lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <000000000000e28242061dd80dc5@google.com>
Date: Mon, 22 Jul 2024 08:54:03 -0700
From: syzbot <syzbot+61a1cfc2b6632363d319@...kaller.appspotmail.com>
To: aha310510@...il.com, linux-kernel@...r.kernel.org, 
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [bpf?] [net?] general protection fault in __xsk_map_flush

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in bpf_net_ctx_get_all_used_flush_lists

BUG: unable to handle page fault for address: ffffe630188daf02
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 1503a067 P4D 1503a067 PUD 0 
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 7523 Comm: syz-executor288 Not tainted 6.10.0-syzkaller-11840-g933069701c1b-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:list_empty include/linux/list.h:373 [inline]
RIP: 0010:bpf_net_ctx_get_all_used_flush_lists+0x16b/0x390 include/linux/filter.h:846
Code: e6 08 31 ff e8 f6 c8 29 f8 4c 89 f8 48 83 e0 08 75 07 e8 08 c4 29 f8 eb 56 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 47 0f 91 f8 48 8b 03 48 39 d8 74 2a
RSP: 0000:ffffc90000007a28 EFLAGS: 00010a02
RAX: 1fffea30188daf02 RBX: ffff5180c46d7810 RCX: dffffc0000000000
RDX: 0000000080000100 RSI: 0000000000000008 RDI: 0000000000000000
RBP: ffffffff8ddf3a40 R08: ffffffff8969be0a R09: 1ffffffff1f5f50d
R10: dffffc0000000000 R11: fffffbfff1f5f50e R12: 1ffff92000000f5c
R13: ffffc9000b2d77c0 R14: ffffc90000007ae0 R15: 000000000165af0c
FS:  0000555589e57380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffe630188daf02 CR3: 000000007d0c8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 xdp_do_check_flushed+0x130/0x2f0 net/core/filter.c:4298
 __napi_poll+0xe4/0x490 net/core/dev.c:6774
 napi_poll net/core/dev.c:6840 [inline]
 net_rx_action+0x89b/0x1240 net/core/dev.c:6962
 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
 common_interrupt+0xaa/0xd0 arch/x86/kernel/irq.c:278
 </IRQ>
 <TASK>
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5763
Code: 2b 00 74 08 4c 89 f7 e8 ba 1f 8b 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25
RSP: 0000:ffffc9000b2d7620 EFLAGS: 00000206
RAX: 0000000000000001 RBX: 1ffff9200165aed0 RCX: 697b9cec6cfc8500
RDX: dffffc0000000000 RSI: ffffffff8bcae720 RDI: ffffffff8c20a480
RBP: ffffc9000b2d7778 R08: ffffffff930028af R09: 1ffffffff2600515
R10: dffffc0000000000 R11: fffffbfff2600516 R12: 1ffff9200165aecc
R13: dffffc0000000000 R14: ffffc9000b2d7680 R15: 0000000000000246
 percpu_down_read include/linux/percpu-rwsem.h:51 [inline]
 __sb_start_write include/linux/fs.h:1675 [inline]
 sb_start_write+0x4d/0x1c0 include/linux/fs.h:1811
 mnt_want_write+0x3f/0x90 fs/namespace.c:515
 do_unlinkat+0x1fe/0x830 fs/namei.c:4469
 do_coredump+0x2247/0x2a30 fs/coredump.c:678
 get_signal+0x13fa/0x1740 kernel/signal.c:2902
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 irqentry_exit_to_user_mode+0x79/0x280 kernel/entry/common.c:231
 exc_page_fault+0x590/0x8c0 arch/x86/mm/fault.c:1542
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7fdae0dfb15e
Code: fd d7 c9 0f bc d1 c5 fe 7f 27 c5 fe 7f 6f 20 c5 fe 7f 77 40 c5 fe 7f 7f 60 49 83 c0 1f 49 29 d0 48 8d 7c 17 61 e9 d2 04 00 00 <c5> fe 6f 1e c5 fe 6f 56 20 c5 fd 74 cb c5 fd d7 d1 49 83 f8 21 0f
RSP: 002b:00007ffcbd96f8c8 EFLAGS: 00010287
RAX: 00007ffcbd96f8e0 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 00000000000003ff RSI: 0000000000000000 RDI: 00007ffcbd96f8e0
RBP: 00007ffcbd96f8e0 R08: 00000000000003ff R09: 00007ffcbd96fe28
R10: 00007ffcbd96fe28 R11: 0000000000000246 R12: 6666666666666667
R13: 0000000000000000 R14: 00007ffcbd96fd30 R15: 00007ffcbd96fd20
 </TASK>
Modules linked in:
CR2: ffffe630188daf02
---[ end trace 0000000000000000 ]---
RIP: 0010:list_empty include/linux/list.h:373 [inline]
RIP: 0010:bpf_net_ctx_get_all_used_flush_lists+0x16b/0x390 include/linux/filter.h:846
Code: e6 08 31 ff e8 f6 c8 29 f8 4c 89 f8 48 83 e0 08 75 07 e8 08 c4 29 f8 eb 56 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 47 0f 91 f8 48 8b 03 48 39 d8 74 2a
RSP: 0000:ffffc90000007a28 EFLAGS: 00010a02
RAX: 1fffea30188daf02 RBX: ffff5180c46d7810 RCX: dffffc0000000000
RDX: 0000000080000100 RSI: 0000000000000008 RDI: 0000000000000000
RBP: ffffffff8ddf3a40 R08: ffffffff8969be0a R09: 1ffffffff1f5f50d
R10: dffffc0000000000 R11: fffffbfff1f5f50e R12: 1ffff92000000f5c
R13: ffffc9000b2d77c0 R14: ffffc90000007ae0 R15: 000000000165af0c
FS:  0000555589e57380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffe630188daf02 CR3: 000000007d0c8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	e6 08                	out    %al,$0x8
   2:	31 ff                	xor    %edi,%edi
   4:	e8 f6 c8 29 f8       	call   0xf829c8ff
   9:	4c 89 f8             	mov    %r15,%rax
   c:	48 83 e0 08          	and    $0x8,%rax
  10:	75 07                	jne    0x19
  12:	e8 08 c4 29 f8       	call   0xf829c41f
  17:	eb 56                	jmp    0x6f
  19:	48 89 d8             	mov    %rbx,%rax
  1c:	48 c1 e8 03          	shr    $0x3,%rax
  20:	48 b9 00 00 00 00 00 	movabs $0xdffffc0000000000,%rcx
  27:	fc ff df
* 2a:	80 3c 08 00          	cmpb   $0x0,(%rax,%rcx,1) <-- trapping instruction
  2e:	74 08                	je     0x38
  30:	48 89 df             	mov    %rbx,%rdi
  33:	e8 47 0f 91 f8       	call   0xf8910f7f
  38:	48 8b 03             	mov    (%rbx),%rax
  3b:	48 39 d8             	cmp    %rbx,%rax
  3e:	74 2a                	je     0x6a


Tested on:

commit:         93306970 Merge tag '6.11-rc-smb3-server-fixes' of git:..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=124846ad980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d04f9888ed34da73
dashboard link: https://syzkaller.appspot.com/bug?extid=61a1cfc2b6632363d319
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12158b79980000

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