* Re: [syzbot] [bpf?] [net?] general protection fault in __dev_flush
2024-07-19 3:59 [syzbot] [net?] [bpf?] " syzbot
@ 2024-07-22 2:59 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-07-22 2:59 UTC (permalink / raw)
To: andrii, ast, bpf, daniel, davem, eddyz87, haoluo, hawk,
john.fastabend, jolsa, kpsingh, kuba, linux-kernel, martin.lau,
netdev, sdf, song, syzkaller-bugs, yonghong.song
syzbot has found a reproducer for the following issue on:
HEAD commit: 7846b618e0a4 Merge tag 'rtc-6.11' of git://git.kernel.org/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=142d3eb5980000
kernel config: https://syzkaller.appspot.com/x/.config?x=be4129de17851dbe
dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=154c40b1980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14f3e11d980000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-7846b618.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3a2831ffe61c/vmlinux-7846b618.xz
kernel image: https://storage.googleapis.com/syzbot-assets/575e23a7c452/bzImage-7846b618.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+44623300f057a28baf1e@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 5389 Comm: syz-executor357 Not tainted 6.10.0-syzkaller-11323-g7846b618e0a4 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__dev_flush+0x49/0x1e0 kernel/bpf/devmap.c:424
Code: 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 98 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 2f 48 8d 5d 80 48 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 69 01 00 00 48 8b 45 00 49 39 ef 4c 8d 60 80 0f
RSP: 0018:ffffc900008b0c90 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffffffffffff80 RCX: ffffffff88d6a5bb
RDX: 0000000000000000 RSI: ffffffff81af9c56 RDI: ffffc9000345fa68
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffc9000345fa58
R13: ffff888022ec0fb0 R14: ffffc9000345fa68 R15: ffffc9000345fa68
FS: 0000555568ea6380(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff4743880f0 CR3: 0000000023168000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
xdp_do_check_flushed+0x40a/0x4e0 net/core/filter.c:4300
__napi_poll.constprop.0+0xd1/0x550 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6962
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
do_softirq kernel/softirq.c:455 [inline]
do_softirq+0xb2/0xf0 kernel/softirq.c:442
</IRQ>
<TASK>
__local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382
local_bh_enable include/linux/bottom_half.h:33 [inline]
tun_get_user+0x1d9b/0x3c30 drivers/net/tun.c:1936
tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2052
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0x6b6/0x1140 fs/read_write.c:590
ksys_write+0x12f/0x260 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff47430af50
Code: 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d 51 e1 07 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89
RSP: 002b:00007ffde0326728 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007ffde03267c0 RCX: 00007ff47430af50
RDX: 0000000000000e80 RSI: 0000000020000100 RDI: 00000000000000c8
RBP: 00007ffde0326770 R08: 00007ffde0326750 R09: 00007ffde0326750
R10: 00007ffde0326750 R11: 0000000000000202 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__dev_flush+0x49/0x1e0 kernel/bpf/devmap.c:424
Code: 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 98 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 2f 48 8d 5d 80 48 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 69 01 00 00 48 8b 45 00 49 39 ef 4c 8d 60 80 0f
RSP: 0018:ffffc900008b0c90 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffffffffffff80 RCX: ffffffff88d6a5bb
RDX: 0000000000000000 RSI: ffffffff81af9c56 RDI: ffffc9000345fa68
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffc9000345fa58
R13: ffff888022ec0fb0 R14: ffffc9000345fa68 R15: ffffc9000345fa68
FS: 0000555568ea6380(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff4743880f0 CR3: 0000000023168000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 4 bytes skipped:
0: 48 c1 ea 03 shr $0x3,%rdx
4: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
8: 0f 85 98 01 00 00 jne 0x1a6
e: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
15: fc ff df
18: 49 8b 2f mov (%r15),%rbp
1b: 48 8d 5d 80 lea -0x80(%rbp),%rbx
1f: 48 89 ea mov %rbp,%rdx
22: 48 c1 ea 03 shr $0x3,%rdx
* 26: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2a: 0f 85 69 01 00 00 jne 0x199
30: 48 8b 45 00 mov 0x0(%rbp),%rax
34: 49 39 ef cmp %rbp,%r15
37: 4c 8d 60 80 lea -0x80(%rax),%r12
3b: 0f .byte 0xf
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [bpf?] [net?] general protection fault in __dev_flush
[not found] <20240722103109.4668-1-aha310510@gmail.com>
@ 2024-07-22 10:52 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-07-22 10:52 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: stack-out-of-bounds Read in xdp_do_check_flushed
==================================================================
BUG: KASAN: stack-out-of-bounds in bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]
BUG: KASAN: stack-out-of-bounds in xdp_do_check_flushed+0x355/0x3f0 net/core/filter.c:4298
Read of size 4 at addr ffffc90003387a50 by task syz.0.105/5938
CPU: 0 UID: 0 PID: 5938 Comm: syz.0.105 Not tainted 6.10.0-syzkaller-g933069701c1b-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]
xdp_do_check_flushed+0x355/0x3f0 net/core/filter.c:4298
__napi_poll.constprop.0+0xd1/0x550 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6962
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__schedule+0xe3f/0x5490 kernel/sched/core.c:6399
Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 ba 3f 00 00 48 8b bd 10 ff ff ff 4d 89 77 10 4c 89 f6 e8 c9 a5 0f f6 48 89 c7 e8 61 54 6a f6 <48> 8b 8d a0 fe ff ff 48 b8 00 00 00 00 00 fc ff df 48 01 c1 48 c7
RSP: 0018:ffffc90003387980 EFLAGS: 00000206
RAX: 00000000000001a9 RBX: ffff888043a40000 RCX: 1ffffffff1fce089
RDX: 0000000000000000 RSI: ffffffff8b2cc580 RDI: ffffffff8b90c740
RBP: ffffc90003387b10 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8fe7489f R11: 0000000000000001 R12: ffff88806b03f908
R13: 0000000000000000 R14: ffff888043a40000 R15: ffff88806b03ee00
preempt_schedule_common+0x44/0xc0 kernel/sched/core.c:6708
preempt_schedule_thunk+0x1a/0x30 arch/x86/entry/thunk.S:12
class_preempt_destructor include/linux/preempt.h:480 [inline]
class_preempt_destructor include/linux/preempt.h:480 [inline]
try_to_wake_up+0xc08/0x13e0 kernel/sched/core.c:4022
wake_up_process kernel/sched/core.c:4299 [inline]
wake_up_q+0x91/0x140 kernel/sched/core.c:1029
futex_wake+0x43e/0x4e0 kernel/futex/waitwake.c:199
do_futex+0x1e5/0x350 kernel/futex/syscalls.c:107
__do_sys_futex kernel/futex/syscalls.c:179 [inline]
__se_sys_futex kernel/futex/syscalls.c:160 [inline]
__x64_sys_futex+0x1e1/0x4c0 kernel/futex/syscalls.c:160
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7faaa0975b59
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007faaa16670f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007faaa0b05f68 RCX: 00007faaa0975b59
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007faaa0b05f6c
RBP: 00007faaa0b05f60 R08: 00007faaa1668080 R09: 00007faaa16676c0
R10: 0000000000000e80 R11: 0000000000000246 R12: 00007faaa0b05f6c
R13: 000000000000000b R14: 00007fff8e045980 R15: 00007fff8e045a68
</TASK>
The buggy address belongs to stack of task syz.0.105/5938
and is located at offset 40 in frame:
__schedule+0x0/0x5490
This frame has 3 objects:
[48, 52) 'cid'
[64, 80) 'rf'
[96, 120) 'ac'
The buggy address belongs to the virtual mapping at
[ffffc90003380000, ffffc90003389000) created by:
kernel_clone+0xfd/0x980 kernel/fork.c:2781
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801f49d0f0 pfn:0x1f49d
memcg:ffff88802787e902
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88801f49d0f0 0000000000000000 00000001ffffffff ffff88802787e902
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 5663, tgid 5663 (syz-executor), ts 127270798487, free_ts 127240380476
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1493
prep_new_page mm/page_alloc.c:1501 [inline]
get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3438
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4696
alloc_pages_mpol_noprof+0x275/0x610 mm/mempolicy.c:2263
vm_area_alloc_pages mm/vmalloc.c:3584 [inline]
__vmalloc_area_node mm/vmalloc.c:3660 [inline]
__vmalloc_node_range_noprof+0xa6a/0x1520 mm/vmalloc.c:3841
alloc_thread_stack_node kernel/fork.c:313 [inline]
dup_task_struct kernel/fork.c:1113 [inline]
copy_process+0x2f3b/0x8de0 kernel/fork.c:2204
kernel_clone+0xfd/0x980 kernel/fork.c:2781
__do_sys_clone+0xba/0x100 kernel/fork.c:2924
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5663 tgid 5663 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1094 [inline]
free_unref_page+0x64a/0xe40 mm/page_alloc.c:2608
__folio_put+0x31c/0x3e0 mm/swap.c:128
folio_put include/linux/mm.h:1479 [inline]
free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308
__tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2569 [inline]
rcu_core+0x828/0x16b0 kernel/rcu/tree.c:2843
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
Memory state around the buggy address:
ffffc90003387900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc90003387980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90003387a00: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 04 f2 00 00 f2
^
ffffc90003387a80: f2 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00
ffffc90003387b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: fa cli
1: 48 c1 ea 03 shr $0x3,%rdx
5: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
9: 0f 85 ba 3f 00 00 jne 0x3fc9
f: 48 8b bd 10 ff ff ff mov -0xf0(%rbp),%rdi
16: 4d 89 77 10 mov %r14,0x10(%r15)
1a: 4c 89 f6 mov %r14,%rsi
1d: e8 c9 a5 0f f6 call 0xf60fa5eb
22: 48 89 c7 mov %rax,%rdi
25: e8 61 54 6a f6 call 0xf66a548b
* 2a: 48 8b 8d a0 fe ff ff mov -0x160(%rbp),%rcx <-- trapping instruction
31: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
38: fc ff df
3b: 48 01 c1 add %rax,%rcx
3e: 48 rex.W
3f: c7 .byte 0xc7
Tested on:
commit: 93306970 Merge tag '6.11-rc-smb3-server-fixes' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1162fe3d980000
kernel config: https://syzkaller.appspot.com/x/.config?x=c043ce4607a33671
dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1214995e980000
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [bpf?] [net?] general protection fault in __dev_flush
[not found] <20240722103139.4718-1-aha310510@gmail.com>
@ 2024-07-22 11:11 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-07-22 11:11 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: stack-out-of-bounds Read in xdp_do_check_flushed
==================================================================
BUG: KASAN: stack-out-of-bounds in bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]
BUG: KASAN: stack-out-of-bounds in xdp_do_check_flushed+0x41c/0x4e0 net/core/filter.c:4298
Read of size 4 at addr ffffc9000167fa50 by task syz.0.111/5959
CPU: 1 UID: 0 PID: 5959 Comm: syz.0.111 Not tainted 6.10.0-syzkaller-g933069701c1b #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]
xdp_do_check_flushed+0x41c/0x4e0 net/core/filter.c:4298
__napi_poll.constprop.0+0xd1/0x550 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6962
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:write_comp_data+0x0/0x90 kernel/kcov.c:230
Code: 48 8b 05 e3 5c 79 7e 48 8b 80 10 16 00 00 c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <49> 89 d2 49 89 f8 49 89 f1 65 48 8b 15 af 5c 79 7e 65 8b 05 b0 5c
RSP: 0018:ffffc9000167f618 EFLAGS: 00000246
RAX: 0000000000000003 RBX: ffffea0000d86e40 RCX: ffffffff81d6e231
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000005
RBP: ffffea0000d86e40 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: 0000000000000000 R15: ffffc9000167fab8
__folio_rmap_sanity_checks+0x61/0x550 include/linux/rmap.h:201
__folio_remove_rmap mm/rmap.c:1514 [inline]
folio_remove_rmap_ptes+0x31/0x3d0 mm/rmap.c:1595
zap_present_folio_ptes mm/memory.c:1517 [inline]
zap_present_ptes mm/memory.c:1576 [inline]
zap_pte_range mm/memory.c:1618 [inline]
zap_pmd_range mm/memory.c:1736 [inline]
zap_pud_range mm/memory.c:1765 [inline]
zap_p4d_range mm/memory.c:1786 [inline]
unmap_page_range+0x1997/0x3c10 mm/memory.c:1807
unmap_single_vma+0x194/0x2b0 mm/memory.c:1853
unmap_vmas+0x22f/0x490 mm/memory.c:1897
exit_mmap+0x1b8/0xb20 mm/mmap.c:3382
__mmput+0x12a/0x480 kernel/fork.c:1345
mmput+0x62/0x70 kernel/fork.c:1367
exit_mm kernel/exit.c:571 [inline]
do_exit+0x9bf/0x2bb0 kernel/exit.c:869
do_group_exit+0xd3/0x2a0 kernel/exit.c:1031
get_signal+0x25fd/0x2770 kernel/signal.c:2917
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f66e7375b59
Code: Unable to access opcode bytes at 0x7f66e7375b2f.
RSP: 002b:00007f66e809c0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f66e7505f68 RCX: 00007f66e7375b59
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f66e7505f68
RBP: 00007f66e7505f60 R08: 00007f66e809c6c0 R09: 00007f66e809c6c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f66e7505f6c
R13: 000000000000000b R14: 00007ffd814e49e0 R15: 00007ffd814e4ac8
</TASK>
The buggy address belongs to stack of task syz.0.111/5959
and is located at offset 24 in frame:
exit_mmap+0x0/0xb20 mm/mmap.c:3202
This frame has 2 objects:
[32, 96) 'vmi'
[128, 256) 'tlb'
The buggy address belongs to the virtual mapping at
[ffffc90001678000, ffffc90001681000) created by:
kernel_clone+0xfd/0x980 kernel/fork.c:2781
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801ec13150 pfn:0x1ec13
memcg:ffff8880261f3b82
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88801ec13150 0000000000000000 00000001ffffffff ffff8880261f3b82
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 5636, tgid 5636 (syz-executor), ts 121181133330, free_ts 121100052787
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1493
prep_new_page mm/page_alloc.c:1501 [inline]
get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3438
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4696
alloc_pages_mpol_noprof+0x275/0x610 mm/mempolicy.c:2263
vm_area_alloc_pages mm/vmalloc.c:3584 [inline]
__vmalloc_area_node mm/vmalloc.c:3660 [inline]
__vmalloc_node_range_noprof+0xa6a/0x1520 mm/vmalloc.c:3841
alloc_thread_stack_node kernel/fork.c:313 [inline]
dup_task_struct kernel/fork.c:1113 [inline]
copy_process+0x2f3b/0x8de0 kernel/fork.c:2204
kernel_clone+0xfd/0x980 kernel/fork.c:2781
__do_sys_clone+0xba/0x100 kernel/fork.c:2924
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 0 tgid 0 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1094 [inline]
free_unref_page+0x64a/0xe40 mm/page_alloc.c:2608
__folio_put+0x31c/0x3e0 mm/swap.c:128
folio_put include/linux/mm.h:1479 [inline]
free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308
__tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2569 [inline]
rcu_core+0x828/0x16b0 kernel/rcu/tree.c:2843
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
Memory state around the buggy address:
ffffc9000167f900: 00 f2 f2 f2 00 f2 f2 f2 00 00 f2 f2 00 00 00 00
ffffc9000167f980: 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
>ffffc9000167fa00: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00
^
ffffc9000167fa80: 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00
ffffc9000167fb00: 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 48 8b 05 e3 5c 79 7e mov 0x7e795ce3(%rip),%rax # 0x7e795cea
7: 48 8b 80 10 16 00 00 mov 0x1610(%rax),%rax
e: c3 ret
f: cc int3
10: cc int3
11: cc int3
12: cc int3
13: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
1a: 90 nop
1b: 90 nop
1c: 90 nop
1d: 90 nop
1e: 90 nop
1f: 90 nop
20: 90 nop
21: 90 nop
22: 90 nop
23: 90 nop
24: 90 nop
25: 90 nop
26: 90 nop
27: 90 nop
28: 90 nop
29: 90 nop
* 2a: 49 89 d2 mov %rdx,%r10 <-- trapping instruction
2d: 49 89 f8 mov %rdi,%r8
30: 49 89 f1 mov %rsi,%r9
33: 65 48 8b 15 af 5c 79 mov %gs:0x7e795caf(%rip),%rdx # 0x7e795cea
3a: 7e
3b: 65 gs
3c: 8b .byte 0x8b
3d: 05 .byte 0x5
3e: b0 5c mov $0x5c,%al
Tested on:
commit: 93306970 Merge tag '6.11-rc-smb3-server-fixes' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17687d79980000
kernel config: https://syzkaller.appspot.com/x/.config?x=c043ce4607a33671
dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [bpf?] [net?] general protection fault in __dev_flush
[not found] <20240722114035.5337-1-aha310510@gmail.com>
@ 2024-07-22 12:01 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-07-22 12:01 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: stack-out-of-bounds Read in xdp_do_check_flushed
==================================================================
BUG: KASAN: stack-out-of-bounds in bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]
BUG: KASAN: stack-out-of-bounds in xdp_do_check_flushed+0x355/0x3f0 net/core/filter.c:4298
Read of size 4 at addr ffffc9000336fa50 by task syz.0.70/5863
CPU: 1 PID: 5863 Comm: syz.0.70 Not tainted 6.10.0-syzkaller-11323-g7846b618e0a4-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]
xdp_do_check_flushed+0x355/0x3f0 net/core/filter.c:4298
__napi_poll.constprop.0+0xd1/0x550 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6962
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__schedule+0xe3f/0x5490 kernel/sched/core.c:6399
Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 ba 3f 00 00 48 8b bd 10 ff ff ff 4d 89 77 10 4c 89 f6 e8 b9 6e 0f f6 48 89 c7 e8 71 e8 69 f6 <48> 8b 8d a0 fe ff ff 48 b8 00 00 00 00 00 fc ff df 48 01 c1 48 c7
RSP: 0018:ffffc9000336f980 EFLAGS: 00000206
RAX: 000000000000018b RBX: ffff8880256b0000 RCX: 1ffffffff1fce461
RDX: 0000000000000000 RSI: ffffffff8b2cbac0 RDI: ffffffff8b909e40
RBP: ffffc9000336fb10 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8fe7675f R11: 0000000000000001 R12: ffff88806b13f788
R13: 0000000000000000 R14: ffff8880256b0000 R15: ffff88806b13ec80
preempt_schedule_common+0x44/0xc0 kernel/sched/core.c:6708
preempt_schedule_thunk+0x1a/0x30 arch/x86/entry/thunk.S:12
class_preempt_destructor include/linux/preempt.h:480 [inline]
class_preempt_destructor include/linux/preempt.h:480 [inline]
try_to_wake_up+0xc08/0x13e0 kernel/sched/core.c:4022
wake_up_process kernel/sched/core.c:4299 [inline]
wake_up_q+0x91/0x140 kernel/sched/core.c:1029
futex_wake+0x43e/0x4e0 kernel/futex/waitwake.c:199
do_futex+0x1e5/0x350 kernel/futex/syscalls.c:107
__do_sys_futex kernel/futex/syscalls.c:179 [inline]
__se_sys_futex kernel/futex/syscalls.c:160 [inline]
__x64_sys_futex+0x1e1/0x4c0 kernel/futex/syscalls.c:160
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc830f75b59
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc831d8e0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007fc831105f68 RCX: 00007fc830f75b59
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007fc831105f6c
RBP: 00007fc831105f60 R08: 00007fc831d8f080 R09: 00007fc831d8e6c0
R10: 0000000000000e80 R11: 0000000000000246 R12: 00007fc831105f6c
R13: 000000000000000b R14: 00007ffea9d2b330 R15: 00007ffea9d2b418
</TASK>
The buggy address belongs to stack of task syz.0.70/5863
and is located at offset 40 in frame:
__schedule+0x0/0x5490
This frame has 3 objects:
[48, 52) 'cid'
[64, 80) 'rf'
[96, 120) 'ac'
The buggy address belongs to the virtual mapping at
[ffffc90003368000, ffffc90003371000) created by:
kernel_clone+0xfd/0x980 kernel/fork.c:2780
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802b714360 pfn:0x2b714
memcg:ffff888021296f02
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88802b714360 0000000000000000 00000001ffffffff ffff888021296f02
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 5862, tgid 5862 (syz.0.70), ts 130256428069, free_ts 129532353425
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1473
prep_new_page mm/page_alloc.c:1481 [inline]
get_page_from_freelist+0x1353/0x2e50 mm/page_alloc.c:3425
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4683
alloc_pages_mpol_noprof+0x275/0x610 mm/mempolicy.c:2265
vm_area_alloc_pages mm/vmalloc.c:3583 [inline]
__vmalloc_area_node mm/vmalloc.c:3659 [inline]
__vmalloc_node_range_noprof+0xa6a/0x1520 mm/vmalloc.c:3840
alloc_thread_stack_node kernel/fork.c:311 [inline]
dup_task_struct kernel/fork.c:1111 [inline]
copy_process+0x2f3b/0x8de0 kernel/fork.c:2203
kernel_clone+0xfd/0x980 kernel/fork.c:2780
__do_sys_clone3+0x1f5/0x270 kernel/fork.c:3084
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5829 tgid 5828 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1093 [inline]
free_unref_page+0x64a/0xe40 mm/page_alloc.c:2588
tlb_batch_list_free mm/mmu_gather.c:159 [inline]
tlb_finish_mmu+0x237/0x7b0 mm/mmu_gather.c:468
exit_mmap+0x3d1/0xb20 mm/mmap.c:3354
__mmput+0x12a/0x480 kernel/fork.c:1343
mmput+0x62/0x70 kernel/fork.c:1365
exit_mm kernel/exit.c:566 [inline]
do_exit+0x9bf/0x2bb0 kernel/exit.c:864
do_group_exit+0xd3/0x2a0 kernel/exit.c:1026
get_signal+0x25fb/0x2770 kernel/signal.c:2917
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffffc9000336f900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc9000336f980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9000336fa00: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 04 f2 00 00 f2
^
ffffc9000336fa80: f2 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00
ffffc9000336fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: fa cli
1: 48 c1 ea 03 shr $0x3,%rdx
5: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
9: 0f 85 ba 3f 00 00 jne 0x3fc9
f: 48 8b bd 10 ff ff ff mov -0xf0(%rbp),%rdi
16: 4d 89 77 10 mov %r14,0x10(%r15)
1a: 4c 89 f6 mov %r14,%rsi
1d: e8 b9 6e 0f f6 call 0xf60f6edb
22: 48 89 c7 mov %rax,%rdi
25: e8 71 e8 69 f6 call 0xf669e89b
* 2a: 48 8b 8d a0 fe ff ff mov -0x160(%rbp),%rcx <-- trapping instruction
31: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
38: fc ff df
3b: 48 01 c1 add %rax,%rcx
3e: 48 rex.W
3f: c7 .byte 0xc7
Tested on:
commit: 7846b618 Merge tag 'rtc-6.11' of git://git.kernel.org/..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11d729b5980000
kernel config: https://syzkaller.appspot.com/x/.config?x=be4129de17851dbe
dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=148939c3980000
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [bpf?] [net?] general protection fault in __dev_flush
[not found] <20240724093902.8331-1-aha310510@gmail.com>
@ 2024-07-24 9:59 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-07-24 9:59 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: stack-out-of-bounds Read in xdp_do_check_flushed
==================================================================
BUG: KASAN: stack-out-of-bounds in bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]
BUG: KASAN: stack-out-of-bounds in xdp_do_check_flushed+0x41c/0x4e0 net/core/filter.c:4298
Read of size 4 at addr ffffc9000331fa50 by task syz.0.36/5802
CPU: 0 UID: 0 PID: 5802 Comm: syz.0.36 Not tainted 6.10.0-syzkaller-12246-g786c8248dbd3-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]
xdp_do_check_flushed+0x41c/0x4e0 net/core/filter.c:4298
__napi_poll.constprop.0+0xd1/0x550 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6962
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_call_function arch/x86/kernel/smp.c:257 [inline]
sysvec_call_function+0x95/0xb0 arch/x86/kernel/smp.c:257
</IRQ>
<TASK>
asm_sysvec_call_function+0x1a/0x20 arch/x86/include/asm/idtentry.h:710
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60 kernel/kcov.c:200
Code: be b0 01 00 00 e8 a0 ff ff ff 31 c0 c3 cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 65 48 8b 15 94 54 79 7e 65 8b 05 95 54 79 7e a9 00 01
RSP: 0018:ffffc9000331f3e8 EFLAGS: 00000283
RAX: dffffc0000000000 RBX: ffffc9000331f470 RCX: ffffffff813cf026
RDX: 1ffff92000663e90 RSI: ffffffff813cf082 RDI: ffffc9000331f480
RBP: ffffc9000331fcd0 R08: 0000000000000004 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90003318000
R13: ffffc90003320000 R14: 0000000000000001 R15: 0000000000000001
on_stack arch/x86/include/asm/stacktrace.h:60 [inline]
unwind_next_frame+0x11af/0x23a0 arch/x86/kernel/unwind_orc.c:665
arch_stack_walk+0x100/0x170 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x95/0xd0 kernel/stacktrace.c:122
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
__kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2252 [inline]
slab_free mm/slub.c:4473 [inline]
kmem_cache_free+0x12f/0x3a0 mm/slub.c:4548
anon_vma_chain_free mm/rmap.c:147 [inline]
unlink_anon_vmas+0x173/0x820 mm/rmap.c:421
free_pgtables+0x33c/0x950 mm/memory.c:409
exit_mmap+0x3c9/0xb20 mm/mmap.c:3393
__mmput+0x12a/0x480 kernel/fork.c:1345
mmput+0x62/0x70 kernel/fork.c:1367
exit_mm kernel/exit.c:571 [inline]
do_exit+0x9bf/0x2bb0 kernel/exit.c:869
do_group_exit+0xd3/0x2a0 kernel/exit.c:1031
get_signal+0x25fd/0x2770 kernel/signal.c:2917
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0dd5175b59
Code: Unable to access opcode bytes at 0x7f0dd5175b2f.
