| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6763681b.050a0220.15da49.0001.GAE@google.com> Date: Wed, 18 Dec 2024 16:26:03 -0800 From: syzbot <syzbot+38a095a81f30d82884c1@...kaller.appspotmail.com> To: hdanton@...a.com, linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com Subject: Re: [syzbot] [net?] general protection fault in put_page (4) Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: general protection fault in put_page Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 UID: 0 PID: 5976 Comm: kworker/0:4 Not tainted 6.13.0-rc3-syzkaller-00073-geabcdba3ad40-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024 Workqueue: rcu_gp srcu_invoke_callbacks RIP: 0010:_compound_head include/linux/page-flags.h:242 [inline] RIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552 Code: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 98 5b 12 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 3f bb 78 f8 48 8b 1b 48 89 de 48 83 RSP: 0018:ffffc90000006df0 EFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888027620000 RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff898caa7a R09: 1ffffffff2854734 R10: dffffc0000000000 R11: fffffbfff2854735 R12: 0000000000000007 R13: ffff88807a1efa42 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b3045ffff CR3: 000000007a6ec000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> skb_page_unref include/linux/skbuff_ref.h:43 [inline] __skb_frag_unref include/linux/skbuff_ref.h:56 [inline] skb_release_data+0x480/0x9a0 net/core/skbuff.c:1128 skb_release_all net/core/skbuff.c:1199 [inline] __kfree_skb+0x55/0x70 net/core/skbuff.c:1213 tcp_clean_rtx_queue net/ipv4/tcp_input.c:3436 [inline] tcp_ack+0x2442/0x6bc0 net/ipv4/tcp_input.c:4032 tcp_rcv_state_process+0x8eb/0x44e0 net/ipv4/tcp_input.c:6805 tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1939 tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2351 ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314 __netif_receive_skb_one_core net/core/dev.c:5672 [inline] __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5785 process_backlog+0x662/0x15b0 net/core/dev.c:6117 __napi_poll+0xcb/0x490 net/core/dev.c:6883 napi_poll net/core/dev.c:6952 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:7074 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 do_softirq+0x11b/0x1e0 kernel/softirq.c:462 </IRQ> <TASK> __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:389 local_bh_enable include/linux/bottom_half.h:33 [inline] srcu_invoke_callbacks+0x246/0x490 kernel/rcu/srcutree.c:1796 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:_compound_head include/linux/page-flags.h:242 [inline] RIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552 Code: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 98 5b 12 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 3f bb 78 f8 48 8b 1b 48 89 de 48 83 RSP: 0018:ffffc90000006df0 EFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888027620000 RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff898caa7a R09: 1ffffffff2854734 R10: dffffc0000000000 R11: fffffbfff2854735 R12: 0000000000000007 R13: ffff88807a1efa42 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b3045ffff CR3: 000000007a6ec000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: 90 nop 1: 90 nop 2: 90 nop 3: 90 nop 4: 90 nop 5: 90 nop 6: 90 nop 7: 55 push %rbp 8: 41 57 push %r15 a: 41 56 push %r14 c: 53 push %rbx d: 49 89 fe mov %rdi,%r14 10: 48 bd 00 00 00 00 00 movabs $0xdffffc0000000000,%rbp 17: fc ff df 1a: e8 98 5b 12 f8 call 0xf8125bb7 1f: 49 8d 5e 08 lea 0x8(%r14),%rbx 23: 48 89 d8 mov %rbx,%rax 26: 48 c1 e8 03 shr $0x3,%rax * 2a: 80 3c 28 00 cmpb $0x0,(%rax,%rbp,1) <-- trapping instruction 2e: 74 08 je 0x38 30: 48 89 df mov %rbx,%rdi 33: e8 3f bb 78 f8 call 0xf878bb77 38: 48 8b 1b mov (%rbx),%rbx 3b: 48 89 de mov %rbx,%rsi 3e: 48 rex.W 3f: 83 .byte 0x83 Tested on: commit: eabcdba3 Merge tag 'for-6.13-rc3-tag' of git://git.ker.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=1292b730580000 kernel config: https://syzkaller.appspot.com/x/.config?x=6a2b862bf4a5409f dashboard link: https://syzkaller.appspot.com/bug?extid=38a095a81f30d82884c1 compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 patch: https://syzkaller.appspot.com/x/patch.diff?x=1474b730580000
Powered by blists - more mailing lists