From: syzbot <syzbot+84f695756ed0c4bb3aba@syzkaller.appspotmail.com>
To: andrew.kanner@gmail.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bpf?] [net?] BUG: unable to handle kernel NULL pointer dereference in sk_msg_recvmsg
Date: Mon, 15 Apr 2024 17:52:02 -0700 [thread overview]
Message-ID: <00000000000066253406162c2536@google.com> (raw)
In-Reply-To: <661dc844.2e0a0220.ae23e.1016@mx.google.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in sk_msg_recvmsg
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000043940000
[0000000000000000] pgd=08000000468bd003, p4d=08000000468bd003, pud=0800000046ab8003, pmd=0000000000000000
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 3479 Comm: syz-executor.0 Not tainted 6.9.0-rc4-syzkaller-g96fca68c4fbf #0
Hardware name: linux,dummy-virt (DT)
pstate: 61401009 (nZCv daif +PAN -UAO -TCO +DIT +SSBS BTYPE=--)
pc : page_kasan_tag include/linux/mm.h:1834 [inline]
pc : lowmem_page_address include/linux/mm.h:2234 [inline]
pc : kmap_local_page include/linux/highmem-internal.h:185 [inline]
pc : copy_page_to_iter+0xb4/0x154 lib/iov_iter.c:360
lr : sk_msg_recvmsg+0xf8/0x37c net/core/skmsg.c:437
sp : ffff80008964b940
x29: ffff80008964b940 x28: 0000000000000000 x27: f1ff000005cd9800
x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
x23: 0000000000000000 x22: 0000020040000000 x21: ffff000000000000
x20: 0000000000001000 x19: ffff80008964bd50 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000382 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000001 x10: 382d7d5bed6f0326 x9 : a9c46d8380c16462
x8 : fdff0000056d6bc8 x7 : 0000000000000000 x6 : fdff000005cd6d40
x5 : 0000000000000001 x4 : 0000000000000000 x3 : ffff80008964bd50
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff801000000000
Call trace:
arch_static_branch_jump arch/arm64/include/asm/jump_label.h:38 [inline]
kasan_enabled include/linux/kasan-enabled.h:13 [inline]
page_kasan_tag include/linux/mm.h:1833 [inline]
lowmem_page_address include/linux/mm.h:2234 [inline]
kmap_local_page include/linux/highmem-internal.h:185 [inline]
copy_page_to_iter+0xb4/0x154 lib/iov_iter.c:360
sk_msg_recvmsg+0xf8/0x37c net/core/skmsg.c:437
unix_bpf_recvmsg net/unix/unix_bpf.c:73 [inline]
unix_bpf_recvmsg+0x13c/0x4f0 net/unix/unix_bpf.c:50
unix_dgram_recvmsg+0x30/0x4c net/unix/af_unix.c:2529
sock_recvmsg_nosec net/socket.c:1046 [inline]
sock_recvmsg net/socket.c:1068 [inline]
sock_recvmsg net/socket.c:1064 [inline]
____sys_recvmsg+0x1d0/0x268 net/socket.c:2803
___sys_recvmsg+0x90/0xe8 net/socket.c:2845
do_recvmmsg+0xc8/0x2f8 net/socket.c:2939
__sys_recvmmsg net/socket.c:3018 [inline]
__do_sys_recvmmsg net/socket.c:3041 [inline]
__se_sys_recvmmsg net/socket.c:3034 [inline]
__arm64_sys_recvmmsg+0xd0/0xec net/socket.c:3034
__invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
invoke_syscall+0x48/0x118 arch/arm64/kernel/syscall.c:48
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:133
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:152
el0_svc+0x34/0xf8 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
Code: 8b160320 d346fc00 8b0032a0 d503201f (f9400323)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 8b160320 add x0, x25, x22
4: d346fc00 lsr x0, x0, #6
8: 8b0032a0 add x0, x21, x0, lsl #12
c: d503201f nop
* 10: f9400323 ldr x3, [x25] <-- trapping instruction
Tested on:
commit: 96fca68c Merge tag 'nfsd-6.9-3' of git://git.kernel.or..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16572cc3180000
kernel config: https://syzkaller.appspot.com/x/.config?x=4ba795506e24be71
dashboard link: https://syzkaller.appspot.com/bug?extid=84f695756ed0c4bb3aba
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Note: no patches were applied.
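The "Mem abort info" block above is the kernel's decoding of the raw ESR value, and the register dump plus the disassembly give enough to cross-check it by hand: x25 is 0 and the trapping instruction is `ldr x3, [x25]`, so the load that faulted is a read through the struct page pointer that copy_page_to_iter() received from sk_msg_recvmsg() (the inlined page_kasan_tag() reads page->flags first). The following is an added example, not part of the syzbot report or of the kernel source: it decodes an arm64 ESR_ELx data-abort syndrome the way the report prints it, and recomputes the three instructions before the trap from the dumped registers. Assumptions, labelled in the code: the field layout follows the Arm ARM description of ESR_ELx for data aborts; PAGE_SIZE is 4 KiB (the report says "4k pages"); the `lsr #6` / `lsl #12` sequence is read as the page_to_virt() arithmetic with a 64-byte struct page; and the NULL-pointer vs. user-memory labelling mirrors the threshold the arm64 fault handler uses as I understand it, not something quoted from the page.

```c
/* Added example (not from the syzbot report or the kernel): decode the arm64
 * ESR value printed under "Mem abort info" and cross-check the register dump
 * against the disassembled trapping sequence. Field layout per the Arm ARM
 * description of ESR_ELx for data aborts (assumption stated in the lead-in). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct esr_dabt {
    unsigned ec;     /* ESR[31:26] exception class; 0x25 = data abort, current EL */
    unsigned il;     /* ESR[25]: 1 = 32-bit instruction */
    uint32_t iss;    /* ESR[24:0] instruction specific syndrome */
    unsigned isv;    /* ISS[24] syndrome valid */
    unsigned set;    /* ISS[12:11] synchronous error type */
    unsigned fnv;    /* ISS[10] FAR not valid */
    unsigned ea;     /* ISS[9] external abort */
    unsigned cm;     /* ISS[8] cache maintenance */
    unsigned s1ptw;  /* ISS[7] fault on stage-1 page-table walk */
    unsigned wnr;    /* ISS[6] 1 = write, 0 = read */
    unsigned fsc;    /* ISS[5:0] data fault status code */
};

struct esr_dabt esr_decode(uint32_t esr)
{
    struct esr_dabt d;
    memset(&d, 0, sizeof d);
    d.ec    = esr >> 26;
    d.il    = (esr >> 25) & 1u;
    d.iss   = esr & 0x01ffffffu;
    d.isv   = (d.iss >> 24) & 1u;
    d.set   = (d.iss >> 11) & 3u;
    d.fnv   = (d.iss >> 10) & 1u;
    d.ea    = (d.iss >> 9) & 1u;
    d.cm    = (d.iss >> 8) & 1u;
    d.s1ptw = (d.iss >> 7) & 1u;
    d.wnr   = (d.iss >> 6) & 1u;
    d.fsc   = d.iss & 0x3fu;
    return d;
}

/* DFSC[1:0] is the translation level for the common fault kinds. */
unsigned fsc_level(unsigned fsc) { return fsc & 3u; }

/* DFSC[5:2] selects the fault kind for codes 0x00-0x0f. */
const char *fsc_kind(unsigned fsc)
{
    switch (fsc >> 2) {
    case 0x0: return "address size fault";
    case 0x1: return "translation fault";
    case 0x2: return "access flag fault";
    case 0x3: return "permission fault";
    default:  return "other fault";
    }
}

/* Label a kernel-mode fault on a user-range address the way the oops header
 * does: below PAGE_SIZE it is called a NULL pointer dereference, otherwise a
 * user-memory access. Assumption: this mirrors the arm64 fault handler's
 * threshold; 4k pages as stated in the report. */
const char *kernel_fault_kind(uint64_t far)
{
    const uint64_t page_size = 4096;
    return far < page_size ? "NULL pointer dereference" : "user-memory access";
}

/* The three instructions before the trapping ldr compute
 *   x0 = x21 + (((x25 + x22) >> 6) << 12)
 * which reads as page_to_virt(): (page - vmemmap) / sizeof(struct page)
 * (64 bytes, hence lsr #6) scaled by PAGE_SHIFT (12) plus PAGE_OFFSET (x21).
 * Assumption: that interpretation of the shifts. Feeding it the dumped
 * x21/x22/x25 should reproduce the dumped x0 if the disassembly is right. */
uint64_t page_virt_from_dump(uint64_t x21, uint64_t x22, uint64_t x25)
{
    return x21 + (((x25 + x22) >> 6) << 12);
}

int main(void)
{
    /* Values taken from the oops above. */
    const uint32_t esr = 0x96000006u;
    const uint64_t far = 0x0;
    struct esr_dabt d = esr_decode(esr);

    printf("ESR = 0x%08x\n", esr);
    printf("  EC = 0x%02x%s, IL = %s\n", d.ec,
           d.ec == 0x25 ? ": DABT (current EL)" : "", d.il ? "32 bits" : "16 bits");
    printf("  ISV = %u, ISS = 0x%08x\n", d.isv, d.iss);
    printf("  SET = %u, FnV = %u, EA = %u, S1PTW = %u, CM = %u, WnR = %u\n",
           d.set, d.fnv, d.ea, d.s1ptw, d.cm, d.wnr);
    printf("  FSC = 0x%02x: level %u %s\n", d.fsc, fsc_level(d.fsc), fsc_kind(d.fsc));
    printf("  kernel label: %s at 0x%016llx\n", kernel_fault_kind(far),
           (unsigned long long)far);
    printf("  x0 recomputed from x21/x22/x25 = 0x%016llx (dump shows ffff801000000000)\n",
           (unsigned long long)page_virt_from_dump(0xffff000000000000ULL,
                                                   0x0000020040000000ULL, 0));
    return 0;
}
```

Two things fall out of running it against the values in this report: the ESR decodes to EC 0x25, 32-bit instruction, ISS 0x6, FSC 0x06 (level 2 translation fault), read access, exactly as the "Mem abort info" lines state; and the recomputed x0 equals the dumped x0 (ffff801000000000), so the disassembly is consistent with the register state and x25, the struct page pointer, really was 0 when page->flags was read.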
Thread overview: 3+ messages
[not found] <661dc844.2e0a0220.ae23e.1016@mx.google.com>
2024-04-16 0:52 ` syzbot [this message]
[not found] <DB3PR10MB6835A6C1F8E2DD5D5CE8DE90E8AAA@DB3PR10MB6835.EURPRD10.PROD.OUTLOOK.COM>
2023-11-06 13:47 ` [syzbot] [bpf?] [net?] BUG: unable to handle kernel NULL pointer dereference in sk_msg_recvmsg syzbot
2023-10-26 18:32 syzbot