syzbot


general protection fault in skb_clone (5)

Status: internal: reported C repro on 2022/10/14 08:44
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: d8b57135fd9f net: hsr: avoid possible NULL deref in skb_clone()
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-riscv64]
First crash: 114d, last: 96d

Cause bisection: introduced by (bisect log) :
commit f176411401127a07a9360dec14eca448eb2e9d45
Author: Marco Wenzel <marco.wenzel@a-eberle.de>
Date: Wed Feb 24 09:46:49 2021 +0000

  net: hsr: add support for EntryForgetTime

Crash: general protection fault in skb_clone (log)
Repro: C syz .config
similar bugs (7):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 general protection fault in skb_clone C 1 10d 111d 0/1 upstream: reported C repro on 2022/10/17 02:33
upstream general protection fault in skb_clone syz 3 1999d 1998d 3/24 fixed on 2017/10/24 19:00
upstream BUG: unable to handle kernel paging request in skb_clone 2 541d 585d 0/24 closed as invalid on 2021/10/04 21:36
upstream general protection fault in skb_clone (3) 44 983d 985d 17/24 fixed on 2020/07/17 17:58
linux-4.19 general protection fault in skb_clone C error 2 111d 420d 0/1 upstream: reported C repro on 2021/12/12 07:38
upstream general protection fault in skb_clone (4) C unreliable 41 123d 420d 0/24 closed as invalid on 2022/10/12 18:15
upstream general protection fault in skb_clone (2) 1 1166d 1164d 0/24 auto-closed as invalid on 2020/03/25 12:28

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
CPU: 1 PID: 3646 Comm: syz-executor599 Not tainted 6.0.0-syzkaller-02801-gfa182ea26ff0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
RIP: 0010:skb_clone+0x108/0x3c0 net/core/skbuff.c:1641
Code: 93 02 00 00 49 83 7c 24 28 00 0f 85 e9 00 00 00 e8 5d 46 29 fa 4c 8d 75 7e 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 4c 89 f2 83 e2 07 38 d0 7f 08 84 c0 0f 85 9e 01 00 00
RSP: 0018:ffffc90003e3f4e0 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: ffffc90003e3f5f8 RCX: 0000000000000000
RDX: 000000000000000f RSI: ffffffff8751cf13 RDI: 0000000000000000
RBP: 0000000000000000 R08: 00000000000000f0 R09: 0000000000000140
R10: fffffbfff181d972 R11: 0000000000000000 R12: ffff88807169c500
R13: 0000000000000a20 R14: 000000000000007e R15: ffffffff8dc5fda0
FS:  0000555556ab2300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbc8115af50 CR3: 0000000071695000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 hsr_get_untagged_frame+0x4e/0x610 net/hsr/hsr_forward.c:164
 hsr_forward_do net/hsr/hsr_forward.c:461 [inline]
 hsr_forward_skb+0xcca/0x1d50 net/hsr/hsr_forward.c:623
 hsr_handle_frame+0x588/0x7c0 net/hsr/hsr_slave.c:69
 __netif_receive_skb_core+0x9fe/0x38f0 net/core/dev.c:5379
 __netif_receive_skb_one_core+0xae/0x180 net/core/dev.c:5483
 __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5599
 netif_receive_skb_internal net/core/dev.c:5685 [inline]
 netif_receive_skb+0x12f/0x8d0 net/core/dev.c:5744
 tun_rx_batched+0x4ab/0x7a0 drivers/net/tun.c:1544
 tun_get_user+0x2686/0x3a00 drivers/net/tun.c:1995
 tun_chr_write_iter+0xdb/0x200 drivers/net/tun.c:2025
 call_write_iter include/linux/fs.h:2187 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x9e9/0xdd0 fs/read_write.c:584
 ksys_write+0x127/0x250 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fbc810e6f03
Code: ff ff bf 01 00 00 00 e8 ab 6f 00 00 66 2e 0f 1f 84 00 00 00 00 00 90 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18
RSP: 002b:00007ffc161f22d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fbc810e6f03
RDX: 0000000000000036 RSI: 0000000020000640 RDI: 00000000000000c8
RBP: 00007ffc161f2300 R08: 0000000000000000 R09: 0000000000000001
R10: 00007ffc161f2077 R11: 0000000000000246 R12: 0000000000000003
R13: 00007ffc161f2320 R14: 00007ffc161f2310 R15: 00007ffc161f22ec
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:skb_clone+0x108/0x3c0 net/core/skbuff.c:1641
Code: 93 02 00 00 49 83 7c 24 28 00 0f 85 e9 00 00 00 e8 5d 46 29 fa 4c 8d 75 7e 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 4c 89 f2 83 e2 07 38 d0 7f 08 84 c0 0f 85 9e 01 00 00
RSP: 0018:ffffc90003e3f4e0 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: ffffc90003e3f5f8 RCX: 0000000000000000
RDX: 000000000000000f RSI: ffffffff8751cf13 RDI: 0000000000000000
RBP: 0000000000000000 R08: 00000000000000f0 R09: 0000000000000140
R10: fffffbfff181d972 R11: 0000000000000000 R12: ffff88807169c500
R13: 0000000000000a20 R14: 000000000000007e R15: ffffffff8dc5fda0
FS:  0000555556ab2300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbc8115af50 CR3: 0000000071695000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	93                   	xchg   %eax,%ebx
   1:	02 00                	add    (%rax),%al
   3:	00 49 83             	add    %cl,-0x7d(%rcx)
   6:	7c 24                	jl     0x2c
   8:	28 00                	sub    %al,(%rax)
   a:	0f 85 e9 00 00 00    	jne    0xf9
  10:	e8 5d 46 29 fa       	callq  0xfa294672
  15:	4c 8d 75 7e          	lea    0x7e(%rbp),%r14
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	4c 89 f2             	mov    %r14,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax <-- trapping instruction
  2e:	4c 89 f2             	mov    %r14,%rdx
  31:	83 e2 07             	and    $0x7,%edx
  34:	38 d0                	cmp    %dl,%al
  36:	7f 08                	jg     0x40
  38:	84 c0                	test   %al,%al
  3a:	0f 85 9e 01 00 00    	jne    0x1de

Crashes (7):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-net-this-kasan-gce 2022/10/17 01:59 net fa182ea26ff0 67cb024c .config strace log report syz C [disk image] [vmlinux] general protection fault in skb_clone
ci-upstream-net-kasan-gce 2022/10/17 02:43 net-next 0326074ff465 67cb024c .config strace log report syz C [disk image] [vmlinux] general protection fault in skb_clone
ci-upstream-gce-arm64 2022/10/17 05:58 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 67cb024c .config console log report syz [disk image] [vmlinux] BUG: unable to handle kernel NULL pointer dereference in skb_clone
ci-upstream-net-this-kasan-gce 2022/10/16 23:25 net fa182ea26ff0 67cb024c .config console log report info [disk image] [vmlinux] general protection fault in skb_clone
ci-upstream-net-this-kasan-gce 2022/10/16 03:39 net fa182ea26ff0 67cb024c .config console log report info [disk image] [vmlinux] general protection fault in skb_clone
ci-upstream-net-kasan-gce 2022/10/14 08:43 net-next 0326074ff465 4954e4b2 .config console log report info [disk image] [vmlinux] general protection fault in skb_clone
ci-upstream-gce-arm64 2022/10/31 22:43 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci bbed346d5a96 2a71366b .config console log report info [disk image] [vmlinux] BUG: unable to handle kernel NULL pointer dereference in skb_clone
* Struck through repros no longer work on HEAD.