Re: BUG: unable to handle kernel NULL pointer dereference in bpf_prog_ADDR

2020-08-02 Thread John Fastabend
Eric Dumazet wrote:
> 
> 
> On 8/2/20 3:45 PM, syzbot wrote:
> 
> 
> # 
> https://syzkaller.appspot.com/bug?id=d60883a0b19a778d2bcab55f3f6459467f4a3ea7
> # See https://goo.gl/kgGztJ for information about syzkaller reproducers.
> 

Re: BUG: unable to handle kernel NULL pointer dereference in bpf_prog_ADDR

2020-08-02 Thread Eric Dumazet



On 8/2/20 3:45 PM, syzbot wrote:


# https://syzkaller.appspot.com/bug?id=d60883a0b19a778d2bcab55f3f6459467f4a3ea7
# See https://goo.gl/kgGztJ for information about syzkaller reproducers.
#{"threaded":true,"collide":true,"repeat":true,"procs":6,"sandbox":"none","fault_call":-1,"tun":true,"netdev":true,"resetnet":true,"cgroups":true,"binfmt_misc":true,"close_fds":true,"vhci":true,"tmpdir":true,"segv":true}

BUG: unable to handle kernel NULL pointer dereference in bpf_prog_ADDR

2020-08-02 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:    ac3a0c84 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1323497090
kernel config:  https://syzkaller.appspot.com/x/.config?x=c0cfcf935bcc94d2
dashboard link: https://syzkaller.appspot.com/bug?extid=192a7fbbece55f740074
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=141541ea90

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+192a7fbbece55f740...@syzkaller.appspotmail.com

BUG: kernel NULL pointer dereference, address: 
#PF: supervisor read access in kernel mode
#PF: error_code(0x) - not-present page
PGD 9176a067 P4D 9176a067 PUD 9176b067 PMD 0 
Oops:  [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8142 Comm: syz-executor.2 Not tainted 5.8.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:bpf_prog_e48ebe87b99394c4+0x1f/0x590
Code: cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 55 48 89 e5 48 81 ec 00 
00 00 00 53 41 55 41 56 41 57 6a 00 31 c0 48 8b 47 28 <48> 8b 40 00 8b 80 00 01 
00 00 5b 41 5f 41 5e 41 5d 5b c9 c3 cc cc
RSP: 0018:c900038a7b00 EFLAGS: 00010246
RAX:  RBX: dc00 RCX: dc00
RDX: 88808cfb0200 RSI: c9e7e038 RDI: c900038a7ca8
RBP: c900038a7b28 R08:  R09: 
R10:  R11:  R12: c9e7e000
R13: c9e7e000 R14: 0001 R15: 
FS:  7fda07fef700() GS:8880ae70() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2:  CR3: 91769000 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 bpf_prog_run_xdp include/linux/filter.h:734 [inline]
 bpf_test_run+0x221/0xc70 net/bpf/test_run.c:47
 bpf_prog_test_run_xdp+0x2ca/0x510 net/bpf/test_run.c:524
 bpf_prog_test_run kernel/bpf/syscall.c:2983 [inline]
 __do_sys_bpf+0x2117/0x4b10 kernel/bpf/syscall.c:4135
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45cc79
Code: 2d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 
fb b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fda07feec78 EFLAGS: 0246 ORIG_RAX: 0141
RAX: ffda RBX: 1740 RCX: 0045cc79
RDX: 0028 RSI: 2080 RDI: 000a
RBP: 0078bfe0 R08:  R09: 
R10:  R11: 0246 R12: 0078bfac
R13: 7ffc3ef769bf R14: 7fda07fef9c0 R15: 0078bfac
Modules linked in:
CR2: 
---[ end trace b2d24107e7fdae7d ]---
RIP: 0010:bpf_prog_e48ebe87b99394c4+0x1f/0x590
Code: cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 55 48 89 e5 48 81 ec 00 
00 00 00 53 41 55 41 56 41 57 6a 00 31 c0 48 8b 47 28 <48> 8b 40 00 8b 80 00 01 
00 00 5b 41 5f 41 5e 41 5d 5b c9 c3 cc cc
RSP: 0018:c900038a7b00 EFLAGS: 00010246
RAX:  RBX: dc00 RCX: dc00
RDX: 88808cfb0200 RSI: c9e7e038 RDI: c900038a7ca8
RBP: c900038a7b28 R08:  R09: 
R10:  R11:  R12: c9e7e000
R13: c9e7e000 R14: 0001 R15: 
FS:  7fda07fef700() GS:8880ae70() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2:  CR3: 91769000 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches