Re: [syzbot] general protection fault in pause_prepare_data

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+9d44aae2720fc40b8474@syzkaller.appspotmail.com>
To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	pabeni@redhat.com, syzkaller-bugs@googlegroups.com,
	vladimir.oltean@nxp.com
Subject: Re: [syzbot] general protection fault in pause_prepare_data
Date: Tue, 24 Jan 2023 00:25:48 -0800	[thread overview]
Message-ID: <000000000000501e4505f2fe4344@google.com> (raw)
In-Reply-To: <00000000000062150b05f2fd210c@google.com>

syzbot has found a reproducer for the following issue on:

HEAD commit:    32e54254bab8 net: mdio: mux-meson-g12a: use devm_clk_get_e..
git tree:       net-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1553d205480000
kernel config:  https://syzkaller.appspot.com/x/.config?x=21d2a04ab2961430
dashboard link: https://syzkaller.appspot.com/bug?extid=9d44aae2720fc40b8474
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15081f7a480000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12458db6480000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b82896cd05c2/disk-32e54254.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/77935ce88c7c/vmlinux-32e54254.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d3ebfede7cbd/bzImage-32e54254.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9d44aae2720fc40b8474@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]
CPU: 0 PID: 5071 Comm: syz-executor396 Not tainted 6.2.0-rc4-syzkaller-00687-g32e54254bab8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
RIP: 0010:pause_prepare_data+0x60/0x400 net/ethtool/pause.c:59
Code: 0f b6 04 02 84 c0 74 08 3c 03 0f 8e 02 03 00 00 48 8d 7d 40 45 8b 6c 24 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 14 03 00 00 48 8b 45 40 48 89 da 48 c1 ea 03 48
RSP: 0018:ffffc90003c0f270 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888021b55c00 RCX: 0000000000000000
RDX: 0000000000000008 RSI: ffffffff880744d0 RDI: 0000000000000040
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8e7326d7
R10: fffffbfff1ce64da R11: 0000000000000000 R12: ffff8880218e7d00
R13: 0000000000000000 R14: ffff88807de6c598 R15: ffffffff880744b0
FS:  000055555715c300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006691e0 CR3: 000000007b781000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ethnl_default_dump_one net/ethtool/netlink.c:446 [inline]
 ethnl_default_dumpit+0x4a8/0xe80 net/ethtool/netlink.c:498
 netlink_dump+0x570/0xc50 net/netlink/af_netlink.c:2286
 __netlink_dump_start+0x64b/0x910 net/netlink/af_netlink.c:2391
 genl_family_rcv_msg_dumpit+0x2be/0x310 net/netlink/genetlink.c:929
 genl_family_rcv_msg net/netlink/genetlink.c:1045 [inline]
 genl_rcv_msg+0x419/0x7e0 net/netlink/genetlink.c:1065
 netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2564
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
 netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
 netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1356
 netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1932
 sock_sendmsg_nosec net/socket.c:722 [inline]
 sock_sendmsg+0xde/0x190 net/socket.c:745
 ____sys_sendmsg+0x71c/0x900 net/socket.c:2501
 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2555
 __sys_sendmsg+0xf7/0x1c0 net/socket.c:2584
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f620fd6c589
Code: 28 c3 e8 4a 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdab95a158 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007ffdab95a168 RCX: 00007f620fd6c589
RDX: 0000000000000000 RSI: 0000000020000540 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdab95a170
R13: 00007ffdab95a190 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:pause_prepare_data+0x60/0x400 net/ethtool/pause.c:59
Code: 0f b6 04 02 84 c0 74 08 3c 03 0f 8e 02 03 00 00 48 8d 7d 40 45 8b 6c 24 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 14 03 00 00 48 8b 45 40 48 89 da 48 c1 ea 03 48
RSP: 0018:ffffc90003c0f270 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff888021b55c00 RCX: 0000000000000000
RDX: 0000000000000008 RSI: ffffffff880744d0 RDI: 0000000000000040
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8e7326d7
R10: fffffbfff1ce64da R11: 0000000000000000 R12: ffff8880218e7d00
R13: 0000000000000000 R14: ffff88807de6c598 R15: ffffffff880744b0
FS:  000055555715c300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055e77403a658 CR3: 000000007b781000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax
   4:	84 c0                	test   %al,%al
   6:	74 08                	je     0x10
   8:	3c 03                	cmp    $0x3,%al
   a:	0f 8e 02 03 00 00    	jle    0x312
  10:	48 8d 7d 40          	lea    0x40(%rbp),%rdi
  14:	45 8b 6c 24 18       	mov    0x18(%r12),%r13d
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 14 03 00 00    	jne    0x348
  34:	48 8b 45 40          	mov    0x40(%rbp),%rax
  38:	48 89 da             	mov    %rbx,%rdx
  3b:	48 c1 ea 03          	shr    $0x3,%rdx
  3f:	48                   	rex.W

     prev parent reply	other threads:[~2023-01-24  8:25 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-01-24  7:04 [syzbot] general protection fault in pause_prepare_data syzbot
2023-01-24  8:25 ` syzbot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000501e4505f2fe4344@google.com \
    --to=syzbot+9d44aae2720fc40b8474@syzkaller.appspotmail.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=vladimir.oltean@nxp.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.