syzbot


general protection fault in ip6_pol_route (3)

Status: upstream: reported syz repro on 2025/02/04 14:07
Subsystems: bcachefs net
Reported-by: syzbot+3201be560ebfa39bc6bd@syzkaller.appspotmail.com
First crash: 184d, last: 5d16h
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [net?] general protection fault in ip6_pol_route (3) 3 (7) 2025/02/07 12:24
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in ip6_pol_route (2) net C done unreliable 9 1062d 1498d 0/28 auto-obsoleted due to no activity on 2022/09/19 15:39
upstream general protection fault in ip6_pol_route (2) net 15 275d 282d 0/28 auto-obsoleted due to no activity on 2024/08/28 04:33
upstream general protection fault in ip6_pol_route net 73 283d 321d 26/28 fixed on 2024/06/18 11:11
linux-5.15 KASAN: use-after-free Read in ip6_pol_route 1 367d 367d 0/3 auto-obsoleted due to no activity on 2024/07/04 16:14
upstream Internal error in ip6_pol_route net 2 503d 527d 0/28 auto-obsoleted due to no activity on 2024/02/18 23:43
Last patch testing requests (7)
Created Duration User Patch Repo Result
2025/02/07 12:10 12m hdanton@sina.com patch upstream error
2025/02/06 11:24 0m hdanton@sina.com patch upstream error
2025/02/05 11:34 12m hdanton@sina.com patch upstream error
2025/01/07 14:54 13m retest repro upstream report log
2024/12/12 02:47 13m retest repro upstream report log
2024/10/17 12:22 20m edumazet@google.com upstream report log
2024/10/09 04:20 16m retest repro upstream report log

Sample crash report:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000013: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000098-0x000000000000009f]
CPU: 0 UID: 0 PID: 975 Comm: kworker/0:2 Not tainted 6.14.0-rc3-syzkaller-00096-ge9a8cac0bf89 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: wg-crypt-wg2 wg_packet_decrypt_worker
RIP: 0010:rt6_get_pcpu_route net/ipv6/route.c:1411 [inline]
RIP: 0010:ip6_pol_route+0x4d1/0x15d0 net/ipv6/route.c:2264
Code: 8a f7 48 8b 03 65 4c 8b 30 31 ff 4c 89 f6 e8 76 56 25 f7 4d 85 f6 0f 84 da 00 00 00 49 8d 9e 98 00 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 12 0f 00 00 44 8b 3b 31 ff 44 89 fe e8
RSP: 0018:ffffc90000006ec0 EFLAGS: 00010202
RAX: 0000000000000013 RBX: 0000000000000099 RCX: ffff88802648bc00
RDX: 0000000000000100 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90000007010 R08: ffffffff8a9c689a R09: ffff8880325513c0
R10: dffffc0000000000 R11: fffffbfff20777cf R12: ffffc90000006f90
R13: 1ffff92000000df2 R14: 0000000000000001 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa178d704e0 CR3: 000000002a762000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 pol_lookup_func include/net/ip6_fib.h:616 [inline]
 fib6_rule_lookup+0x58c/0x790 net/ipv6/fib6_rules.c:119
 ip6_route_input_lookup net/ipv6/route.c:2300 [inline]
 ip6_route_input+0x859/0xd90 net/ipv6/route.c:2596
 ip6_list_rcv_finish net/ipv6/ip6_input.c:130 [inline]
 ip6_sublist_rcv+0x72c/0xec0 net/ipv6/ip6_input.c:319
 ipv6_list_rcv+0x42d/0x480 net/ipv6/ip6_input.c:353
 __netif_receive_skb_list_ptype net/core/dev.c:5871 [inline]
 __netif_receive_skb_list_core+0x755/0x980 net/core/dev.c:5918
 __netif_receive_skb_list net/core/dev.c:5970 [inline]
 netif_receive_skb_list_internal+0xa51/0xe30 net/core/dev.c:6061
 gro_normal_list include/net/gro.h:515 [inline]
 napi_complete_done+0x2b5/0x870 net/core/dev.c:6428
 wg_packet_rx_poll+0x24ad/0x2540 drivers/net/wireguard/receive.c:488
 __napi_poll+0xcb/0x490 net/core/dev.c:7106
 napi_poll net/core/dev.c:7175 [inline]
 net_rx_action+0x89b/0x1240 net/core/dev.c:7297
 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
 do_softirq+0x11b/0x1e0 kernel/softirq.c:462
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:389
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]
 wg_packet_decrypt_worker+0xcde/0xd80 drivers/net/wireguard/receive.c:499
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xabe/0x18e0 kernel/workqueue.c:3317
 worker_thread+0x870/0xd30 kernel/workqueue.c:3398
 kthread+0x7a9/0x920 kernel/kthread.c:464
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:rt6_get_pcpu_route net/ipv6/route.c:1411 [inline]
RIP: 0010:ip6_pol_route+0x4d1/0x15d0 net/ipv6/route.c:2264
Code: 8a f7 48 8b 03 65 4c 8b 30 31 ff 4c 89 f6 e8 76 56 25 f7 4d 85 f6 0f 84 da 00 00 00 49 8d 9e 98 00 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 12 0f 00 00 44 8b 3b 31 ff 44 89 fe e8
RSP: 0018:ffffc90000006ec0 EFLAGS: 00010202
RAX: 0000000000000013 RBX: 0000000000000099 RCX: ffff88802648bc00
RDX: 0000000000000100 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90000007010 R08: ffffffff8a9c689a R09: ffff8880325513c0
R10: dffffc0000000000 R11: fffffbfff20777cf R12: ffffc90000006f90
R13: 1ffff92000000df2 R14: 0000000000000001 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa178d704e0 CR3: 000000002a762000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	8a f7                	mov    %bh,%dh
   2:	48 8b 03             	mov    (%rbx),%rax
   5:	65 4c 8b 30          	mov    %gs:(%rax),%r14
   9:	31 ff                	xor    %edi,%edi
   b:	4c 89 f6             	mov    %r14,%rsi
   e:	e8 76 56 25 f7       	call   0xf7255689
  13:	4d 85 f6             	test   %r14,%r14
  16:	0f 84 da 00 00 00    	je     0xf6
  1c:	49 8d 9e 98 00 00 00 	lea    0x98(%r14),%rbx
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 0f b6 04 38       	movzbl (%rax,%r15,1),%eax <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	0f 85 12 0f 00 00    	jne    0xf49
  37:	44 8b 3b             	mov    (%rbx),%r15d
  3a:	31 ff                	xor    %edi,%edi
  3c:	44 89 fe             	mov    %r15d,%esi
  3f:	e8                   	.byte 0xe8

Crashes (18):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/02/20 22:29 upstream e9a8cac0bf89 0808a665 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs general protection fault in ip6_pol_route
2025/03/23 00:59 upstream 183601b78a9b c6512ef7 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro] ci-snapshot-upstream-root general protection fault in ip6_pol_route
2025/03/21 17:24 upstream b3ee1e460951 62330552 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2 (clean fs)] [mounted in repro #3 (clean fs)] ci-snapshot-upstream-root general protection fault in ip6_pol_route
2025/03/21 10:11 upstream b3ee1e460951 62330552 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro] ci-snapshot-upstream-root general protection fault in ip6_pol_route
2025/03/13 11:40 upstream b7f94fcf5546 44be8b44 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro] ci-snapshot-upstream-root general protection fault in ip6_pol_route
2025/03/12 09:51 upstream 0b46b049d6ec ee70e6db .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro] ci-snapshot-upstream-root general protection fault in ip6_pol_route
2024/11/13 17:15 upstream f1b785f4c787 4dfba277 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro] ci-snapshot-upstream-root general protection fault in ip6_pol_route
2024/09/25 04:13 upstream 68e5c7d4cefb 349a68c4 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro] ci-snapshot-upstream-root general protection fault in ip6_pol_route
2025/03/07 00:12 upstream 848e07631744 831e3629 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in ip6_pol_route
2025/03/03 23:58 upstream 99fa936e8e4f c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in ip6_pol_route
2025/03/03 10:04 upstream 7eb172143d55 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in ip6_pol_route
2025/02/13 11:24 upstream 4dc1d1bec898 b27c2402 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in ip6_pol_route
2025/01/20 11:55 upstream ffd294d346d1 f2cb035c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in ip6_pol_route
2024/12/24 14:41 upstream f07044dd0df0 444551c4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in ip6_pol_route
2024/11/26 22:40 upstream 7eef7e306d3c e9a9a9f2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in ip6_pol_route
2024/10/24 07:07 upstream c2ee9f594da8 15fa2979 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in ip6_pol_route
2024/10/22 22:52 upstream c2ee9f594da8 15fa2979 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in ip6_pol_route
2024/11/28 02:42 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 7b1d1d4cfac0 5df23865 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in ip6_pol_route
* Struck through repros no longer work on HEAD.