syzbot

 sign-in | mailing list | source | docs
🐞 Open [1633]
Subsystems
🐞 Fixed [6115]
🐞 Invalid [15342]
Missing Backports [170]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

BUG: unable to handle kernel paging request in csum_partial (5)

Status: closed as invalid on 2024/09/23 08:38
Subsystems: net
[Documentation on labels]
First crash: 225d, last: 225d
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 BUG: unable to handle kernel paging request in csum_partial C 5 1311d 1892d 1/2 fixed on 2021/10/21 11:33
upstream BUG: unable to handle kernel paging request in csum_partial (4) net 12 617d 675d 0/28 closed as invalid on 2023/10/17 18:04
upstream BUG: unable to handle kernel paging request in csum_partial (2) kernel 1 1527d 1527d 0/28 auto-closed as invalid on 2021/04/23 09:26
upstream BUG: unable to handle kernel paging request in csum_partial (3) kernel C done 1 1324d 1354d 20/28 fixed on 2021/11/10 00:50
upstream KASAN: slab-out-of-bounds Read in csum_partial net 1 385d 385d 0/28 closed as invalid on 2024/06/20 17:23

Sample crash report:
8<--- cut here ---
Unable to handle kernel paging request at virtual address df000000 when read
[df000000] *pgd=80000080007003, *pmd=00000000
Internal error: Oops: 206 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 UID: 0 PID: 12939 Comm: syz.1.2076 Not tainted 6.11.0-rc3-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at csum_partial+0x2c/0x130 arch/arm/lib/csumpartial.S:115
LR is at 0x0
pc : [<819250d4>]    lr : [<00000000>]    psr: 80000013
sp : dfbe5b80  ip : a6d00020  fp : dfbe5bbc
r10: 00000000  r9 : 85d0002b  r8 : 85b3aed0
r7 : dfbe5c54  r6 : 00000000  r5 : 00000000  r4 : 00000000
r3 : 00000000  r2 : 4045475d  r1 : ffffff97  r0 : defffff4
Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 85b71dc0  DAC: fffffffd
Register r0 information: non-slab/vmalloc memory
Register r1 information: non-paged memory
Register r2 information: non-paged memory
Register r3 information: NULL pointer
Register r4 information: NULL pointer
Register r5 information: NULL pointer
Register r6 information: NULL pointer
Register r7 information: 2-page vmalloc region starting at 0xdfbe4000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2800
Register r8 information: slab kmalloc-cg-2k start 85b3a800 pointer offset 1744 size 2048
Register r9 information: non-slab/vmalloc memory
Register r10 information: NULL pointer
Register r11 information: 2-page vmalloc region starting at 0xdfbe4000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2800
Register r12 information: non-slab/vmalloc memory
Process syz.1.2076 (pid: 12939, stack limit = 0xdfbe4000)
Stack: (0xdfbe5b80 to 0xdfbe6000)
5b80: 85e550c0 85d00092 85d00092 81794f34 8145a7c8 81454280 85e550c0 85b3a800
5ba0: 00000000 00000040 0000dd7a 0000c117 dfbe5bfc dfbe5bc0 81798938 81794e20
5bc0: 00010020 85b3aeb8 00000000 83d80400 80c81afc 85e550c0 85b3a800 85b3aeb8
5be0: 85b75e40 00000040 00000000 dfbe5c54 dfbe5c94 dfbe5c00 80c85040 81798884
5c00: dfbe5c54 85b3aed0 00000000 00000040 00000000 0000dd7a 0000c117 00000000
5c20: dfbe5c74 dfbe5c30 00000070 85ce0000 85448d00 85448d00 00000000 0000dd7a
5c40: 85b3ae80 84c34000 00020000 85e550c0 dfbe5c94 00000000 00000000 00000000
5c60: aa1414ac d421191a 85e550c0 85e550c0 81b76968 85b3a800 857dbc00 00000000
5c80: 856f4600 00000000 dfbe5cdc dfbe5c98 8147a598 80c84498 dfbe5cdc dfbe5ca8
5ca0: dfbe5d00 824b9fce 82606000 00010010 85e550c0 85e550c0 824b9fcc 856f4600
5cc0: 85b3a800 dfbe5ce0 00000000 00000000 dfbe5d9c dfbe5ce0 8147aa80 8147a4c0
5ce0: dfbe5d90 00000000 0000007f 808060c4 20000013 ffffffff dfbe5d14 00003500
5d00: fffffff4 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5d20: 00000000 00000000 00000000 0000007f 0000007f 0000007f 00000000 d421191a
5d40: dfbe5d84 85e550c0 dfbe5e1c 00020000 dfbe5dbc dfbe5d60 8179df5c 81454538
5d60: dfbe5dbc dfbe5d70 8179d134 d421191a 00000000 85e550c0 8319d900 855b3000
5d80: 855b3000 85e550c0 dfbe5e98 85cfff00 dfbe5dbc dfbe5da0 8179a364 8147a8b8
5da0: 0001001a 8319d900 855b3000 855b3000 dfbe5e6c dfbe5dc0 8179f3b8 8179a2d4
5dc0: dfbe5e18 00000003 dfbe5dd4 00000000 dfbe5df4 00000002 dfbe5de4 00000000
5de0: 00000000 00000000 855b3000 00000000 00000000 00000000 00000070 85b3ab48
5e00: 85b3ab4c 00000000 0000000e 0000000a 85b3a800 00000000 00000000 ff91050b
5e20: ff89fff4 dfbe0006 00000000 00000000 00000000 00000000 806f3be4 d421191a
5e40: dfbe5e6c 00000000 dfbe5e98 8319d900 8319d900 00000003 857dbc00 00000122
5e60: dfbe5e8c dfbe5e70 8144860c 8179e3ec 00000000 00000000 20000140 8319d900
5e80: dfbe5f8c dfbe5e90 8144abd4 814485d4 00000000 00000001 dfbe5ee4 00000014
5ea0: 00000000 00000000 00010000 0001001a 20000180 00000000 00000001 00000000
5ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5ee0: 8020c014 00000011 0000003d 06000001 00000000 00000000 00000000 00000000
5f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5f40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5f60: 00000000 d421191a 0014d2e0 20000140 00000014 002762fc 00000122 8020029c
5f80: dfbe5fa4 dfbe5f90 8144ac34 8144aad8 20000140 00000014 00000000 dfbe5fa8
5fa0: 80200060 8144ac24 20000140 00000014 00000003 20000180 0001001a 00000000
5fc0: 20000140 00000014 002762fc 00000122 00000000 00006364 003d0f00 76b360bc
5fe0: 76b35ec0 76b35eb0 000189a0 00132d80 60000010 00000003 00000000 00000000
Call trace: 
[<81794e14>] (udp6_set_csum) from [<81798938>] (udp_tunnel6_xmit_skb+0xc0/0x2f0 net/ipv6/ip6_udp_tunnel.c:99)
 r9:0000c117 r8:0000dd7a r7:00000040 r6:00000000 r5:85b3a800 r4:85e550c0
[<81798878>] (udp_tunnel6_xmit_skb) from [<80c85040>] (geneve6_xmit_skb drivers/net/geneve.c:1006 [inline])
[<81798878>] (udp_tunnel6_xmit_skb) from [<80c85040>] (geneve_xmit+0xbb4/0x1388 drivers/net/geneve.c:1036)
 r10:dfbe5c54 r9:00000000 r8:00000040 r7:85b75e40 r6:85b3aeb8 r5:85b3a800
 r4:85e550c0
[<80c8448c>] (geneve_xmit) from [<8147a598>] (__netdev_start_xmit include/linux/netdevice.h:4913 [inline])
[<80c8448c>] (geneve_xmit) from [<8147a598>] (netdev_start_xmit include/linux/netdevice.h:4922 [inline])
[<80c8448c>] (geneve_xmit) from [<8147a598>] (xmit_one net/core/dev.c:3580 [inline])
[<80c8448c>] (geneve_xmit) from [<8147a598>] (dev_hard_start_xmit+0xe4/0x2b4 net/core/dev.c:3596)
 r10:00000000 r9:856f4600 r8:00000000 r7:857dbc00 r6:85b3a800 r5:81b76968
 r4:85e550c0
[<8147a4b4>] (dev_hard_start_xmit) from [<8147aa80>] (__dev_queue_xmit+0x1d4/0xf0c net/core/dev.c:4423)
 r10:00000000 r9:00000000 r8:dfbe5ce0 r7:85b3a800 r6:856f4600 r5:824b9fcc
 r4:85e550c0
[<8147a8ac>] (__dev_queue_xmit) from [<8179a364>] (dev_queue_xmit include/linux/netdevice.h:3105 [inline])
[<8147a8ac>] (__dev_queue_xmit) from [<8179a364>] (packet_xmit net/packet/af_packet.c:276 [inline])
[<8147a8ac>] (__dev_queue_xmit) from [<8179a364>] (packet_xmit+0x9c/0x104 net/packet/af_packet.c:273)
 r10:85cfff00 r9:dfbe5e98 r8:85e550c0 r7:855b3000 r6:855b3000 r5:8319d900
 r4:85e550c0
[<8179a2c8>] (packet_xmit) from [<8179f3b8>] (packet_snd net/packet/af_packet.c:3145 [inline])
[<8179a2c8>] (packet_xmit) from [<8179f3b8>] (packet_sendmsg+0xfd8/0x1618 net/packet/af_packet.c:3177)
 r7:855b3000 r6:855b3000 r5:8319d900 r4:0001001a
[<8179e3e0>] (packet_sendmsg) from [<8144860c>] (sock_sendmsg_nosec net/socket.c:730 [inline])
[<8179e3e0>] (packet_sendmsg) from [<8144860c>] (__sock_sendmsg+0x44/0x78 net/socket.c:745)
 r10:00000122 r9:857dbc00 r8:00000003 r7:8319d900 r6:8319d900 r5:dfbe5e98
 r4:00000000
[<814485c8>] (__sock_sendmsg) from [<8144abd4>] (__sys_sendto+0x108/0x14c net/socket.c:2204)
 r7:8319d900 r6:20000140 r5:00000000 r4:00000000
[<8144aacc>] (__sys_sendto) from [<8144ac34>] (__do_sys_sendto net/socket.c:2216 [inline])
[<8144aacc>] (__sys_sendto) from [<8144ac34>] (sys_sendto+0x1c/0x24 net/socket.c:2212)
 r8:8020029c r7:00000122 r6:002762fc r5:00000014 r4:20000140
[<8144ac18>] (sys_sendto) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdfbe5fa8 to 0xdfbe5ff0)
5fa0:                   20000140 00000014 00000003 20000180 0001001a 00000000
5fc0: 20000140 00000014 002762fc 00000122 00000000 00006364 003d0f00 76b360bc
5fe0: 76b35ec0 76b35eb0 000189a0 00132d80
Code: 1bffffee e3d1c01f 0a00000e e92d0030 (e8b04038) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	1bffffee 	blne	0xffffffc0
   4:	e3d1c01f 	bics	ip, r1, #31
   8:	0a00000e 	beq	0x48
   c:	e92d0030 	push	{r4, r5}
* 10:	e8b04038 	ldm	r0!, {r3, r4, r5, lr} <-- trapping instruction

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/08/17 06:40 upstream 670c12ce09a8 dbc93b08 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel paging request in csum_partial
* Struck through repros no longer work on HEAD.