syzbot


BUG: unable to handle kernel NULL pointer dereference in corrupted (4)
Status: fixed on 2019/08/27 17:15
Reported-by: syzbot+4b5d77fdf765668f9eba@syzkaller.appspotmail.com
Fix commit: 95fa1454 bpf: sockmap/tls, close can race with map free
First crash: 339d, last: 339d

Cause bisection: introduced by (bisect log):

commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
Author: John Fastabend <john.fastabend@gmail.com>
Date: Sat Jun 30 13:17:47 2018 +0000

  bpf: sockhash fix omitted bucket lock in sock_close

Crash: KASAN: use-after-free Write in bpf_tcp_close (log)
Repro: syz .config

Fix bisection: fixed by (bisect log):

commit 95fa145479fbc0a0c1fd3274ceb42ec03c042a4a
Author: John Fastabend <john.fastabend@gmail.com>
Date: Fri Jul 19 17:29:22 2019 +0000

  bpf: sockmap/tls, close can race with map free

similar bugs (6):

| Kernel | Title | Repro | Bisected | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|
| upstream | BUG: unable to handle kernel NULL pointer dereference in corrupted (5) | C | cause+fix | 3 | 69d | 76d | 0/17 | upstream: reported C repro on 2020/03/14 06:37 |
| linux-4.19 | BUG: unable to handle kernel NULL pointer dereference in corrupted | C | | 6 | 17h28m | 220d | 0/1 | upstream: reported C repro on 2019/10/21 15:36 |
| upstream | BUG: unable to handle kernel NULL pointer dereference in corrupted (3) | C | | 1 | 507d | 507d | 12/17 | fixed on 2019/03/06 07:43 |
| linux-4.14 | BUG: unable to handle kernel NULL pointer dereference in corrupted | C | | 3 | 17d | 227d | 0/1 | upstream: reported C repro on 2019/10/14 10:06 |
| upstream | BUG: unable to handle kernel NULL pointer dereference in corrupted (2) | C | | 1 | 681d | 681d | 9/17 | fixed on 2018/08/07 13:43 |
| upstream | BUG: unable to handle kernel NULL pointer dereference in corrupted | C | | 5 | 720d | 720d | 9/17 | fixed on 2018/07/09 18:05 |

Sample crash report:

Crashes (1):

| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro |
|---|---|---|---|---|---|---|---|---|---|
| ci-upstream-kasan-gce-root | 2019/06/25 04:24 | upstream | 4b972a01 | 82c13b6b | .config | log | report | syz | |