BUG: unable to handle kernel NULL pointer dereference in tc_bind_tclass


syzbot

Sep 6, 2019, 5:38:11 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 0fed55c2 Linux 4.19.70
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=113761fa600000
kernel config: https://syzkaller.appspot.com/x/.config?x=2964bf2f89c3f203
dashboard link: https://syzkaller.appspot.com/bug?extid=6ccecf683a047d7bcd97
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1370846e600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6ccecf...@syzkaller.appspotmail.com

8021q: adding VLAN 0 to HW filter on device batadv0
audit: type=1400 audit(1567802030.398:38): avc: denied { associate } for
pid=7644 comm="syz-executor.0" name="syz0"
scontext=unconfined_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
PGD 82a23067 P4D 82a23067 PUD 9237c067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7726 Comm: syz-executor.0 Not tainted 4.19.70 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010: (null)
Code: Bad RIP value.
RSP: 0018:ffff88809c3bf4d8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffffff87e1f620 RCX: ffffffff857e5ec4
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888081353640
RBP: ffff88809c3bf5d0 R08: ffff888080e62040 R09: ffff88809c3bf658
R10: ffffed1013877ed9 R11: ffff88809c3bf6cf R12: ffff88809c3bf5a8
R13: ffff888081353640 R14: 0000000000000001 R15: ffffffff87e1f620
FS: 00007f0178f06700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000089abc000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tc_bind_tclass+0x13c/0x490 net/sched/sch_api.c:1834
tc_ctl_tclass+0xaa9/0xc60 net/sched/sch_api.c:1968
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4747
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4765
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x537/0x720 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459879
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f0178f05c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459879
RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0178f066d4
R13: 00000000004c77c2 R14: 00000000004dd018 R15: 00000000ffffffff
Modules linked in:
CR2: 0000000000000000
---[ end trace c69cc42f8400bd31 ]---
RIP: 0010: (null)
Code: Bad RIP value.
RSP: 0018:ffff88809c3bf4d8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffffff87e1f620 RCX: ffffffff857e5ec4
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888081353640
RBP: ffff88809c3bf5d0 R08: ffff888080e62040 R09: ffff88809c3bf658
R10: ffffed1013877ed9 R11: ffff88809c3bf6cf R12: ffff88809c3bf5a8
R13: ffff888081353640 R14: 0000000000000001 R15: ffffffff87e1f620
FS: 00007f0178f06700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000089abc000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Sep 6, 2019, 11:01:07 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 414510bc Linux 4.14.142
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=158ceb0a600000
kernel config: https://syzkaller.appspot.com/x/.config?x=9aa0b2ccd827f416
dashboard link: https://syzkaller.appspot.com/bug?extid=2448d1865fa8fd6e470b
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=160fa449600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2448d1...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: (null)
PGD a63dc067 P4D a63dc067 PUD 9338b067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 7165 Comm: syz-executor.0 Not tainted 4.14.142 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff88809f3a4100 task.stack: ffff888087620000
RIP: 0010: (null)
RSP: 0018:ffff8880876275e8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffffff86f156e0 RCX: 0000000000000000
RDX: 1ffffffff0de2ae4 RSI: 0000000000000001 RDI: ffff8880a552c480
RBP: ffff8880876276c0 R08: 1ffff11010ec4ee8 R09: ffff888087627740
R10: ffffed1010ec4ef3 R11: ffff88808762779f R12: ffff888087627698
R13: ffff8880a552c480 R14: 0000000000000001 R15: 0000000000000000
FS: 00007ff52cb0d700(0000) GS:ffff8880aef00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a02b6000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tc_bind_tclass+0x124/0x400 net/sched/sch_api.c:1697
tc_ctl_tclass+0x94a/0xa70 net/sched/sch_api.c:1831
rtnetlink_rcv_msg+0x3eb/0xb70 net/core/rtnetlink.c:4285
netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4297
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x45d/0x640 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459879
RSP: 002b:00007ff52cb0cc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459879
RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000003
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff52cb0d6d4
R13: 00000000004c77c2 R14: 00000000004dd018 R15: 00000000ffffffff
Code: Bad RIP value.
RIP: (null) RSP: ffff8880876275e8
CR2: 0000000000000000
---[ end trace f673ca410adb0e3c ]---

syzbot

Sep 13, 2019, 12:02:07 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: ee809c7e Linux 4.19.72
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11177fc1600000
kernel config: https://syzkaller.appspot.com/x/.config?x=ad6c5c98f4231da9
dashboard link: https://syzkaller.appspot.com/bug?extid=6ccecf683a047d7bcd97
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=134fca2d600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11ebeb3e600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6ccecf...@syzkaller.appspotmail.com

audit: type=1400 audit(1568347098.118:36): avc: denied { map } for
pid=7545 comm="syz-executor842" path="/root/syz-executor842175912"
dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
IPVS: ftp: loaded support on port[0] = 21
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
PGD 94f8e067 P4D 94f8e067 PUD a517a067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 7546 Comm: syz-executor842 Not tainted 4.19.72 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010: (null)
Code: Bad RIP value.
RSP: 0018:ffff88808f0174d8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffffff87e1f680 RCX: ffffffff857e4ea4
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff88808fb3d5c0
RBP: ffff88808f0175d0 R08: ffff8880a805c0c0 R09: ffff88808f017658
R10: ffffed1011e02ed9 R11: ffff88808f0176cf R12: ffff88808f0175a8
R13: ffff88808fb3d5c0 R14: 0000000000000001 R15: ffffffff87e1f680
FS: 00000000017e7880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000000a5584000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tc_bind_tclass+0x13c/0x490 net/sched/sch_api.c:1834
tc_ctl_tclass+0xaa9/0xc60 net/sched/sch_api.c:1968
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4747
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4765
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x537/0x720 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440d89
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fffa1c02458 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004a26d0 RCX: 0000000000440d89
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00000000004a26d0 R08: 0000000120080522 R09: 0000000120080522
R10: 0000000120080522 R11: 0000000000000246 R12: 0000000000402290
R13: 0000000000402320 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
CR2: 0000000000000000
---[ end trace 22083a15b87b1d03 ]---
RIP: 0010: (null)
Code: Bad RIP value.
RSP: 0018:ffff88808f0174d8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffffff87e1f680 RCX: ffffffff857e4ea4
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff88808fb3d5c0
RBP: ffff88808f0175d0 R08: ffff8880a805c0c0 R09: ffff88808f017658
R10: ffffed1011e02ed9 R11: ffff88808f0176cf R12: ffff88808f0175a8
R13: ffff88808fb3d5c0 R14: 0000000000000001 R15: ffffffff87e1f680
FS: 00000000017e7880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000000a5584000 CR4: 00000000001406f0

syzbot

Sep 22, 2019, 9:12:10 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:

HEAD commit: f6e27dbb Linux 4.14.146
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14294a29600000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb75afefe94a0801
dashboard link: https://syzkaller.appspot.com/bug?extid=2448d1865fa8fd6e470b
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12076e7e600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16439d03600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2448d1...@syzkaller.appspotmail.com

audit: type=1400 audit(1569200902.980:36): avc: denied { map } for
pid=6918 comm="syz-executor183" path="/root/syz-executor183537952"
dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
IPVS: ftp: loaded support on port[0] = 21
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: (null)
PGD 91876067 P4D 91876067 PUD 910c7067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 6919 Comm: syz-executor183 Not tainted 4.14.146 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff888081738180 task.stack: ffff88809f970000
RIP: 0010: (null)
RSP: 0018:ffff88809f9775e8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffffff86f15e00 RCX: 0000000000000000
RDX: 1ffffffff0de2bc8 RSI: 0000000000000001 RDI: ffff8880a843f240
RBP: ffff88809f9776c0 R08: 1ffff11013f2eee8 R09: ffff88809f977740
R10: ffffed1013f2eef3 R11: ffff88809f97779f R12: ffff88809f977698
R13: ffff8880a843f240 R14: 0000000000000001 R15: 0000000000000000
FS: 0000555556b97880(0000) GS:ffff8880aef00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a0a1c000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tc_bind_tclass+0x124/0x400 net/sched/sch_api.c:1697
tc_ctl_tclass+0x94a/0xa70 net/sched/sch_api.c:1831
rtnetlink_rcv_msg+0x3eb/0xb70 net/core/rtnetlink.c:4285
netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4297
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x45d/0x640 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440d89
RSP: 002b:00007ffc1bf743b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440d89
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00000000004a2650 R08: 0000000120080522 R09: 0000000120080522
R10: 0000000120080522 R11: 0000000000000246 R12: 0000000000402290
R13: 0000000000402320 R14: 0000000000000000 R15: 0000000000000000
Code: Bad RIP value.
RIP: (null) RSP: ffff88809f9775e8
CR2: 0000000000000000
---[ end trace e3508857f25e534c ]---

syzbot

Dec 8, 2019, 11:40:02 PM
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:

commit 07f7ec87b5f6e1c9d954e967e971efa696ecb018
Author: Cong Wang <xiyou.w...@gmail.com>
Date: Sun Sep 8 19:11:23 2019 +0000

net_sched: check cops->tcf_block in tc_bind_tclass()

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=179af42ae00000
start commit: ee809c7e Linux 4.19.72
git tree: linux-4.19.y
If the result looks correct, please mark the bug fixed by replying with:

#syz fix: net_sched: check cops->tcf_block in tc_bind_tclass()

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

syzbot

Dec 12, 2019, 10:25:01 AM
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:

commit 54b9f5791846d2de59e8c65502b3f1071f65424f
Author: Cong Wang <xiyou.w...@gmail.com>
Date: Thu Oct 31 18:42:59 2019 +0000

net_sched: check cops->tcf_block in tc_bind_tclass()

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=16869edee00000
start commit: f6e27dbb Linux 4.14.146
git tree: linux-4.14.y
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15163ea9600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1030eb9d600000