From: syzbot <syzbot+860268315ba86ea6b96b@syzkaller.appspotmail.com>
To: davem@davemloft.net, johannes@sipsolutions.net, kuba@kernel.org,
linux-kernel@vger.kernel.org, linux-wireless@vger.kernel.org,
netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] KASAN: null-ptr-deref Write in rhashtable_free_and_destroy (2)
Date: Mon, 26 Apr 2021 00:17:14 -0700
Message-ID: <00000000000054c19f05c0daef75@google.com>
In-Reply-To: <000000000000174a1c05bfd45183@google.com>

syzbot has found a reproducer for the following issue on:
HEAD commit: 9f4ad9e4 Linux 5.12
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12e92c5dd00000
kernel config: https://syzkaller.appspot.com/x/.config?x=39164acdef826e06
dashboard link: https://syzkaller.appspot.com/bug?extid=860268315ba86ea6b96b
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13438cb9d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10d37705d00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+860268315ba86ea6b96b@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in test_and_set_bit include/asm-generic/bitops/instrumented-atomic.h:70 [inline]
BUG: KASAN: null-ptr-deref in try_to_grab_pending.part.0+0x26/0x770 kernel/workqueue.c:1257
Write of size 8 at addr 0000000000000088 by task kworker/0:0/5
CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.12.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events cfg80211_destroy_iface_wk
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x141/0x1d7 lib/dump_stack.c:120
__kasan_report mm/kasan/report.c:403 [inline]
kasan_report.cold+0x5f/0xd8 mm/kasan/report.c:416
check_region_inline mm/kasan/generic.c:180 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:186
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
test_and_set_bit include/asm-generic/bitops/instrumented-atomic.h:70 [inline]
try_to_grab_pending.part.0+0x26/0x770 kernel/workqueue.c:1257
try_to_grab_pending+0xa1/0xd0 kernel/workqueue.c:1310
__cancel_work_timer+0xa6/0x570 kernel/workqueue.c:3098
rhashtable_free_and_destroy+0x2b/0x920 lib/rhashtable.c:1137
mesh_table_free net/mac80211/mesh_pathtbl.c:70 [inline]
mesh_pathtbl_unregister+0x42/0xa0 net/mac80211/mesh_pathtbl.c:812
ieee80211_teardown_sdata+0x216/0x2d0 net/mac80211/iface.c:691
unregister_netdevice_many+0xc4c/0x1760 net/core/dev.c:10953
unregister_netdevice_queue+0x2dd/0x3c0 net/core/dev.c:10870
unregister_netdevice include/linux/netdevice.h:2884 [inline]
_cfg80211_unregister_wdev+0x485/0x740 net/wireless/core.c:1127
ieee80211_if_remove+0x1df/0x300 net/mac80211/iface.c:2020
ieee80211_del_iface+0x12/0x20 net/mac80211/cfg.c:144
rdev_del_virtual_intf net/wireless/rdev-ops.h:57 [inline]
cfg80211_destroy_ifaces+0x223/0x770 net/wireless/core.c:341
cfg80211_destroy_iface_wk+0x2c/0x40 net/wireless/core.c:354
process_one_work+0x98d/0x1600 kernel/workqueue.c:2275
worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
kthread+0x3b1/0x4a0 kernel/kthread.c:292
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
==================================================================