general protection fault in skb

Kernel	Title	Repro	Cause bisect	Count	Last	Reported	Patched	Status
linux-4.14	general protection fault in skb_segment			1	522d	522d	0/1	auto-obsoleted due to no activity on 2022/11/02 17:51
upstream	general protection fault in skb_segment (3) net	C	done	2	118d	118d	25/25	fixed on 2023/10/12 12:48
upstream	general protection fault in skb_segment sctp	C		7	2161d	2171d	4/25	fixed on 2018/01/29 03:39

general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted 5.11.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net RIP: 0010:skb_headlen include/linux/skbuff.h:2118 [inline] RIP: 0010:skb_segment+0x6a9/0x3840 net/core/skbuff.c:3909 Code: 89 f6 89 df e8 f8 01 7f fa 44 39 f3 0f 8f b7 00 00 00 e8 4a fc 7e fa 48 8b 84 24 e0 00 00 00 48 8d 78 70 48 89 f8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 74 08 3c 03 0f 8e 1d 2b 00 00 48 8b 84 24 e0 RSP: 0018:ffffc90000dafa30 EFLAGS: 00010202 RAX: 000000000000000e RBX: 0000000000000000 RCX: 0000000000000100 RDX: ffff88801191d340 RSI: ffffffff86f3d9a6 RDI: 0000000000000070 RBP: ffffc90000dafbd0 R08: 0000000000000000 R09: 0000000000000008 R10: ffffffff86f3d998 R11: 0000000000000689 R12: 0000000000000008 R13: 0000000000000404 R14: 0000000000000000 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffde2c2aff0 CR3: 00000000159b0000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> tcp_gso_segment+0x33d/0x17e0 net/ipv4/tcp_offload.c:98 tcp4_gso_segment net/ipv4/tcp_offload.c:51 [inline] tcp4_gso_segment+0x194/0x3a0 net/ipv4/tcp_offload.c:29 inet_gso_segment+0x502/0x1110 net/ipv4/af_inet.c:1378 skb_mac_gso_segment+0x26e/0x530 net/core/dev.c:3326 __skb_gso_segment+0x330/0x6e0 net/core/dev.c:3399 skb_gso_segment include/linux/netdevice.h:4728 [inline] cake_enqueue+0x2808/0x39f0 net/sched/sch_cake.c:1742 __dev_xmit_skb net/core/dev.c:3807 [inline] __dev_queue_xmit+0x1913/0x2dd0 net/core/dev.c:4119 neigh_hh_output include/net/neighbour.h:499 [inline] neigh_output include/net/neighbour.h:508 [inline] ip_finish_output2+0xeb6/0x21b0 net/ipv4/ip_output.c:230 __ip_finish_output net/ipv4/ip_output.c:308 [inline] __ip_finish_output+0x396/0x640 net/ipv4/ip_output.c:290 ip_finish_output+0x35/0x200 net/ipv4/ip_output.c:318 NF_HOOK_COND include/linux/netfilter.h:290 [inline] ip_output+0x196/0x310 net/ipv4/ip_output.c:432 dst_output include/net/dst.h:441 [inline] ip_local_out net/ipv4/ip_output.c:126 [inline] __ip_queue_xmit+0x8e9/0x1a00 net/ipv4/ip_output.c:532 __tcp_transmit_skb+0x18a4/0x3930 net/ipv4/tcp_output.c:1405 tcp_transmit_skb net/ipv4/tcp_output.c:1423 [inline] __tcp_retransmit_skb+0x6b9/0x2be0 net/ipv4/tcp_output.c:3237 tcp_retransmit_skb+0x2a/0x360 net/ipv4/tcp_output.c:3260 tcp_xmit_retransmit_queue.part.0+0x3fa/0x990 net/ipv4/tcp_output.c:3342 tcp_xmit_retransmit_queue+0x57/0x70 net/ipv4/tcp_output.c:3296 tcp_xmit_recovery net/ipv4/tcp_input.c:3670 [inline] tcp_xmit_recovery+0x86/0x180 net/ipv4/tcp_input.c:3656 tcp_ack+0x265f/0x59d0 net/ipv4/tcp_input.c:3844 tcp_rcv_state_process+0xb85/0x4cb0 net/ipv4/tcp_input.c:6396 tcp_v4_do_rcv+0x320/0x870 net/ipv4/tcp_ipv4.c:1698 tcp_v4_rcv+0x2d36/0x3780 net/ipv4/tcp_ipv4.c:2059 ip_protocol_deliver_rcu+0x5c/0x8a0 net/ipv4/ip_input.c:204 ip_local_deliver_finish+0x20a/0x370 net/ipv4/ip_input.c:231 NF_HOOK include/linux/netfilter.h:301 [inline] NF_HOOK include/linux/netfilter.h:295 [inline] ip_local_deliver+0x1b3/0x200 net/ipv4/ip_input.c:252 dst_input include/net/dst.h:447 [inline] ip_rcv_finish+0x1da/0x2f0 net/ipv4/ip_input.c:428 NF_HOOK include/linux/netfilter.h:301 [inline] NF_HOOK include/linux/netfilter.h:295 [inline] ip_rcv+0xaa/0xd0 net/ipv4/ip_input.c:539 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5323 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5437 process_backlog+0x232/0x6c0 net/core/dev.c:6328 napi_poll net/core/dev.c:6806 [inline] net_rx_action+0x461/0xe10 net/core/dev.c:6889 __do_softirq+0x29b/0x9f6 kernel/softirq.c:343 asm_call_irq_on_stack+0xf/0x20 </IRQ> __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline] do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:226 [inline] __irq_exit_rcu kernel/softirq.c:420 [inline] irq_exit_rcu+0x134/0x200 kernel/softirq.c:432 sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1100 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:629 RIP: 0010:lockdep_enabled kernel/locking/lockdep.c:90 [inline] RIP: 0010:lock_is_held_type+0x42/0x120 kernel/locking/lockdep.c:5474 Code: a9 04 85 c9 0f 84 c6 00 00 00 65 8b 05 f7 6d 07 77 85 c0 0f 85 b7 00 00 00 65 4c 8b 24 25 00 f0 01 00 41 8b 94 24 84 09 00 00 <85> d2 0f 85 9e 00 00 00 48 89 fd 41 89 f6 9c 8f 04 24 fa 48 c7 c7 RSP: 0018:ffffc90000cd76f0 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffffffff8bd73d40 RBP: ffffffff8a4a29a0 R08: 0000000000000001 R09: ffffffff8f8667bf R10: fffffbfff1f0ccf7 R11: 0000000000000000 R12: ffff88801191d340 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 lock_is_held include/linux/lockdep.h:271 [inline] ___might_sleep+0x202/0x2c0 kernel/sched/core.c:7932 get_next_corpse net/netfilter/nf_conntrack_core.c:2223 [inline] nf_ct_iterate_cleanup+0x132/0x400 net/netfilter/nf_conntrack_core.c:2245 nf_ct_iterate_cleanup_net net/netfilter/nf_conntrack_core.c:2330 [inline] nf_ct_iterate_cleanup_net+0x113/0x170 net/netfilter/nf_conntrack_core.c:2315 masq_device_event+0xae/0xe0 net/netfilter/nf_nat_masquerade.c:88 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2040 call_netdevice_notifiers_extack net/core/dev.c:2052 [inline] call_netdevice_notifiers net/core/dev.c:2066 [inline] dev_close_many+0x30b/0x650 net/core/dev.c:1641 rollback_registered_many+0x3ee/0x14c0 net/core/dev.c:9473 unregister_netdevice_many.part.0+0x1a/0x2f0 net/core/dev.c:10736 unregister_netdevice_many net/core/dev.c:10735 [inline] default_device_exit_batch+0x30c/0x3d0 net/core/dev.c:11219 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:190 cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:604 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421 kthread+0x3b1/0x4a0 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 Modules linked in: ---[ end trace 4ad368d47deb4c12 ]--- RIP: 0010:skb_headlen include/linux/skbuff.h:2118 [inline] RIP: 0010:skb_segment+0x6a9/0x3840 net/core/skbuff.c:3909 Code: 89 f6 89 df e8 f8 01 7f fa 44 39 f3 0f 8f b7 00 00 00 e8 4a fc 7e fa 48 8b 84 24 e0 00 00 00 48 8d 78 70 48 89 f8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 74 08 3c 03 0f 8e 1d 2b 00 00 48 8b 84 24 e0 RSP: 0018:ffffc90000dafa30 EFLAGS: 00010202 RAX: 000000000000000e RBX: 0000000000000000 RCX: 0000000000000100 RDX: ffff88801191d340 RSI: ffffffff86f3d9a6 RDI: 0000000000000070 RBP: ffffc90000dafbd0 R08: 0000000000000000 R09: 0000000000000008 R10: ffffffff86f3d998 R11: 0000000000000689 R12: 0000000000000008 R13: 0000000000000404 R14: 0000000000000000 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffde2c2aff0 CR3: 00000000159b0000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400