net/ipv6: warning in __alloc_pages_slowpath/ipip6_tunnel_get_prl
From: Andrey Konovalov
Date: Thu Jun 22 2017 - 06:18:34 EST
Hi,
I've got the following error report while fuzzing the kernel with syzkaller.
On commit 9705596d08ac87c18aee32cc97f2783b7d14624e (4.12-rc6+).
A reproducer and .config are attached.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4313 at mm/page_alloc.c:3700
__alloc_pages_slowpath+0x18fd/0x2360
Modules linked in:
CPU: 1 PID: 4313 Comm: a.out Not tainted 4.12.0-rc6+ #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006a8c1600 task.stack: ffff8800640b8000
RIP: 0010:should_compact_retry mm/page_alloc.c:3385
RIP: 0010:__alloc_pages_slowpath+0x18fd/0x2360 mm/page_alloc.c:3866
RSP: 0018:ffff8800640bec48 EFLAGS: 00010246
RAX: 0000000100010fde RBX: 00000000014000c0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000014 RDI: 000000000140c0c0
RBP: ffff8800640bf180 R08: 0000000000000000 R09: fffffffffff00f88
R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff1000c817e38
R13: ffff8800640bf220 R14: ffff8800640bf340 R15: ffff8800640bf2e0
FS: 00007facb1334700(0000) GS:ffff88006cb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020781000 CR3: 0000000065757000 CR4: 00000000000006e0
Call Trace:
__alloc_pages_nodemask+0x914/0xc80 mm/page_alloc.c:4039
alloc_pages_current+0x1cc/0x6b0 mm/mempolicy.c:2065
alloc_pages ./include/linux/gfp.h:478
kmalloc_order+0x24/0x70 mm/slab_common.c:1114
kmalloc_order_trace+0x24/0x160 mm/slab_common.c:1125
kmalloc_large ./include/linux/slab.h:424
__kmalloc+0x215/0x2d0 mm/slub.c:3734
kmalloc_array ./include/linux/slab.h:611
kcalloc ./include/linux/slab.h:622
ipip6_tunnel_get_prl net/ipv6/sit.c:308
ipip6_tunnel_ioctl+0xed1/0x2070 net/ipv6/sit.c:1263
dev_ifsioc+0x544/0x9f0 net/core/dev_ioctl.c:338
dev_ioctl+0xc41/0x1160 net/core/dev_ioctl.c:555
sock_ioctl+0x16e/0x440 net/socket.c:944
vfs_ioctl fs/ioctl.c:45
do_vfs_ioctl+0x1c4/0x1660 fs/ioctl.c:685
SYSC_ioctl fs/ioctl.c:700
SyS_ioctl+0x94/0xc0 fs/ioctl.c:691
entry_SYSCALL_64_fastpath+0x1f/0xbe arch/x86/entry/entry_64.S:203
RIP: 0033:0x7facb0a46b79
RSP: 002b:00007ffeb5763068 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffeb5763170 RCX: 00007facb0a46b79
RDX: 0000000020781000 RSI: 00000000000089f4 RDI: 0000000000000004
RBP: 00000000004004e0 R08: 0003000000000019 R09: 0000000000000000
R10: 00e315ffffff0300 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffeb5763170 R14: 0000000000000000 R15: 0000000000000000
Code: ff ff 39 d8 0f 8f b4 01 00 00 8b 85 d8 fa ff ff c7 85 98 fb ff
ff 01 00 00 00 41 bd 01 00 00 00 89 85 a0 fb ff ff e9 2d fc ff ff <0f>
ff e9 ca e8 ff ff 0f ff 89 d8 c7 85 ec fa ff ff 00 00 00 00
---[ end trace edcb5387b3d4d646 ]---
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#ifndef __NR_ioctl
#define __NR_ioctl 16
#endif
#ifndef __NR_mmap
#define __NR_mmap 9
#endif
#ifndef __NR_socket
#define __NR_socket 41
#endif
#ifndef __NR_setsockopt
#define __NR_setsockopt 54
#endif
#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
long r[13];
void loop()
{
memset(r, -1, sizeof(r));
r[0] = syscall(__NR_mmap, 0x20000000ul, 0x93b000ul, 0x3ul, 0x32ul,
0xfffffffffffffffful, 0x0ul);
r[1] = syscall(__NR_socket, 0x2ul, 0x1ul, 0x0ul);
memcpy((void*)0x208e8000, "\x45", 1);
r[3] =
syscall(__NR_setsockopt, r[1], 0x0ul, 0x0ul, 0x208e8000ul, 0x1ul);
memcpy((void*)0x2012cfd8,
"\x73\x69\x74\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00",
16);
*(uint64_t*)0x2012cfe8 = (uint64_t)0x208e7fe0;
memcpy((void*)0x208e7fe0,
"\x01\x00\x00\x00\x09\x00\x02\x00\x00\x03\x06\x00\x00\x00\xeb"
"\x00\xec\xff\x00\x00\x00\x00\x03\x00\x04\x49\xfa\xf5\x02\x00"
"\x7e\x23",
32);
r[7] = syscall(__NR_ioctl, r[1], 0x89f1ul, 0x2012cfd8ul);
r[8] = syscall(__NR_socket, 0x2ul, 0x1ul, 0x0ul);
memcpy((void*)0x20781000,
"\x01\x00\x01\xe9\x00\x00\x00\x00\x04\x00\xff\xfe\x00\x00\x00"
"\x02",
16);
*(uint64_t*)0x20781010 = (uint64_t)0x208e7fe0;
memcpy((void*)0x208e7fe0,
"\x00\x00\x00\x00\x00\x00\x02\x00\x00\x03\xff\xff\xff\x15\xe3"
"\x00\x19\x00\x00\x00\x00\x00\x03\x00\x04\x49\xfa\xf5\x23\x8f"
"\x7e\x23",
32);
r[12] = syscall(__NR_ioctl, r[8], 0x89f4ul, 0x20781000ul);
}
int main()
{
loop();
return 0;
}
Attachment:
.config
Description: Binary data