[syzbot] [net?] BUG: unable to handle kernel paging request in nsim_queue_free

[syzbot] [net?] BUG: unable to handle kernel paging request in nsim_queue_free

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    e8d780dcd957 Merge tag 'slab-for-6.17' of git://git.kernel..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14382cf0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c99a414773e8e8dd
dashboard link: https://syzkaller.appspot.com/bug?extid=8aa80c6232008f7b957d
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-e8d780dc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9d67cb9a6476/vmlinux-e8d780dc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5b160fb5034b/bzImage-e8d780dc.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8aa80c6232008f7b957d@syzkaller.appspotmail.com

netdevsim netdevsim1 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim1 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim1 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
BUG: unable to handle page fault for address: ffff88809782c020
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 1b401067 P4D 1b401067 PUD 0 
Oops: Oops: 0002 [#1] SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 8476 Comm: syz.1.251 Not tainted 6.16.0-syzkaller-06699-ge8d780dcd957 #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:local_add arch/x86/include/asm/local.h:33 [inline]
RIP: 0010:u64_stats_add include/linux/u64_stats_sync.h:89 [inline]
RIP: 0010:dev_dstats_rx_dropped_add include/linux/netdevice.h:3027 [inline]
RIP: 0010:nsim_queue_free+0xba/0x120 drivers/net/netdevsim/netdev.c:714
Code: 07 77 6c 4a 8d 3c ed 20 7e f1 8d 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 46 4a 03 1c ed 20 7e f1 8d <4c> 01 63 20 be 00 02 00 00 48 8d 3d 00 00 00 00 e8 61 2f 58 fa 48
RSP: 0018:ffffc900044af150 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: ffff88809782c000 RCX: 00000000000079c3
RDX: 1ffffffff1be2fc7 RSI: ffffffff8c15f380 RDI: ffffffff8df17e38
RBP: ffff88805f59d000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000003 R14: ffff88806ceb3d00 R15: ffffed100dfd308e
FS:  0000000000000000(0000) GS:ffff88809782c000(0063) knlGS:00000000f505db40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: ffff88809782c020 CR3: 000000006fc6a000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 nsim_queue_uninit drivers/net/netdevsim/netdev.c:993 [inline]
 nsim_init_netdevsim drivers/net/netdevsim/netdev.c:1049 [inline]
 nsim_create+0xd0a/0x1260 drivers/net/netdevsim/netdev.c:1101
 __nsim_dev_port_add+0x435/0x7d0 drivers/net/netdevsim/dev.c:1438
 nsim_dev_port_add_all drivers/net/netdevsim/dev.c:1494 [inline]
 nsim_dev_reload_create drivers/net/netdevsim/dev.c:1546 [inline]
 nsim_dev_reload_up+0x5b8/0x860 drivers/net/netdevsim/dev.c:1003
 devlink_reload+0x322/0x7c0 net/devlink/dev.c:474
 devlink_nl_reload_doit+0xe31/0x1410 net/devlink/dev.c:584
 genl_family_rcv_msg_doit+0x206/0x2f0 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x155/0x420 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg net/socket.c:729 [inline]
 ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614
 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668
 __sys_sendmsg+0x16d/0x220 net/socket.c:2700
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0x7c/0x3a0 arch/x86/entry/syscall_32.c:306
 do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf708e579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f505d55c EFLAGS: 00000296 ORIG_RAX: 0000000000000172
RAX: ffffffffffffffda RBX: 0000000000000007 RCX: 0000000080000080
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
CR2: ffff88809782c020
---[ end trace 0000000000000000 ]---
RIP: 0010:local_add arch/x86/include/asm/local.h:33 [inline]
RIP: 0010:u64_stats_add include/linux/u64_stats_sync.h:89 [inline]
RIP: 0010:dev_dstats_rx_dropped_add include/linux/netdevice.h:3027 [inline]
RIP: 0010:nsim_queue_free+0xba/0x120 drivers/net/netdevsim/netdev.c:714
Code: 07 77 6c 4a 8d 3c ed 20 7e f1 8d 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 46 4a 03 1c ed 20 7e f1 8d <4c> 01 63 20 be 00 02 00 00 48 8d 3d 00 00 00 00 e8 61 2f 58 fa 48
RSP: 0018:ffffc900044af150 EFLAGS: 00010286
RAX: dffffc0000000000 RBX: ffff88809782c000 RCX: 00000000000079c3
RDX: 1ffffffff1be2fc7 RSI: ffffffff8c15f380 RDI: ffffffff8df17e38
RBP: ffff88805f59d000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000003 R14: ffff88806ceb3d00 R15: ffffed100dfd308e
FS:  0000000000000000(0000) GS:ffff88809782c000(0063) knlGS:00000000f505db40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: ffff88809782c020 CR3: 000000006fc6a000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	77 6c                	ja     0x6e
   2:	4a 8d 3c ed 20 7e f1 	lea    -0x720e81e0(,%r13,8),%rdi
   9:	8d
   a:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  11:	fc ff df
  14:	48 89 fa             	mov    %rdi,%rdx
  17:	48 c1 ea 03          	shr    $0x3,%rdx
  1b:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
  1f:	75 46                	jne    0x67
  21:	4a 03 1c ed 20 7e f1 	add    -0x720e81e0(,%r13,8),%rbx
  28:	8d
* 29:	4c 01 63 20          	add    %r12,0x20(%rbx) <-- trapping instruction
  2d:	be 00 02 00 00       	mov    $0x200,%esi
  32:	48 8d 3d 00 00 00 00 	lea    0x0(%rip),%rdi        # 0x39
  39:	e8 61 2f 58 fa       	call   0xfa582f9f
  3e:	48                   	rex.W


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [net?] BUG: unable to handle kernel paging request in nsim_queue_free

