Thread: 3 messages, 3 authors, 2018-02-25

BUG: unable to handle kernel paging request in ebt_among_mt_check

From: syzbot <hidden>
Date: 2018-02-18 22:59:48
Also in: bridge, lkml, netfilter-devel

Hello,

syzbot hit the following crash on net-next commit
1ec010e705934c8acbe7dbf31afc81e60e3d828b (Fri Feb 16 10:03:07 2018 +0000)
tun: export flags, uid, gid, queue information over netlink

So far this crash happened 6 times on net-next, upstream.
C reproducer is attached.
syzkaller reproducer is attached.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fe0b19af568972814355@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

IPVS: ftp: loaded support on port[0] = 21
BUG: unable to handle kernel paging request at ffffc900017c752d
IP: ebt_among_mt_check+0x170/0x350 net/bridge/netfilter/ebt_among.c:187
PGD 1db12d067 P4D 1db12d067 PUD 1db12e067 PMD 1c3322067 PTE 0
Oops: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
    (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4122 Comm: syzkaller721371 Not tainted 4.16.0-rc1+ #231
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:ebt_among_mt_check+0x170/0x350 net/bridge/netfilter/ebt_among.c:187
RSP: 0018:ffff8801cd37f210 EFLAGS: 00010246
RAX: 0000000000000008 RBX: ffffc900017bf128 RCX: ffffffff84f12f1e
RDX: 0000000000000000 RSI: 0000000000000870 RDI: ffffc900017c752d
RBP: ffff8801cd37f240 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff8818c280 R11: 0000000000000000 R12: ffffc900017c7129
R13: ffff8801cd37f548 R14: ffffc900017bf131 R15: 0000000030000414
FS:  000000000170d940(0000) GS:ffff8801db500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc900017c752d CR3: 00000001ba8a3004 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  xt_check_match+0x231/0x7d0 net/netfilter/x_tables.c:470
  ebt_check_match net/bridge/netfilter/ebtables.c:374 [inline]
  ebt_check_entry+0xbc3/0x1e00 net/bridge/netfilter/ebtables.c:704
  translate_table+0xcf5/0x2290 net/bridge/netfilter/ebtables.c:945
  do_replace_finish+0x79a/0x2620 net/bridge/netfilter/ebtables.c:1002
  do_replace+0x333/0x4b0 net/bridge/netfilter/ebtables.c:1141
  do_ebt_set_ctl+0xd4/0x110 net/bridge/netfilter/ebtables.c:1518
  nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
  nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
  ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1261
  tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2905
  sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2979
  SYSC_setsockopt net/socket.c:1850 [inline]
  SyS_setsockopt+0x189/0x360 net/socket.c:1829
  do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x44cee9
RSP: 002b:00007ffcc80c4578 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000044cee9
RDX: 0000000000000080 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 000000000170e940 R08: 0000000000000d80 R09: 000000000170e940
R10: 0000000020fb1000 R11: 0000000000000246 R12: 585858582e72656c
R13: 6c616b7a79732f2e R14: 0000000000000000 R15: 0000000000000000
Code: 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 c9 01 00 00 <41> 8b 84 24 04 04 00 00 8d 04 40 45 8d bc 87 08 04 00 00 4d 63
RIP: ebt_among_mt_check+0x170/0x350 net/bridge/netfilter/ebt_among.c:187 RSP: ffff8801cd37f210
CR2: ffffc900017c752d
---[ end trace 39ec805adb913149 ]---


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
