syzbot


general protection fault in sk_psock_verdict_data_ready

Status: auto-obsoleted due to no activity on 2023/09/14 09:29
Subsystems: net
Reported-by: syzbot+8252ac3e16614ea0ea04@syzkaller.appspotmail.com
First crash: 328d, last: 318d
Discussions (1)
Title | Replies (including bot) | Last reply
[syzbot] [net?] [bpf?] general protection fault in sk_psock_verdict_data_ready | 0 (1) | 2023/06/01 08:17
Similar bugs (3)
Kernel | Title | Labels | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | BUG: unable to handle kernel NULL pointer dereference in sk_psock_verdict_data_ready | net bpf | C | unreliable | | 15 | 47d | 167d | 26/26 | fixed on 2024/04/02 10:57
android-6-1 | BUG: unable to handle kernel NULL pointer dereference in sk_psock_verdict_data_ready | origin:upstream missing-backport | C | | | 14 | 3d06h | 66d | 0/2 | upstream: reported C repro on 2024/02/13 08:31
linux-6.1 | BUG: unable to handle kernel NULL pointer dereference in sk_psock_verdict_data_ready | origin:upstream | C | done | | 1 | 65d | 65d | 3/3 | fixed on 2024/03/18 12:46

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc000000005c: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000002e0-0x00000000000002e7]
CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 6.4.0-rc4-syzkaller-00207-gfb928170e32e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
RIP: 0010:sk_psock_verdict_data_ready+0x19f/0x3c0 net/core/skmsg.c:1213
Code: 4c 89 e6 e8 a3 a8 5e f9 4d 85 e4 75 75 e8 59 ac 5e f9 48 8d bb e0 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 07 02 00 00 48 89 ef ff 93 e0 02 00 00 e8 59 32
RSP: 0018:ffffc900001b7688 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000100
RDX: 000000000000005c RSI: ffffffff882599e7 RDI: 00000000000002e0
RBP: ffff8880167a3100 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000008000 R15: ffff8880167a3100
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000202880c0 CR3: 000000004c18d000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 tcp_data_ready+0x10a/0x520 net/ipv4/tcp_input.c:5006
 tcp_data_queue+0x25d3/0x4c50 net/ipv4/tcp_input.c:5080
 tcp_rcv_established+0x829/0x1f90 net/ipv4/tcp_input.c:6019
 tcp_v4_do_rcv+0x65a/0x9c0 net/ipv4/tcp_ipv4.c:1722
 tcp_v4_rcv+0x30ed/0x3300 net/ipv4/tcp_ipv4.c:2144
 ip_protocol_deliver_rcu+0x9f/0x480 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x2ec/0x520 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:303 [inline]
 NF_HOOK include/linux/netfilter.h:297 [inline]
 ip_local_deliver+0x1ae/0x200 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:468 [inline]
 ip_rcv_finish+0x1cf/0x2f0 net/ipv4/ip_input.c:449
 NF_HOOK include/linux/netfilter.h:303 [inline]
 NF_HOOK include/linux/netfilter.h:297 [inline]
 ip_rcv+0xae/0xd0 net/ipv4/ip_input.c:569
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5491
 __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5605
 process_backlog+0x101/0x670 net/core/dev.c:5933
 __napi_poll+0xb7/0x6f0 net/core/dev.c:6496
 napi_poll net/core/dev.c:6563 [inline]
 net_rx_action+0x8a9/0xcb0 net/core/dev.c:6696
 __do_softirq+0x1d4/0x905 kernel/softirq.c:571
 run_ksoftirqd kernel/softirq.c:939 [inline]
 run_ksoftirqd+0x31/0x60 kernel/softirq.c:931
 smpboot_thread_fn+0x659/0x9e0 kernel/smpboot.c:164
 kthread+0x344/0x440 kernel/kthread.c:379
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:sk_psock_verdict_data_ready+0x19f/0x3c0 net/core/skmsg.c:1213
Code: 4c 89 e6 e8 a3 a8 5e f9 4d 85 e4 75 75 e8 59 ac 5e f9 48 8d bb e0 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 07 02 00 00 48 89 ef ff 93 e0 02 00 00 e8 59 32
RSP: 0018:ffffc900001b7688 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000100
RDX: 000000000000005c RSI: ffffffff882599e7 RDI: 00000000000002e0
RBP: ffff8880167a3100 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000008000 R15: ffff8880167a3100
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000202880c0 CR3: 000000004c18d000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	4c 89 e6             	mov    %r12,%rsi
   3:	e8 a3 a8 5e f9       	callq  0xf95ea8ab
   8:	4d 85 e4             	test   %r12,%r12
   b:	75 75                	jne    0x82
   d:	e8 59 ac 5e f9       	callq  0xf95eac6b
  12:	48 8d bb e0 02 00 00 	lea    0x2e0(%rbx),%rdi
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 07 02 00 00    	jne    0x23b
  34:	48 89 ef             	mov    %rbp,%rdi
  37:	ff 93 e0 02 00 00    	callq  *0x2e0(%rbx)
  3d:	e8                   	.byte 0xe8
  3e:	59                   	pop    %rcx
  3f:	32                   	.byte 0x32

Crashes (2)
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2023/06/06 09:29 | net | fb928170e32e | a4ae4f42 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-upstream-net-this-kasan-gce | general protection fault in sk_psock_verdict_data_ready
2023/05/27 00:54 | net-next | 4781e965e655 | cf184559 | .config | console log | report | | | info | | ci-upstream-net-kasan-gce | general protection fault in sk_psock_verdict_data_ready