syzbot
KASAN: null-ptr-deref Read in hrtimer_active

Status: closed as invalid on 2024/01/16 13:47
Subsystems: kernel
First crash: 301d, last: 163d
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream general protection fault in hrtimer_active (3) kernel syz done error 34 820d 1125d 20/26 fixed on 2022/03/08 16:11
upstream general protection fault in hrtimer_active (5) kernel C error 22 443d 447d 22/26 fixed on 2023/06/08 14:41
upstream general protection fault in hrtimer_active (4) kernel 7 649d 759d 0/26 auto-obsoleted due to no activity on 2022/10/20 15:45
upstream BUG: unable to handle kernel NULL pointer dereference in hrtimer_active kernel 1 81d 80d 26/26 fixed on 2024/03/27 19:12
upstream general protection fault in hrtimer_active kernel C 669 2364d 2388d 3/26 fixed on 2017/11/28 03:36
upstream general protection fault in hrtimer_active (2) kernel C 10612 2251d 2256d 4/26 fixed on 2018/03/06 13:29
linux-4.19 general protection fault in hrtimer_active C error 66 953d 1696d 0/1 upstream: reported C repro on 2019/09/09 21:23

Sample crash report:
infiniband syz2: set active
infiniband syz0: set active
==================================================================
BUG: KASAN: null-ptr-deref in __seqprop_raw_spinlock_sequence include/linux/seqlock.h:274 [inline]
BUG: KASAN: null-ptr-deref in hrtimer_active+0x4e/0xf8 kernel/time/hrtimer.c:1614
Read of size 4 at addr 0000000000000010 by task syz-executor.0/16762

CPU: 1 PID: 16762 Comm: syz-executor.0 Not tainted 6.4.0-syzkaller-g533925cb7604 #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000a660>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:121
[<ffffffff834fe364>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:127
[<ffffffff8353e58a>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff8353e58a>] dump_stack_lvl+0xe0/0x14c lib/dump_stack.c:106
[<ffffffff835056ae>] print_report+0x4e2/0x4fe mm/kasan/report.c:478
[<ffffffff80540136>] kasan_report+0xbc/0x182 mm/kasan/report.c:588
[<ffffffff805412a6>] check_region_inline mm/kasan/generic.c:180 [inline]
[<ffffffff805412a6>] __asan_load4+0x80/0xa8 mm/kasan/generic.c:258
[<ffffffff801b2404>] __seqprop_raw_spinlock_sequence include/linux/seqlock.h:274 [inline]
[<ffffffff801b2404>] hrtimer_active+0x4e/0xf8 kernel/time/hrtimer.c:1614
[<ffffffff801b448c>] hrtimer_try_to_cancel kernel/time/hrtimer.c:1331 [inline]
[<ffffffff801b448c>] hrtimer_cancel+0x18/0x60 kernel/time/hrtimer.c:1446
[<ffffffff829d0b08>] napi_disable+0x138/0x1ba net/core/dev.c:6386
[<ffffffff81a3fa12>] veth_napi_del_range+0xa2/0x45e drivers/net/veth.c:1107
[<ffffffff81a40768>] veth_napi_del drivers/net/veth.c:1127 [inline]
[<ffffffff81a40768>] veth_set_features drivers/net/veth.c:1589 [inline]
[<ffffffff81a40768>] veth_set_features+0x146/0x232 drivers/net/veth.c:1567
[<ffffffff829f762c>] __netdev_update_features+0x582/0x1370 net/core/dev.c:9713
[<ffffffff829f849a>] netdev_update_features+0x80/0xee net/core/dev.c:9787
[<ffffffff81a4258e>] veth_xdp_set drivers/net/veth.c:1690 [inline]
[<ffffffff81a4258e>] veth_xdp+0x3a6/0x554 drivers/net/veth.c:1703
[<ffffffff8196d422>] bond_xdp_set drivers/net/bonding/bond_main.c:5624 [inline]
[<ffffffff8196d422>] bond_xdp+0x22c/0x632 drivers/net/bonding/bond_main.c:5670
[<ffffffff829d1156>] dev_xdp_install+0xe8/0x20e net/core/dev.c:9103
[<ffffffff829d8790>] dev_xdp_attach+0x576/0xa46 net/core/dev.c:9255
[<ffffffff829f700c>] dev_change_xdp_fd+0x21e/0x2bc net/core/dev.c:9501
[<ffffffff82a1fbe6>] do_setlink+0x215a/0x23ee net/core/rtnetlink.c:3089
[<ffffffff82a2c62e>] rtnl_group_changelink net/core/rtnetlink.c:3409 [inline]
[<ffffffff82a2c62e>] __rtnl_newlink+0xa3c/0xfdc net/core/rtnetlink.c:3665
[<ffffffff82a2cc2e>] rtnl_newlink+0x60/0x8c net/core/rtnetlink.c:3702
[<ffffffff82a212ce>] rtnetlink_rcv_msg+0x35e/0xb3c net/core/rtnetlink.c:6424
[<ffffffff82c092b8>] netlink_rcv_skb+0x100/0x2ce net/netlink/af_netlink.c:2549
[<ffffffff82a17ed2>] rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6442
[<ffffffff82c07b78>] netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
[<ffffffff82c07b78>] netlink_unicast+0x410/0x600 net/netlink/af_netlink.c:1365
[<ffffffff82c0828c>] netlink_sendmsg+0x524/0x9f6 net/netlink/af_netlink.c:1914
[<ffffffff8297b406>] sock_sendmsg_nosec net/socket.c:725 [inline]
[<ffffffff8297b406>] sock_sendmsg+0xa0/0xf2 net/socket.c:748
[<ffffffff8297bc58>] ____sys_sendmsg+0x51e/0x558 net/socket.c:2494
[<ffffffff82982794>] ___sys_sendmsg+0x124/0x1b6 net/socket.c:2548
[<ffffffff829829e0>] __sys_sendmsg+0xfc/0x1a8 net/socket.c:2577
[<ffffffff82982ab8>] __do_sys_sendmsg net/socket.c:2586 [inline]
[<ffffffff82982ab8>] sys_sendmsg+0x2c/0x3a net/socket.c:2584
[<ffffffff800096ec>] syscall_handler+0xfa/0x148 arch/riscv/include/asm/syscall.h:90
[<ffffffff8353fb16>] do_trap_ecall_u+0xea/0xec arch/riscv/kernel/traps.c:302
[<ffffffff80005a10>] ret_from_exception+0x0/0x64 arch/riscv/kernel/entry.S:102
==================================================================

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/07/06 10:14 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 533925cb7604 ba5dba36 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-riscv64 KASAN: null-ptr-deref Read in hrtimer_active
2023/10/16 08:21 upstream 58720809f527 f757a323 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream general protection fault in hrtimer_active
2023/10/01 23:34 upstream e81a2dabc3f3 8e26a358 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream general protection fault in hrtimer_active
2023/11/07 23:47 upstream 13d88ac54ddd 83211397 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 general protection fault in hrtimer_active
2023/10/13 00:19 upstream 401644852d0b 08f99e71 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm64-mte BUG: unable to handle kernel NULL pointer dereference in hrtimer_active
2023/09/04 04:48 upstream 708283abf896 696ea0d2 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm64 BUG: unable to handle kernel paging request in hrtimer_active
2023/11/21 03:38 net-next 21612f52e429 cb976f63 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce general protection fault in hrtimer_active