RSP: 002b:00007f0dd5f6a0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f0dd5305f68 RCX: 00007f0dd5175b59
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f0dd5305f68
RBP: 00007f0dd5305f60 R08: 00007f0dd5f6a6c0 R09: 00007f0dd5f6a6c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0dd5305f6c
R13: 000000000000000b R14: 00007ffd8748bdc0 R15: 00007ffd8748bea8
</TASK>
The buggy address belongs to stack of task syz.0.36/5802
and is located at offset 24 in frame:
exit_mmap+0x0/0xb20 mm/mmap.c:3202
This frame has 2 objects:
[32, 96) 'vmi'
[128, 256) 'tlb'
The buggy address belongs to the virtual mapping at
[ffffc90003318000, ffffc90003321000) created by:
kernel_clone+0xfd/0x980 kernel/fork.c:2781
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888029ce3690 pfn:0x29ce3
memcg:ffff88801dd09c02
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff888029ce3690 0000000000000000 00000001ffffffff ffff88801dd09c02
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 5781, tgid 5781 (syz.0.26), ts 125931643135, free_ts 125907940889
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1493
prep_new_page mm/page_alloc.c:1501 [inline]
get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3438
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4696
alloc_pages_mpol_noprof+0x275/0x610 mm/mempolicy.c:2263
vm_area_alloc_pages mm/vmalloc.c:3584 [inline]
__vmalloc_area_node mm/vmalloc.c:3660 [inline]
__vmalloc_node_range_noprof+0xa6a/0x1520 mm/vmalloc.c:3841
alloc_thread_stack_node kernel/fork.c:313 [inline]
dup_task_struct kernel/fork.c:1113 [inline]
copy_process+0x2f3b/0x8de0 kernel/fork.c:2204
kernel_clone+0xfd/0x980 kernel/fork.c:2781
__do_sys_clone3+0x1f5/0x270 kernel/fork.c:3085
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5780 tgid 5779 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1094 [inline]
free_unref_page+0x64a/0xe40 mm/page_alloc.c:2608
__folio_put+0x31c/0x3e0 mm/swap.c:128
folio_put include/linux/mm.h:1479 [inline]
free_page_and_swap_cache+0x249/0x2c0 mm/swap_state.c:308
__tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline]
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:282
rcu_do_batch kernel/rcu/tree.c:2569 [inline]
rcu_core+0x828/0x16b0 kernel/rcu/tree.c:2843
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
Memory state around the buggy address:
ffffc9000331f900: 00 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 00
ffffc9000331f980: 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00
>ffffc9000331fa00: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00
^
ffffc9000331fa80: 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00
ffffc9000331fb00: 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: be b0 01 00 00 mov $0x1b0,%esi
5: e8 a0 ff ff ff call 0xffffffaa
a: 31 c0 xor %eax,%eax
c: c3 ret
d: cc int3
e: cc int3
f: cc int3
10: cc int3
11: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
18: 00 00
1a: 90 nop
1b: 90 nop
1c: 90 nop
1d: 90 nop
1e: 90 nop
1f: 90 nop
20: 90 nop
21: 90 nop
22: 90 nop
23: 90 nop
24: 90 nop
25: 90 nop
26: 90 nop
27: 90 nop
28: 90 nop
29: 90 nop
* 2a: f3 0f 1e fa endbr64 <-- trapping instruction
2e: 65 48 8b 15 94 54 79 mov %gs:0x7e795494(%rip),%rdx # 0x7e7954ca
35: 7e
36: 65 8b 05 95 54 79 7e mov %gs:0x7e795495(%rip),%eax # 0x7e7954d2
3d: a9 .byte 0xa9
3e: 00 01 add %al,(%rcx)
Tested on:
commit: 786c8248 Merge tag 'perf-tools-fixes-for-v6.11-2024-07..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12e39145980000
kernel config: https://syzkaller.appspot.com/x/.config?x=47beaba1a1054668
dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=138553b5980000
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [bpf?] [net?] general protection fault in __dev_flush
[not found] <20240724114325.8995-1-aha310510@gmail.com>
@ 2024-07-24 12:20 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-07-24 12:20 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: stack-out-of-bounds Read in xdp_do_check_flushed
==================================================================
BUG: KASAN: stack-out-of-bounds in bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]
BUG: KASAN: stack-out-of-bounds in xdp_do_check_flushed+0x41c/0x4e0 net/core/filter.c:4298
Read of size 4 at addr ffffc900032bfa50 by task syz.0.42/5811
CPU: 0 UID: 0 PID: 5811 Comm: syz.0.42 Not tainted 6.10.0-syzkaller-12246-g786c8248dbd3-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
bpf_net_ctx_get_all_used_flush_lists include/linux/filter.h:837 [inline]
xdp_do_check_flushed+0x41c/0x4e0 net/core/filter.c:4298
__napi_poll.constprop.0+0xd1/0x550 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6962
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:const_folio_flags.constprop.0+0x56/0x150 include/linux/page-flags.h:310
Code: 8b 6b 08 31 ff 83 e5 01 48 89 ee e8 84 cc ab ff 48 85 ed 0f 85 d4 00 00 00 e8 46 d1 ab ff 66 90 e8 3f d1 ab ff e8 3a d1 ab ff <48> 89 d8 5b 5d 41 5c c3 cc cc cc cc e8 29 d1 ab ff 48 89 dd 31 ff
RSP: 0018:ffffc900032bf6d0 EFLAGS: 00000293
RAX: 0000000000000000 RBX: ffffea00010118c0 RCX: ffffffff81deb54c
RDX: ffff8880274e8000 RSI: ffffffff81deb566 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000127
R13: ffff88802305c948 R14: ffffea00010118c0 R15: 0000000000000000
folio_test_swapbacked include/linux/page-flags.h:534 [inline]
folio_test_swapcache include/linux/page-flags.h:576 [inline]
free_swap_cache mm/swap_state.c:291 [inline]
free_pages_and_swap_cache+0x24e/0x510 mm/swap_state.c:325
__tlb_batch_free_encoded_pages+0xf9/0x290 mm/mmu_gather.c:136
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
tlb_flush_mmu mm/mmu_gather.c:373 [inline]
tlb_finish_mmu+0x168/0x7b0 mm/mmu_gather.c:465
exit_mmap+0x3d1/0xb20 mm/mmap.c:3395
__mmput+0x12a/0x480 kernel/fork.c:1345
mmput+0x62/0x70 kernel/fork.c:1367
exit_mm kernel/exit.c:571 [inline]
do_exit+0x9bf/0x2bb0 kernel/exit.c:869
do_group_exit+0xd3/0x2a0 kernel/exit.c:1031
get_signal+0x25fd/0x2770 kernel/signal.c:2917
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6f7c575b59
Code: Unable to access opcode bytes at 0x7f6f7c575b2f.
RSP: 002b:00007f6f7d27b0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f6f7c705f68 RCX: 00007f6f7c575b59
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f6f7c705f68
RBP: 00007f6f7c705f60 R08: 00007f6f7d27b6c0 R09: 00007f6f7d27b6c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6f7c705f6c
R13: 000000000000000b R14: 00007ffd97f8d280 R15: 00007ffd97f8d368
</TASK>
The buggy address belongs to stack of task syz.0.42/5811
and is located at offset 24 in frame:
exit_mmap+0x0/0xb20 mm/mmap.c:3202
This frame has 2 objects:
[32, 96) 'vmi'
[128, 256) 'tlb'
The buggy address belongs to the virtual mapping at
[ffffc900032b8000, ffffc900032c1000) created by:
kernel_clone+0xfd/0x980 kernel/fork.c:2781
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802b3e0000 pfn:0x2b3e0
memcg:ffff8880206d0182
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88802b3e0000 0000000000000000 00000001ffffffff ffff8880206d0182
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 5653, tgid 5653 (syz-executor), ts 116595661744, free_ts 116458660012
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1493
prep_new_page mm/page_alloc.c:1501 [inline]
get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3438
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4696
alloc_pages_mpol_noprof+0x275/0x610 mm/mempolicy.c:2263
vm_area_alloc_pages mm/vmalloc.c:3584 [inline]
__vmalloc_area_node mm/vmalloc.c:3660 [inline]
__vmalloc_node_range_noprof+0xa6a/0x1520 mm/vmalloc.c:3841
alloc_thread_stack_node kernel/fork.c:313 [inline]
dup_task_struct kernel/fork.c:1113 [inline]
copy_process+0x2f3b/0x8de0 kernel/fork.c:2204
kernel_clone+0xfd/0x980 kernel/fork.c:2781
__do_sys_clone+0xba/0x100 kernel/fork.c:2924
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5653 tgid 5653 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1094 [inline]
free_unref_page+0x64a/0xe40 mm/page_alloc.c:2608
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3988 [inline]
slab_alloc_node mm/slub.c:4037 [inline]
__kmalloc_cache_node_noprof+0x173/0x350 mm/slub.c:4197
kmalloc_node_noprof include/linux/slab.h:704 [inline]
__get_vm_area_node+0xe1/0x2d0 mm/vmalloc.c:3109
__vmalloc_node_range_noprof+0x276/0x1520 mm/vmalloc.c:3801
__vmalloc_node_noprof mm/vmalloc.c:3906 [inline]
vzalloc_noprof+0x6b/0x90 mm/vmalloc.c:3979
alloc_counters net/ipv4/netfilter/ip_tables.c:799 [inline]
copy_entries_to_user net/ipv4/netfilter/ip_tables.c:821 [inline]
get_entries net/ipv4/netfilter/ip_tables.c:1022 [inline]
do_ipt_get_ctl+0x6b8/0xaa0 net/ipv4/netfilter/ip_tables.c:1668
nf_getsockopt+0x79/0xe0 net/netfilter/nf_sockopt.c:116
ip_getsockopt+0x18e/0x1e0 net/ipv4/ip_sockglue.c:1777
tcp_getsockopt+0x9e/0x100 net/ipv4/tcp.c:4409
do_sock_getsockopt+0x2e5/0x760 net/socket.c:2386
__sys_getsockopt+0x1a1/0x270 net/socket.c:2415
__do_sys_getsockopt net/socket.c:2425 [inline]
__se_sys_getsockopt net/socket.c:2422 [inline]
__x64_sys_getsockopt+0xbd/0x160 net/socket.c:2422
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
Memory state around the buggy address:
ffffc900032bf900: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc900032bf980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900032bfa00: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00
^
ffffc900032bfa80: 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00
ffffc900032bfb00: 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 8b 6b 08 mov 0x8(%rbx),%ebp
3: 31 ff xor %edi,%edi
5: 83 e5 01 and $0x1,%ebp
8: 48 89 ee mov %rbp,%rsi
b: e8 84 cc ab ff call 0xffabcc94
10: 48 85 ed test %rbp,%rbp
13: 0f 85 d4 00 00 00 jne 0xed
19: e8 46 d1 ab ff call 0xffabd164
1e: 66 90 xchg %ax,%ax
20: e8 3f d1 ab ff call 0xffabd164
25: e8 3a d1 ab ff call 0xffabd164
* 2a: 48 89 d8 mov %rbx,%rax <-- trapping instruction
2d: 5b pop %rbx
2e: 5d pop %rbp
2f: 41 5c pop %r12
31: c3 ret
32: cc int3
33: cc int3
34: cc int3
35: cc int3
36: e8 29 d1 ab ff call 0xffabd164
3b: 48 89 dd mov %rbx,%rbp
3e: 31 ff xor %edi,%edi
Tested on:
commit: 786c8248 Merge tag 'perf-tools-fixes-for-v6.11-2024-07..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1293bca1980000
kernel config: https://syzkaller.appspot.com/x/.config?x=47beaba1a1054668
dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11c0adad980000
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [bpf?] [net?] general protection fault in __dev_flush
[not found] <20240724122756.9572-1-aha310510@gmail.com>
@ 2024-07-24 13:02 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-07-24 13:02 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+44623300f057a28baf1e@syzkaller.appspotmail.com
Tested-by: syzbot+44623300f057a28baf1e@syzkaller.appspotmail.com
Tested on:
commit: 786c8248 Merge tag 'perf-tools-fixes-for-v6.11-2024-07..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=167af1f1980000
kernel config: https://syzkaller.appspot.com/x/.config?x=47beaba1a1054668
dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=174a58e3980000
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [bpf?] [net?] general protection fault in __dev_flush
[not found] <20240724134011.10477-1-aha310510@gmail.com>
@ 2024-07-24 13:51 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-07-24 13:51 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
net/core/dev.c:5476:17: error: 'bpf_net_context' undeclared (first use in this function)
Tested on:
commit: 786c8248 Merge tag 'perf-tools-fixes-for-v6.11-2024-07..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=be4129de17851dbe
dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11ad573d980000
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [bpf?] [net?] general protection fault in __dev_flush
[not found] <20240724141325.10569-1-aha310510@gmail.com>
@ 2024-07-24 14:38 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-07-24 14:38 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+44623300f057a28baf1e@syzkaller.appspotmail.com
Tested-by: syzbot+44623300f057a28baf1e@syzkaller.appspotmail.com
Tested on:
commit: 786c8248 Merge tag 'perf-tools-fixes-for-v6.11-2024-07..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=146f5203980000
kernel config: https://syzkaller.appspot.com/x/.config?x=47beaba1a1054668
dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=122626e6980000
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [bpf?] [net?] general protection fault in __dev_flush
[not found] <20240725112730.15279-1-aha310510@gmail.com>
@ 2024-07-25 11:53 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-07-25 11:53 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+44623300f057a28baf1e@syzkaller.appspotmail.com
Tested-by: syzbot+44623300f057a28baf1e@syzkaller.appspotmail.com
Tested on:
commit: c33ffdb7 Merge tag 'phy-for-6.11' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13c4d29d980000
kernel config: https://syzkaller.appspot.com/x/.config?x=582add3de1ac8f6
dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12337145980000
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [syzbot] [bpf?] [net?] general protection fault in __dev_flush
[not found] <20240725112758.15367-1-aha310510@gmail.com>
@ 2024-07-25 12:18 ` syzbot
0 siblings, 0 replies; 11+ messages in thread
From: syzbot @ 2024-07-25 12:18 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+44623300f057a28baf1e@syzkaller.appspotmail.com
Tested-by: syzbot+44623300f057a28baf1e@syzkaller.appspotmail.com
Tested on:
commit: c33ffdb7 Merge tag 'phy-for-6.11' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=108cff95980000
kernel config: https://syzkaller.appspot.com/x/.config?x=582add3de1ac8f6
dashboard link: https://syzkaller.appspot.com/bug?extid=44623300f057a28baf1e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1462adad980000
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2024-07-25 12:18 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20240722114035.5337-1-aha310510@gmail.com>
2024-07-22 12:01 ` [syzbot] [bpf?] [net?] general protection fault in __dev_flush syzbot
[not found] <20240725112758.15367-1-aha310510@gmail.com>
2024-07-25 12:18 ` syzbot
[not found] <20240725112730.15279-1-aha310510@gmail.com>
2024-07-25 11:53 ` syzbot
[not found] <20240724141325.10569-1-aha310510@gmail.com>
2024-07-24 14:38 ` syzbot
[not found] <20240724134011.10477-1-aha310510@gmail.com>
2024-07-24 13:51 ` syzbot
[not found] <20240724122756.9572-1-aha310510@gmail.com>
2024-07-24 13:02 ` syzbot
[not found] <20240724114325.8995-1-aha310510@gmail.com>
2024-07-24 12:20 ` syzbot
[not found] <20240724093902.8331-1-aha310510@gmail.com>
2024-07-24 9:59 ` syzbot
[not found] <20240722103139.4718-1-aha310510@gmail.com>
2024-07-22 11:11 ` syzbot
[not found] <20240722103109.4668-1-aha310510@gmail.com>
2024-07-22 10:52 ` syzbot
2024-07-19 3:59 [syzbot] [net?] [bpf?] " syzbot
2024-07-22 2:59 ` [syzbot] [bpf?] [net?] " syzbot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox