| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAM0EoM=JWBb-Ap8Wutic8-7k7_+5rrt-t65h5Bv-iyiJ+JtOCA@mail.gmail.com> Date: Thu, 3 Jul 2025 11:05:57 -0400 From: Jamal Hadi Salim <jhs@...atatu.com> To: syzbot <syzbot+d8b58d7b0ad89a678a16@...kaller.appspotmail.com>, Lion <nnamrec@...il.com> Cc: David Miller <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Simon Horman <horms@...nel.org>, Jiri Pirko <jiri@...nulli.us>, Jakub Kicinski <kuba@...nel.org>, LKML <linux-kernel@...r.kernel.org>, Linux Kernel Network Developers <netdev@...r.kernel.org>, Paolo Abeni <pabeni@...hat.com>, syzkaller-bugs <syzkaller-bugs@...glegroups.com>, Cong Wang <xiyou.wangcong@...il.com> Subject: Lion, can you take a look at his? WAS(Re: [syzbot] [net?] general protection fault in htb_qlen_notify On Thu, Jul 3, 2025 at 7:32 AM syzbot <syzbot+d8b58d7b0ad89a678a16@...kaller.appspotmail.com> wrote: > > syzbot has found a reproducer for the following issue on: > > HEAD commit: bd475eeaaf3c Merge branch '200GbE' of git://git.kernel.org.. > git tree: net > console output: https://syzkaller.appspot.com/x/log.txt?x=15cc0582580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=36b0e72cad5298f8 > dashboard link: https://syzkaller.appspot.com/bug?extid=d8b58d7b0ad89a678a16 > compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1113748c580000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10909ebc580000 > > Downloadable assets: > disk image: https://storage.googleapis.com/syzbot-assets/d59bc82a55e0/disk-bd475eea.raw.xz > vmlinux: https://storage.googleapis.com/syzbot-assets/2a83759fceb6/vmlinux-bd475eea.xz > kernel image: https://storage.googleapis.com/syzbot-assets/07576fd8e432/bzImage-bd475eea.xz > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+d8b58d7b0ad89a678a16@...kaller.appspotmail.com > > Oops: general protection fault, probably for non-canonical address 0xdffffc0000000035: 0000 [#1] SMP KASAN PTI > KASAN: null-ptr-deref in range [0x00000000000001a8-0x00000000000001af] > CPU: 1 UID: 0 PID: 6017 Comm: syz.0.16 Not tainted 6.16.0-rc3-syzkaller-00144-gbd475eeaaf3c #0 PREEMPT(full) > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 > RIP: 0010:htb_deactivate net/sched/sch_htb.c:613 [inline] > RIP: 0010:htb_qlen_notify+0x31/0xc0 net/sched/sch_htb.c:1489 > Code: 41 56 41 55 41 54 53 49 89 f6 49 89 ff 49 bc 00 00 00 00 00 fc ff df e8 3d c6 46 f8 49 8d 9e a8 01 00 00 49 89 dd 49 c1 ed 03 <43> 0f b6 44 25 00 84 c0 75 4d 8b 2b 31 ff 89 ee e8 5a ca 46 f8 85 > RSP: 0018:ffffc900034f6fb0 EFLAGS: 00010206 > RAX: ffffffff89798833 RBX: 00000000000001a8 RCX: ffff88802714bc00 > RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88807a6ac000 > RBP: dffffc0000000000 R08: ffff88802714bc00 R09: 0000000000000002 > R10: 00000000ffffffff R11: ffffffff89798810 R12: dffffc0000000000 > R13: 0000000000000035 R14: 0000000000000000 R15: ffff88807a6ac000 > FS: 00007fa0c3df16c0(0000) GS:ffff888125d50000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007fa0c3dd0d58 CR3: 00000000743e8000 CR4: 00000000003526f0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > Call Trace: > <TASK> > qdisc_tree_reduce_backlog+0x29c/0x480 net/sched/sch_api.c:811 > fq_change+0x1519/0x1f50 net/sched/sch_fq.c:1147 > fq_init+0x699/0x960 net/sched/sch_fq.c:1201 > qdisc_create+0x7ac/0xea0 net/sched/sch_api.c:1324 > __tc_modify_qdisc net/sched/sch_api.c:1749 [inline] > tc_modify_qdisc+0x1426/0x2010 net/sched/sch_api.c:1813 > rtnetlink_rcv_msg+0x779/0xb70 net/core/rtnetlink.c:6953 > netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2534 > netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] > netlink_unicast+0x75b/0x8d0 net/netlink/af_netlink.c:1339 > netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1883 > sock_sendmsg_nosec net/socket.c:712 [inline] > __sock_sendmsg+0x21c/0x270 net/socket.c:727 > ____sys_sendmsg+0x505/0x830 net/socket.c:2566 > ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620 > __sys_sendmsg net/socket.c:2652 [inline] > __do_sys_sendmsg net/socket.c:2657 [inline] > __se_sys_sendmsg net/socket.c:2655 [inline] > __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] > do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > RIP: 0033:0x7fa0c2f8e929 > Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 > RSP: 002b:00007fa0c3df1038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e > RAX: ffffffffffffffda RBX: 00007fa0c31b5fa0 RCX: 00007fa0c2f8e929 > RDX: 0000000000044080 RSI: 0000200000000040 RDI: 0000000000000006 > RBP: 00007fa0c3010b39 R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 > R13: 0000000000000000 R14: 00007fa0c31b5fa0 R15: 00007ffd14aa8178 > </TASK> > Modules linked in: > ---[ end trace 0000000000000000 ]--- > RIP: 0010:htb_deactivate net/sched/sch_htb.c:613 [inline] > RIP: 0010:htb_qlen_notify+0x31/0xc0 net/sched/sch_htb.c:1489 > Code: 41 56 41 55 41 54 53 49 89 f6 49 89 ff 49 bc 00 00 00 00 00 fc ff df e8 3d c6 46 f8 49 8d 9e a8 01 00 00 49 89 dd 49 c1 ed 03 <43> 0f b6 44 25 00 84 c0 75 4d 8b 2b 31 ff 89 ee e8 5a ca 46 f8 85 > RSP: 0018:ffffc900034f6fb0 EFLAGS: 00010206 > RAX: ffffffff89798833 RBX: 00000000000001a8 RCX: ffff88802714bc00 > RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88807a6ac000 > RBP: dffffc0000000000 R08: ffff88802714bc00 R09: 0000000000000002 > R10: 00000000ffffffff R11: ffffffff89798810 R12: dffffc0000000000 > R13: 0000000000000035 R14: 0000000000000000 R15: ffff88807a6ac000 > FS: 00007fa0c3df16c0(0000) GS:ffff888125d50000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007fa0c3dd0d58 CR3: 00000000743e8000 CR4: 00000000003526f0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > ---------------- > Code disassembly (best guess): > 0: 41 56 push %r14 > 2: 41 55 push %r13 > 4: 41 54 push %r12 > 6: 53 push %rbx > 7: 49 89 f6 mov %rsi,%r14 > a: 49 89 ff mov %rdi,%r15 > d: 49 bc 00 00 00 00 00 movabs $0xdffffc0000000000,%r12 > 14: fc ff df > 17: e8 3d c6 46 f8 call 0xf846c659 > 1c: 49 8d 9e a8 01 00 00 lea 0x1a8(%r14),%rbx > 23: 49 89 dd mov %rbx,%r13 > 26: 49 c1 ed 03 shr $0x3,%r13 > * 2a: 43 0f b6 44 25 00 movzbl 0x0(%r13,%r12,1),%eax <-- trapping instruction > 30: 84 c0 test %al,%al > 32: 75 4d jne 0x81 > 34: 8b 2b mov (%rbx),%ebp > 36: 31 ff xor %edi,%edi > 38: 89 ee mov %ebp,%esi > 3a: e8 5a ca 46 f8 call 0xf846ca99 > 3f: 85 .byte 0x85 > > > --- > If you want syzbot to run the reproducer, reply with: > #syz test: git://repo/address.git branch-or-commit-hash > If you attach or paste a git patch, syzbot will apply it before testing. It is triggered by your patch. On the first try, removing your patch seems to fix it. It may have nothing to do with your patch i.e your patch may have opened it up to trigger an existing bug. You removed that if n=0, len=0 check which earlier code was using to terminate the processing. cheers, jamal
Powered by blists - more mailing lists