[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALAgD-6=bRtF++chjMwgTyMssCqyPzhXyY=zjB6w5SorVxuCcw@mail.gmail.com>
Date: Sat, 24 Aug 2024 21:53:29 -0700
From: Xingyu Li <xli399@....edu>
To: peterz@...radead.org, mingo@...hat.com, will@...nel.org,
longman@...hat.com, boqun.feng@...il.com, linux-kernel@...r.kernel.org
Subject: BUG: general protection fault in kernfs_remove_by_name_ns
Hi,
We found a bug in linux 6.10. It is probably a null pointer dereference bug.
The bug report is as follows, but unfortunately there is no generated
syzkaller reproducer.
netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2
family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2
family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2
family 0 port 6081 - 0
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000029: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000148-0x000000000000014f]
CPU: 0 PID: 10054 Comm: kworker/u4:29 Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:__lock_acquire+0x106/0x8050 kernel/locking/lockdep.c:5005
Code: 85 5d 20 00 00 83 3d 14 d2 b5 0d 00 48 89 9c 24 18 01 00 00 0f
84 00 10 00 00 83 3d 33 3a 31 0c 00 74 31 48 89 d0 48 c1 e8 03 <42> 80
3c 00 00 74 17 48 89 d7 e8 fb 9c 85 00 48 8b 54 24 10 49 b8
RSP: 0018:ffffc9000a0bf540 EFLAGS: 00010002
RAX: 0000000000000029 RBX: 1ffff92001417ecc RCX: 0000000000000000
RDX: 0000000000000148 RSI: 0000000000000000 RDI: 0000000000000148
RBP: ffffc9000a0bf808 R08: dffffc0000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1e48be6 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88801fc31e00
FS: 0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc6fba84cd0 CR3: 0000000020224000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire+0x1a9/0x400 kernel/locking/lockdep.c:5754
down_write+0x36/0x50 kernel/locking/rwsem.c:1579
kernfs_remove_by_name_ns+0x76/0x150 fs/kernfs/dir.c:1689
del_nbp+0xa6/0xb50 net/bridge/br_if.c:338
br_dev_delete+0x76/0x110 net/bridge/br_if.c:386
br_net_exit_batch_rtnl+0xee/0x1a0 net/bridge/br.c:369
cleanup_net+0x712/0xcd0 net/core/net_namespace.c:633
process_one_work kernel/workqueue.c:3248 [inline]
process_scheduled_works+0x977/0x1410 kernel/workqueue.c:3329
worker_thread+0xaa0/0x1020 kernel/workqueue.c:3409
kthread+0x2eb/0x380 kernel/kthread.c:389
ret_from_fork+0x49/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0x106/0x8050 kernel/locking/lockdep.c:5005
Code: 85 5d 20 00 00 83 3d 14 d2 b5 0d 00 48 89 9c 24 18 01 00 00 0f
84 00 10 00 00 83 3d 33 3a 31 0c 00 74 31 48 89 d0 48 c1 e8 03 <42> 80
3c 00 00 74 17 48 89 d7 e8 fb 9c 85 00 48 8b 54 24 10 49 b8
RSP: 0018:ffffc9000a0bf540 EFLAGS: 00010002
RAX: 0000000000000029 RBX: 1ffff92001417ecc RCX: 0000000000000000
RDX: 0000000000000148 RSI: 0000000000000000 RDI: 0000000000000148
RBP: ffffc9000a0bf808 R08: dffffc0000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1e48be6 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88801fc31e00
FS: 0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc6fba84cd0 CR3: 0000000020224000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 85 5d 20 test %ebx,0x20(%rbp)
3: 00 00 add %al,(%rax)
5: 83 3d 14 d2 b5 0d 00 cmpl $0x0,0xdb5d214(%rip) # 0xdb5d220
c: 48 89 9c 24 18 01 00 mov %rbx,0x118(%rsp)
13: 00
14: 0f 84 00 10 00 00 je 0x101a
1a: 83 3d 33 3a 31 0c 00 cmpl $0x0,0xc313a33(%rip) # 0xc313a54
21: 74 31 je 0x54
23: 48 89 d0 mov %rdx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 00 00 cmpb $0x0,(%rax,%r8,1) <-- trapping instruction
2f: 74 17 je 0x48
31: 48 89 d7 mov %rdx,%rdi
34: e8 fb 9c 85 00 call 0x859d34
39: 48 8b 54 24 10 mov 0x10(%rsp),%rdx
3e: 49 rex.WB
3f: b8 .byte 0xb8
--
Yours sincerely,
Xingyu
Powered by blists - more mailing lists