syzbot


BUG: unable to handle kernel NULL pointer dereference in dev_map_generic_redirect

Status: auto-obsoleted due to no activity on 2024/10/01 02:11
Subsystems: bpf net
[Documentation on labels]
Reported-by: syzbot+aa38edb98c8bd20d2915@syzkaller.appspotmail.com
First crash: 254d, last: 149d
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [bpf?] [net?] BUG: unable to handle kernel NULL pointer dereference in dev_map_generic_redirect 0 (1) 2024/04/08 03:43
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-6-1 general protection fault in dev_map_generic_redirect origin:lts syz 72 8d20h 254d 0/2 premoderation: reported syz repro on 2024/04/02 16:15
linux-6.1 KASAN: use-after-free Read in dev_map_generic_redirect 10 25d 115d 0/3 upstream: reported on 2024/08/19 13:49

Sample crash report:
8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 0000008d when read
[0000008d] *pgd=85442003, *pmd=fc491003
Internal error: Oops: 207 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 1 PID: 13298 Comm: syz-executor.0 Not tainted 6.9.0-rc2-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at xdp_ok_fwd_dev include/linux/filter.h:1009 [inline]
PC is at dev_map_generic_redirect+0x24/0x23c kernel/bpf/devmap.c:681
LR is at xdp_do_generic_redirect_map net/core/filter.c:4463 [inline]
LR is at xdp_do_generic_redirect+0x1d8/0x4d4 net/core/filter.c:4520
pc : [<803f2e70>]    lr : [<813e318c>]    psr: 60000013
sp : dfa41d00  ip : dfa41d58  fp : dfa41d54
r10: 0000fdef  r9 : 83641800  r8 : dfa43000
r7 : 00000001  r6 : 841bb400  r5 : 855c8a80  r4 : 824b3560
r3 : 00000000  r2 : dfa43000  r1 : 855c8a80  r0 : 841bb400
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 30c5387d  Table: 85104f00  DAC: 00000000
Register r0 information: slab kmalloc-cg-64 start 841bb400 pointer offset 0 size 64
Register r1 information: slab skbuff_head_cache start 855c8a80 pointer offset 0 size 192
Register r2 information: 1-page vmalloc region starting at 0xdfa43000 allocated at bpf_prog_alloc_no_stats+0x38/0x1cc kernel/bpf/core.c:103
Register r3 information: NULL pointer
Register r4 information: non-slab/vmalloc memory
Register r5 information: slab skbuff_head_cache start 855c8a80 pointer offset 0 size 192
Register r6 information: slab kmalloc-cg-64 start 841bb400 pointer offset 0 size 64
Register r7 information: non-paged memory
Register r8 information: 1-page vmalloc region starting at 0xdfa43000 allocated at bpf_prog_alloc_no_stats+0x38/0x1cc kernel/bpf/core.c:103
Register r9 information: slab task_struct start 83641800 pointer offset 0 size 3072
Register r10 information: non-paged memory
Register r11 information: 2-page vmalloc region starting at 0xdfa40000 allocated at kernel_clone+0xac/0x3cc kernel/fork.c:2796
Register r12 information: 2-page vmalloc region starting at 0xdfa40000 allocated at kernel_clone+0xac/0x3cc kernel/fork.c:2796
Process syz-executor.0 (pid: 13298, stack limit = 0xdfa40000)
Stack: (0xdfa41d00 to 0xdfa42000)
1d00: 804a6614 8027b0a4 855c8a80 dfa41da4 854a0102 854afef1 dfa43000 0000000e
1d20: dfa41d3c dfa41d30 824b3560 824b3560 855c8a80 84c46000 dfa41da4 0000000e
1d40: 00000024 5b930000 dfa41d9c dfa41d58 813e318c 803f2e58 dfa41d9c dfa41d68
1d60: 0000aaaa 00000000 841bb400 dfa43000 dfa41db4 dfa41e40 00000004 0000000e
1d80: dfa43000 83641800 83404800 00000000 dfa41dec dfa41da0 813ae474 813e2fc0
1da0: dfa41ef0 854a0102 854afef1 854a0102 854a0000 85060400 00000000 00020000
1dc0: 00000000 d2f4c1d4 84c46660 00000001 855e52cc 84c47660 00000ebe 855c8a80
1de0: dfa41ea4 dfa41df0 80c29b04 813ae204 00000000 00000400 00000000 00000eb0
1e00: 00000000 83641800 dfa41ea4 dfa41e18 8031cb08 00010040 00000000 83641800
1e20: 00000000 0000ef31 0000fdef 00000000 855e5000 0000fdef 00000000 00080000
1e40: 855c8a80 00000000 00000000 00000000 00000000 00000000 00000400 00000000
1e60: 00000000 d2f4c1d4 8219b2bc 84c46660 84c46000 d2f4c1d4 83641800 dfa41f08
1e80: dfa41ef0 00000000 84c46660 855e5000 20000040 81b6cbe4 dfa41ed4 dfa41ea8
1ea0: 80c2acb8 80c290c4 00000001 00000000 00000008 80c2ac58 846f6d80 0000fdef
1ec0: 83641800 dfa41f68 dfa41f64 dfa41ed8 804f7298 80c2ac64 dfa41f04 dfa41ee8
1ee0: 8020c17c 8020d138 00000000 00000000 00010000 0000fdef 20000040 00000000
1f00: 00000001 00000000 846f6d80 00000000 0000002a 00000000 00000000 00000000
1f20: 00000000 00000000 00000000 00000000 0000fdef d2f4c1d4 83641800 846f6d81
1f40: 846f6d80 0000002a 00000000 80200288 83641800 00000004 dfa41f94 dfa41f68
1f60: 804f75e0 804f7030 0000002a 00000000 80203054 d2f4c1d4 0000fdef 20000040
1f80: 000000c8 00000004 dfa41fa4 dfa41f98 804f7670 804f7574 00000000 dfa41fa8
1fa0: 80200060 804f766c 0000fdef 20000040 000000c8 20000040 0000fdef 00000000
1fc0: 0000fdef 20000040 000000c8 00000004 7ed4d32e 7ed4d32f 003d0f00 76b160fc
1fe0: 0000005c 76b15ef0 00091154 0004f04c 40000010 000000c8 00000000 00000000
Call trace: 
[<803f2e4c>] (dev_map_generic_redirect) from [<813e318c>] (xdp_do_generic_redirect_map net/core/filter.c:4463 [inline])
[<803f2e4c>] (dev_map_generic_redirect) from [<813e318c>] (xdp_do_generic_redirect+0x1d8/0x4d4 net/core/filter.c:4520)
 r10:5b930000 r9:00000024 r8:0000000e r7:dfa41da4 r6:84c46000 r5:855c8a80
 r4:824b3560
[<813e2fb4>] (xdp_do_generic_redirect) from [<813ae474>] (do_xdp_generic+0x27c/0x440 net/core/dev.c:5021)
 r10:00000000 r9:83404800 r8:83641800 r7:dfa43000 r6:0000000e r5:00000004
 r4:dfa41e40
[<813ae1f8>] (do_xdp_generic) from [<80c29b04>] (tun_get_user+0xa4c/0x13f4 drivers/net/tun.c:1924)
 r9:855c8a80 r8:00000ebe r7:84c47660 r6:855e52cc r5:00000001 r4:84c46660
[<80c290b8>] (tun_get_user) from [<80c2acb8>] (tun_chr_write_iter+0x60/0xc8 drivers/net/tun.c:2048)
 r10:81b6cbe4 r9:20000040 r8:855e5000 r7:84c46660 r6:00000000 r5:dfa41ef0
 r4:dfa41f08
[<80c2ac58>] (tun_chr_write_iter) from [<804f7298>] (call_write_iter include/linux/fs.h:2108 [inline])
[<80c2ac58>] (tun_chr_write_iter) from [<804f7298>] (new_sync_write fs/read_write.c:497 [inline])
[<80c2ac58>] (tun_chr_write_iter) from [<804f7298>] (vfs_write+0x274/0x438 fs/read_write.c:590)
 r8:dfa41f68 r7:83641800 r6:0000fdef r5:846f6d80 r4:80c2ac58
[<804f7024>] (vfs_write) from [<804f75e0>] (ksys_write+0x78/0xf8 fs/read_write.c:643)
 r10:00000004 r9:83641800 r8:80200288 r7:00000000 r6:0000002a r5:846f6d80
 r4:846f6d81
[<804f7568>] (ksys_write) from [<804f7670>] (__do_sys_write fs/read_write.c:655 [inline])
[<804f7568>] (ksys_write) from [<804f7670>] (sys_write+0x10/0x14 fs/read_write.c:652)
 r7:00000004 r6:000000c8 r5:20000040 r4:0000fdef
[<804f7660>] (sys_write) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:66)
Exception stack(0xdfa41fa8 to 0xdfa41ff0)
1fa0:                   0000fdef 20000040 000000c8 20000040 0000fdef 00000000
1fc0: 0000fdef 20000040 000000c8 00000004 7ed4d32e 7ed4d32f 003d0f00 76b160fc
1fe0: 0000005c 76b15ef0 00091154 0004f04c
Code: ee1d9f70 e1a08002 e591a054 e1a06000 (e597508c) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	ee1d9f70 	mrc	15, 0, r9, cr13, cr0, {3}
   4:	e1a08002 	mov	r8, r2
   8:	e591a054 	ldr	sl, [r1, #84]	@ 0x54
   c:	e1a06000 	mov	r6, r0
* 10:	e597508c 	ldr	r5, [r7, #140]	@ 0x8c <-- trapping instruction

Crashes (20):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/04/02 16:15 upstream 026e680b0a08 f861ecca .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in dev_map_generic_redirect
2024/07/11 21:02 upstream 9d9a2f29aefd c699c2eb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: slab-use-after-free Read in dev_map_generic_redirect
2024/07/11 21:01 upstream 9d9a2f29aefd c699c2eb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: slab-use-after-free Read in dev_map_generic_redirect
2024/07/07 14:04 upstream c6653f49e4fd bc4ebbb5 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root general protection fault in dev_map_generic_redirect
2024/06/23 20:26 upstream 7c16f0a4ed1c edc5149a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root general protection fault in dev_map_generic_redirect
2024/04/11 10:11 upstream e8c39d0f57f3 3023abf0 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in dev_map_generic_redirect
2024/04/08 03:42 upstream 9fe30842a90b ca620dd8 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in dev_map_generic_redirect
2024/07/16 17:10 upstream d67978318827 74c18f46 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 general protection fault in dev_map_generic_redirect
2024/07/02 22:55 upstream 734610514cb0 1ecfa2d8 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 general protection fault in dev_map_generic_redirect
2024/07/02 07:51 upstream 1dfe225e9af5 b294e901 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 general protection fault in dev_map_generic_redirect
2024/06/29 07:46 upstream de0a9f448633 757f06b1 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 general protection fault in dev_map_generic_redirect
2024/06/23 01:14 upstream 563a50672d8a c2e07261 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 general protection fault in dev_map_generic_redirect
2024/04/02 21:34 upstream b1e6ec0a0fd0 f861ecca .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 general protection fault in dev_map_generic_redirect
2024/04/02 20:49 upstream b1e6ec0a0fd0 f861ecca .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 general protection fault in dev_map_generic_redirect
2024/06/11 07:03 linux-next a957267fa7e9 048c640a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root general protection fault in dev_map_generic_redirect
2024/06/10 15:56 linux-next d35b2284e966 048c640a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root general protection fault in dev_map_generic_redirect
2024/06/10 15:56 linux-next d35b2284e966 048c640a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root general protection fault in dev_map_generic_redirect
2024/04/02 22:27 linux-next c0b832517f62 7925100d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root general protection fault in dev_map_generic_redirect
2024/06/09 22:53 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8867bbd4a056 82c05ab8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in dev_map_generic_redirect
2024/04/08 21:49 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 707081b61156 53df08b6 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in dev_map_generic_redirect
* Struck through repros no longer work on HEAD.