syzbot
KASAN: null-ptr-deref Read in tcf_idrinfo_destroy

Status: upstream: reported C repro on 2023/05/10 22:23
Reported-by: syzbot+cf9750784f3e766f0fee@syzkaller.appspotmail.com
First crash: 389d, last: 2h37m
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: null-ptr-deref Read in tcf_idrinfo_destroy net C 115 1151d 1342d 20/26 fixed on 2021/04/09 19:46

Sample crash report:
==================================================================
BUG: KASAN: null-ptr-deref in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: null-ptr-deref in __tcf_idr_release net/sched/act_api.c:162 [inline]
BUG: KASAN: null-ptr-deref in tcf_idrinfo_destroy+0xe2/0x280 net/sched/act_api.c:541
Read of size 4 at addr 0000000000000010 by task kworker/u4:2/179

CPU: 1 PID: 179 Comm: kworker/u4:2 Not tainted 5.4.259-syzkaller-00012-g57a39998c138 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 __kasan_report+0xe9/0x120 mm/kasan/report.c:520
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 check_memory_region_inline mm/kasan/generic.c:141 [inline]
 check_memory_region+0x272/0x280 mm/kasan/generic.c:191
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 __tcf_idr_release net/sched/act_api.c:162 [inline]
 tcf_idrinfo_destroy+0xe2/0x280 net/sched/act_api.c:541
 tc_action_net_exit include/net/act_api.h:145 [inline]
 police_exit_net+0xd7/0x140 net/sched/act_police.c:410
 ops_exit_list net/core/net_namespace.c:184 [inline]
 cleanup_net+0x6e2/0xc90 net/core/net_namespace.c:609
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
==================================================================
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 179 Comm: kworker/u4:2 Tainted: G    B             5.4.259-syzkaller-00012-g57a39998c138 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: netns cleanup_net
RIP: 0010:__read_once_size include/linux/compiler.h:268 [inline]
RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:31 [inline]
RIP: 0010:atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
RIP: 0010:__tcf_idr_release net/sched/act_api.c:162 [inline]
RIP: 0010:tcf_idrinfo_destroy+0xe9/0x280 net/sched/act_api.c:541
Code: ee e8 3b 79 b6 00 48 85 c0 0f 84 54 01 00 00 49 89 c6 48 8d 58 20 48 89 df be 04 00 00 00 e8 7e 79 00 fe 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 f5 00 00 00 8b 1b 31 ff 89 de e8 1f d8
RSP: 0018:ffff8881e4dd7b60 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: ffff8881e9f46e40
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00000000ffffffff
RBP: ffff8881e4dd7c30 R08: ffffffff813af605 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 1ffff1103c9baf78
R13: ffff8881e4dd7bc0 R14: fffffffffffffff0 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f95dd0c10d0 CR3: 00000001ddae4000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tc_action_net_exit include/net/act_api.h:145 [inline]
 police_exit_net+0xd7/0x140 net/sched/act_police.c:410
 ops_exit_list net/core/net_namespace.c:184 [inline]
 cleanup_net+0x6e2/0xc90 net/core/net_namespace.c:609
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
Modules linked in:
---[ end trace 87ba05ee6766aa7d ]---
RIP: 0010:__read_once_size include/linux/compiler.h:268 [inline]
RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:31 [inline]
RIP: 0010:atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
RIP: 0010:__tcf_idr_release net/sched/act_api.c:162 [inline]
RIP: 0010:tcf_idrinfo_destroy+0xe9/0x280 net/sched/act_api.c:541
Code: ee e8 3b 79 b6 00 48 85 c0 0f 84 54 01 00 00 49 89 c6 48 8d 58 20 48 89 df be 04 00 00 00 e8 7e 79 00 fe 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 f5 00 00 00 8b 1b 31 ff 89 de e8 1f d8
RSP: 0018:ffff8881e4dd7b60 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: ffff8881e9f46e40
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00000000ffffffff
RBP: ffff8881e4dd7c30 R08: ffffffff813af605 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 1ffff1103c9baf78
R13: ffff8881e4dd7bc0 R14: fffffffffffffff0 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd211b0d88 CR3: 00000001ee3c0000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	ee                   	out    %al,(%dx)
   1:	e8 3b 79 b6 00       	call   0xb67941
   6:	48 85 c0             	test   %rax,%rax
   9:	0f 84 54 01 00 00    	je     0x163
   f:	49 89 c6             	mov    %rax,%r14
  12:	48 8d 58 20          	lea    0x20(%rax),%rbx
  16:	48 89 df             	mov    %rbx,%rdi
  19:	be 04 00 00 00       	mov    $0x4,%esi
  1e:	e8 7e 79 00 fe       	call   0xfe0079a1
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 0f b6 04 38       	movzbl (%rax,%r15,1),%eax <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	0f 85 f5 00 00 00    	jne    0x12c
  37:	8b 1b                	mov    (%rbx),%ebx
  39:	31 ff                	xor    %edi,%edi
  3b:	89 de                	mov    %ebx,%esi
  3d:	e8                   	.byte 0xe8
  3e:	1f                   	(bad)
  3f:	d8                   	.byte 0xd8

Crashes (3842):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/01/13 02:38 android12-5.4 57a39998c138 551587c1 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2023/11/28 05:10 android12-5.4 2ac128c04e33 7ec6c044 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2023/05/10 22:14 android12-5.4 0fcb7cff9462 14b12a99 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/01 10:48 android12-5.4 70fafe094510 3113787f .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/01 10:45 android12-5.4 70fafe094510 3113787f .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/01 09:42 android12-5.4 70fafe094510 3113787f .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/01 07:55 android12-5.4 70fafe094510 3113787f .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/01 00:32 android12-5.4 8322246edffa 3113787f .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/31 23:31 android12-5.4 8322246edffa 3113787f .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/31 22:52 android12-5.4 8322246edffa 3113787f .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/31 21:49 android12-5.4 8322246edffa 3113787f .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/31 12:54 android12-5.4 8322246edffa 0c378259 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/31 10:57 android12-5.4 8322246edffa 0c378259 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/31 09:39 android12-5.4 8322246edffa 0c378259 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/30 01:33 android12-5.4 8322246edffa 34889ee3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/29 16:12 android12-5.4 8322246edffa 34889ee3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/29 16:09 android12-5.4 8322246edffa 34889ee3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/28 19:38 android12-5.4 8322246edffa 34889ee3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/28 18:25 android12-5.4 8322246edffa 34889ee3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/28 17:22 android12-5.4 8322246edffa 34889ee3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/28 02:14 android12-5.4 8322246edffa f550015e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/28 01:46 android12-5.4 8322246edffa f550015e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/28 00:45 android12-5.4 8322246edffa f550015e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/27 23:08 android12-5.4 8322246edffa 761766e6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/27 21:34 android12-5.4 8322246edffa 761766e6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/27 14:36 android12-5.4 8322246edffa 761766e6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/27 13:35 android12-5.4 8322246edffa 761766e6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/27 12:42 android12-5.4 8322246edffa 761766e6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/27 10:57 android12-5.4 8322246edffa 761766e6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/27 08:33 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/27 06:17 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/27 04:39 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/26 23:40 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/26 21:35 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/26 16:21 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/26 15:02 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/26 13:01 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/26 11:56 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/25 22:12 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/25 20:55 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/25 16:33 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/25 13:49 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/25 12:29 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/25 04:52 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/25 03:51 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2023/05/08 21:25 android12-5.4 0fcb7cff9462 c7a5e2a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
* Struck through repros no longer work on HEAD.