From: syzbot <syzbot+46aa5474f179dacd1a3b@syzkaller.appspotmail.com>
To: davem@davemloft.net, edumazet@google.com, eric.dumazet@gmail.com,
horms@kernel.org, jmaloy@redhat.com, kuba@kernel.org,
kuniyu@amazon.com, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, pabeni@redhat.com,
syzkaller-bugs@googlegroups.com,
tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
Subject: Re: [syzbot] [tipc?] general protection fault in cleanup_bearer
Date: Thu, 05 Dec 2024 08:51:24 -0800 [thread overview]
Message-ID: <6751da0c.050a0220.b4160.01dc.GAE@google.com> (raw)
In-Reply-To: <67508b5f.050a0220.17bd51.0070.GAE@google.com>
syzbot has found a reproducer for the following issue on:
HEAD commit: 31f1b55d5d7e net: mana: Request a V2 response version for ..
git tree: net
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17d290f8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=3891b550f14aea0f
dashboard link: https://syzkaller.appspot.com/bug?extid=46aa5474f179dacd1a3b
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1724ade8580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=148868df980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ba0fb1ec0f79/disk-31f1b55d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/535224afed4c/vmlinux-31f1b55d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/bd1b0227ba3d/bzImage-31f1b55d.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+46aa5474f179dacd1a3b@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.12.0-syzkaller-10767-g31f1b55d5d7e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events cleanup_bearer
RIP: 0010:read_pnet include/net/net_namespace.h:392 [inline]
RIP: 0010:sock_net include/net/sock.h:655 [inline]
RIP: 0010:cleanup_bearer+0x1f7/0x280 net/tipc/udp_media.c:820
Code: 18 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 ec 2e 91 f6 48 8b 1b 48 83 c3 30 e8 80 97 63 00 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 ca 2e 91 f6 49 83 c7 e8 48 8b 1b
RSP: 0018:ffffc900000e7b70 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000030 RCX: ffff88801cef8000
RDX: dffffc0000000000 RSI: ffffffff8c0ad980 RDI: 0000000000000001
RBP: ffff8880287b5e08 R08: ffffffff9432398f R09: 1ffffffff2864731
R10: dffffc0000000000 R11: fffffbfff2864732 R12: ffff8880287b5e98
R13: dffffc0000000000 R14: 0000000000000001 R15: ffff8880287b5e18
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efddcf2f208 CR3: 000000007aa02000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:read_pnet include/net/net_namespace.h:392 [inline]
RIP: 0010:sock_net include/net/sock.h:655 [inline]
RIP: 0010:cleanup_bearer+0x1f7/0x280 net/tipc/udp_media.c:820
Code: 18 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 ec 2e 91 f6 48 8b 1b 48 83 c3 30 e8 80 97 63 00 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 ca 2e 91 f6 49 83 c7 e8 48 8b 1b
RSP: 0018:ffffc900000e7b70 EFLAGS: 00010206
RAX: 0000000000000006 RBX: 0000000000000030 RCX: ffff88801cef8000
RDX: dffffc0000000000 RSI: ffffffff8c0ad980 RDI: 0000000000000001
RBP: ffff8880287b5e08 R08: ffffffff9432398f R09: 1ffffffff2864731
R10: dffffc0000000000 R11: fffffbfff2864732 R12: ffff8880287b5e98
R13: dffffc0000000000 R14: 0000000000000001 R15: ffff8880287b5e18
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055bf163e0cc0 CR3: 000000007e7d8000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 18 48 89 sbb %cl,-0x77(%rax)
3: d8 48 c1 fmuls -0x3f(%rax)
6: e8 03 42 80 3c call 0x3c80420e
b: 28 00 sub %al,(%rax)
d: 74 08 je 0x17
f: 48 89 df mov %rbx,%rdi
12: e8 ec 2e 91 f6 call 0xf6912f03
17: 48 8b 1b mov (%rbx),%rbx
1a: 48 83 c3 30 add $0x30,%rbx
1e: e8 80 97 63 00 call 0x6397a3
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 ca 2e 91 f6 call 0xf6912f03
39: 49 83 c7 e8 add $0xffffffffffffffe8,%r15
3d: 48 8b 1b mov (%rbx),%rbx
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
2024-12-04 17:03 [syzbot] [tipc?] general protection fault in cleanup_bearer syzbot
2024-12-05 16:51 ` syzbot [this message]