Re: [syzbot] [net?] BUG: unable to handle kernel paging request in nsim_queue_free

From: Hillf Danton
Date: Tue Aug 12 2025 - 09:34:45 EST


> Date: Tue, 12 Aug 2025 02:58:28 -0700 [thread overview]
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 53e760d89498 Merge tag 'nfsd-6.17-1' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16c415a2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d67d3af29f50297e
> dashboard link: https://syzkaller.appspot.com/bug?extid=8aa80c6232008f7b957d
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=151be9a2580000

#syz test

--- x/drivers/net/netdevsim/netdev.c
+++ y/drivers/net/netdevsim/netdev.c
@@ -709,10 +709,14 @@ static struct nsim_rq *nsim_queue_alloc(

static void nsim_queue_free(struct net_device *dev, struct nsim_rq *rq)
{
+ struct netdevsim *ns = netdev_priv(dev);
+
hrtimer_cancel(&rq->napi_timer);
- local_bh_disable();
- dev_dstats_rx_dropped_add(dev, rq->skb_queue.qlen);
- local_bh_enable();
+ if (ns->registed) {
+ local_bh_disable();
+ dev_dstats_rx_dropped_add(dev, rq->skb_queue.qlen);
+ local_bh_enable();
+ }
skb_queue_purge_reason(&rq->skb_queue, SKB_DROP_REASON_QUEUE_PURGE);
kfree(rq);
}
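Review bot: The new `if (ns->registed)` guard in nsim_queue_free() has no comment saying why `dev_dstats_rx_dropped_add()` must be skipped, so the invariant it protects is left for the reader to guess. The nsim_init_netdevsim() hunks set the flag to 0 on entry and to 1 only just before `return 0`, so the guard skips the stats update whenever init did not complete. Presumably the per-device stats storage is not usable in that case, and the guard should say so, e.g. `/* dev stats may be unavailable if init failed; skip accounting */`. Since adding zero changes nothing, `if (rq->skb_queue.qlen) {` would avoid touching the stats for a never-used queue without a new field, though whether the reported path always has an empty queue is not visible here.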
@@ -981,6 +985,7 @@ err_free_prev:
while (i--)
kfree(ns->rq[i]);
kfree(ns->rq);
+ ns->rq = NULL;
return -ENOMEM;
}

@@ -989,6 +994,8 @@ static void nsim_queue_uninit(struct net
struct net_device *dev = ns->netdev;
int i;

+ if (!ns->rq)
+ return;
for (i = 0; i < dev->num_rx_queues; i++)
nsim_queue_free(dev, ns->rq[i]);

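Review bot: The added `if (!ns->rq) return;` in nsim_queue_uninit() is only safe if `ns->rq` is NULL on every path where the array is absent or already freed, and that contract is not written down anywhere in the patch. The err_free_prev hunk now resets the pointer after `kfree(ns->rq)`, but the tail of nsim_queue_uninit() lies outside this hunk. If it frees the array without `ns->rq = NULL;`, a second call would pass the new check and free the same memory again, so that is worth confirming. A comment above the check such as `/* ns->rq is NULL when queue allocation failed or never ran */` would record the invariant.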
@@ -1001,6 +1008,7 @@ static int nsim_init_netdevsim(struct ne
struct mock_phc *phc;
int err;

+ ns->registed = 0;
phc = mock_phc_create(&ns->nsim_bus_dev->dev);
if (IS_ERR(phc))
return PTR_ERR(phc);
@@ -1038,6 +1046,7 @@ static int nsim_init_netdevsim(struct ne
&ns->nn))
ns->nb.notifier_call = NULL;
}
+ ns->registed = 1;

return 0;

--- x/drivers/net/netdevsim/netdevsim.h
+++ y/drivers/net/netdevsim/netdevsim.h
@@ -106,6 +106,7 @@ struct netdevsim {
struct mock_phc *phc;
struct nsim_rq **rq;

+ int registed;
int rq_reset_mode;

struct nsim_bus_dev *nsim_bus_dev;
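Review bot: The new field `int registed;` is misspelled and has no comment in struct netdevsim, although the netdev.c hunks use it purely as a true/false flag. `bool registered;` with a comment like `/* set once nsim_init_netdevsim() has succeeded; gates stats accounting in nsim_queue_free() */` would make its role clear at the declaration. None of the visible hunks clears the flag on teardown, so it only distinguishes a failed init from a completed one; the comment should say so if that is the intent.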
--