Message-ID: <CANn89i+tGgQsPxtqFFK8Wdn1AcbWz_ygKfOqExwju7F02+RpHQ@mail.gmail.com>
Date: Mon, 19 Aug 2024 09:10:08 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: 김민성 <ii4gsp@...il.com>
Cc: jhs@...atatu.com, xiyou.wangcong@...il.com, jiri@...nulli.us,
davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller@...glegroups.com
Subject: Re: general protection fault in qdisc_reset
On Mon, Aug 19, 2024 at 9:04 AM 김민성 <ii4gsp@...il.com> wrote:
>
> Hi,
>
> I have been fuzzing Linux 6.10.0-rc3 with Syzkaller and found.
Please do not fuzz old rc kernels; this will avoid finding issues that
were already fixed.
For instance, this problem was fixed two months ago:
commit bab4923132feb3e439ae45962979c5d9d5c7c1f1
Author: Yunseong Kim <yskelg@...il.com>
Date: Tue Jun 25 02:33:23 2024 +0900
tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset()
>
> kernel config: https://github.com/ii4gsp/etc/blob/main/200767fee68b8d90c9cf284390e34fa9b17542c9/config_v6.10.0_rc3
> C repro: https://github.com/ii4gsp/etc/blob/main/200767fee68b8d90c9cf284390e34fa9b17542c9/repro.cprog
> repro syscall steps: https://github.com/ii4gsp/etc/blob/main/200767fee68b8d90c9cf284390e34fa9b17542c9/repro.prog
>
> ==========================================
> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000026: 0000 [#1] PREEMPT SMP KASAN NOPTI
> audit: type=1400 audit(1723346247.508:9): avc: denied { kernel } for pid=227 comm="syz-executor166" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=perf_event permissive=1
> KASAN: null-ptr-deref in range [0x0000000000000130-0x0000000000000137]
> CPU: 0 PID: 227 Comm: syz-executor166 Not tainted 6.10.0-rc3-00021-g2ef5971ff345 #1
> Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> RIP: 0010:strlen+0x1e/0xa0 lib/string.c:402
> Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 55 48 89 fa 48 89 fd 53 48 c1 ea 03 48 83 ec 08 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 50 80 7d 00 00
> RSP: 0018:ffff888008b5f708 EFLAGS: 00010292
> RAX: dffffc0000000000 RBX: ffffffffabcde7c0 RCX: ffffffffa9d3584d
> RDX: 0000000000000026 RSI: ffffffffabcde7c0 RDI: 0000000000000130
> RBP: 0000000000000130 R08: 0000000000000000 R09: fffffbfff57c50aa
> R10: ffffffffabe28557 R11: 0000000000000000 R12: ffffffffabcde980
> R13: dffffc0000000000 R14: ffff888001e32428 R15: 0000000000000130
> FS: 00005555772cf380(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00005555772cfca8 CR3: 000000000da8e006 CR4: 0000000000370ef0
> Call Trace:
> <TASK>
> trace_event_get_offsets_qdisc_reset include/trace/events/qdisc.h:77 [inline]
> perf_trace_qdisc_reset+0xf5/0x6a0 include/trace/events/qdisc.h:77
> trace_qdisc_reset include/trace/events/qdisc.h:77 [inline]
> qdisc_reset+0x3e1/0x550 net/sched/sch_generic.c:1029
> dev_reset_queue+0x80/0x120 net/sched/sch_generic.c:1306
> dev_deactivate_many+0x41f/0x830 net/sched/sch_generic.c:1375
> __dev_close_many+0x129/0x2e0 net/core/dev.c:1543
> __dev_close net/core/dev.c:1568 [inline]
> __dev_change_flags+0x3dc/0x5a0 net/core/dev.c:8779
> dev_change_flags+0x8e/0x160 net/core/dev.c:8853
> devinet_ioctl+0xcbf/0x1a30 net/ipv4/devinet.c:1177
> inet_ioctl+0x350/0x3b0 net/ipv4/af_inet.c:1003
> packet_ioctl+0xa8/0x230 net/packet/af_packet.c:4256
> sock_do_ioctl+0x119/0x2a0 net/socket.c:1222
> sock_ioctl+0x3eb/0x630 net/socket.c:1341
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:907 [inline]
> __se_sys_ioctl fs/ioctl.c:893 [inline]
> __x64_sys_ioctl+0x162/0x1e0 fs/ioctl.c:893
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f8b72ae3c0d
> Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffe6b571178 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8b72ae3c0d
> RDX: 0000000020000200 RSI: 0000000000008914 RDI: 0000000000000005
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007f8b72b7bcc8 R15: 0000000000000001
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:strlen+0x1e/0xa0 lib/string.c:402
> Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 b8 00 00 00 00 00 fc ff df 55 48 89 fa 48 89 fd 53 48 c1 ea 03 48 83 ec 08 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 50 80 7d 00 00
> RSP: 0018:ffff888008b5f708 EFLAGS: 00010292
> RAX: dffffc0000000000 RBX: ffffffffabcde7c0 RCX: ffffffffa9d3584d
> RDX: 0000000000000026 RSI: ffffffffabcde7c0 RDI: 0000000000000130
> RBP: 0000000000000130 R08: 0000000000000000 R09: fffffbfff57c50aa
> R10: ffffffffabe28557 R11: 0000000000000000 R12: ffffffffabcde980
> R13: dffffc0000000000 R14: ffff888001e32428 R15: 0000000000000130
> FS: 00005555772cf380(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00005555772cfca8 CR3: 000000000da8e006 CR4: 0000000000370ef0
> ----------------
> Code disassembly (best guess):
> 0: 90 nop
> 1: 90 nop
> 2: 90 nop
> 3: 90 nop
> 4: 90 nop
> 5: 90 nop
> 6: 90 nop
> 7: 90 nop
> 8: 90 nop
> 9: 90 nop
> a: 90 nop
> b: 90 nop
> c: f3 0f 1e fa endbr64
> 10: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
> 17: fc ff df
> 1a: 55 push %rbp
> 1b: 48 89 fa mov %rdi,%rdx
> 1e: 48 89 fd mov %rdi,%rbp
> 21: 53 push %rbx
> 22: 48 c1 ea 03 shr $0x3,%rdx
> 26: 48 83 ec 08 sub $0x8,%rsp
> * 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
> 2e: 48 89 fa mov %rdi,%rdx
> 31: 83 e2 07 and $0x7,%edx
> 34: 38 d0 cmp %dl,%al
> 36: 7f 04 jg 0x3c
> 38: 84 c0 test %al,%al
> 3a: 75 50 jne 0x8c
> 3c: 80 7d 00 00 cmpb $0x0,0x0(%rbp)
> ==========================================
>
> Thanks,
>
> ii4gsp