================================================================== BUG: KASAN: null-ptr-deref in __wake_up_common+0x108/0x236 kernel/sched/wait.c:101 Read of size 8 at addr 000000000000000b by task sshd/2015 CPU: 1 PID: 2015 Comm: sshd Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0 Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113 [] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119 [] __dump_stack lib/dump_stack.c:88 [inline] [] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106 [] __kasan_report mm/kasan/report.c:446 [inline] [] kasan_report+0x1de/0x1e0 mm/kasan/report.c:459 [] check_region_inline mm/kasan/generic.c:183 [inline] [] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256 [] __wake_up_common+0x108/0x236 kernel/sched/wait.c:101 [] __wake_up_common_lock+0xd6/0x136 kernel/sched/wait.c:138 [] __wake_up+0x10/0x18 kernel/sched/wait.c:157 [] ep_poll_callback+0x194/0xa40 fs/eventpoll.c:1201 [] __wake_up_common+0xb6/0x236 kernel/sched/wait.c:108 [] __wake_up_common_lock+0xd6/0x136 kernel/sched/wait.c:138 [] __wake_up_sync_key+0x14/0x1e kernel/sched/wait.c:205 [] sock_def_readable+0xe4/0x50e net/core/sock.c:3147 [] tcp_data_ready+0xa6/0x2e0 net/ipv4/tcp_input.c:4977 [] tcp_data_queue+0x17b6/0x24e6 net/ipv4/tcp_input.c:5047 [] tcp_rcv_established+0x6dc/0x15e6 net/ipv4/tcp_input.c:5945 [] tcp_v4_do_rcv+0x4b4/0x66e net/ipv4/tcp_ipv4.c:1719 [] tcp_v4_rcv+0x1d22/0x1f46 net/ipv4/tcp_ipv4.c:2119 [] ip_protocol_deliver_rcu+0x9c/0x8c0 net/ipv4/ip_input.c:204 [] ip_local_deliver_finish+0x12c/0x278 net/ipv4/ip_input.c:231 [] NF_HOOK include/linux/netfilter.h:307 [inline] [] NF_HOOK include/linux/netfilter.h:301 [inline] [] ip_local_deliver+0x2fc/0x464 net/ipv4/ip_input.c:252 [] dst_input include/net/dst.h:461 [inline] [] ip_rcv_finish+0x162/0x1f6 net/ipv4/ip_input.c:429 [] NF_HOOK include/linux/netfilter.h:307 [inline] [] NF_HOOK include/linux/netfilter.h:301 [inline] [] ip_rcv+0xd4/0x3be net/ipv4/ip_input.c:540 [] __netif_receive_skb_one_core+0xf0/0x13a net/core/dev.c:5351 [] __netif_receive_skb+0x36/0xd8 net/core/dev.c:5465 [] process_backlog+0x206/0x4bc net/core/dev.c:5797 [] __napi_poll+0x7c/0x358 net/core/dev.c:6365 [] napi_poll net/core/dev.c:6432 [inline] [] net_rx_action+0x5d0/0x702 net/core/dev.c:6519 [] __do_softirq+0x274/0x8fc kernel/softirq.c:558 [] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline] [] do_softirq kernel/softirq.c:459 [inline] [] do_softirq+0x158/0x15a kernel/softirq.c:446 [] __local_bh_enable_ip+0x282/0x2a4 kernel/softirq.c:383 [] local_bh_enable include/linux/bottom_half.h:33 [inline] [] rcu_read_unlock_bh include/linux/rcupdate.h:764 [inline] [] ip_finish_output2+0x57c/0x1720 net/ipv4/ip_output.c:222 [] __ip_finish_output net/ipv4/ip_output.c:299 [inline] [] __ip_finish_output+0x25a/0x3ee net/ipv4/ip_output.c:281 [] ip_finish_output+0x3e/0x176 net/ipv4/ip_output.c:309 [] NF_HOOK_COND include/linux/netfilter.h:296 [inline] [] ip_output+0x1d0/0x2d0 net/ipv4/ip_output.c:423 [] dst_output include/net/dst.h:451 [inline] [] ip_local_out net/ipv4/ip_output.c:126 [inline] [] __ip_queue_xmit+0x4a0/0xeb2 net/ipv4/ip_output.c:525 [] ip_queue_xmit+0x36/0x44 net/ipv4/ip_output.c:539 [] __tcp_transmit_skb+0xce4/0x1f5e net/ipv4/tcp_output.c:1402 [] tcp_transmit_skb net/ipv4/tcp_output.c:1420 [inline] [] tcp_write_xmit+0xd40/0x3344 net/ipv4/tcp_output.c:2680 [] __tcp_push_pending_frames+0x7a/0x22c net/ipv4/tcp_output.c:2864 [] tcp_push+0x19c/0x3b4 net/ipv4/tcp.c:725 [] tcp_sendmsg_locked+0x5fc/0x1d9e net/ipv4/tcp.c:1412 [] tcp_sendmsg+0x32/0x4e net/ipv4/tcp.c:1440 [] inet_sendmsg+0x74/0x94 net/ipv4/af_inet.c:819 [] sock_sendmsg_nosec net/socket.c:705 [inline] [] sock_sendmsg+0xa0/0xc4 net/socket.c:725 [] sock_write_iter+0x1c0/0x272 net/socket.c:1061 [] call_write_iter include/linux/fs.h:2074 [inline] [] new_sync_write+0x296/0x3aa fs/read_write.c:503 [] vfs_write+0x2de/0x334 fs/read_write.c:590 [] ksys_write+0x1c4/0x224 fs/read_write.c:643 [] __do_sys_write fs/read_write.c:655 [inline] [] sys_write+0x28/0x36 fs/read_write.c:652 [] ret_from_syscall+0x0/0x2 ================================================================== Unable to handle kernel NULL pointer dereference at virtual address 000000000000000b Oops [#1] Modules linked in: CPU: 1 PID: 2015 Comm: sshd Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0 Hardware name: riscv-virtio,qemu (DT) epc : __wake_up_common+0x108/0x236 kernel/sched/wait.c:101 ra : __wake_up_common+0x108/0x236 kernel/sched/wait.c:101 epc : ffffffff800f76ca ra : ffffffff800f76ca sp : ffffaf8009f8e090 gp : ffffffff85863ac0 tp : ffffaf800f103080 t0 : ffffffff86bdb090 t1 : fffff5ef0b53c90c t2 : 0000000000000000 s0 : ffffaf8009f8e100 s1 : ffffaf8011183cf0 a0 : 0000000000000001 a1 : 0000000000000003 a2 : 1ffff5f001e20611 a3 : ffffffff831afd3a a4 : 0000000000000000 a5 : ffffaf800f104080 a6 : 0000000000f00000 a7 : ffffaf805a9e4863 s2 : fffffffffffffff3 s3 : 000000000000000b s4 : 0000000000000000 s5 : ffffaf800e5a0cd0 s6 : ffffaf8009f8e150 s7 : 0000000000000001 s8 : 0000000000000003 s9 : 0000000000000000 s10: 0000000000000000 s11: ffffffff80110fdc t3 : 00000000746e6961 t4 : fffff5ef0b53c90c t5 : fffff5ef0b53c90d t6 : ffffffff86bdb0bf status: 0000000000000100 badaddr: 000000000000000b cause: 000000000000000d [] __wake_up_common_lock+0xd6/0x136 kernel/sched/wait.c:138 [] __wake_up+0x10/0x18 kernel/sched/wait.c:157 [] ep_poll_callback+0x194/0xa40 fs/eventpoll.c:1201 [] __wake_up_common+0xb6/0x236 kernel/sched/wait.c:108 [] __wake_up_common_lock+0xd6/0x136 kernel/sched/wait.c:138 [] __wake_up_sync_key+0x14/0x1e kernel/sched/wait.c:205 [] sock_def_readable+0xe4/0x50e net/core/sock.c:3147 [] tcp_data_ready+0xa6/0x2e0 net/ipv4/tcp_input.c:4977 [] tcp_data_queue+0x17b6/0x24e6 net/ipv4/tcp_input.c:5047 [] tcp_rcv_established+0x6dc/0x15e6 net/ipv4/tcp_input.c:5945 [] tcp_v4_do_rcv+0x4b4/0x66e net/ipv4/tcp_ipv4.c:1719 [] tcp_v4_rcv+0x1d22/0x1f46 net/ipv4/tcp_ipv4.c:2119 [] ip_protocol_deliver_rcu+0x9c/0x8c0 net/ipv4/ip_input.c:204 [] ip_local_deliver_finish+0x12c/0x278 net/ipv4/ip_input.c:231 [] NF_HOOK include/linux/netfilter.h:307 [inline] [] NF_HOOK include/linux/netfilter.h:301 [inline] [] ip_local_deliver+0x2fc/0x464 net/ipv4/ip_input.c:252 [] dst_input include/net/dst.h:461 [inline] [] ip_rcv_finish+0x162/0x1f6 net/ipv4/ip_input.c:429 [] NF_HOOK include/linux/netfilter.h:307 [inline] [] NF_HOOK include/linux/netfilter.h:301 [inline] [] ip_rcv+0xd4/0x3be net/ipv4/ip_input.c:540 [] __netif_receive_skb_one_core+0xf0/0x13a net/core/dev.c:5351 [] __netif_receive_skb+0x36/0xd8 net/core/dev.c:5465 [] process_backlog+0x206/0x4bc net/core/dev.c:5797 [] __napi_poll+0x7c/0x358 net/core/dev.c:6365 [] napi_poll net/core/dev.c:6432 [inline] [] net_rx_action+0x5d0/0x702 net/core/dev.c:6519 [] __do_softirq+0x274/0x8fc kernel/softirq.c:558 [] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline] [] do_softirq kernel/softirq.c:459 [inline] [] do_softirq+0x158/0x15a kernel/softirq.c:446 [] __local_bh_enable_ip+0x282/0x2a4 kernel/softirq.c:383 [] local_bh_enable include/linux/bottom_half.h:33 [inline] [] rcu_read_unlock_bh include/linux/rcupdate.h:764 [inline] [] ip_finish_output2+0x57c/0x1720 net/ipv4/ip_output.c:222 [] __ip_finish_output net/ipv4/ip_output.c:299 [inline] [] __ip_finish_output+0x25a/0x3ee net/ipv4/ip_output.c:281 [] ip_finish_output+0x3e/0x176 net/ipv4/ip_output.c:309 [] NF_HOOK_COND include/linux/netfilter.h:296 [inline] [] ip_output+0x1d0/0x2d0 net/ipv4/ip_output.c:423 [] dst_output include/net/dst.h:451 [inline] [] ip_local_out net/ipv4/ip_output.c:126 [inline] [] __ip_queue_xmit+0x4a0/0xeb2 net/ipv4/ip_output.c:525 [] ip_queue_xmit+0x36/0x44 net/ipv4/ip_output.c:539 [] __tcp_transmit_skb+0xce4/0x1f5e net/ipv4/tcp_output.c:1402 [] tcp_transmit_skb net/ipv4/tcp_output.c:1420 [inline] [] tcp_write_xmit+0xd40/0x3344 net/ipv4/tcp_output.c:2680 [] __tcp_push_pending_frames+0x7a/0x22c net/ipv4/tcp_output.c:2864 [] tcp_push+0x19c/0x3b4 net/ipv4/tcp.c:725 [] tcp_sendmsg_locked+0x5fc/0x1d9e net/ipv4/tcp.c:1412 [] tcp_sendmsg+0x32/0x4e net/ipv4/tcp.c:1440 [] inet_sendmsg+0x74/0x94 net/ipv4/af_inet.c:819 [] sock_sendmsg_nosec net/socket.c:705 [inline] [] sock_sendmsg+0xa0/0xc4 net/socket.c:725 [] sock_write_iter+0x1c0/0x272 net/socket.c:1061 [] call_write_iter include/linux/fs.h:2074 [inline] [] new_sync_write+0x296/0x3aa fs/read_write.c:503 [] vfs_write+0x2de/0x334 fs/read_write.c:590 [] ksys_write+0x1c4/0x224 fs/read_write.c:643 [] __do_sys_write fs/read_write.c:655 [inline] [] sys_write+0x28/0x36 fs/read_write.c:652 [] ret_from_syscall+0x0/0x2