Message-ID: <20250812133111.4277-1-hdanton@sina.com>
Date: Tue, 12 Aug 2025 21:31:10 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+8aa80c6232008f7b957d@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] BUG: unable to handle kernel paging request in nsim_queue_free
> Date: Tue, 12 Aug 2025 02:58:28 -0700 [thread overview]
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 53e760d89498 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16c415a2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d67d3af29f50297e
> dashboard link: https://syzkaller.appspot.com/bug?extid=8aa80c6232008f7b957d
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=151be9a2580000
#syz test
--- x/drivers/net/netdevsim/netdev.c
+++ y/drivers/net/netdevsim/netdev.c
@@ -709,10 +709,14 @@ static struct nsim_rq *nsim_queue_alloc(
static void nsim_queue_free(struct net_device *dev, struct nsim_rq *rq)
{
+ struct netdevsim *ns = netdev_priv(dev);
+
hrtimer_cancel(&rq->napi_timer);
- local_bh_disable();
- dev_dstats_rx_dropped_add(dev, rq->skb_queue.qlen);
- local_bh_enable();
+ if (ns->registed) {
+ local_bh_disable();
+ dev_dstats_rx_dropped_add(dev, rq->skb_queue.qlen);
+ local_bh_enable();
+ }
skb_queue_purge_reason(&rq->skb_queue, SKB_DROP_REASON_QUEUE_PURGE);
kfree(rq);
}
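Review bot: The new guard in nsim_queue_free tests `ns->registed`, a flag that the later hunks set to 0 at the top of nsim_init_netdevsim and to 1 just before its `return 0`, and that nothing shown ever clears, so it stands in for "the stats that dev_dstats_rx_dropped_add updates are usable" rather than checking that state. If another init path also registers the device and its queues are later freed through this function, the flag would presumably stay 0 and those drops would silently go uncounted; that is worth confirming against the rest of the file. The field in netdevsim.h would read better as `bool registered;` (correct spelling, boolean type, `false`/`true` at the two assignments). A comment on the guard would help the next reader, for example `/* stats may not be set up if init failed part-way; skip drop accounting then */`.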
@@ -981,6 +985,7 @@ err_free_prev:
while (i--)
kfree(ns->rq[i]);
kfree(ns->rq);
+ ns->rq = NULL;
return -ENOMEM;
}
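Review bot: The `ns->rq = NULL;` store after `kfree(ns->rq)` only has meaning together with the `if (!ns->rq) return;` guard added to nsim_queue_uninit in the next hunk, and neither site says that NULL is the "nothing to free" marker. Without it the uninit loop would index the array that was just freed here, so the pairing deserves a comment, e.g. `/* nsim_queue_uninit() treats NULL as already torn down */` on this line. The tail of nsim_queue_uninit is outside the diff; if it frees `ns->rq` without resetting it, a matching `ns->rq = NULL;` there would make the guard hold for a repeated call as well. The function containing this error label starts outside the hunk.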
@@ -989,6 +994,8 @@ static void nsim_queue_uninit(struct net
struct net_device *dev = ns->netdev;
int i;
+ if (!ns->rq)
+ return;
for (i = 0; i < dev->num_rx_queues; i++)
nsim_queue_free(dev, ns->rq[i]);
@@ -1001,6 +1008,7 @@ static int nsim_init_netdevsim(struct ne
struct mock_phc *phc;
int err;
+ ns->registed = 0;
phc = mock_phc_create(&ns->nsim_bus_dev->dev);
if (IS_ERR(phc))
return PTR_ERR(phc);
@@ -1038,6 +1046,7 @@ static int nsim_init_netdevsim(struct ne
&ns->nn))
ns->nb.notifier_call = NULL;
}
+ ns->registed = 1;
return 0;
--- x/drivers/net/netdevsim/netdevsim.h
+++ y/drivers/net/netdevsim/netdevsim.h
@@ -106,6 +106,7 @@ struct netdevsim {
struct mock_phc *phc;
struct nsim_rq **rq;
+ int registed;
int rq_reset_mode;
struct nsim_bus_dev *nsim_bus_dev;
--