Message-ID: <CANikGpd2u3=GH8TLL40UuOJroe0-WdYCjj1vZJyCBgmSRvtNWQ@mail.gmail.com>
Date: Sun, 25 Aug 2024 00:45:30 -0700
From: Juefei Pu <juefei.pu@...il.ucr.edu>
To: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: BUG: unable to handle kernel paging request in __netif_receive_skb_core
Hello,
We found the following issue using syzkaller on Linux v6.10.
In function `__netif_receive_skb_core`, an error of "unable to handle
kernel paging request" happened when executing `if (ptype->type !=
type)`. It happened because the register $r12 became an unexpected
value 0xffffffffffffffc0, because it was propagated from $r15 whose
value was null. So it's likely that this is a null-pointer
dereference issue.
The full report including the Syzkaller reproducer:
https://gist.github.com/TomAPU/38bb00292b33d52a6dd2d1b629247146/revisions
The brief report is below:
Syzkaller hit 'BUG: unable to handle kernel paging request in
__netif_receive_skb_core' bug.
BUG: unable to handle page fault for address: ffffffffffffffc0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD d936067 P4D d936067 PUD d938067 PMD 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 8484 Comm: kworker/0:5 Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: wg-crypt-wg0 wg_packet_tx_worker
RIP: 0010:deliver_ptype_list_skb net/core/dev.c:2247 [inline]
RIP: 0010:__netif_receive_skb_core+0x3163/0x3ef0 net/core/dev.c:5581
Code: 48 8d 41 10 48 89 44 24 48 4d 8d 67 c0 4c 89 e0 48 c1 e8 03 48
b9 00 00 00 00 00 fc ff df 0f b6 04 08 84 c0 0f 85 61 02 00 00 <41> 0f
b7 1c 24 89 df 44 89 f6 e8 ee f5 b8 f8 66 44 39 f3 0f 85 a0
RSP: 0018:ffffc90000007880 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: 0000000080000101 RSI: 000000000000dd86 RDI: 0000000000000000
RBP: ffffc90000007a50 R08: ffffffff88d85c72 R09: ffffffff88d82f9b
R10: 0000000000000002 R11: ffff8880244b5a00 R12: ffffffffffffffc0
R13: ffffffff8f260cb0 R14: 000000000000dd86 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffc0 CR3: 000000000d932000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__netif_receive_skb_one_core net/core/dev.c:5623 [inline]
__netif_receive_skb+0x11e/0x640 net/core/dev.c:5739
process_backlog+0x37d/0x7a0 net/core/dev.c:6068
__napi_poll+0xcc/0x480 net/core/dev.c:6722
napi_poll net/core/dev.c:6791 [inline]
net_rx_action+0x7ed/0x1040 net/core/dev.c:6907
handle_softirqs+0x272/0x750 kernel/softirq.c:554
do_softirq+0x117/0x1e0 kernel/softirq.c:455
</IRQ>
<TASK>
__local_bh_enable_ip+0x1b0/0x1f0 kernel/softirq.c:382
wg_socket_send_skb_to_peer+0x172/0x1d0 drivers/net/wireguard/socket.c:184
wg_packet_create_data_done drivers/net/wireguard/send.c:251 [inline]
wg_packet_tx_worker+0x1ba/0x960 drivers/net/wireguard/send.c:276
process_one_work kernel/workqueue.c:3248 [inline]
process_scheduled_works+0x977/0x1410 kernel/workqueue.c:3329
worker_thread+0xaa0/0x1020 kernel/workqueue.c:3409
kthread+0x2eb/0x380 kernel/kthread.c:389
ret_from_fork+0x49/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
CR2: ffffffffffffffc0
---[ end trace 0000000000000000 ]---
RIP: 0010:deliver_ptype_list_skb net/core/dev.c:2247 [inline]
RIP: 0010:__netif_receive_skb_core+0x3163/0x3ef0 net/core/dev.c:5581
Code: 48 8d 41 10 48 89 44 24 48 4d 8d 67 c0 4c 89 e0 48 c1 e8 03 48
b9 00 00 00 00 00 fc ff df 0f b6 04 08 84 c0 0f 85 61 02 00 00 <41> 0f
b7 1c 24 89 df 44 89 f6 e8 ee f5 b8 f8 66 44 39 f3 0f 85 a0
RSP: 0018:ffffc90000007880 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: 0000000080000101 RSI: 000000000000dd86 RDI: 0000000000000000
RBP: ffffc90000007a50 R08: ffffffff88d85c72 R09: ffffffff88d82f9b
R10: 0000000000000002 R11: ffff8880244b5a00 R12: ffffffffffffffc0
R13: ffffffff8f260cb0 R14: 000000000000dd86 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffc0 CR3: 000000000d932000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 48 8d 41 10 lea 0x10(%rcx),%rax
4: 48 89 44 24 48 mov %rax,0x48(%rsp)
9: 4d 8d 67 c0 lea -0x40(%r15),%r12
d: 4c 89 e0 mov %r12,%rax
10: 48 c1 e8 03 shr $0x3,%rax
14: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
1b: fc ff df
1e: 0f b6 04 08 movzbl (%rax,%rcx,1),%eax
22: 84 c0 test %al,%al
24: 0f 85 61 02 00 00 jne 0x28b
* 2a: 41 0f b7 1c 24 movzwl (%r12),%ebx <-- trapping instruction
2f: 89 df mov %ebx,%edi
31: 44 89 f6 mov %r14d,%esi
34: e8 ee f5 b8 f8 call 0xf8b8f627
39: 66 44 39 f3 cmp %r14w,%bx
3d: 0f .byte 0xf
3e: 85 .byte 0x85
3f: a0 .byte 0xa0
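The register chain described in the report (R15 == 0, then `lea -0x40(%r15),%r12`, then a 16-bit load through R12 that faults at CR2 = 0xffffffffffffffc0) is the arithmetic of `container_of` applied to a NULL list pointer, and the `shr $3` / `movabs $0xdffffc0000000000` / `movzbl` sequence before the trap is the inlined KASAN shadow lookup. As an added triage example, not part of the original report or of the kernel's code, the C program below redoes that arithmetic in plain integers on the host: it derives the faulting address and the shadow address the disassembled sequence computes, and implements a small check that flags fault addresses just below the 64-bit wrap as container_of-on-NULL candidates. The struct layout and the 0x40 member offset are assumptions chosen to match the disassembly, not the real `struct packet_type` layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout: the list member sits 0x40 bytes into the record,
 * matching "lea -0x40(%r15),%r12" in the report. This is an assumption for
 * illustration only, not the kernel's real struct packet_type. */
struct list_head { struct list_head *next, *prev; };

struct fake_ptype {
    unsigned char before_list[0x40];
    struct list_head list;
    uint16_t type;
};

/* The shadow offset the disassembly loads with movabs, and the x86-64
 * KASAN scale (8 bytes of memory per shadow byte, hence shr $3). */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3

/* container_of done on integers rather than pointers, so it stays
 * well-defined even when the member address is 0 (a NULL list pointer). */
uint64_t container_from_member(uint64_t member_addr, size_t member_offset)
{
    return member_addr - (uint64_t)member_offset;
}

/* Address the Oops reports when the list pointer is NULL. */
uint64_t fault_addr_for_null_list(void)
{
    return container_from_member(0, offsetof(struct fake_ptype, list));
}

/* Shadow address the inlined KASAN check computes: (addr >> 3) + offset,
 * i.e. the shr/movabs/movzbl sequence right before the trapping load. */
uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Triage heuristic: a faulting address within one page below the 64-bit
 * wrap is NULL minus a small struct offset, which points at container_of
 * (or list_entry) on a NULL member pointer rather than at a wild heap
 * pointer. Returns 1 when the address matches that pattern. */
int looks_like_container_of_null(uint64_t fault_addr)
{
    return fault_addr >= (0ULL - 4096ULL);
}

/* The member offset implied by such a fault address (distance back to 0). */
uint64_t implied_member_offset(uint64_t fault_addr)
{
    return 0ULL - fault_addr;
}

int main(void)
{
    uint64_t cr2 = fault_addr_for_null_list();

    printf("fault address : %#llx\n", (unsigned long long)cr2);
    printf("kasan shadow  : %#llx\n",
           (unsigned long long)kasan_shadow_addr(cr2));
    printf("container_of on NULL? %s (implied member offset %#llx)\n",
           looks_like_container_of_null(cr2) ? "yes" : "no",
           (unsigned long long)implied_member_offset(cr2));
    return 0;
}
```

The implied offset (0x40 here) is the number to compare against `offsetof` of the list member in the struct named at the faulting source line; when they agree, the root cause to look for is whoever handed the list walk a NULL head or a NULL `next`, not memory corruption of the entry itself.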