general protection fault in bpf_get_local

Date	Name	Commit	Repro	Result
2025/09/22	lts (merge base)	3594f306da12	C	[report] general protection fault in bpf_get_local_storage
2025/09/22	upstream (ToT)	07e27ad16399	C	[report] general protection fault in bpf_get_local_storage

Kernel	Title	Rank 🛈	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	general protection fault in bpf_get_local_storage bpf	2	C			13	100d	171d	0/29	auto-obsoleted due to no activity on 2025/10/02 04:58

Kernel

Title

Rank 🛈

upstream

general protection fault in bpf_get_local_storage bpf

100d

171d

0/29

auto-obsoleted due to no activity on 2025/10/02 04:58

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 290 Comm: syz-execprog Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:____bpf_get_local_storage kernel/bpf/cgroup.c:1575 [inline] RIP: 0010:bpf_get_local_storage+0xb8/0x180 kernel/bpf/cgroup.c:1557 Code: 4e 8d 74 f8 08 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 f7 e8 07 3c 21 00 4d 8b 36 83 fb 15 75 5e 4c 89 f0 48 c1 e8 03 <42> 80 3c 20 00 74 08 4c 89 f7 e8 e9 3b 21 00 49 8b 1e e8 91 e0 59 RSP: 0018:ffffc90000007478 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000015 RCX: 0000000000000100 RDX: ffff88810ec8a880 RSI: 0000000000000015 RDI: 0000000000000015 RBP: ffffc90000007498 R08: dffffc0000000000 R09: ffffc90000007600 R10: fffff52000000ec3 R11: 1ffff92000000ec0 R12: dffffc0000000000 R13: ffffc90001137002 R14: 0000000000000000 R15: 0000000000000001 FS: 000000c002107898(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000c0070e5020 CR3: 000000010886e000 CR4: 00000000003506b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> bpf_prog_3647604f6c8667e9+0x25/0x38 bpf_dispatcher_nop_func include/linux/bpf.h:987 [inline] __bpf_prog_run include/linux/filter.h:603 [inline] bpf_prog_run include/linux/filter.h:610 [inline] __bpf_prog_run_save_cb include/linux/filter.h:733 [inline] bpf_prog_run_array_cg kernel/bpf/cgroup.c:68 [inline] __cgroup_bpf_run_filter_skb+0x90e/0xf50 kernel/bpf/cgroup.c:1427 sk_filter_trim_cap+0x5bb/0x700 net/core/filter.c:141 tcp_filter net/ipv4/tcp_ipv4.c:1911 [inline] tcp_v4_rcv+0x1e83/0x2a80 net/ipv4/tcp_ipv4.c:2093 ip_protocol_deliver_rcu+0x325/0x6e0 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x24e/0x410 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:305 [inline] ip_local_deliver+0x1d8/0x320 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:463 [inline] ip_rcv_finish net/ipv4/ip_input.c:449 [inline] NF_HOOK include/linux/netfilter.h:305 [inline] ip_rcv+0x163/0x270 net/ipv4/ip_input.c:569 __netif_receive_skb_one_core net/core/dev.c:5585 [inline] __netif_receive_skb+0xd7/0x2a0 net/core/dev.c:5699 process_backlog+0x351/0x600 net/core/dev.c:6027 __napi_poll+0xd0/0x5e0 net/core/dev.c:6594 napi_poll net/core/dev.c:6661 [inline] net_rx_action+0x49b/0xaa0 net/core/dev.c:6775 handle_softirqs+0x1d7/0x600 kernel/softirq.c:642 __do_softirq+0xb/0xd kernel/softirq.c:680 do_softirq+0xc6/0x120 kernel/softirq.c:524 </IRQ> <TASK> __local_bh_enable_ip+0x75/0x80 kernel/softirq.c:448 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:870 [inline] __dev_queue_xmit+0x13fb/0x3420 net/core/dev.c:4372 dev_queue_xmit include/linux/netdevice.h:3085 [inline] neigh_hh_output include/net/neighbour.h:536 [inline] neigh_output include/net/neighbour.h:550 [inline] ip_finish_output2+0xb09/0xef0 net/ipv4/ip_output.c:228 __ip_finish_output+0x172/0x370 net/ipv4/ip_output.c:-1 ip_finish_output+0x31/0x2b0 net/ipv4/ip_output.c:316 NF_HOOK_COND include/linux/netfilter.h:294 [inline] ip_output+0x1e1/0x360 net/ipv4/ip_output.c:430 dst_output include/net/dst.h:453 [inline] ip_local_out net/ipv4/ip_output.c:126 [inline] __ip_queue_xmit+0x11c9/0x1d00 net/ipv4/ip_output.c:532 ip_queue_xmit+0x4d/0x70 net/ipv4/ip_output.c:546 __tcp_transmit_skb+0x1e17/0x3460 net/ipv4/tcp_output.c:1406 tcp_transmit_skb net/ipv4/tcp_output.c:1424 [inline] tcp_write_xmit+0x15fc/0x5fb0 net/ipv4/tcp_output.c:2710 __tcp_push_pending_frames+0x9c/0x2f0 net/ipv4/tcp_output.c:2895 tcp_push+0x48f/0x660 net/ipv4/tcp.c:734 tcp_sendmsg_locked+0x34f1/0x3d90 net/ipv4/tcp.c:1460 tcp_sendmsg+0x2f/0x50 net/ipv4/tcp.c:1488 inet6_sendmsg+0xb6/0xd0 net/ipv6/af_inet6.c:673 sock_sendmsg_nosec net/socket.c:716 [inline] __sock_sendmsg net/socket.c:728 [inline] sock_write_iter+0x2ca/0x3b0 net/socket.c:1133 call_write_iter include/linux/fs.h:2282 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x5db/0xca0 fs/read_write.c:584 ksys_write+0x140/0x240 fs/read_write.c:637 __do_sys_write fs/read_write.c:649 [inline] __se_sys_write fs/read_write.c:646 [inline] __x64_sys_write+0x7b/0x90 fs/read_write.c:646 x64_sys_call+0x27b/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x40dd0e Code: 24 28 44 8b 44 24 2c e9 70 ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 89 f2 48 89 fa 48 89 ce 48 89 df 0f 05 <48> 3d 01 f0 ff ff 76 15 48 f7 d8 48 89 c1 48 c7 c0 ff ff ff ff 48 RSP: 002b:000000c0030cf3e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000040dd0e RDX: 0000000000000698 RSI: 000000c0070c43e8 RDI: 0000000000000006 RBP: 000000c0030cf428 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000206 R12: 000000c0030cf558 R13: 0000000000000406 R14: 000000c000562700 R15: 000000c0070c4000 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:____bpf_get_local_storage kernel/bpf/cgroup.c:1575 [inline] RIP: 0010:bpf_get_local_storage+0xb8/0x180 kernel/bpf/cgroup.c:1557 Code: 4e 8d 74 f8 08 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 f7 e8 07 3c 21 00 4d 8b 36 83 fb 15 75 5e 4c 89 f0 48 c1 e8 03 <42> 80 3c 20 00 74 08 4c 89 f7 e8 e9 3b 21 00 49 8b 1e e8 91 e0 59 RSP: 0018:ffffc90000007478 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000015 RCX: 0000000000000100 RDX: ffff88810ec8a880 RSI: 0000000000000015 RDI: 0000000000000015 RBP: ffffc90000007498 R08: dffffc0000000000 R09: ffffc90000007600 R10: fffff52000000ec3 R11: 1ffff92000000ec0 R12: dffffc0000000000 R13: ffffc90001137002 R14: 0000000000000000 R15: 0000000000000001 FS: 000000c002107898(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000c0070e5020 CR3: 000000010886e000 CR4: 00000000003506b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: 4e 8d 74 f8 08 lea 0x8(%rax,%r15,8),%r14 5: 4c 89 f0 mov %r14,%rax 8: 48 c1 e8 03 shr $0x3,%rax c: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) 11: 74 08 je 0x1b 13: 4c 89 f7 mov %r14,%rdi 16: e8 07 3c 21 00 call 0x213c22 1b: 4d 8b 36 mov (%r14),%r14 1e: 83 fb 15 cmp $0x15,%ebx 21: 75 5e jne 0x81 23: 4c 89 f0 mov %r14,%rax 26: 48 c1 e8 03 shr $0x3,%rax * 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction 2f: 74 08 je 0x39 31: 4c 89 f7 mov %r14,%rdi 34: e8 e9 3b 21 00 call 0x213c22 39: 49 8b 1e mov (%r14),%rbx 3c: e8 .byte 0xe8 3d: 91 xchg %eax,%ecx 3e: e0 59 loopne 0x99

Crashes (2):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2025/09/22 15:05	android14-6.1	462bdb2cb1b1	0ac7291c	.config	console log	report	syz / log	C		[disk image] [vmlinux] [kernel image]	ci2-android-6-1	general protection fault in bpf_get_local_storage
2025/09/22 07:38	android14-6.1	462bdb2cb1b1	67c37560	.config	console log	report	syz / log	C		[disk image] [vmlinux] [kernel image]	ci2-android-6-1	general protection fault in bpf_get_local_storage

Crashes (2):

Assets (help?)