general protection fault in bq_flush_to

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	general protection fault in bq_flush_to_queue bpf net				22	37d	46d	27/27	fixed on 2024/08/23 02:59
linux-6.1	general protection fault in bq_flush_to_queue				2	15d	40d	0/3	upstream: reported on 2024/07/29 12:28

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 3546 Comm: syz.1.1317 Not tainted 6.1.90-syzkaller-00026-g514bdc80b9d2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024 RIP: 0010:bq_flush_to_queue+0x47/0x6e0 kernel/bpf/cpumap.c:713 Code: df e8 0d 8b dd ff 49 8d 5f 50 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 83 af 24 00 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 cd 04 00 00 48 89 5d 80 44 8b 33 4d 8d RSP: 0018:ffffc900028e78b8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000040000 RDX: ffffc90001119000 RSI: 000000000000007b RDI: 000000000000007c RBP: ffffc900028e7948 R08: ffffffff81981958 R09: ffffffff831fd802 R10: 0000000000000002 R11: ffff88811bfca880 R12: dffffc0000000000 R13: ffff8881f7034440 R14: ffff8881f7034440 R15: ffff8881f7000000 FS: 00007fa8187856c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000002001a2c2 CR3: 000000012dd93000 CR4: 00000000003506b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __cpu_map_flush+0xab/0x130 kernel/bpf/cpumap.c:804 xdp_do_flush+0x13/0x20 net/core/filter.c:4168 tun_build_skb drivers/net/tun.c:1723 [inline] tun_get_user+0x1e4e/0x3a90 drivers/net/tun.c:1818 tun_chr_write_iter+0x129/0x210 drivers/net/tun.c:2044 call_write_iter include/linux/fs.h:2274 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x902/0xeb0 fs/read_write.c:584 ksys_write+0x199/0x2c0 fs/read_write.c:637 __do_sys_write fs/read_write.c:649 [inline] __se_sys_write fs/read_write.c:646 [inline] __x64_sys_write+0x7b/0x90 fs/read_write.c:646 x64_sys_call+0x2f/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7fa81797895f Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 c9 8d 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 1c 8e 02 00 48 RSP: 002b:00007fa818785000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fa817b15f80 RCX: 00007fa81797895f RDX: 0000000000000046 RSI: 000000002001a2c0 RDI: 00000000000000c8 RBP: 00007fa8179e793e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000046 R11: 0000000000000293 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fa817b15f80 R15: 00007ffc44fac548 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:bq_flush_to_queue+0x47/0x6e0 kernel/bpf/cpumap.c:713 Code: df e8 0d 8b dd ff 49 8d 5f 50 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 83 af 24 00 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 cd 04 00 00 48 89 5d 80 44 8b 33 4d 8d RSP: 0018:ffffc900028e78b8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000040000 RDX: ffffc90001119000 RSI: 000000000000007b RDI: 000000000000007c RBP: ffffc900028e7948 R08: ffffffff81981958 R09: ffffffff831fd802 R10: 0000000000000002 R11: ffff88811bfca880 R12: dffffc0000000000 R13: ffff8881f7034440 R14: ffff8881f7034440 R15: ffff8881f7000000 FS: 00007fa8187856c0(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000002001a2c2 CR3: 000000012dd93000 CR4: 00000000003506b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: df e8 fucomip %st(0),%st 2: 0d 8b dd ff 49 or $0x49ffdd8b,%eax 7: 8d 5f 50 lea 0x50(%rdi),%ebx a: 48 89 d8 mov %rbx,%rax d: 48 c1 e8 03 shr $0x3,%rax 11: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) 16: 74 08 je 0x20 18: 48 89 df mov %rbx,%rdi 1b: e8 83 af 24 00 call 0x24afa3 20: 48 8b 1b mov (%rbx),%rbx 23: 48 89 d8 mov %rbx,%rax 26: 48 c1 e8 03 shr $0x3,%rax * 2a: 42 0f b6 04 20 movzbl (%rax,%r12,1),%eax <-- trapping instruction 2f: 84 c0 test %al,%al 31: 0f 85 cd 04 00 00 jne 0x504 37: 48 89 5d 80 mov %rbx,-0x80(%rbp) 3b: 44 8b 33 mov (%rbx),%r14d 3e: 4d rex.WRB 3f: 8d .byte 0x8d

Crashes (4):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	VM info	Assets (help?)	Manager	Title
2024/08/26 14:18	android14-6.1	514bdc80b9d2	9aee4e0b	.config	console log	report	info	[disk image] [vmlinux] [kernel image]	ci2-android-6-1	general protection fault in bq_flush_to_queue
2024/08/24 21:46	android14-6.1	514bdc80b9d2	d7d32352	.config	console log	report	info	[disk image] [vmlinux] [kernel image]	ci2-android-6-1-perf	general protection fault in bq_flush_to_queue
2024/07/18 06:28	android14-6.1	c78828e3832d	0f902625	.config	console log	report	info	[disk image] [vmlinux] [kernel image]	ci2-android-6-1-perf	general protection fault in bq_flush_to_queue
2024/07/15 20:17	android14-6.1	96d66062d076	e8709b21	.config	console log	report	info	[disk image] [vmlinux] [kernel image]	ci2-android-6-1	general protection fault in bq_flush_to_queue

Crashes (4):

Assets (help?)