syzbot


kernel BUG in cdc_ncm_fill_tx_frame

Status: upstream: reported syz repro on 2023/06/02 18:39
Subsystems: usb
Reported-by: syzbot+1994e2ecf323ed90f255@syzkaller.appspotmail.com
First crash: 764d, last: 13d
Cause bisection: failed (error log, bisect log)
Fix bisection: failed (error log, bisect log)
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [net?] [usb?] kernel BUG in cdc_ncm_fill_tx_frame 0 (2) 2023/06/02 19:09
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-10 kernel BUG in add_grec C error 83 1195d 1269d 2/2 fixed on 2022/03/29 10:01
android-54 kernel BUG at net/core/skbuff.c:LINE! C 267 781d 2001d 0/2 auto-obsoleted due to no activity on 2023/08/22 15:17
android-5-15 kernel BUG in cdc_ncm_fill_tx_frame (2) origin:downstream C done 5 774d 788d 2/2 fixed on 2023/06/16 14:10
android-5-10 kernel BUG in add_grec (2) C error inconclusive 1039 955d 955d 2/2 fixed on 2023/02/24 12:10
android-5-10 kernel BUG in cdc_ncm_fill_tx_frame C error 40 1287d 1353d 1/2 fixed on 2021/12/29 12:20
android-5-15 kernel BUG in cdc_ncm_fill_tx_frame 1 955d 955d 0/2 auto-obsoleted due to no activity on 2023/04/11 17:56
android-5-10 kernel BUG in cdc_ncm_fill_tx_frame (2) C error 3 781d 788d 2/2 fixed on 2023/06/28 00:02
Last patch testing requests (10)
Created Duration User Patch Repo Result
2025/06/22 17:48 28m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2025/05/30 07:55 15m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing OK log
2025/04/13 16:34 46m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2025/03/21 05:37 9m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing report log
2025/02/02 09:06 23m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2025/01/06 18:23 8m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing report log
2024/11/24 07:32 18m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2024/10/28 17:15 9m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing report log
2024/10/13 19:34 31m retest repro upstream OK log
2024/09/15 06:03 17m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2024/10/15 06:23 0m bisect fix upstream error job log
2024/01/06 13:22 2h04m bisect fix upstream OK (0) job log log

Sample crash report:
skbuff: skb_over_panic: text:ffff80000db33558 len:428 put:172 head:ffff0000c2c66100 data:ffff0000c2c66100 tail:0x1ac end:0x140 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:200!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 5642 Comm: dhcpcd Not tainted 6.4.0-rc3-syzkaller-geb0f1697d729 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : skb_panic net/core/skbuff.c:196 [inline]
pc : skb_over_panic+0x13c/0x140 net/core/skbuff.c:205
lr : skb_panic net/core/skbuff.c:196 [inline]
lr : skb_over_panic+0x13c/0x140 net/core/skbuff.c:205
sp : ffff800020cf6ce0
x29: ffff800020cf6cf0 x28: ffff0000dce10b40 x27: dfff800000000000
x26: ffff0000dce10b50 x25: 00000000000001ac x24: ffff0000c2c66100
x23: ffff0000c2c66100 x22: 00000000000001ac x21: 0000000000000140
x20: 00000000000000ac x19: ffff80000db33558 x18: ffff800020cf6340
x17: 0000000000000000 x16: ffff8000124340b0 x15: 0000000000000605
x14: 0000000000000000 x13: 0000000000000001 x12: 0000000000000001
x11: 0000000000000604 x10: 0000000000000000 x9 : 1eee255e7785d700
x8 : 1eee255e7785d700 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff800020cf65f8 x4 : ffff800015f9e800 x3 : ffff80000aa946e4
x2 : 0000000000000001 x1 : 0000000100000604 x0 : 0000000000000089
Call trace:
 skb_panic net/core/skbuff.c:196 [inline]
 skb_over_panic+0x13c/0x140 net/core/skbuff.c:205
 skb_put+0x128/0x1b8 net/core/skbuff.c:2390
 skb_put_zero include/linux/skbuff.h:2595 [inline]
 cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1132 [inline]
 cdc_ncm_fill_tx_frame+0xdf0/0x30e0 drivers/net/usb/cdc_ncm.c:1309
 cdc_ncm_tx_fixup+0xac/0x110
 usbnet_start_xmit+0x100/0x1a20 drivers/net/usb/usbnet.c:1365
 __netdev_start_xmit include/linux/netdevice.h:4915 [inline]
 netdev_start_xmit include/linux/netdevice.h:4929 [inline]
 xmit_one net/core/dev.c:3578 [inline]
 dev_hard_start_xmit+0x240/0x8ac net/core/dev.c:3594
 sch_direct_xmit+0x234/0x548 net/sched/sch_generic.c:342
 __dev_xmit_skb net/core/dev.c:3805 [inline]
 __dev_queue_xmit+0x147c/0x3318 net/core/dev.c:4210
 dev_queue_xmit include/linux/netdevice.h:3085 [inline]
 lapbeth_data_transmit+0x1e0/0x298 drivers/net/wan/lapbether.c:259
 lapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447
 lapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149
 lapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251
 lapb_establish_data_link+0x94/0xec
 lapb_device_event+0x348/0x4e0
 notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93
 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461
 __dev_notify_flags+0x2bc/0x544
 dev_change_flags+0xd0/0x15c net/core/dev.c:8643
 devinet_ioctl+0x858/0x17e4 net/ipv4/devinet.c:1150
 inet_ioctl+0x2ac/0x4d8 net/ipv4/af_inet.c:977
 sock_do_ioctl+0x134/0x2dc net/socket.c:1201
 sock_ioctl+0x4ec/0x858 net/socket.c:1318
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:856
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
 el0_svc+0x4c/0x15c arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
Code: aa1803e6 aa1903e7 a90023f5 9477281a (d4210000) 
---[ end trace 0000000000000000 ]---

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/06/02 22:27 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci eb0f1697d729 a4ae4f42 .config console log report syz [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 kernel BUG in cdc_ncm_fill_tx_frame
2024/05/08 07:06 upstream dccb07f2914c 4cf3f9b3 .config console log report syz [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream kernel BUG in cdc_ncm_fill_tx_frame
2023/07/01 16:53 upstream b25f62ccb490 af3053d2 .config strace log report syz [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root kernel BUG in cdc_ncm_fill_tx_frame
2023/06/02 19:09 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 243ff7e6a035 a4ae4f42 .config console log report syz [disk image] [vmlinux] [kernel image] ci2-upstream-usb kernel BUG in cdc_ncm_fill_tx_frame
2023/06/02 14:23 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 243ff7e6a035 a4ae4f42 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-usb kernel BUG in cdc_ncm_fill_tx_frame
* Struck through repros no longer work on HEAD.