* [syzbot] [net?] KASAN: null-ptr-deref Write in rcuref_put (4)
@ 2025-04-09 12:48 syzbot
From: syzbot @ 2025-04-09 12:48 UTC (permalink / raw)
To: davem, edumazet, horms, kuba, linux-kernel, netdev, pabeni,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: a52a3c18cdf3 Merge tag 'ntb-6.15' of https://github.com/jo..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15764be4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=695196aa2bd08d99
dashboard link: https://syzkaller.appspot.com/bug?extid=27d7cfbc93457e472e00
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/326c7eeab15a/disk-a52a3c18.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/10c3ccb3546c/vmlinux-a52a3c18.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0bd8832c1d9c/bzImage-a52a3c18.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+27d7cfbc93457e472e00@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: null-ptr-deref in atomic_sub_return_release include/linux/atomic/atomic-instrumented.h:326 [inline]
BUG: KASAN: null-ptr-deref in __rcuref_put include/linux/rcuref.h:89 [inline]
BUG: KASAN: null-ptr-deref in rcuref_put+0x1a1/0x240 include/linux/rcuref.h:153
Write of size 4 at addr 0000000000000041 by task udevd/6807
CPU: 1 UID: 0 PID: 6807 Comm: udevd Not tainted 6.14.0-syzkaller-13389-ga52a3c18cdf3 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_report+0xe3/0x5b0 mm/kasan/report.c:524
kasan_report+0x143/0x180 mm/kasan/report.c:634
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x28f/0x2a0 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_sub_return_release include/linux/atomic/atomic-instrumented.h:326 [inline]
__rcuref_put include/linux/rcuref.h:89 [inline]
rcuref_put+0x1a1/0x240 include/linux/rcuref.h:153
dst_release+0x24/0x1b0 net/core/dst.c:167
dst_cache_reset_now+0x1b0/0x220 net/core/dst_cache.c:183
wg_socket_clear_peer_endpoint_src+0x40/0x50 drivers/net/wireguard/socket.c:312
wg_expired_retransmit_handshake+0xd3/0x2d0 drivers/net/wireguard/timers.c:73
call_timer_fn+0x189/0x650 kernel/time/timer.c:1789
expire_timers kernel/time/timer.c:1840 [inline]
__run_timers kernel/time/timer.c:2414 [inline]
__run_timer_base+0x66e/0x8e0 kernel/time/timer.c:2426
run_timer_base kernel/time/timer.c:2435 [inline]
run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2445
handle_softirqs+0x2d6/0x9b0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xfb/0x220 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xd9/0x140 kernel/locking/spinlock.c:194
Code: 9c 8f 44 24 20 42 80 3c 2b 00 74 08 4c 89 f7 e8 3d bd ff f5 f6 44 24 21 02 75 55 41 f7 c7 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> 32 58 65 f5 65 8b 05 0b 1e 3a 07 85 c0 74 46 48 c7 04 24 0e 36
RSP: 0018:ffffc90003f97280 EFLAGS: 00000206
RAX: ba8754475f048600 RBX: 1ffff920007f2e54 RCX: ffffffff81cb37bc
RDX: 0000000000000000 RSI: ffffffff8e687288 RDI: 0000000000000001
RBP: ffffc90003f97310 R08: ffffffff905eac77 R09: 1ffffffff20bd58e
R10: dffffc0000000000 R11: fffffbfff20bd58f R12: 1ffff920007f2e50
R13: dffffc0000000000 R14: ffffc90003f972a0 R15: 0000000000000246
__debug_check_no_obj_freed lib/debugobjects.c:1108 [inline]
debug_check_no_obj_freed+0x572/0x590 lib/debugobjects.c:1129
free_pages_prepare mm/page_alloc.c:1269 [inline]
free_unref_folios+0x576/0x17e0 mm/page_alloc.c:2737
folios_put_refs+0x70a/0x800 mm/swap.c:992
folio_batch_release include/linux/pagevec.h:101 [inline]
shmem_undo_range+0x595/0x1820 mm/shmem.c:1125
shmem_truncate_range mm/shmem.c:1237 [inline]
shmem_evict_inode+0x29d/0xa80 mm/shmem.c:1365
evict+0x4f9/0x9b0 fs/inode.c:810
__dentry_kill+0x20d/0x630 fs/dcache.c:660
dput+0x19f/0x2b0 fs/dcache.c:902
__fput+0x60b/0x9f0 fs/file_table.c:473
task_work_run+0x251/0x310 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x13f/0x340 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8f833170a8
Code: 48 8b 05 83 9d 0d 00 64 c7 00 16 00 00 00 83 c8 ff 48 83 c4 20 5b c3 64 8b 04 25 18 00 00 00 85 c0 75 20 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 5b 48 8b 15 51 9d 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffc3678eaf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 00007f8f83761ae0 RCX: 00007f8f833170a8
RDX: 00005574fff315c8 RSI: 00007ffc3678e2f8 RDI: 0000000000000008
RBP: 00005571a8e7a620 R08: 0000000000000006 R09: cd47be37b8f960f8
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000002
R13: 00005571a8e8a890 R14: 0000000000000008 R15: 00005571a8e73910
</TASK>
==================================================================
----------------
Code disassembly (best guess):
0: 9c pushf
1: 8f 44 24 20 pop 0x20(%rsp)
5: 42 80 3c 2b 00 cmpb $0x0,(%rbx,%r13,1)
a: 74 08 je 0x14
c: 4c 89 f7 mov %r14,%rdi
f: e8 3d bd ff f5 call 0xf5ffbd51
14: f6 44 24 21 02 testb $0x2,0x21(%rsp)
19: 75 55 jne 0x70
1b: 41 f7 c7 00 02 00 00 test $0x200,%r15d
22: 74 01 je 0x25
24: fb sti
25: bf 01 00 00 00 mov $0x1,%edi
* 2a: e8 32 58 65 f5 call 0xf5655861 <-- trapping instruction
2f: 65 8b 05 0b 1e 3a 07 mov %gs:0x73a1e0b(%rip),%eax # 0x73a1e41
36: 85 c0 test %eax,%eax
38: 74 46 je 0x80
3a: 48 rex.W
3b: c7 .byte 0xc7
3c: 04 24 add $0x24,%al
3e: 0e (bad)
3f: 36 ss
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [net?] KASAN: null-ptr-deref Write in rcuref_put (4)
From: syzbot @ 2025-08-04 11:12 UTC (permalink / raw)
To: davem, edumazet, horms, kuba, linux-kernel, netdev, pabeni,
syzkaller-bugs
syzbot has found a reproducer for the following issue on:
HEAD commit: 5c5a10f0be96 Add linux-next specific files for 20250804
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=14f23aa2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f4ccbd076877954b
dashboard link: https://syzkaller.appspot.com/bug?extid=27d7cfbc93457e472e00
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1628faa2580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12490434580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cb2134de7be8/disk-5c5a10f0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fe8a36605e0c/vmlinux-5c5a10f0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/12df22603d55/bzImage-5c5a10f0.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+27d7cfbc93457e472e00@syzkaller.appspotmail.com
BUG: unable to handle page fault for address: ffffffffffffffdb
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD df3b067 P4D df3b067 PUD df3d067 PMD 0
Oops: Oops: 0002 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 6346 Comm: syz.0.336 Not tainted 6.16.0-next-20250804-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:85 [inline]
RIP: 0010:raw_atomic_sub_return_release include/linux/atomic/atomic-arch-fallback.h:846 [inline]
RIP: 0010:atomic_sub_return_release include/linux/atomic/atomic-instrumented.h:327 [inline]
RIP: 0010:__rcuref_put include/linux/rcuref.h:109 [inline]
RIP: 0010:rcuref_put+0x172/0x210 include/linux/rcuref.h:173
Code: c7 c7 80 72 94 8c be 68 00 00 00 48 c7 c2 c0 72 94 8c e8 21 f7 35 f8 48 89 df be 04 00 00 00 e8 84 90 bb f8 41 be ff ff ff ff <f0> 44 0f c1 33 41 8d 76 ff bf ff ff ff ff e8 ab 27 58 f8 41 ff ce
RSP: 0018:ffffc9000431f960 EFLAGS: 00010256
RAX: ffffffff89678f01 RBX: ffffffffffffffdb RCX: ffffffff89678fdc
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffffffffffdb
RBP: ffffc9000431f9f8 R08: ffffffffffffffde R09: 1ffffffffffffffb
R10: dffffc0000000000 R11: fffffbfffffffffc R12: dffffc0000000000
R13: dffffc0000000000 R14: 00000000ffffffff R15: 1ffff92000863f2c
FS: 0000555583637500(0000) GS:ffff888125d17000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffdb CR3: 000000002465a000 CR4: 00000000003526f0
Call Trace:
<TASK>
dst_release+0x24/0x1b0 net/core/dst.c:167
ip_rt_put include/net/route.h:285 [inline]
pptp_xmit+0x14b/0x1a90 drivers/net/ppp/pptp.c:267
__ppp_channel_push+0xf2/0x1c0 drivers/net/ppp/ppp_generic.c:2166
ppp_channel_push+0x123/0x660 drivers/net/ppp/ppp_generic.c:2198
ppp_write+0x2b0/0x400 drivers/net/ppp/ppp_generic.c:544
vfs_write+0x27b/0xb30 fs/read_write.c:684
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fda7098eb69
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffb2fc7658 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fda70bb5fa0 RCX: 00007fda7098eb69
RDX: 0000000000000013 RSI: 00002000000002c0 RDI: 0000000000000004
RBP: 00007fda70a11df1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fda70bb5fa0 R14: 00007fda70bb5fa0 R15: 0000000000000003
</TASK>
Modules linked in:
CR2: ffffffffffffffdb
---[ end trace 0000000000000000 ]---
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:85 [inline]
RIP: 0010:raw_atomic_sub_return_release include/linux/atomic/atomic-arch-fallback.h:846 [inline]
RIP: 0010:atomic_sub_return_release include/linux/atomic/atomic-instrumented.h:327 [inline]
RIP: 0010:__rcuref_put include/linux/rcuref.h:109 [inline]
RIP: 0010:rcuref_put+0x172/0x210 include/linux/rcuref.h:173
Code: c7 c7 80 72 94 8c be 68 00 00 00 48 c7 c2 c0 72 94 8c e8 21 f7 35 f8 48 89 df be 04 00 00 00 e8 84 90 bb f8 41 be ff ff ff ff <f0> 44 0f c1 33 41 8d 76 ff bf ff ff ff ff e8 ab 27 58 f8 41 ff ce
RSP: 0018:ffffc9000431f960 EFLAGS: 00010256
RAX: ffffffff89678f01 RBX: ffffffffffffffdb RCX: ffffffff89678fdc
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffffffffffdb
RBP: ffffc9000431f9f8 R08: ffffffffffffffde R09: 1ffffffffffffffb
R10: dffffc0000000000 R11: fffffbfffffffffc R12: dffffc0000000000
R13: dffffc0000000000 R14: 00000000ffffffff R15: 1ffff92000863f2c
FS: 0000555583637500(0000) GS:ffff888125d17000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffdb CR3: 000000002465a000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: c7 c7 80 72 94 8c mov $0x8c947280,%edi
6: be 68 00 00 00 mov $0x68,%esi
b: 48 c7 c2 c0 72 94 8c mov $0xffffffff8c9472c0,%rdx
12: e8 21 f7 35 f8 call 0xf835f738
17: 48 89 df mov %rbx,%rdi
1a: be 04 00 00 00 mov $0x4,%esi
1f: e8 84 90 bb f8 call 0xf8bb90a8
24: 41 be ff ff ff ff mov $0xffffffff,%r14d
* 2a: f0 44 0f c1 33 lock xadd %r14d,(%rbx) <-- trapping instruction
2f: 41 8d 76 ff lea -0x1(%r14),%esi
33: bf ff ff ff ff mov $0xffffffff,%edi
38: e8 ab 27 58 f8 call 0xf85827e8
3d: 41 ff ce dec %r14d
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
* Re: [syzbot] [net?] KASAN: null-ptr-deref Write in rcuref_put (4)
From: Eric Dumazet @ 2025-08-04 13:08 UTC (permalink / raw)
To: syzbot; +Cc: davem, horms, kuba, linux-kernel, netdev, pabeni, syzkaller-bugs
On Mon, Aug 4, 2025 at 4:12 AM syzbot
<syzbot+27d7cfbc93457e472e00@syzkaller.appspotmail.com> wrote:
> [...]
Quite different bug I think, added with my recent commit
commit de9c4861fb42f0cd72da844c3c34f692d5895b7b
Author: Eric Dumazet <edumazet@google.com>
Date: Tue Jul 29 08:02:07 2025 +0000
pptp: ensure minimal skb length in pptp_xmit()
#syz test
diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
index 4cd6f67bd5d3520308ee4f8d68547a1bc8a7bfd3..90737cb718928a2dddacdc098f1d48d4430d6ddd
100644
--- a/drivers/net/ppp/pptp.c
+++ b/drivers/net/ppp/pptp.c
@@ -159,17 +159,17 @@ static int pptp_xmit(struct ppp_channel *chan,
struct sk_buff *skb)
int len;
unsigned char *data;
__u32 seq_recv;
- struct rtable *rt = NULL;
+ struct rtable *rt;
struct net_device *tdev;
struct iphdr *iph;
int max_headroom;
if (sk_pppox(po)->sk_state & PPPOX_DEAD)
- goto tx_error;
+ goto tx_drop;
rt = pptp_route_output(po, &fl4);
if (IS_ERR(rt))
- goto tx_error;
+ goto tx_drop;
tdev = rt->dst.dev;
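Review bot: the hunk header `@@ -159,17 +159,17 @@ static int pptp_xmit(struct ppp_channel *chan,` has been line-wrapped by the mail client, with `struct sk_buff *skb)` landing on a line of its own, so `patch` cannot parse this hunk; the syzbot test reply later in this thread reports exactly that ("unexpected end of file in patch"). Please resend with `git send-email` or attach the patch file. On the logic itself, retargeting the two early exits from `tx_error` to `tx_drop` is the right fix for the oops: the faulting address ffffffffffffffdb is a small negative value, consistent with the ERR_PTR returned by `pptp_route_output()` reaching `ip_rt_put(rt)` on the `tx_error` path. With `= NULL` dropped from the `rt` declaration, it is worth double-checking that no other `goto tx_error` remains between the `PPPOX_DEAD` check and the `rt` assignment, since such a jump would now hand an uninitialized pointer to `ip_rt_put()`.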
@@ -265,6 +265,7 @@ static int pptp_xmit(struct ppp_channel *chan,
struct sk_buff *skb)
tx_error:
ip_rt_put(rt);
+tx_drop:
kfree_skb(skb);
return 1;
}
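Review bot: this hunk's header is wrapped the same way (`struct sk_buff *skb)` on a separate line), so it would fail to apply even with the first hunk repaired. Placing `tx_drop:` after `ip_rt_put(rt)` and before `kfree_skb(skb)` is the correct ordering: the route reference is released only on the path that actually holds one, while both labels still free the skb and return 1 so the caller treats the frame as consumed. One small suggestion: using `kfree_skb_reason()` with an appropriate drop reason on the new `tx_drop` path would make dead-socket and routing failures visible in drop accounting instead of counting as plain frees.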
* Re: [syzbot] [net?] KASAN: null-ptr-deref Write in rcuref_put (4)
From: syzbot @ 2025-08-04 17:12 UTC (permalink / raw)
To: davem, edumazet, horms, kuba, linux-kernel, netdev, pabeni,
syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file drivers/net/ppp/pptp.c
patch: **** unexpected end of file in patch
Tested on:
commit: 5c5a10f0 Add linux-next specific files for 20250804
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=f4ccbd076877954b
dashboard link: https://syzkaller.appspot.com/bug?extid=27d7cfbc93457e472e00
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=151dc6a2580000
* Re: [syzbot] [net?] KASAN: null-ptr-deref Write in rcuref_put (4)
From: syzbot @ 2025-08-05 11:34 UTC (permalink / raw)
To: atenart, davem, dawid.osuchowski, edumazet, gal, horms, kuba,
kuniyu, linux-kernel, netdev, pabeni, syzkaller-bugs
syzbot has bisected this issue to:
commit de9c4861fb42f0cd72da844c3c34f692d5895b7b
Author: Eric Dumazet <edumazet@google.com>
Date: Tue Jul 29 08:02:07 2025 +0000
pptp: ensure minimal skb length in pptp_xmit()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17cb2042580000
start commit: 5c5a10f0be96 Add linux-next specific files for 20250804
git tree: linux-next
final oops: https://syzkaller.appspot.com/x/report.txt?x=142b2042580000
console output: https://syzkaller.appspot.com/x/log.txt?x=102b2042580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f4ccbd076877954b
dashboard link: https://syzkaller.appspot.com/bug?extid=27d7cfbc93457e472e00
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1628faa2580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12490434580000
Reported-by: syzbot+27d7cfbc93457e472e00@syzkaller.appspotmail.com
Fixes: de9c4861fb42 ("pptp: ensure minimal skb length in pptp_xmit()")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection