syzbot

 sign-in | mailing list | source | docs
🐞 Open [1593]
Subsystems
🐞 Fixed [6234]
🐞 Invalid [15796]
Missing Backports [184]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

general protection fault in skb_segment (2)

Status: auto-closed as invalid on 2021/05/17 11:26
Subsystems: net
[Documentation on labels]
First crash: 1554d, last: 1554d
Similar bugs (8)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-10 general protection fault in skb_segment C done 1 512d 526d 0/2 auto-obsoleted due to no activity on 2024/04/02 16:56
android-5-15 general protection fault in skb_segment origin:upstream C done 1 512d 526d 0/2 auto-obsoleted due to no activity on 2024/04/03 02:38
linux-4.14 general protection fault in skb_segment 1 1049d 1049d 0/1 auto-obsoleted due to no activity on 2022/11/02 17:51
upstream general protection fault in skb_segment (3) net C done 2 645d 645d 23/28 fixed on 2023/10/12 12:48
upstream general protection fault in skb_segment sctp C 7 2689d 2698d 4/28 fixed on 2018/01/29 03:39
android-6-1 general protection fault in skb_segment origin:upstream missing-backport C done done 1 434d 524d 0/2 auto-obsoleted due to no activity on 2024/06/20 07:05
upstream general protection fault in skb_segment (4) net C error 4 520d 527d 25/28 fixed on 2024/01/22 01:16
android-54 general protection fault in skb_segment C 1 442d 527d 0/2 auto-obsoleted due to no activity on 2024/06/11 14:46

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted 5.11.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:skb_headlen include/linux/skbuff.h:2118 [inline]
RIP: 0010:skb_segment+0x6a9/0x3840 net/core/skbuff.c:3909
Code: 89 f6 89 df e8 f8 01 7f fa 44 39 f3 0f 8f b7 00 00 00 e8 4a fc 7e fa 48 8b 84 24 e0 00 00 00 48 8d 78 70 48 89 f8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 74 08 3c 03 0f 8e 1d 2b 00 00 48 8b 84 24 e0
RSP: 0018:ffffc90000dafa30 EFLAGS: 00010202
RAX: 000000000000000e RBX: 0000000000000000 RCX: 0000000000000100
RDX: ffff88801191d340 RSI: ffffffff86f3d9a6 RDI: 0000000000000070
RBP: ffffc90000dafbd0 R08: 0000000000000000 R09: 0000000000000008
R10: ffffffff86f3d998 R11: 0000000000000689 R12: 0000000000000008
R13: 0000000000000404 R14: 0000000000000000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffde2c2aff0 CR3: 00000000159b0000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 tcp_gso_segment+0x33d/0x17e0 net/ipv4/tcp_offload.c:98
 tcp4_gso_segment net/ipv4/tcp_offload.c:51 [inline]
 tcp4_gso_segment+0x194/0x3a0 net/ipv4/tcp_offload.c:29
 inet_gso_segment+0x502/0x1110 net/ipv4/af_inet.c:1378
 skb_mac_gso_segment+0x26e/0x530 net/core/dev.c:3326
 __skb_gso_segment+0x330/0x6e0 net/core/dev.c:3399
 skb_gso_segment include/linux/netdevice.h:4728 [inline]
 cake_enqueue+0x2808/0x39f0 net/sched/sch_cake.c:1742
 __dev_xmit_skb net/core/dev.c:3807 [inline]
 __dev_queue_xmit+0x1913/0x2dd0 net/core/dev.c:4119
 neigh_hh_output include/net/neighbour.h:499 [inline]
 neigh_output include/net/neighbour.h:508 [inline]
 ip_finish_output2+0xeb6/0x21b0 net/ipv4/ip_output.c:230
 __ip_finish_output net/ipv4/ip_output.c:308 [inline]
 __ip_finish_output+0x396/0x640 net/ipv4/ip_output.c:290
 ip_finish_output+0x35/0x200 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip_output+0x196/0x310 net/ipv4/ip_output.c:432
 dst_output include/net/dst.h:441 [inline]
 ip_local_out net/ipv4/ip_output.c:126 [inline]
 __ip_queue_xmit+0x8e9/0x1a00 net/ipv4/ip_output.c:532
 __tcp_transmit_skb+0x18a4/0x3930 net/ipv4/tcp_output.c:1405
 tcp_transmit_skb net/ipv4/tcp_output.c:1423 [inline]
 __tcp_retransmit_skb+0x6b9/0x2be0 net/ipv4/tcp_output.c:3237
 tcp_retransmit_skb+0x2a/0x360 net/ipv4/tcp_output.c:3260
 tcp_xmit_retransmit_queue.part.0+0x3fa/0x990 net/ipv4/tcp_output.c:3342
 tcp_xmit_retransmit_queue+0x57/0x70 net/ipv4/tcp_output.c:3296
 tcp_xmit_recovery net/ipv4/tcp_input.c:3670 [inline]
 tcp_xmit_recovery+0x86/0x180 net/ipv4/tcp_input.c:3656
 tcp_ack+0x265f/0x59d0 net/ipv4/tcp_input.c:3844
 tcp_rcv_state_process+0xb85/0x4cb0 net/ipv4/tcp_input.c:6396
 tcp_v4_do_rcv+0x320/0x870 net/ipv4/tcp_ipv4.c:1698
 tcp_v4_rcv+0x2d36/0x3780 net/ipv4/tcp_ipv4.c:2059
 ip_protocol_deliver_rcu+0x5c/0x8a0 net/ipv4/ip_input.c:204
 ip_local_deliver_finish+0x20a/0x370 net/ipv4/ip_input.c:231
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 ip_local_deliver+0x1b3/0x200 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:447 [inline]
 ip_rcv_finish+0x1da/0x2f0 net/ipv4/ip_input.c:428
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 ip_rcv+0xaa/0xd0 net/ipv4/ip_input.c:539
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5323
 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5437
 process_backlog+0x232/0x6c0 net/core/dev.c:6328
 napi_poll net/core/dev.c:6806 [inline]
 net_rx_action+0x461/0xe10 net/core/dev.c:6889
 __do_softirq+0x29b/0x9f6 kernel/softirq.c:343
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:226 [inline]
 __irq_exit_rcu kernel/softirq.c:420 [inline]
 irq_exit_rcu+0x134/0x200 kernel/softirq.c:432
 sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1100
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:629
RIP: 0010:lockdep_enabled kernel/locking/lockdep.c:90 [inline]
RIP: 0010:lock_is_held_type+0x42/0x120 kernel/locking/lockdep.c:5474
Code: a9 04 85 c9 0f 84 c6 00 00 00 65 8b 05 f7 6d 07 77 85 c0 0f 85 b7 00 00 00 65 4c 8b 24 25 00 f0 01 00 41 8b 94 24 84 09 00 00 <85> d2 0f 85 9e 00 00 00 48 89 fd 41 89 f6 9c 8f 04 24 fa 48 c7 c7
RSP: 0018:ffffc90000cd76f0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffffffff8bd73d40
RBP: ffffffff8a4a29a0 R08: 0000000000000001 R09: ffffffff8f8667bf
R10: fffffbfff1f0ccf7 R11: 0000000000000000 R12: ffff88801191d340
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
 lock_is_held include/linux/lockdep.h:271 [inline]
 ___might_sleep+0x202/0x2c0 kernel/sched/core.c:7932
 get_next_corpse net/netfilter/nf_conntrack_core.c:2223 [inline]
 nf_ct_iterate_cleanup+0x132/0x400 net/netfilter/nf_conntrack_core.c:2245
 nf_ct_iterate_cleanup_net net/netfilter/nf_conntrack_core.c:2330 [inline]
 nf_ct_iterate_cleanup_net+0x113/0x170 net/netfilter/nf_conntrack_core.c:2315
 masq_device_event+0xae/0xe0 net/netfilter/nf_nat_masquerade.c:88
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2040
 call_netdevice_notifiers_extack net/core/dev.c:2052 [inline]
 call_netdevice_notifiers net/core/dev.c:2066 [inline]
 dev_close_many+0x30b/0x650 net/core/dev.c:1641
 rollback_registered_many+0x3ee/0x14c0 net/core/dev.c:9473
 unregister_netdevice_many.part.0+0x1a/0x2f0 net/core/dev.c:10736
 unregister_netdevice_many net/core/dev.c:10735 [inline]
 default_device_exit_batch+0x30c/0x3d0 net/core/dev.c:11219
 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:190
 cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:604
 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace 4ad368d47deb4c12 ]---
RIP: 0010:skb_headlen include/linux/skbuff.h:2118 [inline]
RIP: 0010:skb_segment+0x6a9/0x3840 net/core/skbuff.c:3909
Code: 89 f6 89 df e8 f8 01 7f fa 44 39 f3 0f 8f b7 00 00 00 e8 4a fc 7e fa 48 8b 84 24 e0 00 00 00 48 8d 78 70 48 89 f8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 74 08 3c 03 0f 8e 1d 2b 00 00 48 8b 84 24 e0
RSP: 0018:ffffc90000dafa30 EFLAGS: 00010202
RAX: 000000000000000e RBX: 0000000000000000 RCX: 0000000000000100
RDX: ffff88801191d340 RSI: ffffffff86f3d9a6 RDI: 0000000000000070
RBP: ffffc90000dafbd0 R08: 0000000000000000 R09: 0000000000000008
R10: ffffffff86f3d998 R11: 0000000000000689 R12: 0000000000000008
R13: 0000000000000404 R14: 0000000000000000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffde2c2aff0 CR3: 00000000159b0000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/02/15 20:16 upstream f40ddce88593 98682e5e .config console log report info ci-upstream-kasan-gce general protection fault in skb_segment
* Struck through repros no longer work on HEAD.