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    53e760d89498 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16c415a2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d67d3af29f50297e
dashboard link: https://syzkaller.appspot.com/bug?extid=8aa80c6232008f7b957d
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=151be9a2580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-53e760d8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7f26eabe958a/vmlinux-53e760d8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/60128fb74c23/bzImage-53e760d8.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8aa80c6232008f7b957d@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: ffff88808d211020
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 1a201067 P4D 1a201067 PUD 0 
Oops: Oops: 0002 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 6665 Comm: syz.1.416 Not tainted 6.17.0-rc1-syzkaller-00004-g53e760d89498 #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:local_add arch/x86/include/asm/local.h:33 [inline]
RIP: 0010:u64_stats_add include/linux/u64_stats_sync.h:89 [inline]
RIP: 0010:dev_dstats_rx_dropped_add include/linux/netdevice.h:3027 [inline]
RIP: 0010:nsim_queue_free+0xdc/0x150 drivers/net/netdevsim/netdev.c:714
Code: 10 1d be 8d 4c 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 80 3c 08 00 74 08 4c 89 ff e8 db 1a 0d fb 49 8b 07 48 8b 0c 24 <4a> 01 4c 28 20 4c 89 f7 be 00 02 00 00 e8 72 5a 6d fa 4c 89 e7 be
RSP: 0018:ffffc9000d7bede0 EFLAGS: 00010246
RAX: ffff88808d211000 RBX: ffff888044417000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000008
RBP: 0000000000000000 R08: ffffffff8e1e6327 R09: 1ffffffff1c3cc64
R10: dffffc0000000000 R11: fffffbfff1c3cc65 R12: ffff888044417218
R13: 0000000000000000 R14: ffffffff87178ba3 R15: ffffffff8dbe1d10
FS:  00007f7dce64a6c0(0000) GS:ffff88808d211000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88808d211020 CR3: 0000000059d35000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 nsim_queue_uninit drivers/net/netdevsim/netdev.c:993 [inline]
 nsim_init_netdevsim drivers/net/netdevsim/netdev.c:1049 [inline]
 nsim_create+0xbbf/0xf10 drivers/net/netdevsim/netdev.c:1101
 __nsim_dev_port_add+0x6b6/0xb10 drivers/net/netdevsim/dev.c:1438
 nsim_dev_port_add_all+0x37/0xf0 drivers/net/netdevsim/dev.c:1494
 nsim_dev_reload_create drivers/net/netdevsim/dev.c:1546 [inline]
 nsim_dev_reload_up+0x451/0x780 drivers/net/netdevsim/dev.c:1003
 devlink_reload+0x4e9/0x8d0 net/devlink/dev.c:474
 devlink_nl_reload_doit+0xb35/0xd50 net/devlink/dev.c:584
 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x82c/0x9e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:729
 ____sys_sendmsg+0x505/0x830 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7dcd78ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7dce64a038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f7dcd9b5fa0 RCX: 00007f7dcd78ebe9
RDX: 0000000000000000 RSI: 0000200000000080 RDI: 0000000000000003
RBP: 00007f7dcd811e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7dcd9b6038 R14: 00007f7dcd9b5fa0 R15: 00007ffc4b525678
 </TASK>
Modules linked in:
CR2: ffff88808d211020
---[ end trace 0000000000000000 ]---
RIP: 0010:local_add arch/x86/include/asm/local.h:33 [inline]
RIP: 0010:u64_stats_add include/linux/u64_stats_sync.h:89 [inline]
RIP: 0010:dev_dstats_rx_dropped_add include/linux/netdevice.h:3027 [inline]
RIP: 0010:nsim_queue_free+0xdc/0x150 drivers/net/netdevsim/netdev.c:714
Code: 10 1d be 8d 4c 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 80 3c 08 00 74 08 4c 89 ff e8 db 1a 0d fb 49 8b 07 48 8b 0c 24 <4a> 01 4c 28 20 4c 89 f7 be 00 02 00 00 e8 72 5a 6d fa 4c 89 e7 be
RSP: 0018:ffffc9000d7bede0 EFLAGS: 00010246
RAX: ffff88808d211000 RBX: ffff888044417000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000008
RBP: 0000000000000000 R08: ffffffff8e1e6327 R09: 1ffffffff1c3cc64
R10: dffffc0000000000 R11: fffffbfff1c3cc65 R12: ffff888044417218
R13: 0000000000000000 R14: ffffffff87178ba3 R15: ffffffff8dbe1d10
FS:  00007f7dce64a6c0(0000) GS:ffff88808d211000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88808d211020 CR3: 0000000059d35000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
   0:	10 1d be 8d 4c 89    	adc    %bl,-0x76b37242(%rip)        # 0x894c8dc4
   6:	f8                   	clc
   7:	48 c1 e8 03          	shr    $0x3,%rax
   b:	48 b9 00 00 00 00 00 	movabs $0xdffffc0000000000,%rcx
  12:	fc ff df
  15:	80 3c 08 00          	cmpb   $0x0,(%rax,%rcx,1)
  19:	74 08                	je     0x23
  1b:	4c 89 ff             	mov    %r15,%rdi
  1e:	e8 db 1a 0d fb       	call   0xfb0d1afe
  23:	49 8b 07             	mov    (%r15),%rax
  26:	48 8b 0c 24          	mov    (%rsp),%rcx
* 2a:	4a 01 4c 28 20       	add    %rcx,0x20(%rax,%r13,1) <-- trapping instruction
  2f:	4c 89 f7             	mov    %r14,%rdi
  32:	be 00 02 00 00       	mov    $0x200,%esi
  37:	e8 72 5a 6d fa       	call   0xfa6d5aae
  3c:	4c 89 e7             	mov    %r12,%rdi
  3f:	be                   	.byte 0xbe


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Re: [syzbot] [net?] BUG: unable to handle kernel paging request in nsim_queue_free

[Hillf Danton]

> Date: Tue, 12 Aug 2025 02:58:28 -0700	[thread overview]
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    53e760d89498 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16c415a2580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d67d3af29f50297e
> dashboard link: https://syzkaller.appspot.com/bug?extid=8aa80c6232008f7b957d
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=151be9a2580000

#syz test

--- x/drivers/net/netdevsim/netdev.c
+++ y/drivers/net/netdevsim/netdev.c
@@ -981,6 +981,7 @@ err_free_prev:
 	while (i--)
 		kfree(ns->rq[i]);
 	kfree(ns->rq);
+	ns->rq = NULL;
 	return -ENOMEM;
 }
 
@@ -989,6 +990,8 @@ static void nsim_queue_uninit(struct net
 	struct net_device *dev = ns->netdev;
 	int i;
 
+	if (!ns->rq)
+		return;
 	for (i = 0; i < dev->num_rx_queues; i++)
 		nsim_queue_free(dev, ns->rq[i]);
 
--

Re: [syzbot] [net?] BUG: unable to handle kernel paging request in nsim_queue_free

