Dear Linux Developer, Recently when using our tool to fuzz kernel, the following crash was triggered. HEAD commit: 147307c69ba git tree: upstream compiler: clang 12.0.0 console output: https://drive.google.com/file/d/1DW61s3gHmgG-1aa8JP-KfsQzVW_1zm_P/view?usp=share_link kernel config: https://drive.google.com/file/d/1NAf4S43d9VOKD52xbrqw-PUP1Mbj8z-S/view?usp=share_link Syz reproducer: https://drive.google.com/file/d/1LfCJ4C3H2QKanNGIfVwEAewaN53G9CSE/view?usp=share_link Unfortunately, if we transform the syz reproducer to C reproducer with syz-prog2c, the crash would not happen. Please consider using syz-execprog and syz-executor to reproduce the crash. BUG: kernel NULL pointer dereference, address: 000000000000006c #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 106d3d067 P4D 106d3d067 PUD 107d32067 PMD 0 Oops: 0000 [#1] PREEMPT SMP CPU: 0 PID: 2783 Comm: kworker/0:3 Not tainted 6.1.0-rc5-next-20221118 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014 Workqueue: wg-crypt-wg0 wg_packet_tx_worker RIP: 0010:xfrm_policy_lookup_bytype+0x1764/0x1790 net/xfrm/xfrm_policy.c:2139 Code: 00 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 03 4b 1f fd eb 0c e8 fc 4a 1f fd e8 17 a3 12 fd 31 ed 48 8d 7d 6c e8 ec b3 32 fd <8b> 75 6c 48 c7 c7 89 21 7e 85 44 89 e2 31 c0 e8 38 5f a1 00 eb a6 RSP: 0000:ffffc90000003740 EFLAGS: 00010246 RAX: ffff88813bc274d8 RBX: 0000000000000000 RCX: ffffffff840866f4 RDX: 00000000000004d4 RSI: 0000000000000000 RDI: 000000000000006c RBP: 0000000000000000 R08: 000000000000006f R09: 0000000000000000 R10: 0001ffffffffffff R11: ffff8881032a4000 R12: 0000000000000000 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000006c CR3: 0000000104bd7000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> xfrm_policy_lookup net/xfrm/xfrm_policy.c:2151 [inline] __xfrm_policy_check+0x5c1/0x19e0 net/xfrm/xfrm_policy.c:3571 __xfrm_policy_check2 include/net/xfrm.h:1132 [inline] xfrm_policy_check include/net/xfrm.h:1137 [inline] xfrm6_policy_check include/net/xfrm.h:1147 [inline] udpv6_queue_rcv_one_skb+0x184/0xb90 net/ipv6/udp.c:703 udpv6_queue_rcv_skb+0x53d/0x5c0 net/ipv6/udp.c:792 udp6_unicast_rcv_skb net/ipv6/udp.c:935 [inline] __udp6_lib_rcv+0xceb/0x1770 net/ipv6/udp.c:1020 udpv6_rcv+0x4b/0x50 net/ipv6/udp.c:1133 ip6_protocol_deliver_rcu+0x85f/0xd80 net/ipv6/ip6_input.c:439 ip6_input_finish net/ipv6/ip6_input.c:484 [inline] NF_HOOK include/linux/netfilter.h:302 [inline] ip6_input+0x9f/0x180 net/ipv6/ip6_input.c:493 dst_input include/net/dst.h:454 [inline] ip6_rcv_finish+0x1e9/0x2d0 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:302 [inline] ipv6_rcv+0x85/0x140 net/ipv6/ip6_input.c:309 __netif_receive_skb_one_core net/core/dev.c:5482 [inline] __netif_receive_skb+0x8b/0x1b0 net/core/dev.c:5596 process_backlog+0x23f/0x3b0 net/core/dev.c:5924 __napi_poll+0x65/0x420 net/core/dev.c:6485 napi_poll net/core/dev.c:6552 [inline] net_rx_action+0x37e/0x730 net/core/dev.c:6663 __do_softirq+0xf2/0x2c9 kernel/softirq.c:571 do_softirq+0xb1/0xf0 kernel/softirq.c:472 </IRQ> <TASK> __local_bh_enable_ip+0x6f/0x80 kernel/softirq.c:396 __raw_read_unlock_bh include/linux/rwlock_api_smp.h:257 [inline] _raw_read_unlock_bh+0x17/0x20 kernel/locking/spinlock.c:284 wg_socket_send_skb_to_peer+0x107/0x120 drivers/net/wireguard/socket.c:184 wg_packet_create_data_done drivers/net/wireguard/send.c:251 [inline] wg_packet_tx_worker+0x142/0x360 drivers/net/wireguard/send.c:276 process_one_work+0x3e3/0x950 kernel/workqueue.c:2289 worker_thread+0x628/0xa70 kernel/workqueue.c:2436 kthread+0x1a9/0x1e0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 </TASK> Modules linked in: CR2: 000000000000006c ---[ end trace 0000000000000000 ]--- RIP: 0010:xfrm_policy_lookup_bytype+0x1764/0x1790 net/xfrm/xfrm_policy.c:2139 Code: 00 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 03 4b 1f fd eb 0c e8 fc 4a 1f fd e8 17 a3 12 fd 31 ed 48 8d 7d 6c e8 ec b3 32 fd <8b> 75 6c 48 c7 c7 89 21 7e 85 44 89 e2 31 c0 e8 38 5f a1 00 eb a6 RSP: 0000:ffffc90000003740 EFLAGS: 00010246 RAX: ffff88813bc274d8 RBX: 0000000000000000 RCX: ffffffff840866f4 RDX: 00000000000004d4 RSI: 0000000000000000 RDI: 000000000000006c RBP: 0000000000000000 R08: 000000000000006f R09: 0000000000000000 R10: 0001ffffffffffff R11: ffff8881032a4000 R12: 0000000000000000 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000006c CR3: 0000000104bd7000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: 00 00 add %al,(%rax) 2: 00 5b 41 add %bl,0x41(%rbx) 5: 5c pop %rsp 6: 41 5d pop %r13 8: 41 5e pop %r14 a: 41 5f pop %r15 c: 5d pop %rbp d: c3 retq e: e8 03 4b 1f fd callq 0xfd1f4b16 13: eb 0c jmp 0x21 15: e8 fc 4a 1f fd callq 0xfd1f4b16 1a: e8 17 a3 12 fd callq 0xfd12a336 1f: 31 ed xor %ebp,%ebp 21: 48 8d 7d 6c lea 0x6c(%rbp),%rdi 25: e8 ec b3 32 fd callq 0xfd32b416 * 2a: 8b 75 6c mov 0x6c(%rbp),%esi <-- trapping instruction 2d: 48 c7 c7 89 21 7e 85 mov $0xffffffff857e2189,%rdi 34: 44 89 e2 mov %r12d,%edx 37: 31 c0 xor %eax,%eax 39: e8 38 5f a1 00 callq 0xa15f76 3e: eb a6 jmp 0xffffffe6 Best, Wei
