Hello,
syzbot found the following crash on:
HEAD commit: 645ff1e8e704 Merge branch 'for-linus' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14a5c64b400000
kernel config: https://syzkaller.appspot.com/x/.config?x=20271e14bc1c87f0
dashboard link: https://syzkaller.appspot.com/bug?extid=987e48d84abddbe2506d
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13c69d20c00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]
8021q: adding VLAN 0 to HW filter on device batadv0
8021q: adding VLAN 0 to HW filter on device batadv0
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
8021q: adding VLAN 0 to HW filter on device batadv0
WARNING: CPU: 1 PID: 8154 at kernel/bpf/core.c:578 bpf_prog_ksym_node_add
kernel/bpf/core.c:578 [inline]
WARNING: CPU: 1 PID: 8154 at kernel/bpf/core.c:578
bpf_prog_kallsyms_add+0x909/0xaf0 kernel/bpf/core.c:610
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8154 Comm: syz-executor0 Not tainted 4.20.0+ #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
panic+0x2cb/0x589 kernel/panic.c:189
__warn.cold+0x20/0x4b kernel/panic.c:544
report_bug+0x263/0x2b0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
fixup_bug arch/x86/kernel/traps.c:173 [inline]
do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:290
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
RIP: 0010:bpf_prog_ksym_node_add kernel/bpf/core.c:578 [inline]
RIP: 0010:bpf_prog_kallsyms_add+0x909/0xaf0 kernel/bpf/core.c:610
Code: 2d d9 36 00 e9 a4 fe ff ff 31 db 48 c7 c0 f0 db 80 89 e9 a0 fb ff ff
31 db 48 c7 c0 e8 db 80 89 e9 f6 fc ff ff e8 37 06 f3 ff <0f> 0b e9 c6 f8
ff ff 48 89 85 10 ff ff ff e8 54 d9 36 00 48 8b 85
RSP: 0018:ffff88808de979b8 EFLAGS: 00010293
RAX: ffff8880901a6280 RBX: ffff88809292c628 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff818e9039 RDI: ffffc90001933020
RBP: ffff88808de97ac8 R08: 1ffff11011bd2f24 R09: ffffed1011bd2f25
R10: ffffed1011bd2f24 R11: 0000000000000003 R12: ffff88809292c5c0
R13: 1ffff11011bd2f48 R14: ffff88808de97aa0 R15: ffffffff899f1c80
bpf_prog_load+0x13a9/0x1d00 kernel/bpf/syscall.c:1556
__do_sys_bpf+0xc52/0x4410 kernel/bpf/syscall.c:2618
__se_sys_bpf kernel/bpf/syscall.c:2580 [inline]
__x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:2580
do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457ec9
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f94ae545c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
RDX: 0000000000000048 RSI: 0000000020000780 RDI: 0000000000000005
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f94ae5466d4
R13: 00000000004be236 R14: 00000000004ce360 R15: 00000000ffffffff
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot has bisected this bug to:
commit 7607dd35fc34893214284cca740d015154d20452
Author: Ido Schimmel <[email protected]>
Date: Mon Jul 17 12:15:30 2017 +0000
mlxsw: spectrum: Trap IPv4 packets with Router Alert option
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14e0ac07200000
start commit: 645ff1e8 Merge branch 'for-linus' of git://git.kernel.org/..
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=16e0ac07200000
console output: https://syzkaller.appspot.com/x/log.txt?x=12e0ac07200000
kernel config: https://syzkaller.appspot.com/x/.config?x=20271e14bc1c87f0
dashboard link: https://syzkaller.appspot.com/bug?extid=987e48d84abddbe2506d
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13c69d20c00000
Reported-by: [email protected]
Fixes: 7607dd35fc34 ("mlxsw: spectrum: Trap IPv4 packets with Router Alert
option")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
+ Dmitry
On Sat, Mar 23, 2019 at 07:16:01PM -0700, syzbot wrote:
> syzbot has bisected this bug to:
>
> commit 7607dd35fc34893214284cca740d015154d20452
> Author: Ido Schimmel <[email protected]>
> Date: Mon Jul 17 12:15:30 2017 +0000
>
> mlxsw: spectrum: Trap IPv4 packets with Router Alert option
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14e0ac07200000
> start commit: 645ff1e8 Merge branch 'for-linus' of git://git.kernel.org/..
> git tree: upstream
> final crash: https://syzkaller.appspot.com/x/report.txt?x=16e0ac07200000
> console output: https://syzkaller.appspot.com/x/log.txt?x=12e0ac07200000
> kernel config: https://syzkaller.appspot.com/x/.config?x=20271e14bc1c87f0
> dashboard link: https://syzkaller.appspot.com/bug?extid=987e48d84abddbe2506d
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13c69d20c00000
>
> Reported-by: [email protected]
> Fixes: 7607dd35fc34 ("mlxsw: spectrum: Trap IPv4 packets with Router Alert
> option")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Dmitry,
The bisection is probably wrong. Above mentioned commit is specific to
mlxsw which is not even present in the provided kernel config.
I see that this also appears in the web interface [1] which might be
misleading to some people. Might be worthwhile to add a command for
syzbot that tells it that bisection is wrong?
[1] https://syzkaller.appspot.com/bug?id=b658eb696c8279d9951a4ceea79efba8a1d12467
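The check applied in the message above (a bisected commit whose code is not compiled under the reported kernel config cannot be the cause), as an added example that is not part of the original thread or of syzbot. The .config lines, the Makefile fragments and the lists of touched paths are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample inputs (not the report's real .config or kernel tree).
SAMPLE_CONFIG = """\
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
# CONFIG_MLXSW_CORE is not set
CONFIG_VXCAN=m
"""
# Constructed kbuild fragments, keyed by the directory holding the Makefile.
SAMPLE_MAKEFILES = {
    "kernel": "obj-y += fork.o panic.o\nobj-$(CONFIG_BPF) += bpf/\n",
    "drivers/net/ethernet/mellanox":
        "obj-$(CONFIG_MLXSW_CORE) += mlxsw/\nobj-$(CONFIG_MLX4_CORE) += mlx4/\n",
}

def enabled_symbols(config_text):
    """Return the symbols set to y or m in a kernel .config."""
    return {m.group(1)
            for m in re.finditer(r"^(CONFIG_\w+)=(?:y|m)$", config_text, re.M)}

def dir_gates(makefiles):
    """Map 'parent/subdir/' to the CONFIG symbol in 'obj-$(CONFIG_X) += subdir/'."""
    gates = {}
    pattern = r"^obj-\$\((CONFIG_\w+)\)\s*[+:]?=\s*(.+)$"
    for parent, text in makefiles.items():
        for sym, targets in re.findall(pattern, text, re.M):
            for target in targets.split():
                if target.endswith("/"):
                    gates[f"{parent}/{target}"] = sym
    return gates

def built_paths(paths, config_text, makefiles):
    """Return the touched paths that are not under a gated-off directory.

    Paths under no known gate (e.g. shared headers) are conservatively
    treated as built, so the check never rules out a commit it cannot judge.
    """
    on = enabled_symbols(config_text)
    gates = dir_gates(makefiles)
    return [p for p in paths
            if all(sym in on for d, sym in gates.items() if p.startswith(d))]

def bisection_plausible(paths, config_text, makefiles):
    """True if at least one file touched by the bisected commit is compiled in."""
    return bool(built_paths(paths, config_text, makefiles))
```

A result of False means every touched file sits behind a disabled symbol, which is the situation described above; True only means the commit cannot be ruled out this way.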
On Mon, Mar 25, 2019 at 1:16 PM Ido Schimmel <[email protected]> wrote:
>
> + Dmitry
>
> On Sat, Mar 23, 2019 at 07:16:01PM -0700, syzbot wrote:
> > syzbot has bisected this bug to:
> >
> > commit 7607dd35fc34893214284cca740d015154d20452
> > Author: Ido Schimmel <[email protected]>
> > Date: Mon Jul 17 12:15:30 2017 +0000
> >
> > mlxsw: spectrum: Trap IPv4 packets with Router Alert option
> >
> > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14e0ac07200000
> > start commit: 645ff1e8 Merge branch 'for-linus' of git://git.kernel.org/..
> > git tree: upstream
> > final crash: https://syzkaller.appspot.com/x/report.txt?x=16e0ac07200000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12e0ac07200000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=20271e14bc1c87f0
> > dashboard link: https://syzkaller.appspot.com/bug?extid=987e48d84abddbe2506d
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13c69d20c00000
> >
> > Reported-by: [email protected]
> > Fixes: 7607dd35fc34 ("mlxsw: spectrum: Trap IPv4 packets with Router Alert
> > option")
> >
> > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> Dmitry,
>
> The bisection is probably wrong. Above mentioned commit is specific to
> mlxsw which is not even present in the provided kernel config.
>
> I see that this also appears in the web interface [1] which might be
> misleading to some people. Might be worthwhile to add a command for
> syzbot that tells it that bisection is wrong?
>
> [1] https://syzkaller.appspot.com/bug?id=b658eb696c8279d9951a4ceea79efba8a1d12467
Hi Ido,
Do you mean for the purposes of showing the results as "wrong" on the dashboard?
Generally the idea is that people can leave any free form comments on
the email thread associated with the bug (there is always a link from
the dashboard back to the email thread). It's not possible to capture
all possible situations in a set of fixed tags. All information on the
dashboard may be incorrect in interesting ways. For example, consider
a bisection that diverged at the very last steps, so one may check the
bisection log and easily identify the commit that is most likely the
root cause, but the official result is off-by-one. Or maybe the free
stack in a use-after-free report is incorrect and then somebody may
suggest the right stack.
But having said that there is a proposal for custom tags for bugs
(e.g. for priority, subsystem, etc):
https://github.com/google/syzkaller/issues/608
And "bisection is wrong" may be a reasonable tag. I just don't want to
jump to a first ad-hoc implementation right now. I want to at least
try to think out some consistent, extensible and useful design for
tagging.
I will add a note about bisection there.
Another concern is that I suspect very few people will actually use
it. Most people seem to tend to just drop a comment like "this is
fixed" or "syzbot sucks" without actually caring about any formal bug
state tracking...
But even if nobody will use it for the majority of bugs, somebody (me)
still needs to design, implement, write tests, carefully deploy and
maintain this thing...
But thanks for the proposal!