bisecting fixing commit since 01364dad1d4577e27a57729d41053f661bb8a5b9
building syzkaller on a34e2c332411388ed2b3f6f1a3acdc062feceb79
testing commit 01364dad1d4577e27a57729d41053f661bb8a5b9 with gcc (GCC) 8.1.0
kernel signature: c0358a8727628f097e226eee691cd9e05b402e543f01d4ae1f5027fefd9cfcb8
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in l2tp_session_free
testing current HEAD 4f68020fef1c6cf1b680ffb6481ac41379283ea3
testing commit 4f68020fef1c6cf1b680ffb6481ac41379283ea3 with gcc (GCC) 8.1.0
kernel signature: 767ece5b455c2c58d7af515a6624947fa4f71df3418ca84edace29eec385b9d4
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in l2tp_session_free
revisions tested: 2, total time: 24m16.498875538s (build: 17m3.91074351s, test: 6m14.312836257s)
the crash still happens on HEAD
commit msg: Linux 4.14.182
crash: BUG: unable to handle kernel NULL pointer dereference in l2tp_session_free
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
IP: refcount_dec_and_test arch/x86/include/asm/refcount.h:75 [inline]
IP: sock_put include/net/sock.h:1657 [inline]
IP: l2tp_session_free+0xfd/0x1d0 net/l2tp/l2tp_core.c:1719
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 3635 Comm: systemd-udevd Not tainted 4.14.182-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff88808e6fe600 task.stack: ffff88808e700000
RIP: 0010:refcount_dec_and_test arch/x86/include/asm/refcount.h:75 [inline]
RIP: 0010:sock_put include/net/sock.h:1657 [inline]
RIP: 0010:l2tp_session_free+0xfd/0x1d0 net/l2tp/l2tp_core.c:1719
RSP: 0018:ffff8880aed07d38 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88808d994000 RCX: 0000000000000000
RDX: 1ffff11010f80631 RSI: ffff88808e6fee88 RDI: 0000000000000000
RBP: ffff8880aed07d50 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888087c03000
R13: ffff88808d994010 R14: dffffc0000000000 R15: ffff88808d994230
FS: 00007f29dd51d8c0(0000) GS:ffff8880aed00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 000000008e2f7000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
l2tp_session_dec_refcount_1 net/l2tp/l2tp_core.h:303 [inline]
pppol2tp_session_destruct+0xbb/0xf0 net/l2tp/l2tp_ppp.c:467
__sk_destruct+0x48/0x5a0 net/core/sock.c:1556
sk_destruct+0x83/0xb0 net/core/sock.c:1596
__sk_free+0x47/0x1f0 net/core/sock.c:1604
sk_free+0x1a/0x20 net/core/sock.c:1615
sock_put include/net/sock.h:1658 [inline]
pppol2tp_put_sk+0x3e/0x50 net/l2tp/l2tp_ppp.c:476
__rcu_reclaim kernel/rcu/rcu.h:195 [inline]
rcu_do_batch kernel/rcu/tree.c:2699 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
rcu_process_callbacks+0x7e0/0x11e0 kernel/rcu/tree.c:2946
__do_softirq+0x246/0x9b0 kernel/softirq.c:288
invoke_softirq kernel/softirq.c:368 [inline]
irq_exit+0x15f/0x1a0 kernel/softirq.c:409
exiting_irq arch/x86/include/asm/apic.h:648 [inline]
smp_apic_timer_interrupt+0x149/0x5d0 arch/x86/kernel/apic/apic.c:1102
apic_timer_interrupt+0x9a/0xa0 arch/x86/entry/entry_64.S:793
RIP: 0010:memory_is_nonzero mm/kasan/kasan.c:196 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/kasan.c:210 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/kasan.c:241 [inline]
RIP: 0010:check_memory_region_inline mm/kasan/kasan.c:257 [inline]
RIP: 0010:check_memory_region+0xa2/0x1b0 mm/kasan/kasan.c:267
RSP: 0018:ffff88808e707d38 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10
RAX: ffffed1013ffb990 RBX: ffffed1013ffba38 RCX: ffffffff831b5a63
RDX: 0000000000000001 RSI: 0000000000000fe4 RDI: ffff88809ffdc1dc
RBP: ffff88808e707d50 R08: 000000000000003e R09: 000000000000003f
R10: ffffed1013ffba37 R11: ffff88809ffdd1bf R12: ffffed1013ffba38
R13: 0000000000000005 R14: 0000000000000fe4 R15: ffff88809ffdc1dc
kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
strncpy_from_user+0x73/0x260 lib/strncpy_from_user.c:116
getname_flags+0xf6/0x520 fs/namei.c:149
user_path_at_empty+0x1e/0x40 fs/namei.c:2631
user_path_at include/linux/namei.h:57 [inline]
SYSC_faccessat fs/open.c:403 [inline]
SyS_faccessat fs/open.c:353 [inline]
SYSC_access fs/open.c:450 [inline]
SyS_access+0x225/0x610 fs/open.c:448
do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f29dc3909c7
RSP: 002b:00007ffe8f51de68 EFLAGS: 00000246 ORIG_RAX: 0000000000000015
RAX: ffffffffffffffda RBX: 000055ad48d3dc00 RCX: 00007f29dc3909c7
RDX: 00746e657665752f RSI: 0000000000000000 RDI: 00007ffe8f51de70
RBP: 00007ffe8f51dee0 R08: 000000000000c480 R09: 0000000000001010
R10: 00007f29dc64eb58 R11: 0000000000000246 R12: 000055ad46fce856
R13: 000055ad48d17bc0 R14: 00007ffe8f51de70 R15: 000055ad48d18d90
Code: 49 8d bc 24 88 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 bd 00 00 00 49 8b bc 24 88 01 00 00 ff 8f 80 00 00 00 0f 88 6e 4c 7f 00 74 6d 48 b8 00 00 00 00
RIP: refcount_dec_and_test arch/x86/include/asm/refcount.h:75 [inline] RSP: ffff8880aed07d38
RIP: sock_put include/net/sock.h:1657 [inline] RSP: ffff8880aed07d38
RIP: l2tp_session_free+0xfd/0x1d0 net/l2tp/l2tp_core.c:1719 RSP: ffff8880aed07d38
CR2: 0000000000000080
---[ end trace c686a6c8badcd759 ]---