From: syzbot <syzbot+8433ca0841e308ef4cc7@syzkaller.appspotmail.com>
To: davem@davemloft.net, kuznet@ms2.inr.ac.ru,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
syzkaller-bugs@googlegroups.com, yoshfuji@linux-ipv6.org
Subject: KASAN: null-ptr-deref Read in ip6_hold_safe
Date: Sun, 13 Jan 2019 22:52:03 -0800 [thread overview]
Message-ID: <00000000000075c0ef057f657b8d@google.com> (raw)
Hello,
syzbot found the following crash on:
HEAD commit: b71acb0e3721 Merge branch 'linus' of git://git.kernel.org/..
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1492759f400000
kernel config: https://syzkaller.appspot.com/x/.config?x=b03c5892bb940c76
dashboard link: https://syzkaller.appspot.com/bug?extid=8433ca0841e308ef4cc7
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8433ca0841e308ef4cc7@syzkaller.appspotmail.com
kernel msg: ebtables bug: please report to author: EBT_ENTRY_OR_ENTRIES
shouldn't be set in distinguisher
==================================================================
BUG: KASAN: null-ptr-deref in atomic_read
include/asm-generic/atomic-instrumented.h:21 [inline]
BUG: KASAN: null-ptr-deref in atomic_fetch_add_unless
include/linux/atomic.h:575 [inline]
BUG: KASAN: null-ptr-deref in atomic_add_unless include/linux/atomic.h:597
[inline]
BUG: KASAN: null-ptr-deref in dst_hold_safe include/net/dst.h:308 [inline]
BUG: KASAN: null-ptr-deref in ip6_hold_safe+0xca/0x620 net/ipv6/route.c:1021
Read of size 4 at addr 0000000000000068 by task syz-executor4/21421
CPU: 0 PID: 21421 Comm: syz-executor4 Not tainted 4.20.0+ #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
kasan_report_error mm/kasan/report.c:352 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x19f/0x2ba mm/kasan/report.c:396
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
atomic_fetch_add_unless include/linux/atomic.h:575 [inline]
atomic_add_unless include/linux/atomic.h:597 [inline]
dst_hold_safe include/net/dst.h:308 [inline]
ip6_hold_safe+0xca/0x620 net/ipv6/route.c:1021
rt6_get_pcpu_route net/ipv6/route.c:1241 [inline]
ip6_pol_route+0x3a3/0x1490 net/ipv6/route.c:1890
ip6_pol_route_output+0x54/0x70 net/ipv6/route.c:2066
fib6_rule_lookup+0x277/0x870 net/ipv6/fib6_rules.c:122
ip6_route_output_flags+0x2c4/0x350 net/ipv6/route.c:2095
ip6_route_output include/net/ip6_route.h:88 [inline]
ip6_dst_lookup_tail+0xe18/0x1d50 net/ipv6/ip6_output.c:958
ip6_dst_lookup_flow+0xca/0x270 net/ipv6/ip6_output.c:1086
ip6_sk_dst_lookup_flow net/ipv6/ip6_output.c:1124 [inline]
ip6_sk_dst_lookup_flow+0x5d6/0xbf0 net/ipv6/ip6_output.c:1114
udpv6_sendmsg+0x20d7/0x3550 net/ipv6/udp.c:1441
inet_sendmsg+0x1af/0x740 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg+0xdd/0x130 net/socket.c:631
___sys_sendmsg+0x7ec/0x910 net/socket.c:2116
__sys_sendmsg+0x112/0x270 net/socket.c:2154
__do_sys_sendmsg net/socket.c:2163 [inline]
__se_sys_sendmsg net/socket.c:2161 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2161
protocol 88fb is buggy, dev hsr_slave_0
do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
protocol 88fb is buggy, dev hsr_slave_1
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457ec9
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fb05ac4ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
RDX: 0000000000000000 RSI: 0000000020013000 RDI: 0000000000000004
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb05ac4b6d4
R13: 00000000004c4d2e R14: 00000000004d8650 R15: 00000000ffffffff
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
next reply other threads:[~2019-01-14 6:52 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-14 6:52 syzbot [this message]
2019-01-14 6:55 ` KASAN: null-ptr-deref Read in ip6_hold_safe Dmitry Vyukov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=00000000000075c0ef057f657b8d@google.com \
--to=syzbot+8433ca0841e308ef4cc7@syzkaller.appspotmail.com \
--cc=davem@davemloft.net \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.