* next-20250905: x86_64: udpgso_bench.sh triggers NULL deref in zerocopy_fill_skb_from_iter
@ 2025-09-05 9:30 Naresh Kamboju
2025-09-05 12:55 ` Eric Dumazet
0 siblings, 1 reply; 5+ messages in thread
From: Naresh Kamboju @ 2025-09-05 9:30 UTC (permalink / raw)
To: Netdev, open list:KERNEL SELFTEST FRAMEWORK, open list,
lkft-triage, Linux Regressions
Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Eric Biggers, Dan Carpenter, Arnd Bergmann, Ben Copeland,
Anders Roxell, Shuah Khan, Willem de Bruijn, Pengtao He
The following kernel crash was noticed on x86_64 running selftests net
udpgso_bench.sh
on Linux next-20250905 tag.
Regression Analysis:
- New regression? yes
- Reproducibility? Re-validation is in progress
First seen on next-20250905
Bad: next-20250905
Good: next-20250904
Test regression: next-20250905 x86_64 selftests net BUG kernel NULL
pointer dereference zerocopy_fill_skb_from_iter
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
x86_64:
Test:
* selftests: net: udpgso_bench.sh
Test error:
selftests: net: udpgso_bench.sh
ipv4
tcp
<trim>
# tcp zerocopy
[ 991.110488] SELinux: unrecognized netlink message: protocol=4
nlmsg_type=19 sclass=netlink_tcpdiag_socket pid=64835 comm=ss
# RTNETLINK answers: Invalid argument
[ 991.129878] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 991.136850] #PF: supervisor read access in kernel mode
[ 991.141986] #PF: error_code(0x0000) - not-present page
[ 991.147118] PGD 0 P4D 0
[ 991.149657] Oops: Oops: 0000 [#1] SMP PTI
[ 991.153661] CPU: 0 UID: 0 PID: 64842 Comm: udpgso_bench_tx Tainted:
G S 6.17.0-rc4-next-20250905 #1 PREEMPT(voluntary)
[ 991.165907] Tainted: [S]=CPU_OUT_OF_SPEC
[ 991.169825] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS
2.7 12/07/2021
[ 991.177209] RIP: 0010:zerocopy_fill_skb_from_iter
(include/linux/page-flags.h:284)
[ 991.182954] Code: 4d 85 c0 0f 84 04 01 00 00 44 39 c7 41 0f 4d f8 4c
63 de 4a 8b 54 dc 30 49 89 d6 4d 29 ce 49 c1 fe 06 49 d3 ee 4d 85 f6
74 24 <48> 8b 4a 08 f6 c1 01 0f 85 cb 00 00 00 0f 1f 44 00 00 31 c9 48
f7
All code
========
0: 4d 85 c0 test %r8,%r8
3: 0f 84 04 01 00 00 je 0x10d
9: 44 39 c7 cmp %r8d,%edi
c: 41 0f 4d f8 cmovge %r8d,%edi
10: 4c 63 de movslq %esi,%r11
13: 4a 8b 54 dc 30 mov 0x30(%rsp,%r11,8),%rdx
18: 49 89 d6 mov %rdx,%r14
1b: 4d 29 ce sub %r9,%r14
1e: 49 c1 fe 06 sar $0x6,%r14
22: 49 d3 ee shr %cl,%r14
25: 4d 85 f6 test %r14,%r14
28: 74 24 je 0x4e
2a:* 48 8b 4a 08 mov 0x8(%rdx),%rcx <-- trapping instruction
2e: f6 c1 01 test $0x1,%cl
31: 0f 85 cb 00 00 00 jne 0x102
37: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
3c: 31 c9 xor %ecx,%ecx
3e: 48 rex.W
3f: f7 .byte 0xf7
Code starting with the faulting instruction
===========================================
0: 48 8b 4a 08 mov 0x8(%rdx),%rcx
4: f6 c1 01 test $0x1,%cl
7: 0f 85 cb 00 00 00 jne 0xd8
d: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
12: 31 c9 xor %ecx,%ecx
14: 48 rex.W
15: f7 .byte 0xf7
[ 991.201691] RSP: 0018:ffffb11281d0ba90 EFLAGS: 00010202
[ 991.206910] RAX: ffffe14ec4208000 RBX: 0000000000005000 RCX: 0000000000000009
[ 991.214033] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000001000
[ 991.221156] RBP: ffffb11281d0bb88 R08: 00000000000020ff R09: ffffe14ec4208000
[ 991.228280] R10: 0000000000000005 R11: 0000000000000006 R12: ffff96b4825f4200
[ 991.235406] R13: 0000000000000001 R14: 000000003d6277bf R15: 0000000000000000
[ 991.242529] FS: 00007f41e80b9740(0000) GS:ffff96b83bc1b000(0000)
knlGS:0000000000000000
[ 991.250608] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 991.256378] CR2: 0000000000000008 CR3: 0000000106c42003 CR4: 00000000003706f0
[ 991.263513] Call Trace:
[ 991.265956] <TASK>
[ 991.268055] __zerocopy_sg_from_iter (net/core/datagram.c:?)
[ 991.272674] ? kmalloc_reserve (net/core/skbuff.c:581)
[ 991.276599] skb_zerocopy_iter_stream (net/core/skbuff.c:1867)
[ 991.281219] tcp_sendmsg_locked (net/ipv4/tcp.c:1283)
[ 991.285493] tcp_sendmsg (net/ipv4/tcp.c:1393)
[ 991.288896] inet6_sendmsg (net/ipv6/af_inet6.c:661)
[ 991.292466] __sock_sendmsg (net/socket.c:717)
[ 991.296126] __sys_sendto (net/socket.c:?)
[ 991.299785] __x64_sys_sendto (net/socket.c:2235 net/socket.c:2231
net/socket.c:2231)
[ 991.303622] x64_sys_call (arch/x86/entry/syscall_64.c:41)
[ 991.307462] do_syscall_64 (arch/x86/entry/syscall_64.c:?)
[ 991.311128] ? irqentry_exit (kernel/entry/common.c:210)
[ 991.314881] ? exc_page_fault (arch/x86/mm/fault.c:1536)
[ 991.318720] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 991.323762] RIP: 0033:0x7f41e814b687
[ 991.327352] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00
59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10
0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff
ff
All code
========
0: 48 89 fa mov %rdi,%rdx
3: 4c 89 df mov %r11,%rdi
6: e8 58 b3 00 00 call 0xb363
b: 8b 93 08 03 00 00 mov 0x308(%rbx),%edx
11: 59 pop %rcx
12: 5e pop %rsi
13: 48 83 f8 fc cmp $0xfffffffffffffffc,%rax
17: 74 1a je 0x33
19: 5b pop %rbx
1a: c3 ret
1b: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
22: 00
23: 48 8b 44 24 10 mov 0x10(%rsp),%rax
28: 0f 05 syscall
2a:* 5b pop %rbx <-- trapping instruction
2b: c3 ret
2c: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
33: 83 e2 39 and $0x39,%edx
36: 83 fa 08 cmp $0x8,%edx
39: 75 de jne 0x19
3b: e8 23 ff ff ff call 0xffffffffffffff63
Code starting with the faulting instruction
===========================================
0: 5b pop %rbx
1: c3 ret
2: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
9: 83 e2 39 and $0x39,%edx
c: 83 fa 08 cmp $0x8,%edx
f: 75 de jne 0xffffffffffffffef
11: e8 23 ff ff ff call 0xffffffffffffff39
[ 991.346124] RSP: 002b:00007ffdd843ba50 EFLAGS: 00000202 ORIG_RAX:
000000000000002c
[ 991.353680] RAX: ffffffffffffffda RBX: 00007f41e80b9740 RCX: 00007f41e814b687
[ 991.360806] RDX: 000000000000f180 RSI: 000056251f1fd100 RDI: 0000000000000005
[ 991.367931] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 991.375063] R10: 0000000004000000 R11: 0000000000000202 R12: 0000000000000000
[ 991.382193] R13: 000056251f1fb080 R14: 000001a670e438d8 R15: 0000000000000005
[ 991.389357] </TASK>
[ 991.391571] Modules linked in: mptcp_diag tcp_diag inet_diag
xt_conntrack xfrm_user ipip bridge stp llc geneve vxlan act_csum
act_pedit openvswitch nsh nf_nat nf_conntrack nf_defrag_ipv6
nf_defrag_ipv4 psample cls_flower sch_prio xt_mark nft_compat
nf_tables sch_ingress act_mirred cls_basic sch_fq_codel vrf pktgen
macvtap macvlan tap x86_pkg_temp_thermal ip_tables x_tables [last
unloaded: test_bpf]
[ 991.426812] CR2: 0000000000000008
[ 991.430121] ---[ end trace 0000000000000000 ]---
[ 991.434733] RIP: 0010:zerocopy_fill_skb_from_iter
(include/linux/page-flags.h:284)
[ 991.440477] Code: 4d 85 c0 0f 84 04 01 00 00 44 39 c7 41 0f 4d f8 4c
63 de 4a 8b 54 dc 30 49 89 d6 4d 29 ce 49 c1 fe 06 49 d3 ee 4d 85 f6
74 24 <48> 8b 4a 08 f6 c1 01 0f 85 cb 00 00 00 0f 1f 44 00 00 31 c9 48
f7
All code
========
0: 4d 85 c0 test %r8,%r8
3: 0f 84 04 01 00 00 je 0x10d
9: 44 39 c7 cmp %r8d,%edi
c: 41 0f 4d f8 cmovge %r8d,%edi
10: 4c 63 de movslq %esi,%r11
13: 4a 8b 54 dc 30 mov 0x30(%rsp,%r11,8),%rdx
18: 49 89 d6 mov %rdx,%r14
1b: 4d 29 ce sub %r9,%r14
1e: 49 c1 fe 06 sar $0x6,%r14
22: 49 d3 ee shr %cl,%r14
25: 4d 85 f6 test %r14,%r14
28: 74 24 je 0x4e
2a:* 48 8b 4a 08 mov 0x8(%rdx),%rcx <-- trapping instruction
2e: f6 c1 01 test $0x1,%cl
31: 0f 85 cb 00 00 00 jne 0x102
37: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
3c: 31 c9 xor %ecx,%ecx
3e: 48 rex.W
3f: f7 .byte 0xf7
Code starting with the faulting instruction
===========================================
0: 48 8b 4a 08 mov 0x8(%rdx),%rcx
4: f6 c1 01 test $0x1,%cl
7: 0f 85 cb 00 00 00 jne 0xd8
d: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
12: 31 c9 xor %ecx,%ecx
14: 48 rex.W
15: f7 .byte 0xf7
[ 991.459215] RSP: 0018:ffffb11281d0ba90 EFLAGS: 00010202
[ 991.464434] RAX: ffffe14ec4208000 RBX: 0000000000005000 RCX: 0000000000000009
[ 991.471557] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000001000
[ 991.478681] RBP: ffffb11281d0bb88 R08: 00000000000020ff R09: ffffe14ec4208000
[ 991.485807] R10: 0000000000000005 R11: 0000000000000006 R12: ffff96b4825f4200
[ 991.492930] R13: 0000000000000001 R14: 000000003d6277bf R15: 0000000000000000
[ 991.500054] FS: 00007f41e80b9740(0000) GS:ffff96b83bc1b000(0000)
knlGS:0000000000000000
[ 991.508132] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 991.513870] CR2: 0000000000000008 CR3: 0000000106c42003 CR4: 00000000003706f0
[ 991.520994] note: udpgso_bench_tx[64842] exited with irqs disabled
## Source
* Kernel version: 6.17.0-rc4
* Git tree: https://kernel.googlesource.com/pub/scm/linux/kernel/git/next/linux-next.git
* Git describe: next-20250905
* Git commit: be5d4872e528796df9d7425f2bd9b3893eb3a42c
* Architectures: x86_64
* Toolchains: clang-nightly
* Kconfigs: defconfig+selftests/*/config
## Build
* Test log: https://qa-reports.linaro.org/api/testruns/29777495/log_file/
* LAVA test log: https://lkft.validation.linaro.org/scheduler/job/8434053#L16943
* Test details:
https://regressions.linaro.org/lkft/linux-next-master/next-20250905/log-parser-test/oops-oops-oops-smp-pti/
* Test plan: https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/32GkXBGNRNDEj5d64zd73eXhXQC
* Build link: https://storage.tuxsuite.com/public/linaro/lkft/builds/32GkU7mdlpISpPeeeEwIfAJuzqG/
* Kernel config:
https://storage.tuxsuite.com/public/linaro/lkft/builds/32GkU7mdlpISpPeeeEwIfAJuzqG/config
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: next-20250905: x86_64: udpgso_bench.sh triggers NULL deref in zerocopy_fill_skb_from_iter
2025-09-05 9:30 next-20250905: x86_64: udpgso_bench.sh triggers NULL deref in zerocopy_fill_skb_from_iter Naresh Kamboju
@ 2025-09-05 12:55 ` Eric Dumazet
2025-09-05 13:07 ` David Hildenbrand
0 siblings, 1 reply; 5+ messages in thread
From: Eric Dumazet @ 2025-09-05 12:55 UTC (permalink / raw)
To: Naresh Kamboju, David Hildenbrand
Cc: Netdev, open list:KERNEL SELFTEST FRAMEWORK, open list,
lkft-triage, Linux Regressions, David S. Miller, Jakub Kicinski,
Paolo Abeni, Eric Biggers, Dan Carpenter, Arnd Bergmann,
Ben Copeland, Anders Roxell, Shuah Khan, Willem de Bruijn,
Pengtao He
On Fri, Sep 5, 2025 at 2:30 AM Naresh Kamboju <naresh.kamboju@linaro.org> wrote:
>
> The following kernel crash was noticed on x86_64 running selftests net
> udpgso_bench.sh
> on Linux next-20250905 tag.
>
> Regression Analysis:
> - New regression? yes
> - Reproducibility? Re-validation is in progress
>
> First seen on next-20250905
> Bad: next-20250905
> Good: next-20250904
>
> Test regression: next-20250905 x86_64 selftests net BUG kernel NULL
> pointer dereference zerocopy_fill_skb_from_iter
>
> Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
>
> x86_64:
> Test:
> * selftests: net: udpgso_bench.sh
>
> Test error:
> selftests: net: udpgso_bench.sh
> ipv4
> tcp
>
> <trim>
>
> # tcp zerocopy
> [ 991.110488] SELinux: unrecognized netlink message: protocol=4
> nlmsg_type=19 sclass=netlink_tcpdiag_socket pid=64835 comm=ss
> # RTNETLINK answers: Invalid argument
> [ 991.129878] BUG: kernel NULL pointer dereference, address: 0000000000000008
> [ 991.136850] #PF: supervisor read access in kernel mode
> [ 991.141986] #PF: error_code(0x0000) - not-present page
> [ 991.147118] PGD 0 P4D 0
> [ 991.149657] Oops: Oops: 0000 [#1] SMP PTI
> [ 991.153661] CPU: 0 UID: 0 PID: 64842 Comm: udpgso_bench_tx Tainted:
> G S 6.17.0-rc4-next-20250905 #1 PREEMPT(voluntary)
> [ 991.165907] Tainted: [S]=CPU_OUT_OF_SPEC
> [ 991.169825] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS
> 2.7 12/07/2021
> [ 991.177209] RIP: 0010:zerocopy_fill_skb_from_iter
> (include/linux/page-flags.h:284)
> [ 991.182954] Code: 4d 85 c0 0f 84 04 01 00 00 44 39 c7 41 0f 4d f8 4c
> 63 de 4a 8b 54 dc 30 49 89 d6 4d 29 ce 49 c1 fe 06 49 d3 ee 4d 85 f6
> 74 24 <48> 8b 4a 08 f6 c1 01 0f 85 cb 00 00 00 0f 1f 44 00 00 31 c9 48
> f7
> All code
> ========
> 0: 4d 85 c0 test %r8,%r8
> 3: 0f 84 04 01 00 00 je 0x10d
> 9: 44 39 c7 cmp %r8d,%edi
> c: 41 0f 4d f8 cmovge %r8d,%edi
> 10: 4c 63 de movslq %esi,%r11
> 13: 4a 8b 54 dc 30 mov 0x30(%rsp,%r11,8),%rdx
> 18: 49 89 d6 mov %rdx,%r14
> 1b: 4d 29 ce sub %r9,%r14
> 1e: 49 c1 fe 06 sar $0x6,%r14
> 22: 49 d3 ee shr %cl,%r14
> 25: 4d 85 f6 test %r14,%r14
> 28: 74 24 je 0x4e
> 2a:* 48 8b 4a 08 mov 0x8(%rdx),%rcx <-- trapping instruction
> 2e: f6 c1 01 test $0x1,%cl
> 31: 0f 85 cb 00 00 00 jne 0x102
> 37: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
> 3c: 31 c9 xor %ecx,%ecx
> 3e: 48 rex.W
> 3f: f7 .byte 0xf7
>
> Code starting with the faulting instruction
> ===========================================
> 0: 48 8b 4a 08 mov 0x8(%rdx),%rcx
> 4: f6 c1 01 test $0x1,%cl
> 7: 0f 85 cb 00 00 00 jne 0xd8
> d: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
> 12: 31 c9 xor %ecx,%ecx
> 14: 48 rex.W
> 15: f7 .byte 0xf7
> [ 991.201691] RSP: 0018:ffffb11281d0ba90 EFLAGS: 00010202
> [ 991.206910] RAX: ffffe14ec4208000 RBX: 0000000000005000 RCX: 0000000000000009
> [ 991.214033] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000001000
> [ 991.221156] RBP: ffffb11281d0bb88 R08: 00000000000020ff R09: ffffe14ec4208000
> [ 991.228280] R10: 0000000000000005 R11: 0000000000000006 R12: ffff96b4825f4200
> [ 991.235406] R13: 0000000000000001 R14: 000000003d6277bf R15: 0000000000000000
> [ 991.242529] FS: 00007f41e80b9740(0000) GS:ffff96b83bc1b000(0000)
> knlGS:0000000000000000
> [ 991.250608] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 991.256378] CR2: 0000000000000008 CR3: 0000000106c42003 CR4: 00000000003706f0
> [ 991.263513] Call Trace:
> [ 991.265956] <TASK>
> [ 991.268055] __zerocopy_sg_from_iter (net/core/datagram.c:?)
> [ 991.272674] ? kmalloc_reserve (net/core/skbuff.c:581)
> [ 991.276599] skb_zerocopy_iter_stream (net/core/skbuff.c:1867)
> [ 991.281219] tcp_sendmsg_locked (net/ipv4/tcp.c:1283)
> [ 991.285493] tcp_sendmsg (net/ipv4/tcp.c:1393)
> [ 991.288896] inet6_sendmsg (net/ipv6/af_inet6.c:661)
> [ 991.292466] __sock_sendmsg (net/socket.c:717)
> [ 991.296126] __sys_sendto (net/socket.c:?)
> [ 991.299785] __x64_sys_sendto (net/socket.c:2235 net/socket.c:2231
> net/socket.c:2231)
> [ 991.303622] x64_sys_call (arch/x86/entry/syscall_64.c:41)
> [ 991.307462] do_syscall_64 (arch/x86/entry/syscall_64.c:?)
> [ 991.311128] ? irqentry_exit (kernel/entry/common.c:210)
> [ 991.314881] ? exc_page_fault (arch/x86/mm/fault.c:1536)
> [ 991.318720] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [ 991.323762] RIP: 0033:0x7f41e814b687
> [ 991.327352] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00
> 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10
> 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff
> ff
> All code
> ========
> 0: 48 89 fa mov %rdi,%rdx
> 3: 4c 89 df mov %r11,%rdi
> 6: e8 58 b3 00 00 call 0xb363
> b: 8b 93 08 03 00 00 mov 0x308(%rbx),%edx
> 11: 59 pop %rcx
> 12: 5e pop %rsi
> 13: 48 83 f8 fc cmp $0xfffffffffffffffc,%rax
> 17: 74 1a je 0x33
> 19: 5b pop %rbx
> 1a: c3 ret
> 1b: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
> 22: 00
> 23: 48 8b 44 24 10 mov 0x10(%rsp),%rax
> 28: 0f 05 syscall
> 2a:* 5b pop %rbx <-- trapping instruction
> 2b: c3 ret
> 2c: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
> 33: 83 e2 39 and $0x39,%edx
> 36: 83 fa 08 cmp $0x8,%edx
> 39: 75 de jne 0x19
> 3b: e8 23 ff ff ff call 0xffffffffffffff63
>
> Code starting with the faulting instruction
> ===========================================
> 0: 5b pop %rbx
> 1: c3 ret
> 2: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
> 9: 83 e2 39 and $0x39,%edx
> c: 83 fa 08 cmp $0x8,%edx
> f: 75 de jne 0xffffffffffffffef
> 11: e8 23 ff ff ff call 0xffffffffffffff39
> [ 991.346124] RSP: 002b:00007ffdd843ba50 EFLAGS: 00000202 ORIG_RAX:
> 000000000000002c
> [ 991.353680] RAX: ffffffffffffffda RBX: 00007f41e80b9740 RCX: 00007f41e814b687
> [ 991.360806] RDX: 000000000000f180 RSI: 000056251f1fd100 RDI: 0000000000000005
> [ 991.367931] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> [ 991.375063] R10: 0000000004000000 R11: 0000000000000202 R12: 0000000000000000
> [ 991.382193] R13: 000056251f1fb080 R14: 000001a670e438d8 R15: 0000000000000005
> [ 991.389357] </TASK>
> [ 991.391571] Modules linked in: mptcp_diag tcp_diag inet_diag
> xt_conntrack xfrm_user ipip bridge stp llc geneve vxlan act_csum
> act_pedit openvswitch nsh nf_nat nf_conntrack nf_defrag_ipv6
> nf_defrag_ipv4 psample cls_flower sch_prio xt_mark nft_compat
> nf_tables sch_ingress act_mirred cls_basic sch_fq_codel vrf pktgen
> macvtap macvlan tap x86_pkg_temp_thermal ip_tables x_tables [last
> unloaded: test_bpf]
> [ 991.426812] CR2: 0000000000000008
> [ 991.430121] ---[ end trace 0000000000000000 ]---
> [ 991.434733] RIP: 0010:zerocopy_fill_skb_from_iter
> (include/linux/page-flags.h:284)
> [ 991.440477] Code: 4d 85 c0 0f 84 04 01 00 00 44 39 c7 41 0f 4d f8 4c
> 63 de 4a 8b 54 dc 30 49 89 d6 4d 29 ce 49 c1 fe 06 49 d3 ee 4d 85 f6
> 74 24 <48> 8b 4a 08 f6 c1 01 0f 85 cb 00 00 00 0f 1f 44 00 00 31 c9 48
> f7
> All code
> ========
> 0: 4d 85 c0 test %r8,%r8
> 3: 0f 84 04 01 00 00 je 0x10d
> 9: 44 39 c7 cmp %r8d,%edi
> c: 41 0f 4d f8 cmovge %r8d,%edi
> 10: 4c 63 de movslq %esi,%r11
> 13: 4a 8b 54 dc 30 mov 0x30(%rsp,%r11,8),%rdx
> 18: 49 89 d6 mov %rdx,%r14
> 1b: 4d 29 ce sub %r9,%r14
> 1e: 49 c1 fe 06 sar $0x6,%r14
> 22: 49 d3 ee shr %cl,%r14
> 25: 4d 85 f6 test %r14,%r14
> 28: 74 24 je 0x4e
> 2a:* 48 8b 4a 08 mov 0x8(%rdx),%rcx <-- trapping instruction
> 2e: f6 c1 01 test $0x1,%cl
> 31: 0f 85 cb 00 00 00 jne 0x102
> 37: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
> 3c: 31 c9 xor %ecx,%ecx
> 3e: 48 rex.W
> 3f: f7 .byte 0xf7
>
> Code starting with the faulting instruction
> ===========================================
> 0: 48 8b 4a 08 mov 0x8(%rdx),%rcx
> 4: f6 c1 01 test $0x1,%cl
> 7: 0f 85 cb 00 00 00 jne 0xd8
> d: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
> 12: 31 c9 xor %ecx,%ecx
> 14: 48 rex.W
> 15: f7 .byte 0xf7
> [ 991.459215] RSP: 0018:ffffb11281d0ba90 EFLAGS: 00010202
> [ 991.464434] RAX: ffffe14ec4208000 RBX: 0000000000005000 RCX: 0000000000000009
> [ 991.471557] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000001000
> [ 991.478681] RBP: ffffb11281d0bb88 R08: 00000000000020ff R09: ffffe14ec4208000
> [ 991.485807] R10: 0000000000000005 R11: 0000000000000006 R12: ffff96b4825f4200
> [ 991.492930] R13: 0000000000000001 R14: 000000003d6277bf R15: 0000000000000000
> [ 991.500054] FS: 00007f41e80b9740(0000) GS:ffff96b83bc1b000(0000)
> knlGS:0000000000000000
> [ 991.508132] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 991.513870] CR2: 0000000000000008 CR3: 0000000106c42003 CR4: 00000000003706f0
> [ 991.520994] note: udpgso_bench_tx[64842] exited with irqs disabled
>
>
> ## Source
> * Kernel version: 6.17.0-rc4
> * Git tree: https://kernel.googlesource.com/pub/scm/linux/kernel/git/next/linux-next.git
> * Git describe: next-20250905
> * Git commit: be5d4872e528796df9d7425f2bd9b3893eb3a42c
> * Architectures: x86_64
> * Toolchains: clang-nightly
> * Kconfigs: defconfig+selftests/*/config
>
> ## Build
> * Test log: https://qa-reports.linaro.org/api/testruns/29777495/log_file/
> * LAVA test log: https://lkft.validation.linaro.org/scheduler/job/8434053#L16943
> * Test details:
> https://regressions.linaro.org/lkft/linux-next-master/next-20250905/log-parser-test/oops-oops-oops-smp-pti/
> * Test plan: https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/32GkXBGNRNDEj5d64zd73eXhXQC
> * Build link: https://storage.tuxsuite.com/public/linaro/lkft/builds/32GkU7mdlpISpPeeeEwIfAJuzqG/
> * Kernel config:
> https://storage.tuxsuite.com/public/linaro/lkft/builds/32GkU7mdlpISpPeeeEwIfAJuzqG/config
>
> --
> Linaro LKFT
> https://lkft.linaro.org
I suspect a bug added in mm/gup.c recently
commit db076b5db550aa34169dceee81d0974c7b2a2482
Author: David Hildenbrand <david@redhat.com>
Date: Mon Sep 1 17:03:40 2025 +0200
mm/gup: remove record_subpages()
We can just cleanup the code by calculating the #refs earlier, so we can
just inline what remains of record_subpages().
Calculate the number of references/pages ahead of times, and record them
only once all our tests passed.
Link: https://lkml.kernel.org/r/20250901150359.867252-20-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: next-20250905: x86_64: udpgso_bench.sh triggers NULL deref in zerocopy_fill_skb_from_iter
2025-09-05 12:55 ` Eric Dumazet
@ 2025-09-05 13:07 ` David Hildenbrand
2025-09-05 13:28 ` David Hildenbrand
0 siblings, 1 reply; 5+ messages in thread
From: David Hildenbrand @ 2025-09-05 13:07 UTC (permalink / raw)
To: Eric Dumazet, Naresh Kamboju
Cc: Netdev, open list:KERNEL SELFTEST FRAMEWORK, open list,
lkft-triage, Linux Regressions, David S. Miller, Jakub Kicinski,
Paolo Abeni, Eric Biggers, Dan Carpenter, Arnd Bergmann,
Ben Copeland, Anders Roxell, Shuah Khan, Willem de Bruijn,
Pengtao He
On 05.09.25 14:55, Eric Dumazet wrote:
> On Fri, Sep 5, 2025 at 2:30 AM Naresh Kamboju <naresh.kamboju@linaro.org> wrote:
>>
>> The following kernel crash was noticed on x86_64 running selftests net
>> udpgso_bench.sh
>> on Linux next-20250905 tag.
