Hi Pedro,

On 6/21/24 11:24 오후, Pedro Tammela wrote:
> On 21/06/2024 08:45, ysk...@gmail.com wrote:
>> From: Yunseong Kim <ysk...@gmail.com>
>>
>> In the TRACE_EVENT(qdisc_reset) NULL dereference occurred from
>>
>>   qdisc->dev_queue->dev <NULL> ->name
>>
>> This situation simulated from bunch of veths and Bluetooth
>> dis/reconnection.
>>
>> During qdisc initialization, qdisc was being set to noop_queue.
>> In veth_init_queue, the initial tx_num was reduced back to one,
>> causing the qdisc reset to be called with noop, which led to the
>> kernel panic.
>>
>> I think this will happen on these kernel versions:
>>   Linux kernel version ≥ v6.7.10, ≥ v6.8 ≥ v6.9 and 6.10
> 
> You should tag your patch for the net tree
Thank you for the code review, I will tag the next patch for the net tree.

>> This occurred from 51270d573a8d. I think this patch is absolutely
>> necessary. Previously, It was showing not intended string value of name.
> Add a 'Fixes:' tag with this commit

I will add a 'Fixes: 51270d573a8d' tag to the patch v2 message.

>> I can attach a sys-execprog's executing program, kernel dump and dmesg
>> if someone need it, but I'm not sure how to safely attach large vmcore
>> with vmlinux.
> 
> The syzkaller program + C reproducer is usually enough, please make it
> visible somewhere

Understood. I have the syz program converted to C, so I've attached the GitHub
gist link and the C source code in this mail.

 https://gist.github.com/yskelg/cc64562873ce249cdd0d5a358b77d740

>> Signed-off-by: Yunseong Kim <ysk...@gmail.com>, Yeoreum Yun
>> <yeoreum....@arm.com>
> 
> Should be two SoB tags

Oh, this is the first time we've sent a patch together, so I made a mistake. Sorry.
Thank you Pedro for the advice!

>> ---
>>   include/trace/events/qdisc.h | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/include/trace/events/qdisc.h b/include/trace/events/qdisc.h
>> index f1b5e816e7e5..170b51fbe47a 100644
>> --- a/include/trace/events/qdisc.h
>> +++ b/include/trace/events/qdisc.h
>> @@ -81,7 +81,7 @@ TRACE_EVENT(qdisc_reset,
>>       TP_ARGS(q),
>>         TP_STRUCT__entry(
>> -        __string(    dev,        qdisc_dev(q)->name    )
>> +        __string(dev, qdisc_dev(q) ? qdisc_dev(q)->name : "noop_queue")
>>           __string(    kind,        q->ops->id        )
>>           __field(    u32,        parent            )
>>           __field(    u32,        handle            )
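Review bot: The NULL guard is added only to the `__string()` declaration, while the `__assign_str()` for `dev` in `TP_fast_assign()` lies outside the hunk; on the v6.7.10–v6.9 kernels the description names, if `__assign_str()` there still takes the source expression `qdisc_dev(q)->name`, it re-evaluates it and hits the same NULL, so it needs the same guard (or, where `__assign_str()` has become single-argument, confirm it reuses the `__string()` source). The fallback `"noop_queue"` is a literal that cannot be told apart from a real device of that name in the trace output; a neutral marker such as `"(null)"` would be less ambiguous. If other `qdisc_*` events in this header save `qdisc_dev(q)->name` the same way, they presumably need the same change, but only `qdisc_reset` is visible here. The `TRACE_EVENT(qdisc_reset)` definition continues past the hunk.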
> 


Warm Regards,
Yunseong Kim
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef __NR_add_key
#define __NR_add_key 217
#endif
#ifndef __NR_bpf
#define __NR_bpf 280
#endif
#ifndef __NR_io_uring_register
#define __NR_io_uring_register 427
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_keyctl
#define __NR_keyctl 219
#endif
#ifndef __NR_mlockall
#define __NR_mlockall 230
#endif
#ifndef __NR_mmap
#define __NR_mmap 222
#endif
#ifndef __NR_mremap
#define __NR_mremap 216
#endif
#ifndef __NR_munmap
#define __NR_munmap 215
#endif
#ifndef __NR_openat
#define __NR_openat 56
#endif
#ifndef __NR_read
#define __NR_read 63
#endif
#ifndef __NR_shmctl
#define __NR_shmctl 195
#endif

#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len)               \
  *(type*)(addr) =                                                             \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) |           \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

// Resource slots filled in by main() as syscalls return descriptors/ids.
// Slots 0, 1, 2, 4 and 5 receive file descriptors and start at all-ones
// (-1 when passed back as an fd); slots 3 and 6 receive a value read back
// from an info buffer and a key serial respectively, and start at 0. A slot
// is only overwritten when the producing call did not return -1.
uint64_t r[7] = {
    [0] = UINT64_MAX,
    [1] = UINT64_MAX,
    [2] = UINT64_MAX,
    [3] = 0,
    [4] = UINT64_MAX,
    [5] = UINT64_MAX,
    [6] = 0,
};

// syzkaller-generated C reproducer attached to the report above. It replays
// the raw syscall sequence the fuzzer recorded; the mail says this sequence
// drives the qdisc_reset NULL dereference on an unpatched kernel, so expect
// the target to crash and run it only inside a disposable VM with crash
// capture. Conventions of the generated template:
//   - every pointer argument is an address inside the MAP_FIXED scratch
//     region at 0x20000000 (16 MiB, rwx) mapped first thing below;
//   - most syscall() results are deliberately unchecked: a reproducer only
//     has to replay the inputs, not to succeed;
//   - r[] collects descriptors/ids produced along the way, and a slot is
//     overwritten only when the producing call did not return -1.
// Symbolic names given below for numeric arguments are how I read the Linux
// uapi headers; confirm them against the target kernel's headers.
int main(void)
{
  // Scratch memory: a prot=0 page below, the 16 MiB rwx region, and a
  // prot=0 page above it (presumably guard pages around the scratch area).
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  // `reason` belongs to the generated template but is unused in this
  // program; the cast only silences the unused-variable warning.
  const char* reason;
  (void)reason;
  intptr_t res = 0;
  // Progress marker for the harness; the empty if-body just consumes the
  // warn_unused_result return value of write().
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  // io_uring_setup(0xe68 entries, params at 0x20000000): the params struct
  // is cleared field by field, with the +0x18 member (wq_fd) set to -1.
  *(uint32_t*)0x20000004 = 0;
  *(uint32_t*)0x20000008 = 0;
  *(uint32_t*)0x2000000c = 0;
  *(uint32_t*)0x20000010 = 0;
  *(uint32_t*)0x20000018 = -1;
  memset((void*)0x2000001c, 0, 12);
  res =
      syscall(__NR_io_uring_setup, /*entries=*/0xe68, /*params=*/0x20000000ul);
  if (res != -1)
    r[0] = res; // ring fd
  memset((void*)0x20000080, 111, 1);
  // opcode 0xa = IORING_UNREGISTER_PERSONALITY (uapi io_uring.h), size 1.
  syscall(__NR_io_uring_register, /*fd=*/r[0], /*opcode=*/0xaul,
          /*arg=*/0x20000080ul, /*size=*/1ul);
  // NOTE(review): this re-maps 0x20000000..0x2000a000 with prot=0, yet later
  // stores (e.g. 0x200000c0 below) write into that range — presumably the
  // fuzzer ran this with its fault-skipping SIGSEGV handler; confirm the
  // stand-alone build does not simply fault here instead of reproducing.
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0xa000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  // BPF_MAP_CREATE (cmd 0) with a NULL attr and a bogus size; presumably
  // fails, in which case r[1] keeps its default.
  res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0ul,
                /*size=*/0xfffffffffffffc91ul);
  if (res != -1)
    r[1] = res;
  // BPF_ITER_CREATE (cmd 0x21): link_fd -1, flags 0; result fd into r[2].
  *(uint32_t*)0x200000c0 = -1;
  *(uint32_t*)0x200000c4 = 0;
  res = syscall(__NR_bpf, /*cmd=*/0x21ul, /*arg=*/0x200000c0ul, /*size=*/8ul);
  if (res != -1)
    r[2] = res;
  // BPF_OBJ_GET_INFO_BY_FD (cmd 0xf): bpf_fd -1, info_len 0x20, info buffer
  // at 0x20000280. On success r[3] is read back from that buffer (+0xc).
  *(uint32_t*)0x20000c80 = -1;
  *(uint32_t*)0x20000c84 = 0x20;
  *(uint64_t*)0x20000c88 = 0x20000280;
  *(uint64_t*)0x20000280 = 0x20000180;
  *(uint32_t*)0x20000288 = 0x95;
  *(uint64_t*)0x20000290 = 0x20000b80;
  res = syscall(__NR_bpf, /*cmd=*/0xful, /*arg=*/0x20000c80ul, /*size=*/0x10ul);
  if (res != -1)
    r[3] = *(uint32_t*)0x2000028c;
  // openat(AT_FDCWD (0xffffff9c), "./file1", 0, 0) into r[4], followed by a
  // zero-length read on that fd.
  memcpy((void*)0x20000040, "./file1\000", 8);
  res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x20000040ul,
                /*flags=*/0ul, /*mode=*/0ul);
  if (res != -1)
    r[4] = res;
  syscall(__NR_read, /*fd=*/r[4], /*buf=*/0ul, /*count=*/0ul);
  // BPF_MAP_CREATE (cmd 0) with a 0x48-byte attr: map_type 0x1b, key/value
  // size 0, max_entries 0x9ff, inner_map_fd r[1] (+0x14), empty map_name,
  // btf_fd -1 (+0x30); the map fd goes into r[5].
  *(uint32_t*)0x20000cc0 = 0x1b;
  *(uint32_t*)0x20000cc4 = 0;
  *(uint32_t*)0x20000cc8 = 0;
  *(uint32_t*)0x20000ccc = 0x9ff;
  *(uint32_t*)0x20000cd0 = 0;
  *(uint32_t*)0x20000cd4 = r[1];
  *(uint32_t*)0x20000cd8 = 0;
  memset((void*)0x20000cdc, 0, 16);
  *(uint32_t*)0x20000cec = 0;
  *(uint32_t*)0x20000cf0 = -1;
  *(uint32_t*)0x20000cf4 = 4;
  *(uint32_t*)0x20000cf8 = 4;
  *(uint32_t*)0x20000cfc = 4;
  *(uint64_t*)0x20000d00 = 0;
  res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x20000cc0ul, /*size=*/0x48ul);
  if (res != -1)
    r[5] = res;
  // BPF_PROG_LOAD (cmd 5), attr at 0x20000e00: prog_type 0, insn_cnt 6,
  // insns at 0x20000040, license "GPL" at 0x20000080, prog_btf_fd r[2],
  // attach_btf_id r[3], attach_prog_fd r[4], fd_array {r[1], r[1], r[5]}.
  *(uint32_t*)0x20000e00 = 0;
  *(uint32_t*)0x20000e04 = 6;
  *(uint64_t*)0x20000e08 = 0x20000040;
  // The six struct bpf_insn are built field by field: opcode byte, then the
  // 4-bit dst_reg/src_reg nibbles via STORE_BY_BITMASK, then off and imm.
  // Opcode 0x18 is a 64-bit immediate load and 0x85 a call (uapi bpf.h).
  *(uint8_t*)0x20000040 = 0x18;
  STORE_BY_BITMASK(uint8_t, , 0x20000041, 7, 0, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000041, 4, 4, 4);
  *(uint16_t*)0x20000042 = 0;
  *(uint32_t*)0x20000044 = 4;
  *(uint8_t*)0x20000048 = 0;
  *(uint8_t*)0x20000049 = 0;
  *(uint16_t*)0x2000004a = 0;
  *(uint32_t*)0x2000004c = 0;
  STORE_BY_BITMASK(uint8_t, , 0x20000050, 4, 0, 3);
  STORE_BY_BITMASK(uint8_t, , 0x20000050, 1, 3, 1);
  STORE_BY_BITMASK(uint8_t, , 0x20000050, 0, 4, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000051, 0xa, 0, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000051, 0, 4, 4);
  *(uint16_t*)0x20000052 = 0xc;
  *(uint32_t*)0x20000054 = 0;
  *(uint8_t*)0x20000058 = 0x18;
  STORE_BY_BITMASK(uint8_t, , 0x20000059, 0, 0, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000059, 4, 4, 4);
  *(uint16_t*)0x2000005a = 0;
  *(uint32_t*)0x2000005c = 5;
  *(uint8_t*)0x20000060 = 0;
  *(uint8_t*)0x20000061 = 0;
  *(uint16_t*)0x20000062 = 0;
  *(uint32_t*)0x20000064 = 0;
  *(uint8_t*)0x20000068 = 0x85;
  STORE_BY_BITMASK(uint8_t, , 0x20000069, 0, 0, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000069, 1, 4, 4);
  *(uint16_t*)0x2000006a = 0;
  *(uint32_t*)0x2000006c = 0xfffffff9;
  // Remaining PROG_LOAD attr members (license, log settings, prog_flags,
  // BTF/func_info/line_info pointers and counts, fd_array, core_relos).
  *(uint64_t*)0x20000e10 = 0x20000080;
  memcpy((void*)0x20000080, "GPL\000", 4);
  *(uint32_t*)0x20000e18 = 3;
  *(uint32_t*)0x20000e1c = 0;
  *(uint64_t*)0x20000e20 = 0;
  *(uint32_t*)0x20000e28 = 0x41100;
  *(uint32_t*)0x20000e2c = 0x50;
  memset((void*)0x20000e30, 0, 16);
  *(uint32_t*)0x20000e40 = 0;
  *(uint32_t*)0x20000e44 = 0x21;
  *(uint32_t*)0x20000e48 = r[2];
  *(uint32_t*)0x20000e4c = 8;
  *(uint64_t*)0x20000e50 = 0x20000100;
  *(uint32_t*)0x20000100 = 3;
  *(uint32_t*)0x20000104 = 5;
  *(uint32_t*)0x20000e58 = 8;
  *(uint32_t*)0x20000e5c = 0x10;
  *(uint64_t*)0x20000e60 = 0x20000140;
  *(uint32_t*)0x20000140 = 3;
  *(uint32_t*)0x20000144 = 9;
  *(uint32_t*)0x20000148 = 0x62;
  *(uint32_t*)0x2000014c = 0x5038;
  *(uint32_t*)0x20000e68 = 0x10;
  *(uint32_t*)0x20000e6c = r[3];
  *(uint32_t*)0x20000e70 = r[4];
  *(uint32_t*)0x20000e74 = 5;
  *(uint64_t*)0x20000e78 = 0x20000d40;
  *(uint32_t*)0x20000d40 = r[1];
  *(uint32_t*)0x20000d44 = r[1];
  *(uint32_t*)0x20000d48 = r[5];
  *(uint64_t*)0x20000e80 = 0x20000d80;
  *(uint32_t*)0x20000d80 = 2;
  *(uint32_t*)0x20000d84 = 3;
  *(uint32_t*)0x20000d88 = 2;
  *(uint32_t*)0x20000d8c = 7;
  *(uint32_t*)0x20000d90 = 0;
  *(uint32_t*)0x20000d94 = 5;
  *(uint32_t*)0x20000d98 = 7;
  *(uint32_t*)0x20000d9c = 7;
  *(uint32_t*)0x20000da0 = 4;
  *(uint32_t*)0x20000da4 = 4;
  *(uint32_t*)0x20000da8 = 6;
  *(uint32_t*)0x20000dac = 0xa;
  *(uint32_t*)0x20000db0 = 2;
  *(uint32_t*)0x20000db4 = 5;
  *(uint32_t*)0x20000db8 = 7;
  *(uint32_t*)0x20000dbc = 7;
  *(uint32_t*)0x20000dc0 = 4;
  *(uint32_t*)0x20000dc4 = 1;
  *(uint32_t*)0x20000dc8 = 0xf;
  *(uint32_t*)0x20000dcc = 8;
  *(uint32_t*)0x20000e88 = 0x10;
  *(uint32_t*)0x20000e8c = 0x46f;
  syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000e00ul, /*size=*/0x90ul);
  // add_key("asymmetric", "syz!", no payload, keyring 0xfffffff9 = -7,
  // i.e. KEY_SPEC_REQKEY_AUTH_KEY); the serial goes into r[6], then
  // KEYCTL_READ (0xb) is issued on it with a 0x44-byte buffer.
  memcpy((void*)0x20000000, "asymmetric\000", 11);
  memcpy((void*)0x20000240, "syz", 3);
  *(uint8_t*)0x20000243 = 0x21;
  *(uint8_t*)0x20000244 = 0;
  res = syscall(__NR_add_key, /*type=*/0x20000000ul, /*desc=*/0x20000240ul,
                /*payload=*/0ul, /*paylen=*/0ul, /*keyring=*/0xfffffff9);
  if (res != -1)
    r[6] = res;
  syscall(__NR_keyctl, /*code=*/0xbul, /*key=*/r[6], /*payload=*/0x20000300ul,
          /*len=*/0x44ul, 0);
  // Second BPF_PROG_LOAD (cmd 5), attr at 0x200000c0: prog_type 5,
  // insn_cnt 0xb, insns at 0x20000180 (only its first byte, r[2], is
  // written), license "GPL", attach_btf_id r[3] (+0x6c).
  *(uint32_t*)0x200000c0 = 5;
  *(uint32_t*)0x200000c4 = 0xb;
  *(uint64_t*)0x200000c8 = 0x20000180;
  *(uint8_t*)0x20000180 = r[2];
  *(uint64_t*)0x200000d0 = 0x20000200;
  memcpy((void*)0x20000200, "GPL\000", 4);
  *(uint32_t*)0x200000d8 = 0x4000004;
  *(uint32_t*)0x200000dc = 0;
  *(uint64_t*)0x200000e0 = 0;
  *(uint32_t*)0x200000e8 = 0x40f00;
  *(uint32_t*)0x200000ec = 0;
  memset((void*)0x200000f0, 0, 16);
  *(uint32_t*)0x20000100 = 0;
  *(uint32_t*)0x20000104 = 0x17;
  *(uint32_t*)0x20000108 = 0;
  *(uint32_t*)0x2000010c = 0;
  *(uint64_t*)0x20000110 = 0;
  *(uint32_t*)0x20000118 = 0;
  *(uint32_t*)0x2000011c = 0;
  *(uint64_t*)0x20000120 = 0;
  *(uint32_t*)0x20000128 = 0;
  *(uint32_t*)0x2000012c = r[3];
  *(uint32_t*)0x20000130 = 0;
  *(uint32_t*)0x20000134 = 0;
  *(uint64_t*)0x20000138 = 0;
  *(uint64_t*)0x20000140 = 0;
  *(uint32_t*)0x20000148 = 0;
  *(uint32_t*)0x2000014c = 0;
  syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x200000c0ul, /*size=*/0x90ul);
  syscall(__NR_mlockall, /*flags=MCL_FUTURE|MCL_CURRENT*/ 3ul);
  // shmctl(shmid 0, cmd 1 = IPC_SET) with a shmid_ds assembled at
  // 0x20000280; only the first word and the +0x10/+0x1c members are
  // non-zero.
  *(uint32_t*)0x20000280 = 0x798e2636;
  *(uint32_t*)0x20000284 = 0;
  *(uint32_t*)0x20000288 = 0;
  *(uint32_t*)0x2000028c = 0;
  *(uint32_t*)0x20000290 = 0xee00;
  *(uint32_t*)0x20000294 = 0;
  *(uint16_t*)0x20000298 = 0;
  *(uint32_t*)0x2000029c = 0x80;
  *(uint64_t*)0x200002a0 = 0;
  *(uint64_t*)0x200002a8 = 0;
  *(uint64_t*)0x200002b0 = 0;
  *(uint32_t*)0x200002b8 = 0;
  *(uint32_t*)0x200002bc = 0;
  *(uint16_t*)0x200002c0 = 0;
  *(uint16_t*)0x200002c2 = 0;
  *(uint64_t*)0x200002c8 = 0;
  *(uint64_t*)0x200002d0 = 0;
  syscall(__NR_shmctl, /*shmid=*/0, /*cmd=*/1ul, /*buf=*/0x20000280ul);
  // Tail of the recorded sequence: unmap 4 MiB of the scratch region, map
  // 0xa000 bytes back with PROT_GROWSDOWN|PROT_SEM|PROT_READ|PROT_EXEC, then
  // mremap 0xc00000 bytes from 0x20000000 down to 0x3000 bytes at
  // 0x20ffa000 (MREMAP_FIXED|MREMAP_MAYMOVE). Nothing follows; the kernel
  // side effect the report describes is expected by this point.
  syscall(__NR_munmap, /*addr=*/0x20000000ul, /*len=*/0x400000ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0xa000ul,
          /*prot=PROT_GROWSDOWN|PROT_SEM|PROT_READ|PROT_EXEC*/ 0x100000dul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
          /*offset=*/0ul);
  syscall(__NR_mremap, /*addr=*/0x20000000ul, /*len=*/0xc00000ul,
          /*newlen=*/0x3000ul, /*flags=MREMAP_FIXED|MREMAP_MAYMOVE*/ 3ul,
          /*newaddr=*/0x20ffa000ul);
  return 0;
}
