KASAN: null-ptr-deref Read in __netif_receive_skb

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KMSAN: uninit-value in __netif_receive_skb_core wireguard wireless	C	done		353	23d	1993d	23/25	upstream: reported C repro on 2018/04/12 08:01
linux-4.19	KASAN: use-after-free Read in __netif_receive_skb_core	syz		error	20	542d	1083d	0/1	upstream: reported syz repro on 2020/10/08 04:31
linux-4.14	KASAN: use-after-free Read in __netif_receive_skb_core	syz		error	19	810d	1227d	0/1	upstream: reported syz repro on 2020/05/16 19:24

================================================================== BUG: KASAN: null-ptr-deref in skb_end_pointer include/linux/skbuff.h:1471 [inline] BUG: KASAN: null-ptr-deref in skb_is_gso include/linux/skbuff.h:4623 [inline] BUG: KASAN: null-ptr-deref in bstats_update include/net/sch_generic.h:863 [inline] BUG: KASAN: null-ptr-deref in mini_qdisc_bstats_cpu_update include/net/sch_generic.h:1314 [inline] BUG: KASAN: null-ptr-deref in sch_handle_ingress net/core/dev.c:4995 [inline] BUG: KASAN: null-ptr-deref in __netif_receive_skb_core+0x111e/0x2730 net/core/dev.c:5211 Read of size 8 at addr 0000000000000002 by task kworker/0:5/2742 CPU: 0 PID: 2742 Comm: kworker/0:5 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0 Hardware name: riscv-virtio,qemu (DT) Workqueue: wg-crypt-wg0 wg_packet_tx_worker Call Trace: [<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113 [<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119 [<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline] [<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106 [<ffffffff80474da6>] __kasan_report mm/kasan/report.c:446 [inline] [<ffffffff80474da6>] kasan_report+0x1de/0x1e0 mm/kasan/report.c:459 [<ffffffff80475b20>] check_region_inline mm/kasan/generic.c:183 [inline] [<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256 [<ffffffff8273bc06>] skb_end_pointer include/linux/skbuff.h:1471 [inline] [<ffffffff8273bc06>] skb_is_gso include/linux/skbuff.h:4623 [inline] [<ffffffff8273bc06>] bstats_update include/net/sch_generic.h:863 [inline] [<ffffffff8273bc06>] mini_qdisc_bstats_cpu_update include/net/sch_generic.h:1314 [inline] [<ffffffff8273bc06>] sch_handle_ingress net/core/dev.c:4995 [inline] [<ffffffff8273bc06>] __netif_receive_skb_core+0x111e/0x2730 net/core/dev.c:5211 [<ffffffff8273d2cc>] __netif_receive_skb_one_core+0xb4/0x13a net/core/dev.c:5349 [<ffffffff8273d534>] __netif_receive_skb+0x36/0xd8 net/core/dev.c:5465 [<ffffffff8273e15e>] process_backlog+0x206/0x4bc net/core/dev.c:5797 [<ffffffff82740c14>] __napi_poll+0x7c/0x358 net/core/dev.c:6365 [<ffffffff827418a0>] napi_poll net/core/dev.c:6432 [inline] [<ffffffff827418a0>] net_rx_action+0x5d0/0x702 net/core/dev.c:6519 [<ffffffff831b082c>] __do_softirq+0x274/0x8fc kernel/softirq.c:558 [<ffffffff80060ea0>] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline] [<ffffffff80060ea0>] do_softirq kernel/softirq.c:459 [inline] [<ffffffff80060ea0>] do_softirq+0x158/0x15a kernel/softirq.c:446 [<ffffffff80061124>] __local_bh_enable_ip+0x282/0x2a4 kernel/softirq.c:383 [<ffffffff831b02e0>] __raw_read_unlock_bh include/linux/rwlock_api_smp.h:257 [inline] [<ffffffff831b02e0>] _raw_read_unlock_bh+0x34/0x40 kernel/locking/spinlock.c:284 [<ffffffff81766032>] wg_socket_send_skb_to_peer+0xf4/0x14c drivers/net/wireguard/socket.c:183 [<ffffffff8175f3b2>] wg_packet_create_data_done drivers/net/wireguard/send.c:251 [inline] [<ffffffff8175f3b2>] wg_packet_tx_worker+0x14a/0x5ca drivers/net/wireguard/send.c:276 [<ffffffff80093b44>] process_one_work+0x654/0xffe kernel/workqueue.c:2307 [<ffffffff8009484e>] worker_thread+0x360/0x8fa kernel/workqueue.c:2454 [<ffffffff800a7f58>] kthread+0x19e/0x1fa kernel/kthread.c:377 [<ffffffff80005724>] ret_from_exception+0x0/0x10 ================================================================== Unable to handle kernel paging request at virtual address fffff5ef1aeb1800 Oops [#1] Modules linked in: CPU: 0 PID: 2742 Comm: kworker/0:5 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0 Hardware name: riscv-virtio,qemu (DT) Workqueue: wg-crypt-wg0 wg_packet_tx_worker epc : bytes_is_nonzero mm/kasan/generic.c:85 [inline] epc : memory_is_nonzero mm/kasan/generic.c:102 [inline] epc : memory_is_poisoned_n mm/kasan/generic.c:128 [inline] epc : memory_is_poisoned mm/kasan/generic.c:159 [inline] epc : check_region_inline mm/kasan/generic.c:180 [inline] epc : kasan_check_range+0x102/0x136 mm/kasan/generic.c:189 ra : __kasan_check_write+0x14/0x1c mm/kasan/shadow.c:37 epc : ffffffff80475f7a ra : ffffffff8047658a sp : ffffaf800f9eb4e0 gp : ffffffff85863ac0 tp : ffffaf800d3f48c0 t0 : ffffffff86bcb657 t1 : fffff5ef1aeb1800 t2 : 0000000000000000 s0 : ffffaf800f9eb4f0 s1 : ffffaf802597b140 a0 : fffff5ef1aeb1801 a1 : 0000000000000008 a2 : 0000000000000001 a3 : ffffffff8273bc6e a4 : 0000000000000010 a5 : fffff5ef1aeb1800 a6 : ffffaf80d758c000 a7 : ffffaf80d758c007 s2 : ffffaf800fec94c0 s3 : ffffaf80d758c000 s4 : ffffaf800f9eb6a0 s5 : ffffffff85889780 s6 : ffffaf800c460000 s7 : ffffaf805a9d9c90 s8 : ffffffff8273e0b0 s9 : ffffaf800f9eb760 s10: 0000000000000000 s11: ffffaf800f9eb760 t3 : 0000000061736944 t4 : fffff5ef1aeb1800 t5 : fffff5ef1aeb1801 t6 : ffffaf800f9eaf38 status: 0000000000000120 badaddr: fffff5ef1aeb1800 cause: 000000000000000d [<ffffffff8273bc6e>] instrument_atomic_read_write include/linux/instrumented.h:101 [inline] [<ffffffff8273bc6e>] atomic_long_add include/linux/atomic/atomic-instrumented.h:1294 [inline] [<ffffffff8273bc6e>] u64_stats_add include/linux/u64_stats_sync.h:93 [inline] [<ffffffff8273bc6e>] _bstats_update include/net/sch_generic.h:853 [inline] [<ffffffff8273bc6e>] bstats_update include/net/sch_generic.h:861 [inline] [<ffffffff8273bc6e>] mini_qdisc_bstats_cpu_update include/net/sch_generic.h:1314 [inline] [<ffffffff8273bc6e>] sch_handle_ingress net/core/dev.c:4995 [inline] [<ffffffff8273bc6e>] __netif_receive_skb_core+0x1186/0x2730 net/core/dev.c:5211 [<ffffffff8273d2cc>] __netif_receive_skb_one_core+0xb4/0x13a net/core/dev.c:5349 [<ffffffff8273d534>] __netif_receive_skb+0x36/0xd8 net/core/dev.c:5465 [<ffffffff8273e15e>] process_backlog+0x206/0x4bc net/core/dev.c:5797 [<ffffffff82740c14>] __napi_poll+0x7c/0x358 net/core/dev.c:6365 [<ffffffff827418a0>] napi_poll net/core/dev.c:6432 [inline] [<ffffffff827418a0>] net_rx_action+0x5d0/0x702 net/core/dev.c:6519 [<ffffffff831b082c>] __do_softirq+0x274/0x8fc kernel/softirq.c:558 [<ffffffff80060ea0>] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline] [<ffffffff80060ea0>] do_softirq kernel/softirq.c:459 [inline] [<ffffffff80060ea0>] do_softirq+0x158/0x15a kernel/softirq.c:446 [<ffffffff80061124>] __local_bh_enable_ip+0x282/0x2a4 kernel/softirq.c:383 [<ffffffff831b02e0>] __raw_read_unlock_bh include/linux/rwlock_api_smp.h:257 [inline] [<ffffffff831b02e0>] _raw_read_unlock_bh+0x34/0x40 kernel/locking/spinlock.c:284 [<ffffffff81766032>] wg_socket_send_skb_to_peer+0xf4/0x14c drivers/net/wireguard/socket.c:183 [<ffffffff8175f3b2>] wg_packet_create_data_done drivers/net/wireguard/send.c:251 [inline] [<ffffffff8175f3b2>] wg_packet_tx_worker+0x14a/0x5ca drivers/net/wireguard/send.c:276 [<ffffffff80093b44>] process_one_work+0x654/0xffe kernel/workqueue.c:2307 [<ffffffff8009484e>] worker_thread+0x360/0x8fa kernel/workqueue.c:2454 [<ffffffff800a7f58>] kthread+0x19e/0x1fa kernel/kthread.c:377 [<ffffffff80005724>] ret_from_exception+0x0/0x10 ---[ end trace 0000000000000000 ]---

Time	Kernel	Commit	Syzkaller	Config	Log	Report	VM info	Assets (help?)	Manager	Title
2023/01/30 13:25	git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes	0966d385830d	7374c4e5	.config	console log	report	info		ci-qemu2-riscv64	KASAN: null-ptr-deref Read in __netif_receive_skb_core
2023/01/19 10:57	git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes	0966d385830d	7374c4e5	.config	console log	report	info		ci-qemu2-riscv64	KASAN: null-ptr-deref Read in __netif_receive_skb_core
2022/10/01 18:40	git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes	0966d385830d	feb56351	.config	console log	report	info		ci-qemu2-riscv64	KASAN: null-ptr-deref Read in __netif_receive_skb_core
2022/09/15 11:08	git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes	0966d385830d	dd9a85ff	.config	console log	report	info		ci-qemu2-riscv64	KASAN: null-ptr-deref Read in __netif_receive_skb_core
2022/07/04 00:51	git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes	0966d385830d	1434eec0	.config	console log	report	info		ci-qemu2-riscv64	KASAN: null-ptr-deref Read in __netif_receive_skb_core
2022/05/03 23:38	git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes	0966d385830d	dc9e5259	.config	console log	report	info		ci-qemu2-riscv64	KASAN: null-ptr-deref Read in __netif_receive_skb_core
2023/02/06 07:48	linux-next	129af7708234	be607b78	.config	console log	report	info	[disk image] [vmlinux] [kernel image]	ci-upstream-linux-next-kasan-gce-root	general protection fault in __netif_receive_skb_core
2022/11/09 23:30	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	56751c56c2a2	5fa28208	.config	console log	report	info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	BUG: unable to handle kernel paging request in __netif_receive_skb_core