[v6.6] general protection fault in __xfrm_state_insert
0 views
Skip to first unread message
syzbot
Sep 5, 2025, 3:36:32 PMSep 5
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 355bd0b51d2f Linux 6.6.104
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11585312580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dac93b93d3de2741
dashboard link: https://syzkaller.appspot.com/bug?extid=576a0da46ec47b09d020
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ef00d28b2c5b/disk-355bd0b5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7627cd51eb0a/vmlinux-355bd0b5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3fdd0a51dd65/bzImage-355bd0b5.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+576a0d...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 12455 Comm: syz.1.2002 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:hlist_add_before_rcu include/linux/rculist.h:656 [inline]
RIP: 0010:__xfrm_state_insert+0x1250/0x1700 net/xfrm/xfrm_state.c:1512
Code: 00 00 00 00 00 fc ff df 80 3c 03 00 74 08 4c 89 ff e8 d4 2d bf f8 49 8b 1f 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 52 2e bf f8 4c 89 2b 48 b8 00 00 00
RSP: 0018:ffffc900052174e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: ffffc90010833000 RSI: 00000000000249b0 RDI: 00000000000249b1
RBP: 1ffff1100bac0906 R08: dffffc0000000000 R09: 0000000000000002
R10: 000000000000000a R11: 0000000000000002 R12: ffff88805d604828
R13: ffff88805d605428 R14: ffff88805d605400 R15: ffff88805d605430
FS: 00007fb3a7ca06c0(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb34b3912f8 CR3: 0000000060c36000 CR4: 00000000003506e0
Call Trace:
<TASK>
xfrm_state_insert+0x54/0x60 net/xfrm/xfrm_state.c:1561
ipcomp6_tunnel_attach net/ipv6/ipcomp6.c:129 [inline]
ipcomp6_init_state+0x5ab/0x7f0 net/ipv6/ipcomp6.c:161
__xfrm_init_state+0xd8b/0x11c0 net/xfrm/xfrm_state.c:2904
xfrm_init_state+0x1f/0x80 net/xfrm/xfrm_state.c:2932
pfkey_msg2xfrm_state net/key/af_key.c:1286 [inline]
pfkey_add+0x1cee/0x2da0 net/key/af_key.c:1503
pfkey_process net/key/af_key.c:2847 [inline]
pfkey_sendmsg+0xbed/0x1050 net/key/af_key.c:3698
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x5bf/0x950 net/socket.c:2595
___sys_sendmsg+0x220/0x290 net/socket.c:2649
__sys_sendmsg net/socket.c:2678 [inline]
__do_sys_sendmsg net/socket.c:2687 [inline]
__se_sys_sendmsg+0x1a5/0x270 net/socket.c:2685
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fb3a6d8ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb3a7ca0038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fb3a6fc6180 RCX: 00007fb3a6d8ebe9
RDX: 0000000000000000 RSI: 00002000000001c0 RDI: 000000000000000c
RBP: 00007fb3a6e11e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb3a6fc6218 R14: 00007fb3a6fc6180 R15: 00007ffc4b844088
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:hlist_add_before_rcu include/linux/rculist.h:656 [inline]
RIP: 0010:__xfrm_state_insert+0x1250/0x1700 net/xfrm/xfrm_state.c:1512
Code: 00 00 00 00 00 fc ff df 80 3c 03 00 74 08 4c 89 ff e8 d4 2d bf f8 49 8b 1f 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 52 2e bf f8 4c 89 2b 48 b8 00 00 00
RSP: 0018:ffffc900052174e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: ffffc90010833000 RSI: 00000000000249b0 RDI: 00000000000249b1
RBP: 1ffff1100bac0906 R08: dffffc0000000000 R09: 0000000000000002
R10: 000000000000000a R11: 0000000000000002 R12: ffff88805d604828
R13: ffff88805d605428 R14: ffff88805d605400 R15: ffff88805d605430
FS: 00007fb3a7ca06c0(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb34b3912f8 CR3: 0000000060c36000 CR4: 00000000003506e0
----------------
Code disassembly (best guess), 7 bytes skipped:
0: df 80 3c 03 00 74 filds 0x7400033c(%rax)
6: 08 4c 89 ff or %cl,-0x1(%rcx,%rcx,4)
a: e8 d4 2d bf f8 call 0xf8bf2de3
f: 49 8b 1f mov (%r15),%rbx
12: 48 89 d8 mov %rbx,%rax
15: 48 c1 e8 03 shr $0x3,%rax
19: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
20: fc ff df
* 23: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
27: 74 08 je 0x31
29: 48 89 df mov %rbx,%rdi
2c: e8 52 2e bf f8 call 0xf8bf2e83
31: 4c 89 2b mov %r13,(%rbx)
34: 48 rex.W
35: b8 .byte 0xb8
36: 00 00 add %al,(%rax)
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 355bd0b51d2f Linux 6.6.104
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11585312580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dac93b93d3de2741
dashboard link: https://syzkaller.appspot.com/bug?extid=576a0da46ec47b09d020
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ef00d28b2c5b/disk-355bd0b5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7627cd51eb0a/vmlinux-355bd0b5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3fdd0a51dd65/bzImage-355bd0b5.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+576a0d...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 12455 Comm: syz.1.2002 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:hlist_add_before_rcu include/linux/rculist.h:656 [inline]
RIP: 0010:__xfrm_state_insert+0x1250/0x1700 net/xfrm/xfrm_state.c:1512
Code: 00 00 00 00 00 fc ff df 80 3c 03 00 74 08 4c 89 ff e8 d4 2d bf f8 49 8b 1f 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 52 2e bf f8 4c 89 2b 48 b8 00 00 00
RSP: 0018:ffffc900052174e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: ffffc90010833000 RSI: 00000000000249b0 RDI: 00000000000249b1
RBP: 1ffff1100bac0906 R08: dffffc0000000000 R09: 0000000000000002
R10: 000000000000000a R11: 0000000000000002 R12: ffff88805d604828
R13: ffff88805d605428 R14: ffff88805d605400 R15: ffff88805d605430
FS: 00007fb3a7ca06c0(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb34b3912f8 CR3: 0000000060c36000 CR4: 00000000003506e0
Call Trace:
<TASK>
xfrm_state_insert+0x54/0x60 net/xfrm/xfrm_state.c:1561
ipcomp6_tunnel_attach net/ipv6/ipcomp6.c:129 [inline]
ipcomp6_init_state+0x5ab/0x7f0 net/ipv6/ipcomp6.c:161
__xfrm_init_state+0xd8b/0x11c0 net/xfrm/xfrm_state.c:2904
xfrm_init_state+0x1f/0x80 net/xfrm/xfrm_state.c:2932
pfkey_msg2xfrm_state net/key/af_key.c:1286 [inline]
pfkey_add+0x1cee/0x2da0 net/key/af_key.c:1503
pfkey_process net/key/af_key.c:2847 [inline]
pfkey_sendmsg+0xbed/0x1050 net/key/af_key.c:3698
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x5bf/0x950 net/socket.c:2595
___sys_sendmsg+0x220/0x290 net/socket.c:2649
__sys_sendmsg net/socket.c:2678 [inline]
__do_sys_sendmsg net/socket.c:2687 [inline]
__se_sys_sendmsg+0x1a5/0x270 net/socket.c:2685
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fb3a6d8ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb3a7ca0038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fb3a6fc6180 RCX: 00007fb3a6d8ebe9
RDX: 0000000000000000 RSI: 00002000000001c0 RDI: 000000000000000c
RBP: 00007fb3a6e11e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb3a6fc6218 R14: 00007fb3a6fc6180 R15: 00007ffc4b844088
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:hlist_add_before_rcu include/linux/rculist.h:656 [inline]
RIP: 0010:__xfrm_state_insert+0x1250/0x1700 net/xfrm/xfrm_state.c:1512
Code: 00 00 00 00 00 fc ff df 80 3c 03 00 74 08 4c 89 ff e8 d4 2d bf f8 49 8b 1f 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 52 2e bf f8 4c 89 2b 48 b8 00 00 00
RSP: 0018:ffffc900052174e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: ffffc90010833000 RSI: 00000000000249b0 RDI: 00000000000249b1
RBP: 1ffff1100bac0906 R08: dffffc0000000000 R09: 0000000000000002
R10: 000000000000000a R11: 0000000000000002 R12: ffff88805d604828
R13: ffff88805d605428 R14: ffff88805d605400 R15: ffff88805d605430
FS: 00007fb3a7ca06c0(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb34b3912f8 CR3: 0000000060c36000 CR4: 00000000003506e0
----------------
Code disassembly (best guess), 7 bytes skipped:
0: df 80 3c 03 00 74 filds 0x7400033c(%rax)
6: 08 4c 89 ff or %cl,-0x1(%rcx,%rcx,4)
a: e8 d4 2d bf f8 call 0xf8bf2de3
f: 49 8b 1f mov (%r15),%rbx
12: 48 89 d8 mov %rbx,%rax
15: 48 c1 e8 03 shr $0x3,%rax
19: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
20: fc ff df
* 23: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
27: 74 08 je 0x31
29: 48 89 df mov %rbx,%rdi
2c: e8 52 2e bf f8 call 0xf8bf2e83
31: 4c 89 2b mov %r13,(%rbx)
34: 48 rex.W
35: b8 .byte 0xb8
36: 00 00 add %al,(%rax)
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages