syzbot

 sign-in | mailing list | source | docs
🐞 Open [70]
🐞 Fixed [22]
🐞 Invalid [333]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: null-ptr-deref Read in tcf_idrinfo_destroy

Status: upstream: reported C repro on 2023/05/10 22:23
Reported-by: syzbot+cf9750784f3e766f0fee@syzkaller.appspotmail.com
First crash: 562d, last: 54d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: null-ptr-deref Read in tcf_idrinfo_destroy net C 115 1325d 1515d 20/28 fixed on 2021/04/09 19:46
Last patch testing requests (6)
Created Duration User Patch Repo Result
2024/09/27 22:46 16m retest repro android12-5.4 report log
2024/09/27 22:46 16m retest repro android12-5.4 report log
2024/09/27 22:46 8m retest repro android12-5.4 report log
2024/07/17 22:28 21m retest repro android12-5.4 report log
2024/07/17 22:28 5m retest repro android12-5.4 report log
2024/07/17 22:28 15m retest repro android12-5.4 report log

Sample crash report:
==================================================================
BUG: KASAN: null-ptr-deref in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: null-ptr-deref in __tcf_idr_release net/sched/act_api.c:162 [inline]
BUG: KASAN: null-ptr-deref in tcf_idrinfo_destroy+0xe2/0x280 net/sched/act_api.c:541
Read of size 4 at addr 0000000000000010 by task kworker/u4:2/179

CPU: 1 PID: 179 Comm: kworker/u4:2 Not tainted 5.4.259-syzkaller-00012-g57a39998c138 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 __kasan_report+0xe9/0x120 mm/kasan/report.c:520
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 check_memory_region_inline mm/kasan/generic.c:141 [inline]
 check_memory_region+0x272/0x280 mm/kasan/generic.c:191
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 __tcf_idr_release net/sched/act_api.c:162 [inline]
 tcf_idrinfo_destroy+0xe2/0x280 net/sched/act_api.c:541
 tc_action_net_exit include/net/act_api.h:145 [inline]
 police_exit_net+0xd7/0x140 net/sched/act_police.c:410
 ops_exit_list net/core/net_namespace.c:184 [inline]
 cleanup_net+0x6e2/0xc90 net/core/net_namespace.c:609
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
==================================================================
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 179 Comm: kworker/u4:2 Tainted: G    B             5.4.259-syzkaller-00012-g57a39998c138 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: netns cleanup_net
RIP: 0010:__read_once_size include/linux/compiler.h:268 [inline]
RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:31 [inline]
RIP: 0010:atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
RIP: 0010:__tcf_idr_release net/sched/act_api.c:162 [inline]
RIP: 0010:tcf_idrinfo_destroy+0xe9/0x280 net/sched/act_api.c:541
Code: ee e8 3b 79 b6 00 48 85 c0 0f 84 54 01 00 00 49 89 c6 48 8d 58 20 48 89 df be 04 00 00 00 e8 7e 79 00 fe 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 f5 00 00 00 8b 1b 31 ff 89 de e8 1f d8
RSP: 0018:ffff8881e4dd7b60 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: ffff8881e9f46e40
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00000000ffffffff
RBP: ffff8881e4dd7c30 R08: ffffffff813af605 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 1ffff1103c9baf78
R13: ffff8881e4dd7bc0 R14: fffffffffffffff0 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f95dd0c10d0 CR3: 00000001ddae4000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tc_action_net_exit include/net/act_api.h:145 [inline]
 police_exit_net+0xd7/0x140 net/sched/act_police.c:410
 ops_exit_list net/core/net_namespace.c:184 [inline]
 cleanup_net+0x6e2/0xc90 net/core/net_namespace.c:609
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
Modules linked in:
---[ end trace 87ba05ee6766aa7d ]---
RIP: 0010:__read_once_size include/linux/compiler.h:268 [inline]
RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:31 [inline]
RIP: 0010:atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
RIP: 0010:__tcf_idr_release net/sched/act_api.c:162 [inline]
RIP: 0010:tcf_idrinfo_destroy+0xe9/0x280 net/sched/act_api.c:541
Code: ee e8 3b 79 b6 00 48 85 c0 0f 84 54 01 00 00 49 89 c6 48 8d 58 20 48 89 df be 04 00 00 00 e8 7e 79 00 fe 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 f5 00 00 00 8b 1b 31 ff 89 de e8 1f d8
RSP: 0018:ffff8881e4dd7b60 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: ffff8881e9f46e40
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00000000ffffffff
RBP: ffff8881e4dd7c30 R08: ffffffff813af605 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 1ffff1103c9baf78
R13: ffff8881e4dd7bc0 R14: fffffffffffffff0 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd211b0d88 CR3: 00000001ee3c0000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	ee                   	out    %al,(%dx)
   1:	e8 3b 79 b6 00       	call   0xb67941
   6:	48 85 c0             	test   %rax,%rax
   9:	0f 84 54 01 00 00    	je     0x163
   f:	49 89 c6             	mov    %rax,%r14
  12:	48 8d 58 20          	lea    0x20(%rax),%rbx
  16:	48 89 df             	mov    %rbx,%rdi
  19:	be 04 00 00 00       	mov    $0x4,%esi
  1e:	e8 7e 79 00 fe       	call   0xfe0079a1
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 0f b6 04 38       	movzbl (%rax,%r15,1),%eax <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	0f 85 f5 00 00 00    	jne    0x12c
  37:	8b 1b                	mov    (%rbx),%ebx
  39:	31 ff                	xor    %edi,%edi
  3b:	89 de                	mov    %ebx,%esi
  3d:	e8                   	.byte 0xe8
  3e:	1f                   	(bad)
  3f:	d8                   	.byte 0xd8

Crashes (5017):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/01/13 02:38 android12-5.4 57a39998c138 551587c1 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2023/11/28 05:10 android12-5.4 2ac128c04e33 7ec6c044 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2023/05/10 22:14 android12-5.4 0fcb7cff9462 14b12a99 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/03 16:40 android12-5.4 58de09405d1e 1ecfa2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/03 13:41 android12-5.4 58de09405d1e 1ecfa2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/03 05:48 android12-5.4 58de09405d1e 1ecfa2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/03 04:25 android12-5.4 58de09405d1e 1ecfa2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/02 10:43 android12-5.4 58de09405d1e 07f0a0a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/02 09:49 android12-5.4 58de09405d1e 07f0a0a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/02 06:02 android12-5.4 58de09405d1e b294e901 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/02 04:45 android12-5.4 58de09405d1e b294e901 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/01 22:17 android12-5.4 58de09405d1e b294e901 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/01 22:17 android12-5.4 58de09405d1e b294e901 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/01 20:56 android12-5.4 4275fce9fe94 b294e901 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/01 16:54 android12-5.4 4275fce9fe94 b294e901 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/01 14:15 android12-5.4 4275fce9fe94 b294e901 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/01 12:55 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/01 11:14 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/01 08:24 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/01 07:34 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/01 05:39 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/01 03:53 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/01 02:48 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/07/01 01:18 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/30 22:33 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/30 20:11 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/30 20:05 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/30 18:30 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/30 16:38 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/30 15:28 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/30 12:21 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/30 11:19 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/30 10:14 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/30 08:49 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/30 08:08 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/30 05:11 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/30 03:11 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/30 01:19 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/29 18:27 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/29 17:23 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/29 16:04 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/29 14:35 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/29 09:46 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/29 07:18 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/29 07:18 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/29 06:04 android12-5.4 51e9abf68baf 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/29 03:33 android12-5.4 51e9abf68baf 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/28 23:49 android12-5.4 51e9abf68baf 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/06/28 21:19 android12-5.4 51e9abf68baf 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2023/05/08 21:25 android12-5.4 0fcb7cff9462 c7a5e2a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
* Struck through repros no longer work on HEAD.