From: syzbot <syzbot+44623300f057a28baf1e@syzkaller.appspotmail.com>
To: aha310510@gmail.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bpf?] [net?] general protection fault in __dev_flush
Date: Mon, 22 Jul 2024 03:52:03 -0700
Message-ID: <000000000000d57245061dd3d547@google.com>
In-Reply-To: <20240722103109.4668-1-aha310510@gmail.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: stack-out-of-bounds Read in xdp_do_check_flushed

==================================================================
BUG: KASAN: stack-out-of-bounds in bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]
BUG: KASAN: stack-out-of-bounds in xdp_do_check_flushed+0x355/0x3f0 net/core/filter.c:4298
Read of size 4 at addr ffffc90003387a50 by task syz.0.105/5938

CPU: 0 UID: 0 PID: 5938 Comm: syz.0.105 Not tainted 6.10.0-syzkaller-g933069701c1b-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]
 xdp_do_check_flushed+0x355/0x3f0 net/core/filter.c:4298
 __napi_poll.constprop.0+0xd1/0x550 net/core/dev.c:6774
 napi_poll net/core/dev.c:6840 [inline]
 net_rx_action+0xa92/0x1010 net/core/dev.c:6962
 handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu kernel/softirq.c:637 [inline]
 irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__schedule+0xe3f/0x5490 kernel/sched/core.c:6399
Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 ba 3f 00 00 48 8b bd 10 ff ff ff 4d 89 77 10 4c 89 f6 e8 c9 a5 0f f6 48 89 c7 e8 61 54 6a f6 <48> 8b 8d a0 fe ff ff 48 b8 00 00 00 00 00 fc ff df 48 01 c1 48 c7
RSP: 0018:ffffc90003387980 EFLAGS: 00000206
RAX: 00000000000001a9 RBX: ffff888043a40000 RCX: 1ffffffff1fce089
RDX: 0000000000000000 RSI: ffffffff8b2cc580 RDI: ffffffff8b90c740
RBP: ffffc90003387b10 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8fe7489f R11: 0000000000000001 R12: ffff88806b03f908
R13: 0000000000000000 R14: ffff888043a40000 R15: ffff88806b03ee00
 preempt_schedule_common+0x44/0xc0 kernel/sched/core.c:6708
 preempt_schedule_thunk+0x1a/0x30 arch/x86/entry/thunk.S:12
 class_preempt_destructor include/linux/preempt.h:480 [inline]
 class_preempt_destructor include/linux/preempt.h:480 [inline]
 try_to_wake_up+0xc08/0x13e0 kernel/sched/core.c:4022
 wake_up_process kernel/sched/core.c:4299 [inline]
 wake_up_q+0x91/0x140 kernel/sched/core.c:1029
 futex_wake+0x43e/0x4e0 kernel/futex/waitwake.c:199
 do_futex+0x1e5/0x350 kernel/futex/syscalls.c:107
 __do_sys_futex kernel/futex/syscalls.c:179 [inline]
 __se_sys_futex kernel/futex/syscalls.c:160 [inline]
 __x64_sys_futex+0x1e1/0x4c0 kernel/futex/syscalls.c:160
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7faaa0975b59
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007faaa16670f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007faaa0b05f68 RCX: 00007faaa0975b59
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007faaa0b05f6c
RBP: 00007faaa0b05f60 R08: 00007faaa1668080 R09: 00007faaa16676c0
R10: 0000000000000e80 R11: 0000000000000246 R12: 00007faaa0b05f6c
R13: 000000000000000b R14: 00007fff8e045980 R15: 00007fff8e045a68
 </TASK>

The buggy address belongs to stack of task syz.0.105/5938
 and is located at offset 40 in frame:
 __schedule+0x0/0x5490

This frame has 3 objects:
 [48, 52) 'cid'
 [64, 80) 'rf'
 [96, 120) 'ac'

The buggy address belongs to the virtual mapping at
 [ffffc90003380000, ffffc90003389000) created by:
 kernel_clone+0xfd/0x980 kernel/fork.c:2781

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801f49d0f0 pfn:0x1f49d
memcg:ffff88802787e902
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88801f49d0f0 0000000000000000 00000001ffffffff ffff88802787e902
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 5663, tgid 5663 (syz-executor), ts 127270798487, free_ts 127240380476
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1493
 prep_new_page mm/page_alloc.c:1501 [inline]
 get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3438
 __alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4696
 alloc_pages_mpol_noprof+0x275/0x610 mm/mempolicy.c:2263
 vm_area_alloc_pages mm/vmalloc.c:3584 [inline]
 __vmalloc_area_node mm/vmalloc.c:3660 [inline]
 __vmalloc_node_range_noprof+0xa6a/0x1520 mm/vmalloc.c:3841
 alloc_thread_stack_node kernel/fork.c:313 [inline]
 dup_task_struct kernel/fork.c:1113 [inline]
 copy_process+0x2f3b/0x8de0 kernel/fork.c:2204
 kernel_clone+0xfd/0x980 kernel/fork.c:2781
 __do_sys_clone+0xba/0x100 kernel/fork.c:2924
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5663 tgid 5663 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1094 [inline]
 free_unref_page+0x64a/0xe40 mm/page_alloc.c:2608
 __folio_put+0x31c/0x3e0 mm/swap.c:128
 folio_put include/linux/mm.h:1479 [inline]
 free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308
 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2569 [inline]
 rcu_core+0x828/0x16b0 kernel/rcu/tree.c:2843
 handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu kernel/softirq.c:637 [inline]
 irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Memory state around the buggy address:
 ffffc90003387900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90003387980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90003387a00: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 04 f2 00 00 f2
                                                 ^
 ffffc90003387a80: f2 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00
 ffffc90003387b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:	fa                   	cli
   1:	48 c1 ea 03          	shr    $0x3,%rdx
   5:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   9:	0f 85 ba 3f 00 00    	jne    0x3fc9
   f:	48 8b bd 10 ff ff ff 	mov    -0xf0(%rbp),%rdi
  16:	4d 89 77 10          	mov    %r14,0x10(%r15)
  1a:	4c 89 f6             	mov    %r14,%rsi
  1d:	e8 c9 a5 0f f6       	call   0xf60fa5eb
  22:	48 89 c7             	mov    %rax,%rdi
  25:	e8 61 54 6a f6       	call   0xf66a548b
* 2a:	48 8b 8d a0 fe ff ff 	mov    -0x160(%rbp),%rcx <-- trapping instruction
  31:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  38:	fc ff df
  3b:	48 01 c1             	add    %rax,%rcx
  3e:	48                   	rex.W
  3f:	c7                   	.byte 0xc7


Tested on:

commit:         93306970 Merge tag '6.11-rc-smb3-server-fixes' of git:..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1162fe3d980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c043ce4607a33671
dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1214995e980000
