syzbot


general protection fault in sk_psock_verdict_data_ready

Status: auto-obsoleted due to no activity on 2023/09/14 09:29
Subsystems: net
[Documentation on labels]
Reported-by: syzbot+8252ac3e16614ea0ea04@syzkaller.appspotmail.com
First crash: 384d, last: 373d
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [net?] [bpf?] general protection fault in sk_psock_verdict_data_ready 0 (1) 2023/06/01 08:17
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: unable to handle kernel NULL pointer dereference in sk_psock_verdict_data_ready net bpf C unreliable 15 103d 223d 26/28 fixed on 2024/04/02 10:57
upstream KASAN: slab-use-after-free Read in sk_psock_verdict_data_ready bpf net 1 11d 7d16h 0/28 moderation: reported on 2024/06/06 11:10
android-6-1 BUG: unable to handle kernel NULL pointer dereference in sk_psock_verdict_data_ready origin:upstream missing-backport C 156 12h24m 121d 0/2 upstream: reported C repro on 2024/02/13 08:31
linux-6.1 BUG: unable to handle kernel NULL pointer dereference in sk_psock_verdict_data_ready origin:upstream C done 1 120d 120d 3/3 fixed on 2024/03/18 12:46

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc000000005c: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000002e0-0x00000000000002e7]
CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 6.4.0-rc4-syzkaller-00207-gfb928170e32e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
RIP: 0010:sk_psock_verdict_data_ready+0x19f/0x3c0 net/core/skmsg.c:1213
Code: 4c 89 e6 e8 a3 a8 5e f9 4d 85 e4 75 75 e8 59 ac 5e f9 48 8d bb e0 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 07 02 00 00 48 89 ef ff 93 e0 02 00 00 e8 59 32
RSP: 0018:ffffc900001b7688 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000100
RDX: 000000000000005c RSI: ffffffff882599e7 RDI: 00000000000002e0
RBP: ffff8880167a3100 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000008000 R15: ffff8880167a3100
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000202880c0 CR3: 000000004c18d000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 tcp_data_ready+0x10a/0x520 net/ipv4/tcp_input.c:5006
 tcp_data_queue+0x25d3/0x4c50 net/ipv4/tcp_input.c:5080
 tcp_rcv_established+0x829/0x1f90 net/ipv4/tcp_input.c:6019
 tcp_v4_do_rcv+0x65a/0x9c0 net/ipv4/tcp_ipv4.c:1722
 tcp_v4_rcv+0x30ed/0x3300 net/ipv4/tcp_ipv4.c:2144
 ip_protocol_deliver_rcu+0x9f/0x480 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x2ec/0x520 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:303 [inline]
 NF_HOOK include/linux/netfilter.h:297 [inline]
 ip_local_deliver+0x1ae/0x200 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:468 [inline]
 ip_rcv_finish+0x1cf/0x2f0 net/ipv4/ip_input.c:449
 NF_HOOK include/linux/netfilter.h:303 [inline]
 NF_HOOK include/linux/netfilter.h:297 [inline]
 ip_rcv+0xae/0xd0 net/ipv4/ip_input.c:569
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5491
 __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5605
 process_backlog+0x101/0x670 net/core/dev.c:5933
 __napi_poll+0xb7/0x6f0 net/core/dev.c:6496
 napi_poll net/core/dev.c:6563 [inline]
 net_rx_action+0x8a9/0xcb0 net/core/dev.c:6696
 __do_softirq+0x1d4/0x905 kernel/softirq.c:571
 run_ksoftirqd kernel/softirq.c:939 [inline]
 run_ksoftirqd+0x31/0x60 kernel/softirq.c:931
 smpboot_thread_fn+0x659/0x9e0 kernel/smpboot.c:164
 kthread+0x344/0x440 kernel/kthread.c:379
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:sk_psock_verdict_data_ready+0x19f/0x3c0 net/core/skmsg.c:1213
Code: 4c 89 e6 e8 a3 a8 5e f9 4d 85 e4 75 75 e8 59 ac 5e f9 48 8d bb e0 02 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 07 02 00 00 48 89 ef ff 93 e0 02 00 00 e8 59 32
RSP: 0018:ffffc900001b7688 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000100
RDX: 000000000000005c RSI: ffffffff882599e7 RDI: 00000000000002e0
RBP: ffff8880167a3100 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000008000 R15: ffff8880167a3100
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000202880c0 CR3: 000000004c18d000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	4c 89 e6             	mov    %r12,%rsi
   3:	e8 a3 a8 5e f9       	callq  0xf95ea8ab
   8:	4d 85 e4             	test   %r12,%r12
   b:	75 75                	jne    0x82
   d:	e8 59 ac 5e f9       	callq  0xf95eac6b
  12:	48 8d bb e0 02 00 00 	lea    0x2e0(%rbx),%rdi
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 07 02 00 00    	jne    0x23b
  34:	48 89 ef             	mov    %rbp,%rdi
  37:	ff 93 e0 02 00 00    	callq  *0x2e0(%rbx)
  3d:	e8                   	.byte 0xe8
  3e:	59                   	pop    %rcx
  3f:	32                   	.byte 0x32

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/06/06 09:29 net fb928170e32e a4ae4f42 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce general protection fault in sk_psock_verdict_data_ready
2023/05/27 00:54 net-next 4781e965e655 cf184559 .config console log report info ci-upstream-net-kasan-gce general protection fault in sk_psock_verdict_data_ready
* Struck through repros no longer work on HEAD.