Hello,
syzbot found the following issue on:
HEAD commit: 0cc53520e68b Merge tag 'probes-fixes-v6.17-rc1' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15e62dbc580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f9319a42cfb3bf57
dashboard link: https://syzkaller.appspot.com/bug?extid=aa8c78de89a49dadf2f5
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
CC: [da...@davemloft.net edum...@google.com ho...@kernel.org ku...@kernel.org linux-...@vger.kernel.org net...@vger.kernel.org pab...@redhat.com]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-0cc53520.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/edb35c9c5865/vmlinux-0cc53520.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ab1445368ffe/bzImage-0cc53520.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+aa8c78...@syzkaller.appspotmail.com
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 57252067 P4D 57252067 PUD 0
Oops: Oops: 0002 [#1] SMP KASAN NOPTI
CPU: 2 UID: 0 PID: 11975 Comm: syz.3.2136 Not tainted 6.17.0-rc1-syzkaller-00038-g0cc53520e68b #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__x64_compat_sys_recvmmsg_time32+0x60/0x160 net/compat.c:414
Code: 4b 48 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 f8 00 00 00 48 8d 7b 60 48 8b 4b 38 48 b8 00 00 00 <00> 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b9 00 00 00
RSP: 0018:ffffc90000648c60 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc90000648ca8 RCX: ffffffff81a7e2fe
RDX: ffff88802e8f4880 RSI: ffffffff81a7df61 RDI: ffff888047ecec10
RBP: ffff888047ecec10 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 1ffff920000c918f
R13: 0000000080000102 R14: ffffffff898bf890 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880d68bc000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000004f6bc000 CR4: 0000000000352ef0
Call Trace:
<IRQ>
__pfx_call_timer_fn+0x10/0x10 include/trace/events/timer.h:52
</IRQ>
<TASK>
</TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:__x64_compat_sys_recvmmsg_time32+0x60/0x160 net/compat.c:414
Code: 4b 48 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 f8 00 00 00 48 8d 7b 60 48 8b 4b 38 48 b8 00 00 00 <00> 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 b9 00 00 00
RSP: 0018:ffffc90000648c60 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc90000648ca8 RCX: ffffffff81a7e2fe
RDX: ffff88802e8f4880 RSI: ffffffff81a7df61 RDI: ffff888047ecec10
RBP: ffff888047ecec10 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 1ffff920000c918f
R13: 0000000080000102 R14: ffffffff898bf890 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880d68bc000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000004f6bc000 CR4: 0000000000352ef0
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup