general protection fault in em_u32_match
3 views
Skip to first unread message
syzbot
Aug 31, 2021, 11:06:30 AM8/31/21
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: e23d55af0e1f Linux 4.19.205
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13b11625300000
kernel config: https://syzkaller.appspot.com/x/.config?x=2221dd564152b412
dashboard link: https://syzkaller.appspot.com/bug?extid=3b895505ea28dc6f5f78
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3b8955...@syzkaller.appspotmail.com
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 12009 Comm: syz-executor.4 Not tainted 4.19.205-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:em_u32_match+0x156/0x300 net/sched/em_u32.c:33
Code: 9c 01 00 00 41 23 5c 24 0c 48 63 db 4c 01 fb e8 30 ff c2 fa 49 8d 7c 24 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 21
RSP: 0018:ffff8880618c6e48 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff88809636cd10 RCX: ffffc9000e647000
RDX: 0000000000000001 RSI: ffffffff869f9390 RDI: 0000000000000008
RBP: ffff8880a53278c0 R08: 0000000000000000 R09: 0000000000000002
R10: 0000000000000004 R11: 0000000000074071 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88809636cd00 R15: dffffc0000000000
FS: 00007f11f1d81700(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4f73fff718 CR3: 00000000664c8000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tcf_em_match net/sched/ematch.c:496 [inline]
__tcf_em_tree_match+0x14a/0x530 net/sched/ematch.c:522
tcf_em_tree_match include/net/pkt_cls.h:531 [inline]
basic_classify+0x1c0/0x2b0 net/sched/cls_basic.c:49
tcf_classify+0x120/0x3c0 net/sched/cls_api.c:979
hfsc_classify net/sched/sch_hfsc.c:1141 [inline]
hfsc_enqueue+0x31a/0x10a0 net/sched/sch_hfsc.c:1545
__dev_xmit_skb net/core/dev.c:3494 [inline]
__dev_queue_xmit+0x140a/0x2e00 net/core/dev.c:3807
hfsplus: unable to find HFS+ superblock
neigh_resolve_output+0x55a/0x910 net/core/neighbour.c:1374
neigh_output include/net/neighbour.h:501 [inline]
ip_finish_output2+0xd76/0x15a0 net/ipv4/ip_output.c:230
ip_do_fragment+0x1e1a/0x2620 net/ipv4/ip_output.c:680
ip_fragment.constprop.0+0x174/0x240 net/ipv4/ip_output.c:551
ip_finish_output+0xa35/0x10b0 net/ipv4/ip_output.c:316
NF_HOOK_COND include/linux/netfilter.h:278 [inline]
ip_mc_output+0x268/0xec0 net/ipv4/ip_output.c:391
dst_output include/net/dst.h:455 [inline]
ip_local_out+0xaf/0x170 net/ipv4/ip_output.c:125
ip_send_skb net/ipv4/ip_output.c:1451 [inline]
ip_push_pending_frames+0x8b/0x140 net/ipv4/ip_output.c:1471
raw_sendmsg+0x1e9d/0x29e0 net/ipv4/raw.c:677
inet_sendmsg+0x132/0x5a0 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg+0xc3/0x120 net/socket.c:661
sock_no_sendpage+0xf5/0x140 net/core/sock.c:2668
inet_sendpage+0x465/0x650 net/ipv4/af_inet.c:816
kernel_sendpage net/socket.c:3581 [inline]
sock_sendpage+0xdf/0x140 net/socket.c:912
pipe_to_sendpage+0x268/0x330 fs/splice.c:452
splice_from_pipe_feed fs/splice.c:503 [inline]
__splice_from_pipe+0x389/0x800 fs/splice.c:627
splice_from_pipe fs/splice.c:662 [inline]
generic_splice_sendpage+0xd4/0x140 fs/splice.c:833
do_splice_from fs/splice.c:852 [inline]
do_splice fs/splice.c:1154 [inline]
