Re: [PATCH net] ipv6: sit: fix skb_under_panic with overflowed needed_headroom
From: Wang Liang
Date: Thu Mar 27 2025 - 03:40:22 EST
On 2025/3/27 14:39, Eric Dumazet wrote:
> On Thu, Mar 27, 2025 at 7:33 AM Wang Liang <wangliang74@xxxxxxxxxx> wrote:
>> You can get the report in
>> https://syzkaller.appspot.com/text?tag=CrashReport&x=106b6b34880000
>
> Well, please provide the most accurate stack trace with symbols in
> your patch then?
> If you spent time reproducing the issue and providing your stack
> trace, please add the symbols.

Thank you for the reminder of decode_stacktrace.sh.
I just reproduced the issue and first used decode_stacktrace.sh to get the
stack trace below [1]; please check it. I will update the stack trace in my
patch later.
Thanks.
[1]
[ 895.885034][T23587] ------------[ cut here ]------------
[ 895.885951][T23587] kernel BUG at net/core/skbuff.c:209!
[ 895.886889][T23587] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
[ 895.888037][T23587] CPU: 0 UID: 0 PID: 23587 Comm: test Tainted: G W 6.14.0-00624-g2f2d52945852-dirty #15
[ 895.889837][T23587] Tainted: [W]=WARN
[ 895.890469][T23587] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[895.891962][T23587] RIP: 0010:skb_panic (net/core/skbuff.c:209 (discriminator 4))
[ 895.892786][T23587] Code: 0f b6 04 01 84 c0 74 04 3c 03 7e 20 8b 4b 70 41 56 45 89 e8 48 c7 c7 c0 0c 7e 8b 41 57 56 48 89 ee 52 4c 89 e2 e8 6a 40 6e f9 <0f> 0b 4c 89 4c 24 10 48 89 54 24 08 48 89 34 24 e8 b5 68 ec f9 4c
[ 895.895918][T23587] RSP: 0018:ffffc900000e6a18 EFLAGS: 00010282
[ 895.897396][T23587] RAX: 0000000000000088 RBX: ffff88809a0cd000 RCX: ffffffff819352e9
[ 895.898695][T23587] RDX: 0000000000000000 RSI: ffffffff8193bd1d RDI: 0000000000000005
[ 895.899992][T23587] RBP: ffffffff8b7e2020 R08: 0000000000000000 R09: fffffbfff1989a84
[ 895.901274][T23587] R10: 0000000000000200 R11: 000000000023df70 R12: ffffffff88d9b291
[ 895.902561][T23587] R13: 0000000000000008 R14: ffff88805013e120 R15: 0000000000000180
[ 895.903863][T23587] FS: 00000000162863c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
[ 895.905307][T23587] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 895.906378][T23587] CR2: ffffffffff600400 CR3: 0000000094fcc000 CR4: 00000000000006f0
[ 895.907669][T23587] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 895.908960][T23587] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 895.910252][T23587] Call Trace:
[ 895.910798][T23587] <TASK>
[895.923567][T23587] skb_push (net/core/skbuff.c:2544)
[895.924232][T23587] fou_build_udp (./include/linux/skbuff.h:3026 net/ipv4/fou_core.c:1041)
[895.925001][T23587] gue_build_header (net/ipv4/fou_core.c:1085)
[895.927586][T23587] ip_tunnel_xmit (./include/net/ip_tunnels.h:541 ./include/net/ip_tunnels.h:525 net/ipv4/ip_tunnel.c:780)
[895.931769][T23587] sit_tunnel_xmit__.isra.0 (net/ipv6/sit.c:1065)
[895.932682][T23587] sit_tunnel_xmit (net/ipv6/sit.c:1076)
[895.937147][T23587] dev_hard_start_xmit (./include/linux/netdevice.h:5161 net/core/dev.c:3800 net/core/dev.c:3816)
[895.937996][T23587] __dev_queue_xmit (net/core/dev.h:320 net/core/dev.c:4653)
[895.945680][T23587] neigh_connected_output (./include/linux/netdevice.h:3313 net/core/neighbour.c:1543)
[895.946570][T23587] ip_finish_output2 (./include/net/neighbour.h:539 net/ipv4/ip_output.c:236)
[895.948304][T23587] __ip_finish_output (net/ipv4/ip_output.c:314 net/ipv4/ip_output.c:296)
[895.949152][T23587] ip_finish_output (net/ipv4/ip_output.c:324)
[895.949945][T23587] ip_mc_output (./include/linux/netfilter.h:303 net/ipv4/ip_output.c:421)
[895.951538][T23587] ip_send_skb (./include/net/dst.h:459 ./include/net/dst.h:457 net/ipv4/ip_output.c:130 net/ipv4/ip_output.c:1502)
[895.952279][T23587] udp_send_skb (net/ipv4/udp.c:1197)
[895.953048][T23587] udp_sendmsg (net/ipv4/udp.c:1484)
[895.962452][T23587] udpv6_sendmsg (net/ipv6/udp.c:1545 (discriminator 1))
[895.976909][T23587] inet6_sendmsg (net/ipv6/af_inet6.c:659 (discriminator 4))
[895.978530][T23587] ____sys_sendmsg (net/socket.c:718 net/socket.c:733 net/socket.c:2573)
[895.982832][T23587] ___sys_sendmsg (net/socket.c:2629)
[895.988814][T23587] __sys_sendmmsg (net/socket.c:2719)
[895.994530][T23587] __x64_sys_sendmmsg (net/socket.c:2740)
[895.996217][T23587] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[895.996965][T23587] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 895.997937][T23587] RIP: 0033:0x44a19d
[ 895.998581][T23587] Code: c3 e8 37 1f 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 896.001683][T23587] RSP: 002b:00007fffc1b01a88 EFLAGS: 00000216 ORIG_RAX: 0000000000000133
[ 896.003032][T23587] RAX: ffffffffffffffda RBX: 0000000020000014 RCX: 000000000044a19d
[ 896.004311][T23587] RDX: 0000000000000001 RSI: 00000000200017c0 RDI: 0000000000000003
[ 896.005595][T23587] RBP: 00007fffc1b01ab0 R08: 0000000000000000 R09: 0000000000000000
[ 896.006891][T23587] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000001
[ 896.008164][T23587] R13: 00007fffc1b01cf8 R14: 00000000004c4710 R15: 0000000000000001
[ 896.009454][T23587] </TASK>
[ 896.009969][T23587] Modules linked in:
[ 896.010664][T23587] ---[ end trace 0000000000000000 ]---