[syzbot] [smc?] general protection fault in __smc_diag_dump (4)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+f775be4458668f7d220e@syzkaller.appspotmail.com>
To: alibuda@linux.alibaba.com, davem@davemloft.net,
	dust.li@linux.alibaba.com,  edumazet@google.com,
	guwen@linux.alibaba.com, horms@kernel.org,  kuba@kernel.org,
	linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org,
	 linux-s390@vger.kernel.org, mjambigi@linux.ibm.com,
	netdev@vger.kernel.org,  pabeni@redhat.com,
	sidraya@linux.ibm.com, syzkaller-bugs@googlegroups.com,
	 tonylu@linux.alibaba.com, wenjia@linux.ibm.com
Subject: [syzbot] [smc?] general protection fault in __smc_diag_dump (4)
Date: Wed, 17 Sep 2025 10:58:31 -0700	[thread overview]
Message-ID: <68caf6c7.050a0220.2ff435.0597.GAE@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    5aca7966d2a7 Merge tag 'perf-tools-fixes-for-v6.17-2025-09..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=147e2e42580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8f01d8629880e620
dashboard link: https://syzkaller.appspot.com/bug?extid=f775be4458668f7d220e
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17aec534580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=115a9f62580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f191b2524020/disk-5aca7966.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5aa02ba0cba2/vmlinux-5aca7966.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b9b04ddba61b/bzImage-5aca7966.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f775be4458668f7d220e@syzkaller.appspotmail.com

Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f]
CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89
Code: 4c 8b b3 40 06 00 00 4d 85 f6 0f 84 f6 02 00 00 e8 6b 4f 78 f6 49 8d 7e 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 f6 1e 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
RSP: 0018:ffffc90003f2f1a8 EFLAGS: 00010a06
RAX: dffffc0000000000 RBX: ffff88802a33bd40 RCX: ffffffff897ee8a4
RDX: 1bd5a9d5a0000003 RSI: ffffffff8b434dd5 RDI: dead4ead00000018
RBP: ffff888032418000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000001 R11: 0000000000000000 R12: ffff8880754915f0
R13: ffff88805d823780 R14: dead4ead00000000 R15: ffff88802a33c380
FS:  00007fec5f7dd6c0(0000) GS:ffff8881247b2000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fec5f7dcf98 CR3: 000000007d646000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 smc_diag_dump_proto+0x26d/0x420 net/smc/smc_diag.c:217
 smc_diag_dump+0x27/0x90 net/smc/smc_diag.c:234
 netlink_dump+0x539/0xd30 net/netlink/af_netlink.c:2327
 __netlink_dump_start+0x6d6/0x990 net/netlink/af_netlink.c:2442
 netlink_dump_start include/linux/netlink.h:341 [inline]
 smc_diag_handler_dump+0x1f9/0x240 net/smc/smc_diag.c:251
 __sock_diag_cmd net/core/sock_diag.c:249 [inline]
 sock_diag_rcv_msg+0x438/0x790 net/core/sock_diag.c:285
 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg net/socket.c:729 [inline]
 ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614
 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668
 __sys_sendmsg+0x16d/0x220 net/socket.c:2700
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fec6018eba9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fec5f7dd038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fec603d6090 RCX: 00007fec6018eba9
RDX: 0000000000000000 RSI: 0000200000000140 RDI: 0000000000000003
RBP: 00007fec60211e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fec603d6128 R14: 00007fec603d6090 R15: 00007ffcb0713c08
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89
Code: 4c 8b b3 40 06 00 00 4d 85 f6 0f 84 f6 02 00 00 e8 6b 4f 78 f6 49 8d 7e 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 f6 1e 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
RSP: 0018:ffffc90003f2f1a8 EFLAGS: 00010a06
RAX: dffffc0000000000 RBX: ffff88802a33bd40 RCX: ffffffff897ee8a4
RDX: 1bd5a9d5a0000003 RSI: ffffffff8b434dd5 RDI: dead4ead00000018
RBP: ffff888032418000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000001 R11: 0000000000000000 R12: ffff8880754915f0
R13: ffff88805d823780 R14: dead4ead00000000 R15: ffff88802a33c380
FS:  00007fec5f7dd6c0(0000) GS:ffff8881247b2000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fec5f7dcf98 CR3: 000000007d646000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	4c 8b b3 40 06 00 00 	mov    0x640(%rbx),%r14
   7:	4d 85 f6             	test   %r14,%r14
   a:	0f 84 f6 02 00 00    	je     0x306
  10:	e8 6b 4f 78 f6       	call   0xf6784f80
  15:	49 8d 7e 18          	lea    0x18(%r14),%rdi
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 f6 1e 00 00    	jne    0x1f2a
  34:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  3b:	fc ff df
  3e:	4d                   	rex.WRB
  3f:	8b                   	.byte 0x8b


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

next             reply	other threads:[~2025-09-17 17:58 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-09-17 17:58 syzbot [this message]
2025-09-19 12:15 ` [syzbot] [smc?] general protection fault in __smc_diag_dump (4) syzbot
2025-09-20  3:14 ` Wang Liang
2025-09-20  4:37   ` syzbot
  -- strict thread matches above, loose matches on Subject: below --
2025-09-20  6:48 Wang Liang
2025-09-20  6:52 ` syzbot
2025-10-17  6:48 Wang Liang
2025-10-17  7:40 ` Wang Liang
2025-10-17  6:50 Wang Liang
2025-10-17  7:22 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=68caf6c7.050a0220.2ff435.0597.GAE@google.com \
    --to=syzbot+f775be4458668f7d220e@syzkaller.appspotmail.com \
    --cc=alibuda@linux.alibaba.com \
    --cc=davem@davemloft.net \
    --cc=dust.li@linux.alibaba.com \
    --cc=edumazet@google.com \
    --cc=guwen@linux.alibaba.com \
    --cc=horms@kernel.org \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-rdma@vger.kernel.org \
    --cc=linux-s390@vger.kernel.org \
    --cc=mjambigi@linux.ibm.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=sidraya@linux.ibm.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=tonylu@linux.alibaba.com \
    --cc=wenjia@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.