From: syzbot <syzbot+61a1cfc2b6632363d319@syzkaller.appspotmail.com>
To: aha310510@gmail.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bpf?] [net?] general protection fault in __xsk_map_flush
Date: Mon, 22 Jul 2024 08:54:03 -0700
Message-ID: <000000000000e28242061dd80dc5@google.com>
In-Reply-To: <20240722144935.2611-1-aha310510@gmail.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in bpf_net_ctx_get_all_used_flush_lists
BUG: unable to handle page fault for address: ffffe630188daf02
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 1503a067 P4D 1503a067 PUD 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 7523 Comm: syz-executor288 Not tainted 6.10.0-syzkaller-11840-g933069701c1b-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:list_empty include/linux/list.h:373 [inline]
RIP: 0010:bpf_net_ctx_get_all_used_flush_lists+0x16b/0x390 include/linux/filter.h:846
Code: e6 08 31 ff e8 f6 c8 29 f8 4c 89 f8 48 83 e0 08 75 07 e8 08 c4 29 f8 eb 56 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 47 0f 91 f8 48 8b 03 48 39 d8 74 2a
RSP: 0000:ffffc90000007a28 EFLAGS: 00010a02
RAX: 1fffea30188daf02 RBX: ffff5180c46d7810 RCX: dffffc0000000000
RDX: 0000000080000100 RSI: 0000000000000008 RDI: 0000000000000000
RBP: ffffffff8ddf3a40 R08: ffffffff8969be0a R09: 1ffffffff1f5f50d
R10: dffffc0000000000 R11: fffffbfff1f5f50e R12: 1ffff92000000f5c
R13: ffffc9000b2d77c0 R14: ffffc90000007ae0 R15: 000000000165af0c
FS: 0000555589e57380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffe630188daf02 CR3: 000000007d0c8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
xdp_do_check_flushed+0x130/0x2f0 net/core/filter.c:4298
__napi_poll+0xe4/0x490 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0x89b/0x1240 net/core/dev.c:6962
handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
common_interrupt+0xaa/0xd0 arch/x86/kernel/irq.c:278
</IRQ>
<TASK>
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5763
Code: 2b 00 74 08 4c 89 f7 e8 ba 1f 8b 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25
RSP: 0000:ffffc9000b2d7620 EFLAGS: 00000206
RAX: 0000000000000001 RBX: 1ffff9200165aed0 RCX: 697b9cec6cfc8500
RDX: dffffc0000000000 RSI: ffffffff8bcae720 RDI: ffffffff8c20a480
RBP: ffffc9000b2d7778 R08: ffffffff930028af R09: 1ffffffff2600515
R10: dffffc0000000000 R11: fffffbfff2600516 R12: 1ffff9200165aecc
R13: dffffc0000000000 R14: ffffc9000b2d7680 R15: 0000000000000246
percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
__sb_start_write include/linux/fs.h:1675 [inline]
sb_start_write+0x4d/0x1c0 include/linux/fs.h:1811
mnt_want_write+0x3f/0x90 fs/namespace.c:515
do_unlinkat+0x1fe/0x830 fs/namei.c:4469
do_coredump+0x2247/0x2a30 fs/coredump.c:678
get_signal+0x13fa/0x1740 kernel/signal.c:2902
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
irqentry_exit_to_user_mode+0x79/0x280 kernel/entry/common.c:231
exc_page_fault+0x590/0x8c0 arch/x86/mm/fault.c:1542
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7fdae0dfb15e
Code: fd d7 c9 0f bc d1 c5 fe 7f 27 c5 fe 7f 6f 20 c5 fe 7f 77 40 c5 fe 7f 7f 60 49 83 c0 1f 49 29 d0 48 8d 7c 17 61 e9 d2 04 00 00 <c5> fe 6f 1e c5 fe 6f 56 20 c5 fd 74 cb c5 fd d7 d1 49 83 f8 21 0f
RSP: 002b:00007ffcbd96f8c8 EFLAGS: 00010287
RAX: 00007ffcbd96f8e0 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 00000000000003ff RSI: 0000000000000000 RDI: 00007ffcbd96f8e0
RBP: 00007ffcbd96f8e0 R08: 00000000000003ff R09: 00007ffcbd96fe28
R10: 00007ffcbd96fe28 R11: 0000000000000246 R12: 6666666666666667
R13: 0000000000000000 R14: 00007ffcbd96fd30 R15: 00007ffcbd96fd20
</TASK>
Modules linked in:
CR2: ffffe630188daf02
---[ end trace 0000000000000000 ]---
RIP: 0010:list_empty include/linux/list.h:373 [inline]
RIP: 0010:bpf_net_ctx_get_all_used_flush_lists+0x16b/0x390 include/linux/filter.h:846
Code: e6 08 31 ff e8 f6 c8 29 f8 4c 89 f8 48 83 e0 08 75 07 e8 08 c4 29 f8 eb 56 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 47 0f 91 f8 48 8b 03 48 39 d8 74 2a
RSP: 0000:ffffc90000007a28 EFLAGS: 00010a02
RAX: 1fffea30188daf02 RBX: ffff5180c46d7810 RCX: dffffc0000000000
RDX: 0000000080000100 RSI: 0000000000000008 RDI: 0000000000000000
RBP: ffffffff8ddf3a40 R08: ffffffff8969be0a R09: 1ffffffff1f5f50d
R10: dffffc0000000000 R11: fffffbfff1f5f50e R12: 1ffff92000000f5c
R13: ffffc9000b2d77c0 R14: ffffc90000007ae0 R15: 000000000165af0c
FS: 0000555589e57380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffe630188daf02 CR3: 000000007d0c8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: e6 08 out %al,$0x8
2: 31 ff xor %edi,%edi
4: e8 f6 c8 29 f8 call 0xf829c8ff
9: 4c 89 f8 mov %r15,%rax
c: 48 83 e0 08 and $0x8,%rax
10: 75 07 jne 0x19
12: e8 08 c4 29 f8 call 0xf829c41f
17: eb 56 jmp 0x6f
19: 48 89 d8 mov %rbx,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
27: fc ff df
* 2a: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 48 89 df mov %rbx,%rdi
33: e8 47 0f 91 f8 call 0xf8910f7f
38: 48 8b 03 mov (%rbx),%rax
3b: 48 39 d8 cmp %rbx,%rax
3e: 74 2a je 0x6a
Tested on:
commit: 93306970 Merge tag '6.11-rc-smb3-server-fixes' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=124846ad980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d04f9888ed34da73
dashboard link: https://syzkaller.appspot.com/bug?extid=61a1cfc2b6632363d319
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12158b79980000