Message-ID: <ZpFEJeNpwxW1aW9k@gmail.com>
Date: Fri, 12 Jul 2024 07:56:37 -0700
From: Breno Leitao <leitao@...ian.org>
To: michael.chan@...adcom.com, kuba@...nel.org
Cc: netdev@...r.kernel.org
Subject: net: bnxt: Crash on 6.10 ioctl

Hello,

Testing commit 24ca36a562 ("Merge tag 'wq-for-6.10-rc5-fixes' of
git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq") I am getting the
following crash in bnxt driver:

	BUG: kernel NULL pointer dereference, address: 00000000000000b8
	#PF: supervisor read access in kernel mode
	#PF: error_code(0x0000) - not-present page
	PGD 0 P4D 0
	Oops: Oops: 0000 [#1] SMP
	Hardware name: ...
	RIP: 0010:bnxt_get_max_rss_ctx_ring (drivers/net/ethernet/broadcom/bnxt/bnxt.c:?)
	Code: e7 03 44 89 ca 83 e2 fc 31 c0 eb 19 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 4d 8b 12 4d 39 f2 0f 84 92 00 00 00 45 85 c9 74 ef <49> 8b b2 b8 00 00 00 31 db 49 83 f8 03 73 30 48 85 ff 74 db 48 8d
	All code
	========
	   0:	e7 03                	out    %eax,$0x3
	   2:	44 89 ca             	mov    %r9d,%edx
	   5:	83 e2 fc             	and    $0xfffffffc,%edx
	   8:	31 c0                	xor    %eax,%eax
	   a:	eb 19                	jmp    0x25
	   c:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
	  13:	00 00 00
	  16:	0f 1f 00             	nopl   (%rax)
	  19:	4d 8b 12             	mov    (%r10),%r10
	  1c:	4d 39 f2             	cmp    %r14,%r10
	  1f:	0f 84 92 00 00 00    	je     0xb7
	  25:	45 85 c9             	test   %r9d,%r9d
	  28:	74 ef                	je     0x19
	  2a:*	49 8b b2 b8 00 00 00 	mov    0xb8(%r10),%rsi		<-- trapping instruction
	  31:	31 db                	xor    %ebx,%ebx
	  33:	49 83 f8 03          	cmp    $0x3,%r8
	  37:	73 30                	jae    0x69
	  39:	48 85 ff             	test   %rdi,%rdi
	  3c:	74 db                	je     0x19
	  3e:	48                   	rex.W
	  3f:	8d                   	.byte 0x8d

	Code starting with the faulting instruction
	===========================================
	   0:	49 8b b2 b8 00 00 00 	mov    0xb8(%r10),%rsi
	   7:	31 db                	xor    %ebx,%ebx
	   9:	49 83 f8 03          	cmp    $0x3,%r8
	   d:	73 30                	jae    0x3f
	   f:	48 85 ff             	test   %rdi,%rdi
	  12:	74 db                	je     0xffffffffffffffef
	  14:	48                   	rex.W
	  15:	8d                   	.byte 0x8d
	RSP: 0018:ffffc900014d3cb8 EFLAGS: 00010202
	RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000000001
	RDX: 0000000000000080 RSI: 0000000000000206 RDI: 0000000000000000
	RBP: 00000000ffffffea R08: 000000000000007f R09: 0000000000000080
	R10: 0000000000000000 R11: 00000003246184b4 R12: 00007ffc260f65c0
	R13: ffff888103158000 R14: ffff888103158978 R15: ffff888103158840
	FS:  00007fbc65e3e940(0000) GS:ffff88903fe40000(0000) knlGS:0000000000000000
	CR2: 00000000000000b8 CR3: 0000000109c98003 CR4: 00000000007706f0
	05:56:10  PKRU: 55555554
	Call Trace:
	<TASK>
	? __die_body (arch/x86/kernel/dumpstack.c:421)
	? page_fault_oops (arch/x86/mm/fault.c:711)
	? schedule_hrtimeout_range_clock (kernel/time/hrtimer.c:1449 kernel/time/hrtimer.c:2293)
	? exc_page_fault (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:72 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
	? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
	? bnxt_get_max_rss_ctx_ring (drivers/net/ethernet/broadcom/bnxt/bnxt.c:?)
	? bnxt_get_max_rss_ctx_ring (drivers/net/ethernet/broadcom/bnxt/bnxt.c:?)
	bnxt_set_channels
	ethtool_set_channels (net/ethtool/ioctl.c:1941)
	dev_ethtool (net/ethtool/ioctl.c:? net/ethtool/ioctl.c:3177)
	dev_ioctl (net/core/dev_ioctl.c:?)
	sock_do_ioctl (net/socket.c:1236)
	sock_ioctl (net/socket.c:1341)
	__se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907 fs/ioctl.c:893)
	do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)

Are you aware of this problem?
Unfortunately I don't have a reproducer at this time.

Thanks
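
A small triage script, added here as an illustration and not part of the report above or of the bnxt driver, that parses an oops of this shape and checks the facts a maintainer looks at first: whether the faulting address is below one page (a NULL base pointer plus a field offset rather than a wild pointer), whether that offset appears as the displacement in the trapping instruction bytes (here `mov 0xb8(%r10),%rsi` with R10 = 0, so a NULL struct pointer), which registers hold zero, and whether the reliable part of the call trace descends from a syscall entry (here `ioctl` via ethtool), which decides how urgently the report is handled. The `OOPS` string is excerpted from the crash quoted in this message; the function names and the 4096-byte page size threshold are this example's own choices.

```python
import re

PAGE_SIZE = 4096  # fault addresses below this are treated as NULL + offset

# Excerpt of the oops quoted above (disassembly listing omitted for brevity).
OOPS = """\
BUG: kernel NULL pointer dereference, address: 00000000000000b8
#PF: supervisor read access in kernel mode
RIP: 0010:bnxt_get_max_rss_ctx_ring (drivers/net/ethernet/broadcom/bnxt/bnxt.c:?)
Code: e7 03 44 89 ca 83 e2 fc 31 c0 eb 19 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 4d 8b 12 4d 39 f2 0f 84 92 00 00 00 45 85 c9 74 ef <49> 8b b2 b8 00 00 00 31 db 49 83 f8 03 73 30 48 85 ff 74 db 48 8d
RSP: 0018:ffffc900014d3cb8 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000000001
RDX: 0000000000000080 RSI: 0000000000000206 RDI: 0000000000000000
RBP: 00000000ffffffea R08: 000000000000007f R09: 0000000000000080
R10: 0000000000000000 R11: 00000003246184b4 R12: 00007ffc260f65c0
R13: ffff888103158000 R14: ffff888103158978 R15: ffff888103158840
CR2: 00000000000000b8 CR3: 0000000109c98003 CR4: 00000000007706f0
Call Trace:
<TASK>
? __die_body (arch/x86/kernel/dumpstack.c:421)
? page_fault_oops (arch/x86/mm/fault.c:711)
? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
? bnxt_get_max_rss_ctx_ring (drivers/net/ethernet/broadcom/bnxt/bnxt.c:?)
bnxt_set_channels
ethtool_set_channels (net/ethtool/ioctl.c:1941)
dev_ethtool (net/ethtool/ioctl.c:? net/ethtool/ioctl.c:3177)
dev_ioctl (net/core/dev_ioctl.c:?)
sock_do_ioctl (net/socket.c:1236)
sock_ioctl (net/socket.c:1341)
__se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907 fs/ioctl.c:893)
do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
"""


def parse_oops(text):
    """Extract fault address, RIP symbol, registers, trapping bytes and call trace."""
    info = {"regs": {}, "trace": [], "trap_bytes": b""}
    m = re.search(r"address: ([0-9a-f]+)", text)
    info["fault_addr"] = int(m.group(1), 16) if m else None
    m = re.search(r"^\s*RIP: \d+:(\S+)", text, re.M)
    info["rip_symbol"] = m.group(1) if m else None
    # General-purpose and control registers printed as 16 hex digits.
    for reg, val in re.findall(r"\b(R[A-Z0-9]{2,3}|CR\d): ([0-9a-f]{16})", text):
        info["regs"][reg] = int(val, 16)
    # "Code:" marks the trapping byte with <..>; keep everything from it onward.
    m = re.search(r"^\s*Code: (.*)$", text, re.M)
    if m and "<" in m.group(1):
        tail = m.group(1).split("<", 1)[1].replace(">", " ")
        info["trap_bytes"] = bytes(int(h, 16) for h in re.findall(r"\b[0-9a-f]{2}\b", tail))
    in_trace = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        if not in_trace or line in ("", "<TASK>", "</TASK>"):
            continue
        unreliable = line.startswith("? ")  # frames the unwinder could not verify
        info["trace"].append((line.lstrip("? ").split(" ", 1)[0], unreliable))
    return info


def triage(info):
    """Derive the first-pass facts a reviewer wants from a parsed oops."""
    addr = info["fault_addr"]
    out = {"null_plus_offset": addr is not None and addr < PAGE_SIZE}
    out["field_offset"] = addr if out["null_plus_offset"] else None
    # The page-fault handler reports the faulting linear address in CR2.
    out["cr2_matches"] = info["regs"].get("CR2") == addr
    # Zero-valued GPRs are the candidate NULL base pointers.
    out["null_regs"] = sorted(r for r, v in info["regs"].items() if v == 0 and r.startswith("R"))
    # The offset appearing as a 32-bit displacement in the faulting instruction
    # confirms "NULL struct pointer + field" rather than an arbitrary bad pointer.
    out["offset_in_insn"] = out["null_plus_offset"] and addr.to_bytes(4, "little") in info["trap_bytes"]
    reliable = [s for s, unrel in info["trace"] if not unrel]
    out["reliable_trace"] = reliable
    out["entry_point"] = next((s for s in reliable if s.startswith(("__se_sys_", "__x64_sys_"))), None)
    out["syscall_reachable"] = out["entry_point"] is not None or "do_syscall_64" in reliable
    return out


if __name__ == "__main__":
    for key, value in triage(parse_oops(OOPS)).items():
        print(f"{key}: {value}")
```

On the trace above the script reports a field offset of 0xb8 matching CR2, R10/RAX/RDI as the zero registers, the 0xb8 displacement present in the trapping bytes, and `__se_sys_ioctl` as the entry point, i.e. a NULL struct pointer dereferenced on an ethtool path reachable from userspace through `ioctl`.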
