syzbot


KASAN: null-ptr-deref Read in futex_wake

Status: moderation: reported on 2022/08/14 08:45
Reported-by: syzbot+a738b5a72da9ddeae7c6@syzkaller.appspotmail.com
First crash: 48d, last: 48d
similar bugs (2):
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | general protection fault in futex_wake (2) | | | | 2 | 431d | 435d | 0/24 | auto-closed as invalid on 2021/10/21 19:26
linux-4.19 | general protection fault in futex_wake (2) | | | | 1 | 549d | 549d | 0/1 | auto-closed as invalid on 2021/07/25 11:26

Sample crash report:
==================================================================
BUG: KASAN: null-ptr-deref in futex_wake+0x1ce/0x2f4 kernel/futex/waitwake.c:166
Read of size 8 at addr 0000000000000000 by task syz-executor.1/3292

CPU: 1 PID: 3292 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff80474da6>] __kasan_report mm/kasan/report.c:446 [inline]
[<ffffffff80474da6>] kasan_report+0x1de/0x1e0 mm/kasan/report.c:459
[<ffffffff80475b20>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256
[<ffffffff80198b2e>] futex_wake+0x1ce/0x2f4 kernel/futex/waitwake.c:166
[<ffffffff80194dbc>] do_futex+0x21a/0x284 kernel/futex/syscalls.c:111
[<ffffffff80194f1e>] __do_sys_futex kernel/futex/syscalls.c:183 [inline]
[<ffffffff80194f1e>] sys_futex+0xf8/0x310 kernel/futex/syscalls.c:164
[<ffffffff80005716>] ret_from_syscall+0x0/0x2
==================================================================
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Oops [#1]
Modules linked in:
CPU: 1 PID: 3292 Comm: syz-executor.1 Tainted: G    B             5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
epc : futex_wake+0x1ce/0x2f4 kernel/futex/waitwake.c:166
 ra : futex_wake+0x1ce/0x2f4 kernel/futex/waitwake.c:166
epc : ffffffff80198b2e ra : ffffffff80198b2e sp : ffffaf800734fb70
 gp : ffffffff85863ac0 tp : ffffaf8009c0e100 t0 : ffffffff86bcb657
 t1 : fffff5ef0b53c90c t2 : 0000000000000000 s0 : ffffaf800734fcc0
 s1 : ffffaf801063bd48 a0 : 0000000000000001 a1 : 0000000000000003
 a2 : 1ffff5f001381c21 a3 : ffffffff831afd3a a4 : 0000000000000000
 a5 : ffffaf8009c0f100 a6 : 0000000000f00000 a7 : ffffaf805a9e4863
 s2 : ffffffffffffffe8 s3 : ffffaf800734fc40 s4 : 0000000000000000
 s5 : 0000000000000000 s6 : ffffffffffffffff s7 : ffffaf80093fc5c8
 s8 : 00000000000f4240 s9 : ffffaf800734fbc0 s10: 000000000011b000
 s11: ffffaf800db0d3c8 t3 : 0000000061736944 t4 : fffff5ef0b53c90c
 t5 : fffff5ef0b53c90d t6 : ffffaf800734f5b8
status: 0000000000000120 badaddr: 0000000000000000 cause: 000000000000000d
[<ffffffff80194dbc>] do_futex+0x21a/0x284 kernel/futex/syscalls.c:111
[<ffffffff80194f1e>] __do_sys_futex kernel/futex/syscalls.c:183 [inline]
[<ffffffff80194f1e>] sys_futex+0xf8/0x310 kernel/futex/syscalls.c:164
[<ffffffff80005716>] ret_from_syscall+0x0/0x2
---[ end trace 0000000000000000 ]---

Crashes (1):
Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title
ci-qemu2-riscv64 | 2022/08/10 08:41 | git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes | 0966d385830d | aaa9eaa0 | .config | log | report | | | info | KASAN: null-ptr-deref Read in futex_wake