syzbot


general protection fault in qfq_reset_qdisc

Status: auto-obsoleted due to no activity on 2022/11/11 06:00
Subsystems: net
[Documentation on labels]
First crash: 682d, last: 610d
Similar bugs (10)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 general protection fault in qfq_reset_qdisc (2) 2 1113d 1190d 0/1 auto-closed as invalid on 2021/07/26 19:48
upstream KASAN: slab-use-after-free Read in qfq_reset_qdisc net 3 259d 301d 0/26 closed as invalid on 2023/09/21 09:36
upstream general protection fault in qfq_reset_qdisc (3) net 2 55d 106d 0/26 closed as invalid on 2024/03/12 16:19
upstream general protection fault in qfq_reset_qdisc (2) net 1 182d 182d 0/26 closed as invalid on 2023/12/05 18:14
linux-4.14 general protection fault in qfq_reset_qdisc 1 1521d 1521d 0/1 auto-closed as invalid on 2020/06/13 20:08
upstream KASAN: use-after-free Read in qfq_reset_qdisc net 1 818d 818d 0/26 closed as invalid on 2022/02/17 02:00
linux-4.19 KASAN: use-after-free Read in qfq_reset_qdisc 2 1528d 1538d 0/1 auto-closed as invalid on 2020/06/06 11:35
linux-4.14 KASAN: use-after-free Read in qfq_reset_qdisc 6 1321d 1634d 0/1 auto-closed as invalid on 2020/12/30 04:03
linux-4.19 KASAN: use-after-free Read in qfq_reset_qdisc (2) 1 1356d 1356d 0/1 auto-closed as invalid on 2020/11/25 14:56
linux-4.19 KASAN: use-after-free Read in qfq_reset_qdisc (3) 1 1225d 1225d 0/1 auto-closed as invalid on 2021/04/05 19:15

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]
CPU: 1 PID: 56 Comm: kworker/u4:4 Not tainted 5.18.0-syzkaller-11817-g8171acb8bc9b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:qfq_reset_qdisc+0x14d/0x4d0 net/sched/sch_qfq.c:1455
Code: f5 f9 4c 8d 73 50 4c 89 f0 48 c1 e8 03 80 3c 28 00 0f 85 70 02 00 00 4c 8b 63 50 49 8d bc 24 e8 00 00 00 48 89 f8 48 c1 e8 03 <0f> b6 04 28 84 c0 74 08 3c 03 0f 8e 64 02 00 00 45 8b ac 24 e8 00
RSP: 0018:ffffc900013f78f8 EFLAGS: 00010206
RAX: 000000000000001d RBX: ffff88807a7e9300 RCX: 0000000000000000
RDX: ffff8880176ae1c0 RSI: ffffffff8783d9e5 RDI: 00000000000000e9
RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000001 R12: 0000000000000001
R13: ffff8880742d49d8 R14: ffff88807a7e9350 R15: ffff8880709d8000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f159a36a9ee CR3: 000000000ba8e000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 qdisc_reset+0xdb/0x6e0 net/sched/sch_generic.c:1026
 qdisc_destroy+0x91/0x4f0 net/sched/sch_generic.c:1064
 qdisc_put+0xcd/0xe0 net/sched/sch_generic.c:1086
 dev_shutdown+0x2b5/0x520 net/sched/sch_generic.c:1473
 unregister_netdevice_many+0x7d3/0x1890 net/core/dev.c:10825
 default_device_exit_batch+0x449/0x590 net/core/dev.c:11328
 ops_exit_list+0x125/0x170 net/core/net_namespace.c:167
 cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:qfq_reset_qdisc+0x14d/0x4d0 net/sched/sch_qfq.c:1455
Code: f5 f9 4c 8d 73 50 4c 89 f0 48 c1 e8 03 80 3c 28 00 0f 85 70 02 00 00 4c 8b 63 50 49 8d bc 24 e8 00 00 00 48 89 f8 48 c1 e8 03 <0f> b6 04 28 84 c0 74 08 3c 03 0f 8e 64 02 00 00 45 8b ac 24 e8 00
RSP: 0018:ffffc900013f78f8 EFLAGS: 00010206
RAX: 000000000000001d RBX: ffff88807a7e9300 RCX: 0000000000000000
RDX: ffff8880176ae1c0 RSI: ffffffff8783d9e5 RDI: 00000000000000e9
RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000001 R12: 0000000000000001
R13: ffff8880742d49d8 R14: ffff88807a7e9350 R15: ffff8880709d8000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f159a36a9ee CR3: 000000007ea74000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	f5                   	cmc
   1:	f9                   	stc
   2:	4c 8d 73 50          	lea    0x50(%rbx),%r14
   6:	4c 89 f0             	mov    %r14,%rax
   9:	48 c1 e8 03          	shr    $0x3,%rax
   d:	80 3c 28 00          	cmpb   $0x0,(%rax,%rbp,1)
  11:	0f 85 70 02 00 00    	jne    0x287
  17:	4c 8b 63 50          	mov    0x50(%rbx),%r12
  1b:	49 8d bc 24 e8 00 00 	lea    0xe8(%r12),%rdi
  22:	00
  23:	48 89 f8             	mov    %rdi,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	0f b6 04 28          	movzbl (%rax,%rbp,1),%eax <-- trapping instruction
  2e:	84 c0                	test   %al,%al
  30:	74 08                	je     0x3a
  32:	3c 03                	cmp    $0x3,%al
  34:	0f 8e 64 02 00 00    	jle    0x29e
  3a:	45                   	rex.RB
  3b:	8b                   	.byte 0x8b
  3c:	ac                   	lods   %ds:(%rsi),%al
  3d:	24 e8                	and    $0xe8,%al

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/06/02 06:10 upstream 8171acb8bc9b b4bc6a3d .config console log report info ci-upstream-kasan-gce-selinux-root general protection fault in qfq_reset_qdisc
2022/08/13 05:55 net-next-old 7ebfc85e2cd7 8dfcaa3d .config console log report info ci-upstream-net-kasan-gce general protection fault in qfq_reset_qdisc
2022/07/01 21:35 net-next-old 087b79854b9b 1434eec0 .config console log report info ci-upstream-net-kasan-gce general protection fault in qfq_reset_qdisc
2022/07/04 05:49 net-next-old d0bf1fe6454e 1434eec0 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in qfq_reset_qdisc
2022/06/19 21:05 net-next-old 9776fe0f424b 8f633d84 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in qfq_reset_qdisc
* Struck through repros no longer work on HEAD.