__do_sys_splice fs/splice.c:1428 [inline]
__se_sys_splice+0xfe7/0x16d0 fs/splice.c:1408
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4665f9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f11f1d81188 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665f9
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000004bfcc4 R08: 0000000000019403 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038
R13: 00007ffc1369e29f R14: 00007f11f1d81300 R15: 0000000000022000
Modules linked in:
---[ end trace c7533c8ec228fb52 ]---
RIP: 0010:em_u32_match+0x156/0x300 net/sched/em_u32.c:33
Code: 9c 01 00 00 41 23 5c 24 0c 48 63 db 4c 01 fb e8 30 ff c2 fa 49 8d 7c 24 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 21
RSP: 0018:ffff8880618c6e48 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff88809636cd10 RCX: ffffc9000e647000
RDX: 0000000000000001 RSI: ffffffff869f9390 RDI: 0000000000000008
RBP: ffff8880a53278c0 R08: 0000000000000000 R09: 0000000000000002
R10: 0000000000000004 R11: 0000000000074071 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88809636cd00 R15: dffffc0000000000
FS: 00007f11f1d81700(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4f73fff718 CR3: 00000000664c8000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 9c pushfq
1: 01 00 add %eax,(%rax)
3: 00 41 23 add %al,0x23(%rcx)
6: 5c pop %rsp
7: 24 0c and $0xc,%al
9: 48 63 db movslq %ebx,%rbx
c: 4c 01 fb add %r15,%rbx
f: e8 30 ff c2 fa callq 0xfac2ff44
14: 49 8d 7c 24 08 lea 0x8(%r12),%rdi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx <-- trapping instruction
2e: 48 89 f8 mov %rdi,%rax
31: 83 e0 07 and $0x7,%eax
34: 83 c0 03 add $0x3,%eax
37: 38 d0 cmp %dl,%al
39: 7c 08 jl 0x43
3b: 84 d2 test %dl,%dl
3d: 0f .byte 0xf
3e: 85 21 test %esp,(%rcx)
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: e23d55af0e1f Linux 4.19.205
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13b11625300000
kernel config: https://syzkaller.appspot.com/x/.config?x=2221dd564152b412
dashboard link: https://syzkaller.appspot.com/bug?extid=3b895505ea28dc6f5f78
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3b8955...@syzkaller.appspotmail.com
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 12009 Comm: syz-executor.4 Not tainted 4.19.205-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:em_u32_match+0x156/0x300 net/sched/em_u32.c:33
Code: 9c 01 00 00 41 23 5c 24 0c 48 63 db 4c 01 fb e8 30 ff c2 fa 49 8d 7c 24 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 21
RSP: 0018:ffff8880618c6e48 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff88809636cd10 RCX: ffffc9000e647000
RDX: 0000000000000001 RSI: ffffffff869f9390 RDI: 0000000000000008
RBP: ffff8880a53278c0 R08: 0000000000000000 R09: 0000000000000002
R10: 0000000000000004 R11: 0000000000074071 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88809636cd00 R15: dffffc0000000000
FS: 00007f11f1d81700(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4f73fff718 CR3: 00000000664c8000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tcf_em_match net/sched/ematch.c:496 [inline]
__tcf_em_tree_match+0x14a/0x530 net/sched/ematch.c:522
tcf_em_tree_match include/net/pkt_cls.h:531 [inline]
basic_classify+0x1c0/0x2b0 net/sched/cls_basic.c:49
tcf_classify+0x120/0x3c0 net/sched/cls_api.c:979
hfsc_classify net/sched/sch_hfsc.c:1141 [inline]
hfsc_enqueue+0x31a/0x10a0 net/sched/sch_hfsc.c:1545