>>
>> Regression Analysis:
>> - New regression? yes
>> - Reproducibility? Re-validation is in progress
>>
>> First seen on next-20250905
>> Bad: next-20250905
>> Good: next-20250904
>>
>> Test regression: next-20250905 x86_64 selftests net BUG kernel NULL
>> pointer dereference zerocopy_fill_skb_from_iter
>>
>> Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
>>
>> x86_64:
>> Test:
>> * selftests: net: udpgso_bench.sh
>>
>> Test error:
>> selftests: net: udpgso_bench.sh
>> ipv4
>> tcp
>>
>> <trim>
>>
>> # tcp zerocopy
>> [ 991.110488] SELinux: unrecognized netlink message: protocol=4
>> nlmsg_type=19 sclass=netlink_tcpdiag_socket pid=64835 comm=ss
>> # RTNETLINK answers: Invalid argument
>> [ 991.129878] BUG: kernel NULL pointer dereference, address: 0000000000000008
>> [ 991.136850] #PF: supervisor read access in kernel mode
>> [ 991.141986] #PF: error_code(0x0000) - not-present page
>> [ 991.147118] PGD 0 P4D 0
>> [ 991.149657] Oops: Oops: 0000 [#1] SMP PTI
>> [ 991.153661] CPU: 0 UID: 0 PID: 64842 Comm: udpgso_bench_tx Tainted:
>> G S 6.17.0-rc4-next-20250905 #1 PREEMPT(voluntary)
>> [ 991.165907] Tainted: [S]=CPU_OUT_OF_SPEC
>> [ 991.169825] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS
>> 2.7 12/07/2021
>> [ 991.177209] RIP: 0010:zerocopy_fill_skb_from_iter
>> (include/linux/page-flags.h:284)
>> [ 991.182954] Code: 4d 85 c0 0f 84 04 01 00 00 44 39 c7 41 0f 4d f8 4c
>> 63 de 4a 8b 54 dc 30 49 89 d6 4d 29 ce 49 c1 fe 06 49 d3 ee 4d 85 f6
>> 74 24 <48> 8b 4a 08 f6 c1 01 0f 85 cb 00 00 00 0f 1f 44 00 00 31 c9 48
>> f7
>> All code
>> ========
>> 0: 4d 85 c0 test %r8,%r8
>> 3: 0f 84 04 01 00 00 je 0x10d
>> 9: 44 39 c7 cmp %r8d,%edi
>> c: 41 0f 4d f8 cmovge %r8d,%edi
>> 10: 4c 63 de movslq %esi,%r11
>> 13: 4a 8b 54 dc 30 mov 0x30(%rsp,%r11,8),%rdx
>> 18: 49 89 d6 mov %rdx,%r14
>> 1b: 4d 29 ce sub %r9,%r14
>> 1e: 49 c1 fe 06 sar $0x6,%r14
>> 22: 49 d3 ee shr %cl,%r14
>> 25: 4d 85 f6 test %r14,%r14
>> 28: 74 24 je 0x4e
>> 2a:* 48 8b 4a 08 mov 0x8(%rdx),%rcx <-- trapping instruction
>> 2e: f6 c1 01 test $0x1,%cl
>> 31: 0f 85 cb 00 00 00 jne 0x102
>> 37: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
>> 3c: 31 c9 xor %ecx,%ecx
>> 3e: 48 rex.W
>> 3f: f7 .byte 0xf7
>>
>> Code starting with the faulting instruction
>> ===========================================
>> 0: 48 8b 4a 08 mov 0x8(%rdx),%rcx
>> 4: f6 c1 01 test $0x1,%cl
>> 7: 0f 85 cb 00 00 00 jne 0xd8
>> d: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
>> 12: 31 c9 xor %ecx,%ecx
>> 14: 48 rex.W
>> 15: f7 .byte 0xf7
>> [ 991.201691] RSP: 0018:ffffb11281d0ba90 EFLAGS: 00010202
>> [ 991.206910] RAX: ffffe14ec4208000 RBX: 0000000000005000 RCX: 0000000000000009
>> [ 991.214033] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000001000
>> [ 991.221156] RBP: ffffb11281d0bb88 R08: 00000000000020ff R09: ffffe14ec4208000
>> [ 991.228280] R10: 0000000000000005 R11: 0000000000000006 R12: ffff96b4825f4200
>> [ 991.235406] R13: 0000000000000001 R14: 000000003d6277bf R15: 0000000000000000
>> [ 991.242529] FS: 00007f41e80b9740(0000) GS:ffff96b83bc1b000(0000)
>> knlGS:0000000000000000
>> [ 991.250608] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [ 991.256378] CR2: 0000000000000008 CR3: 0000000106c42003 CR4: 00000000003706f0
>> [ 991.263513] Call Trace:
>> [ 991.265956] <TASK>
>> [ 991.268055] __zerocopy_sg_from_iter (net/core/datagram.c:?)
>> [ 991.272674] ? kmalloc_reserve (net/core/skbuff.c:581)
>> [ 991.276599] skb_zerocopy_iter_stream (net/core/skbuff.c:1867)
>> [ 991.281219] tcp_sendmsg_locked (net/ipv4/tcp.c:1283)
>> [ 991.285493] tcp_sendmsg (net/ipv4/tcp.c:1393)
>> [ 991.288896] inet6_sendmsg (net/ipv6/af_inet6.c:661)
>> [ 991.292466] __sock_sendmsg (net/socket.c:717)
>> [ 991.296126] __sys_sendto (net/socket.c:?)
>> [ 991.299785] __x64_sys_sendto (net/socket.c:2235 net/socket.c:2231
>> net/socket.c:2231)
>> [ 991.303622] x64_sys_call (arch/x86/entry/syscall_64.c:41)
>> [ 991.307462] do_syscall_64 (arch/x86/entry/syscall_64.c:?)
>> [ 991.311128] ? irqentry_exit (kernel/entry/common.c:210)
>> [ 991.314881] ? exc_page_fault (arch/x86/mm/fault.c:1536)
>> [ 991.318720] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
>> [ 991.323762] RIP: 0033:0x7f41e814b687
>> [ 991.327352] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00
>> 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10
>> 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff
>> ff
>> All code
>> ========
>> 0: 48 89 fa mov %rdi,%rdx
>> 3: 4c 89 df mov %r11,%rdi
>> 6: e8 58 b3 00 00 call 0xb363
>> b: 8b 93 08 03 00 00 mov 0x308(%rbx),%edx
>> 11: 59 pop %rcx
>> 12: 5e pop %rsi
>> 13: 48 83 f8 fc cmp $0xfffffffffffffffc,%rax
>> 17: 74 1a je 0x33
>> 19: 5b pop %rbx
>> 1a: c3 ret
>> 1b: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
>> 22: 00
>> 23: 48 8b 44 24 10 mov 0x10(%rsp),%rax
>> 28: 0f 05 syscall
>> 2a:* 5b pop %rbx <-- trapping instruction
>> 2b: c3 ret
>> 2c: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
>> 33: 83 e2 39 and $0x39,%edx
>> 36: 83 fa 08 cmp $0x8,%edx
>> 39: 75 de jne 0x19
>> 3b: e8 23 ff ff ff call 0xffffffffffffff63
>>
>> Code starting with the faulting instruction
>> ===========================================
>> 0: 5b pop %rbx
>> 1: c3 ret
>> 2: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
>> 9: 83 e2 39 and $0x39,%edx
>> c: 83 fa 08 cmp $0x8,%edx
>> f: 75 de jne 0xffffffffffffffef
>> 11: e8 23 ff ff ff call 0xffffffffffffff39
>> [ 991.346124] RSP: 002b:00007ffdd843ba50 EFLAGS: 00000202 ORIG_RAX:
>> 000000000000002c
>> [ 991.353680] RAX: ffffffffffffffda RBX: 00007f41e80b9740 RCX: 00007f41e814b687
>> [ 991.360806] RDX: 000000000000f180 RSI: 000056251f1fd100 RDI: 0000000000000005
>> [ 991.367931] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
>> [ 991.375063] R10: 0000000004000000 R11: 0000000000000202 R12: 0000000000000000
>> [ 991.382193] R13: 000056251f1fb080 R14: 000001a670e438d8 R15: 0000000000000005
>> [ 991.389357] </TASK>
>> [ 991.391571] Modules linked in: mptcp_diag tcp_diag inet_diag
>> xt_conntrack xfrm_user ipip bridge stp llc geneve vxlan act_csum
>> act_pedit openvswitch nsh nf_nat nf_conntrack nf_defrag_ipv6
>> nf_defrag_ipv4 psample cls_flower sch_prio xt_mark nft_compat
>> nf_tables sch_ingress act_mirred cls_basic sch_fq_codel vrf pktgen
>> macvtap macvlan tap x86_pkg_temp_thermal ip_tables x_tables [last
>> unloaded: test_bpf]
>> [ 991.426812] CR2: 0000000000000008
>> [ 991.430121] ---[ end trace 0000000000000000 ]---
>> [ 991.434733] RIP: 0010:zerocopy_fill_skb_from_iter
>> (include/linux/page-flags.h:284)
>> [ 991.440477] Code: 4d 85 c0 0f 84 04 01 00 00 44 39 c7 41 0f 4d f8 4c
>> 63 de 4a 8b 54 dc 30 49 89 d6 4d 29 ce 49 c1 fe 06 49 d3 ee 4d 85 f6
>> 74 24 <48> 8b 4a 08 f6 c1 01 0f 85 cb 00 00 00 0f 1f 44 00 00 31 c9 48
>> f7
>> All code
>> ========
>> 0: 4d 85 c0 test %r8,%r8
>> 3: 0f 84 04 01 00 00 je 0x10d
>> 9: 44 39 c7 cmp %r8d,%edi
>> c: 41 0f 4d f8 cmovge %r8d,%edi
>> 10: 4c 63 de movslq %esi,%r11
>> 13: 4a 8b 54 dc 30 mov 0x30(%rsp,%r11,8),%rdx
>> 18: 49 89 d6 mov %rdx,%r14
>> 1b: 4d 29 ce sub %r9,%r14
>> 1e: 49 c1 fe 06 sar $0x6,%r14
>> 22: 49 d3 ee shr %cl,%r14
>> 25: 4d 85 f6 test %r14,%r14
>> 28: 74 24 je 0x4e
>> 2a:* 48 8b 4a 08 mov 0x8(%rdx),%rcx <-- trapping instruction
>> 2e: f6 c1 01 test $0x1,%cl
>> 31: 0f 85 cb 00 00 00 jne 0x102
>> 37: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
>> 3c: 31 c9 xor %ecx,%ecx
>> 3e: 48 rex.W
>> 3f: f7 .byte 0xf7
>>
>> Code starting with the faulting instruction
>> ===========================================
>> 0: 48 8b 4a 08 mov 0x8(%rdx),%rcx
>> 4: f6 c1 01 test $0x1,%cl
>> 7: 0f 85 cb 00 00 00 jne 0xd8
>> d: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
>> 12: 31 c9 xor %ecx,%ecx
>> 14: 48 rex.W
>> 15: f7 .byte 0xf7
>> [ 991.459215] RSP: 0018:ffffb11281d0ba90 EFLAGS: 00010202
>> [ 991.464434] RAX: ffffe14ec4208000 RBX: 0000000000005000 RCX: 0000000000000009
>> [ 991.471557] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000001000
>> [ 991.478681] RBP: ffffb11281d0bb88 R08: 00000000000020ff R09: ffffe14ec4208000
>> [ 991.485807] R10: 0000000000000005 R11: 0000000000000006 R12: ffff96b4825f4200
>> [ 991.492930] R13: 0000000000000001 R14: 000000003d6277bf R15: 0000000000000000
>> [ 991.500054] FS: 00007f41e80b9740(0000) GS:ffff96b83bc1b000(0000)
>> knlGS:0000000000000000
>> [ 991.508132] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [ 991.513870] CR2: 0000000000000008 CR3: 0000000106c42003 CR4: 00000000003706f0
>> [ 991.520994] note: udpgso_bench_tx[64842] exited with irqs disabled
>>
>>
>> ## Source
>> * Kernel version: 6.17.0-rc4
>> * Git tree: https://kernel.googlesource.com/pub/scm/linux/kernel/git/next/linux-next.git
>> * Git describe: next-20250905
>> * Git commit: be5d4872e528796df9d7425f2bd9b3893eb3a42c
>> * Architectures: x86_64
>> * Toolchains: clang-nightly
>> * Kconfigs: defconfig+selftests/*/config
>>
>> ## Build
>> * Test log: https://qa-reports.linaro.org/api/testruns/29777495/log_file/
>> * LAVA test log: https://lkft.validation.linaro.org/scheduler/job/8434053#L16943
>> * Test details:
>> https://regressions.linaro.org/lkft/linux-next-master/next-20250905/log-parser-test/oops-oops-oops-smp-pti/
>> * Test plan: https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/32GkXBGNRNDEj5d64zd73eXhXQC
>> * Build link: https://storage.tuxsuite.com/public/linaro/lkft/builds/32GkU7mdlpISpPeeeEwIfAJuzqG/
>> * Kernel config:
>> https://storage.tuxsuite.com/public/linaro/lkft/builds/32GkU7mdlpISpPeeeEwIfAJuzqG/config
>>
>> --
>> Linaro LKFT
>> https://lkft.linaro.org
>
> I suspect a bug added in mm/gup.c recently
>
> commit db076b5db550aa34169dceee81d0974c7b2a2482
> Author: David Hildenbrand <david@redhat.com>
> Date: Mon Sep 1 17:03:40 2025 +0200
>
> mm/gup: remove record_subpages()
>
> We can just cleanup the code by calculating the #refs earlier, so we can
> just inline what remains of record_subpages().
>
> Calculate the number of references/pages ahead of times, and record them
> only once all our tests passed.
>
> Link: https://lkml.kernel.org/r/20250901150359.867252-20-david@redhat.com
> Signed-off-by: David Hildenbrand <david@redhat.com>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
>
Yes, fix already on its way:
https://lkml.kernel.org/r/5090355d-546a-4d06-99e1-064354d156b5@redhat.com
--
Cheers
David / dhildenb
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: next-20250905: x86_64: udpgso_bench.sh triggers NULL deref in zerocopy_fill_skb_from_iter
2025-09-05 13:07 ` David Hildenbrand
@ 2025-09-05 13:28 ` David Hildenbrand
2025-09-05 13:33 ` David Hildenbrand
0 siblings, 1 reply; 5+ messages in thread
From: David Hildenbrand @ 2025-09-05 13:28 UTC (permalink / raw)
To: Eric Dumazet, Naresh Kamboju
Cc: Netdev, open list:KERNEL SELFTEST FRAMEWORK, open list,
lkft-triage, Linux Regressions, David S. Miller, Jakub Kicinski,
Paolo Abeni, Eric Biggers, Dan Carpenter, Arnd Bergmann,
Ben Copeland, Anders Roxell, Shuah Khan, Willem de Bruijn,
Pengtao He
On 05.09.25 15:07, David Hildenbrand wrote:
> On 05.09.25 14:55, Eric Dumazet wrote:
>> On Fri, Sep 5, 2025 at 2:30 AM Naresh Kamboju <naresh.kamboju@linaro.org> wrote:
>>>
>>> The following kernel crash was noticed on x86_64 running selftests net
>>> udpgso_bench.sh
>>> on Linux next-20250905 tag.
>>>
>>> Regression Analysis:
>>> - New regression? yes
>>> - Reproducibility? Re-validation is in progress
>>>
>>> First seen on next-20250905
>>> Bad: next-20250905
>>> Good: next-20250904
>>>
>>> Test regression: next-20250905 x86_64 selftests net BUG kernel NULL
>>> pointer dereference zerocopy_fill_skb_from_iter
>>>
>>> Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
>>>
>>> x86_64:
>>> Test:
>>> * selftests: net: udpgso_bench.sh
>>>
>>> Test error:
>>> selftests: net: udpgso_bench.sh
>>> ipv4
>>> tcp
>>>
>>> <trim>
>>>
>>> # tcp zerocopy
>>> [ 991.110488] SELinux: unrecognized netlink message: protocol=4
>>> nlmsg_type=19 sclass=netlink_tcpdiag_socket pid=64835 comm=ss
>>> # RTNETLINK answers: Invalid argument
>>> [ 991.129878] BUG: kernel NULL pointer dereference, address: 0000000000000008
>>> [ 991.136850] #PF: supervisor read access in kernel mode
>>> [ 991.141986] #PF: error_code(0x0000) - not-present page
>>> [ 991.147118] PGD 0 P4D 0
>>> [ 991.149657] Oops: Oops: 0000 [#1] SMP PTI
>>> [ 991.153661] CPU: 0 UID: 0 PID: 64842 Comm: udpgso_bench_tx Tainted:
>>> G S 6.17.0-rc4-next-20250905 #1 PREEMPT(voluntary)
>>> [ 991.165907] Tainted: [S]=CPU_OUT_OF_SPEC
>>> [ 991.169825] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS
>>> 2.7 12/07/2021
>>> [ 991.177209] RIP: 0010:zerocopy_fill_skb_from_iter
>>> (include/linux/page-flags.h:284)
>>> [ 991.182954] Code: 4d 85 c0 0f 84 04 01 00 00 44 39 c7 41 0f 4d f8 4c
>>> 63 de 4a 8b 54 dc 30 49 89 d6 4d 29 ce 49 c1 fe 06 49 d3 ee 4d 85 f6
>>> 74 24 <48> 8b 4a 08 f6 c1 01 0f 85 cb 00 00 00 0f 1f 44 00 00 31 c9 48
>>> f7
>>> All code
>>> ========
>>> 0: 4d 85 c0 test %r8,%r8
>>> 3: 0f 84 04 01 00 00 je 0x10d
>>> 9: 44 39 c7 cmp %r8d,%edi
>>> c: 41 0f 4d f8 cmovge %r8d,%edi
>>> 10: 4c 63 de movslq %esi,%r11
>>> 13: 4a 8b 54 dc 30 mov 0x30(%rsp,%r11,8),%rdx
>>> 18: 49 89 d6 mov %rdx,%r14
>>> 1b: 4d 29 ce sub %r9,%r14
>>> 1e: 49 c1 fe 06 sar $0x6,%r14
>>> 22: 49 d3 ee shr %cl,%r14
>>> 25: 4d 85 f6 test %r14,%r14
>>> 28: 74 24 je 0x4e
>>> 2a:* 48 8b 4a 08 mov 0x8(%rdx),%rcx <-- trapping instruction
>>> 2e: f6 c1 01 test $0x1,%cl
>>> 31: 0f 85 cb 00 00 00 jne 0x102
>>> 37: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
>>> 3c: 31 c9 xor %ecx,%ecx
>>> 3e: 48 rex.W
>>> 3f: f7 .byte 0xf7
>>>
>>> Code starting with the faulting instruction
>>> ===========================================
>>> 0: 48 8b 4a 08 mov 0x8(%rdx),%rcx
>>> 4: f6 c1 01 test $0x1,%cl
>>> 7: 0f 85 cb 00 00 00 jne 0xd8
>>> d: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
>>> 12: 31 c9 xor %ecx,%ecx
>>> 14: 48 rex.W
>>> 15: f7 .byte 0xf7
>>> [ 991.201691] RSP: 0018:ffffb11281d0ba90 EFLAGS: 00010202
>>> [ 991.206910] RAX: ffffe14ec4208000 RBX: 0000000000005000 RCX: 0000000000000009
>>> [ 991.214033] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000001000
>>> [ 991.221156] RBP: ffffb11281d0bb88 R08: 00000000000020ff R09: ffffe14ec4208000
>>> [ 991.228280] R10: 0000000000000005 R11: 0000000000000006 R12: ffff96b4825f4200
>>> [ 991.235406] R13: 0000000000000001 R14: 000000003d6277bf R15: 0000000000000000
>>> [ 991.242529] FS: 00007f41e80b9740(0000) GS:ffff96b83bc1b000(0000)
>>> knlGS:0000000000000000
>>> [ 991.250608] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> [ 991.256378] CR2: 0000000000000008 CR3: 0000000106c42003 CR4: 00000000003706f0
>>> [ 991.263513] Call Trace:
>>> [ 991.265956] <TASK>
>>> [ 991.268055] __zerocopy_sg_from_iter (net/core/datagram.c:?)
>>> [ 991.272674] ? kmalloc_reserve (net/core/skbuff.c:581)
>>> [ 991.276599] skb_zerocopy_iter_stream (net/core/skbuff.c:1867)
>>> [ 991.281219] tcp_sendmsg_locked (net/ipv4/tcp.c:1283)
>>> [ 991.285493] tcp_sendmsg (net/ipv4/tcp.c:1393)
>>> [ 991.288896] inet6_sendmsg (net/ipv6/af_inet6.c:661)
>>> [ 991.292466] __sock_sendmsg (net/socket.c:717)
>>> [ 991.296126] __sys_sendto (net/socket.c:?)
>>> [ 991.299785] __x64_sys_sendto (net/socket.c:2235 net/socket.c:2231
>>> net/socket.c:2231)
>>> [ 991.303622] x64_sys_call (arch/x86/entry/syscall_64.c:41)
>>> [ 991.307462] do_syscall_64 (arch/x86/entry/syscall_64.c:?)
>>> [ 991.311128] ? irqentry_exit (kernel/entry/common.c:210)
>>> [ 991.314881] ? exc_page_fault (arch/x86/mm/fault.c:1536)
>>> [ 991.318720] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
>>> [ 991.323762] RIP: 0033:0x7f41e814b687
>>> [ 991.327352] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00
>>> 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10
>>> 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff
>>> ff
>>> All code
>>> ========
>>> 0: 48 89 fa mov %rdi,%rdx
>>> 3: 4c 89 df mov %r11,%rdi
>>> 6: e8 58 b3 00 00 call 0xb363
>>> b: 8b 93 08 03 00 00 mov 0x308(%rbx),%edx
>>> 11: 59 pop %rcx
>>> 12: 5e pop %rsi
>>> 13: 48 83 f8 fc cmp $0xfffffffffffffffc,%rax
>>> 17: 74 1a je 0x33
>>> 19: 5b pop %rbx
>>> 1a: c3 ret
>>> 1b: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
>>> 22: 00
>>> 23: 48 8b 44 24 10 mov 0x10(%rsp),%rax
>>> 28: 0f 05 syscall
>>> 2a:* 5b pop %rbx <-- trapping instruction
>>> 2b: c3 ret
>>> 2c: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
>>> 33: 83 e2 39 and $0x39,%edx
>>> 36: 83 fa 08 cmp $0x8,%edx
>>> 39: 75 de jne 0x19
>>> 3b: e8 23 ff ff ff call 0xffffffffffffff63
>>>
>>> Code starting with the faulting instruction
>>> ===========================================
>>> 0: 5b pop %rbx
>>> 1: c3 ret
>>> 2: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
>>> 9: 83 e2 39 and $0x39,%edx
>>> c: 83 fa 08 cmp $0x8,%edx
>>> f: 75 de jne 0xffffffffffffffef
>>> 11: e8 23 ff ff ff call 0xffffffffffffff39
>>> [ 991.346124] RSP: 002b:00007ffdd843ba50 EFLAGS: 00000202 ORIG_RAX:
>>> 000000000000002c
>>> [ 991.353680] RAX: ffffffffffffffda RBX: 00007f41e80b9740 RCX: 00007f41e814b687
>>> [ 991.360806] RDX: 000000000000f180 RSI: 000056251f1fd100 RDI: 0000000000000005
>>> [ 991.367931] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
>>> [ 991.375063] R10: 0000000004000000 R11: 0000000000000202 R12: 0000000000000000
>>> [ 991.382193] R13: 000056251f1fb080 R14: 000001a670e438d8 R15: 0000000000000005
>>> [ 991.389357] </TASK>
>>> [ 991.391571] Modules linked in: mptcp_diag tcp_diag inet_diag
>>> xt_conntrack xfrm_user ipip bridge stp llc geneve vxlan act_csum
>>> act_pedit openvswitch nsh nf_nat nf_conntrack nf_defrag_ipv6
>>> nf_defrag_ipv4 psample cls_flower sch_prio xt_mark nft_compat
>>> nf_tables sch_ingress act_mirred cls_basic sch_fq_codel vrf pktgen
>>> macvtap macvlan tap x86_pkg_temp_thermal ip_tables x_tables [last
>>> unloaded: test_bpf]
>>> [ 991.426812] CR2: 0000000000000008
>>> [ 991.430121] ---[ end trace 0000000000000000 ]---
>>> [ 991.434733] RIP: 0010:zerocopy_fill_skb_from_iter
>>> (include/linux/page-flags.h:284)
>>> [ 991.440477] Code: 4d 85 c0 0f 84 04 01 00 00 44 39 c7 41 0f 4d f8 4c
>>> 63 de 4a 8b 54 dc 30 49 89 d6 4d 29 ce 49 c1 fe 06 49 d3 ee 4d 85 f6
>>> 74 24 <48> 8b 4a 08 f6 c1 01 0f 85 cb 00 00 00 0f 1f 44 00 00 31 c9 48
>>> f7
>>> All code
>>> ========
>>> 0: 4d 85 c0 test %r8,%r8
>>> 3: 0f 84 04 01 00 00 je 0x10d
>>> 9: 44 39 c7 cmp %r8d,%edi
>>> c: 41 0f 4d f8 cmovge %r8d,%edi
>>> 10: 4c 63 de movslq %esi,%r11
>>> 13: 4a 8b 54 dc 30 mov 0x30(%rsp,%r11,8),%rdx
>>> 18: 49 89 d6 mov %rdx,%r14
>>> 1b: 4d 29 ce sub %r9,%r14
>>> 1e: 49 c1 fe 06 sar $0x6,%r14
>>> 22: 49 d3 ee shr %cl,%r14
>>> 25: 4d 85 f6 test %r14,%r14
>>> 28: 74 24 je 0x4e
>>> 2a:* 48 8b 4a 08 mov 0x8(%rdx),%rcx <-- trapping instruction
>>> 2e: f6 c1 01 test $0x1,%cl
>>> 31: 0f 85 cb 00 00 00 jne 0x102
>>> 37: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
>>> 3c: 31 c9 xor %ecx,%ecx
>>> 3e: 48 rex.W
>>> 3f: f7 .byte 0xf7
>>>
>>> Code starting with the faulting instruction
>>> ===========================================
>>> 0: 48 8b 4a 08 mov 0x8(%rdx),%rcx
>>> 4: f6 c1 01 test $0x1,%cl
>>> 7: 0f 85 cb 00 00 00 jne 0xd8
>>> d: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
>>> 12: 31 c9 xor %ecx,%ecx
>>> 14: 48 rex.W
>>> 15: f7 .byte 0xf7
>>> [ 991.459215] RSP: 0018:ffffb11281d0ba90 EFLAGS: 00010202
>>> [ 991.464434] RAX: ffffe14ec4208000 RBX: 0000000000005000 RCX: 0000000000000009
>>> [ 991.471557] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000001000
>>> [ 991.478681] RBP: ffffb11281d0bb88 R08: 00000000000020ff R09: ffffe14ec4208000
>>> [ 991.485807] R10: 0000000000000005 R11: 0000000000000006 R12: ffff96b4825f4200
>>> [ 991.492930] R13: 0000000000000001 R14: 000000003d6277bf R15: 0000000000000000
>>> [ 991.500054] FS: 00007f41e80b9740(0000) GS:ffff96b83bc1b000(0000)
>>> knlGS:0000000000000000
>>> [ 991.508132] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> [ 991.513870] CR2: 0000000000000008 CR3: 0000000106c42003 CR4: 00000000003706f0
>>> [ 991.520994] note: udpgso_bench_tx[64842] exited with irqs disabled
>>>
>>>
>>> ## Source
>>> * Kernel version: 6.17.0-rc4
>>> * Git tree: https://kernel.googlesource.com/pub/scm/linux/kernel/git/next/linux-next.git
>>> * Git describe: next-20250905
>>> * Git commit: be5d4872e528796df9d7425f2bd9b3893eb3a42c
>>> * Architectures: x86_64
>>> * Toolchains: clang-nightly
>>> * Kconfigs: defconfig+selftests/*/config
>>>
>>> ## Build
>>> * Test log: https://qa-reports.linaro.org/api/testruns/29777495/log_file/
>>> * LAVA test log: https://lkft.validation.linaro.org/scheduler/job/8434053#L16943
>>> * Test details:
>>> https://regressions.linaro.org/lkft/linux-next-master/next-20250905/log-parser-test/oops-oops-oops-smp-pti/
>>> * Test plan: https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/32GkXBGNRNDEj5d64zd73eXhXQC
>>> * Build link: https://storage.tuxsuite.com/public/linaro/lkft/builds/32GkU7mdlpISpPeeeEwIfAJuzqG/
>>> * Kernel config:
>>> https://storage.tuxsuite.com/public/linaro/lkft/builds/32GkU7mdlpISpPeeeEwIfAJuzqG/config
>>>
>>> --
>>> Linaro LKFT
>>> https://lkft.linaro.org
>>
>> I suspect a bug added in mm/gup.c recently
>>
>> commit db076b5db550aa34169dceee81d0974c7b2a2482
>> Author: David Hildenbrand <david@redhat.com>
>> Date: Mon Sep 1 17:03:40 2025 +0200
>>
>> mm/gup: remove record_subpages()
>>
>> We can just cleanup the code by calculating the #refs earlier, so we can
>> just inline what remains of record_subpages().
>>
>> Calculate the number of references/pages ahead of times, and record them
>> only once all our tests passed.
>>
>> Link: https://lkml.kernel.org/r/20250901150359.867252-20-david@redhat.com
>> Signed-off-by: David Hildenbrand <david@redhat.com>
>> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
>>
>
> Yes, fix already on its way:
>
> https://lkml.kernel.org/r/5090355d-546a-4d06-99e1-064354d156b5@redhat.com
>
#syz dup: [syzbot] [io-uring?] KASAN: null-ptr-deref Read in io_sqe_buffer_register
--
Cheers
David / dhildenb
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: next-20250905: x86_64: udpgso_bench.sh triggers NULL deref in zerocopy_fill_skb_from_iter
2025-09-05 13:28 ` David Hildenbrand
@ 2025-09-05 13:33 ` David Hildenbrand
0 siblings, 0 replies; 5+ messages in thread
From: David Hildenbrand @ 2025-09-05 13:33 UTC (permalink / raw)
To: Eric Dumazet, Naresh Kamboju
Cc: Netdev, open list:KERNEL SELFTEST FRAMEWORK, open list,
lkft-triage, Linux Regressions, David S. Miller, Jakub Kicinski,
Paolo Abeni, Eric Biggers, Dan Carpenter, Arnd Bergmann,
Ben Copeland, Anders Roxell, Shuah Khan, Willem de Bruijn,
Pengtao He
On 05.09.25 15:28, David Hildenbrand wrote:
> On 05.09.25 15:07, David Hildenbrand wrote:
>> On 05.09.25 14:55, Eric Dumazet wrote:
>>> On Fri, Sep 5, 2025 at 2:30 AM Naresh Kamboju <naresh.kamboju@linaro.org> wrote:
>>>>
>>>> The following kernel crash was noticed on x86_64 running selftests net
>>>> udpgso_bench.sh
>>>> on Linux next-20250905 tag.
>>>>
>>>> Regression Analysis:
>>>> - New regression? yes
>>>> - Reproducibility? Re-validation is in progress
>>>>
>>>> First seen on next-20250905
>>>> Bad: next-20250905
>>>> Good: next-20250904
>>>>
>>>> Test regression: next-20250905 x86_64 selftests net BUG kernel NULL
>>>> pointer dereference zerocopy_fill_skb_from_iter
>>>>
>>>> Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
>>>>
>>>> x86_64:
>>>> Test:
>>>> * selftests: net: udpgso_bench.sh
>>>>
>>>> Test error:
>>>> selftests: net: udpgso_bench.sh
>>>> ipv4
>>>> tcp
>>>>
>>>> <trim>
>>>>
>>>> # tcp zerocopy
>>>> [ 991.110488] SELinux: unrecognized netlink message: protocol=4
>>>> nlmsg_type=19 sclass=netlink_tcpdiag_socket pid=64835 comm=ss
>>>> # RTNETLINK answers: Invalid argument
>>>> [ 991.129878] BUG: kernel NULL pointer dereference, address: 0000000000000008
>>>> [ 991.136850] #PF: supervisor read access in kernel mode
>>>> [ 991.141986] #PF: error_code(0x0000) - not-present page
>>>> [ 991.147118] PGD 0 P4D 0
>>>> [ 991.149657] Oops: Oops: 0000 [#1] SMP PTI
>>>> [ 991.153661] CPU: 0 UID: 0 PID: 64842 Comm: udpgso_bench_tx Tainted:
>>>> G S 6.17.0-rc4-next-20250905 #1 PREEMPT(voluntary)
>>>> [ 991.165907] Tainted: [S]=CPU_OUT_OF_SPEC
>>>> [ 991.169825] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS
>>>> 2.7 12/07/2021
>>>> [ 991.177209] RIP: 0010:zerocopy_fill_skb_from_iter
>>>> (include/linux/page-flags.h:284)
>>>> [ 991.182954] Code: 4d 85 c0 0f 84 04 01 00 00 44 39 c7 41 0f 4d f8 4c
>>>> 63 de 4a 8b 54 dc 30 49 89 d6 4d 29 ce 49 c1 fe 06 49 d3 ee 4d 85 f6
>>>> 74 24 <48> 8b 4a 08 f6 c1 01 0f 85 cb 00 00 00 0f 1f 44 00 00 31 c9 48
>>>> f7
>>>> All code
>>>> ========
>>>> 0: 4d 85 c0 test %r8,%r8
>>>> 3: 0f 84 04 01 00 00 je 0x10d
>>>> 9: 44 39 c7 cmp %r8d,%edi
>>>> c: 41 0f 4d f8 cmovge %r8d,%edi
>>>> 10: 4c 63 de movslq %esi,%r11
>>>> 13: 4a 8b 54 dc 30 mov 0x30(%rsp,%r11,8),%rdx
>>>> 18: 49 89 d6 mov %rdx,%r14
>>>> 1b: 4d 29 ce sub %r9,%r14
>>>> 1e: 49 c1 fe 06 sar $0x6,%r14
>>>> 22: 49 d3 ee shr %cl,%r14
>>>> 25: 4d 85 f6 test %r14,%r14
>>>> 28: 74 24 je 0x4e
>>>> 2a:* 48 8b 4a 08 mov 0x8(%rdx),%rcx <-- trapping instruction
>>>> 2e: f6 c1 01 test $0x1,%cl
>>>> 31: 0f 85 cb 00 00 00 jne 0x102
>>>> 37: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
>>>> 3c: 31 c9 xor %ecx,%ecx
>>>> 3e: 48 rex.W
>>>> 3f: f7 .byte 0xf7
>>>>
>>>> Code starting with the faulting instruction
>>>> ===========================================
>>>> 0: 48 8b 4a 08 mov 0x8(%rdx),%rcx
>>>> 4: f6 c1 01 test $0x1,%cl
>>>> 7: 0f 85 cb 00 00 00 jne 0xd8
>>>> d: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
>>>> 12: 31 c9 xor %ecx,%ecx
>>>> 14: 48 rex.W
>>>> 15: f7 .byte 0xf7
>>>> [ 991.201691] RSP: 0018:ffffb11281d0ba90 EFLAGS: 00010202
>>>> [ 991.206910] RAX: ffffe14ec4208000 RBX: 0000000000005000 RCX: 0000000000000009
>>>> [ 991.214033] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000001000
>>>> [ 991.221156] RBP: ffffb11281d0bb88 R08: 00000000000020ff R09: ffffe14ec4208000
>>>> [ 991.228280] R10: 0000000000000005 R11: 0000000000000006 R12: ffff96b4825f4200
>>>> [ 991.235406] R13: 0000000000000001 R14: 000000003d6277bf R15: 0000000000000000
>>>> [ 991.242529] FS: 00007f41e80b9740(0000) GS:ffff96b83bc1b000(0000)
>>>> knlGS:0000000000000000
>>>> [ 991.250608] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>> [ 991.256378] CR2: 0000000000000008 CR3: 0000000106c42003 CR4: 00000000003706f0
>>>> [ 991.263513] Call Trace:
>>>> [ 991.265956] <TASK>
>>>> [ 991.268055] __zerocopy_sg_from_iter (net/core/datagram.c:?)
>>>> [ 991.272674] ? kmalloc_reserve (net/core/skbuff.c:581)
>>>> [ 991.276599] skb_zerocopy_iter_stream (net/core/skbuff.c:1867)
>>>> [ 991.281219] tcp_sendmsg_locked (net/ipv4/tcp.c:1283)
>>>> [ 991.285493] tcp_sendmsg (net/ipv4/tcp.c:1393)
>>>> [ 991.288896] inet6_sendmsg (net/ipv6/af_inet6.c:661)
>>>> [ 991.292466] __sock_sendmsg (net/socket.c:717)
>>>> [ 991.296126] __sys_sendto (net/socket.c:?)
>>>> [ 991.299785] __x64_sys_sendto (net/socket.c:2235 net/socket.c:2231
>>>> net/socket.c:2231)
>>>> [ 991.303622] x64_sys_call (arch/x86/entry/syscall_64.c:41)
>>>> [ 991.307462] do_syscall_64 (arch/x86/entry/syscall_64.c:?)
>>>> [ 991.311128] ? irqentry_exit (kernel/entry/common.c:210)
>>>> [ 991.314881] ? exc_page_fault (arch/x86/mm/fault.c:1536)
>>>> [ 991.318720] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
>>>> [ 991.323762] RIP: 0033:0x7f41e814b687
>>>> [ 991.327352] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00
>>>> 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10
>>>> 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff
>>>> ff
>>>> All code
>>>> ========
>>>> 0: 48 89 fa mov %rdi,%rdx
>>>> 3: 4c 89 df mov %r11,%rdi
>>>> 6: e8 58 b3 00 00 call 0xb363
>>>> b: 8b 93 08 03 00 00 mov 0x308(%rbx),%edx
>>>> 11: 59 pop %rcx
>>>> 12: 5e pop %rsi
>>>> 13: 48 83 f8 fc cmp $0xfffffffffffffffc,%rax
>>>> 17: 74 1a je 0x33
>>>> 19: 5b pop %rbx
>>>> 1a: c3 ret
>>>> 1b: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
>>>> 22: 00
>>>> 23: 48 8b 44 24 10 mov 0x10(%rsp),%rax
>>>> 28: 0f 05 syscall
>>>> 2a:* 5b pop %rbx <-- trapping instruction
>>>> 2b: c3 ret
>>>> 2c: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
>>>> 33: 83 e2 39 and $0x39,%edx
>>>> 36: 83 fa 08 cmp $0x8,%edx
>>>> 39: 75 de jne 0x19
>>>> 3b: e8 23 ff ff ff call 0xffffffffffffff63
>>>>
>>>> Code starting with the faulting instruction
>>>> ===========================================
>>>> 0: 5b pop %rbx
>>>> 1: c3 ret
>>>> 2: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
>>>> 9: 83 e2 39 and $0x39,%edx
>>>> c: 83 fa 08 cmp $0x8,%edx
>>>> f: 75 de jne 0xffffffffffffffef
>>>> 11: e8 23 ff ff ff call 0xffffffffffffff39
>>>> [ 991.346124] RSP: 002b:00007ffdd843ba50 EFLAGS: 00000202 ORIG_RAX:
>>>> 000000000000002c
>>>> [ 991.353680] RAX: ffffffffffffffda RBX: 00007f41e80b9740 RCX: 00007f41e814b687
>>>> [ 991.360806] RDX: 000000000000f180 RSI: 000056251f1fd100 RDI: 0000000000000005
>>>> [ 991.367931] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
>>>> [ 991.375063] R10: 0000000004000000 R11: 0000000000000202 R12: 0000000000000000
>>>> [ 991.382193] R13: 000056251f1fb080 R14: 000001a670e438d8 R15: 0000000000000005
>>>> [ 991.389357] </TASK>
>>>> [ 991.391571] Modules linked in: mptcp_diag tcp_diag inet_diag
>>>> xt_conntrack xfrm_user ipip bridge stp llc geneve vxlan act_csum
>>>> act_pedit openvswitch nsh nf_nat nf_conntrack nf_defrag_ipv6
>>>> nf_defrag_ipv4 psample cls_flower sch_prio xt_mark nft_compat
>>>> nf_tables sch_ingress act_mirred cls_basic sch_fq_codel vrf pktgen
>>>> macvtap macvlan tap x86_pkg_temp_thermal ip_tables x_tables [last
>>>> unloaded: test_bpf]
>>>> [ 991.426812] CR2: 0000000000000008
>>>> [ 991.430121] ---[ end trace 0000000000000000 ]---
>>>> [ 991.434733] RIP: 0010:zerocopy_fill_skb_from_iter
>>>> (include/linux/page-flags.h:284)
>>>> [ 991.440477] Code: 4d 85 c0 0f 84 04 01 00 00 44 39 c7 41 0f 4d f8 4c
>>>> 63 de 4a 8b 54 dc 30 49 89 d6 4d 29 ce 49 c1 fe 06 49 d3 ee 4d 85 f6
>>>> 74 24 <48> 8b 4a 08 f6 c1 01 0f 85 cb 00 00 00 0f 1f 44 00 00 31 c9 48
>>>> f7
>>>> All code
>>>> ========
>>>> 0: 4d 85 c0 test %r8,%r8
>>>> 3: 0f 84 04 01 00 00 je 0x10d
>>>> 9: 44 39 c7 cmp %r8d,%edi
>>>> c: 41 0f 4d f8 cmovge %r8d,%edi
>>>> 10: 4c 63 de movslq %esi,%r11
>>>> 13: 4a 8b 54 dc 30 mov 0x30(%rsp,%r11,8),%rdx
>>>> 18: 49 89 d6 mov %rdx,%r14
>>>> 1b: 4d 29 ce sub %r9,%r14
>>>> 1e: 49 c1 fe 06 sar $0x6,%r14
>>>> 22: 49 d3 ee shr %cl,%r14
>>>> 25: 4d 85 f6 test %r14,%r14
>>>> 28: 74 24 je 0x4e
>>>> 2a:* 48 8b 4a 08 mov 0x8(%rdx),%rcx <-- trapping instruction
>>>> 2e: f6 c1 01 test $0x1,%cl
>>>> 31: 0f 85 cb 00 00 00 jne 0x102
>>>> 37: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
>>>> 3c: 31 c9 xor %ecx,%ecx
>>>> 3e: 48 rex.W
>>>> 3f: f7 .byte 0xf7
>>>>
>>>> Code starting with the faulting instruction
>>>> ===========================================
>>>> 0: 48 8b 4a 08 mov 0x8(%rdx),%rcx
>>>> 4: f6 c1 01 test $0x1,%cl
>>>> 7: 0f 85 cb 00 00 00 jne 0xd8
>>>> d: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
>>>> 12: 31 c9 xor %ecx,%ecx
>>>> 14: 48 rex.W
>>>> 15: f7 .byte 0xf7
>>>> [ 991.459215] RSP: 0018:ffffb11281d0ba90 EFLAGS: 00010202
>>>> [ 991.464434] RAX: ffffe14ec4208000 RBX: 0000000000005000 RCX: 0000000000000009
>>>> [ 991.471557] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000001000
>>>> [ 991.478681] RBP: ffffb11281d0bb88 R08: 00000000000020ff R09: ffffe14ec4208000
>>>> [ 991.485807] R10: 0000000000000005 R11: 0000000000000006 R12: ffff96b4825f4200
>>>> [ 991.492930] R13: 0000000000000001 R14: 000000003d6277bf R15: 0000000000000000
>>>> [ 991.500054] FS: 00007f41e80b9740(0000) GS:ffff96b83bc1b000(0000)
>>>> knlGS:0000000000000000
>>>> [ 991.508132] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>> [ 991.513870] CR2: 0000000000000008 CR3: 0000000106c42003 CR4: 00000000003706f0
>>>> [ 991.520994] note: udpgso_bench_tx[64842] exited with irqs disabled
>>>>
>>>>
>>>> ## Source
>>>> * Kernel version: 6.17.0-rc4
>>>> * Git tree: https://kernel.googlesource.com/pub/scm/linux/kernel/git/next/linux-next.git
>>>> * Git describe: next-20250905
>>>> * Git commit: be5d4872e528796df9d7425f2bd9b3893eb3a42c
>>>> * Architectures: x86_64
>>>> * Toolchains: clang-nightly
>>>> * Kconfigs: defconfig+selftests/*/config
>>>>
>>>> ## Build
>>>> * Test log: https://qa-reports.linaro.org/api/testruns/29777495/log_file/
>>>> * LAVA test log: https://lkft.validation.linaro.org/scheduler/job/8434053#L16943
>>>> * Test details:
>>>> https://regressions.linaro.org/lkft/linux-next-master/next-20250905/log-parser-test/oops-oops-oops-smp-pti/
>>>> * Test plan: https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/32GkXBGNRNDEj5d64zd73eXhXQC
>>>> * Build link: https://storage.tuxsuite.com/public/linaro/lkft/builds/32GkU7mdlpISpPeeeEwIfAJuzqG/
>>>> * Kernel config:
>>>> https://storage.tuxsuite.com/public/linaro/lkft/builds/32GkU7mdlpISpPeeeEwIfAJuzqG/config
>>>>
>>>> --
>>>> Linaro LKFT
>>>> https://lkft.linaro.org
>>>
>>> I suspect a bug added in mm/gup.c recently
>>>
>>> commit db076b5db550aa34169dceee81d0974c7b2a2482
>>> Author: David Hildenbrand <david@redhat.com>
>>> Date: Mon Sep 1 17:03:40 2025 +0200
>>>
>>> mm/gup: remove record_subpages()
>>>
>>> We can just cleanup the code by calculating the #refs earlier, so we can
>>> just inline what remains of record_subpages().
>>>
>>> Calculate the number of references/pages ahead of times, and record them
>>> only once all our tests passed.
>>>
>>> Link: https://lkml.kernel.org/r/20250901150359.867252-20-david@redhat.com
>>> Signed-off-by: David Hildenbrand <david@redhat.com>
>>> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
>>>
>>
>> Yes, fix already on its way:
>>
>> https://lkml.kernel.org/r/5090355d-546a-4d06-99e1-064354d156b5@redhat.com
>>
>
> #syz dup: [syzbot] [io-uring?] KASAN: null-ptr-deref Read in io_sqe_buffer_register
Sorry for the noise, realized just now that this was not a syzkaller
report. :)
--
Cheers
David / dhildenb
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-09-05 13:33 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-09-05 9:30 next-20250905: x86_64: udpgso_bench.sh triggers NULL deref in zerocopy_fill_skb_from_iter Naresh Kamboju
2025-09-05 12:55 ` Eric Dumazet
2025-09-05 13:07 ` David Hildenbrand
2025-09-05 13:28 ` David Hildenbrand
2025-09-05 13:33 ` David Hildenbrand
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox