syzbot


general protection fault in skb_clone (3)

Status: fixed on 2020/07/17 17:58
Subsystems: net
[Documentation on labels]
Fix commit: 239174945dac tcp: tcp_v4_err() icmp skb is named icmp_skb
First crash: 1425d, last: 1423d
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 general protection fault in skb_clone C 1 418d 551d 0/1 upstream: reported C repro on 2022/10/17 02:33
upstream general protection fault in skb_clone syz 3 2439d 2438d 3/26 fixed on 2017/10/24 19:00
upstream BUG: unable to handle kernel paging request in skb_clone net 2 981d 1026d 0/26 closed as invalid on 2021/10/04 21:36
linux-4.19 general protection fault in skb_clone C error 2 551d 860d 0/1 upstream: reported C repro on 2021/12/12 07:38
upstream general protection fault in skb_clone (4) net C unreliable 41 563d 860d 0/26 closed as invalid on 2022/10/12 18:15
upstream general protection fault in skb_clone (2) hams 1 1607d 1604d 0/26 auto-closed as invalid on 2020/03/25 12:28
upstream general protection fault in skb_clone (5) net C done 7 536d 554d 22/26 fixed on 2023/02/24 13:50

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 10288 Comm: syz-executor.0 Not tainted 5.7.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_zcopy include/linux/skbuff.h:1446 [inline]
RIP: 0010:skb_orphan_frags include/linux/skbuff.h:2777 [inline]
RIP: 0010:skb_clone+0x9a/0x3c0 net/core/skbuff.c:1436
Code: c1 ea 03 80 3c 02 00 0f 85 06 03 00 00 4c 03 a5 c0 00 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 03 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 64 02 00 00
RSP: 0018:ffffc90000da8898 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8880a03db440 RCX: 000000000000204e
RDX: 0000000000000000 RSI: ffffffff861d2bc3 RDI: 0000000000000003
RBP: ffffffff8a6329e0 R08: 0000000000000000 R09: ffff8880a03db440
R10: ffff8880ae738b1b R11: ffffed1015ce7163 R12: 0000000000000000
R13: 0000000000000a20 R14: 000000000000006f R15: ffffffff8a6329e0
FS:  00007f1162872700(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200000c0 CR3: 00000000a214e000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 ip_icmp_error+0x31/0x5a0 net/ipv4/ip_sockglue.c:397
 tcp_v4_err+0x9b2/0x1d00 net/ipv4/tcp_ipv4.c:576
 icmp_socket_deliver+0x1e4/0x360 net/ipv4/icmp.c:803
 icmp_unreach+0x33b/0xab0 net/ipv4/icmp.c:920
 icmp_rcv+0xee6/0x15f0 net/ipv4/icmp.c:1102
 ip_protocol_deliver_rcu+0x57/0x880 net/ipv4/ip_input.c:204
 ip_local_deliver_finish+0x220/0x360 net/ipv4/ip_input.c:231
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_local_deliver+0x1c8/0x4e0 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:441 [inline]
 ip_rcv_finish+0x1da/0x2f0 net/ipv4/ip_input.c:428
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip_rcv+0xd0/0x3c0 net/ipv4/ip_input.c:539
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5268
 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5382
 process_backlog+0x21e/0x7a0 net/core/dev.c:6214
 napi_poll net/core/dev.c:6659 [inline]
 net_rx_action+0x4c2/0x1070 net/core/dev.c:6727
 __do_softirq+0x26c/0x9f7 kernel/softirq.c:292
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082
 </IRQ>
 do_softirq.part.0+0x10f/0x160 kernel/softirq.c:337
 do_softirq kernel/softirq.c:329 [inline]
 __local_bh_enable_ip+0x20e/0x270 kernel/softirq.c:189
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 __icmp_send+0xc7c/0x14a0 net/ipv4/icmp.c:746
 icmp_send include/net/icmp.h:43 [inline]
 ip_vs_leave+0x548/0x1270 net/netfilter/ipvs/ip_vs_core.c:680
 tcp_conn_schedule+0x763/0x830 net/netfilter/ipvs/ip_vs_proto_tcp.c:93
 ip_vs_try_to_schedule net/netfilter/ipvs/ip_vs_core.c:1558 [inline]
 ip_vs_in.part.0+0xc47/0x1cd0 net/netfilter/ipvs/ip_vs_core.c:2101
 ip_vs_in+0x18c/0x3b0 net/netfilter/ipvs/ip_vs_core.c:2002
 nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
 nf_hook_slow+0xba/0x1e0 net/netfilter/core.c:512
 nf_hook include/linux/netfilter.h:262 [inline]
 __ip_local_out+0x3d4/0x850 net/ipv4/ip_output.c:114
 ip_local_out+0x26/0x1a0 net/ipv4/ip_output.c:123
 __ip_queue_xmit+0x863/0x1c20 net/ipv4/ip_output.c:530
 __tcp_transmit_skb+0x1a18/0x3770 net/ipv4/tcp_output.c:1238
 tcp_transmit_skb net/ipv4/tcp_output.c:1254 [inline]
 tcp_connect+0x2d0f/0x42b0 net/ipv4/tcp_output.c:3671
 tcp_v4_connect+0x14f0/0x1c10 net/ipv4/tcp_ipv4.c:311
 __inet_stream_connect+0x80f/0xe30 net/ipv4/af_inet.c:658
 inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:722
 __sys_connect_file+0x155/0x1a0 net/socket.c:1854
 __sys_connect+0x160/0x190 net/socket.c:1871
 __do_sys_connect net/socket.c:1882 [inline]
 __se_sys_connect net/socket.c:1879 [inline]
 __x64_sys_connect+0x6f/0xb0 net/socket.c:1879
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45ca29
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f1162871c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00000000004daf00 RCX: 000000000045ca29
RDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000083 R14: 00000000004c33b5 R15: 00007f11628726d4
Modules linked in:
---[ end trace 720ffdb5cdd07e46 ]---
RIP: 0010:skb_zcopy include/linux/skbuff.h:1446 [inline]
RIP: 0010:skb_orphan_frags include/linux/skbuff.h:2777 [inline]
RIP: 0010:skb_clone+0x9a/0x3c0 net/core/skbuff.c:1436
Code: c1 ea 03 80 3c 02 00 0f 85 06 03 00 00 4c 03 a5 c0 00 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 03 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 64 02 00 00
RSP: 0018:ffffc90000da8898 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8880a03db440 RCX: 000000000000204e
RDX: 0000000000000000 RSI: ffffffff861d2bc3 RDI: 0000000000000003
RBP: ffffffff8a6329e0 R08: 0000000000000000 R09: ffff8880a03db440
R10: ffff8880ae738b1b R11: ffffed1015ce7163 R12: 0000000000000000
R13: 0000000000000a20 R14: 000000000000006f R15: ffffffff8a6329e0
FS:  00007f1162872700(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200000c0 CR3: 00000000a214e000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (44):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/05/26 21:52 net-next-old d52caf0404e6 9072c126 .config console log report ci-upstream-net-kasan-gce
2020/05/26 21:25 net-next-old d52caf0404e6 9072c126 .config console log report ci-upstream-net-kasan-gce
2020/05/26 21:04 net-next-old d52caf0404e6 9072c126 .config console log report ci-upstream-net-kasan-gce
2020/05/26 21:01 net-next-old d52caf0404e6 9072c126 .config console log report ci-upstream-net-kasan-gce
2020/05/26 19:35 net-next-old d52caf0404e6 9072c126 .config console log report ci-upstream-net-kasan-gce
2020/05/26 19:33 net-next-old d52caf0404e6 9072c126 .config console log report ci-upstream-net-kasan-gce
2020/05/26 19:21 net-next-old d52caf0404e6 9072c126 .config console log report ci-upstream-net-kasan-gce
2020/05/26 18:54 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 17:55 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 17:29 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 16:55 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 16:26 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 16:14 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 16:06 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 15:56 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 15:33 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 12:46 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 12:32 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 09:48 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 08:27 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 07:25 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 06:52 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 06:40 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 05:45 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 04:41 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 03:56 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/26 02:29 net-next-old d52caf0404e6 8ca3b7d2 .config console log report ci-upstream-net-kasan-gce
2020/05/28 07:02 linux-next b0523c7b1c9d 142a0957 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/05/28 04:44 linux-next b0523c7b1c9d 142a0957 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/05/28 03:36 linux-next b0523c7b1c9d 142a0957 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/05/28 02:05 linux-next b0523c7b1c9d 142a0957 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/05/27 22:48 linux-next b0523c7b1c9d ec153193 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/05/27 21:40 linux-next b0523c7b1c9d ec153193 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/05/27 20:49 linux-next b0523c7b1c9d ec153193 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/05/27 14:00 linux-next b0523c7b1c9d ec153193 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/05/27 13:26 linux-next b0523c7b1c9d ec153193 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/05/27 13:21 linux-next b0523c7b1c9d ec153193 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/05/27 07:48 linux-next b0523c7b1c9d 9072c126 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/05/26 21:12 linux-next b0523c7b1c9d 9072c126 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/05/26 21:12 linux-next b0523c7b1c9d 9072c126 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/05/26 16:42 linux-next b0523c7b1c9d 8ca3b7d2 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/05/26 15:35 linux-next b0523c7b1c9d 8ca3b7d2 .config console log report ci-upstream-linux-next-kasan-gce-root
2020/05/26 12:17 linux-next b0523c7b1c9d 8ca3b7d2 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.