syzbot


BUG: unable to handle kernel NULL pointer dereference in do_syscall_64 (2)

Status: fixed on 2020/09/03 09:58
Reported-by: syzbot+8952118ab986b02621b4@syzkaller.appspotmail.com
Fix commit: dd58bd1b95b7 fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
First crash: 1336d, last: 1323d
Fix bisection: fixed by (bisect log) :
commit dd58bd1b95b7127bb975942e14c4a9bd878c28db
Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Wed Jul 15 01:51:02 2020 +0000

  fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.

  
Similar bugs (6)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 BUG: unable to handle kernel NULL pointer dereference in do_syscall_64 (3) 2 1284d 1289d 0/1 auto-closed as invalid on 2021/01/09 06:14
upstream BUG: unable to handle kernel NULL pointer dereference in do_syscall_64 (2) kernel C done 9 1369d 1473d 0/26 closed as dup on 2020/08/15 13:48
upstream BUG: unable to handle kernel NULL pointer dereference in do_syscall_64 net 2 2100d 2099d 0/26 auto-closed as invalid on 2019/02/22 10:29
linux-4.14 BUG: unable to handle kernel NULL pointer dereference in do_syscall_64 1 1600d 1600d 0/1 auto-closed as invalid on 2020/02/28 23:04
linux-4.14 BUG: unable to handle kernel NULL pointer dereference in do_syscall_64 (2) 7 1398d 1436d 0/1 auto-closed as invalid on 2020/09/17 05:58
linux-4.19 BUG: unable to handle kernel NULL pointer dereference in do_syscall_64 3 1464d 1479d 0/1 auto-closed as invalid on 2020/07/13 07:25

Sample crash report:
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
PGD a7a0d067 P4D a7a0d067 PUD 8cc6e067 PMD 0 
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 6464 Comm: syz-executor088 Not tainted 4.19.133-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
RIP: 0010:do_syscall_64+0x19c/0x620 arch/x86/entry/common.c:296
Code: 03 00 00 e8 56 0f 69 00 9c 58 0f 1f 44 00 00 25 00 02 00 00 31 ff 48 89 c3 48 89 c6 e8 cd 10 69 00 48 85 db 0f 84 00 03 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffff888085b27f28 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000000000000200 RCX: ffffffff81009993
RDX: 0000000000000200 RSI: ffff88808b772700 RDI: 0000000000000007
RBP: ffff888085b27f58 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000007 R11: 0000000000000000 R12: 0000000000000000
R13: ffffffff88d25b58 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000001803940(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a0249000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4757f0
Code: 05 48 3d 01 f0 ff ff 0f 83 4d 02 f9 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 61 9c 26 00 00 75 14 b8 23 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 24 02 f9 ff c3 48 83 ec 08 e8 aa 60 fd ff
RSP: 002b:00007ffed0576708 EFLAGS: 00000246 ORIG_RAX: 0000000000000023
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00000000004757f0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffed0576710
RBP: 00007ffed0576740 R08: 0000000000000001 R09: 0000000001803940
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000a3ae
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
CR2: 0000000000000000
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#2] PREEMPT SMP KASAN
CPU: 0 PID: 6464 Comm: syz-executor088 Tainted: G      D           4.19.133-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:update_vsyscall+0x0/0x370 arch/x86/entry/vsyscall/vsyscall_gtod.c:31
Code: 05 b9 a0 8f 0a 89 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffff8880ae607c68 EFLAGS: 00010046
RAX: dffffc0000000000 RBX: ffffffff8b905c20 RCX: ffffffff815bba7f
RDX: 1ffffffff1720b90 RSI: ffffffff815bba96 RDI: ffffffff8b905c20
RBP: 0000000000000000 R08: 0000000000000001 R09: 000000003b9ac9ff
R10: 0000000000000005 R11: ffffffff8ad2501b R12: 0000000000000000
R13: ffffffff8b905cb0 R14: 0000000039d57897 R15: ffffffff8b905c48
FS:  0000000001803940(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a0249000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 timekeeping_update+0x264/0x4a0 kernel/time/timekeeping.c:670
 timekeeping_advance+0x663/0x9b0 kernel/time/timekeeping.c:2124
 tick_do_update_jiffies64.part.0+0x188/0x290 kernel/time/tick-sched.c:101
 tick_do_update_jiffies64 kernel/time/tick-sched.c:67 [inline]
 tick_sched_do_timer kernel/time/tick-sched.c:139 [inline]
 tick_sched_timer+0x220/0x290 kernel/time/tick-sched.c:1271
 __run_hrtimer kernel/time/hrtimer.c:1401 [inline]
 __hrtimer_run_queues+0x3f6/0xe60 kernel/time/hrtimer.c:1463
 hrtimer_interrupt+0x32a/0x930 kernel/time/hrtimer.c:1521
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1067 [inline]
 smp_apic_timer_interrupt+0x10c/0x550 arch/x86/kernel/apic/apic.c:1092
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
 </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:789 [inline]
RIP: 0010:oops_end+0x74/0xe0 arch/x86/kernel/dumpstack.c:343
Code: 01 75 18 48 83 3d c3 c4 ac 07 00 74 4c 48 c7 c7 cc b7 d0 8a e8 bd 65 2c 00 66 90 48 83 3d cb c3 ac 07 00 74 36 48 89 df 57 9d <0f> 1f 44 00 00 e8 72 0b 18 00 be 02 00 00 00 48 c7 c7 e0 b7 d0 8a
RSP: 0018:ffff888085b27c58 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000001 RBX: 0000000000000282 RCX: ffffffff813d9d24
RDX: 0000000000000000 RSI: ffffffff813d9cf1 RDI: 0000000000000282
RBP: ffff888085b27e78 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000005 R11: ffffffff8ad2501b R12: 0000000000000009
R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
 no_context+0x75a/0x940 arch/x86/mm/fault.c:830
 __bad_area_nosemaphore+0x2de/0x400 arch/x86/mm/fault.c:918
 __do_page_fault+0xa53/0xde0 arch/x86/mm/fault.c:1382
 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1205
RIP: 0010:syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
RIP: 0010:do_syscall_64+0x19c/0x620 arch/x86/entry/common.c:296
Code: 03 00 00 e8 56 0f 69 00 9c 58 0f 1f 44 00 00 25 00 02 00 00 31 ff 48 89 c3 48 89 c6 e8 cd 10 69 00 48 85 db 0f 84 00 03 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffff888085b27f28 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000000000000200 RCX: ffffffff81009993
RDX: 0000000000000200 RSI: ffff88808b772700 RDI: 0000000000000007
RBP: ffff888085b27f58 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000007 R11: 0000000000000000 R12: 0000000000000000
R13: ffffffff88d25b58 R14: 0000000000000000 R15: 0000000000000000
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4757f0
Code: 05 48 3d 01 f0 ff ff 0f 83 4d 02 f9 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 61 9c 26 00 00 75 14 b8 23 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 24 02 f9 ff c3 48 83 ec 08 e8 aa 60 fd ff
RSP: 002b:00007ffed0576708 EFLAGS: 00000246 ORIG_RAX: 0000000000000023
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00000000004757f0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffed0576710
RBP: 00007ffed0576740 R08: 0000000000000001 R09: 0000000001803940
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000a3ae
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 980d15824d2f4748 ]---
RIP: 0010:syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
RIP: 0010:do_syscall_64+0x19c/0x620 arch/x86/entry/common.c:296
Code: 03 00 00 e8 56 0f 69 00 9c 58 0f 1f 44 00 00 25 00 02 00 00 31 ff 48 89 c3 48 89 c6 e8 cd 10 69 00 48 85 db 0f 84 00 03 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RSP: 0018:ffff888085b27f28 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000000000000200 RCX: ffffffff81009993
RDX: 0000000000000200 RSI: ffff88808b772700 RDI: 0000000000000007
RBP: ffff888085b27f58 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000007 R11: 0000000000000000 R12: 0000000000000000
R13: ffffffff88d25b58 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000001803940(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a0249000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/07/21 15:34 linux-4.19.y 17a87580a885 e562dd8a .config console log report syz C ci2-linux-4-19
2020/08/03 08:25 linux-4.19.y 13af6c74b14a 96dd3623 .config console log report ci2-linux-4-19
2020/08/02 21:56 linux-4.19.y 13af6c74b14a 96dd3623 .config console log report ci2-linux-4-19
2020/07/21 14:10 linux-4.19.y 17a87580a885 e562dd8a .config console log report ci2-linux-4-19
* Struck through repros no longer work on HEAD.