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in nsim_queue_free

BUG: unable to handle page fault for address: ffff88808d211020
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 1a201067 P4D 1a201067 PUD 0 
Oops: Oops: 0002 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 6909 Comm: syz.5.346 Not tainted 6.17.0-rc1-syzkaller-00004-g53e760d89498-dirty #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:local_add arch/x86/include/asm/local.h:33 [inline]
RIP: 0010:u64_stats_add include/linux/u64_stats_sync.h:89 [inline]
RIP: 0010:dev_dstats_rx_dropped_add include/linux/netdevice.h:3027 [inline]
RIP: 0010:nsim_queue_free+0xdc/0x150 drivers/net/netdevsim/netdev.c:714
Code: 10 1d be 8d 4c 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 80 3c 08 00 74 08 4c 89 ff e8 9b 1a 0d fb 49 8b 07 48 8b 0c 24 <4a> 01 4c 28 20 4c 89 f7 be 00 02 00 00 e8 32 5a 6d fa 4c 89 e7 be
RSP: 0018:ffffc9000df2ede0 EFLAGS: 00010246
RAX: ffff88808d211000 RBX: ffff888033a85800 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000008
RBP: 0000000000000000 R08: ffffffff8e1e6327 R09: 1ffffffff1c3cc64
R10: dffffc0000000000 R11: fffffbfff1c3cc65 R12: ffff888033a85a18
R13: 0000000000000000 R14: ffffffff87178be3 R15: ffffffff8dbe1d10
FS:  00007fd976a5a6c0(0000) GS:ffff88808d211000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88808d211020 CR3: 000000003f37a000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 nsim_queue_uninit drivers/net/netdevsim/netdev.c:996 [inline]
 nsim_init_netdevsim drivers/net/netdevsim/netdev.c:1052 [inline]
 nsim_create+0xbee/0xf20 drivers/net/netdevsim/netdev.c:1104
 __nsim_dev_port_add+0x6b6/0xb10 drivers/net/netdevsim/dev.c:1438
 nsim_dev_port_add_all+0x37/0xf0 drivers/net/netdevsim/dev.c:1494
 nsim_dev_reload_create drivers/net/netdevsim/dev.c:1546 [inline]
 nsim_dev_reload_up+0x451/0x780 drivers/net/netdevsim/dev.c:1003
 devlink_reload+0x4e9/0x8d0 net/devlink/dev.c:474
 devlink_nl_reload_doit+0xb35/0xd50 net/devlink/dev.c:584
 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x82c/0x9e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:729
 ____sys_sendmsg+0x505/0x830 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd975b8ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd976a5a038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fd975db5fa0 RCX: 00007fd975b8ebe9
RDX: 0000000000000000 RSI: 0000200000000080 RDI: 0000000000000003
RBP: 00007fd975c11e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fd975db6038 R14: 00007fd975db5fa0 R15: 00007ffea085f7f8
 </TASK>
Modules linked in:
CR2: ffff88808d211020
---[ end trace 0000000000000000 ]---
RIP: 0010:local_add arch/x86/include/asm/local.h:33 [inline]
RIP: 0010:u64_stats_add include/linux/u64_stats_sync.h:89 [inline]
RIP: 0010:dev_dstats_rx_dropped_add include/linux/netdevice.h:3027 [inline]
RIP: 0010:nsim_queue_free+0xdc/0x150 drivers/net/netdevsim/netdev.c:714
Code: 10 1d be 8d 4c 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 80 3c 08 00 74 08 4c 89 ff e8 9b 1a 0d fb 49 8b 07 48 8b 0c 24 <4a> 01 4c 28 20 4c 89 f7 be 00 02 00 00 e8 32 5a 6d fa 4c 89 e7 be
RSP: 0018:ffffc9000df2ede0 EFLAGS: 00010246
RAX: ffff88808d211000 RBX: ffff888033a85800 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000008
RBP: 0000000000000000 R08: ffffffff8e1e6327 R09: 1ffffffff1c3cc64
R10: dffffc0000000000 R11: fffffbfff1c3cc65 R12: ffff888033a85a18
R13: 0000000000000000 R14: ffffffff87178be3 R15: ffffffff8dbe1d10
FS:  00007fd976a5a6c0(0000) GS:ffff88808d211000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88808d211020 CR3: 000000003f37a000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
   0:	10 1d be 8d 4c 89    	adc    %bl,-0x76b37242(%rip)        # 0x894c8dc4
   6:	f8                   	clc
   7:	48 c1 e8 03          	shr    $0x3,%rax
   b:	48 b9 00 00 00 00 00 	movabs $0xdffffc0000000000,%rcx
  12:	fc ff df
  15:	80 3c 08 00          	cmpb   $0x0,(%rax,%rcx,1)
  19:	74 08                	je     0x23
  1b:	4c 89 ff             	mov    %r15,%rdi
  1e:	e8 9b 1a 0d fb       	call   0xfb0d1abe
  23:	49 8b 07             	mov    (%r15),%rax
  26:	48 8b 0c 24          	mov    (%rsp),%rcx
* 2a:	4a 01 4c 28 20       	add    %rcx,0x20(%rax,%r13,1) <-- trapping instruction
  2f:	4c 89 f7             	mov    %r14,%rdi
  32:	be 00 02 00 00       	mov    $0x200,%esi
  37:	e8 32 5a 6d fa       	call   0xfa6d5a6e
  3c:	4c 89 e7             	mov    %r12,%rdi
  3f:	be                   	.byte 0xbe


Tested on:

commit:         53e760d8 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=109135a2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d67d3af29f50297e
dashboard link: https://syzkaller.appspot.com/bug?extid=8aa80c6232008f7b957d
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11104c34580000

Re: [syzbot] [net?] BUG: unable to handle kernel paging request in nsim_queue_free

[Hillf Danton]

> Date: Tue, 12 Aug 2025 02:58:28 -0700	[thread overview]
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    53e760d89498 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16c415a2580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d67d3af29f50297e
> dashboard link: https://syzkaller.appspot.com/bug?extid=8aa80c6232008f7b957d
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=151be9a2580000

#syz test

--- x/drivers/net/netdevsim/netdev.c
+++ y/drivers/net/netdevsim/netdev.c
@@ -709,10 +709,14 @@ static struct nsim_rq *nsim_queue_alloc(
 
 static void nsim_queue_free(struct net_device *dev, struct nsim_rq *rq)
 {
+	struct netdevsim *ns = netdev_priv(dev);
+
 	hrtimer_cancel(&rq->napi_timer);
-	local_bh_disable();
-	dev_dstats_rx_dropped_add(dev, rq->skb_queue.qlen);
-	local_bh_enable();
+	if (ns->registed) {
+		local_bh_disable();
+		dev_dstats_rx_dropped_add(dev, rq->skb_queue.qlen);
+		local_bh_enable();
+	}
 	skb_queue_purge_reason(&rq->skb_queue, SKB_DROP_REASON_QUEUE_PURGE);
 	kfree(rq);
 }
@@ -981,6 +985,7 @@ err_free_prev:
 	while (i--)
 		kfree(ns->rq[i]);
 	kfree(ns->rq);
+	ns->rq = NULL;
 	return -ENOMEM;
 }
 
@@ -989,6 +994,8 @@ static void nsim_queue_uninit(struct net
 	struct net_device *dev = ns->netdev;
 	int i;
 
+	if (!ns->rq)
+		return;
 	for (i = 0; i < dev->num_rx_queues; i++)
 		nsim_queue_free(dev, ns->rq[i]);
 
@@ -1001,6 +1008,7 @@ static int nsim_init_netdevsim(struct ne
 	struct mock_phc *phc;
 	int err;
 
+	ns->registed = 0;
 	phc = mock_phc_create(&ns->nsim_bus_dev->dev);
 	if (IS_ERR(phc))
 		return PTR_ERR(phc);
@@ -1038,6 +1046,7 @@ static int nsim_init_netdevsim(struct ne
 							&ns->nn))
 			ns->nb.notifier_call = NULL;
 	}
+	ns->registed = 1;
 
 	return 0;
 
--- x/drivers/net/netdevsim/netdevsim.h
+++ y/drivers/net/netdevsim/netdevsim.h
@@ -106,6 +106,7 @@ struct netdevsim {
 	struct mock_phc *phc;
 	struct nsim_rq **rq;
 
+	int registed;
 	int rq_reset_mode;
 
 	struct nsim_bus_dev *nsim_bus_dev;
--

Re: [syzbot] [net?] BUG: unable to handle kernel paging request in nsim_queue_free

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in udp_tunnel_nic_device_sync_work

netdevsim netdevsim1 eth3: set [1, 0] type 2 family 0 port 6081 - 0
==================================================================
BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:577 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0x147/0x1360 kernel/locking/mutex.c:760
Read of size 8 at addr ffff88803f2c5eb0 by task kworker/u4:10/3078

