syzbot


KASAN: null-ptr-deref Read in __netif_napi_del

Status: closed as invalid on 2024/10/17 12:22
Subsystems: net
First crash: 277d, last: 155d
Similar bugs (3)
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | BUG: corrupted list in __netif_napi_del (3) net | | | | 1 | 825d | 824d | 0/28 | auto-obsoleted due to no activity on 2023/03/16 19:11 |
| upstream | BUG: corrupted list in __netif_napi_del (2) net | | | | 3 | 1374d | 1420d | 0/28 | auto-closed as invalid on 2021/08/14 18:06 |
| upstream | KASAN: use-after-free Read in __netif_napi_del net | | | | 5 | 1175d | 1203d | 0/28 | auto-closed as invalid on 2022/03/02 04:36 |

Sample crash report:
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: null-ptr-deref in refcount_read include/linux/refcount.h:136 [inline]
BUG: KASAN: null-ptr-deref in skb_unref include/linux/skbuff.h:1222 [inline]
BUG: KASAN: null-ptr-deref in __kfree_skb_reason net/core/skbuff.c:1195 [inline]
BUG: KASAN: null-ptr-deref in kfree_skb_reason+0x36/0x210 net/core/skbuff.c:1222
Read of size 4 at addr 0000000000000109 by task kworker/u32:8/1092

CPU: 0 PID: 1092 Comm: kworker/u32:8 Not tainted 6.9.0-syzkaller-08544-g4b377b4868ef #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: netns cleanup_net
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
 refcount_read include/linux/refcount.h:136 [inline]
 skb_unref include/linux/skbuff.h:1222 [inline]
 __kfree_skb_reason net/core/skbuff.c:1195 [inline]
 kfree_skb_reason+0x36/0x210 net/core/skbuff.c:1222
 kfree_skb include/linux/skbuff.h:1257 [inline]
 napi_free_frags include/linux/netdevice.h:3881 [inline]
 __netif_napi_del net/core/dev.c:6695 [inline]
 __netif_napi_del+0x273/0x570 net/core/dev.c:6688
 gro_cells_destroy net/core/gro_cells.c:117 [inline]
 gro_cells_destroy+0x10a/0x4d0 net/core/gro_cells.c:106
 unregister_netdevice_many_notify+0xbd7/0x19f0 net/core/dev.c:11238
 cleanup_net+0x58c/0xbf0 net/core/net_namespace.c:635
 process_one_work+0x958/0x1ad0 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
==================================================================

Crashes (5):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2024/05/18 07:38 | upstream | 4b377b4868ef | c2e07261 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | KASAN: null-ptr-deref Read in __netif_napi_del |
| 2024/06/10 16:32 | upstream | 83a7eefedc9b | c2e07261 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | general protection fault in __netif_napi_del |
| 2024/06/04 10:27 | upstream | 2ab795141095 | c2e07261 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | general protection fault in __netif_napi_del |
| 2024/06/01 16:29 | upstream | cc8ed4d0a848 | c2e07261 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | general protection fault in __netif_napi_del |
| 2024/09/17 04:32 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 5f5673607153 | c673ca06 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | BUG: unable to handle kernel paging request in __netif_napi_del |
* Struck through repros no longer work on HEAD.