Hello,

We found the following issue using syzkaller on Linux v6.10.

In `sctp_inet6addr_event`, a general protection fault error is triggered when trying to execute `list_for_each_entry_safe(addr, temp, &net->sctp.local_addr_list, list) { ...`

According to the report, it looks like the register $rax (propagated from $r15) is unexpectedly set to null, causing a null-pointer dereference issue.

Unfortunately, syzkaller failed to generate a reproducer. But at least we have the report:

bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
bond0 (unregistering): Released all slaves
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 16764 Comm: kworker/u4:10 Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:sctp_inet6addr_event+0x118/0x6e0
Code: 44 24 08 48 89 44 24 40 4c 89 e0 48 c1 e8 03 48 89 44 24 38 4c 89 64 24 28 4c 89 74 24 30 4c 89 f8 48 c1 e8 03 48 89 44 24 48 <42> 80 3c 28 00 74 08 4c 89 ff e8 89 25 b3 f7 49 8b 07 48 89 44 24
RSP: 0018:ffffc9000a037340 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888024170000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000000a
RBP: ffff88802e8ed520 R08: ffffffff8a413727 R09: fffff52001406e58
R10: dffffc0000000000 R11: fffff52001406e58 R12: ffff88801856d000
R13: dffffc0000000000 R14: ffff88802cd22b88 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f10a8812088 CR3: 0000000028e84000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 notifier_call_chain kernel/notifier.c:93 [inline]
 atomic_notifier_call_chain+0x195/0x2d0 kernel/notifier.c:231
 addrconf_ifdown+0xedb/0x1b50 net/ipv6/addrconf.c:3980
 addrconf_notify+0x3c4/0x1000
 notifier_call_chain kernel/notifier.c:93 [inline]
 raw_notifier_call_chain+0xe0/0x180 kernel/notifier.c:461
 call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]
 call_netdevice_notifiers net/core/dev.c:2044 [inline]
 dev_close_many+0x352/0x4e0 net/core/dev.c:1585
 dev_close+0x1bb/0x2c0 net/core/dev.c:1607
 cfg80211_shutdown_all_interfaces+0xbc/0x1d0 net/wireless/core.c:280
 ieee80211_remove_interfaces+0x111/0x690 net/mac80211/iface.c:2278
 ieee80211_unregister_hw+0x59/0x2d0 net/mac80211/main.c:1659
 mac80211_hwsim_del_radio+0x2ba/0x4b0 drivers/net/wireless/virtual/mac80211_hwsim.c:5576
 hwsim_exit_net+0x5bd/0x660 drivers/net/wireless/virtual/mac80211_hwsim.c:6453
 ops_exit_list net/core/net_namespace.c:173 [inline]
 cleanup_net+0x810/0xcd0 net/core/net_namespace.c:640
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0x977/0x1410 kernel/workqueue.c:3329
 worker_thread+0xaa0/0x1020 kernel/workqueue.c:3409
 kthread+0x2eb/0x380 kernel/kthread.c:389
 ret_from_fork+0x49/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:sctp_inet6addr_event+0x118/0x6e0
Code: 44 24 08 48 89 44 24 40 4c 89 e0 48 c1 e8 03 48 89 44 24 38 4c 89 64 24 28 4c 89 74 24 30 4c 89 f8 48 c1 e8 03 48 89 44 24 48 <42> 80 3c 28 00 74 08 4c 89 ff e8 89 25 b3 f7 49 8b 07 48 89 44 24
RSP: 0018:ffffc9000a037340 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888024170000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000000a
RBP: ffff88802e8ed520 R08: ffffffff8a413727 R09: fffff52001406e58
R10: dffffc0000000000 R11: fffff52001406e58 R12: ffff88801856d000
R13: dffffc0000000000 R14: ffff88802cd22b88 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f10a8812088 CR3: 0000000028e84000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:  44 24 08          rex.R and $0x8,%al
   3:  48 89 44 24 40    mov    %rax,0x40(%rsp)
   8:  4c 89 e0          mov    %r12,%rax
   b:  48 c1 e8 03       shr    $0x3,%rax
   f:  48 89 44 24 38    mov    %rax,0x38(%rsp)
  14:  4c 89 64 24 28    mov    %r12,0x28(%rsp)
  19:  4c 89 74 24 30    mov    %r14,0x30(%rsp)
  1e:  4c 89 f8          mov    %r15,%rax
  21:  48 c1 e8 03       shr    $0x3,%rax
  25:  48 89 44 24 48    mov    %rax,0x48(%rsp)
* 2a:  42 80 3c 28 00    cmpb   $0x0,(%rax,%r13,1) <-- trapping instruction
  2f:  74 08             je     0x39
  31:  4c 89 ff          mov    %r15,%rdi
  34:  e8 89 25 b3 f7    call   0xf7b325c2
  39:  49 8b 07          mov    (%r15),%rax
  3c:  48                rex.W
  3d:  89                .byte 0x89
  3e:  44                rex.R
  3f:  24                .byte 0x24
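
The following triage helper is an added example, not part of the original mail or of the kernel source. It shows why a fault at the non-canonical address 0xdffffc0000000000 is reported as a null-ptr-deref in range [0x0-0x7]: the trapping `cmpb` is the KASAN shadow check for the pointer held in %r15. It assumes the standard x86-64 generic KASAN shadow offset and scale shift and 48-bit virtual addresses, none of which are stated in the mail; the function names are hypothetical.

```python
import re

# Assumed constants: x86-64 generic KASAN values, not taken from the mail.
KASAN_SHADOW_OFFSET = 0xDFFFFC0000000000
KASAN_SHADOW_SCALE_SHIFT = 3
MASK64 = (1 << 64) - 1

# Register lines copied from the report above.
OOPS_REGS = """\
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888024170000
R10: dffffc0000000000 R11: fffff52001406e58 R12: ffff88801856d000
R13: dffffc0000000000 R14: ffff88802cd22b88 R15: 0000000000000000
"""

def parse_regs(text):
    """Return {name: value} for every 'REG: <16 hex digits>' pair in a dump."""
    pat = r"\b([A-Z][A-Z0-9]{1,2}): ([0-9a-f]{16})\b"
    return {m.group(1).lower(): int(m.group(2), 16) for m in re.finditer(pat, text)}

def is_canonical(addr, va_bits=48):
    """True if bits 63..va_bits-1 are all equal (x86-64 canonical form)."""
    top = addr >> (va_bits - 1)
    return top == 0 or top == (1 << (64 - va_bits + 1)) - 1

def shadow_access(regs, base="rax", index="r13"):
    """Address read by 'cmpb $0x0,(%rax,%r13,1)', the trapping instruction."""
    return (regs[base] + regs[index]) & MASK64

def shadow_to_range(shadow):
    """Invert the KASAN mapping: one shadow byte covers 8 bytes of memory."""
    start = ((shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT) & MASK64
    return start, start + (1 << KASAN_SHADOW_SCALE_SHIFT) - 1

def triage(text):
    """Summarise the faulting shadow access from an oops register dump."""
    regs = parse_regs(text)
    fault = shadow_access(regs)
    return {"fault": fault, "canonical": is_canonical(fault),
            "checked_range": shadow_to_range(fault),
            "pointer_was_null": regs["r15"] == 0}

if __name__ == "__main__":
    r = triage(OOPS_REGS)
    lo, hi = r["checked_range"]
    print(f"fault=0x{r['fault']:016x} canonical={r['canonical']} "
          f"range=[0x{lo:016x}-0x{hi:016x}] r15_null={r['pointer_was_null']}")
```
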