lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <67e3f2f0.050a0220.2f068f.0004.GAE@google.com>
Date: Wed, 26 Mar 2025 05:28:32 -0700
From: syzbot <syzbot+38d72234503f2b05981f@...kaller.appspotmail.com>
To: bhelgaas@...gle.com, linux-kernel@...r.kernel.org, 
	linux-pci@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: [syzbot] [pci?] upstream test error: BUG: unable to handle kernel
 NULL pointer dereference in msix_capability_init

Hello,

syzbot found the following issue on:

HEAD commit:    1e26c5e28ca5 Merge tag 'media/v6.15-1' of git://git.kernel..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1697cbb0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ae7b143bbda6d951
dashboard link: https://syzkaller.appspot.com/bug?extid=38d72234503f2b05981f
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/91cf4f757ca2/disk-1e26c5e2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1415c0b3bc2e/vmlinux-1e26c5e2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d363b301f320/bzImage-1e26c5e2.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+38d72234503f2b05981f@...kaller.appspotmail.com

UDP-Lite hash table entries: 4096 (order: 6, 262144 bytes, linear)
NET: Registered PF_UNIX/PF_LOCAL protocol family
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp-with-tls transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
NET: Registered PF_XDP protocol family
pci_bus 0000:00: resource 4 [io  0x0000-0x0cf7 window]
pci_bus 0000:00: resource 5 [io  0x0d00-0xffff window]
pci_bus 0000:00: resource 6 [mem 0x000a0000-0x000bffff window]
pci_bus 0000:00: resource 7 [mem 0xc0000000-0xfebfefff window]
pci 0000:00:00.0: Limiting direct PCI/PCI transfers
PCI: CLS 0 bytes, default 64
PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
software IO TLB: mapped [mem 0x00000000bbffd000-0x00000000bfffd000] (64MB)
ACPI: bus type thunderbolt registered
RAPL PMU: API unit is 2^-32 Joules, 0 fixed counters, 10737418240 ms ovfl timer
clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x1fb63109b96, max_idle_ns: 440795265316 ns
clocksource: Switched to clocksource tsc
Initialise system trusted keyrings
workingset: timestamp_bits=40 max_order=21 bucket_order=0
NFS: Registering the id_resolver key type
Key type id_resolver registered
Key type id_legacy registered
9p: Installing v9fs 9p2000 file system support
Key type asymmetric registered
Asymmetric key parser 'x509' registered
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 246)
io scheduler mq-deadline registered
io scheduler kyber registered
usbcore: registered new interface driver udlfb
usbcore: registered new interface driver smscufx
input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
ACPI: button: Power Button [PWRF]
input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
ACPI: button: Sleep Button [SLPF]
ACPI: \_SB_.LNKC: Enabled at IRQ 11
virtio-pci 0000:00:03.0: virtio_pci: leaving for legacy driver
ACPI: \_SB_.LNKD: Enabled at IRQ 10
virtio-pci 0000:00:04.0: virtio_pci: leaving for legacy driver
ACPI: \_SB_.LNKB: Enabled at IRQ 10
virtio-pci 0000:00:06.0: virtio_pci: leaving for legacy driver
virtio-pci 0000:00:07.0: virtio_pci: leaving for legacy driver
Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A
00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A
Non-volatile memory driver v1.3
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0 
Oops: Oops: 0000 [#1] SMP PTI
CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.14.0-syzkaller-02665-g1e26c5e28ca5 #0 PREEMPT(voluntary) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:msix_prepare_msi_desc drivers/pci/msi/msi.c:615 [inline]
RIP: 0010:msix_setup_msi_descs drivers/pci/msi/msi.c:639 [inline]
RIP: 0010:__msix_setup_interrupts drivers/pci/msi/msi.c:672 [inline]
RIP: 0010:msix_setup_interrupts drivers/pci/msi/msi.c:701 [inline]
RIP: 0010:msix_capability_init+0x3f7/0x8c0 drivers/pci/msi/msi.c:743
Code: e8 fe 3d 77 ff 41 8b 06 89 84 24 e0 00 00 00 4c 89 ff e8 bc 42 77 ff 4d 8b 3f 4c 89 bc 24 e8 00 00 00 48 89 df e8 d9 3d 77 ff <8b> 1b be 00 00 40 00 21 de 31 ff e8 29 9a 5d ff b8 00 00 40 00 21
RSP: 0000:ffffc900000174a8 EFLAGS: 00010246
RAX: ffff8881001b8a98 RBX: 0000000000000000 RCX: ffffffff81f5f7e7
RDX: 000000000000004c RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000101 R08: 0000000000000003 R09: 0000000000000000
R10: 0001ffffffffffff R11: 0001c90000017476 R12: 0000000000000000
R13: 0000000000000000 R14: ffff8881013d239c R15: ffffc90000029008
FS:  0000000000000000(0000) GS:ffff8882aee5d000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000006836000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __pci_enable_msix_range+0x435/0x4d0 drivers/pci/msi/msi.c:851
 pci_alloc_irq_vectors_affinity+0xae/0x1f0 drivers/pci/msi/api.c:268
 vp_request_msix_vectors drivers/virtio/virtio_pci_common.c:160 [inline]
 vp_find_vqs_msix+0x412/0x8b0 drivers/virtio/virtio_pci_common.c:417
 vp_find_vqs+0x50/0x510 drivers/virtio/virtio_pci_common.c:525
 virtio_find_vqs include/linux/virtio_config.h:226 [inline]
 virtio_find_single_vq include/linux/virtio_config.h:237 [inline]
 probe_common+0x1f0/0x3d0 drivers/char/hw_random/virtio-rng.c:155
 virtrng_probe+0x15/0x20 drivers/char/hw_random/virtio-rng.c:193
 virtio_dev_probe+0x632/0x7b0 drivers/virtio/virtio.c:341
 really_probe+0x1cf/0x5d0 drivers/base/dd.c:658
 __driver_probe_device+0x12d/0x200 drivers/base/dd.c:800
 driver_probe_device+0x38/0x2f0 drivers/base/dd.c:830
 __driver_attach+0x311/0x400 drivers/base/dd.c:1216
 bus_for_each_dev+0x1af/0x210 drivers/base/bus.c:370
 driver_attach+0x2b/0x40 drivers/base/dd.c:1234
 bus_add_driver+0x272/0x470 drivers/base/bus.c:678
 driver_register+0x163/0x220 drivers/base/driver.c:249
 __register_virtio_driver+0x7a/0x90 drivers/virtio/virtio.c:415
 virtio_rng_driver_init+0x17/0x20 drivers/char/hw_random/virtio-rng.c:256
 do_one_initcall+0x10d/0x580 init/main.c:1257
 do_initcall_level+0x91/0x190 init/main.c:1319
 do_initcalls+0x89/0xf0 init/main.c:1335
 do_basic_setup+0x5b/0x70 init/main.c:1354
 kernel_init_freeable+0x1d5/0x280 init/main.c:1567
 kernel_init+0x1b/0x300 init/main.c:1457
 ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:msix_prepare_msi_desc drivers/pci/msi/msi.c:615 [inline]
RIP: 0010:msix_setup_msi_descs drivers/pci/msi/msi.c:639 [inline]
RIP: 0010:__msix_setup_interrupts drivers/pci/msi/msi.c:672 [inline]
RIP: 0010:msix_setup_interrupts drivers/pci/msi/msi.c:701 [inline]
RIP: 0010:msix_capability_init+0x3f7/0x8c0 drivers/pci/msi/msi.c:743
Code: e8 fe 3d 77 ff 41 8b 06 89 84 24 e0 00 00 00 4c 89 ff e8 bc 42 77 ff 4d 8b 3f 4c 89 bc 24 e8 00 00 00 48 89 df e8 d9 3d 77 ff <8b> 1b be 00 00 40 00 21 de 31 ff e8 29 9a 5d ff b8 00 00 40 00 21
RSP: 0000:ffffc900000174a8 EFLAGS: 00010246
RAX: ffff8881001b8a98 RBX: 0000000000000000 RCX: ffffffff81f5f7e7
RDX: 000000000000004c RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000101 R08: 0000000000000003 R09: 0000000000000000
R10: 0001ffffffffffff R11: 0001c90000017476 R12: 0000000000000000
R13: 0000000000000000 R14: ffff8881013d239c R15: ffffc90000029008
FS:  0000000000000000(0000) GS:ffff8882aee5d000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000006836000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	e8 fe 3d 77 ff       	call   0xff773e03
   5:	41 8b 06             	mov    (%r14),%eax
   8:	89 84 24 e0 00 00 00 	mov    %eax,0xe0(%rsp)
   f:	4c 89 ff             	mov    %r15,%rdi
  12:	e8 bc 42 77 ff       	call   0xff7742d3
  17:	4d 8b 3f             	mov    (%r15),%r15
  1a:	4c 89 bc 24 e8 00 00 	mov    %r15,0xe8(%rsp)
  21:	00
  22:	48 89 df             	mov    %rbx,%rdi
  25:	e8 d9 3d 77 ff       	call   0xff773e03
* 2a:	8b 1b                	mov    (%rbx),%ebx <-- trapping instruction
  2c:	be 00 00 40 00       	mov    $0x400000,%esi
  31:	21 de                	and    %ebx,%esi
  33:	31 ff                	xor    %edi,%edi
  35:	e8 29 9a 5d ff       	call   0xff5d9a63
  3a:	b8 00 00 40 00       	mov    $0x400000,%eax
  3f:	21                   	.byte 0x21


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