Hello,
syzbot found the following crash on:
HEAD commit: 09eb2ba5 ANDROID: x86_64_cuttlefish_defconfig: Enable lz4 ..
git tree: android-4.9
console output:
https://syzkaller.appspot.com/x/log.txt?x=1071ba0a400000
kernel config:
https://syzkaller.appspot.com/x/.config?x=59246eb7b3f7dd72
dashboard link:
https://syzkaller.appspot.com/bug?extid=62064b854cbe734a71f2
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:
https://syzkaller.appspot.com/x/repro.syz?x=165f315a400000
C reproducer:
https://syzkaller.appspot.com/x/repro.c?x=1237d7bc400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by:
syzbot+62064b...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
IP: [<ffffffff836c473c>] l2tp_session_free+0x11c/0x200
net/l2tp/l2tp_core.c:1765
PGD 1c9a8b067 [ 55.140577] PUD 1c633a067
Oops: 0002 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 3821 Comm: syz-executor049 Not tainted 4.9.124-g09eb2ba #31
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff8801c3d2c800 task.stack: ffff8801d9488000
RIP: 0010:[<ffffffff836c473c>] [<ffffffff836c473c>]
l2tp_session_free+0x11c/0x200 net/l2tp/l2tp_core.c:1765
RSP: 0018:ffff8801d948fc98 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8801b6f2b180 RCX: 0000000000000000
RDX: 1ffff100395050d0 RSI: ffffffff836c4711 RDI: ffff8801ca828680
RBP: ffff8801d948fcb8 R08: ffff8801c3d2d0e8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801ca828500
R13: ffff8801b6f2b188 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000001947880(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 00000001b7cda000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801d94a0880 ffff8801b6f2b180 ffff8801d94a0c50 ffff8801d94a0b58
ffff8801d948fce0 ffffffff836cc022 ffff8801d94a0cc0 ffff8801d94a0880
ffffffff836cbf50 ffff8801d948fd18 ffffffff830281f5 ffff8801d94a0cc0
Call Trace:
[<ffffffff836cc022>] l2tp_session_dec_refcount_1 net/l2tp/l2tp_core.h:297
[inline]
[<ffffffff836cc022>] pppol2tp_session_destruct+0xd2/0x110
net/l2tp/l2tp_ppp.c:460
[<ffffffff830281f5>] __sk_destruct+0x55/0x590 net/core/sock.c:1428
[<ffffffff8302fc83>] sk_destruct+0x63/0x80 net/core/sock.c:1463
[<ffffffff8302fcef>] __sk_free+0x4f/0x220 net/core/sock.c:1471
[<ffffffff8302feeb>] sk_free+0x2b/0x40 net/core/sock.c:1482
[<ffffffff836cf329>] sock_put include/net/sock.h:1588 [inline]
[<ffffffff836cf329>] pppol2tp_release+0x239/0x2e0 net/l2tp/l2tp_ppp.c:501
[<ffffffff83018357>] __sock_release+0xd7/0x260 net/socket.c:605
[<ffffffff830184f9>] sock_close+0x19/0x20 net/socket.c:1059
[<ffffffff8157ca73>] __fput+0x263/0x700 fs/file_table.c:208
[<ffffffff8157cf95>] ____fput+0x15/0x20 fs/file_table.c:244
[<ffffffff8119a66c>] task_work_run+0x10c/0x180 kernel/task_work.c:116
[<ffffffff8100559c>] tracehook_notify_resume include/linux/tracehook.h:191
[inline]
[<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
arch/x86/entry/common.c:161
[<ffffffff810064d4>] prepare_exit_to_usermode arch/x86/entry/common.c:191
[inline]
[<ffffffff810064d4>] syscall_return_slowpath arch/x86/entry/common.c:260
[inline]
[<ffffffff810064d4>] do_syscall_64+0x364/0x490 arch/x86/entry/common.c:287
[<ffffffff83a019d3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: 49 8d bc 24 80 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1
ea 03 80 3c 02 00 0f 85 c6 00 00 00 4d 8b b4 24 80 01 00 00 <f0> 41 ff 8e
80 00 00 00 74 69 e8 a5 c5 c9 fd 4c 89 ea 48 b8 00
RIP [<ffffffff836c473c>] l2tp_session_free+0x11c/0x200
net/l2tp/l2tp_core.c:1765
RSP <ffff8801d948fc98>
CR2: 0000000000000080
---[ end trace 23ee9bb7740e99e9 ]---
---
This bug is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches