syzbot

 sign-in | mailing list | source | docs
🐞 Open [1657]
Subsystems
🐞 Fixed [6026]
🐞 Invalid [14867]
Missing Backports [139]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

general protection fault in ip6_pol_route (3)

Status: upstream: reported syz repro on 2025/02/04 14:07
Subsystems: net
[Documentation on labels]
Reported-by: syzbot+3201be560ebfa39bc6bd@syzkaller.appspotmail.com
First crash: 133d, last: 15d
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [net?] general protection fault in ip6_pol_route (3) 0 (1) 2025/02/04 14:07
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in ip6_pol_route (2) net C done unreliable 9 1011d 1446d 0/28 auto-obsoleted due to no activity on 2022/09/19 15:39
upstream general protection fault in ip6_pol_route (2) net 15 224d 231d 0/28 auto-obsoleted due to no activity on 2024/08/28 04:33
upstream general protection fault in ip6_pol_route net 73 232d 270d 26/28 fixed on 2024/06/18 11:11
linux-5.15 KASAN: use-after-free Read in ip6_pol_route 1 315d 315d 0/3 auto-obsoleted due to no activity on 2024/07/04 16:14
upstream Internal error in ip6_pol_route net 2 452d 475d 0/28 auto-obsoleted due to no activity on 2024/02/18 23:43
Last patch testing requests (4)
Created Duration User Patch Repo Result
2025/01/07 14:54 13m retest repro upstream report log
2024/12/12 02:47 13m retest repro upstream report log
2024/10/17 12:22 20m edumazet@google.com upstream report log
2024/10/09 04:20 16m retest repro upstream report log

Sample crash report:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000013: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000098-0x000000000000009f]
CPU: 0 UID: 0 PID: 24 Comm: kworker/u4:2 Not tainted 6.12.0-rc7-syzkaller-00042-gf1b785f4c787 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound macvlan_process_broadcast
RIP: 0010:rt6_get_pcpu_route net/ipv6/route.c:1408 [inline]
RIP: 0010:ip6_pol_route+0x4d1/0x15d0 net/ipv6/route.c:2264
Code: 93 f7 48 8b 03 65 4c 8b 30 31 ff 4c 89 f6 e8 86 b4 29 f7 4d 85 f6 0f 84 da 00 00 00 49 8d 9e 98 00 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 12 0f 00 00 44 8b 3b 31 ff 44 89 fe e8
RSP: 0018:ffffc900000073a0 EFLAGS: 00010202
RAX: 0000000000000013 RBX: 0000000000000099 RCX: ffff88801bb0c880
RDX: 0000000000000100 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc900000074f0 R08: ffffffff8a6b3a6a R09: ffff888012677b40
R10: dffffc0000000000 R11: fffffbfff203a13e R12: ffffc90000007470
R13: 1ffff92000000e8e R14: 0000000000000001 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7b9a67e000 CR3: 000000003ea02000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 pol_lookup_func include/net/ip6_fib.h:616 [inline]
 fib6_rule_lookup+0x58c/0x790 net/ipv6/fib6_rules.c:117
 ip6_route_input_lookup net/ipv6/route.c:2300 [inline]
 ip6_route_input+0x859/0xd90 net/ipv6/route.c:2596
 ip6_rcv_finish+0x144/0x180 net/ipv6/ip6_input.c:77
 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
 __netif_receive_skb_one_core net/core/dev.c:5670 [inline]
 __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5783
 process_backlog+0x662/0x15b0 net/core/dev.c:6115
 __napi_poll+0xcb/0x490 net/core/dev.c:6779
 napi_poll net/core/dev.c:6848 [inline]
 net_rx_action+0x89b/0x1240 net/core/dev.c:6970
 handle_softirqs+0x2c5/0x980 kernel/softirq.c:554
 do_softirq+0x11b/0x1e0 kernel/softirq.c:455
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 netif_rx+0x83/0x90 net/core/dev.c:5255
 macvlan_broadcast+0x3c4/0x670 drivers/net/macvlan.c:290
 macvlan_process_broadcast+0x50e/0x7f0 drivers/net/macvlan.c:338
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:rt6_get_pcpu_route net/ipv6/route.c:1408 [inline]
RIP: 0010:ip6_pol_route+0x4d1/0x15d0 net/ipv6/route.c:2264
Code: 93 f7 48 8b 03 65 4c 8b 30 31 ff 4c 89 f6 e8 86 b4 29 f7 4d 85 f6 0f 84 da 00 00 00 49 8d 9e 98 00 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 12 0f 00 00 44 8b 3b 31 ff 44 89 fe e8
RSP: 0018:ffffc900000073a0 EFLAGS: 00010202
RAX: 0000000000000013 RBX: 0000000000000099 RCX: ffff88801bb0c880
RDX: 0000000000000100 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc900000074f0 R08: ffffffff8a6b3a6a R09: ffff888012677b40
R10: dffffc0000000000 R11: fffffbfff203a13e R12: ffffc90000007470
R13: 1ffff92000000e8e R14: 0000000000000001 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7b9a67e000 CR3: 000000003ea02000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	93                   	xchg   %eax,%ebx
   1:	f7 48 8b 03 65 4c 8b 	testl  $0x8b4c6503,-0x75(%rax)
   8:	30 31                	xor    %dh,(%rcx)
   a:	ff 4c 89 f6          	decl   -0xa(%rcx,%rcx,4)
   e:	e8 86 b4 29 f7       	call   0xf729b499
  13:	4d 85 f6             	test   %r14,%r14
  16:	0f 84 da 00 00 00    	je     0xf6
  1c:	49 8d 9e 98 00 00 00 	lea    0x98(%r14),%rbx
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 0f b6 04 38       	movzbl (%rax,%r15,1),%eax <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	0f 85 12 0f 00 00    	jne    0xf49
  37:	44 8b 3b             	mov    (%rbx),%r15d
  3a:	31 ff                	xor    %edi,%edi
  3c:	44 89 fe             	mov    %r15d,%esi
  3f:	e8                   	.byte 0xe8

Crashes (8):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/11/13 17:15 upstream f1b785f4c787 4dfba277 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro] ci-snapshot-upstream-root general protection fault in ip6_pol_route
2024/09/25 04:13 upstream 68e5c7d4cefb 349a68c4 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro] ci-snapshot-upstream-root general protection fault in ip6_pol_route
2025/01/20 11:55 upstream ffd294d346d1 f2cb035c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in ip6_pol_route
2024/12/24 14:41 upstream f07044dd0df0 444551c4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in ip6_pol_route
2024/11/26 22:40 upstream 7eef7e306d3c e9a9a9f2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in ip6_pol_route
2024/10/24 07:07 upstream c2ee9f594da8 15fa2979 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in ip6_pol_route
2024/10/22 22:52 upstream c2ee9f594da8 15fa2979 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in ip6_pol_route
2024/11/28 02:42 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 7b1d1d4cfac0 5df23865 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in ip6_pol_route
* Struck through repros no longer work on HEAD.