syzbot


general protection fault in skb_segment

Status: upstream: reported C repro on 2023/12/10 13:55
Reported-by: syzbot+3f124e609b90027ed1e1@syzkaller.appspotmail.com
First crash: 142d, last: 58d
Similar bugs (8)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-10 general protection fault in skb_segment C done 1 128d 142d 0/2 auto-obsoleted due to no activity on 2024/04/02 16:56
android-5-15 general protection fault in skb_segment origin:upstream C done 1 127d 141d 0/2 auto-obsoleted due to no activity on 2024/04/03 02:38
linux-4.14 general protection fault in skb_segment 1 665d 665d 0/1 auto-obsoleted due to no activity on 2022/11/02 17:51
upstream general protection fault in skb_segment (3) net C done 2 261d 261d 23/26 fixed on 2023/10/12 12:48
upstream general protection fault in skb_segment sctp C 7 2304d 2314d 4/26 fixed on 2018/01/29 03:39
android-6-1 general protection fault in skb_segment origin:upstream missing-backport C done done 1 49d 139d 0/2 upstream: reported C repro on 2023/12/13 03:03
upstream general protection fault in skb_segment (4) net C error 4 135d 142d 25/26 fixed on 2024/01/22 01:16
upstream general protection fault in skb_segment (2) net 1 1170d 1170d 0/26 auto-closed as invalid on 2021/05/17 11:26
Last patch testing requests (2)
Created Duration User Patch Repo Result
2024/03/03 14:36 10m retest repro android12-5.4 report log
2023/12/24 14:19 14m retest repro android12-5.4 report log

Sample crash report:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 356 Comm: syz-executor203 Not tainted 5.4.259-syzkaller-00006-g1303f659c2b1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:skb_segment+0x2940/0x3f30 net/core/skbuff.c:3903
Code: 89 bc 24 90 00 00 00 81 7c 24 3c ff ff 00 00 0f 85 6b e2 ff ff e8 90 63 ea fd 48 8b 44 24 78 48 8d 58 70 48 89 d8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 0f 85 47 08 00 00 8b 03 48 89 44 24 40 48 8b
RSP: 0018:ffff8881dc75f060 EFLAGS: 00010202
RAX: 000000000000000e RBX: 0000000000000070 RCX: ffff8881dc719f80
RDX: 0000000000000000 RSI: ffff8881f21ef1be RDI: 000000000000ffff
RBP: ffff8881dc75f2f0 R08: ffffffff8379c2ce R09: ffffffff837dfe9b
R10: ffff8881dc719f80 R11: 0000000000000002 R12: 000000000000003e
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881de396800
FS:  00005555558cd380(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020010000 CR3: 00000001dc574000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 udp6_ufo_fragment+0x866/0xcd0 net/ipv6/udp_offload.c:107
 ipv6_gso_segment+0x65e/0x1130 net/ipv6/ip6_offload.c:113
 skb_mac_gso_segment+0x27c/0x490 net/core/dev.c:2970
 __skb_gso_segment+0x305/0x4a0 net/core/dev.c:3043
 skb_gso_segment include/linux/netdevice.h:4488 [inline]
 validate_xmit_skb+0x30a/0xc50 net/core/dev.c:3283
 __dev_queue_xmit+0xf7d/0x27e0 net/core/dev.c:3786
 packet_snd net/packet/af_packet.c:3009 [inline]
 packet_sendmsg+0x4747/0x6100 net/packet/af_packet.c:3038
 sock_sendmsg_nosec net/socket.c:638 [inline]
 __sock_sendmsg net/socket.c:650 [inline]
 __sys_sendto+0x4f3/0x6c0 net/socket.c:1959
 __do_sys_sendto net/socket.c:1971 [inline]
 __se_sys_sendto net/socket.c:1967 [inline]
 __x64_sys_sendto+0xda/0xf0 net/socket.c:1967
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Modules linked in:
---[ end trace a3432f496e43c9ce ]---
RIP: 0010:skb_segment+0x2940/0x3f30 net/core/skbuff.c:3903
Code: 89 bc 24 90 00 00 00 81 7c 24 3c ff ff 00 00 0f 85 6b e2 ff ff e8 90 63 ea fd 48 8b 44 24 78 48 8d 58 70 48 89 d8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 0f 85 47 08 00 00 8b 03 48 89 44 24 40 48 8b
RSP: 0018:ffff8881dc75f060 EFLAGS: 00010202
RAX: 000000000000000e RBX: 0000000000000070 RCX: ffff8881dc719f80
RDX: 0000000000000000 RSI: ffff8881f21ef1be RDI: 000000000000ffff
RBP: ffff8881dc75f2f0 R08: ffffffff8379c2ce R09: ffffffff837dfe9b
R10: ffff8881dc719f80 R11: 0000000000000002 R12: 000000000000003e
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881de396800
FS:  00005555558cd380(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020010000 CR3: 00000001dc574000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	89 bc 24 90 00 00 00 	mov    %edi,0x90(%rsp)
   7:	81 7c 24 3c ff ff 00 	cmpl   $0xffff,0x3c(%rsp)
   e:	00
   f:	0f 85 6b e2 ff ff    	jne    0xffffe280
  15:	e8 90 63 ea fd       	call   0xfdea63aa
  1a:	48 8b 44 24 78       	mov    0x78(%rsp),%rax
  1f:	48 8d 58 70          	lea    0x70(%rax),%rbx
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 0f b6 04 28       	movzbl (%rax,%r13,1),%eax <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	0f 85 47 08 00 00    	jne    0x87e
  37:	8b 03                	mov    (%rbx),%eax
  39:	48 89 44 24 40       	mov    %rax,0x40(%rsp)
  3e:	48                   	rex.W
  3f:	8b                   	.byte 0x8b

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/12/10 13:54 android12-5.4 1303f659c2b1 28b24332 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan general protection fault in skb_segment