syzbot


KASAN: null-ptr-deref Read in tcf_idrinfo_destroy

Status: upstream: reported C repro on 2023/05/10 22:23
Reported-by: syzbot+cf9750784f3e766f0fee@syzkaller.appspotmail.com
First crash: 738d, last: now
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: null-ptr-deref Read in tcf_idrinfo_destroy net C 115 1500d 1690d 20/28 fixed on 2021/04/09 19:46
Last patch testing requests (9)
Created Duration User Patch Repo Result
2024/12/07 00:08 1m retest repro android12-5.4 error
2024/12/07 00:08 1m retest repro android12-5.4 error
2024/12/07 00:08 2m retest repro android12-5.4 error
2024/09/27 22:46 16m retest repro android12-5.4 report log
2024/09/27 22:46 16m retest repro android12-5.4 report log
2024/09/27 22:46 8m retest repro android12-5.4 report log
2024/07/17 22:28 21m retest repro android12-5.4 report log
2024/07/17 22:28 5m retest repro android12-5.4 report log
2024/07/17 22:28 15m retest repro android12-5.4 report log

Sample crash report:
==================================================================
BUG: KASAN: null-ptr-deref in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: null-ptr-deref in __tcf_idr_release net/sched/act_api.c:162 [inline]
BUG: KASAN: null-ptr-deref in tcf_idrinfo_destroy+0xe2/0x280 net/sched/act_api.c:541
Read of size 4 at addr 0000000000000010 by task kworker/u4:2/179

CPU: 1 PID: 179 Comm: kworker/u4:2 Not tainted 5.4.259-syzkaller-00012-g57a39998c138 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 __kasan_report+0xe9/0x120 mm/kasan/report.c:520
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 check_memory_region_inline mm/kasan/generic.c:141 [inline]
 check_memory_region+0x272/0x280 mm/kasan/generic.c:191
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 __tcf_idr_release net/sched/act_api.c:162 [inline]
 tcf_idrinfo_destroy+0xe2/0x280 net/sched/act_api.c:541
 tc_action_net_exit include/net/act_api.h:145 [inline]
 police_exit_net+0xd7/0x140 net/sched/act_police.c:410
 ops_exit_list net/core/net_namespace.c:184 [inline]
 cleanup_net+0x6e2/0xc90 net/core/net_namespace.c:609
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
==================================================================
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 179 Comm: kworker/u4:2 Tainted: G    B             5.4.259-syzkaller-00012-g57a39998c138 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: netns cleanup_net
RIP: 0010:__read_once_size include/linux/compiler.h:268 [inline]
RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:31 [inline]
RIP: 0010:atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
RIP: 0010:__tcf_idr_release net/sched/act_api.c:162 [inline]
RIP: 0010:tcf_idrinfo_destroy+0xe9/0x280 net/sched/act_api.c:541
Code: ee e8 3b 79 b6 00 48 85 c0 0f 84 54 01 00 00 49 89 c6 48 8d 58 20 48 89 df be 04 00 00 00 e8 7e 79 00 fe 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 f5 00 00 00 8b 1b 31 ff 89 de e8 1f d8
RSP: 0018:ffff8881e4dd7b60 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: ffff8881e9f46e40
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00000000ffffffff
RBP: ffff8881e4dd7c30 R08: ffffffff813af605 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 1ffff1103c9baf78
R13: ffff8881e4dd7bc0 R14: fffffffffffffff0 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f95dd0c10d0 CR3: 00000001ddae4000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tc_action_net_exit include/net/act_api.h:145 [inline]
 police_exit_net+0xd7/0x140 net/sched/act_police.c:410
 ops_exit_list net/core/net_namespace.c:184 [inline]
 cleanup_net+0x6e2/0xc90 net/core/net_namespace.c:609
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
Modules linked in:
---[ end trace 87ba05ee6766aa7d ]---
RIP: 0010:__read_once_size include/linux/compiler.h:268 [inline]
RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:31 [inline]
RIP: 0010:atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
RIP: 0010:__tcf_idr_release net/sched/act_api.c:162 [inline]
RIP: 0010:tcf_idrinfo_destroy+0xe9/0x280 net/sched/act_api.c:541
Code: ee e8 3b 79 b6 00 48 85 c0 0f 84 54 01 00 00 49 89 c6 48 8d 58 20 48 89 df be 04 00 00 00 e8 7e 79 00 fe 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 f5 00 00 00 8b 1b 31 ff 89 de e8 1f d8
RSP: 0018:ffff8881e4dd7b60 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: ffff8881e9f46e40
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00000000ffffffff
RBP: ffff8881e4dd7c30 R08: ffffffff813af605 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 1ffff1103c9baf78
R13: ffff8881e4dd7bc0 R14: fffffffffffffff0 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd211b0d88 CR3: 00000001ee3c0000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	ee                   	out    %al,(%dx)
   1:	e8 3b 79 b6 00       	call   0xb67941
   6:	48 85 c0             	test   %rax,%rax
   9:	0f 84 54 01 00 00    	je     0x163
   f:	49 89 c6             	mov    %rax,%r14
  12:	48 8d 58 20          	lea    0x20(%rax),%rbx
  16:	48 89 df             	mov    %rbx,%rdi
  19:	be 04 00 00 00       	mov    $0x4,%esi
  1e:	e8 7e 79 00 fe       	call   0xfe0079a1
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 0f b6 04 38       	movzbl (%rax,%r15,1),%eax <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	0f 85 f5 00 00 00    	jne    0x12c
  37:	8b 1b                	mov    (%rbx),%ebx
  39:	31 ff                	xor    %edi,%edi
  3b:	89 de                	mov    %ebx,%esi
  3d:	e8                   	.byte 0xe8
  3e:	1f                   	(bad)
  3f:	d8                   	.byte 0xd8

Crashes (10702):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/01/13 02:38 android12-5.4 57a39998c138 551587c1 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2023/11/28 05:10 android12-5.4 2ac128c04e33 7ec6c044 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2023/05/10 22:14 android12-5.4 0fcb7cff9462 14b12a99 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/16 06:47 android12-5.4 cd8e74fa0fa3 cfde8269 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/16 06:09 android12-5.4 cd8e74fa0fa3 cfde8269 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/16 05:03 android12-5.4 cd8e74fa0fa3 cfde8269 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/16 03:54 android12-5.4 cd8e74fa0fa3 cfde8269 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/16 02:42 android12-5.4 cd8e74fa0fa3 cfde8269 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/16 01:42 android12-5.4 cd8e74fa0fa3 cfde8269 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/16 00:33 android12-5.4 cd8e74fa0fa3 cfde8269 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/15 23:50 android12-5.4 cd8e74fa0fa3 cfde8269 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/15 22:43 android12-5.4 cd8e74fa0fa3 cfde8269 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/15 21:41 android12-5.4 cd8e74fa0fa3 cfde8269 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/15 21:16 android12-5.4 cd8e74fa0fa3 cfde8269 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/15 19:54 android12-5.4 cd8e74fa0fa3 cfde8269 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/15 18:53 android12-5.4 cd8e74fa0fa3 cfde8269 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/15 17:50 android12-5.4 cd8e74fa0fa3 cfde8269 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/15 16:42 android12-5.4 cd8e74fa0fa3 cfde8269 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/15 15:37 android12-5.4 cd8e74fa0fa3 cfde8269 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/15 14:29 android12-5.4 cd8e74fa0fa3 d6b2ee52 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/15 13:20 android12-5.4 cd8e74fa0fa3 d6b2ee52 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/15 13:05 android12-5.4 cd8e74fa0fa3 d6b2ee52 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/15 11:52 android12-5.4 cd8e74fa0fa3 d6b2ee52 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/15 09:40 android12-5.4 cd8e74fa0fa3 d6b2ee52 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/15 09:07 android12-5.4 cd8e74fa0fa3 d6b2ee52 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/15 06:06 android12-5.4 cd8e74fa0fa3 d6b2ee52 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/15 00:58 android12-5.4 cd8e74fa0fa3 d6b2ee52 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/14 23:51 android12-5.4 cd8e74fa0fa3 a4fa04ef .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/14 23:39 android12-5.4 cd8e74fa0fa3 a4fa04ef .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/14 22:27 android12-5.4 cd8e74fa0fa3 a4fa04ef .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/14 21:24 android12-5.4 cd8e74fa0fa3 a4fa04ef .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/14 20:15 android12-5.4 cd8e74fa0fa3 a4fa04ef .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/14 19:05 android12-5.4 cd8e74fa0fa3 a4fa04ef .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/14 14:28 android12-5.4 cd8e74fa0fa3 a4fa04ef .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/14 13:16 android12-5.4 cd8e74fa0fa3 a4fa04ef .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/14 12:15 android12-5.4 cd8e74fa0fa3 7344edeb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/14 10:59 android12-5.4 cd8e74fa0fa3 7344edeb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/14 09:25 android12-5.4 cd8e74fa0fa3 7344edeb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/14 07:50 android12-5.4 cd8e74fa0fa3 7344edeb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/14 06:38 android12-5.4 cd8e74fa0fa3 7344edeb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/14 05:32 android12-5.4 cd8e74fa0fa3 7344edeb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/14 05:12 android12-5.4 cd8e74fa0fa3 7344edeb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/14 03:50 android12-5.4 cd8e74fa0fa3 7344edeb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/14 02:43 android12-5.4 cd8e74fa0fa3 7344edeb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2025/05/14 02:36 android12-5.4 cd8e74fa0fa3 7344edeb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2023/05/08 21:25 android12-5.4 0fcb7cff9462 c7a5e2a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy