| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6926f074.a70a0220.d98e3.00d4.GAE@google.com> Date: Wed, 26 Nov 2025 04:20:04 -0800 From: syzbot <syzbot+3a92d359bc2ec6255a33@...kaller.appspotmail.com> To: linux-kernel@...r.kernel.org, matttbe@...nel.org, pabeni@...hat.com, syzkaller-bugs@...glegroups.com Subject: Re: [syzbot] [net?] divide error in __tcp_select_window (4) Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: divide error in __tcp_select_window RSP: 002b:00007f86321dd038 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f86315e5fa0 RCX: 00007f863138f749 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f86321dd090 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007f86315e6038 R14: 00007f86315e5fa0 R15: 00007ffd93c62a18 </TASK> Oops: divide error: 0000 [#1] SMP KASAN PTI CPU: 1 UID: 0 PID: 6439 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 RIP: 0010:__tcp_select_window+0x824/0x1320 net/ipv4/tcp_output.c:3336 Code: ff ff ff 44 89 f1 d3 e0 89 c1 f7 d1 41 01 cc 41 21 c4 e9 a9 00 00 00 e8 da 10 01 f8 e9 9c 00 00 00 e8 d0 10 01 f8 44 89 e0 99 <f7> 7c 24 1c 41 29 d4 48 bb 00 00 00 00 00 fc ff df e9 80 00 00 00 RSP: 0018:ffffc900030a7640 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8880258abc80 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc900030a7730 R08: ffff8880310e8dc3 R09: 1ffff1100621d1b8 R10: dffffc0000000000 R11: ffffed100621d1b9 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f86321dd6c0(0000) GS:ffff888126235000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000000180 CR3: 000000007e366000 CR4: 00000000003526f0 Call Trace: <TASK> tcp_select_window net/ipv4/tcp_output.c:281 [inline] __tcp_transmit_skb+0xbc7/0x3aa0 net/ipv4/tcp_output.c:1568 tcp_transmit_skb net/ipv4/tcp_output.c:1649 [inline] tcp_send_active_reset+0x2d1/0x5b0 net/ipv4/tcp_output.c:3836 mptcp_do_fastclose+0x286/0x390 net/mptcp/protocol.c:2896 mptcp_disconnect+0x238/0x730 net/mptcp/protocol.c:3380 mptcp_sendmsg_fastopen+0x2f8/0x580 net/mptcp/protocol.c:1801 mptcp_sendmsg+0x1774/0x1980 net/mptcp/protocol.c:1880 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0xe5/0x270 net/socket.c:742 __sys_sendto+0x3bd/0x520 net/socket.c:2244 __do_sys_sendto net/socket.c:2251 [inline] __se_sys_sendto net/socket.c:2247 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2247 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f863138f749 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f86321dd038 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f86315e5fa0 RCX: 00007f863138f749 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f86321dd090 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007f86315e6038 R14: 00007f86315e5fa0 R15: 00007ffd93c62a18 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:__tcp_select_window+0x824/0x1320 net/ipv4/tcp_output.c:3336 Code: ff ff ff 44 89 f1 d3 e0 89 c1 f7 d1 41 01 cc 41 21 c4 e9 a9 00 00 00 e8 da 10 01 f8 e9 9c 00 00 00 e8 d0 10 01 f8 44 89 e0 99 <f7> 7c 24 1c 41 29 d4 48 bb 00 00 00 00 00 fc ff df e9 80 00 00 00 RSP: 0018:ffffc900030a7640 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8880258abc80 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc900030a7730 R08: ffff8880310e8dc3 R09: 1ffff1100621d1b8 R10: dffffc0000000000 R11: ffffed100621d1b9 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f86321dd6c0(0000) GS:ffff888126235000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4311661286 CR3: 000000007e366000 CR4: 00000000003526f0 ---------------- Code disassembly (best guess), 2 bytes skipped: 0: ff 44 89 f1 incl -0xf(%rcx,%rcx,4) 4: d3 e0 shl %cl,%eax 6: 89 c1 mov %eax,%ecx 8: f7 d1 not %ecx a: 41 01 cc add %ecx,%r12d d: 41 21 c4 and %eax,%r12d 10: e9 a9 00 00 00 jmp 0xbe 15: e8 da 10 01 f8 call 0xf80110f4 1a: e9 9c 00 00 00 jmp 0xbb 1f: e8 d0 10 01 f8 call 0xf80110f4 24: 44 89 e0 mov %r12d,%eax 27: 99 cltd * 28: f7 7c 24 1c idivl 0x1c(%rsp) <-- trapping instruction 2c: 41 29 d4 sub %edx,%r12d 2f: 48 bb 00 00 00 00 00 movabs $0xdffffc0000000000,%rbx 36: fc ff df 39: e9 80 00 00 00 jmp 0xbe Tested on: commit: ab084f0b drivers: net: fbnic: Return the true error in.. git tree: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main console output: https://syzkaller.appspot.com/x/log.txt?x=1317ee92580000 kernel config: https://syzkaller.appspot.com/x/.config?x=a881ccda32df4e75 dashboard link: https://syzkaller.appspot.com/bug?extid=3a92d359bc2ec6255a33 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=16cb0e12580000
Powered by blists - more mailing lists