From: Eric Dumazet <edumazet@google.com>
To: Sam Sun <samsun1006219@gmail.com>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
davem@davemloft.net, dsahern@kernel.org, kuba@kernel.org,
pabeni@redhat.com, syzkaller-bugs@googlegroups.com,
xrivendell7@gmail.com
Subject: Re: [Linux kernel bug] general protection fault in nexthop_is_blackhole
Date: Tue, 7 May 2024 09:31:03 +0200 [thread overview]
Message-ID: <CANn89iLFvGd+=YCbzm==fA3Q0dj=FC-gTZy3kVJ0DTpZ5hZC8w@mail.gmail.com> (raw)
In-Reply-To: <CAEkJfYOoJZZnXioMsaHNHVj8e77Ch8UqKhNcR_UrzU9tJUKoSg@mail.gmail.com>
On Tue, May 7, 2024 at 9:00 AM Sam Sun <samsun1006219@gmail.com> wrote:
>
> Dear developers and maintainers,
>
> We encountered a general protection fault in function
> nexthop_is_blackhole. It was tested against the latest upstream linux
> (tag 6.9-rc7). C repro and kernel config are attached to this email.
> Kernel crash log is listed below.
This is another reiserfs bug, please let's not be mistaken.
We have dozens of syzbot reports about reiserfs.
Thank you.
> ```
> general protection fault, probably for non-canonical address
> 0xdffffc0080008015: 0000 [#1] PREEMPT SMP KASAN NOPTI
> KASAN: probably user-memory-access in range
> [0x00000004000400a8-0x00000004000400af]
> CPU: 1 PID: 7959 Comm: kworker/u8:2 Not tainted 6.9.0-rc6 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.13.0-1ubuntu1.1 04/01/2014
> Workqueue: ipv6_addrconf addrconf_dad_work
> RIP: 0010:nexthop_is_blackhole+0x23/0x2a0 include/net/nexthop.h:370
> Code: 00 00 00 0f 1f 40 00 55 41 57 41 56 53 48 89 fb 49 bf 00 00 00
> 00 00 fc ff df e8 58 c1 b6 f7 4c 8d 73 66 4c 89 f0 48 c1 e8 03 <42> 8a
> 04 38 84 c0 0f 85 17 02 00 00 41 0f b6 2e 31 ff 89 ee e8 44
> RSP: 0018:ffffc900001d81f8 EFLAGS: 00010203
> RAX: 0000000080008015 RBX: 0000000400040048 RCX: ffff88801cbfa500
> RDX: 0000000080000101 RSI: 0000000000000000 RDI: 0000000400040048
> RBP: ffffc900001d8398 R08: ffffffff89d8fd23 R09: 0000000000000021
> R10: ffffc900001d84c0 R11: fffffbfff2273299 R12: ffff88807857e800
> R13: 1ffff1100f0afd0c R14: 00000004000400ae R15: dffffc0000000000
> FS: 0000000000000000(0000) GS:ffff8880be400000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fa8a2420630 CR3: 00000000264f6000 CR4: 0000000000750ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> Call Trace:
> <IRQ>
> __find_rr_leaf+0x521/0x890 net/ipv6/route.c:817
> find_rr_leaf net/ipv6/route.c:861 [inline]
> rt6_select net/ipv6/route.c:896 [inline]
> fib6_table_lookup+0x56f/0xbb0 net/ipv6/route.c:2193
> ip6_pol_route+0x272/0x1580 net/ipv6/route.c:2229
> pol_lookup_func include/net/ip6_fib.h:614 [inline]
> fib6_rule_lookup+0x571/0x780 net/ipv6/fib6_rules.c:116
> ip6_route_input_lookup net/ipv6/route.c:2298 [inline]
> ip6_route_input+0x839/0xd10 net/ipv6/route.c:2594
> ip6_rcv_finish net/ipv6/ip6_input.c:77 [inline]
> NF_HOOK include/linux/netfilter.h:314 [inline]
> ipv6_rcv+0x1dc/0x200 net/ipv6/ip6_input.c:310
> __netif_receive_skb_one_core net/core/dev.c:5544 [inline]
> __netif_receive_skb+0x1dc/0x640 net/core/dev.c:5658
> process_backlog+0x361/0x790 net/core/dev.c:5987
> __napi_poll+0xca/0x480 net/core/dev.c:6638
> napi_poll net/core/dev.c:6707 [inline]
> net_rx_action+0x7c0/0x10a0 net/core/dev.c:6822
> __do_softirq+0x272/0x734 kernel/softirq.c:554
> do_softirq+0xfe/0x1b0 kernel/softirq.c:455
> </IRQ>
> <TASK>
> __local_bh_enable_ip+0x18a/0x1c0 kernel/softirq.c:382
> local_bh_enable include/linux/bottom_half.h:33 [inline]
> rcu_read_unlock_bh include/linux/rcupdate.h:851 [inline]
> __dev_queue_xmit+0x1d13/0x3a60 net/core/dev.c:4368
> neigh_output include/net/neighbour.h:542 [inline]
> ip6_finish_output2+0xfcf/0x1600 net/ipv6/ip6_output.c:137
> ip6_finish_output+0x3c8/0x7f0 net/ipv6/ip6_output.c:222
> NF_HOOK include/linux/netfilter.h:314 [inline]
> ndisc_send_skb+0xa39/0xf40 net/ipv6/ndisc.c:509
> addrconf_dad_completed+0x734/0xc60 net/ipv6/addrconf.c:4358
> addrconf_dad_work+0xd82/0x16b0
> process_one_work kernel/workqueue.c:3254 [inline]
> process_scheduled_works+0x9c9/0x14a0 kernel/workqueue.c:3335
> worker_thread+0x85c/0xd50 kernel/workqueue.c:3416
> kthread+0x2ed/0x390 kernel/kthread.c:388
> ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:nexthop_is_blackhole+0x23/0x2a0 include/net/nexthop.h:370
> Code: 00 00 00 0f 1f 40 00 55 41 57 41 56 53 48 89 fb 49 bf 00 00 00
> 00 00 fc ff df e8 58 c1 b6 f7 4c 8d 73 66 4c 89 f0 48 c1 e8 03 <42> 8a
> 04 38 84 c0 0f 85 17 02 00 00 41 0f b6 2e 31 ff 89 ee e8 44
> RSP: 0018:ffffc900001d81f8 EFLAGS: 00010203
>
> RAX: 0000000080008015 RBX: 0000000400040048 RCX: ffff88801cbfa500
> RDX: 0000000080000101 RSI: 0000000000000000 RDI: 0000000400040048
> RBP: ffffc900001d8398 R08: ffffffff89d8fd23 R09: 0000000000000021
> R10: ffffc900001d84c0 R11: fffffbfff2273299 R12: ffff88807857e800
> R13: 1ffff1100f0afd0c R14: 00000004000400ae R15: dffffc0000000000
> FS: 0000000000000000(0000) GS:ffff8880be400000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fa8a2420630 CR3: 00000000264f6000 CR4: 0000000000750ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> ----------------
> Code disassembly (best guess), 1 bytes skipped:
> 0: 00 00 add %al,(%rax)
> 2: 0f 1f 40 00 nopl 0x0(%rax)
> 6: 55 push %rbp
> 7: 41 57 push %r15
> 9: 41 56 push %r14
> b: 53 push %rbx
> c: 48 89 fb mov %rdi,%rbx
> f: 49 bf 00 00 00 00 00 movabs $0xdffffc0000000000,%r15
> 16: fc ff df
> 19: e8 58 c1 b6 f7 callq 0xf7b6c176
> 1e: 4c 8d 73 66 lea 0x66(%rbx),%r14
> 22: 4c 89 f0 mov %r14,%rax
> 25: 48 c1 e8 03 shr $0x3,%rax
> * 29: 42 8a 04 38 mov (%rax,%r15,1),%al <-- trapping instruction
> 2d: 84 c0 test %al,%al
> 2f: 0f 85 17 02 00 00 jne 0x24c
> 35: 41 0f b6 2e movzbl (%r14),%ebp
> 39: 31 ff xor %edi,%edi
> 3b: 89 ee mov %ebp,%esi
> 3d: e8 .byte 0xe8
> 3e: 44 rex.R
> ```
> If you have any questions, please contact us.
>
> Reported by Yue Sun <samsun1006219@gmail.com>
> Reported by xingwei lee <xrivendell7@gmail.com>
>
> Best Regards,
> Yue
next prev parent reply other threads:[~2024-05-07 7:31 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-07 7:00 [Linux kernel bug] general protection fault in nexthop_is_blackhole Sam Sun
2024-05-07 7:31 ` Eric Dumazet [this message]
2024-05-07 7:39 ` Sam Sun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CANn89iLFvGd+=YCbzm==fA3Q0dj=FC-gTZy3kVJ0DTpZ5hZC8w@mail.gmail.com' \
--to=edumazet@google.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=samsun1006219@gmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=xrivendell7@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).