syzbot

 sign-in | mailing list | source | docs
🐞 Open [142]
🐞 Fixed [16]
🐞 Invalid [163]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

BUG: unable to handle kernel NULL pointer dereference in l2tp_session_free

Status: public: reported C repro on 2019/04/13 00:00
Reported-by: syzbot+fedb6726c4a8c66824bb@syzkaller.appspotmail.com
First crash: 2481d, last: 2279d
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 BUG: unable to handle kernel NULL pointer dereference in l2tp_session_free C 2818 2275d 2050d 0/3 public: reported C repro on 2019/04/12 00:00
linux-4.14 BUG: unable to handle kernel NULL pointer dereference in l2tp_session_free C inconclusive 5 1642d 1791d 0/1 upstream: reported C repro on 2019/12/27 14:04

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read, 65 bits of entropy available)
random: sshd: uninitialized urandom read (32 bytes read, 74 bits of entropy available)
random: sshd: uninitialized urandom read (32 bytes read, 76 bits of entropy available)
BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
IP: [<ffffffff835a59bc>] l2tp_session_free+0x11c/0x200 net/l2tp/l2tp_core.c:1671
PGD 1d7348067 PUD 1cdaef067 PMD 0 
Oops: 0002 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 1805 Comm: kworker/1:2 Not tainted 4.4.150-g5541782 #83
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: sock_diag_events sock_diag_broadcast_destroy_work
task: ffff8800b6836000 task.stack: ffff8801d4210000
RIP: 0010:[<ffffffff835a59bc>]  [<ffffffff835a59bc>] l2tp_session_free+0x11c/0x200 net/l2tp/l2tp_core.c:1671
RSP: 0018:ffff8801d4217b28  EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8800b1f1a780 RCX: 0000000000000000
RDX: 1ffff100163e3610 RSI: ffffffff835a5991 RDI: ffff8800b1f1b080
RBP: ffff8801d4217b48 R08: ffff8800b6836928 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800b1f1af00
R13: ffff8800b1f1a788 R14: 0000000000000000 R15: ffff8800b1f1af58
FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 00000001d3b8f000 CR4: 00000000001606f0
Stack:
 ffff8800b1f1a828 dffffc0000000000 ffff8800b1f1a780 ffffffff835af470
 ffff8801d4217ba0 ffffffff835a7dc9 ffff8800b1f1afd8 ffffed00163e35eb
 ffff8800b1f1af58 ffff8800b1f1af20 ffff8800b1f1af00 ffff8801ce3d8000
Call Trace:
 [<ffffffff835a7dc9>] l2tp_session_dec_refcount_1 net/l2tp/l2tp_core.h:293 [inline]
 [<ffffffff835a7dc9>] l2tp_tunnel_closeall+0x2b9/0x350 net/l2tp/l2tp_core.c:1279
 [<ffffffff835a85b2>] l2tp_tunnel_destruct+0x2f2/0x590 net/l2tp/l2tp_core.c:1230
 [<ffffffff82f36e3c>] sk_destruct+0x4c/0x4c0 net/core/sock.c:1447
 [<ffffffff82fd3f2a>] sock_diag_broadcast_destroy_work+0x21a/0x390 net/core/sock_diag.c:153
 [<ffffffff81184eff>] process_one_work+0x7df/0x1600 kernel/workqueue.c:2064
 [<ffffffff81185df9>] worker_thread+0xd9/0xfc0 kernel/workqueue.c:2196
 [<ffffffff81193908>] kthread+0x268/0x300 kernel/kthread.c:211
 [<ffffffff838cb4d5>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:510
Code: 49 8d bc 24 80 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 d0 00 00 00 4d 8b b4 24 80 01 00 00 <f0> 41 ff 8e 80 00 00 00 74 64 e8 15 eb da fd e8 10 eb da fd 4c 
RIP  [<ffffffff835a59bc>] l2tp_session_free+0x11c/0x200 net/l2tp/l2tp_core.c:1671
 RSP <ffff8801d4217b28>
CR2: 0000000000000080
---[ end trace 954b4d16b6b65573 ]---

Crashes (23):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/08/21 07:19 https://android.googlesource.com/kernel/common android-4.4 5541782ce2bb 95b5c82b .config console log report syz C ci-android-44-kasan-gce
2018/02/24 01:22 https://android.googlesource.com/kernel/common android-4.4 17c7c494f718 5c1e0207 .config console log report syz C ci-android-44-kasan-gce
2018/02/05 01:40 https://android.googlesource.com/kernel/common android-4.4 aa856bd83c43 a1bc9d40 .config console log report syz C ci-android-44-kasan-gce
2018/08/21 07:40 https://android.googlesource.com/kernel/common android-4.4 5541782ce2bb 95b5c82b .config console log report syz C ci-android-44-kasan-gce-386
2018/08/12 20:40 https://android.googlesource.com/kernel/common android-4.4 a5fc66599b61 7a88b141 .config console log report syz C ci-android-44-kasan-gce-386
2018/08/22 18:58 https://android.googlesource.com/kernel/common android-4.4 e917467d9786 95b5c82b .config console log report syz ci-android-44-kasan-gce
2018/06/27 22:39 https://android.googlesource.com/kernel/common android-4.4 cf21a9ac5ee4 43e60f7e .config console log report syz ci-android-44-kasan-gce-386
2018/08/25 18:50 https://android.googlesource.com/kernel/common android-4.4 e5c5f1fae55d 76e7c3df .config console log report ci-android-44-kasan-gce
2018/08/22 00:34 https://android.googlesource.com/kernel/common android-4.4 5541782ce2bb 95b5c82b .config console log report ci-android-44-kasan-gce
2018/08/20 00:22 https://android.googlesource.com/kernel/common android-4.4 5541782ce2bb 2dc4378f .config console log report ci-android-44-kasan-gce
2018/08/14 12:10 https://android.googlesource.com/kernel/common android-4.4 a5fc66599b61 7a88b141 .config console log report ci-android-44-kasan-gce
2018/08/11 02:43 https://android.googlesource.com/kernel/common android-4.4 a5fc66599b61 7a88b141 .config console log report ci-android-44-kasan-gce
2018/08/08 14:52 https://android.googlesource.com/kernel/common android-4.4 139622602304 ddeb9f8d .config console log report ci-android-44-kasan-gce
2018/08/05 17:58 https://android.googlesource.com/kernel/common android-4.4 2241aa98c9aa 1beb8136 .config console log report ci-android-44-kasan-gce
2018/07/11 15:49 https://android.googlesource.com/kernel/common android-4.4 789274d6967d 2e0e3130 .config console log report ci-android-44-kasan-gce
2018/07/01 13:09 https://android.googlesource.com/kernel/common android-4.4 cf21a9ac5ee4 dba0b50e .config console log report ci-android-44-kasan-gce
2018/06/26 14:56 https://android.googlesource.com/kernel/common android-4.4 cf21a9ac5ee4 b0294c53 .config console log report ci-android-44-kasan-gce
2018/06/21 01:08 https://android.googlesource.com/kernel/common android-4.4 226f96b03dc2 095ef806 .config console log report ci-android-44-kasan-gce
2018/08/05 21:27 https://android.googlesource.com/kernel/common android-4.4 2241aa98c9aa 1beb8136 .config console log report ci-android-44-kasan-gce-386
2018/07/31 23:12 https://android.googlesource.com/kernel/common android-4.4 7bbfac190345 1477993e .config console log report ci-android-44-kasan-gce-386
2018/06/21 22:14 https://android.googlesource.com/kernel/common android-4.4 226f96b03dc2 095ef806 .config console log report ci-android-44-kasan-gce-386
2018/06/13 07:32 https://android.googlesource.com/kernel/common android-4.4 e4798d7f13c7 27c5f59f .config console log report ci-android-44-kasan-gce-386
2018/05/20 01:43 https://android.googlesource.com/kernel/common android-4.4 4f75c34feee6 f48c20b8 .config console log report ci-android-44-kasan-gce-386
* Struck through repros no longer work on HEAD.