syzbot

 sign-in | mailing list | source | docs
🐞 Open [717]
🐞 Fixed [181]
🐞 Invalid [640]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

BUG: unable to handle kernel NULL pointer dereference in tc_bind_tclass

Status: fixed on 2019/12/12 17:16
Reported-by: syzbot+2448d1865fa8fd6e470b@syzkaller.appspotmail.com
Fix commit: 54b9f5791846 net_sched: check cops->tcf_block in tc_bind_tclass()
First crash: 1902d, last: 1862d
Fix bisection: fixed by (bisect log) :
commit 54b9f5791846d2de59e8c65502b3f1071f65424f
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date: Thu Oct 31 18:42:59 2019 +0000

  net_sched: check cops->tcf_block in tc_bind_tclass()

  
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: unable to handle kernel NULL pointer dereference in tc_bind_tclass net C done 61 1893d 1901d 13/28 fixed on 2019/10/09 10:54
linux-4.19 BUG: unable to handle kernel NULL pointer dereference in tc_bind_tclass C done 18 1883d 1902d 1/1 fixed on 2019/12/09 13:28

Sample crash report:
audit: type=1400 audit(1569624024.196:36): avc:  denied  { map } for  pid=6864 comm="syz-executor858" path="/root/syz-executor858514599" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
IPVS: ftp: loaded support on port[0] = 21
BUG: unable to handle kernel NULL pointer dereference at           (null)
IP:           (null)
PGD 8bf1b067 P4D 8bf1b067 PUD 970e6067 PMD 0 
Oops: 0010 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 6865 Comm: syz-executor858 Not tainted 4.14.146 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880a0d606c0 task.stack: ffff8880a11c0000
RIP: 0010:          (null)
RSP: 0018:ffff8880a11c75e8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffffff86f15e00 RCX: 0000000000000000
RDX: 1ffffffff0de2bc8 RSI: 0000000000000001 RDI: ffff8880a1342900
RBP: ffff8880a11c76c0 R08: 1ffff11014238ee8 R09: ffff8880a11c7740
R10: ffffed1014238ef3 R11: ffff8880a11c779f R12: ffff8880a11c7698
R13: ffff8880a1342900 R14: 0000000000000001 R15: 0000000000000000
FS:  00005555558b3880(0000) GS:ffff8880aef00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000009483c000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tc_bind_tclass+0x124/0x400 net/sched/sch_api.c:1697
 tc_ctl_tclass+0x94a/0xa70 net/sched/sch_api.c:1831
 rtnetlink_rcv_msg+0x3eb/0xb70 net/core/rtnetlink.c:4285
 netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432
 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4297
 netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
 netlink_unicast+0x45d/0x640 net/netlink/af_netlink.c:1312
 netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xce/0x110 net/socket.c:656
 ___sys_sendmsg+0x70a/0x840 net/socket.c:2062
 __sys_sendmsg+0xb9/0x140 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x2d/0x50 net/socket.c:2103
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440d89
RSP: 002b:00007ffdb98ee9e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004a26d0 RCX: 0000000000440d89
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00000000004a26d0 R08: 0000000120080522 R09: 0000000120080522
R10: 0000000120080522 R11: 0000000000000246 R12: 0000000000402290
R13: 0000000000402320 R14: 0000000000000000 R15: 0000000000000000
Code:  Bad RIP value.
RIP:           (null) RSP: ffff8880a11c75e8
CR2: 0000000000000000
---[ end trace 4fc9d8266c79524b ]---

Crashes (14):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/09/27 22:43 linux-4.14.y f6e27dbb1afa d8074e0b .config console log report syz C ci2-linux-4-14
2019/09/23 01:11 linux-4.14.y f6e27dbb1afa d96e88f3 .config console log report syz C ci2-linux-4-14
2019/09/07 12:00 linux-4.14.y 414510bc00a5 a60cb4cd .config console log report syz ci2-linux-4-14
2019/09/07 11:31 linux-4.14.y 414510bc00a5 a60cb4cd .config console log report syz ci2-linux-4-14
2019/09/07 02:28 linux-4.14.y 414510bc00a5 acb5b744 .config console log report syz ci2-linux-4-14
2019/09/07 02:00 linux-4.14.y 414510bc00a5 acb5b744 .config console log report syz ci2-linux-4-14
2019/10/17 08:45 linux-4.14.y e132c8d7b58d 8c88c9c1 .config console log report ci2-linux-4-14
2019/10/09 18:07 linux-4.14.y 42327896f194 312c6a5a .config console log report ci2-linux-4-14
2019/10/07 01:15 linux-4.14.y db1892238c55 f3f7d9c8 .config console log report ci2-linux-4-14
2019/10/03 18:05 linux-4.14.y f6e27dbb1afa fc17ba49 .config console log report ci2-linux-4-14
2019/10/03 00:21 linux-4.14.y f6e27dbb1afa 2e29b534 .config console log report ci2-linux-4-14
2019/09/25 16:44 linux-4.14.y f6e27dbb1afa a3355dba .config console log report ci2-linux-4-14
2019/09/23 00:38 linux-4.14.y f6e27dbb1afa d96e88f3 .config console log report ci2-linux-4-14
2019/09/19 03:33 linux-4.14.y 968722f5371a 46c0be24 .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.