From: Wei Chen <harperchen1110@gmail.com>
To: vyasevich@gmail.com, nhorman@tuxdriver.com,
	marcelo.leitner@gmail.com, linux-sctp@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	davem@davemloft.net, Eric Dumazet <edumazet@google.com>,
	kuba@kernel.org, pabeni@redhat.com
Subject: BUG: unable to handle kernel NULL pointer dereference in sctp_sched_dequeue_common
Date: Tue, 12 Jul 2022 14:50:33 +0800	[thread overview]
Message-ID: <CAO4mrfcB0d+qbwtfndzqcrL+QEQgfOmJYQMAdzwxRePmP8TY1A@mail.gmail.com> (raw)
In-Reply-To: <CAO4mrfcUYjEi69mcSt_vXyb3VGFTAAq3dyNeWueucgw0DGABfg@mail.gmail.com>

Dear Linux Developer,

Recently, when using our tool to fuzz the kernel, the following crash was triggered:

HEAD commit:  c5eb0a61238d Linux 5.18-rc6
git tree: upstream
compiler: clang 12.0.0
console output:
https://drive.google.com/file/d/1zbd9t-NNorzTXESdQ3bxE-q9uLu-Bm9d/view?usp=sharing
Syzlang reproducer:
https://drive.google.com/file/d/18wnwTf53Ln4K8e4G9d8hS4-e0URQKHet/view?usp=sharing
C reproducer: https://drive.google.com/file/d/1ttiMq0WYi46zFP1II8O9eee_dvDweIb6/view?usp=sharing
kernel config: https://drive.google.com/file/d/1fITkvcuglspvuhI0mhXUndx112fJmcOZ/view?usp=sharing

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <harperchen1110@gmail.com>

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 12f83067 P4D 12f83067 PUD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 5.18.0-rc6 #12
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:__list_del_entry_valid+0x26/0x80
Code: 00 00 00 00 55 48 89 e5 48 89 fe 48 ba 00 01 00 00 00 00 ad de
48 8b 0f 48 39 d1 74 22 48 8b 46 08 48 83 c2 22 48 39 d0 74 25 <48> 8b
10 48 39 f2 75 2d 48 8b 51 08 48 39 f2 75 37 b0 01 5d c3 48
RSP: 0018:ffff888007313720 EFLAGS: 00010217
RAX: 0000000000000000 RBX: ffff88800c6283e8 RCX: 0000000000000000
RDX: dead000000000122 RSI: ffff88800c6283e8 RDI: ffff88800c6283e8
RBP: ffff888007313720 R08: ffffffff84399732 R09: ffffffff84392a74
R10: 0000000000000042 R11: ffff8880072a2f80 R12: ffff8880138be238
R13: ffff888016cdb000 R14: ffff888016cdb5a0 R15: ffff888016cdb000
FS:  0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000012f82000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 sctp_sched_dequeue_common+0x1c/0x90
 sctp_sched_prio_dequeue+0x67/0x80
 __sctp_outq_teardown+0x299/0x380
 sctp_outq_free+0x15/0x20
 sctp_association_free+0xc3/0x440
 sctp_do_sm+0x1ca7/0x2210
 sctp_assoc_bh_rcv+0x1f6/0x340
 sctp_inq_push+0x98/0xb0
 sctp_rcv+0x134e/0x16b0
 sctp6_rcv+0x1b/0x30
 ip6_protocol_deliver_rcu+0x5b7/0x930
 ip6_input+0x80/0x140
 ip6_rcv_finish+0x16e/0x1d0
 ipv6_rcv+0x72/0x110
 __netif_receive_skb+0x66/0x140
 process_backlog+0x13d/0x230
 __napi_poll+0x4b/0x310
 net_rx_action+0x1ae/0x410
 __do_softirq+0x16e/0x30f
 run_ksoftirqd+0x23/0x30
 smpboot_thread_fn+0x210/0x370
 kthread+0x124/0x160
 ret_from_fork+0x1f/0x30
 </TASK>
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid+0x26/0x80
Code: 00 00 00 00 55 48 89 e5 48 89 fe 48 ba 00 01 00 00 00 00 ad de
48 8b 0f 48 39 d1 74 22 48 8b 46 08 48 83 c2 22 48 39 d0 74 25 <48> 8b
10 48 39 f2 75 2d 48 8b 51 08 48 39 f2 75 37 b0 01 5d c3 48
RSP: 0018:ffff888007313720 EFLAGS: 00010217
RAX: 0000000000000000 RBX: ffff88800c6283e8 RCX: 0000000000000000
RDX: dead000000000122 RSI: ffff88800c6283e8 RDI: ffff88800c6283e8
RBP: ffff888007313720 R08: ffffffff84399732 R09: ffffffff84392a74
R10: 0000000000000042 R11: ffff8880072a2f80 R12: ffff8880138be238
R13: ffff888016cdb000 R14: ffff888016cdb5a0 R15: ffff888016cdb000
FS:  0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000012f82000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess):
   0: 00 00                 add    %al,(%rax)
   2: 00 00                 add    %al,(%rax)
   4: 55                    push   %rbp
   5: 48 89 e5              mov    %rsp,%rbp
   8: 48 89 fe              mov    %rdi,%rsi
   b: 48 ba 00 01 00 00 00  movabs $0xdead000000000100,%rdx
  12: 00 ad de
  15: 48 8b 0f              mov    (%rdi),%rcx
  18: 48 39 d1              cmp    %rdx,%rcx
  1b: 74 22                 je     0x3f
  1d: 48 8b 46 08           mov    0x8(%rsi),%rax
  21: 48 83 c2 22           add    $0x22,%rdx
  25: 48 39 d0              cmp    %rdx,%rax
  28: 74 25                 je     0x4f
* 2a: 48 8b 10              mov    (%rax),%rdx <-- trapping instruction
  2d: 48 39 f2              cmp    %rsi,%rdx
  30: 75 2d                 jne    0x5f
  32: 48 8b 51 08           mov    0x8(%rcx),%rdx
  36: 48 39 f2              cmp    %rsi,%rdx
  39: 75 37                 jne    0x72
  3b: b0 01                 mov    $0x1,%al
  3d: 5d                    pop    %rbp
  3e: c3                    retq
  3f: 48                    rex.W
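Reading the oops against the disassembly: RDI/RSI hold the list entry being deleted, RCX = entry->next and RAX = entry->prev are both 0, and the trapping `mov (%rax),%rdx` is the prev->next load, so the entry had NULL links when `__list_del_entry_valid` ran. The block below is an added example, not kernel code or the reporter's: a userspace model of that function whose poison constants and check order are read off the disassembly above; the NULL test and the DEL_WOULD_OOPS result are additions for illustration, since the kernel has no such test and faults instead.

```c
/* Added example, not kernel code: a userspace model of the four checks that
 * __list_del_entry_valid performs, in the order the disassembly above shows
 * (movabs 0xdead000000000100 = LIST_POISON1, +0x22 = LIST_POISON2, then
 * prev->next and next->prev), plus a NULL test the kernel does not have. */
#include <stddef.h>

struct list_head { struct list_head *next, *prev; };

#define LIST_POISON1 ((struct list_head *)0xdead000000000100ULL)
#define LIST_POISON2 ((struct list_head *)0xdead000000000122ULL)

enum del_check {
    DEL_OK,            /* all four checks pass, kernel returns true */
    DEL_NEXT_POISON,   /* je 0x3f: entry->next is LIST_POISON1 */
    DEL_PREV_POISON,   /* je 0x4f: entry->prev is LIST_POISON2 */
    DEL_PREV_MISMATCH, /* jne 0x5f: prev->next != entry */
    DEL_NEXT_MISMATCH, /* jne 0x72: next->prev != entry */
    DEL_WOULD_OOPS     /* added here: NULL link, the kernel faults instead */
};

enum del_check model_list_del_entry_valid(const struct list_head *entry)
{
    const struct list_head *next = entry->next; /* mov (%rdi),%rcx    */
    const struct list_head *prev = entry->prev; /* mov 0x8(%rsi),%rax */
    if (next == LIST_POISON1) return DEL_NEXT_POISON;
    if (prev == LIST_POISON2) return DEL_PREV_POISON;
    /* Not in the kernel: with RAX == 0 the next access is the trapping
     * mov (%rax),%rdx, which matches CR2 == 0 in the report. */
    if (prev == NULL || next == NULL) return DEL_WOULD_OOPS;
    if (prev->next != entry) return DEL_PREV_MISMATCH; /* mov (%rax),%rdx    */
    if (next->prev != entry) return DEL_NEXT_MISMATCH; /* mov 0x8(%rcx),%rdx */
    return DEL_OK;
}

/* Zeroed links, e.g. a list_head in zero-filled memory that was never
 * initialised or added; RAX == RCX == 0 in the report is consistent with it. */
enum del_check check_zeroed_entry(void)
{
    struct list_head entry = { NULL, NULL };
    return model_list_del_entry_valid(&entry);
}

/* A correctly linked one-element list passes every check. */
enum del_check check_linked_entry(void)
{
    struct list_head head = { NULL, NULL }, entry = { &head, &head };
    head.next = head.prev = &entry;
    return model_list_del_entry_valid(&entry);
}
```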

Thread overview: 3+ messages
     [not found] <CAO4mrfcUYjEi69mcSt_vXyb3VGFTAAq3dyNeWueucgw0DGABfg@mail.gmail.com>
2022-07-12  6:50 ` Wei Chen [this message]
2022-07-16 22:06   ` BUG: unable to handle kernel NULL pointer dereference in sctp_sched_dequeue_common Xin Long
2022-07-13 16:20 Wei Chen