general protection fault in skb_segment


syzbot

Jul 5, 2022, 1:51:28 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: ed2e96e11936 Linux 4.14.286
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13e967d4080000
kernel config: https://syzkaller.appspot.com/x/.config?x=d9ccbaec7c54db8b
dashboard link: https://syzkaller.appspot.com/bug?extid=05c03f6cb680c83bcdee
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+05c03f...@syzkaller.appspotmail.com

ip_tables: iptables: counters copy to user failed while replacing table
could not allocate digest TFM handle sm3
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 8 Comm: ksoftirqd/0 Not tainted 4.14.286-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
task: ffff8880b540e200 task.stack: ffff8880b5418000
RIP: 0010:skb_segment+0x1733/0x2e60 net/core/skbuff.c:3627
RSP: 0018:ffff8880b541e6a0 EFLAGS: 00010202
RAX: 0000000000000010 RBX: 000000000000113a RCX: ffff8880951db744
RDX: 0000000000000100 RSI: 0000000000000598 RDI: 0000000000000080
RBP: ffff8880b541e830 R08: 0000000000000001 R09: ffffed1014a92073
R10: ffff8880a549039f R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8880abebe580 R14: 00000000000010f8 R15: 0000000000000598
FS: 0000000000000000(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff6be94b000 CR3: 00000000b0493000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
sctp_gso_segment net/sctp/offload.c:76 [inline]
sctp_gso_segment+0x204/0x810 net/sctp/offload.c:43
inet_gso_segment+0x487/0x10f0 net/ipv4/af_inet.c:1272
inet_gso_segment+0x487/0x10f0 net/ipv4/af_inet.c:1272
skb_mac_gso_segment+0x240/0x4c0 net/core/dev.c:2745
__skb_gso_segment+0x302/0x600 net/core/dev.c:2818
skb_gso_segment include/linux/netdevice.h:4005 [inline]
validate_xmit_skb+0x49c/0x9f0 net/core/dev.c:3071
validate_xmit_skb_list+0xaf/0x110 net/core/dev.c:3122
sch_direct_xmit+0x2dc/0x500 net/sched/sch_generic.c:181
qdisc_restart net/sched/sch_generic.c:249 [inline]
__qdisc_run+0x25d/0xe00 net/sched/sch_generic.c:257
__dev_xmit_skb net/core/dev.c:3231 [inline]
__dev_queue_xmit+0x13ac/0x2480 net/core/dev.c:3489
neigh_hh_output include/net/neighbour.h:490 [inline]
neigh_output include/net/neighbour.h:498 [inline]
ip_finish_output2+0x9db/0x1340 net/ipv4/ip_output.c:237
ip_finish_output+0x37c/0xc50 net/ipv4/ip_output.c:325
NF_HOOK_COND include/linux/netfilter.h:239 [inline]
ip_output+0x1cd/0x510 net/ipv4/ip_output.c:413
dst_output include/net/dst.h:470 [inline]
ip_local_out+0x93/0x170 net/ipv4/ip_output.c:125
iptunnel_xmit+0x5cc/0x950 net/ipv4/ip_tunnel_core.c:91
ip_tunnel_xmit+0xedc/0x33e0 net/ipv4/ip_tunnel.c:799
sit_tunnel_xmit__ net/ipv6/sit.c:1006 [inline]
sit_tunnel_xmit+0x1ab/0x2130 net/ipv6/sit.c:1019
__netdev_start_xmit include/linux/netdevice.h:4054 [inline]
netdev_start_xmit include/linux/netdevice.h:4063 [inline]
xmit_one net/core/dev.c:3005 [inline]
dev_hard_start_xmit+0x188/0x890 net/core/dev.c:3021
__dev_queue_xmit+0x1d7f/0x2480 net/core/dev.c:3521
neigh_output include/net/neighbour.h:500 [inline]
ip_finish_output2+0xba6/0x1340 net/ipv4/ip_output.c:237
ip_finish_output+0x37c/0xc50 net/ipv4/ip_output.c:325
NF_HOOK_COND include/linux/netfilter.h:239 [inline]
ip_output+0x1cd/0x510 net/ipv4/ip_output.c:413
dst_output include/net/dst.h:470 [inline]
ip_local_out+0x93/0x170 net/ipv4/ip_output.c:125
nf_dup_ipv4 net/ipv4/netfilter/nf_dup_ipv4.c:91 [inline]
nf_dup_ipv4+0x4bb/0x680 net/ipv4/netfilter/nf_dup_ipv4.c:53
tee_tg4+0x109/0x160 net/netfilter/xt_TEE.c:36
ipt_do_table+0xa9d/0x16f0 net/ipv4/netfilter/ip_tables.c:353
iptable_filter_hook+0x172/0x1e0 net/ipv4/netfilter/iptable_filter.c:47
nf_hook_entry_hookfn include/linux/netfilter.h:108 [inline]
nf_hook_slow+0xb0/0x1a0 net/netfilter/core.c:468
nf_hook include/linux/netfilter.h:205 [inline]
NF_HOOK include/linux/netfilter.h:248 [inline]
ip_local_deliver+0x28c/0x460 net/ipv4/ip_input.c:257
dst_input include/net/dst.h:476 [inline]
ip_rcv_finish+0x6e3/0x19f0 net/ipv4/ip_input.c:396
NF_HOOK include/linux/netfilter.h:250 [inline]
ip_rcv+0x8a7/0xf10 net/ipv4/ip_input.c:493
__netif_receive_skb_core+0x15ee/0x2a30 net/core/dev.c:4474
__netif_receive_skb+0x27/0x1a0 net/core/dev.c:4512
process_backlog+0x218/0x6f0 net/core/dev.c:5195
napi_poll net/core/dev.c:5604 [inline]
net_rx_action+0x466/0xfd0 net/core/dev.c:5670
__do_softirq+0x24d/0x9ff kernel/softirq.c:288
run_ksoftirqd+0x50/0x1a0 kernel/softirq.c:670
smpboot_thread_fn+0x5c1/0x920 kernel/smpboot.c:164
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Code: 24 53 00 c7 44 24 1c 00 00 00 00 e9 ae ec ff ff e8 23 e2 94 fb 48 8b 84 24 e8 00 00 00 48 8d b8 80 00 00 00 48 89 f8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 74 08 3c 03 0f 8e 8b 16 00 00 48 8b 84 24
RIP: skb_segment+0x1733/0x2e60 net/core/skbuff.c:3627 RSP: ffff8880b541e6a0
---[ end trace 5270ba1bb7fb1d5b ]---
----------------
Code disassembly (best guess):
0: 24 53 and $0x53,%al
2: 00 c7 add %al,%bh
4: 44 24 1c rex.R and $0x1c,%al
7: 00 00 add %al,(%rax)
9: 00 00 add %al,(%rax)
b: e9 ae ec ff ff jmpq 0xffffecbe
10: e8 23 e2 94 fb callq 0xfb94e238
15: 48 8b 84 24 e8 00 00 mov 0xe8(%rsp),%rax
1c: 00
1d: 48 8d b8 80 00 00 00 lea 0x80(%rax),%rdi
24: 48 89 f8 mov %rdi,%rax
27: 48 c1 e8 03 shr $0x3,%rax
* 2b: 42 0f b6 04 20 movzbl (%rax,%r12,1),%eax <-- trapping instruction
30: 84 c0 test %al,%al
32: 74 08 je 0x3c
34: 3c 03 cmp $0x3,%al
36: 0f 8e 8b 16 00 00 jle 0x16c7
3c: 48 rex.W
3d: 8b .byte 0x8b
3e: 84 .byte 0x84
3f: 24 .byte 0x24


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Nov 2, 2022, 1:51:36 PM
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.