Report "general protection fault in sysctl_print_dir"

Hello,

We found the following crash when fuzzing^1 the Linux kernel 6.10 and we are
able to reproduce it. To our knowledge, this crash has not been observed by
SyzBot so we would like to report it for your reference.

- Crash
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 59 Comm: kworker/u8:1 Not tainted 6.10.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:sysctl_print_dir.isra.0+0x6e/0xa0 linux-6.10/fs/proc/proc_sysctl.c:94
Code: 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 2b 48 b8 00 00 00 00 00 fc ff df 48 8b 1b 48 89 da 48 c1 ea 03 <80> 3c 02 00 75 1b 48 8b 33 48 c7 c7 c0 19 2f 84 5b 5d e9 3b 85 98
RSP: 0018:ffff88800ab27840 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff88806d2288c0
RDX: 0000000000000000 RSI: ffffffff8191d8a3 RDI: ffff88801a00a400
RBP: 0000000000000000 R08: fffffbfff09d8001 R09: ffffed1001564ece
R10: ffffed1001564ecd R11: ffff88800ab2766f R12: dffffc0000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88801a00a400
FS:  0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb37bb683a8 CR3: 000000000ac4c004 CR4: 0000000000170ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 put_links+0x214/0x490 linux-6.10/fs/proc/proc_sysctl.c:1480
 drop_sysctl_table+0xce/0x350 linux-6.10/fs/proc/proc_sysctl.c:1494
 unregister_sysctl_table linux-6.10/fs/proc/proc_sysctl.c:1520 [inline]
 unregister_sysctl_table+0x30/0x50 linux-6.10/fs/proc/proc_sysctl.c:1512
 neigh_sysctl_unregister+0x5f/0x80 linux-6.10/net/core/neighbour.c:3882
 inetdev_destroy linux-6.10/net/ipv4/devinet.c:333 [inline]
 inetdev_event+0x486/0x1390 linux-6.10/net/ipv4/devinet.c:1633
 notifier_call_chain+0xef/0x2a0 linux-6.10/kernel/notifier.c:93
 call_netdevice_notifiers_info linux-6.10/net/core/dev.c:1992 [inline]
 call_netdevice_notifiers_info+0x9b/0x100 linux-6.10/net/core/dev.c:1977
 call_netdevice_notifiers_extack linux-6.10/net/core/dev.c:2030 [inline]
 call_netdevice_notifiers linux-6.10/net/core/dev.c:2044 [inline]
 unregister_netdevice_many_notify+0x6b7/0x1400 linux-6.10/net/core/dev.c:11219
 cleanup_net+0x4df/0x930 linux-6.10/net/core/net_namespace.c:635
 process_one_work linux-6.10/kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0x91e/0x10d0 linux-6.10/kernel/workqueue.c:3329
 worker_thread+0x431/0xa30 linux-6.10/kernel/workqueue.c:3409
 kthread+0x2c4/0x3c0 linux-6.10/kernel/kthread.c:389
 ret_from_fork+0x45/0x80 linux-6.10/arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 linux-6.10/arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:sysctl_print_dir.isra.0+0x6e/0xa0 linux-6.10/fs/proc/proc_sysctl.c:94
Code: 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 2b 48 b8 00 00 00 00 00 fc ff df 48 8b 1b 48 89 da 48 c1 ea 03 <80> 3c 02 00 75 1b 48 8b 33 48 c7 c7 c0 19 2f 84 5b 5d e9 3b 85 98
RSP: 0018:ffff88800ab27840 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff88806d2288c0
RDX: 0000000000000000 RSI: ffffffff8191d8a3 RDI: ffff88801a00a400
RBP: 0000000000000000 R08: fffffbfff09d8001 R09: ffffed1001564ece
R10: ffffed1001564ecd R11: ffff88800ab2766f R12: dffffc0000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88801a00a400
FS:  0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb37bb683a8 CR3: 000000000ac4c004 CR4: 0000000000170ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
note: kworker/u8:1[59] exited with preempt_count 1
----------------
Code disassembly (best guess):
   0: 89 da                mov    %ebx,%edx
   2: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
   9: fc ff df
   c: 48 c1 ea 03          shr    $0x3,%rdx
  10: 80 3c 02 00          cmpb   $0x0,(%rdx,%rax,1)
  14: 75 2b                jne    0x41
  16: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
  1d: fc ff df
  20: 48 8b 1b              mov    (%rbx),%rbx
  23: 48 89 da              mov    %rbx,%rdx
  26: 48 c1 ea 03          shr    $0x3,%rdx
* 2a: 80 3c 02 00          cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e: 75 1b                jne    0x4b
  30: 48 8b 33              mov    (%rbx),%rsi
  33: 48 c7 c7 c0 19 2f 84 mov    $0xffffffff842f19c0,%rdi
  3a: 5b                    pop    %rbx
  3b: 5d                    pop    %rbp
  3c: e9                    .byte 0xe9
  3d: 3b                    .byte 0x3b
  3e: 85                    .byte 0x85
  3f: 98                    cwtl


- Reproducer
socket$inet6_tcp(0xa, 0x1, 0x0)
syz_genetlink_get_family_id$mptcp(0x0, 0xffffffffffffffff)
socket$nl_generic(0x10, 0x3, 0x10)
socket$inet6_tcp(0xa, 0x1, 0x0)
r0 = openat$urandom(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
read(r0, &(0x7f0000000000), 0x2000)
r1 = syz_open_dev$sg(&(0x7f0000000040), 0x0, 0x0)
ioctl$SCSI_IOCTL_SEND_COMMAND(r1, 0x1, &(0x7f0000000000)=ANY=[@ANYBLOB="000000001d00000085", @ANYRES8=r1])

- Kernel config
https://drive.google.com/file/d/1LMJgfJPhTu78Cd2DfmDaRitF6cdxxcey/view?usp=sharing


[^1] We used a customized Syzkaller but did not change the guest kernel or the hypervisor.
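The oops header above reports a general protection fault on the non-canonical address 0xdffffc0000000000 while the KASAN line reports a NULL pointer dereference in range [0x0-0x7]; these describe one event. The trapping instruction in the disassembly, cmpb $0x0,(%rdx,%rax,1), is KASAN's inline shadow check: %rax holds the x86-64 shadow offset 0xdffffc0000000000 and %rdx holds the pointer loaded by mov (%rbx),%rbx shifted right by 3. Because that loaded pointer is 0, the shadow address is the bare offset, which is non-canonical, so the CPU raises #GP rather than #PF. The following C program is an added example, not part of the report or of the kernel source: it applies the generic-KASAN shadow mapping (shadow = (addr >> 3) + KASAN_SHADOW_OFFSET, an 8-byte granule per shadow byte) to the register values printed in the oops and recovers the faulting range. The struct names and the decode_kasan_trap helper are illustrative and not kernel APIs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * x86-64 generic-mode KASAN shadow mapping. KASAN_SHADOW_OFFSET is the
 * arch/x86 Kconfig value; KASAN_SHADOW_SCALE_SHIFT = 3 means one shadow
 * byte describes an 8-byte granule of kernel memory.
 */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)

/* Same arithmetic as the kernel's kasan_mem_to_shadow(). */
static uint64_t kasan_mem_to_shadow(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse mapping: first byte of the granule a shadow byte describes. */
static uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
	return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* 48-bit VA: canonical iff bits 63..47 (17 bits) are all 0 or all 1. */
static bool is_canonical_48(uint64_t addr)
{
	uint64_t top = addr >> 47;
	return top == 0 || top == 0x1ffff;
}

/* The three registers read by cmpb $0x0,(%rdx,%rax,1) in the oops. */
struct trap_regs {
	uint64_t rax; /* KASAN_SHADOW_OFFSET, loaded by the movabs */
	uint64_t rbx; /* pointer just loaded by mov (%rbx),%rbx */
	uint64_t rdx; /* rbx >> 3 */
};

struct trap_decode {
	uint64_t shadow_addr;     /* effective address of the cmpb */
	uint64_t mem_lo;          /* first byte of the granule under check */
	uint64_t mem_hi;          /* last byte of that granule */
	bool shadow_noncanonical; /* why the CPU raised #GP, not #PF */
	bool checked_null;        /* the pointer being validated is NULL */
};

/* Illustrative helper (not a kernel function): decode one KASAN trap. */
static struct trap_decode decode_kasan_trap(const struct trap_regs *r)
{
	struct trap_decode d;

	d.shadow_addr = r->rdx + r->rax;   /* (%rdx,%rax,1) */
	d.mem_lo = kasan_shadow_to_mem(d.shadow_addr);
	d.mem_hi = d.mem_lo + KASAN_GRANULE_SIZE - 1;
	d.shadow_noncanonical = !is_canonical_48(d.shadow_addr);
	d.checked_null = (r->rbx == 0) &&
			 (r->rdx == (r->rbx >> KASAN_SHADOW_SCALE_SHIFT));
	return d;
}

int main(void)
{
	/* RAX, RBX, RDX copied from the register dump in the report. */
	struct trap_regs regs = {
		.rax = 0xdffffc0000000000ULL,
		.rbx = 0x0000000000000000ULL,
		.rdx = 0x0000000000000000ULL,
	};
	struct trap_decode d = decode_kasan_trap(&regs);

	printf("shadow byte read at  0x%016llx (%s)\n",
	       (unsigned long long)d.shadow_addr,
	       d.shadow_noncanonical ? "non-canonical -> #GP" : "canonical");
	printf("covers memory range  [0x%016llx-0x%016llx]\n",
	       (unsigned long long)d.mem_lo, (unsigned long long)d.mem_hi);
	printf("pointer under check  %s\n", d.checked_null ? "NULL" : "non-NULL");

	/* Cross-check: the direct-map base maps into the 0xffffed10... shadow
	 * region that R09/R10 in the oops fall in. */
	printf("shadow of 0xffff888000000000 = 0x%016llx\n",
	       (unsigned long long)kasan_mem_to_shadow(0xffff888000000000ULL));
	return 0;
}
```

Running it on the values from this oops yields a shadow read at 0xdffffc0000000000, flagged non-canonical, covering memory [0x0-0x7], with the checked pointer NULL, which is exactly the KASAN summary line. The same decode works for any inline-KASAN #GP on x86-64: take the effective address of the trapping shadow access, subtract the offset and shift left by 3 to find which kernel address the instrumented load or store was about to touch.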