__dev_xmit_skb net/core/dev.c:3494 [inline]
__dev_queue_xmit+0x140a/0x2e00 net/core/dev.c:3807
hfsplus: unable to find HFS+ superblock
neigh_resolve_output+0x55a/0x910 net/core/neighbour.c:1374
neigh_output include/net/neighbour.h:501 [inline]
ip_finish_output2+0xd76/0x15a0 net/ipv4/ip_output.c:230
ip_do_fragment+0x1e1a/0x2620 net/ipv4/ip_output.c:680
ip_fragment.constprop.0+0x174/0x240 net/ipv4/ip_output.c:551
ip_finish_output+0xa35/0x10b0 net/ipv4/ip_output.c:316
NF_HOOK_COND include/linux/netfilter.h:278 [inline]
ip_mc_output+0x268/0xec0 net/ipv4/ip_output.c:391
dst_output include/net/dst.h:455 [inline]
ip_local_out+0xaf/0x170 net/ipv4/ip_output.c:125
ip_send_skb net/ipv4/ip_output.c:1451 [inline]
ip_push_pending_frames+0x8b/0x140 net/ipv4/ip_output.c:1471
raw_sendmsg+0x1e9d/0x29e0 net/ipv4/raw.c:677
inet_sendmsg+0x132/0x5a0 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg+0xc3/0x120 net/socket.c:661
sock_no_sendpage+0xf5/0x140 net/core/sock.c:2668
inet_sendpage+0x465/0x650 net/ipv4/af_inet.c:816
kernel_sendpage net/socket.c:3581 [inline]
sock_sendpage+0xdf/0x140 net/socket.c:912
pipe_to_sendpage+0x268/0x330 fs/splice.c:452
splice_from_pipe_feed fs/splice.c:503 [inline]
__splice_from_pipe+0x389/0x800 fs/splice.c:627
splice_from_pipe fs/splice.c:662 [inline]
generic_splice_sendpage+0xd4/0x140 fs/splice.c:833
do_splice_from fs/splice.c:852 [inline]
do_splice fs/splice.c:1154 [inline]
__do_sys_splice fs/splice.c:1428 [inline]
__se_sys_splice+0xfe7/0x16d0 fs/splice.c:1408
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4665f9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f11f1d81188 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665f9
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000004bfcc4 R08: 0000000000019403 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038
R13: 00007ffc1369e29f R14: 00007f11f1d81300 R15: 0000000000022000
Modules linked in:
---[ end trace c7533c8ec228fb52 ]---
RIP: 0010:em_u32_match+0x156/0x300 net/sched/em_u32.c:33
Code: 9c 01 00 00 41 23 5c 24 0c 48 63 db 4c 01 fb e8 30 ff c2 fa 49 8d 7c 24 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 21
RSP: 0018:ffff8880618c6e48 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff88809636cd10 RCX: ffffc9000e647000
RDX: 0000000000000001 RSI: ffffffff869f9390 RDI: 0000000000000008
RBP: ffff8880a53278c0 R08: 0000000000000000 R09: 0000000000000002
R10: 0000000000000004 R11: 0000000000074071 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88809636cd00 R15: dffffc0000000000
FS: 00007f11f1d81700(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4f73fff718 CR3: 00000000664c8000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 9c pushfq
1: 01 00 add %eax,(%rax)
3: 00 41 23 add %al,0x23(%rcx)
6: 5c pop %rsp
7: 24 0c and $0xc,%al
9: 48 63 db movslq %ebx,%rbx
c: 4c 01 fb add %r15,%rbx
f: e8 30 ff c2 fa callq 0xfac2ff44
14: 49 8d 7c 24 08 lea 0x8(%r12),%rdi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx <-- trapping instruction
2e: 48 89 f8 mov %rdi,%rax
31: 83 e0 07 and $0x7,%eax
34: 83 c0 03 add $0x3,%eax
37: 38 d0 cmp %dl,%al
39: 7c 08 jl 0x43
3b: 84 d2 test %dl,%dl
3d: 0f .byte 0xf
3e: 85 21 test %esp,(%rcx)
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Dec 29, 2021, 10:06:15 AM12/29/21
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages