcv+0x153/0x180 net/dccp/ipv4.c:656
>  sk_backlog_rcv include/net/sock.h:932 [inline]
>  __sk_receive_skb+0x3e0/0xeb0 net/core/sock.c:473
> binder: send failed reply for transaction 41 to 27388:27389
>  dccp_v4_rcv+0x10f9/0x1f58 net/dccp/ipv4.c:877
>  ip_local_deliver_finish+0x2e9/0xda0 net/ipv4/ip_input.c:215
>  NF_HOOK include/linux/netfilter.h:289 [inline]
>  ip_local_deliver+0x1e4/0x740 net/ipv4/ip_input.c:256
>  dst_input include/net/dst.h:450 [inline]
>  ip_rcv_finish+0x1f9/0x300 net/ipv4/ip_input.c:415
>  NF_HOOK include/linux/netfilter.h:289 [inline]
>  ip_rcv+0xe8/0x600 net/ipv4/ip_input.c:524
>  __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4908
>  __netif_receive_skb+0x27/0x1e0 net/core/dev.c:5018
>  process_backlog+0x24e/0x7a0 net/core/dev.c:5822
>  napi_poll net/core/dev.c:6242 [inline]
>  net_rx_action+0x7fa/0x19b0 net/core/dev.c:6308
>  __do_softirq+0x30d/0xb26 kernel/softirq.c:292
>  run_ksoftirqd+0x5e/0x100 kernel/softirq.c:654
>  smpboot_thread_fn+0x68b/0xa00 kernel/smpboot.c:164
>  kthread+0x35a/0x440 kernel/kthread.c:246
>  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
> dccp_close: ABORT with 52224 bytes unread
> binder: send failed reply for transaction 43 to 27399:27404
> dccp_close: ABORT with 3584 bytes unread
> binder: send failed reply for transaction 45 to 27417:27418
> binder: send failed reply for transaction 47 to 27424:27425
> dccp_close: ABORT with 105984 bytes unread
> dccp_close: ABORT with 105984 bytes unread
> dccp_close: ABORT with 105984 bytes unread
> nf_conntrack: default automatic helper assignment has been turned off for
> security reasons and CT-based  firewall rule not found. Use the iptables CT
> target to attach helpers instead.
> Dead loop on virtual device ip6_vti0, fix it urgently!
> Dead loop on virtual device ip6_vti0, fix it urgently!
> Dead loop on virtual device ip6_vti0, fix it urgently!
> Dead loop on virtual device ip6_vti0, fix it urgently!
> Dead loop on virtual device ip6_vti0, fix it urgently!
> Dead loop on virtual device ip6_vti0, fix it urgently!
> IPVS: sync thread started: state = BACKUP, mcast_ifn = team_slave_0, syncid
> = 0, id = 0
> Dead loop on virtual device ip6_vti0, fix it urgently!
> IPVS: sync thread started: state = BACKUP, mcast_ifn = team_slave_0, syncid
> = 0, id = 0
> IPVS: ftp: loaded support on port[0] = 21
> : renamed from bpq0
> IPVS: ftp: loaded support on port[0] = 21
> 
> 
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> 

#syz dup: BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx_hist_sample_rtt()

Still occurring, see existing thread with reproducer here:
https://groups.google.com/d/msg/syzkaller-bugs/u5nq3PdPkIc/M7tbibYVCQAJ

- Eric


* [syzbot] BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/
From: Dmitry Vyukov @ 2021-08-30  8:50 UTC (permalink / raw)
  To: dccp

This is the same as:

#syz dup: BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx_hist_sample_rtt()

https://syzkaller.appspot.com/bug?id=0881c535c265ca965edc49c0ac3d0a9850d26eb1


Thread overview: 9+ messages
2018-04-08 21:57 BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_hi Eric Biggers
2018-05-06  0:57 ` BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_histor syzbot
2018-05-09  5:05 ` BUG: please report to dccp@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_hi Eric Biggers
2018-05-09  5:23 ` Dmitry Vyukov
2018-05-09  5:40 ` Eric Biggers
2018-10-23 10:13 ` BUG: please report to dccp@vger.kernel.org => prev = 2, last = 2 at net/dccp/ccids/lib/packet_histor syzbot
2019-02-27  0:42 ` BUG: please report to dccp@vger.kernel.org => prev = 2, last = 2 at net/dccp/ccids/lib/packet_hi Eric Biggers
2019-02-27  0:44 ` BUG: please report to dccp@vger.kernel.org => prev = 5, last = 5 " Eric Biggers
2021-08-30  8:50 ` [syzbot] BUG: please report to dccp@vger.kernel.org => prev = NUM, last = NUM at net/dccp/ccids/lib/ Dmitry Vyukov
