BUG: unable to handle kernel NULL pointer dereference in bpf_trace_run2


梅开彦

Jan 31, 2026, 9:26:28 PM
to b...@vger.kernel.org, ddd...@hust.edu.cn, dz...@hust.edu.cn, hust-os-ker...@googlegroups.com, mattbo...@google.com, kps...@kernel.org
Our fuzzer discovered a vulnerability in the BPF subsystem. The crash can be triggered on bpf-next (93ce3bee311d6f885bffb4a83843bddbe6b126be). We have not yet been able to develop a stable Proof of Concept (PoC) to reproduce this vulnerability, but we will continue to analyze it further.

Reported-by: Kaiyan Mei <M2024...@hust.edu.cn>
Reported-by: Yinhao Hu <ddd...@hust.edu.cn>
Reviewed-by: Dongliang Mu <dz...@hust.edu.cn>

# Crash Report
```
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 29233067 P4D 0
Oops: Oops: 0010 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5217 Comm: systemd-udevd Not tainted 6.17.0-g39e9d5f63075 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffa0000003967e08 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffffff9127cbc0 RCX: ffffffff81c6f602
RDX: 1ffffffff224f981 RSI: ffffffff9127cc20 RDI: ffa0000003967e58
RBP: 1ff400000072cfc3 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: ffffffff9127cc00 R15: 0000000000000000
FS: 00007f831cfb98c0(0000) GS:ff1100010d2a7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001113a9000 CR4: 0000000000753ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:
<TASK>
bpf_dispatcher_nop_func include/linux/bpf.h:1357 [inline]
__bpf_prog_run include/linux/filter.h:721 [inline]
bpf_prog_run include/linux/filter.h:728 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2075 [inline]
bpf_trace_run2+0x228/0x580 kernel/trace/bpf_trace.c:2116
__bpf_trace_sys_enter+0x38/0x60 include/trace/events/syscalls.h:18
__do_trace_sys_enter include/trace/events/syscalls.h:18 [inline]
trace_sys_enter include/trace/events/syscalls.h:18 [inline]
syscall_trace_enter+0x1b9/0x240 kernel/entry/syscall-common.c:53
syscall_enter_from_user_mode_work include/linux/entry-common.h:95 [inline]
syscall_enter_from_user_mode include/linux/entry-common.h:125 [inline]
do_syscall_64+0x3cb/0xfa0 arch/x86/entry/syscall_64.c:90
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f831d23afc1
Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d 2a 26 0e 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
RSP: 002b:00007ffd1f0d7bf0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00000000000a0101 RCX: 00007f831d23afc1
RDX: 00000000000a0101 RSI: 0000557a68b99690 RDI: 00000000ffffff9c
RBP: 0000557a68b99690 R08: 00007f831d315c60 R09: 0000557a68bcc258
R10: 0000000000000000 R11: 0000000000000202 R12: 0000557a68b91ec0
R13: 0000000000000006 R14: 0000557a4eb70f97 R15: 0000000000000180
</TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffa0000003967e08 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffffff9127cbc0 RCX: ffffffff81c6f602
RDX: 1ffffffff224f981 RSI: ffffffff9127cc20 RDI: ffa0000003967e58
RBP: 1ff400000072cfc3 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: ffffffff9127cc00 R15: 0000000000000000
FS: 00007f831cfb98c0(0000) GS:ff1100010d2a7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001113a9000 CR4: 0000000000753ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
PKRU: 55555554
```

## Kernel Configuration Requirements for Reproduction

The vulnerability can be triggered with the kernel config in the attachment.

config-next

Alexei Starovoitov

Jan 31, 2026, 9:29:15 PM
to 梅开彦, bpf, Yinhao Hu, Dongliang Mu, hust-os-ker...@googlegroups.com, Matt Bobrowski, KP Singh
On Sat, Jan 31, 2026 at 6:26 PM 梅开彦 <kai...@hust.edu.cn> wrote:
>
> Our fuzzer discovered a vulnerability in the BPF subsystem. The crash can be triggered on bpf-next (93ce3bee311d6f885bffb4a83843bddbe6b126be).

...

> CPU: 0 UID: 0 PID: 5217 Comm: systemd-udevd Not tainted 6.17.0-g39e9d5f63075 #1 PREEMPT(full)

I don't believe it. The splat says 6.17.
Maybe stop trusting AI so much?

Dongliang Mu

Jan 31, 2026, 9:44:11 PM
to Alexei Starovoitov, 梅开彦, bpf, Yinhao Hu, hust-os-ker...@googlegroups.com, Matt Bobrowski, KP Singh
Hi Alexei,

This report is generated by our customized syzkaller, not generated by AI.

Because syzkaller cannot stably reproduce this crash and generate a PoC,
we share it with this public mailing list in case someone may understand
this crash, or help us reproduce and fix it. BTW, if our fuzzer can
reproduce it stably and generate a PoC in the future, we will analyze it
and send an email about its root cause like before.

Dongliang Mu

Alexei Starovoitov

Jan 31, 2026, 9:46:25 PM
to Dongliang Mu, 梅开彦, bpf, Yinhao Hu, hust-os-ker...@googlegroups.com, Matt Bobrowski, KP Singh
Again... the crash is from 6.17. NOT from bpf-next.

So, NO, no one is going to look at the crash from 6.17 that could have
been fixed already.

梅开彦

Jan 31, 2026, 10:07:33 PM
to Alexei Starovoitov, bpf, Yinhao Hu, Dongliang Mu, hust-os-ker...@googlegroups.com, Matt Bobrowski, KP Singh


> -----Original Message-----
> From: "Alexei Starovoitov" <alexei.st...@gmail.com>
> Sent: 2026-02-01 10:29:00 (Sunday)
> To: "梅开彦" <kai...@hust.edu.cn>
> Cc: bpf <b...@vger.kernel.org>, "Yinhao Hu" <ddd...@hust.edu.cn>, "Dongliang Mu" <dz...@hust.edu.cn>, hust-os-ker...@googlegroups.com, "Matt Bobrowski" <mattbo...@google.com>, "KP Singh" <kps...@kernel.org>
> Subject: Re: BUG: unable to handle kernel NULL pointer dereference in bpf_trace_run2

Hi Alex,
Thanks for the reminder. The commit id should be 39e9d5f63075f4d54e3b59b8238478c32af92755. This crash was indeed discovered in the bpf-next branch, but it was identified relatively early—around last November. We will continue to analyze whether this vulnerability can be triggered in the latest branch and will strive to provide a PoC if possible.
I've attached both the syzkaller logs and the repro logs as proof.

repro0
log0
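
The disagreement in this thread comes down to one triage check: with CONFIG_LOCALVERSION_AUTO the release string in the splat's "CPU:" line carries a "-g<abbreviated sha>" suffix naming the commit the kernel was actually built from, so a reviewer can compare it against the base commit a report claims before spending time on the backtrace. The following Python is an added example, not code from the thread, from syzkaller or from the kernel tree: it parses that line and runs the comparison against both commit ids given above (the first claimed one and the corrected one). The tainted-kernel sample line and all function and class names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the "CPU:" line quoted from the crash report in this thread,
# plus the two base commits the reporter gave (the first was wrong, the second
# was the correction). The third line is constructed to cover the tainted form.
SPLAT_CPU_LINE = (
    "CPU: 0 UID: 0 PID: 5217 Comm: systemd-udevd Not tainted "
    "6.17.0-g39e9d5f63075 #1 PREEMPT(full)"
)
CLAIMED_COMMIT_FIRST = "93ce3bee311d6f885bffb4a83843bddbe6b126be"
CLAIMED_COMMIT_CORRECTED = "39e9d5f63075f4d54e3b59b8238478c32af92755"
CONSTRUCTED_TAINTED_LINE = (
    "CPU: 1 PID: 42 Comm: kworker/1:0 Tainted: G        W  6.12.0-rc3-dirty #7"
)


@dataclass
class KernelId:
    release: str              # uname -r with the -g<sha>/-dirty suffix stripped, e.g. "6.17.0"
    short_sha: Optional[str]  # the abbreviated git hash from the -g suffix, if present
    dirty: bool               # "-dirty" suffix: built from a tree with uncommitted changes
    tainted: Optional[bool]   # None when the line carries no taint marker at all


# The release string is the token immediately before the " #<build-number>" field.
_RELEASE_RE = re.compile(r"(?<!\S)(?P<release>\d+\.\d+(?:\.\d+)?\S*)\s+#\d+")
# setlocalversion appends "-g<abbrev sha>" and, for a dirty tree, "-dirty".
_SHA_SUFFIX_RE = re.compile(r"-g(?P<sha>[0-9a-f]{7,40})(?P<dirty>-dirty)?$")


def parse_kernel_id(splat: str) -> Optional[KernelId]:
    """Locate the 'CPU:' line of an oops and extract release, embedded git
    hash and taint state. Returns None if no usable CPU line is found."""
    for line in splat.splitlines():
        if not line.startswith("CPU:"):
            continue
        m = _RELEASE_RE.search(line)
        if not m:
            return None
        release = m.group("release")
        short_sha = None
        dirty = release.endswith("-dirty")
        s = _SHA_SUFFIX_RE.search(release)
        if s:
            short_sha = s.group("sha")
            release = release[: s.start()]
        elif dirty:
            release = release[: -len("-dirty")]
        if "Not tainted" in line:
            tainted: Optional[bool] = False
        elif "Tainted:" in line:
            tainted = True
        else:
            tainted = None
        return KernelId(release, short_sha, dirty, tainted)
    return None


def base_commit_matches(kid: Optional[KernelId], claimed_commit: str) -> Optional[bool]:
    """True/False when the splat names a build commit that does/does not agree
    with the claimed base commit; None when there is no -g suffix to compare."""
    if kid is None or kid.short_sha is None:
        return None
    return claimed_commit.lower().startswith(kid.short_sha.lower())


def triage_verdict(splat: str, claimed_commit: str) -> str:
    """One-line summary a reviewer wants before reading the backtrace."""
    kid = parse_kernel_id(splat)
    if kid is None:
        return "no CPU line: cannot identify the kernel build"
    match = base_commit_matches(kid, claimed_commit)
    if match is None:
        return f"release {kid.release}: no -g suffix, base commit unverifiable"
    if not match:
        return (f"release {kid.release} built from {kid.short_sha}, which is NOT "
                f"a prefix of claimed commit {claimed_commit[:12]}: reject")
    return f"release {kid.release} built from {kid.short_sha}: matches claimed commit"


if __name__ == "__main__":
    print(triage_verdict(SPLAT_CPU_LINE, CLAIMED_COMMIT_FIRST))
    print(triage_verdict(SPLAT_CPU_LINE, CLAIMED_COMMIT_CORRECTED))
    print(parse_kernel_id(CONSTRUCTED_TAINTED_LINE))
```

Run against the thread's own data, the first claimed commit is rejected (its prefix is not 39e9d5f63075) while the corrected one matches; the check says nothing about which branch that commit sits on, only whether the report's claimed base is the build the crash came from. A kernel built without CONFIG_LOCALVERSION_AUTO carries no -g suffix, which is why the helper returns None rather than a false match in that case.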