[syzbot] memory leak in j1939_sk_sendmsg
33 views
Skip to first unread message
syzbot
Jun 28, 2021, 12:28:17 AM6/28/21
to da...@davemloft.net, ker...@pengutronix.de, ku...@kernel.org, linu...@vger.kernel.org, linux-...@vger.kernel.org, li...@rempel-privat.de, m...@pengutronix.de, net...@vger.kernel.org, ro...@protonic.nl, sock...@hartkopp.net, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 7266f203 Merge tag 'pm-5.13-rc8' of git://git.kernel.org/p..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16e22d34300000
kernel config: https://syzkaller.appspot.com/x/.config?x=3aac8c6ef370586a
dashboard link: https://syzkaller.appspot.com/bug?extid=085305c4b952053c9437
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11e0d6a4300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13528400300000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+085305...@syzkaller.appspotmail.com
BUG: memory leak
unreferenced object 0xffff888112d44400 (size 232):
comm "syz-executor006", pid 8628, jiffies 4294942391 (age 8.470s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 80 d7 0f 81 88 ff ff 00 64 db 16 81 88 ff ff .........d......
backtrace:
[<ffffffff836a0f8f>] __alloc_skb+0x20f/0x280 net/core/skbuff.c:413
[<ffffffff836ac44a>] alloc_skb include/linux/skbuff.h:1107 [inline]
[<ffffffff836ac44a>] alloc_skb_with_frags+0x6a/0x2c0 net/core/skbuff.c:5992
[<ffffffff83699e63>] sock_alloc_send_pskb+0x353/0x3c0 net/core/sock.c:2364
[<ffffffff83c54592>] j1939_sk_alloc_skb net/can/j1939/socket.c:858 [inline]
[<ffffffff83c54592>] j1939_sk_send_loop net/can/j1939/socket.c:1040 [inline]
[<ffffffff83c54592>] j1939_sk_sendmsg+0x2e2/0x7d0 net/can/j1939/socket.c:1175
[<ffffffff83690ad6>] sock_sendmsg_nosec net/socket.c:654 [inline]
[<ffffffff83690ad6>] sock_sendmsg+0x56/0x80 net/socket.c:674
[<ffffffff83696e9f>] sock_no_sendpage+0x8f/0xc0 net/core/sock.c:2862
[<ffffffff836903db>] kernel_sendpage.part.0+0xeb/0x150 net/socket.c:3618
[<ffffffff836910bb>] kernel_sendpage net/socket.c:3615 [inline]
[<ffffffff836910bb>] sock_sendpage+0x5b/0x90 net/socket.c:947
[<ffffffff815b8862>] pipe_to_sendpage+0xa2/0x110 fs/splice.c:364
[<ffffffff815ba702>] splice_from_pipe_feed fs/splice.c:418 [inline]
[<ffffffff815ba702>] __splice_from_pipe+0x1e2/0x330 fs/splice.c:562
[<ffffffff815baf2f>] splice_from_pipe fs/splice.c:597 [inline]
[<ffffffff815baf2f>] generic_splice_sendpage+0x6f/0xa0 fs/splice.c:746
[<ffffffff815b891b>] do_splice_from fs/splice.c:767 [inline]
[<ffffffff815b891b>] direct_splice_actor+0x4b/0x70 fs/splice.c:936
[<ffffffff815b9033>] splice_direct_to_actor+0x153/0x350 fs/splice.c:891
[<ffffffff815b9318>] do_splice_direct+0xe8/0x150 fs/splice.c:979
[<ffffffff8155a64f>] do_sendfile+0x51f/0x760 fs/read_write.c:1260
[<ffffffff8155cf82>] __do_sys_sendfile64 fs/read_write.c:1325 [inline]
[<ffffffff8155cf82>] __se_sys_sendfile64 fs/read_write.c:1311 [inline]
[<ffffffff8155cf82>] __x64_sys_sendfile64+0xe2/0x100 fs/read_write.c:1311
BUG: memory leak
unreferenced object 0xffff888116d2d800 (size 1024):
comm "syz-executor006", pid 8628, jiffies 4294942391 (age 8.470s)
hex dump (first 32 bytes):
0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff836a0e5f>] kmalloc_reserve net/core/skbuff.c:354 [inline]
[<ffffffff836a0e5f>] __alloc_skb+0xdf/0x280 net/core/skbuff.c:425
[<ffffffff836ac44a>] alloc_skb include/linux/skbuff.h:1107 [inline]
[<ffffffff836ac44a>] alloc_skb_with_frags+0x6a/0x2c0 net/core/skbuff.c:5992
[<ffffffff83699e63>] sock_alloc_send_pskb+0x353/0x3c0 net/core/sock.c:2364
[<ffffffff83c54592>] j1939_sk_alloc_skb net/can/j1939/socket.c:858 [inline]
[<ffffffff83c54592>] j1939_sk_send_loop net/can/j1939/socket.c:1040 [inline]
[<ffffffff83c54592>] j1939_sk_sendmsg+0x2e2/0x7d0 net/can/j1939/socket.c:1175
[<ffffffff83690ad6>] sock_sendmsg_nosec net/socket.c:654 [inline]
[<ffffffff83690ad6>] sock_sendmsg+0x56/0x80 net/socket.c:674
[<ffffffff83696e9f>] sock_no_sendpage+0x8f/0xc0 net/core/sock.c:2862
[<ffffffff836903db>] kernel_sendpage.part.0+0xeb/0x150 net/socket.c:3618
[<ffffffff836910bb>] kernel_sendpage net/socket.c:3615 [inline]
[<ffffffff836910bb>] sock_sendpage+0x5b/0x90 net/socket.c:947
[<ffffffff815b8862>] pipe_to_sendpage+0xa2/0x110 fs/splice.c:364
[<ffffffff815ba702>] splice_from_pipe_feed fs/splice.c:418 [inline]
[<ffffffff815ba702>] __splice_from_pipe+0x1e2/0x330 fs/splice.c:562
[<ffffffff815baf2f>] splice_from_pipe fs/splice.c:597 [inline]
[<ffffffff815baf2f>] generic_splice_sendpage+0x6f/0xa0 fs/splice.c:746
[<ffffffff815b891b>] do_splice_from fs/splice.c:767 [inline]
[<ffffffff815b891b>] direct_splice_actor+0x4b/0x70 fs/splice.c:936
[<ffffffff815b9033>] splice_direct_to_actor+0x153/0x350 fs/splice.c:891
[<ffffffff815b9318>] do_splice_direct+0xe8/0x150 fs/splice.c:979
[<ffffffff8155a64f>] do_sendfile+0x51f/0x760 fs/read_write.c:1260
[<ffffffff8155cf82>] __do_sys_sendfile64 fs/read_write.c:1325 [inline]
[<ffffffff8155cf82>] __se_sys_sendfile64 fs/read_write.c:1311 [inline]
[<ffffffff8155cf82>] __x64_sys_sendfile64+0xe2/0x100 fs/read_write.c:1311
BUG: memory leak
unreferenced object 0xffff888111010d00 (size 232):
comm "syz-executor006", pid 8628, jiffies 4294942391 (age 8.470s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 80 d7 0f 81 88 ff ff 00 64 db 16 81 88 ff ff .........d......
backtrace:
[<ffffffff836a0f8f>] __alloc_skb+0x20f/0x280 net/core/skbuff.c:413
[<ffffffff836ac44a>] alloc_skb include/linux/skbuff.h:1107 [inline]
[<ffffffff836ac44a>] alloc_skb_with_frags+0x6a/0x2c0 net/core/skbuff.c:5992
[<ffffffff83699e63>] sock_alloc_send_pskb+0x353/0x3c0 net/core/sock.c:2364
[<ffffffff83c54592>] j1939_sk_alloc_skb net/can/j1939/socket.c:858 [inline]
[<ffffffff83c54592>] j1939_sk_send_loop net/can/j1939/socket.c:1040 [inline]
[<ffffffff83c54592>] j1939_sk_sendmsg+0x2e2/0x7d0 net/can/j1939/socket.c:1175
[<ffffffff83690ad6>] sock_sendmsg_nosec net/socket.c:654 [inline]
[<ffffffff83690ad6>] sock_sendmsg+0x56/0x80 net/socket.c:674
[<ffffffff83696e9f>] sock_no_sendpage+0x8f/0xc0 net/core/sock.c:2862
[<ffffffff836903db>] kernel_sendpage.part.0+0xeb/0x150 net/socket.c:3618
[<ffffffff836910bb>] kernel_sendpage net/socket.c:3615 [inline]
[<ffffffff836910bb>] sock_sendpage+0x5b/0x90 net/socket.c:947
[<ffffffff815b8862>] pipe_to_sendpage+0xa2/0x110 fs/splice.c:364
[<ffffffff815ba702>] splice_from_pipe_feed fs/splice.c:418 [inline]
[<ffffffff815ba702>] __splice_from_pipe+0x1e2/0x330 fs/splice.c:562
[<ffffffff815baf2f>] splice_from_pipe fs/splice.c:597 [inline]
[<ffffffff815baf2f>] generic_splice_sendpage+0x6f/0xa0 fs/splice.c:746
[<ffffffff815b891b>] do_splice_from fs/splice.c:767 [inline]
[<ffffffff815b891b>] direct_splice_actor+0x4b/0x70 fs/splice.c:936
[<ffffffff815b9033>] splice_direct_to_actor+0x153/0x350 fs/splice.c:891
[<ffffffff815b9318>] do_splice_direct+0xe8/0x150 fs/splice.c:979
[<ffffffff8155a64f>] do_sendfile+0x51f/0x760 fs/read_write.c:1260
[<ffffffff8155cf82>] __do_sys_sendfile64 fs/read_write.c:1325 [inline]
[<ffffffff8155cf82>] __se_sys_sendfile64 fs/read_write.c:1311 [inline]
[<ffffffff8155cf82>] __x64_sys_sendfile64+0xe2/0x100 fs/read_write.c:1311
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 7266f203 Merge tag 'pm-5.13-rc8' of git://git.kernel.org/p..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16e22d34300000
kernel config: https://syzkaller.appspot.com/x/.config?x=3aac8c6ef370586a
dashboard link: https://syzkaller.appspot.com/bug?extid=085305c4b952053c9437
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11e0d6a4300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13528400300000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+085305...@syzkaller.appspotmail.com
BUG: memory leak
unreferenced object 0xffff888112d44400 (size 232):
comm "syz-executor006", pid 8628, jiffies 4294942391 (age 8.470s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 80 d7 0f 81 88 ff ff 00 64 db 16 81 88 ff ff .........d......
backtrace:
[<ffffffff836a0f8f>] __alloc_skb+0x20f/0x280 net/core/skbuff.c:413
[<ffffffff836ac44a>] alloc_skb include/linux/skbuff.h:1107 [inline]
[<ffffffff836ac44a>] alloc_skb_with_frags+0x6a/0x2c0 net/core/skbuff.c:5992
[<ffffffff83699e63>] sock_alloc_send_pskb+0x353/0x3c0 net/core/sock.c:2364
[<ffffffff83c54592>] j1939_sk_alloc_skb net/can/j1939/socket.c:858 [inline]
[<ffffffff83c54592>] j1939_sk_send_loop net/can/j1939/socket.c:1040 [inline]
[<ffffffff83c54592>] j1939_sk_sendmsg+0x2e2/0x7d0 net/can/j1939/socket.c:1175
[<ffffffff83690ad6>] sock_sendmsg_nosec net/socket.c:654 [inline]
[<ffffffff83690ad6>] sock_sendmsg+0x56/0x80 net/socket.c:674
[<ffffffff83696e9f>] sock_no_sendpage+0x8f/0xc0 net/core/sock.c:2862
[<ffffffff836903db>] kernel_sendpage.part.0+0xeb/0x150 net/socket.c:3618
[<ffffffff836910bb>] kernel_sendpage net/socket.c:3615 [inline]
[<ffffffff836910bb>] sock_sendpage+0x5b/0x90 net/socket.c:947
[<ffffffff815b8862>] pipe_to_sendpage+0xa2/0x110 fs/splice.c:364
[<ffffffff815ba702>] splice_from_pipe_feed fs/splice.c:418 [inline]
[<ffffffff815ba702>] __splice_from_pipe+0x1e2/0x330 fs/splice.c:562
[<ffffffff815baf2f>] splice_from_pipe fs/splice.c:597 [inline]
[<ffffffff815baf2f>] generic_splice_sendpage+0x6f/0xa0 fs/splice.c:746
[<ffffffff815b891b>] do_splice_from fs/splice.c:767 [inline]
[<ffffffff815b891b>] direct_splice_actor+0x4b/0x70 fs/splice.c:936
[<ffffffff815b9033>] splice_direct_to_actor+0x153/0x350 fs/splice.c:891
[<ffffffff815b9318>] do_splice_direct+0xe8/0x150 fs/splice.c:979
[<ffffffff8155a64f>] do_sendfile+0x51f/0x760 fs/read_write.c:1260
[<ffffffff8155cf82>] __do_sys_sendfile64 fs/read_write.c:1325 [inline]
[<ffffffff8155cf82>] __se_sys_sendfile64 fs/read_write.c:1311 [inline]
[<ffffffff8155cf82>] __x64_sys_sendfile64+0xe2/0x100 fs/read_write.c:1311
BUG: memory leak
unreferenced object 0xffff888116d2d800 (size 1024):
comm "syz-executor006", pid 8628, jiffies 4294942391 (age 8.470s)
hex dump (first 32 bytes):
0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff836a0e5f>] kmalloc_reserve net/core/skbuff.c:354 [inline]
[<ffffffff836a0e5f>] __alloc_skb+0xdf/0x280 net/core/skbuff.c:425
[<ffffffff836ac44a>] alloc_skb include/linux/skbuff.h:1107 [inline]
[<ffffffff836ac44a>] alloc_skb_with_frags+0x6a/0x2c0 net/core/skbuff.c:5992
[<ffffffff83699e63>] sock_alloc_send_pskb+0x353/0x3c0 net/core/sock.c:2364
[<ffffffff83c54592>] j1939_sk_alloc_skb net/can/j1939/socket.c:858 [inline]
[<ffffffff83c54592>] j1939_sk_send_loop net/can/j1939/socket.c:1040 [inline]
[<ffffffff83c54592>] j1939_sk_sendmsg+0x2e2/0x7d0 net/can/j1939/socket.c:1175
[<ffffffff83690ad6>] sock_sendmsg_nosec net/socket.c:654 [inline]
[<ffffffff83690ad6>] sock_sendmsg+0x56/0x80 net/socket.c:674
[<ffffffff83696e9f>] sock_no_sendpage+0x8f/0xc0 net/core/sock.c:2862
[<ffffffff836903db>] kernel_sendpage.part.0+0xeb/0x150 net/socket.c:3618
[<ffffffff836910bb>] kernel_sendpage net/socket.c:3615 [inline]
[<ffffffff836910bb>] sock_sendpage+0x5b/0x90 net/socket.c:947
[<ffffffff815b8862>] pipe_to_sendpage+0xa2/0x110 fs/splice.c:364
[<ffffffff815ba702>] splice_from_pipe_feed fs/splice.c:418 [inline]
[<ffffffff815ba702>] __splice_from_pipe+0x1e2/0x330 fs/splice.c:562
[<ffffffff815baf2f>] splice_from_pipe fs/splice.c:597 [inline]
[<ffffffff815baf2f>] generic_splice_sendpage+0x6f/0xa0 fs/splice.c:746
[<ffffffff815b891b>] do_splice_from fs/splice.c:767 [inline]
[<ffffffff815b891b>] direct_splice_actor+0x4b/0x70 fs/splice.c:936
[<ffffffff815b9033>] splice_direct_to_actor+0x153/0x350 fs/splice.c:891
[<ffffffff815b9318>] do_splice_direct+0xe8/0x150 fs/splice.c:979
[<ffffffff8155a64f>] do_sendfile+0x51f/0x760 fs/read_write.c:1260
[<ffffffff8155cf82>] __do_sys_sendfile64 fs/read_write.c:1325 [inline]
[<ffffffff8155cf82>] __se_sys_sendfile64 fs/read_write.c:1311 [inline]
[<ffffffff8155cf82>] __x64_sys_sendfile64+0xe2/0x100 fs/read_write.c:1311
BUG: memory leak
unreferenced object 0xffff888111010d00 (size 232):
comm "syz-executor006", pid 8628, jiffies 4294942391 (age 8.470s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 80 d7 0f 81 88 ff ff 00 64 db 16 81 88 ff ff .........d......
backtrace:
[<ffffffff836a0f8f>] __alloc_skb+0x20f/0x280 net/core/skbuff.c:413
[<ffffffff836ac44a>] alloc_skb include/linux/skbuff.h:1107 [inline]
[<ffffffff836ac44a>] alloc_skb_with_frags+0x6a/0x2c0 net/core/skbuff.c:5992
[<ffffffff83699e63>] sock_alloc_send_pskb+0x353/0x3c0 net/core/sock.c:2364
[<ffffffff83c54592>] j1939_sk_alloc_skb net/can/j1939/socket.c:858 [inline]
[<ffffffff83c54592>] j1939_sk_send_loop net/can/j1939/socket.c:1040 [inline]
[<ffffffff83c54592>] j1939_sk_sendmsg+0x2e2/0x7d0 net/can/j1939/socket.c:1175
[<ffffffff83690ad6>] sock_sendmsg_nosec net/socket.c:654 [inline]
[<ffffffff83690ad6>] sock_sendmsg+0x56/0x80 net/socket.c:674
[<ffffffff83696e9f>] sock_no_sendpage+0x8f/0xc0 net/core/sock.c:2862
[<ffffffff836903db>] kernel_sendpage.part.0+0xeb/0x150 net/socket.c:3618
[<ffffffff836910bb>] kernel_sendpage net/socket.c:3615 [inline]
[<ffffffff836910bb>] sock_sendpage+0x5b/0x90 net/socket.c:947
[<ffffffff815b8862>] pipe_to_sendpage+0xa2/0x110 fs/splice.c:364
[<ffffffff815ba702>] splice_from_pipe_feed fs/splice.c:418 [inline]
[<ffffffff815ba702>] __splice_from_pipe+0x1e2/0x330 fs/splice.c:562
[<ffffffff815baf2f>] splice_from_pipe fs/splice.c:597 [inline]
[<ffffffff815baf2f>] generic_splice_sendpage+0x6f/0xa0 fs/splice.c:746
[<ffffffff815b891b>] do_splice_from fs/splice.c:767 [inline]
[<ffffffff815b891b>] direct_splice_actor+0x4b/0x70 fs/splice.c:936
[<ffffffff815b9033>] splice_direct_to_actor+0x153/0x350 fs/splice.c:891
[<ffffffff815b9318>] do_splice_direct+0xe8/0x150 fs/splice.c:979
[<ffffffff8155a64f>] do_sendfile+0x51f/0x760 fs/read_write.c:1260
[<ffffffff8155cf82>] __do_sys_sendfile64 fs/read_write.c:1325 [inline]
[<ffffffff8155cf82>] __se_sys_sendfile64 fs/read_write.c:1311 [inline]
[<ffffffff8155cf82>] __x64_sys_sendfile64+0xe2/0x100 fs/read_write.c:1311
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Jun 28, 2021, 10:19:07 AM6/28/21
to kae...@yeah.net, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in kernel_execve
BUG: kernel NULL pointer dereference, address: 000000000000000e
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 126f3c067 P4D 126f3c067 PUD 126f24067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 10771 Comm: kworker/u4:3 Not tainted 5.13.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:strnlen+0x17/0x30 lib/string.c:582
Code: 38 00 75 f7 48 29 f8 c3 31 c0 c3 0f 1f 84 00 00 00 00 00 48 8d 14 37 48 85 f6 48 89 f8 75 0b eb 19 48 83 c0 01 48 39 c2 74 09 <80> 38 00 75 f2 48 29 f8 c3 48 89 d0 48 29 f8 c3 31 c0 c3 66 0f 1f
RSP: 0018:ffffc90003293e78 EFLAGS: 00010206
RAX: 000000000000000e RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000002000e RSI: 0000000000020000 RDI: 000000000000000e
RBP: ffff888126894000 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff81566c4e R11: 0000000000000000 R12: ffff888126894000
R13: ffff888127508400 R14: ffff888119eac000 R15: 000000000000000e
FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000000e CR3: 0000000126f3b000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
strnlen include/linux/fortify-string.h:71 [inline]
copy_string_kernel+0x28/0x300 fs/exec.c:610
copy_strings_kernel+0x6b/0xe0 fs/exec.c:653
kernel_execve+0x1a2/0x290 fs/exec.c:1969
call_usermodehelper_exec_async+0xea/0x1c0 kernel/umh.c:112
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Modules linked in:
CR2: 000000000000000e
---[ end trace 96e7afbc0dbaccb9 ]---
RIP: 0010:strnlen+0x17/0x30 lib/string.c:582
Code: 38 00 75 f7 48 29 f8 c3 31 c0 c3 0f 1f 84 00 00 00 00 00 48 8d 14 37 48 85 f6 48 89 f8 75 0b eb 19 48 83 c0 01 48 39 c2 74 09 <80> 38 00 75 f2 48 29 f8 c3 48 89 d0 48 29 f8 c3 31 c0 c3 66 0f 1f
RSP: 0018:ffffc90003293e78 EFLAGS: 00010206
RAX: 000000000000000e RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000002000e RSI: 0000000000020000 RDI: 000000000000000e
RBP: ffff888126894000 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff81566c4e R11: 0000000000000000 R12: ffff888126894000
R13: ffff888127508400 R14: ffff888119eac000 R15: 000000000000000e
FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000000e CR3: 0000000126f3b000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Tested on:
commit: 4b7d586b can: j1939: Fix a memery leak
git tree: https://github.com/wanjb2115/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=132acd1c300000
kernel config: https://syzkaller.appspot.com/x/.config?x=c4e5a6ab3f0c624e
dashboard link: https://syzkaller.appspot.com/bug?extid=085305c4b952053c9437
compiler:
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in kernel_execve
BUG: kernel NULL pointer dereference, address: 000000000000000e
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 126f3c067 P4D 126f3c067 PUD 126f24067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 10771 Comm: kworker/u4:3 Not tainted 5.13.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:strnlen+0x17/0x30 lib/string.c:582
Code: 38 00 75 f7 48 29 f8 c3 31 c0 c3 0f 1f 84 00 00 00 00 00 48 8d 14 37 48 85 f6 48 89 f8 75 0b eb 19 48 83 c0 01 48 39 c2 74 09 <80> 38 00 75 f2 48 29 f8 c3 48 89 d0 48 29 f8 c3 31 c0 c3 66 0f 1f
RSP: 0018:ffffc90003293e78 EFLAGS: 00010206
RAX: 000000000000000e RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000002000e RSI: 0000000000020000 RDI: 000000000000000e
RBP: ffff888126894000 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff81566c4e R11: 0000000000000000 R12: ffff888126894000
R13: ffff888127508400 R14: ffff888119eac000 R15: 000000000000000e
FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000000e CR3: 0000000126f3b000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
strnlen include/linux/fortify-string.h:71 [inline]
copy_string_kernel+0x28/0x300 fs/exec.c:610
copy_strings_kernel+0x6b/0xe0 fs/exec.c:653
kernel_execve+0x1a2/0x290 fs/exec.c:1969
call_usermodehelper_exec_async+0xea/0x1c0 kernel/umh.c:112
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Modules linked in:
CR2: 000000000000000e
---[ end trace 96e7afbc0dbaccb9 ]---
RIP: 0010:strnlen+0x17/0x30 lib/string.c:582
Code: 38 00 75 f7 48 29 f8 c3 31 c0 c3 0f 1f 84 00 00 00 00 00 48 8d 14 37 48 85 f6 48 89 f8 75 0b eb 19 48 83 c0 01 48 39 c2 74 09 <80> 38 00 75 f2 48 29 f8 c3 48 89 d0 48 29 f8 c3 31 c0 c3 66 0f 1f
RSP: 0018:ffffc90003293e78 EFLAGS: 00010206
RAX: 000000000000000e RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000002000e RSI: 0000000000020000 RDI: 000000000000000e
RBP: ffff888126894000 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff81566c4e R11: 0000000000000000 R12: ffff888126894000
R13: ffff888127508400 R14: ffff888119eac000 R15: 000000000000000e
FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000000e CR3: 0000000126f3b000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Tested on:
commit: 4b7d586b can: j1939: Fix a memery leak
git tree: https://github.com/wanjb2115/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=132acd1c300000
kernel config: https://syzkaller.appspot.com/x/.config?x=c4e5a6ab3f0c624e
dashboard link: https://syzkaller.appspot.com/bug?extid=085305c4b952053c9437
compiler:
syzbot
Dec 21, 2023, 7:18:17 PM12/21/23
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.
No recent activity, existing reproducers are no longer triggering the issue.
Reply all
Reply to author
Forward
0 new messages