syzbot


BUG: unable to handle kernel NULL pointer dereference in corrupted (4)
Status: fixed on 2019/08/27 17:15
Reported-by: syzbot+4b5d77fdf765668f9eba@syzkaller.appspotmail.com
Fix commit: 95fa1454 bpf: sockmap/tls, close can race with map free
First crash: 115d, last: 115d
Bisection: introduced by (bisect log):

commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
Author: John Fastabend <john.fastabend@gmail.com>
Date: Sat Jun 30 13:17:47 2018 +0000

  bpf: sockhash fix omitted bucket lock in sock_close

Tree: upstream
Crash: KASAN: use-after-free Write in bpf_tcp_close (log)
Repro: syz .config
Bisection: fixed by (bisect log):

commit 95fa145479fbc0a0c1fd3274ceb42ec03c042a4a
Author: John Fastabend <john.fastabend@gmail.com>
Date: Fri Jul 19 17:29:22 2019 +0000

  bpf: sockmap/tls, close can race with map free

Tree: upstream
similar bugs (4):
Kernel     | Title                                                                  | Repro | Bisected | Count | Last  | Reported | Patched | Status
upstream   | BUG: unable to handle kernel NULL pointer dereference in corrupted (3) | C     |          | 1     | 284d  | 283d     | 12/14   | fixed on 2019/03/06 07:43
linux-4.14 | BUG: unable to handle kernel NULL pointer dereference in corrupted     | C     |          | 2     | 1d13h | 4d08h    | 0/1     | upstream: reported C repro on 2019/10/14 10:06
upstream   | BUG: unable to handle kernel NULL pointer dereference in corrupted (2) | C     |          | 1     | 457d  | 457d     | 9/14    | fixed on 2018/08/07 13:43
upstream   | BUG: unable to handle kernel NULL pointer dereference in corrupted     | C     |          | 5     | 497d  | 497d     | 9/14    | fixed on 2018/07/09 18:05

Sample crash report:

Crashes (1):
Manager                    | Time             | Kernel   | Commit   | Syzkaller | Config  | Log | Report | Syz repro | C repro
ci-upstream-kasan-gce-root | 2019/06/25 04:24 | upstream | 4b972a01 | 82c13b6b  | .config | log | report | syz       |