CINXE.COM
LKML: Jakub Kicinski: Re: [syzbot] [net?] general protection fault in generic_hwtstamp_ioctl_lower (2)
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>LKML: Jakub Kicinski: Re: [syzbot] [net?] general protection fault in generic_hwtstamp_ioctl_lower (2)</title><link href="/css/message.css" rel="stylesheet" type="text/css" /><link href="/css/wrap.css" rel="alternate stylesheet" type="text/css" title="wrap" /><link href="/css/nowrap.css" rel="stylesheet" type="text/css" title="nowrap" /><link href="/favicon.ico" rel="shortcut icon" /><script src="/js/simple-calendar.js" type="text/javascript"></script><script src="/js/styleswitcher.js" type="text/javascript"></script><link rel="alternate" type="application/rss+xml" title="lkml.org : last 100 messages" href="/rss.php" /><link rel="alternate" type="application/rss+xml" title="lkml.org : last messages by Jakub Kicinski" href="/groupie.php?aid=" /><!--Matomo--><script> var _paq = window._paq = window._paq || []; /* tracker methods like "setCustomDimension" should be called before "trackPageView" */ _paq.push(["setDoNotTrack", true]); _paq.push(["disableCookies"]); _paq.push(['trackPageView']); _paq.push(['enableLinkTracking']); (function() { var u="//m.lkml.org/"; _paq.push(['setTrackerUrl', u+'matomo.php']); _paq.push(['setSiteId', '1']); var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0]; g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s); })(); </script><!--End Matomo Code--></head><body onload="es.jasper.simpleCalendar.init();" itemscope="itemscope" itemtype="http://schema.org/BlogPosting"><table border="0" cellpadding="0" cellspacing="0"><tr><td width="180" align="center"><a href="/"><img style="border:0;width:135px;height:32px" src="/images/toprowlk.gif" alt="lkml.org" /></a></td><td width="32">聽</td><td class="nb"><div><a class="nb" href="/lkml"> [lkml]</a> 聽 <a class="nb" href="/lkml/2025"> [2025]</a> 聽 <a class="nb" href="/lkml/2025/2"> [Feb]</a> 聽 <a class="nb" href="/lkml/2025/2/6"> [6]</a> 聽 <a class="nb" href="/lkml/last100"> [last100]</a> 聽 <a href="/rss.php"><img src="/images/rss-or.gif" border="0" alt="RSS Feed" /></a></div><div>Views: <a href="#" class="nowrap" onclick="setActiveStyleSheet('wrap');return false;">[wrap]</a><a href="#" class="wrap" onclick="setActiveStyleSheet('nowrap');return false;">[no wrap]</a> 聽 <a class="nb" href="/lkml/mheaders/2025/2/6/1830" onclick="this.href='/lkml/headers'+'/2025/2/6/1830';">[headers]</a>聽 <a href="/lkml/bounce/2025/2/6/1830">[forward]</a>聽 </div></td><td width="32">聽</td></tr><tr><td valign="top"><div class="es-jasper-simpleCalendar" baseurl="/lkml/"></div><div class="threadlist">Messages in this thread</div><ul class="threadlist"><li class="root"><a href="/lkml/2025/2/4/838">First message in thread</a></li><li><a href="/lkml/2025/2/4/838">syzbot</a><ul><li><a href="/lkml/2025/2/5/676">Hillf Danton</a><ul><li><a href="/lkml/2025/2/5/684">syzbot</a></li></ul></li><li class="origin"><a href="/lkml/2025/2/7/608">Jakub Kicinski</a><ul><li><a href="/lkml/2025/2/7/608">Kory Maincent</a></li></ul></li></ul></li></ul></td><td width="32" rowspan="2" class="c" valign="top"><img src="/images/icornerl.gif" width="32" height="32" alt="/" /></td><td class="c" rowspan="2" valign="top" style="padding-top: 1em"><table><tr><td><table><tr><td class="lp">Date</td><td class="rp" itemprop="datePublished">Thu, 6 Feb 2025 17:56:18 -0800</td></tr><tr><td class="lp">From</td><td class="rp" itemprop="author">Jakub Kicinski <></td></tr><tr><td class="lp">Subject</td><td class="rp" itemprop="name">Re: [syzbot] [net?] general protection fault in generic_hwtstamp_ioctl_lower (2)</td></tr></table></td><td></td></tr></table><pre itemprop="articleBody">On Tue, 04 Feb 2025 07:22:16 -0800 syzbot wrote:<br />> Hello,<br />> <br />> syzbot found the following issue on:<br />> <br />> HEAD commit: 69e858e0b8b2 Merge tag 'uml-for-linus-6.14-rc1' of git://g..<br />> git tree: upstream<br />> console output: <a href="https://syzkaller.appspot.com/x/log.txt?x=13324b24580000">https://syzkaller.appspot.com/x/log.txt?x=13324b24580000</a><br />> kernel config: <a href="https://syzkaller.appspot.com/x/.config?x=98d83cc1742b7377">https://syzkaller.appspot.com/x/.config?x=98d83cc1742b7377</a><br />> dashboard link: <a href="https://syzkaller.appspot.com/bug?extid=86a8ab09a0f655f1ff19">https://syzkaller.appspot.com/bug?extid=86a8ab09a0f655f1ff19</a><br />> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40<br />> syz repro: <a href="https://syzkaller.appspot.com/x/repro.syz?x=17324b24580000">https://syzkaller.appspot.com/x/repro.syz?x=17324b24580000</a><br />> C reproducer: <a href="https://syzkaller.appspot.com/x/repro.c?x=161595f8580000">https://syzkaller.appspot.com/x/repro.c?x=161595f8580000</a><br /><br />Hi Kory!<br /><br />Looks like syzbot wasn't able to bisect and didn't CC you.<br />Please take a look, looks like struct kernel_hwtstamp_config<br />gets into the ioctl paths.<br /><br />> Downloadable assets:<br />> disk image: <a href="https://storage.googleapis.com/syzbot-assets/3d07b0558b0e/disk-69e858e0.raw.xz">https://storage.googleapis.com/syzbot-assets/3d07b0558b0e/disk-69e858e0.raw.xz</a><br />> vmlinux: <a href="https://storage.googleapis.com/syzbot-assets/e5e2250eb3b1/vmlinux-69e858e0.xz">https://storage.googleapis.com/syzbot-assets/e5e2250eb3b1/vmlinux-69e858e0.xz</a><br />> kernel image: <a href="https://storage.googleapis.com/syzbot-assets/3e676d17effc/bzImage-69e858e0.xz">https://storage.googleapis.com/syzbot-assets/3e676d17effc/bzImage-69e858e0.xz</a><br />> <br />> IMPORTANT: if you fix the issue, please add the following tag to the commit:<br />> Reported-by: syzbot+86a8ab09a0f655f1ff19@syzkaller.appspotmail.com<br />> <br />> netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0<br />> netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0<br />> netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0<br />> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI<br />> KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]<br />> CPU: 0 UID: 0 PID: 5827 Comm: syz-executor976 Not tainted 6.13.0-syzkaller-09760-g69e858e0b8b2 #0<br />> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024<br />> RIP: 0010:generic_hwtstamp_ioctl_lower+0x125/0x420 net/core/dev_ioctl.c:456<br />> Code: fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 b7 02 00 00 48 ba 00 00 00 00 00 fc ff df 4d 8b 75 10 49 8d 7e 10 48 89 f8 48 c1 e8 03 <0f> b6 0c 10 49 8d 46 27 48 89 c6 83 e0 07 48 c1 ee 03 0f b6 14 16<br />> RSP: 0018:ffffc90003e4f250 EFLAGS: 00010202<br />> RAX: 0000000000000002 RBX: ffff88807c788000 RCX: 0000000000000000<br />> RDX: dffffc0000000000 RSI: ffffffff893547b8 RDI: 0000000000000010<br />> RBP: ffffc90003e4f338 R08: 0000000000000007 R09: 0000000000000003<br />> R10: ffffc90003e4f2ab R11: 0000000000000001 R12: 1ffff920007c9e4e<br />> R13: ffffc90003e4f410 R14: 0000000000000000 R15: 1ffff920007c9e9b<br />> FS: 0000555562e35380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000<br />> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />> CR2: 0000000020000180 CR3: 0000000078b1a000 CR4: 00000000003526f0<br />> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br />> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br />> Call Trace:<br />> <TASK><br />> generic_hwtstamp_get_lower net/core/dev_ioctl.c:480 [inline]<br />> generic_hwtstamp_get_lower+0xe8/0x130 net/core/dev_ioctl.c:468<br />> dev_get_hwtstamp_phylib+0x181/0x610 net/core/dev_ioctl.c:291<br />> tsconfig_prepare_data+0x15f/0x650 net/ethtool/tsconfig.c:51<br />> ethnl_default_doit+0x31a/0xbd0 net/ethtool/netlink.c:493<br />> genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115<br />> genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]<br />> genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210<br />> netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2543<br />> genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219<br />> netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]<br />> netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1348<br />> netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1892<br />> sock_sendmsg_nosec net/socket.c:713 [inline]<br />> __sock_sendmsg net/socket.c:728 [inline]<br />> ____sys_sendmsg+0x9ae/0xb40 net/socket.c:2568<br />> ___sys_sendmsg+0x135/0x1e0 net/socket.c:2622<br />> __sys_sendmsg+0x16e/0x220 net/socket.c:2654<br />> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br />> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83<br />> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />> RIP: 0033:0x7f098155c919<br />> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48<br />> RSP: 002b:00007ffca30ea5f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e<br />> RAX: ffffffffffffffda RBX: 00007f09815aa4ad RCX: 00007f098155c919<br />> RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003<br />> RBP: 00007f09815aa47d R08: 0000000000000000 R09: 0000555500000000<br />> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f09815aa3e5<br />> R13: 0000000000000001 R14: 00007ffca30ea640 R15: 0000000000000003<br />> </TASK><br />> Modules linked in:<br />> ---[ end trace 0000000000000000 ]---<br />> RIP: 0010:generic_hwtstamp_ioctl_lower+0x125/0x420 net/core/dev_ioctl.c:456<br />> Code: fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 b7 02 00 00 48 ba 00 00 00 00 00 fc ff df 4d 8b 75 10 49 8d 7e 10 48 89 f8 48 c1 e8 03 <0f> b6 0c 10 49 8d 46 27 48 89 c6 83 e0 07 48 c1 ee 03 0f b6 14 16<br />> RSP: 0018:ffffc90003e4f250 EFLAGS: 00010202<br />> RAX: 0000000000000002 RBX: ffff88807c788000 RCX: 0000000000000000<br />> RDX: dffffc0000000000 RSI: ffffffff893547b8 RDI: 0000000000000010<br />> RBP: ffffc90003e4f338 R08: 0000000000000007 R09: 0000000000000003<br />> R10: ffffc90003e4f2ab R11: 0000000000000001 R12: 1ffff920007c9e4e<br />> R13: ffffc90003e4f410 R14: 0000000000000000 R15: 1ffff920007c9e9b<br />> FS: 0000555562e35380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000<br />> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />> CR2: 0000000020000180 CR3: 0000000078b1a000 CR4: 00000000003526f0<br />> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br />> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br />> ----------------<br />> Code disassembly (best guess), 3 bytes skipped:<br />> 0: 48 c1 ea 03 shr $0x3,%rdx<br />> 4: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)<br />> 8: 0f 85 b7 02 00 00 jne 0x2c5<br />> e: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx<br />> 15: fc ff df<br />> 18: 4d 8b 75 10 mov 0x10(%r13),%r14<br />> 1c: 49 8d 7e 10 lea 0x10(%r14),%rdi<br />> 20: 48 89 f8 mov %rdi,%rax<br />> 23: 48 c1 e8 03 shr $0x3,%rax<br />> * 27: 0f b6 0c 10 movzbl (%rax,%rdx,1),%ecx <-- trapping instruction<br />> 2b: 49 8d 46 27 lea 0x27(%r14),%rax<br />> 2f: 48 89 c6 mov %rax,%rsi<br />> 32: 83 e0 07 and $0x7,%eax<br />> 35: 48 c1 ee 03 shr $0x3,%rsi<br />> 39: 0f b6 14 16 movzbl (%rsi,%rdx,1),%edx<br />> <br />> <br />> ---<br />> This report is generated by a bot. It may contain errors.<br />> See <a href="https://goo.gl/tpsmEJ">https://goo.gl/tpsmEJ</a> for more information about syzbot.<br />> syzbot engineers can be reached at syzkaller@googlegroups.com.<br />> <br />> syzbot will keep track of this issue. See:<br />> <a href="https://goo.gl/tpsmEJ#status">https://goo.gl/tpsmEJ#status</a> for how to communicate with syzbot.<br />> <br />> If the report is already addressed, let syzbot know by replying with:<br />> #syz fix: exact-commit-title<br />> <br />> If you want syzbot to run the reproducer, reply with:<br />> #syz test: git://repo/address.git branch-or-commit-hash<br />> If you attach or paste a git patch, syzbot will apply it before testing.<br />> <br />> If you want to overwrite report's subsystems, reply with:<br />> #syz set subsystems: new-subsystem<br />> (See the list of subsystem names on the web dashboard)<br />> <br />> If the report is a duplicate of another one, reply with:<br />> #syz dup: exact-subject-of-another-report<br />> <br />> If you want to undo deduplication, reply with:<br />> #syz undup<br /><br /><br /></pre></td><td width="32" rowspan="2" class="c" valign="top"><img src="/images/icornerr.gif" width="32" height="32" alt="\" /></td></tr><tr><td align="right" valign="bottom"> 聽 </td></tr><tr><td align="right" valign="bottom">聽</td><td class="c" valign="bottom" style="padding-bottom: 0px"><img src="/images/bcornerl.gif" width="32" height="32" alt="\" /></td><td class="c">聽</td><td class="c" valign="bottom" style="padding-bottom: 0px"><img src="/images/bcornerr.gif" width="32" height="32" alt="/" /></td></tr><tr><td align="right" valign="top" colspan="2"> 聽 </td><td class="lm">Last update: 2025-02-07 02:56 聽聽 [W:0.275 / U:0.077 seconds]<br />漏2003-2020 <a href="http://blog.jasper.es/"><span itemprop="editor">Jasper Spaans</span></a>|hosted at <a href="https://www.digitalocean.com/?refcode=9a8e99d24cf9">Digital Ocean</a> and my Meterkast|<a href="http://blog.jasper.es/categories.html#lkml-ref">Read the blog</a></td><td>聽</td></tr></table><script language="javascript" src="/js/styleswitcher.js" type="text/javascript"></script></body></html>