Date: Thu, 07 Jun 2018 11:17:02 -0700
Message-ID: <00000000000037bf29056e114a86@google.com>
Subject: KASAN: null-ptr-deref Write in xdp_umem_unaccount_pages
From: syzbot
To: bjorn.topel@intel.com, davem@davemloft.net, linux-kernel@vger.kernel.org, magnus.karlsson@intel.com, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com

Hello,

syzbot found the following crash on:

HEAD commit:    1c8c5a9d38f6 Merge git://git.kernel.org/pub/scm/linux/kern..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13a72bdf800000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4f1acdf888c9d4e9
dashboard link: https://syzkaller.appspot.com/bug?extid=979217770b09ebf5c407
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=12aca2af800000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=161d4ddf800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+979217770b09ebf5c407@syzkaller.appspotmail.com

RDX: 0000000000000004 RSI: 000000000000011b RDI: 0000000000000004
RBP: 00000000006cb018 R08: 0000000000000018 R09: 00007fffc4750032
R10: 0000000020000040 R11: 0000000000000246 R12: 0000000000000005
R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000
==================================================================
BUG: KASAN: null-ptr-deref in atomic64_sub include/asm-generic/atomic-instrumented.h:144 [inline]
BUG: KASAN: null-ptr-deref in atomic_long_sub include/asm-generic/atomic-long.h:199 [inline]
BUG: KASAN: null-ptr-deref in xdp_umem_unaccount_pages.isra.4+0x3d/0x80 net/xdp/xdp_umem.c:135
Write of size 8 at addr 0000000000000060 by task syz-executor246/4527

CPU: 1 PID: 4527 Comm: syz-executor246 Not tainted 4.17.0+ #89
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 kasan_report_error mm/kasan/report.c:352 [inline]
 kasan_report.cold.7+0x6d/0x2fe mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
 atomic64_sub include/asm-generic/atomic-instrumented.h:144 [inline]
 atomic_long_sub include/asm-generic/atomic-long.h:199 [inline]
 xdp_umem_unaccount_pages.isra.4+0x3d/0x80 net/xdp/xdp_umem.c:135
 xdp_umem_reg net/xdp/xdp_umem.c:334 [inline]
 xdp_umem_create+0xd6c/0x10f0 net/xdp/xdp_umem.c:349
 xsk_setsockopt+0x443/0x550 net/xdp/xsk.c:531
 __sys_setsockopt+0x1bd/0x390 net/socket.c:1935
 __do_sys_setsockopt net/socket.c:1946 [inline]
 __se_sys_setsockopt net/socket.c:1943 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1943
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440549
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fffc475d008 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440549
RDX: 0000000000000004 RSI: 000000000000011b RDI: 0000000000000004
RBP: 00000000006cb018 R08: 0000000000000018 R09: 00007fffc4750032
R10: 0000000020000040 R11: 0000000000000246 R12: 0000000000000005
R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000
==================================================================

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches