On Tue, Sep 21, 2021 at 12:09 PM syzbot <syzbot+581aff2ae6b860625116@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote: > > Hello, > > syzbot found the following issue on: > > HEAD commit: 98dc68f8b0c2 selftests: nci: replace unsigned int with int > git tree: net > console output: https://syzkaller.appspot.com/x/log.txt?x=11fd443d300000 > kernel config: https://syzkaller.appspot.com/x/.config?x=c31c0936547df9ea > dashboard link: https://syzkaller.appspot.com/bug?extid=581aff2ae6b860625116 > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 > > Unfortunately, I don't have any reproducer for this issue yet. > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+581aff2ae6b860625116@xxxxxxxxxxxxxxxxxxxxxxxxx > > general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN > KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] > CPU: 0 PID: 11205 Comm: kworker/0:12 Not tainted 5.14.0-syzkaller #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 > Workqueue: ipv6_addrconf addrconf_dad_work > RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline] by anyway, checking if skb_header_pointer() return NULL is always needed: @@ -702,7 +702,7 @@ static int sctp_rcv_ootb(struct sk_buff *skb) ch = skb_header_pointer(skb, offset, sizeof(*ch), &_ch); /* Break out if chunk length is less then minimal. */ - if (ntohs(ch->length) < sizeof(_ch)) + if (!ch || ntohs(ch->length) < sizeof(_ch)) break; > RIP: 0010:sctp_rcv+0x1d84/0x3220 net/sctp/input.c:196 > Code: fb 03 0f 8e 51 01 00 00 e8 99 ac 17 f9 4c 01 ed e8 91 ac 17 f9 48 8d 7d 02 48 b9 00 00 00 00 00 fc ff df 48 89 f8 48 c1 e8 03 <0f> b6 14 08 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 ea > RSP: 0018:ffffc900000079c8 EFLAGS: 00010246 > RAX: 0000000000000000 RBX: 00000000fffffff2 RCX: dffffc0000000000 > RDX: ffff88803d790000 RSI: ffffffff885e62cf RDI: 0000000000000002 > RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 > R10: ffffffff885e6448 R11: 0000000000000000 R12: 000000000000050c > R13: ffff88803f42a0e4 R14: 0000000000000510 R15: ffff888070e2c500 > FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007f0dce1763ad CR3: 0000000027250000 CR4: 00000000001506f0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > Call Trace: > <IRQ> > sctp6_rcv+0x38/0x60 net/sctp/ipv6.c:1109 > ip6_protocol_deliver_rcu+0x2e9/0x1ca0 net/ipv6/ip6_input.c:422 > ip6_input_finish+0x62/0x170 net/ipv6/ip6_input.c:463 > NF_HOOK include/linux/netfilter.h:307 [inline] > NF_HOOK include/linux/netfilter.h:301 [inline] > ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:472 > dst_input include/net/dst.h:460 [inline] > ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline] > NF_HOOK include/linux/netfilter.h:307 [inline] > NF_HOOK include/linux/netfilter.h:301 [inline] > ipv6_rcv+0x28c/0x3c0 net/ipv6/ip6_input.c:297 > __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5436 > __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5550 > process_backlog+0x2a5/0x6c0 net/core/dev.c:6427 > __napi_poll+0xaf/0x440 net/core/dev.c:6982 > napi_poll net/core/dev.c:7049 [inline] > net_rx_action+0x801/0xb40 net/core/dev.c:7136 > __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 > do_softirq.part.0+0xde/0x130 kernel/softirq.c:459 > </IRQ> > do_softirq kernel/softirq.c:451 [inline] > __local_bh_enable_ip+0x102/0x120 kernel/softirq.c:383 > spin_unlock_bh include/linux/spinlock.h:408 [inline] > addrconf_dad_work+0x474/0x1340 net/ipv6/addrconf.c:4077 > process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297 > worker_thread+0x658/0x11f0 kernel/workqueue.c:2444 > kthread+0x3e5/0x4d0 kernel/kthread.c:319 > ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 > Modules linked in: > ---[ end trace 80d76c5102c944b0 ]--- > RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline] > RIP: 0010:sctp_rcv+0x1d84/0x3220 net/sctp/input.c:196 > Code: fb 03 0f 8e 51 01 00 00 e8 99 ac 17 f9 4c 01 ed e8 91 ac 17 f9 48 8d 7d 02 48 b9 00 00 00 00 00 fc ff df 48 89 f8 48 c1 e8 03 <0f> b6 14 08 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 ea > RSP: 0018:ffffc900000079c8 EFLAGS: 00010246 > RAX: 0000000000000000 RBX: 00000000fffffff2 RCX: dffffc0000000000 > RDX: ffff88803d790000 RSI: ffffffff885e62cf RDI: 0000000000000002 > RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 > R10: ffffffff885e6448 R11: 0000000000000000 R12: 000000000000050c > R13: ffff88803f42a0e4 R14: 0000000000000510 R15: ffff888070e2c500 > FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007f0dce1763ad CR3: 0000000027250000 CR4: 00000000001506f0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > ---------------- > Code disassembly (best guess): > 0: fb sti > 1: 03 0f add (%rdi),%ecx > 3: 8e 51 01 mov 0x1(%rcx),%ss > 6: 00 00 add %al,(%rax) > 8: e8 99 ac 17 f9 callq 0xf917aca6 > d: 4c 01 ed add %r13,%rbp > 10: e8 91 ac 17 f9 callq 0xf917aca6 > 15: 48 8d 7d 02 lea 0x2(%rbp),%rdi > 19: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx > 20: fc ff df > 23: 48 89 f8 mov %rdi,%rax > 26: 48 c1 e8 03 shr $0x3,%rax > * 2a: 0f b6 14 08 movzbl (%rax,%rcx,1),%edx <-- trapping instruction > 2e: 48 89 f8 mov %rdi,%rax > 31: 83 e0 07 and $0x7,%eax > 34: 83 c0 01 add $0x1,%eax > 37: 38 d0 cmp %dl,%al > 39: 7c 08 jl 0x43 > 3b: 84 d2 test %dl,%dl > 3d: 0f .byte 0xf > 3e: 85 ea test %ebp,%edx > > > --- > This report is generated by a bot. It may contain errors. > See https://goo.gl/tpsmEJ for more information about syzbot. > syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx. > > syzbot will keep track of this issue. See: > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
