syzbot


BUG: unable to handle kernel paging request in csum_partial (4)

Status: closed as invalid on 2023/10/17 18:04
Subsystems: net
First crash: 343d, last: 285d
Similar bugs (3)
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| android-54 | BUG: unable to handle kernel paging request in csum_partial | C | | | 5 | 979d | 1561d | 1/2 | fixed on 2021/10/21 11:33 |
| upstream | BUG: unable to handle kernel paging request in csum_partial (2) kernel | | | | 1 | 1196d | 1196d | 0/26 | auto-closed as invalid on 2021/04/23 09:26 |
| upstream | BUG: unable to handle kernel paging request in csum_partial (3) kernel | C | done | | 1 | 992d | 1023d | 20/26 | fixed on 2021/11/10 00:50 |

Sample crash report:
8<--- cut here ---
Unable to handle kernel paging request at virtual address df000000 when read
[df000000] *pgd=80000080007003, *pmd=00000000
Internal error: Oops: 206 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 25727 Comm: syz-executor.1 Not tainted 6.4.0-rc6-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at csum_partial+0x40/0x130 arch/arm/lib/csumpartial.S:120
LR is at 0x0
pc : [<817acf08>]    lr : [<00000000>]    psr: 00000013
sp : e079db38  ip : a5c5e800  fp : e079db94
r10: 813145b0  r9 : 813145b0  r8 : 00000d02
r7 : fffff2fd  r6 : 00000d02  r5 : 00000000  r4 : 00000000
r3 : 00000000  r2 : 494cad30  r1 : fffffef0  r0 : df000000
Flags: nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 98d1b500  DAC: fffffffd
Register r0 information: non-paged memory
Register r1 information: non-paged memory
Register r2 information: non-paged memory
Register r3 information: NULL pointer
Register r4 information: NULL pointer
Register r5 information: NULL pointer
Register r6 information: non-paged memory
Register r7 information: non-paged memory
Register r8 information: non-paged memory
Register r9 information: non-slab/vmalloc memory
Register r10 information: non-slab/vmalloc memory
Register r11 information: 2-page vmalloc region starting at 0xe079c000 allocated at kernel_clone+0x9c/0x3dc kernel/fork.c:2915
Register r12 information: non-slab/vmalloc memory
Process syz-executor.1 (pid: 25727, stack limit = 0xe079c000)
Stack: (0xe079db38 to 0xe079e000)
Backtrace: 
[<8150d34c>] (__udp_gso_segment) from [<815f78f0>] (udp6_ufo_fragment+0xc8/0x39c net/ipv6/udp_offload.c:47)
 r10:89f1c000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:00006869
 r4:8617ea80
[<815f7828>] (udp6_ufo_fragment) from [<816312b0>] (ipv6_gso_segment.part.0+0x128/0x42c net/ipv6/ip6_offload.c:119)
 r10:89f1c000 r9:00000000 r8:00000000 r7:00006869 r6:00000000 r5:0000000e
 r4:8617ea80
[<81631188>] (ipv6_gso_segment.part.0) from [<81631864>] (ipv6_gso_segment+0x44/0x48 net/ipv6/ip6_offload.c:91)
 r10:00000011 r9:e079dcf7 r8:81631820 r7:0000dd86 r6:00006869 r5:00000000
 r4:8617ea80
[<81631820>] (ipv6_gso_segment) from [<813784a4>] (skb_mac_gso_segment+0xc4/0x1a4 net/core/gro.c:141)
 r7:0000dd86 r6:00006869 r5:00000000 r4:8617ea80
[<813783e0>] (skb_mac_gso_segment) from [<8133361c>] (__skb_gso_segment+0xc0/0x16c net/core/dev.c:3401)
 r8:85804000 r7:00000000 r6:00000001 r5:00006869 r4:8617ea80
[<8133355c>] (__skb_gso_segment) from [<8133b028>] (skb_gso_segment include/linux/netdevice.h:4862 [inline])
[<8133355c>] (__skb_gso_segment) from [<8133b028>] (validate_xmit_skb+0x19c/0x374 net/core/dev.c:3659)
 r7:e079dcf7 r6:00000000 r5:00006869 r4:8617ea80
[<8133ae8c>] (validate_xmit_skb) from [<8133b240>] (validate_xmit_skb_list+0x40/0x74 net/core/dev.c:3709)
 r10:00000011 r9:e079dcf7 r8:00000000 r7:85804000 r6:84cea800 r5:00000000
 r4:00000000
[<8133b200>] (validate_xmit_skb_list) from [<813aab3c>] (sch_direct_xmit+0x1c0/0x45c net/sched/sch_generic.c:327)
 r9:00000001 r8:00000000 r7:85804000 r6:84cea800 r5:8617ea80 r4:84a73000
[<813aa97c>] (sch_direct_xmit) from [<8133be20>] (__dev_xmit_skb net/core/dev.c:3805 [inline])
[<813aa97c>] (sch_direct_xmit) from [<8133be20>] (__dev_queue_xmit+0x568/0xdc8 net/core/dev.c:4210)
 r9:84a730c4 r8:a3ea38c0 r7:00000001 r6:00000000 r5:84a73000 r4:8617ea80
[<8133b8b8>] (__dev_queue_xmit) from [<81634fac>] (dev_queue_xmit include/linux/netdevice.h:3088 [inline])
[<8133b8b8>] (__dev_queue_xmit) from [<81634fac>] (packet_xmit net/packet/af_packet.c:276 [inline])
[<8133b8b8>] (__dev_queue_xmit) from [<81634fac>] (packet_xmit+0x9c/0x100 net/packet/af_packet.c:273)
 r10:89f1ff00 r9:84c5b000 r8:8617ea80 r7:0000000a r6:85804000 r5:00002378
 r4:8617ea80
[<81634f10>] (packet_xmit) from [<81638700>] (packet_snd net/packet/af_packet.c:3081 [inline])
[<81634f10>] (packet_xmit) from [<81638700>] (packet_sendmsg+0xec8/0x1448 net/packet/af_packet.c:3113)
 r7:0000000a r6:85804000 r5:00002378 r4:84c5b000
[<81637838>] (packet_sendmsg) from [<8130da78>] (sock_sendmsg_nosec net/socket.c:724 [inline])
[<81637838>] (packet_sendmsg) from [<8130da78>] (sock_sendmsg+0x44/0x78 net/socket.c:747)
 r10:00000122 r9:85c2de00 r8:80200288 r7:04000002 r6:85479400 r5:e079de98
 r4:00000000
[<8130da34>] (sock_sendmsg) from [<8130f8cc>] (__sys_sendto+0xd0/0x11c net/socket.c:2144)
 r7:04000002 r6:00000000 r5:85479400 r4:00000000
[<8130f7fc>] (__sys_sendto) from [<8130f934>] (__do_sys_sendto net/socket.c:2156 [inline])
[<8130f7fc>] (__sys_sendto) from [<8130f934>] (sys_sendto+0x1c/0x24 net/socket.c:2152)
 r7:00000122 r6:0014c2c4 r5:000002ff r4:00000000
[<8130f918>] (sys_sendto) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:66)
Exception stack(0xe079dfa8 to 0xe079dff0)
dfa0:                   00000000 000002ff 00000003 20000080 00002378 04000002
dfc0: 00000000 000002ff 0014c2c4 00000122 7e8403c2 76b706d0 7e840534 76b7020c
dfe0: 76b70020 76b70010 00017004 0004df80
Code: e0b22003 e0b22004 e0b22005 e0b2200e (e8b04038) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	e0b22003 	adcs	r2, r2, r3
   4:	e0b22004 	adcs	r2, r2, r4
   8:	e0b22005 	adcs	r2, r2, r5
   c:	e0b2200e 	adcs	r2, r2, lr
* 10:	e8b04038 	ldm	r0!, {r3, r4, r5, lr} <-- trapping instruction

Crashes (12):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2023/06/15 17:30 | upstream | b6dad5178cea | ff5fb304 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu2-arm32 | BUG: unable to handle kernel paging request in csum_partial |
| 2023/06/08 21:59 | upstream | 5f63595ebd82 | 058b3a5a | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu2-arm32 | BUG: unable to handle kernel paging request in csum_partial |
| 2023/06/05 14:58 | upstream | 9561de3a55be | a4ae4f42 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu2-arm32 | BUG: unable to handle kernel paging request in csum_partial |
| 2023/06/05 14:57 | upstream | 9561de3a55be | a4ae4f42 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu2-arm32 | BUG: unable to handle kernel paging request in csum_partial |
| 2023/06/05 14:50 | upstream | 9561de3a55be | a4ae4f42 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu2-arm32 | BUG: unable to handle kernel paging request in csum_partial |
| 2023/06/05 14:50 | upstream | 9561de3a55be | a4ae4f42 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu2-arm32 | BUG: unable to handle kernel paging request in csum_partial |
| 2023/05/26 07:22 | upstream | eb03e3181354 | b40ef614 | .config | console log | report | | | info | | ci-qemu2-arm32 | BUG: unable to handle kernel paging request in csum_partial |
| 2023/05/26 07:13 | upstream | eb03e3181354 | b40ef614 | .config | console log | report | | | info | | ci-qemu2-arm32 | BUG: unable to handle kernel paging request in csum_partial |
| 2023/05/26 07:12 | upstream | eb03e3181354 | b40ef614 | .config | console log | report | | | info | | ci-qemu2-arm32 | BUG: unable to handle kernel paging request in csum_partial |
| 2023/05/25 17:13 | upstream | 933174ae28ba | 51e154a0 | .config | console log | report | | | info | | ci-qemu2-arm32 | BUG: unable to handle kernel paging request in csum_partial |
| 2023/05/25 17:13 | upstream | 933174ae28ba | 51e154a0 | .config | console log | report | | | info | | ci-qemu2-arm32 | BUG: unable to handle kernel paging request in csum_partial |
| 2023/07/22 22:01 | upstream | 725d444db6b0 | 27cbe77f | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-out-of-bounds Read in csum_partial |