syzbot


KASAN: null-ptr-deref Read in tcf_idrinfo_destroy

Status: upstream: reported C repro on 2023/05/10 22:23
Reported-by: syzbot+cf9750784f3e766f0fee@syzkaller.appspotmail.com
First crash: 361d, last: 1h35m
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: null-ptr-deref Read in tcf_idrinfo_destroy net C 115 1124d 1314d 20/26 fixed on 2021/04/09 19:46

Sample crash report:
==================================================================
BUG: KASAN: null-ptr-deref in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: null-ptr-deref in __tcf_idr_release net/sched/act_api.c:162 [inline]
BUG: KASAN: null-ptr-deref in tcf_idrinfo_destroy+0xe2/0x280 net/sched/act_api.c:541
Read of size 4 at addr 0000000000000010 by task kworker/u4:2/179

CPU: 1 PID: 179 Comm: kworker/u4:2 Not tainted 5.4.259-syzkaller-00012-g57a39998c138 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 __kasan_report+0xe9/0x120 mm/kasan/report.c:520
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 check_memory_region_inline mm/kasan/generic.c:141 [inline]
 check_memory_region+0x272/0x280 mm/kasan/generic.c:191
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 __tcf_idr_release net/sched/act_api.c:162 [inline]
 tcf_idrinfo_destroy+0xe2/0x280 net/sched/act_api.c:541
 tc_action_net_exit include/net/act_api.h:145 [inline]
 police_exit_net+0xd7/0x140 net/sched/act_police.c:410
 ops_exit_list net/core/net_namespace.c:184 [inline]
 cleanup_net+0x6e2/0xc90 net/core/net_namespace.c:609
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
==================================================================
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 179 Comm: kworker/u4:2 Tainted: G    B             5.4.259-syzkaller-00012-g57a39998c138 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: netns cleanup_net
RIP: 0010:__read_once_size include/linux/compiler.h:268 [inline]
RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:31 [inline]
RIP: 0010:atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
RIP: 0010:__tcf_idr_release net/sched/act_api.c:162 [inline]
RIP: 0010:tcf_idrinfo_destroy+0xe9/0x280 net/sched/act_api.c:541
Code: ee e8 3b 79 b6 00 48 85 c0 0f 84 54 01 00 00 49 89 c6 48 8d 58 20 48 89 df be 04 00 00 00 e8 7e 79 00 fe 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 f5 00 00 00 8b 1b 31 ff 89 de e8 1f d8
RSP: 0018:ffff8881e4dd7b60 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: ffff8881e9f46e40
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00000000ffffffff
RBP: ffff8881e4dd7c30 R08: ffffffff813af605 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 1ffff1103c9baf78
R13: ffff8881e4dd7bc0 R14: fffffffffffffff0 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f95dd0c10d0 CR3: 00000001ddae4000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tc_action_net_exit include/net/act_api.h:145 [inline]
 police_exit_net+0xd7/0x140 net/sched/act_police.c:410
 ops_exit_list net/core/net_namespace.c:184 [inline]
 cleanup_net+0x6e2/0xc90 net/core/net_namespace.c:609
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
Modules linked in:
---[ end trace 87ba05ee6766aa7d ]---
RIP: 0010:__read_once_size include/linux/compiler.h:268 [inline]
RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:31 [inline]
RIP: 0010:atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
RIP: 0010:__tcf_idr_release net/sched/act_api.c:162 [inline]
RIP: 0010:tcf_idrinfo_destroy+0xe9/0x280 net/sched/act_api.c:541
Code: ee e8 3b 79 b6 00 48 85 c0 0f 84 54 01 00 00 49 89 c6 48 8d 58 20 48 89 df be 04 00 00 00 e8 7e 79 00 fe 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 f5 00 00 00 8b 1b 31 ff 89 de e8 1f d8
RSP: 0018:ffff8881e4dd7b60 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000010 RCX: ffff8881e9f46e40
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00000000ffffffff
RBP: ffff8881e4dd7c30 R08: ffffffff813af605 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 1ffff1103c9baf78
R13: ffff8881e4dd7bc0 R14: fffffffffffffff0 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd211b0d88 CR3: 00000001ee3c0000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	ee                   	out    %al,(%dx)
   1:	e8 3b 79 b6 00       	call   0xb67941
   6:	48 85 c0             	test   %rax,%rax
   9:	0f 84 54 01 00 00    	je     0x163
   f:	49 89 c6             	mov    %rax,%r14
  12:	48 8d 58 20          	lea    0x20(%rax),%rbx
  16:	48 89 df             	mov    %rbx,%rdi
  19:	be 04 00 00 00       	mov    $0x4,%esi
  1e:	e8 7e 79 00 fe       	call   0xfe0079a1
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 0f b6 04 38       	movzbl (%rax,%r15,1),%eax <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	0f 85 f5 00 00 00    	jne    0x12c
  37:	8b 1b                	mov    (%rbx),%ebx
  39:	31 ff                	xor    %edi,%edi
  3b:	89 de                	mov    %ebx,%esi
  3d:	e8                   	.byte 0xe8
  3e:	1f                   	(bad)
  3f:	d8                   	.byte 0xd8

Crashes (2917):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/01/13 02:38 android12-5.4 57a39998c138 551587c1 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2023/11/28 05:10 android12-5.4 2ac128c04e33 7ec6c044 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2023/05/10 22:14 android12-5.4 0fcb7cff9462 14b12a99 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/04 13:58 android12-5.4 51cf29fc2bfc 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/04 12:33 android12-5.4 51cf29fc2bfc 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/04 10:51 android12-5.4 51cf29fc2bfc 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/04 09:12 android12-5.4 51cf29fc2bfc 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/04 02:05 android12-5.4 51cf29fc2bfc 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/04 01:50 android12-5.4 51cf29fc2bfc 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/04 00:48 android12-5.4 51cf29fc2bfc 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/03 22:48 android12-5.4 51cf29fc2bfc dd26401e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/03 22:16 android12-5.4 51cf29fc2bfc dd26401e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/03 20:49 android12-5.4 51cf29fc2bfc dd26401e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/03 13:52 android12-5.4 51cf29fc2bfc dd26401e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/03 10:56 android12-5.4 51cf29fc2bfc dd26401e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/03 09:42 android12-5.4 51cf29fc2bfc dd26401e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/03 08:50 android12-5.4 51cf29fc2bfc dd26401e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/03 04:58 android12-5.4 51cf29fc2bfc ddfc15a1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/03 00:12 android12-5.4 51cf29fc2bfc ddfc15a1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/02 23:40 android12-5.4 51cf29fc2bfc ddfc15a1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/02 22:38 android12-5.4 2d5d8240a7cb ddfc15a1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/02 21:22 android12-5.4 2d5d8240a7cb ddfc15a1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/02 20:57 android12-5.4 2d5d8240a7cb ddfc15a1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/02 19:52 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/02 18:46 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/02 17:39 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/02 15:44 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/02 14:40 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/02 13:36 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/02 12:34 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/02 07:20 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/02 06:05 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/02 03:31 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/02 02:27 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/01 23:10 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/01 21:19 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/01 18:59 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/01 17:48 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/01 17:37 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/01 15:28 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/01 12:39 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/01 11:14 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/01 06:03 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/01 03:23 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/01 00:37 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/05/01 00:13 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/04/30 22:55 android12-5.4 2d5d8240a7cb 3ce4924c .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/04/30 16:42 android12-5.4 2d5d8240a7cb 3ce4924c .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2024/04/30 14:50 android12-5.4 2d5d8240a7cb 3ce4924c .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
2023/05/08 21:25 android12-5.4 0fcb7cff9462 c7a5e2a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Read in tcf_idrinfo_destroy
* Struck through repros no longer work on HEAD.