From: Eric Dumazet <edumazet@google.com>
To: Sam Sun <samsun1006219@gmail.com>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	davem@davemloft.net,  dsahern@kernel.org, kuba@kernel.org,
	pabeni@redhat.com,  syzkaller-bugs@googlegroups.com,
	xrivendell7@gmail.com
Subject: Re: [Linux kernel bug] general protection fault in nexthop_is_blackhole
Date: Tue, 7 May 2024 09:31:03 +0200	[thread overview]
Message-ID: <CANn89iLFvGd+=YCbzm==fA3Q0dj=FC-gTZy3kVJ0DTpZ5hZC8w@mail.gmail.com> (raw)
In-Reply-To: <CAEkJfYOoJZZnXioMsaHNHVj8e77Ch8UqKhNcR_UrzU9tJUKoSg@mail.gmail.com>

On Tue, May 7, 2024 at 9:00 AM Sam Sun <samsun1006219@gmail.com> wrote:
>
> Dear developers and maintainers,
>
> We encountered a general protection fault in function
> nexthop_is_blackhole. It was tested against the latest upstream linux
> (tag 6.9-rc7). C repro and kernel config are attached to this email.
> Kernel crash log is listed below.

This is another reiserfs bug, please let's not be mistaken.

We have dozens of syzbot reports about reiserfs.

Thank you.

> ```
> general protection fault, probably for non-canonical address
> 0xdffffc0080008015: 0000 [#1] PREEMPT SMP KASAN NOPTI
> KASAN: probably user-memory-access in range
> [0x00000004000400a8-0x00000004000400af]
> CPU: 1 PID: 7959 Comm: kworker/u8:2 Not tainted 6.9.0-rc6 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.13.0-1ubuntu1.1 04/01/2014
> Workqueue: ipv6_addrconf addrconf_dad_work
> RIP: 0010:nexthop_is_blackhole+0x23/0x2a0 include/net/nexthop.h:370
> Code: 00 00 00 0f 1f 40 00 55 41 57 41 56 53 48 89 fb 49 bf 00 00 00
> 00 00 fc ff df e8 58 c1 b6 f7 4c 8d 73 66 4c 89 f0 48 c1 e8 03 <42> 8a
> 04 38 84 c0 0f 85 17 02 00 00 41 0f b6 2e 31 ff 89 ee e8 44
> RSP: 0018:ffffc900001d81f8 EFLAGS: 00010203
> RAX: 0000000080008015 RBX: 0000000400040048 RCX: ffff88801cbfa500
> RDX: 0000000080000101 RSI: 0000000000000000 RDI: 0000000400040048
> RBP: ffffc900001d8398 R08: ffffffff89d8fd23 R09: 0000000000000021
> R10: ffffc900001d84c0 R11: fffffbfff2273299 R12: ffff88807857e800
> R13: 1ffff1100f0afd0c R14: 00000004000400ae R15: dffffc0000000000
> FS:  0000000000000000(0000) GS:ffff8880be400000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fa8a2420630 CR3: 00000000264f6000 CR4: 0000000000750ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> Call Trace:
>  <IRQ>
>  __find_rr_leaf+0x521/0x890 net/ipv6/route.c:817
>  find_rr_leaf net/ipv6/route.c:861 [inline]
>  rt6_select net/ipv6/route.c:896 [inline]
>  fib6_table_lookup+0x56f/0xbb0 net/ipv6/route.c:2193
>  ip6_pol_route+0x272/0x1580 net/ipv6/route.c:2229
>  pol_lookup_func include/net/ip6_fib.h:614 [inline]
>  fib6_rule_lookup+0x571/0x780 net/ipv6/fib6_rules.c:116
>  ip6_route_input_lookup net/ipv6/route.c:2298 [inline]
>  ip6_route_input+0x839/0xd10 net/ipv6/route.c:2594
>  ip6_rcv_finish net/ipv6/ip6_input.c:77 [inline]
>  NF_HOOK include/linux/netfilter.h:314 [inline]
>  ipv6_rcv+0x1dc/0x200 net/ipv6/ip6_input.c:310
>  __netif_receive_skb_one_core net/core/dev.c:5544 [inline]
>  __netif_receive_skb+0x1dc/0x640 net/core/dev.c:5658
>  process_backlog+0x361/0x790 net/core/dev.c:5987
>  __napi_poll+0xca/0x480 net/core/dev.c:6638
>  napi_poll net/core/dev.c:6707 [inline]
>  net_rx_action+0x7c0/0x10a0 net/core/dev.c:6822
>  __do_softirq+0x272/0x734 kernel/softirq.c:554
>  do_softirq+0xfe/0x1b0 kernel/softirq.c:455
>  </IRQ>
>  <TASK>
>  __local_bh_enable_ip+0x18a/0x1c0 kernel/softirq.c:382
>  local_bh_enable include/linux/bottom_half.h:33 [inline]
>  rcu_read_unlock_bh include/linux/rcupdate.h:851 [inline]
>  __dev_queue_xmit+0x1d13/0x3a60 net/core/dev.c:4368
>  neigh_output include/net/neighbour.h:542 [inline]
>  ip6_finish_output2+0xfcf/0x1600 net/ipv6/ip6_output.c:137
>  ip6_finish_output+0x3c8/0x7f0 net/ipv6/ip6_output.c:222
>  NF_HOOK include/linux/netfilter.h:314 [inline]
>  ndisc_send_skb+0xa39/0xf40 net/ipv6/ndisc.c:509
>  addrconf_dad_completed+0x734/0xc60 net/ipv6/addrconf.c:4358
>  addrconf_dad_work+0xd82/0x16b0
>  process_one_work kernel/workqueue.c:3254 [inline]
>  process_scheduled_works+0x9c9/0x14a0 kernel/workqueue.c:3335
>  worker_thread+0x85c/0xd50 kernel/workqueue.c:3416
>  kthread+0x2ed/0x390 kernel/kthread.c:388
>  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
>  </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:nexthop_is_blackhole+0x23/0x2a0 include/net/nexthop.h:370
> Code: 00 00 00 0f 1f 40 00 55 41 57 41 56 53 48 89 fb 49 bf 00 00 00
> 00 00 fc ff df e8 58 c1 b6 f7 4c 8d 73 66 4c 89 f0 48 c1 e8 03 <42> 8a
> 04 38 84 c0 0f 85 17 02 00 00 41 0f b6 2e 31 ff 89 ee e8 44
> RSP: 0018:ffffc900001d81f8 EFLAGS: 00010203
>
> RAX: 0000000080008015 RBX: 0000000400040048 RCX: ffff88801cbfa500
> RDX: 0000000080000101 RSI: 0000000000000000 RDI: 0000000400040048
> RBP: ffffc900001d8398 R08: ffffffff89d8fd23 R09: 0000000000000021
> R10: ffffc900001d84c0 R11: fffffbfff2273299 R12: ffff88807857e800
> R13: 1ffff1100f0afd0c R14: 00000004000400ae R15: dffffc0000000000
> FS:  0000000000000000(0000) GS:ffff8880be400000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fa8a2420630 CR3: 00000000264f6000 CR4: 0000000000750ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> ----------------
> Code disassembly (best guess), 1 bytes skipped:
>    0: 00 00                 add    %al,(%rax)
>    2: 0f 1f 40 00           nopl   0x0(%rax)
>    6: 55                   push   %rbp
>    7: 41 57                 push   %r15
>    9: 41 56                 push   %r14
>    b: 53                   push   %rbx
>    c: 48 89 fb             mov    %rdi,%rbx
>    f: 49 bf 00 00 00 00 00 movabs $0xdffffc0000000000,%r15
>   16: fc ff df
>   19: e8 58 c1 b6 f7       callq  0xf7b6c176
>   1e: 4c 8d 73 66           lea    0x66(%rbx),%r14
>   22: 4c 89 f0             mov    %r14,%rax
>   25: 48 c1 e8 03           shr    $0x3,%rax
> * 29: 42 8a 04 38           mov    (%rax,%r15,1),%al <-- trapping instruction
>   2d: 84 c0                 test   %al,%al
>   2f: 0f 85 17 02 00 00     jne    0x24c
>   35: 41 0f b6 2e           movzbl (%r14),%ebp
>   39: 31 ff                 xor    %edi,%edi
>   3b: 89 ee                 mov    %ebp,%esi
>   3d: e8                   .byte 0xe8
>   3e: 44                   rex.R
> ```
> If you have any questions, please contact us.
>
> Reported by Yue Sun <samsun1006219@gmail.com>
> Reported by xingwei lee <xrivendell7@gmail.com>
>
> Best Regards,
> Yue
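
The following is an added worked example for reading the KASAN part of the crash log above; it is not code from the thread, the kernel, or syzkaller. It reproduces the shadow-address arithmetic the trapping instruction sequence performs (movabs $0xdffffc0000000000,%r15 / shr $0x3,%rax / mov (%rax,%r15,1),%al) using the register values from the dump, and checks that the "non-canonical address" and "user-memory-access in range" lines follow from them. The constants are the generic x86-64 KASAN shadow offset and scale as seen in the disassembly; the struct field offset 0x66 is taken from "lea 0x66(%rbx),%r14" and is not claimed to be a named member of struct nexthop.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Generic (software) KASAN on x86-64 maps every 8 bytes of address space to
 * one shadow byte at (addr >> 3) + KASAN_SHADOW_OFFSET.  Both constants are
 * visible in the disassembly above: "movabs $0xdffffc0000000000,%r15" and
 * "shr $0x3,%rax", followed by the trapping "mov (%rax,%r15,1),%al".
 */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3

/* Shadow byte consulted before an access to `addr`. */
uint64_t kasan_shadow_addr(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse mapping: first byte of the 8-byte granule a shadow byte covers. */
uint64_t kasan_granule_start(uint64_t shadow)
{
	return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/*
 * x86-64 requires bits 63..47 of a linear address to be identical.  A load
 * from a non-canonical address raises #GP, not #PF, which is why the log
 * reports "general protection fault, probably for non-canonical address"
 * and the CR2 value is unrelated to the crash.
 */
bool is_canonical_x86_64(uint64_t addr)
{
	uint64_t top17 = addr >> 47;
	return top17 == 0 || top17 == 0x1ffff;
}

/* Lower half of the address space: user mappings, never valid kernel data. */
bool is_user_addr_x86_64(uint64_t addr)
{
	return addr < 0x0000800000000000ULL;
}

struct kasan_gp_decode {
	uint64_t access;          /* address the kernel tried to read */
	uint64_t shadow;          /* shadow address the load actually faulted on */
	uint64_t range_start;     /* KASAN's "in range [start-end]" */
	uint64_t range_end;
	bool shadow_canonical;    /* false => #GP rather than a page fault */
	bool access_is_user;      /* true  => "probably user-memory-access" */
};

struct kasan_gp_decode decode_kasan_gp(uint64_t access)
{
	struct kasan_gp_decode d;

	d.access = access;
	d.shadow = kasan_shadow_addr(access);
	d.range_start = kasan_granule_start(d.shadow);
	d.range_end = d.range_start + (1ULL << KASAN_SHADOW_SCALE_SHIFT) - 1;
	d.shadow_canonical = is_canonical_x86_64(d.shadow);
	d.access_is_user = is_user_addr_x86_64(access);
	return d;
}

int main(void)
{
	/*
	 * Register values copied from the dump above.  RBX holds the pointer
	 * handed to nexthop_is_blackhole(); the trapping sequence reads one
	 * byte at RBX + 0x66, which is the value in R14.
	 */
	uint64_t nh = 0x0000000400040048ULL;
	uint64_t field = nh + 0x66;
	struct kasan_gp_decode d = decode_kasan_gp(field);

	printf("access  0x%016llx (%s)\n", (unsigned long long)d.access,
	       d.access_is_user ? "user-space half" : "kernel half");
	printf("shadow  0x%016llx (%s)\n", (unsigned long long)d.shadow,
	       d.shadow_canonical ? "canonical" : "non-canonical -> #GP");
	printf("range   [0x%016llx-0x%016llx]\n",
	       (unsigned long long)d.range_start,
	       (unsigned long long)d.range_end);
	return 0;
}
```

Running it reproduces the three numbers in the log: shadow 0xdffffc0080008015 (the #GP address), range [0x00000004000400a8-0x00000004000400af], and an access in the user half of the address space. The practical point for triage is that the pointer in RBX (0x400040048) is already garbage on entry to nexthop_is_blackhole(); the fault is the shadow lookup, not a bug in the code at include/net/nexthop.h:370, which is consistent with corruption originating elsewhere, as the reply above says.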

Thread overview: 3+ messages
2024-05-07  7:00 [Linux kernel bug] general protection fault in nexthop_is_blackhole Sam Sun
2024-05-07  7:31 ` Eric Dumazet [this message]
2024-05-07  7:39   ` Sam Sun
