syzbot


BUG: unable to handle kernel NULL pointer dereference in corrupted (4)

Status: fixed on 2019/08/27 17:15
Reported-by: syzbot+4b5d77fdf765668f9eba@syzkaller.appspotmail.com
Fix commit: 95fa145479fb bpf: sockmap/tls, close can race with map free
First crash: 1760d, last: 1760d
Cause bisection: introduced by (bisect log) :
commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
Author: John Fastabend <john.fastabend@gmail.com>
Date: Sat Jun 30 13:17:47 2018 +0000

  bpf: sockhash fix omitted bucket lock in sock_close

Crash: KASAN: use-after-free Write in bpf_tcp_close (log)
Repro: syz .config
  
Fix bisection: fixed by (bisect log) :
commit 95fa145479fbc0a0c1fd3274ceb42ec03c042a4a
Author: John Fastabend <john.fastabend@gmail.com>
Date: Fri Jul 19 17:29:22 2019 +0000

  bpf: sockmap/tls, close can race with map free

  
Discussions (2)
Title Replies (including bot) Last reply
Reminder: 36 open syzbot bugs in "net/bpf" subsystem 1 (1) 2019/07/03 06:01
BUG: unable to handle kernel NULL pointer dereference in corrupted (4) 0 (1) 2019/06/25 21:47
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 BUG: unable to handle kernel NULL pointer dereference in corrupted C 401 17h23m 1228d 0/2 upstream: reported C repro on 2020/12/07 19:36
upstream BUG: unable to handle kernel NULL pointer dereference in corrupted (5) C done error 3 1491d 1497d 0/26 auto-obsoleted due to no activity on 2022/09/14 04:18
linux-4.19 BUG: unable to handle kernel NULL pointer dereference in corrupted C done 6 1060d 1642d 1/1 fixed on 2021/06/24 20:09
upstream BUG: unable to handle kernel NULL pointer dereference in corrupted (3) C 1 1929d 1928d 11/26 fixed on 2019/03/06 07:43
linux-4.14 BUG: unable to handle kernel NULL pointer dereference in corrupted C inconclusive 3 1408d 1649d 0/1 upstream: reported C repro on 2019/10/14 10:06
upstream BUG: unable to handle kernel NULL pointer dereference in corrupted (2) kernel C 1 2102d 2102d 8/26 fixed on 2018/08/07 13:43
upstream BUG: unable to handle kernel NULL pointer dereference in corrupted net C 5 2142d 2142d 8/26 fixed on 2018/07/09 18:05

Sample crash report:
BUG: kernel NULL pointer dereference, address: 00000000000000fc

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/06/25 04:24 upstream 4b972a01a7da 82c13b6b .config console log report syz ci-upstream-kasan-gce-root
* Struck through repros no longer work on HEAD.