syzbot


general protection fault in ioctl_standard_call
Status: fixed on 2021/02/25 13:45
Reported-by: syzbot+0b40ce3e073acb2fb4da@syzkaller.appspotmail.com
Fix commit: 173b67cf1e72 wext: fix NULL-ptr-dereference with cfg80211's lack of commit()
First crash: 584d, last: 488d

Fix bisection: fixed by (bisect log):
commit 173b67cf1e72baff9cc02351cbe3c207b6ae29a4
Author: Johannes Berg <johannes.berg@intel.com>
Date: Thu Jan 21 16:16:22 2021 +0000

  wext: fix NULL-ptr-dereference with cfg80211's lack of commit()

similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 general protection fault in ioctl_standard_call C done 23 470d 584d 1/1 fixed on 2021/03/14 19:08

Sample crash report:
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 8012 Comm: syz-executor489 Not tainted 4.14.206-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880964ee300 task.stack: ffff8880955b0000
RIP: 0010:call_commit_handler net/wireless/wext-core.c:902 [inline]
RIP: 0010:ioctl_standard_call+0x19b/0x260 net/wireless/wext-core.c:1031
RSP: 0018:ffff8880955b7b48 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffff11012ab6f5a
RDX: 0000000000000000 RSI: ffff8880964eeb88 RDI: ffff888097381060
RBP: ffff888097380e80 R08: ffff8880ba42abf0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880955b7cb8
R13: 0000000000008b04 R14: 0000000000000000 R15: ffff8880955b7bf0
FS:  0000000002341880(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f07d93df6c0 CR3: 000000009c3a1000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 wireless_process_ioctl+0x312/0x450 net/wireless/wext-core.c:956
 wext_ioctl_dispatch net/wireless/wext-core.c:989 [inline]
 wext_ioctl_dispatch net/wireless/wext-core.c:977 [inline]
 wext_handle_ioctl+0x17e/0x190 net/wireless/wext-core.c:1045
 dev_ioctl+0x24c/0xbe0 net/core/dev_ioctl.c:444
 sock_do_ioctl net/socket.c:981 [inline]
 sock_ioctl+0x164/0x4c0 net/socket.c:1071
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x441529
RSP: 002b:00007ffc0fe95788 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffc0fe957b0 RCX: 0000000000441529
RDX: 00000000200000c0 RSI: 0000000000008b04 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000001300000000 R09: 0000001300000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032
R13: 0000000000000000 R14: 000000000000000c R15: 0000000000000004
Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 c8 00 00 00 48 8b 9d e0 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 99 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 
RIP: call_commit_handler net/wireless/wext-core.c:902 [inline] RSP: ffff8880955b7b48
RIP: ioctl_standard_call+0x19b/0x260 net/wireless/wext-core.c:1031 RSP: ffff8880955b7b48
---[ end trace e45806b6217eeeda ]---

Crashes (24):
Manager         Time              Kernel        Commit        Syzkaller  Config   Log  Report  Syz repro  C repro  VM info
ci2-linux-4-14  2020/11/11 11:04  linux-4.14.y  27ce4f2a6817  cca87986   .config  log  report  syz        C        -
ci2-linux-4-14  2020/11/06 08:32  linux-4.14.y  6b6446efedb2  cba33199   .config  log  report  syz        C        -
ci2-linux-4-14  2020/11/06 07:12  linux-4.14.y  6b6446efedb2  cba33199   .config  log  report  syz        C        -
ci2-linux-4-14  2020/11/06 06:24  linux-4.14.y  6b6446efedb2  cba33199   .config  log  report  syz        C        -
ci2-linux-4-14  2020/10/21 14:54  linux-4.14.y  5b7a52cd2eef  99c64d5c   .config  log  report  syz        C        -
ci2-linux-4-14  2020/11/26 03:50  linux-4.14.y  87335852c5d9  3f581b43   .config  log  report  -          -        info
ci2-linux-4-14  2020/11/24 06:11  linux-4.14.y  0df445b0f0da  1ab681a4   .config  log  report  -          -        info
ci2-linux-4-14  2020/11/22 00:03  linux-4.14.y  8961076ed318  0d27f508   .config  log  report  -          -        info
ci2-linux-4-14  2020/11/17 08:26  linux-4.14.y  27ce4f2a6817  1bf9a662   .config  log  report  -          -        info
ci2-linux-4-14  2020/11/15 19:24  linux-4.14.y  27ce4f2a6817  1bf9a662   .config  log  report  -          -        info
ci2-linux-4-14  2020/11/10 11:57  linux-4.14.y  e98f3c4269fd  cca87986   .config  log  report  -          -        info
ci2-linux-4-14  2020/11/10 11:08  linux-4.14.y  e98f3c4269fd  cca87986   .config  log  report  -          -        info
ci2-linux-4-14  2020/11/10 09:33  linux-4.14.y  6b6446efedb2  cca87986   .config  log  report  -          -        info
ci2-linux-4-14  2020/11/10 08:53  linux-4.14.y  6b6446efedb2  cca87986   .config  log  report  -          -        info
ci2-linux-4-14  2020/11/09 00:15  linux-4.14.y  6b6446efedb2  cba33199   .config  log  report  -          -        info
ci2-linux-4-14  2020/11/08 14:21  linux-4.14.y  6b6446efedb2  cba33199   .config  log  report  -          -        info
ci2-linux-4-14  2020/11/01 12:27  linux-4.14.y  2b7915014161  8bc4594f   .config  log  report  -          -        info
ci2-linux-4-14  2020/10/31 02:51  linux-4.14.y  2b7915014161  18e33098   .config  log  report  -          -        info
ci2-linux-4-14  2020/10/28 12:21  linux-4.14.y  5b7a52cd2eef  96e03c1c   .config  log  report  -          -        info
ci2-linux-4-14  2020/10/27 01:26  linux-4.14.y  5b7a52cd2eef  8b3eaf58   .config  log  report  -          -        info
ci2-linux-4-14  2020/10/24 19:50  linux-4.14.y  5b7a52cd2eef  a1839e81   .config  log  report  -          -        info
ci2-linux-4-14  2020/10/23 18:06  linux-4.14.y  5b7a52cd2eef  4e740c00   .config  log  report  -          -        info
ci2-linux-4-14  2020/10/21 13:36  linux-4.14.y  5b7a52cd2eef  99c64d5c   .config  log  report  -          -        info
ci2-linux-4-14  2020/10/21 11:55  linux-4.14.y  5b7a52cd2eef  99c64d5c   .config  log  report  -          -        info