[syzbot] [bpf?] [net?] BUG: unable to handle kernel NULL pointer dereference in dev_map_generic_redirect

From: syzbot
Date: Sun Apr 07 2024 - 23:43:38 EST


Hello,

syzbot found the following issue on:

HEAD commit: 026e680b0a08 Merge tag 'pwm/for-6.9-rc3-fixes' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17dc5d5e180000
kernel config: https://syzkaller.appspot.com/x/.config?x=10acd270ef193b93
dashboard link: https://syzkaller.appspot.com/bug?extid=aa38edb98c8bd20d2915
compiler: arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/8ead8862021c/non_bootable_disk-026e680b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/085338135a57/vmlinux-026e680b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4b6e5889af37/zImage-026e680b.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+aa38edb98c8bd20d2915@xxxxxxxxxxxxxxxxxxxxxxxxx

8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 0000008d when read
[0000008d] *pgd=85442003, *pmd=fc491003
Internal error: Oops: 207 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 1 PID: 13298 Comm: syz-executor.0 Not tainted 6.9.0-rc2-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at xdp_ok_fwd_dev include/linux/filter.h:1009 [inline]
PC is at dev_map_generic_redirect+0x24/0x23c kernel/bpf/devmap.c:681
LR is at xdp_do_generic_redirect_map net/core/filter.c:4463 [inline]
LR is at xdp_do_generic_redirect+0x1d8/0x4d4 net/core/filter.c:4520
pc : [<803f2e70>] lr : [<813e318c>] psr: 60000013
sp : dfa41d00 ip : dfa41d58 fp : dfa41d54
r10: 0000fdef r9 : 83641800 r8 : dfa43000
r7 : 00000001 r6 : 841bb400 r5 : 855c8a80 r4 : 824b3560
r3 : 00000000 r2 : dfa43000 r1 : 855c8a80 r0 : 841bb400
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 30c5387d Table: 85104f00 DAC: 00000000
Register r0 information: slab kmalloc-cg-64 start 841bb400 pointer offset 0 size 64
Register r1 information: slab skbuff_head_cache start 855c8a80 pointer offset 0 size 192
Register r2 information: 1-page vmalloc region starting at 0xdfa43000 allocated at bpf_prog_alloc_no_stats+0x38/0x1cc kernel/bpf/core.c:103
Register r3 information: NULL pointer
Register r4 information: non-slab/vmalloc memory
Register r5 information: slab skbuff_head_cache start 855c8a80 pointer offset 0 size 192
Register r6 information: slab kmalloc-cg-64 start 841bb400 pointer offset 0 size 64
Register r7 information: non-paged memory
Register r8 information: 1-page vmalloc region starting at 0xdfa43000 allocated at bpf_prog_alloc_no_stats+0x38/0x1cc kernel/bpf/core.c:103
Register r9 information: slab task_struct start 83641800 pointer offset 0 size 3072
Register r10 information: non-paged memory
Register r11 information: 2-page vmalloc region starting at 0xdfa40000 allocated at kernel_clone+0xac/0x3cc kernel/fork.c:2796
Register r12 information: 2-page vmalloc region starting at 0xdfa40000 allocated at kernel_clone+0xac/0x3cc kernel/fork.c:2796
Process syz-executor.0 (pid: 13298, stack limit = 0xdfa40000)
Stack: (0xdfa41d00 to 0xdfa42000)
1d00: 804a6614 8027b0a4 855c8a80 dfa41da4 854a0102 854afef1 dfa43000 0000000e
1d20: dfa41d3c dfa41d30 824b3560 824b3560 855c8a80 84c46000 dfa41da4 0000000e
1d40: 00000024 5b930000 dfa41d9c dfa41d58 813e318c 803f2e58 dfa41d9c dfa41d68
1d60: 0000aaaa 00000000 841bb400 dfa43000 dfa41db4 dfa41e40 00000004 0000000e
1d80: dfa43000 83641800 83404800 00000000 dfa41dec dfa41da0 813ae474 813e2fc0
1da0: dfa41ef0 854a0102 854afef1 854a0102 854a0000 85060400 00000000 00020000
1dc0: 00000000 d2f4c1d4 84c46660 00000001 855e52cc 84c47660 00000ebe 855c8a80
1de0: dfa41ea4 dfa41df0 80c29b04 813ae204 00000000 00000400 00000000 00000eb0
1e00: 00000000 83641800 dfa41ea4 dfa41e18 8031cb08 00010040 00000000 83641800
1e20: 00000000 0000ef31 0000fdef 00000000 855e5000 0000fdef 00000000 00080000
1e40: 855c8a80 00000000 00000000 00000000 00000000 00000000 00000400 00000000
1e60: 00000000 d2f4c1d4 8219b2bc 84c46660 84c46000 d2f4c1d4 83641800 dfa41f08
1e80: dfa41ef0 00000000 84c46660 855e5000 20000040 81b6cbe4 dfa41ed4 dfa41ea8
1ea0: 80c2acb8 80c290c4 00000001 00000000 00000008 80c2ac58 846f6d80 0000fdef
1ec0: 83641800 dfa41f68 dfa41f64 dfa41ed8 804f7298 80c2ac64 dfa41f04 dfa41ee8
1ee0: 8020c17c 8020d138 00000000 00000000 00010000 0000fdef 20000040 00000000
1f00: 00000001 00000000 846f6d80 00000000 0000002a 00000000 00000000 00000000
1f20: 00000000 00000000 00000000 00000000 0000fdef d2f4c1d4 83641800 846f6d81
1f40: 846f6d80 0000002a 00000000 80200288 83641800 00000004 dfa41f94 dfa41f68
1f60: 804f75e0 804f7030 0000002a 00000000 80203054 d2f4c1d4 0000fdef 20000040
1f80: 000000c8 00000004 dfa41fa4 dfa41f98 804f7670 804f7574 00000000 dfa41fa8
1fa0: 80200060 804f766c 0000fdef 20000040 000000c8 20000040 0000fdef 00000000
1fc0: 0000fdef 20000040 000000c8 00000004 7ed4d32e 7ed4d32f 003d0f00 76b160fc
1fe0: 0000005c 76b15ef0 00091154 0004f04c 40000010 000000c8 00000000 00000000
Call trace:
[<803f2e4c>] (dev_map_generic_redirect) from [<813e318c>] (xdp_do_generic_redirect_map net/core/filter.c:4463 [inline])
[<803f2e4c>] (dev_map_generic_redirect) from [<813e318c>] (xdp_do_generic_redirect+0x1d8/0x4d4 net/core/filter.c:4520)
r10:5b930000 r9:00000024 r8:0000000e r7:dfa41da4 r6:84c46000 r5:855c8a80
r4:824b3560
[<813e2fb4>] (xdp_do_generic_redirect) from [<813ae474>] (do_xdp_generic+0x27c/0x440 net/core/dev.c:5021)
r10:00000000 r9:83404800 r8:83641800 r7:dfa43000 r6:0000000e r5:00000004
r4:dfa41e40
[<813ae1f8>] (do_xdp_generic) from [<80c29b04>] (tun_get_user+0xa4c/0x13f4 drivers/net/tun.c:1924)
r9:855c8a80 r8:00000ebe r7:84c47660 r6:855e52cc r5:00000001 r4:84c46660
[<80c290b8>] (tun_get_user) from [<80c2acb8>] (tun_chr_write_iter+0x60/0xc8 drivers/net/tun.c:2048)
r10:81b6cbe4 r9:20000040 r8:855e5000 r7:84c46660 r6:00000000 r5:dfa41ef0
r4:dfa41f08
[<80c2ac58>] (tun_chr_write_iter) from [<804f7298>] (call_write_iter include/linux/fs.h:2108 [inline])
[<80c2ac58>] (tun_chr_write_iter) from [<804f7298>] (new_sync_write fs/read_write.c:497 [inline])
[<80c2ac58>] (tun_chr_write_iter) from [<804f7298>] (vfs_write+0x274/0x438 fs/read_write.c:590)
r8:dfa41f68 r7:83641800 r6:0000fdef r5:846f6d80 r4:80c2ac58
[<804f7024>] (vfs_write) from [<804f75e0>] (ksys_write+0x78/0xf8 fs/read_write.c:643)
r10:00000004 r9:83641800 r8:80200288 r7:00000000 r6:0000002a r5:846f6d80
r4:846f6d81
[<804f7568>] (ksys_write) from [<804f7670>] (__do_sys_write fs/read_write.c:655 [inline])
[<804f7568>] (ksys_write) from [<804f7670>] (sys_write+0x10/0x14 fs/read_write.c:652)
r7:00000004 r6:000000c8 r5:20000040 r4:0000fdef
[<804f7660>] (sys_write) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:66)
Exception stack(0xdfa41fa8 to 0xdfa41ff0)
1fa0: 0000fdef 20000040 000000c8 20000040 0000fdef 00000000
1fc0: 0000fdef 20000040 000000c8 00000004 7ed4d32e 7ed4d32f 003d0f00 76b160fc
1fe0: 0000005c 76b15ef0 00091154 0004f04c
Code: ee1d9f70 e1a08002 e591a054 e1a06000 (e597508c)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: ee1d9f70 mrc 15, 0, r9, cr13, cr0, {3}
4: e1a08002 mov r8, r2
8: e591a054 ldr sl, [r1, #84] @ 0x54
c: e1a06000 mov r6, r0
* 10: e597508c ldr r5, [r7, #140] @ 0x8c <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup