syzbot


BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li() (3)

Status: upstream: reported C repro on 2022/09/22 23:07
Subsystems: dccp
Reported-by: syzbot+2ad8ef335371014d4dc7@syzkaller.appspotmail.com
First crash: 971d, last: 121d
Cause bisection: failed (error log, bisect log)
Fix bisection: failed (error log, bisect log)
Discussions (15)
Title Replies (including bot) Last reply
[syzbot] Monthly dccp report (Jan 2025) 0 (1) 2025/01/16 10:11
[syzbot] Monthly dccp report (Sep 2024) 0 (1) 2024/09/15 14:39
[syzbot] Monthly dccp report (Aug 2024) 0 (1) 2024/08/15 10:40
[syzbot] Monthly dccp report (Jul 2024) 0 (1) 2024/07/15 11:52
[syzbot] Monthly dccp report (May 2024) 0 (1) 2024/05/14 20:49
[syzbot] Monthly dccp report (Mar 2024) 0 (1) 2024/03/06 09:53
[syzbot] Monthly dccp report (Jan 2024) 0 (1) 2024/01/16 07:56
[syzbot] Monthly dccp report (Dec 2023) 0 (1) 2023/12/08 13:16
[syzbot] Monthly dccp report (Nov 2023) 0 (1) 2023/11/07 04:52
[syzbot] Monthly dccp report (Sep 2023) 0 (1) 2023/09/29 09:08
[syzbot] Monthly dccp report (Aug 2023) 0 (1) 2023/08/29 07:13
[syzbot] Monthly dccp report (Jul 2023) 0 (1) 2023/07/22 14:10
[syzbot] Monthly dccp report (May 2023) 0 (1) 2023/05/13 09:53
[syzbot] Monthly dccp report 0 (1) 2023/04/12 08:35
[syzbot] BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li() (3) 0 (1) 2022/09/22 23:07
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li() 1 1488d 1488d 0/1 auto-closed as invalid on 2021/08/17 18:35
upstream BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li() (2) dccp 2 1122d 1155d 0/28 auto-closed as invalid on 2022/07/19 17:37
upstream BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li() dccp 1 1370d 1366d 0/28 auto-closed as invalid on 2021/11/13 12:08
Last patch testing requests (10)
Created Duration User Patch Repo Result
2025/05/14 02:48 49m retest repro upstream OK log
2025/04/11 16:30 18m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2025/03/27 01:40 41m retest repro upstream report log
2025/03/04 11:14 24m retest repro upstream report log
2025/01/31 11:05 19m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2025/01/16 01:12 11m retest repro upstream report log
2024/12/24 10:19 16m retest repro upstream report log
2024/11/09 15:55 23m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2024/11/07 00:56 13m retest repro upstream report log
2024/08/31 10:00 17m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
Fix bisection attempts (11)
Created Duration User Patch Repo Result
2024/10/15 08:26 0m bisect fix upstream error job log
2024/09/15 05:49 2h34m bisect fix upstream OK (0) job log log
2024/08/14 22:45 1h36m bisect fix upstream OK (0) job log log
2024/07/14 18:12 2h03m bisect fix upstream OK (0) job log log
2024/03/05 14:02 2h51m bisect fix upstream OK (0) job log log
2023/10/29 12:56 1h47m bisect fix upstream OK (0) job log log
2023/04/30 19:27 24m bisect fix upstream OK (0) job log log
2023/03/31 08:02 56m bisect fix upstream OK (0) job log log
2023/02/28 13:37 24m bisect fix upstream OK (0) job log log
2023/01/28 17:28 24m bisect fix upstream OK (0) job log log
2022/11/23 05:07 25m bisect fix upstream OK (0) job log log

Sample crash report:
BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:691/ccid3_first_li()
CPU: 1 PID: 1257 Comm: kworker/1:2 Not tainted 6.7.0-syzkaller-02320-gacc657692aed #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
 ccid3_first_li+0x2f8/0x500 net/dccp/ccids/ccid3.c:691
 tfrc_lh_interval_add+0x610/0x8e0 net/dccp/ccids/lib/loss_interval.c:157
 tfrc_rx_handle_loss+0xe04/0x20a0 net/dccp/ccids/lib/packet_history.c:328
 ccid3_hc_rx_packet_recv+0x372/0xf50 net/dccp/ccids/ccid3.c:744
 ccid_hc_rx_packet_recv net/dccp/ccid.h:182 [inline]
 dccp_deliver_input_to_ccids+0xe3/0x260 net/dccp/input.c:176
 dccp_rcv_established net/dccp/input.c:374 [inline]
 dccp_rcv_established+0x106/0x160 net/dccp/input.c:364
 dccp_v4_do_rcv+0x169/0x1b0 net/dccp/ipv4.c:675
 sk_backlog_rcv include/net/sock.h:1121 [inline]
 __sk_receive_skb+0x2af/0x840 net/core/sock.c:571
 dccp_v4_rcv+0x128a/0x1980 net/dccp/ipv4.c:898
 ip_protocol_deliver_rcu+0x9f/0x480 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x2e4/0x510 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip_local_deliver+0x18e/0x1f0 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:461 [inline]
 ip_rcv_finish+0x1c4/0x2f0 net/ipv4/ip_input.c:449
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip_rcv+0xaf/0xd0 net/ipv4/ip_input.c:569
 __netif_receive_skb_one_core+0x115/0x180 net/core/dev.c:5532
 __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5646
 process_backlog+0x101/0x6b0 net/core/dev.c:5974
 __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6536
 napi_poll net/core/dev.c:6605 [inline]
 net_rx_action+0x956/0xe90 net/core/dev.c:6738
 __do_softirq+0x21a/0x8de kernel/softirq.c:553
 invoke_softirq kernel/softirq.c:427 [inline]
 __irq_exit_rcu kernel/softirq.c:632 [inline]
 irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
 sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:neigh_alloc net/core/neighbour.c:509 [inline]
RIP: 0010:___neigh_create+0x4fa/0x2a80 net/core/neighbour.c:648
Code: 00 00 48 c7 c6 50 31 78 88 e8 d2 8e fc f8 49 8d be 88 03 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 <0f> 85 71 21 00 00 49 8b 86 88 03 00 00 65 48 ff 00 48 8d 7d 08 48
RSP: 0018:ffffc900043a76c8 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: 0000000000000002 RCX: 1ffffffff1e735cb
RDX: 1ffffffff1dd18a9 RSI: 0000000000000000 RDI: ffffffff8ee8c548
RBP: ffff88801d47f000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: dffffc0000000000 R12: ffffffff8ee8c25c
R13: ffffffff8ee8c218 R14: ffffffff8ee8c1c0 R15: 000000000000009b
 ip6_finish_output2+0x10e9/0x1830 net/ipv6/ip6_output.c:128
 __ip6_finish_output net/ipv6/ip6_output.c:211 [inline]
 ip6_finish_output+0x3c7/0xf80 net/ipv6/ip6_output.c:222
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip6_output+0x1e2/0x530 net/ipv6/ip6_output.c:243
 dst_output include/net/dst.h:451 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ndisc_send_skb+0xa13/0x18f0 net/ipv6/ndisc.c:509
 ndisc_send_rs+0x133/0x6a0 net/ipv6/ndisc.c:719
 addrconf_dad_completed+0x486/0x1030 net/ipv6/addrconf.c:4295
 addrconf_dad_work+0x7f6/0x14b0 net/ipv6/addrconf.c:4203
 process_one_work+0x886/0x15d0 kernel/workqueue.c:2633
 process_scheduled_works kernel/workqueue.c:2706 [inline]
 worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787
 kthread+0x2c6/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
 </TASK>
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	48 c7 c6 50 31 78 88 	mov    $0xffffffff88783150,%rsi
   9:	e8 d2 8e fc f8       	call   0xf8fc8ee0
   e:	49 8d be 88 03 00 00 	lea    0x388(%r14),%rdi
  15:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  1c:	fc ff df
  1f:	48 89 fa             	mov    %rdi,%rdx
  22:	48 c1 ea 03          	shr    $0x3,%rdx
  26:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
* 2a:	0f 85 71 21 00 00    	jne    0x21a1 <-- trapping instruction
  30:	49 8b 86 88 03 00 00 	mov    0x388(%r14),%rax
  37:	65 48 ff 00          	incq   %gs:(%rax)
  3b:	48 8d 7d 08          	lea    0x8(%rbp),%rdi
  3f:	48                   	rex.W

Crashes (17):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/01/11 07:22 upstream acc657692aed 00f3cc59 .config console log report syz C [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
2022/09/20 17:54 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 5aa266bb455b 7c41a9ba .config console log report syz C ci-upstream-gce-arm64 BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
2024/01/12 01:05 upstream 3e7aeb78ab01 00f3cc59 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
2023/12/08 09:09 upstream 9ace34a8e446 28b24332 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
2022/11/23 05:07 upstream eb7081409f94 9da37ae8 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
2023/09/25 18:17 upstream 6465e260f487 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
2023/12/30 19:00 upstream f016f7547aee fb427a07 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
2023/08/23 22:23 upstream a5e505a99ca7 4d7ae7ab .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
2023/08/23 16:37 upstream 89bf6209cad6 4d7ae7ab .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
2023/07/24 07:27 upstream 6eaae1980760 68162649 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
2023/07/18 18:08 upstream 74f1456c4a5f 022df2bb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
2023/06/06 08:02 upstream f8dba31b0a82 a4ae4f42 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
2022/09/18 23:05 upstream 38eddeedbbea dd9a85ff .config console log report info ci-upstream-kasan-gce-root BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
2023/05/20 19:12 upstream d635f6cc934b 4bce1a3e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
2023/07/08 16:19 net-next 6843306689af 668cb1fa .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
2023/07/16 02:48 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci e40939bbfc68 35d9ecc5 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
2022/09/20 14:42 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 5aa266bb455b 7c41a9ba .config console log report info ci-upstream-gce-arm64 BUG: stored value of X_recv is zero at net/dccp/ccids/ccid3.c:LINE/ccid3_first_li()
* Struck through repros no longer work on HEAD.