Message-ID: <000000000000e28242061dd80dc5@google.com>
Date: Mon, 22 Jul 2024 08:54:03 -0700
From: syzbot <syzbot+61a1cfc2b6632363d319@...kaller.appspotmail.com>
To: aha310510@...il.com, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [bpf?] [net?] general protection fault in __xsk_map_flush
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in bpf_net_ctx_get_all_used_flush_lists
BUG: unable to handle page fault for address: ffffe630188daf02
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 1503a067 P4D 1503a067 PUD 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 7523 Comm: syz-executor288 Not tainted 6.10.0-syzkaller-11840-g933069701c1b-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:list_empty include/linux/list.h:373 [inline]
RIP: 0010:bpf_net_ctx_get_all_used_flush_lists+0x16b/0x390 include/linux/filter.h:846
Code: e6 08 31 ff e8 f6 c8 29 f8 4c 89 f8 48 83 e0 08 75 07 e8 08 c4 29 f8 eb 56 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 47 0f 91 f8 48 8b 03 48 39 d8 74 2a
RSP: 0000:ffffc90000007a28 EFLAGS: 00010a02
RAX: 1fffea30188daf02 RBX: ffff5180c46d7810 RCX: dffffc0000000000
RDX: 0000000080000100 RSI: 0000000000000008 RDI: 0000000000000000
RBP: ffffffff8ddf3a40 R08: ffffffff8969be0a R09: 1ffffffff1f5f50d
R10: dffffc0000000000 R11: fffffbfff1f5f50e R12: 1ffff92000000f5c
R13: ffffc9000b2d77c0 R14: ffffc90000007ae0 R15: 000000000165af0c
FS: 0000555589e57380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffe630188daf02 CR3: 000000007d0c8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
xdp_do_check_flushed+0x130/0x2f0 net/core/filter.c:4298
__napi_poll+0xe4/0x490 net/core/dev.c:6774
napi_poll net/core/dev.c:6840 [inline]
net_rx_action+0x89b/0x1240 net/core/dev.c:6962
handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
common_interrupt+0xaa/0xd0 arch/x86/kernel/irq.c:278
</IRQ>
<TASK>
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5763
Code: 2b 00 74 08 4c 89 f7 e8 ba 1f 8b 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25
RSP: 0000:ffffc9000b2d7620 EFLAGS: 00000206
RAX: 0000000000000001 RBX: 1ffff9200165aed0 RCX: 697b9cec6cfc8500
RDX: dffffc0000000000 RSI: ffffffff8bcae720 RDI: ffffffff8c20a480
RBP: ffffc9000b2d7778 R08: ffffffff930028af R09: 1ffffffff2600515
R10: dffffc0000000000 R11: fffffbfff2600516 R12: 1ffff9200165aecc
R13: dffffc0000000000 R14: ffffc9000b2d7680 R15: 0000000000000246
percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
__sb_start_write include/linux/fs.h:1675 [inline]
sb_start_write+0x4d/0x1c0 include/linux/fs.h:1811
mnt_want_write+0x3f/0x90 fs/namespace.c:515
do_unlinkat+0x1fe/0x830 fs/namei.c:4469
do_coredump+0x2247/0x2a30 fs/coredump.c:678
get_signal+0x13fa/0x1740 kernel/signal.c:2902
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
irqentry_exit_to_user_mode+0x79/0x280 kernel/entry/common.c:231
exc_page_fault+0x590/0x8c0 arch/x86/mm/fault.c:1542
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7fdae0dfb15e
Code: fd d7 c9 0f bc d1 c5 fe 7f 27 c5 fe 7f 6f 20 c5 fe 7f 77 40 c5 fe 7f 7f 60 49 83 c0 1f 49 29 d0 48 8d 7c 17 61 e9 d2 04 00 00 <c5> fe 6f 1e c5 fe 6f 56 20 c5 fd 74 cb c5 fd d7 d1 49 83 f8 21 0f
RSP: 002b:00007ffcbd96f8c8 EFLAGS: 00010287
RAX: 00007ffcbd96f8e0 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 00000000000003ff RSI: 0000000000000000 RDI: 00007ffcbd96f8e0
RBP: 00007ffcbd96f8e0 R08: 00000000000003ff R09: 00007ffcbd96fe28
R10: 00007ffcbd96fe28 R11: 0000000000000246 R12: 6666666666666667
R13: 0000000000000000 R14: 00007ffcbd96fd30 R15: 00007ffcbd96fd20
</TASK>
Modules linked in:
CR2: ffffe630188daf02
---[ end trace 0000000000000000 ]---
RIP: 0010:list_empty include/linux/list.h:373 [inline]
RIP: 0010:bpf_net_ctx_get_all_used_flush_lists+0x16b/0x390 include/linux/filter.h:846
Code: e6 08 31 ff e8 f6 c8 29 f8 4c 89 f8 48 83 e0 08 75 07 e8 08 c4 29 f8 eb 56 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 47 0f 91 f8 48 8b 03 48 39 d8 74 2a
RSP: 0000:ffffc90000007a28 EFLAGS: 00010a02
RAX: 1fffea30188daf02 RBX: ffff5180c46d7810 RCX: dffffc0000000000
RDX: 0000000080000100 RSI: 0000000000000008 RDI: 0000000000000000
RBP: ffffffff8ddf3a40 R08: ffffffff8969be0a R09: 1ffffffff1f5f50d
R10: dffffc0000000000 R11: fffffbfff1f5f50e R12: 1ffff92000000f5c
R13: ffffc9000b2d77c0 R14: ffffc90000007ae0 R15: 000000000165af0c
FS: 0000555589e57380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffe630188daf02 CR3: 000000007d0c8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: e6 08 out %al,$0x8
2: 31 ff xor %edi,%edi
4: e8 f6 c8 29 f8 call 0xf829c8ff
9: 4c 89 f8 mov %r15,%rax
c: 48 83 e0 08 and $0x8,%rax
10: 75 07 jne 0x19
12: e8 08 c4 29 f8 call 0xf829c41f
17: eb 56 jmp 0x6f
19: 48 89 d8 mov %rbx,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
27: fc ff df
* 2a: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 48 89 df mov %rbx,%rdi
33: e8 47 0f 91 f8 call 0xf8910f7f
38: 48 8b 03 mov (%rbx),%rax
3b: 48 39 d8 cmp %rbx,%rax
3e: 74 2a je 0x6a
Tested on:
commit: 93306970 Merge tag '6.11-rc-smb3-server-fixes' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=124846ad980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d04f9888ed34da73
dashboard link: https://syzkaller.appspot.com/bug?extid=61a1cfc2b6632363d319
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12158b79980000
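Decoding the register dump above, as an added check that is not part of syzbot's report: the trapping instruction `cmpb $0x0,(%rax,%rcx,1)` is the generic KASAN shadow-byte load, with RAX = RBX >> 3 (the preceding `mov %rbx,%rax; shr $0x3,%rax`) and RCX = 0xdffffc0000000000, the x86_64 KASAN_SHADOW_OFFSET. RBX is the list head that the inlined list_empty() is about to read (`mov (%rbx),%rax; cmp %rbx,%rax` is `head->next == head`). The C program below, written for this note rather than taken from the kernel, recomputes the shadow address from RBX and compares it with CR2, checks whether RBX is a canonical 48-bit address, and checks whether the shadow address lies inside the x86_64 KASAN shadow range. The shadow range constants are taken from the kernel's Documentation/arch/x86/x86_64/mm.rst and assume 4-level paging, which is consistent with the identical PGD and P4D values printed in the oops.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Generic KASAN on x86_64 maps every 8 bytes of kernel address space to one
 * shadow byte: shadow = (addr >> 3) + KASAN_SHADOW_OFFSET.
 * Range constants from Documentation/arch/x86/x86_64/mm.rst (4-level paging,
 * assumed here).
 */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_START       0xffffec0000000000ULL
#define KASAN_SHADOW_END         0xfffffc0000000000ULL   /* exclusive */

/* Register values copied from the oops in the report above. */
#define OOPS_RBX 0xffff5180c46d7810ULL  /* list head passed to list_empty() */
#define OOPS_RCX 0xdffffc0000000000ULL  /* movabs $0xdffffc0000000000,%rcx */
#define OOPS_RAX 0x1fffea30188daf02ULL  /* %rbx >> 3 */
#define OOPS_CR2 0xffffe630188daf02ULL  /* faulting address */
#define OOPS_GS  0xffff8880b9400000ULL  /* a valid direct-map address, for contrast */

/* Shadow byte address for a kernel pointer. */
static uint64_t kasan_shadow_addr(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Effective address of the trapping cmpb, replayed from the disassembly. */
static uint64_t trapping_ea(uint64_t rbx, uint64_t rcx)
{
	uint64_t rax = rbx;        /* mov %rbx,%rax   */
	rax >>= 3;                 /* shr $0x3,%rax   */
	return rax + rcx;          /* (%rax,%rcx,1)   */
}

/* 48-bit canonical form: bits 63..47 must all be 0 or all be 1. */
static bool canonical_la48(uint64_t addr)
{
	uint64_t top = addr >> 47;             /* 17 bits */
	return top == 0 || top == 0x1ffffULL;
}

static bool in_kasan_shadow(uint64_t shadow)
{
	return shadow >= KASAN_SHADOW_START && shadow < KASAN_SHADOW_END;
}

int main(void)
{
	uint64_t shadow = kasan_shadow_addr(OOPS_RBX);

	printf("rbx                 : %#018llx (canonical: %s)\n",
	       (unsigned long long)OOPS_RBX, canonical_la48(OOPS_RBX) ? "yes" : "no");
	printf("rbx >> 3            : %#018llx (matches RAX: %s)\n",
	       (unsigned long long)(OOPS_RBX >> 3), (OOPS_RBX >> 3) == OOPS_RAX ? "yes" : "no");
	printf("kasan shadow of rbx : %#018llx (matches CR2: %s, in shadow range: %s)\n",
	       (unsigned long long)shadow, shadow == OOPS_CR2 ? "yes" : "no",
	       in_kasan_shadow(shadow) ? "yes" : "no");
	printf("shadow of GS base   : %#018llx (in shadow range: %s)\n",
	       (unsigned long long)kasan_shadow_addr(OOPS_GS),
	       in_kasan_shadow(kasan_shadow_addr(OOPS_GS)) ? "yes" : "no");
	return 0;
}
```

Build with `cc -std=c11 -o kasan_decode kasan_decode.c`. Everything lines up with the dump: the shadow address of RBX is exactly CR2, RBX is non-canonical under 48-bit paging (so an uninstrumented dereference of it would raise a general protection fault, which is the form the original report took), and its shadow address falls below KASAN_SHADOW_START, hence "not-present page". The page fault is therefore KASAN's shadow check on a garbage list-head pointer rather than the list_empty() load itself; the open question is why that pointer is invalid when xdp_do_check_flushed() runs from softirq context.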