CPU: 0 UID: 0 PID: 3078 Comm: kworker/u4:10 Not tainted 6.17.0-rc1-syzkaller-00004-g53e760d89498-dirty #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: udp_tunnel_nic udp_tunnel_nic_device_sync_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 __mutex_lock_common kernel/locking/mutex.c:577 [inline]
 __mutex_lock+0x147/0x1360 kernel/locking/mutex.c:760
 udp_tunnel_nic_device_sync_work+0x39/0xa50 net/ipv4/udp_tunnel_nic.c:737
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x70e/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 7292:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4365 [inline]
 __kmalloc_noprof+0x27a/0x4f0 mm/slub.c:4377
 kmalloc_noprof include/linux/slab.h:909 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 udp_tunnel_nic_alloc net/ipv4/udp_tunnel_nic.c:756 [inline]
 udp_tunnel_nic_register net/ipv4/udp_tunnel_nic.c:833 [inline]
 udp_tunnel_nic_netdevice_event+0x854/0x19f0 net/ipv4/udp_tunnel_nic.c:931
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
 call_netdevice_notifiers net/core/dev.c:2281 [inline]
 register_netdevice+0x1608/0x1ae0 net/core/dev.c:11227
 nsim_init_netdevsim drivers/net/netdevsim/netdev.c:1038 [inline]
 nsim_create+0xb76/0xfc0 drivers/net/netdevsim/netdev.c:1110
 __nsim_dev_port_add+0x6b6/0xb10 drivers/net/netdevsim/dev.c:1438
 nsim_dev_port_add_all+0x37/0xf0 drivers/net/netdevsim/dev.c:1494
 nsim_dev_reload_create drivers/net/netdevsim/dev.c:1546 [inline]
 nsim_dev_reload_up+0x451/0x780 drivers/net/netdevsim/dev.c:1003
 devlink_reload+0x4ec/0x8d0 net/devlink/dev.c:474
 devlink_nl_reload_doit+0xb35/0xd50 net/devlink/dev.c:584
 genl_family_rcv_msg_doit+0x212/0x300 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:729
 ____sys_sendmsg+0x505/0x830 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 7304:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2417 [inline]
 slab_free mm/slub.c:4680 [inline]
 kfree+0x18e/0x440 mm/slub.c:4879
 udp_tunnel_nic_free net/ipv4/udp_tunnel_nic.c:785 [inline]
 udp_tunnel_nic_unregister net/ipv4/udp_tunnel_nic.c:910 [inline]
 udp_tunnel_nic_netdevice_event+0x1332/0x19f0 net/ipv4/udp_tunnel_nic.c:942
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
 call_netdevice_notifiers net/core/dev.c:2281 [inline]
 unregister_netdevice_many_notify+0x14d7/0x1ff0 net/core/dev.c:12148
 unregister_netdevice_many net/core/dev.c:12211 [inline]
 unregister_netdevice_queue+0x33c/0x380 net/core/dev.c:12055
 unregister_netdevice include/linux/netdevice.h:3382 [inline]
 nsim_destroy+0x1dd/0x6a0 drivers/net/netdevsim/netdev.c:1145
 __nsim_dev_port_del+0x14d/0x1b0 drivers/net/netdevsim/dev.c:1473
 nsim_dev_port_del_all drivers/net/netdevsim/dev.c:1485 [inline]
 nsim_dev_reload_destroy+0x288/0x490 drivers/net/netdevsim/dev.c:1707
 nsim_dev_reload_down+0x8a/0xc0 drivers/net/netdevsim/dev.c:983
 devlink_reload+0x1b6/0x8d0 net/devlink/dev.c:461
 devlink_nl_reload_doit+0xb35/0xd50 net/devlink/dev.c:584
 genl_family_rcv_msg_doit+0x212/0x300 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:729
 ____sys_sendmsg+0x505/0x830 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Last potentially related work creation:
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
 insert_work+0x3d/0x330 kernel/workqueue.c:2184
 __queue_work+0xbaf/0xfb0 kernel/workqueue.c:2343
 queue_work_on+0x181/0x270 kernel/workqueue.c:2390
 queue_work include/linux/workqueue.h:669 [inline]
 udp_tunnel_nic_device_sync net/ipv4/udp_tunnel_nic.c:307 [inline]
 __udp_tunnel_nic_add_port+0xb71/0xd60 net/ipv4/udp_tunnel_nic.c:523
 udp_tunnel_nic_add_port include/net/udp_tunnel.h:371 [inline]
 udp_tunnel_push_rx_port+0x17d/0x200 net/ipv4/udp_tunnel_core.c:111
 geneve_offload_rx_ports+0xd7/0x160 drivers/net/geneve.c:1188
 geneve_netdevice_event+0x6a/0x80 drivers/net/geneve.c:-1
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
 call_netdevice_notifiers+0x88/0xc0 net/core/dev.c:2281
 udp_tunnel_get_rx_info include/net/udp_tunnel.h:438 [inline]
 udp_tunnel_nic_register net/ipv4/udp_tunnel_nic.c:855 [inline]
 udp_tunnel_nic_netdevice_event+0x134d/0x19f0 net/ipv4/udp_tunnel_nic.c:931
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
 call_netdevice_notifiers net/core/dev.c:2281 [inline]
 register_netdevice+0x1608/0x1ae0 net/core/dev.c:11227
 nsim_init_netdevsim drivers/net/netdevsim/netdev.c:1038 [inline]
 nsim_create+0xb76/0xfc0 drivers/net/netdevsim/netdev.c:1110
 __nsim_dev_port_add+0x6b6/0xb10 drivers/net/netdevsim/dev.c:1438
 nsim_dev_port_add_all+0x37/0xf0 drivers/net/netdevsim/dev.c:1494
 nsim_dev_reload_create drivers/net/netdevsim/dev.c:1546 [inline]
 nsim_dev_reload_up+0x451/0x780 drivers/net/netdevsim/dev.c:1003
 devlink_reload+0x4ec/0x8d0 net/devlink/dev.c:474
 devlink_nl_reload_doit+0xb35/0xd50 net/devlink/dev.c:584
 genl_family_rcv_msg_doit+0x212/0x300 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:729
 ____sys_sendmsg+0x505/0x830 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Second to last potentially related work creation:
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
 insert_work+0x3d/0x330 kernel/workqueue.c:2184
 __queue_work+0xcd2/0xfb0 kernel/workqueue.c:2339
 queue_work_on+0x181/0x270 kernel/workqueue.c:2390
 queue_work include/linux/workqueue.h:669 [inline]
 udp_tunnel_nic_device_sync net/ipv4/udp_tunnel_nic.c:307 [inline]
 __udp_tunnel_nic_add_port+0xb71/0xd60 net/ipv4/udp_tunnel_nic.c:523
 udp_tunnel_nic_add_port include/net/udp_tunnel.h:371 [inline]
 udp_tunnel_push_rx_port+0x17d/0x200 net/ipv4/udp_tunnel_core.c:111
 geneve_offload_rx_ports+0xd7/0x160 drivers/net/geneve.c:1188
 geneve_netdevice_event+0x6a/0x80 drivers/net/geneve.c:-1
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
 call_netdevice_notifiers+0x88/0xc0 net/core/dev.c:2281
 udp_tunnel_get_rx_info include/net/udp_tunnel.h:438 [inline]
 udp_tunnel_nic_register net/ipv4/udp_tunnel_nic.c:855 [inline]
 udp_tunnel_nic_netdevice_event+0x134d/0x19f0 net/ipv4/udp_tunnel_nic.c:931
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
 call_netdevice_notifiers net/core/dev.c:2281 [inline]
 register_netdevice+0x1608/0x1ae0 net/core/dev.c:11227
 nsim_init_netdevsim drivers/net/netdevsim/netdev.c:1038 [inline]
 nsim_create+0xb76/0xfc0 drivers/net/netdevsim/netdev.c:1110
 __nsim_dev_port_add+0x6b6/0xb10 drivers/net/netdevsim/dev.c:1438
 nsim_dev_port_add_all+0x37/0xf0 drivers/net/netdevsim/dev.c:1494
 nsim_dev_reload_create drivers/net/netdevsim/dev.c:1546 [inline]
 nsim_dev_reload_up+0x451/0x780 drivers/net/netdevsim/dev.c:1003
 devlink_reload+0x4ec/0x8d0 net/devlink/dev.c:474
 devlink_nl_reload_doit+0xb35/0xd50 net/devlink/dev.c:584
 genl_family_rcv_msg_doit+0x212/0x300 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:729
 ____sys_sendmsg+0x505/0x830 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88803f2c5e00
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 176 bytes inside of
 freed 256-byte region [ffff88803f2c5e00, ffff88803f2c5f00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3f2c5
ksm flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000000 ffff88801a441b40 ffffea00011756c0 dead000000000003
raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5917, tgid 5917 (syz-executor), ts 171623469790, free_ts 171406955544
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:2487 [inline]
 allocate_slab+0x8a/0x370 mm/slub.c:2655
 new_slab mm/slub.c:2709 [inline]
 ___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
 __slab_alloc mm/slub.c:3981 [inline]
 __slab_alloc_node mm/slub.c:4056 [inline]
 slab_alloc_node mm/slub.c:4217 [inline]
 __kmalloc_cache_noprof+0x296/0x3d0 mm/slub.c:4391
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 devl_region_create+0x14f/0x380 net/devlink/region.c:1058
 nsim_dev_dummy_region_init drivers/net/netdevsim/dev.c:581 [inline]
 nsim_drv_probe+0x614/0xba0 drivers/net/netdevsim/dev.c:1619
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26d/0x9e0 drivers/base/dd.c:659
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
 bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1031
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
page last free pid 15 tgid 15 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
 pagetable_free include/linux/mm.h:2898 [inline]
 pagetable_dtor_free include/linux/mm.h:2996 [inline]
 __tlb_remove_table+0x2d2/0x3b0 include/asm-generic/tlb.h:220
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x85/0x100 mm/mmu_gather.c:290
 rcu_do_batch kernel/rcu/tree.c:2605 [inline]
 rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861
 handle_softirqs+0x283/0x870 kernel/softirq.c:579
 run_ksoftirqd+0x9b/0x100 kernel/softirq.c:968
 smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:160
 kthread+0x70e/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff88803f2c5d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88803f2c5e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88803f2c5e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff88803f2c5f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88803f2c5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit:         53e760d8 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=103535a2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d67d3af29f50297e
dashboard link: https://syzkaller.appspot.com/bug?extid=8aa80c6232008f7b957d
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10ecc5a2580000

Re: [syzbot] [net?] BUG: unable to handle kernel paging request in nsim_queue_free

[Hillf Danton]

> Date: Tue, 12 Aug 2025 02:58:28 -0700	[thread overview]
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    53e760d89498 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16c415a2580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d67d3af29f50297e
> dashboard link: https://syzkaller.appspot.com/bug?extid=8aa80c6232008f7b957d
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=151be9a2580000

#syz test

--- x/drivers/net/netdevsim/netdev.c
+++ y/drivers/net/netdevsim/netdev.c
@@ -709,10 +709,14 @@ static struct nsim_rq *nsim_queue_alloc(
 
 static void nsim_queue_free(struct net_device *dev, struct nsim_rq *rq)
 {
+	struct netdevsim *ns = netdev_priv(dev);
+
 	hrtimer_cancel(&rq->napi_timer);
-	local_bh_disable();
-	dev_dstats_rx_dropped_add(dev, rq->skb_queue.qlen);
-	local_bh_enable();
+	if (ns->registed) {
+		local_bh_disable();
+		dev_dstats_rx_dropped_add(dev, rq->skb_queue.qlen);
+		local_bh_enable();
+	}
 	skb_queue_purge_reason(&rq->skb_queue, SKB_DROP_REASON_QUEUE_PURGE);
 	kfree(rq);
 }
@@ -981,6 +985,7 @@ err_free_prev:
 	while (i--)
 		kfree(ns->rq[i]);
 	kfree(ns->rq);
+	ns->rq = NULL;
 	return -ENOMEM;
 }
 
@@ -989,6 +994,8 @@ static void nsim_queue_uninit(struct net
 	struct net_device *dev = ns->netdev;
 	int i;
 
+	if (!ns->rq)
+		return;
 	for (i = 0; i < dev->num_rx_queues; i++)
 		nsim_queue_free(dev, ns->rq[i]);
 
@@ -1001,6 +1008,7 @@ static int nsim_init_netdevsim(struct ne
 	struct mock_phc *phc;
 	int err;
 
+	ns->registed = 0;
 	phc = mock_phc_create(&ns->nsim_bus_dev->dev);
 	if (IS_ERR(phc))
 		return PTR_ERR(phc);
@@ -1038,6 +1046,7 @@ static int nsim_init_netdevsim(struct ne
 							&ns->nn))
 			ns->nb.notifier_call = NULL;
 	}
+	ns->registed = 1;
 
 	return 0;
 
--- x/drivers/net/netdevsim/netdevsim.h
+++ y/drivers/net/netdevsim/netdevsim.h
@@ -106,6 +106,7 @@ struct netdevsim {
 	struct mock_phc *phc;
 	struct nsim_rq **rq;
 
+	int registed;
 	int rq_reset_mode;
 
 	struct nsim_bus_dev *nsim_bus_dev;
--- x/net/ipv4/udp_tunnel_nic.c
+++ y/net/ipv4/udp_tunnel_nic.c
@@ -733,7 +733,8 @@ static void udp_tunnel_nic_device_sync_w
 	struct udp_tunnel_nic *utn =
 		container_of(work, struct udp_tunnel_nic, work);
 
-	rtnl_lock();
+	if (!rtnl_trylock())
+		return;
 	mutex_lock(&utn->lock);
 
 	utn->work_pending = 0;
@@ -782,6 +783,8 @@ static void udp_tunnel_nic_free(struct u
 
 	for (i = 0; i < utn->n_tables; i++)
 		kfree(utn->entries[i]);
+	disable_work(&utn->work);
+	cancel_work_sync(&utn->work);
 	kfree(utn);
 }
 
--

Re: [syzbot] [net?] BUG: unable to handle kernel paging request in nsim_queue_free

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
unregister_netdevice: waiting for DEV to become free

unregister_netdevice: waiting for netdevsim3 to become free. Usage count = 2


Tested on:

commit:         53e760d8 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16a335a2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d67d3af29f50297e
dashboard link: https://syzkaller.appspot.com/bug?extid=8aa80c6232008f7b957d
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13164c34580000

Re: [syzbot] [net?] BUG: unable to handle kernel paging request in nsim_queue_free

[Breno Leitao]

On Tue, Aug 12, 2025 at 02:58:28AM -0700, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    53e760d89498 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16c415a2580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d67d3af29f50297e
> dashboard link: https://syzkaller.appspot.com/bug?extid=8aa80c6232008f7b957d
> compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=151be9a2580000
> 
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-53e760d8.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/7f26eabe958a/vmlinux-53e760d8.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/60128fb74c23/bzImage-53e760d8.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+8aa80c6232008f7b957d@syzkaller.appspotmail.com
> 
> BUG: unable to handle page fault for address: ffff88808d211020
> #PF: supervisor write access in kernel mode
> #PF: error_code(0x0002) - not-present page
> PGD 1a201067 P4D 1a201067 PUD 0 
> Oops: Oops: 0002 [#1] SMP KASAN NOPTI
> CPU: 0 UID: 0 PID: 6665 Comm: syz.1.416 Not tainted 6.17.0-rc1-syzkaller-00004-g53e760d89498 #0 PREEMPT(full) 
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> RIP: 0010:local_add arch/x86/include/asm/local.h:33 [inline]
> RIP: 0010:u64_stats_add include/linux/u64_stats_sync.h:89 [inline]
> RIP: 0010:dev_dstats_rx_dropped_add include/linux/netdevice.h:3027 [inline]
> RIP: 0010:nsim_queue_free+0xdc/0x150 drivers/net/netdevsim/netdev.c:714

This is being fixed in this thread:

https://lore.kernel.org/all/20250731184829.1433735-1-kuniyu@google.com/

Re: [syzbot] [net?] BUG: unable to handle kernel paging request in nsim_queue_free

[Hillf Danton]

On Tue, 12 Aug 2025 08:33:58 -0700 Breno Leitao wrote:
> On Tue, Aug 12, 2025 at 02:58:28AM -0700, syzbot wrote:
> > syzbot has found a reproducer for the following issue on:
> > 
> > HEAD commit:    53e760d89498 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16c415a2580000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=d67d3af29f50297e
> > dashboard link: https://syzkaller.appspot.com/bug?extid=8aa80c6232008f7b957d
> > compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=151be9a2580000
> > 
> > Downloadable assets:
> > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-53e760d8.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/7f26eabe958a/vmlinux-53e760d8.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/60128fb74c23/bzImage-53e760d8.xz
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+8aa80c6232008f7b957d@syzkaller.appspotmail.com
> > 
> > BUG: unable to handle page fault for address: ffff88808d211020
> > #PF: supervisor write access in kernel mode
> > #PF: error_code(0x0002) - not-present page
> > PGD 1a201067 P4D 1a201067 PUD 0 
> > Oops: Oops: 0002 [#1] SMP KASAN NOPTI
> > CPU: 0 UID: 0 PID: 6665 Comm: syz.1.416 Not tainted 6.17.0-rc1-syzkaller-00004-g53e760d89498 #0 PREEMPT(full) 
> > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> > RIP: 0010:local_add arch/x86/include/asm/local.h:33 [inline]
> > RIP: 0010:u64_stats_add include/linux/u64_stats_sync.h:89 [inline]
> > RIP: 0010:dev_dstats_rx_dropped_add include/linux/netdevice.h:3027 [inline]
> > RIP: 0010:nsim_queue_free+0xdc/0x150 drivers/net/netdevsim/netdev.c:714
> 
> This is being fixed in this thread:
> 
> https://lore.kernel.org/all/20250731184829.1433735-1-kuniyu@google.com/

#syz test

Fixes: 2a68a22304f9 ("netdevsim: account dropped packet length in stats on queue free")
Reported-by: syzbot+8aa80c6232008f7b957d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/688bb9ca.a00a0220.26d0e1.0050.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
 drivers/net/netdevsim/netdev.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/net/netdevsim/netdev.c b/drivers/net/netdevsim/netdev.c
index 39fe28af48b9..5cbc005136d8 100644
--- a/drivers/net/netdevsim/netdev.c
+++ b/drivers/net/netdevsim/netdev.c
@@ -710,9 +710,13 @@ static struct nsim_rq *nsim_queue_alloc(void)
 static void nsim_queue_free(struct net_device *dev, struct nsim_rq *rq)
 {
 	hrtimer_cancel(&rq->napi_timer);
-	local_bh_disable();
-	dev_dstats_rx_dropped_add(dev, rq->skb_queue.qlen);
-	local_bh_enable();
+
+	if (likely(dev->reg_state != NETREG_UNINITIALIZED)) {
+		local_bh_disable();
+		dev_dstats_rx_dropped_add(dev, rq->skb_queue.qlen);
+		local_bh_enable();
+	}
+
 	skb_queue_purge_reason(&rq->skb_queue, SKB_DROP_REASON_QUEUE_PURGE);
 	kfree(rq);
 }
-- 
2.50.1.565.gc32cd1483b-goog

Re: [syzbot] [net?] BUG: unable to handle kernel paging request in nsim_queue_free

[Hillf Danton]

> Date: Tue, 12 Aug 2025 02:58:28 -0700	[thread overview]
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    53e760d89498 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16c415a2580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d67d3af29f50297e
> dashboard link: https://syzkaller.appspot.com/bug?extid=8aa80c6232008f7b957d
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=151be9a2580000

#syz test

--- x/drivers/net/netdevsim/netdev.c
+++ y/drivers/net/netdevsim/netdev.c
@@ -709,10 +709,14 @@ static struct nsim_rq *nsim_queue_alloc(
 
 static void nsim_queue_free(struct net_device *dev, struct nsim_rq *rq)
 {
+	struct netdevsim *ns = netdev_priv(dev);
+
 	hrtimer_cancel(&rq->napi_timer);
-	local_bh_disable();
-	dev_dstats_rx_dropped_add(dev, rq->skb_queue.qlen);
-	local_bh_enable();
+	if (ns->registed) {
+		local_bh_disable();
+		dev_dstats_rx_dropped_add(dev, rq->skb_queue.qlen);
+		local_bh_enable();
+	}
 	skb_queue_purge_reason(&rq->skb_queue, SKB_DROP_REASON_QUEUE_PURGE);
 	kfree(rq);
 }
@@ -981,6 +985,7 @@ err_free_prev:
 	while (i--)
 		kfree(ns->rq[i]);
 	kfree(ns->rq);
+	ns->rq = NULL;
 	return -ENOMEM;
 }
 
@@ -989,6 +994,8 @@ static void nsim_queue_uninit(struct net
 	struct net_device *dev = ns->netdev;
 	int i;
 
+	if (!ns->rq)
+		return;
 	for (i = 0; i < dev->num_rx_queues; i++)
 		nsim_queue_free(dev, ns->rq[i]);
 
@@ -1001,6 +1008,7 @@ static int nsim_init_netdevsim(struct ne
 	struct mock_phc *phc;
 	int err;
 
+	ns->registed = 0;
 	phc = mock_phc_create(&ns->nsim_bus_dev->dev);
 	if (IS_ERR(phc))
 		return PTR_ERR(phc);
@@ -1038,6 +1046,7 @@ static int nsim_init_netdevsim(struct ne
 							&ns->nn))
 			ns->nb.notifier_call = NULL;
 	}
+	ns->registed = 1;
 
 	return 0;
 
--- x/drivers/net/netdevsim/netdevsim.h
+++ y/drivers/net/netdevsim/netdevsim.h
@@ -106,6 +106,7 @@ struct netdevsim {
 	struct mock_phc *phc;
 	struct nsim_rq **rq;
 
+	int registed;
 	int rq_reset_mode;
 
 	struct nsim_bus_dev *nsim_bus_dev;
--- x/net/ipv4/udp_tunnel_nic.c
+++ y/net/ipv4/udp_tunnel_nic.c
@@ -733,7 +733,8 @@ static void udp_tunnel_nic_device_sync_w
 	struct udp_tunnel_nic *utn =
 		container_of(work, struct udp_tunnel_nic, work);
 
-	rtnl_lock();
+	if (!rtnl_trylock())
+		return;
 	mutex_lock(&utn->lock);
 
 	utn->work_pending = 0;
@@ -782,6 +783,8 @@ static void udp_tunnel_nic_free(struct u
 
 	for (i = 0; i < utn->n_tables; i++)
 		kfree(utn->entries[i]);
+	disable_work(&utn->work);
+	cancel_work_sync(&utn->work);
 	kfree(utn);
 }
 
@@ -901,12 +904,6 @@ udp_tunnel_nic_unregister(struct net_dev
 	udp_tunnel_nic_flush(dev, utn);
 	udp_tunnel_nic_unlock(dev);
 
-	/* Wait for the work to be done using the state, netdev core will
-	 * retry unregister until we give up our reference on this device.
-	 */
-	if (utn->work_pending)
-		return;
-
 	udp_tunnel_nic_free(utn);
 release_dev:
 	dev->udp_tunnel_nic = NULL;
@@ -940,7 +937,7 @@ udp_tunnel_nic_netdevice_event(struct no
 
 	if (event == NETDEV_UNREGISTER) {
 		udp_tunnel_nic_unregister(dev, utn);
-		return NOTIFY_OK;
+		return NOTIFY_DONE;
 	}
 
 	/* All other events only matter if NIC has to be programmed open */
--

Re: [syzbot] [net?] BUG: unable to handle kernel paging request in nsim_queue_free

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in udp_tunnel_nic_device_sync_work

netdevsim netdevsim3 eth3: set [1, 0] type 2 family 0 port 6081 - 0
==================================================================
BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:577 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0x147/0x1360 kernel/locking/mutex.c:760
Read of size 8 at addr ffff8880434426b0 by task kworker/u4:10/1096

CPU: 0 UID: 0 PID: 1096 Comm: kworker/u4:10 Not tainted 6.17.0-rc1-syzkaller-00016-g8742b2d8935f-dirty #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: udp_tunnel_nic udp_tunnel_nic_device_sync_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 __mutex_lock_common kernel/locking/mutex.c:577 [inline]
 __mutex_lock+0x147/0x1360 kernel/locking/mutex.c:760
 udp_tunnel_nic_device_sync_work+0x39/0xa50 net/ipv4/udp_tunnel_nic.c:737
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x70e/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 6208:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4365 [inline]
 __kmalloc_noprof+0x27a/0x4f0 mm/slub.c:4377
 kmalloc_noprof include/linux/slab.h:909 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 udp_tunnel_nic_alloc net/ipv4/udp_tunnel_nic.c:756 [inline]
 udp_tunnel_nic_register net/ipv4/udp_tunnel_nic.c:833 [inline]
 udp_tunnel_nic_netdevice_event+0x854/0x19f0 net/ipv4/udp_tunnel_nic.c:931
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
 call_netdevice_notifiers net/core/dev.c:2281 [inline]
 register_netdevice+0x1608/0x1ae0 net/core/dev.c:11227
 nsim_init_netdevsim drivers/net/netdevsim/netdev.c:1034 [inline]
 nsim_create+0xae8/0xf10 drivers/net/netdevsim/netdev.c:1105
 __nsim_dev_port_add+0x6b6/0xb10 drivers/net/netdevsim/dev.c:1438
 nsim_dev_port_add_all+0x37/0xf0 drivers/net/netdevsim/dev.c:1494
 nsim_dev_reload_create drivers/net/netdevsim/dev.c:1546 [inline]
 nsim_dev_reload_up+0x451/0x780 drivers/net/netdevsim/dev.c:1003
 devlink_reload+0x4e9/0x8d0 net/devlink/dev.c:474
 devlink_nl_reload_doit+0xb35/0xd50 net/devlink/dev.c:584
 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x82c/0x9e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:729
 ____sys_sendmsg+0x505/0x830 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6227:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2417 [inline]
 slab_free mm/slub.c:4680 [inline]
 kfree+0x18e/0x440 mm/slub.c:4879
 udp_tunnel_nic_free net/ipv4/udp_tunnel_nic.c:785 [inline]
 udp_tunnel_nic_unregister net/ipv4/udp_tunnel_nic.c:910 [inline]
 udp_tunnel_nic_netdevice_event+0x1332/0x19f0 net/ipv4/udp_tunnel_nic.c:942
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
 call_netdevice_notifiers net/core/dev.c:2281 [inline]
 unregister_netdevice_many_notify+0x14d7/0x1ff0 net/core/dev.c:12148
 unregister_netdevice_many net/core/dev.c:12211 [inline]
 unregister_netdevice_queue+0x33c/0x380 net/core/dev.c:12055
 unregister_netdevice include/linux/netdevice.h:3382 [inline]
 nsim_destroy+0x1dd/0x670 drivers/net/netdevsim/netdev.c:1140
 __nsim_dev_port_del+0x14d/0x1b0 drivers/net/netdevsim/dev.c:1473
 nsim_dev_port_del_all drivers/net/netdevsim/dev.c:1485 [inline]
 nsim_dev_reload_destroy+0x288/0x490 drivers/net/netdevsim/dev.c:1707
 nsim_dev_reload_down+0x8a/0xc0 drivers/net/netdevsim/dev.c:983
 devlink_reload+0x1b3/0x8d0 net/devlink/dev.c:461
 devlink_nl_reload_doit+0xb35/0xd50 net/devlink/dev.c:584
 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x82c/0x9e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:729
 ____sys_sendmsg+0x505/0x830 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Last potentially related work creation:
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
 insert_work+0x3d/0x330 kernel/workqueue.c:2184
 __queue_work+0xbaf/0xfb0 kernel/workqueue.c:2343
 queue_work_on+0x181/0x270 kernel/workqueue.c:2390
 queue_work include/linux/workqueue.h:669 [inline]
 udp_tunnel_nic_device_sync net/ipv4/udp_tunnel_nic.c:307 [inline]
 __udp_tunnel_nic_add_port+0xb71/0xd60 net/ipv4/udp_tunnel_nic.c:523
 udp_tunnel_nic_add_port include/net/udp_tunnel.h:371 [inline]
 udp_tunnel_push_rx_port+0x180/0x200 net/ipv4/udp_tunnel_core.c:111
 geneve_offload_rx_ports+0xd7/0x160 drivers/net/geneve.c:1188
 geneve_netdevice_event+0x6a/0x80 drivers/net/geneve.c:-1
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
 call_netdevice_notifiers+0x88/0xc0 net/core/dev.c:2281
 udp_tunnel_get_rx_info include/net/udp_tunnel.h:438 [inline]
 udp_tunnel_nic_register net/ipv4/udp_tunnel_nic.c:855 [inline]
 udp_tunnel_nic_netdevice_event+0x134d/0x19f0 net/ipv4/udp_tunnel_nic.c:931
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
 call_netdevice_notifiers net/core/dev.c:2281 [inline]
 register_netdevice+0x1608/0x1ae0 net/core/dev.c:11227
 nsim_init_netdevsim drivers/net/netdevsim/netdev.c:1034 [inline]
 nsim_create+0xae8/0xf10 drivers/net/netdevsim/netdev.c:1105
 __nsim_dev_port_add+0x6b6/0xb10 drivers/net/netdevsim/dev.c:1438
 nsim_dev_port_add_all+0x37/0xf0 drivers/net/netdevsim/dev.c:1494
 nsim_dev_reload_create drivers/net/netdevsim/dev.c:1546 [inline]
 nsim_dev_reload_up+0x451/0x780 drivers/net/netdevsim/dev.c:1003
 devlink_reload+0x4e9/0x8d0 net/devlink/dev.c:474
 devlink_nl_reload_doit+0xb35/0xd50 net/devlink/dev.c:584
 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x82c/0x9e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:729
 ____sys_sendmsg+0x505/0x830 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Second to last potentially related work creation:
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
 insert_work+0x3d/0x330 kernel/workqueue.c:2184
 __queue_work+0xcd2/0xfb0 kernel/workqueue.c:2339
 queue_work_on+0x181/0x270 kernel/workqueue.c:2390
 queue_work include/linux/workqueue.h:669 [inline]
 udp_tunnel_nic_device_sync net/ipv4/udp_tunnel_nic.c:307 [inline]
 __udp_tunnel_nic_add_port+0xb71/0xd60 net/ipv4/udp_tunnel_nic.c:523
 udp_tunnel_nic_add_port include/net/udp_tunnel.h:371 [inline]
 udp_tunnel_push_rx_port+0x180/0x200 net/ipv4/udp_tunnel_core.c:111
 geneve_offload_rx_ports+0xd7/0x160 drivers/net/geneve.c:1188
 geneve_netdevice_event+0x6a/0x80 drivers/net/geneve.c:-1
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
 call_netdevice_notifiers+0x88/0xc0 net/core/dev.c:2281
 udp_tunnel_get_rx_info include/net/udp_tunnel.h:438 [inline]
 udp_tunnel_nic_register net/ipv4/udp_tunnel_nic.c:855 [inline]
 udp_tunnel_nic_netdevice_event+0x134d/0x19f0 net/ipv4/udp_tunnel_nic.c:931
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
 call_netdevice_notifiers net/core/dev.c:2281 [inline]
 register_netdevice+0x1608/0x1ae0 net/core/dev.c:11227
 nsim_init_netdevsim drivers/net/netdevsim/netdev.c:1034 [inline]
 nsim_create+0xae8/0xf10 drivers/net/netdevsim/netdev.c:1105
 __nsim_dev_port_add+0x6b6/0xb10 drivers/net/netdevsim/dev.c:1438
 nsim_dev_port_add_all+0x37/0xf0 drivers/net/netdevsim/dev.c:1494
 nsim_dev_reload_create drivers/net/netdevsim/dev.c:1546 [inline]
 nsim_dev_reload_up+0x451/0x780 drivers/net/netdevsim/dev.c:1003
 devlink_reload+0x4e9/0x8d0 net/devlink/dev.c:474
 devlink_nl_reload_doit+0xb35/0xd50 net/devlink/dev.c:584
 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x82c/0x9e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:729
 ____sys_sendmsg+0x505/0x830 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888043442600
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 176 bytes inside of
 freed 256-byte region [ffff888043442600, ffff888043442700)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43442
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000000 ffff88801a441b40 ffffea00010d2d40 dead000000000006
raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5772, tgid 5772 (syz-executor), ts 159705044362, free_ts 159704611959
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:2487 [inline]
 allocate_slab+0x8a/0x370 mm/slub.c:2655
 new_slab mm/slub.c:2709 [inline]
 ___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
 __slab_alloc mm/slub.c:3981 [inline]
 __slab_alloc_node mm/slub.c:4056 [inline]
 slab_alloc_node mm/slub.c:4217 [inline]
 __do_kmalloc_node mm/slub.c:4364 [inline]
 __kmalloc_noprof+0x305/0x4f0 mm/slub.c:4377
 kmalloc_noprof include/linux/slab.h:909 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 fib_create_info+0x1728/0x3210 net/ipv4/fib_semantics.c:1402
 fib_table_insert+0xc6/0x1b50 net/ipv4/fib_trie.c:1212
 fib_magic+0x2c4/0x390 net/ipv4/fib_frontend.c:1133
 fib_add_ifaddr+0x38d/0x5f0 net/ipv4/fib_frontend.c:1170
 fib_netdev_event+0x382/0x490 net/ipv4/fib_frontend.c:1515
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
 call_netdevice_notifiers net/core/dev.c:2281 [inline]
 __dev_notify_flags+0x18d/0x2e0 net/core/dev.c:-1
 netif_change_flags+0xe8/0x1a0 net/core/dev.c:9600
 do_setlink+0xc55/0x41c0 net/core/rtnetlink.c:3143
page last free pid 5772 tgid 5772 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
 pagetable_free include/linux/mm.h:2898 [inline]
 pagetable_dtor_free+0x2d2/0x3b0 include/linux/mm.h:2996
 mm_free_pgd kernel/fork.c:541 [inline]
 __mmdrop+0xb5/0x580 kernel/fork.c:683
 mmdrop include/linux/sched/mm.h:55 [inline]
 mmdrop_sched include/linux/sched/mm.h:83 [inline]
 mmdrop_lazy_tlb_sched include/linux/sched/mm.h:110 [inline]
 finish_task_switch+0x3ee/0x950 kernel/sched/core.c:5250
 context_switch kernel/sched/core.c:5360 [inline]
 __schedule+0x17a0/0x4cc0 kernel/sched/core.c:6961
 preempt_schedule_common+0x83/0xd0 kernel/sched/core.c:7145
 preempt_schedule+0xae/0xc0 kernel/sched/core.c:7169
 preempt_schedule_thunk+0x16/0x30 arch/x86/entry/thunk.S:12
 vprintk_emit+0x69a/0x7a0 kernel/printk/printk.c:2451
 _printk+0xcf/0x120 kernel/printk/printk.c:2475
 netdev_warn+0x10a/0x160 net/core/dev.c:12633
 hsr_dev_open+0x19d/0x260 net/hsr/hsr_device.c:159
 __dev_open+0x46d/0x880 net/core/dev.c:1682
 __dev_change_flags+0x1ea/0x6d0 net/core/dev.c:9532
 netif_change_flags+0x88/0x1a0 net/core/dev.c:9595
 do_setlink+0xc55/0x41c0 net/core/rtnetlink.c:3143

Memory state around the buggy address:
 ffff888043442580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888043442600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888043442680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff888043442700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888043442780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit:         8742b2d8 Merge tag 'pull-fixes' of git://git.kernel.or..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11ffc5a2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d67d3af29f50297e
dashboard link: https://syzkaller.appspot.com/bug?extid=8aa80c6232008f7b957d
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1185caf0580000

Re: [syzbot] [net?] BUG: unable to handle kernel paging request in nsim_queue_free

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+8aa80c6232008f7b957d@syzkaller.appspotmail.com
Tested-by: syzbot+8aa80c6232008f7b957d@syzkaller.appspotmail.com

Tested on:

commit:         8742b2d8 Merge tag 'pull-fixes' of git://git.kernel.or..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1235caf0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d67d3af29f50297e
dashboard link: https://syzkaller.appspot.com/bug?extid=8aa80c6232008f7b957d
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1083f5bc580000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [net?] BUG: unable to handle kernel paging request in nsim_queue_free

[Kuniyuki Iwashima]

On Tue, Aug 12, 2025 at 6:17 PM syzbot
<syzbot+8aa80c6232008f7b957d@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-use-after-free Read in udp_tunnel_nic_device_sync_work
>
> netdevsim netdevsim3 eth3: set [1, 0] type 2 family 0 port 6081 - 0
> ==================================================================
> BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:577 [inline]
> BUG: KASAN: slab-use-after-free in __mutex_lock+0x147/0x1360 kernel/locking/mutex.c:760
> Read of size 8 at addr ffff8880434426b0 by task kworker/u4:10/1096
>
> CPU: 0 UID: 0 PID: 1096 Comm: kworker/u4:10 Not tainted 6.17.0-rc1-syzkaller-00016-g8742b2d8935f-dirty #0 PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> Workqueue: udp_tunnel_nic udp_tunnel_nic_device_sync_work
> Call Trace:
>  <TASK>
>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
>  print_address_description mm/kasan/report.c:378 [inline]
>  print_report+0xca/0x240 mm/kasan/report.c:482
>  kasan_report+0x118/0x150 mm/kasan/report.c:595
>  __mutex_lock_common kernel/locking/mutex.c:577 [inline]
>  __mutex_lock+0x147/0x1360 kernel/locking/mutex.c:760
>  udp_tunnel_nic_device_sync_work+0x39/0xa50 net/ipv4/udp_tunnel_nic.c:737

This is apparently another issue that I hold in the syzbot queue.