[Android 5.4] [fat?] KASAN: null-ptr-deref Write in mark_buffer_dirty_inode


syzbot

Feb 2, 2023, 10:37:47 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 6a5ec6cea0cd UPSTREAM: 9p/fd: fix issue of list_del corrup..
git tree: android12-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=1481069d480000
kernel config: https://syzkaller.appspot.com/x/.config?x=c00a32e58def3322
dashboard link: https://syzkaller.appspot.com/bug?extid=6c5ed5e5e399bab41dd8
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b0c84a2500cf/disk-6a5ec6ce.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7c54760baf8c/vmlinux-6a5ec6ce.xz
kernel image: https://storage.googleapis.com/syzbot-assets/838417840fba/bzImage-6a5ec6ce.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6c5ed5...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: null-ptr-deref in atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:693 [inline]
BUG: KASAN: null-ptr-deref in queued_spin_lock include/asm-generic/qspinlock.h:78 [inline]
BUG: KASAN: null-ptr-deref in do_raw_spin_lock include/linux/spinlock.h:181 [inline]
BUG: KASAN: null-ptr-deref in __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
BUG: KASAN: null-ptr-deref in _raw_spin_lock+0x96/0x1b0 kernel/locking/spinlock.c:151
Write of size 4 at addr 000000000000008c by task syz-executor.5/1905

CPU: 1 PID: 1905 Comm: syz-executor.5 Not tainted 5.4.225-syzkaller-00029-g6a5ec6cea0cd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d8/0x241 lib/dump_stack.c:118
__kasan_report+0xec/0x130 mm/kasan/report.c:520
kasan_report+0x30/0x60 mm/kasan/common.c:653
check_memory_region_inline mm/kasan/generic.c:141 [inline]
check_memory_region+0x298/0x2d0 mm/kasan/generic.c:191
atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:693 [inline]
queued_spin_lock include/asm-generic/qspinlock.h:78 [inline]
do_raw_spin_lock include/linux/spinlock.h:181 [inline]
__raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
_raw_spin_lock+0x96/0x1b0 kernel/locking/spinlock.c:151
spin_lock include/linux/spinlock.h:338 [inline]
mark_buffer_dirty_inode+0x126/0x300 fs/buffer.c:558
fat12_ent_put+0x1a4/0x2d0 fs/fat/fatent.c:172
fat_alloc_clusters+0x7f9/0x14f0 fs/fat/fatent.c:502
fat_alloc_new_dir+0x19e/0xd70 fs/fat/dir.c:1148
vfat_mkdir+0x176/0x420 fs/fat/namei_vfat.c:860
vfs_mkdir+0x416/0x5f0 fs/namei.c:3896
open_or_create_special_dir+0xe3/0x1c0 fs/incfs/vfs.c:459
incfs_mount_fs+0x485/0xa00 fs/incfs/vfs.c:1818
legacy_get_tree+0xde/0x170 fs/fs_context.c:647
vfs_get_tree+0x85/0x260 fs/super.c:1547
do_new_mount+0x299/0x580 fs/namespace.c:2843
do_mount+0x6ac/0xe10 fs/namespace.c:3163
ksys_mount+0xc2/0xf0 fs/namespace.c:3372
__do_sys_mount fs/namespace.c:3386 [inline]
__se_sys_mount fs/namespace.c:3383 [inline]
__x64_sys_mount+0xb1/0xc0 fs/namespace.c:3383
do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
==================================================================
BUG: kernel NULL pointer dereference, address: 000000000000008c
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 1aeec1067 P4D 1aeec1067 PUD 1e05a2067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 1905 Comm: syz-executor.5 Tainted: G B 5.4.225-syzkaller-00029-g6a5ec6cea0cd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
RIP: 0010:arch_atomic_try_cmpxchg arch/x86/include/asm/atomic.h:200 [inline]
RIP: 0010:atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:695 [inline]
RIP: 0010:queued_spin_lock include/asm-generic/qspinlock.h:78 [inline]
RIP: 0010:do_raw_spin_lock include/linux/spinlock.h:181 [inline]
RIP: 0010:__raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
RIP: 0010:_raw_spin_lock+0xb8/0x1b0 kernel/locking/spinlock.c:151
Code: 00 00 00 e8 ea 7d 4e fd 4c 89 ff be 04 00 00 00 e8 dd 7d 4e fd 43 8a 04 26 84 c0 0f 85 a9 00 00 00 8b 44 24 20 b9 01 00 00 00 <f0> 41 0f b1 4d 00 75 33 48 c7 04 24 0e 36 e0 45 49 c7 04 1c 00 00
RSP: 0018:ffff8881b2d07360 EFLAGS: 00010297
RAX: 0000000000000000 RBX: 1ffff110365a0e6c RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff8881b2d07380
RBP: ffff8881b2d073e8 R08: dffffc0000000000 R09: 0000000000000003
R10: ffffed10365a0e71 R11: 1ffff110365a0e70 R12: dffffc0000000000
R13: 000000000000008c R14: 1ffff110365a0e70 R15: ffff8881b2d07380
FS: 00007f756d38c700(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000008c CR3: 00000001e2f4d000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
spin_lock include/linux/spinlock.h:338 [inline]
mark_buffer_dirty_inode+0x126/0x300 fs/buffer.c:558
fat12_ent_put+0x1a4/0x2d0 fs/fat/fatent.c:172
fat_alloc_clusters+0x7f9/0x14f0 fs/fat/fatent.c:502
fat_alloc_new_dir+0x19e/0xd70 fs/fat/dir.c:1148
vfat_mkdir+0x176/0x420 fs/fat/namei_vfat.c:860
vfs_mkdir+0x416/0x5f0 fs/namei.c:3896
open_or_create_special_dir+0xe3/0x1c0 fs/incfs/vfs.c:459
incfs_mount_fs+0x485/0xa00 fs/incfs/vfs.c:1818
legacy_get_tree+0xde/0x170 fs/fs_context.c:647
vfs_get_tree+0x85/0x260 fs/super.c:1547
do_new_mount+0x299/0x580 fs/namespace.c:2843
do_mount+0x6ac/0xe10 fs/namespace.c:3163
ksys_mount+0xc2/0xf0 fs/namespace.c:3372
__do_sys_mount fs/namespace.c:3386 [inline]
__se_sys_mount fs/namespace.c:3383 [inline]
__x64_sys_mount+0xb1/0xc0 fs/namespace.c:3383
do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Modules linked in:
CR2: 000000000000008c
---[ end trace baa816398ab0d8c2 ]---
RIP: 0010:arch_atomic_try_cmpxchg arch/x86/include/asm/atomic.h:200 [inline]
RIP: 0010:atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:695 [inline]
RIP: 0010:queued_spin_lock include/asm-generic/qspinlock.h:78 [inline]
RIP: 0010:do_raw_spin_lock include/linux/spinlock.h:181 [inline]
RIP: 0010:__raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
RIP: 0010:_raw_spin_lock+0xb8/0x1b0 kernel/locking/spinlock.c:151
Code: 00 00 00 e8 ea 7d 4e fd 4c 89 ff be 04 00 00 00 e8 dd 7d 4e fd 43 8a 04 26 84 c0 0f 85 a9 00 00 00 8b 44 24 20 b9 01 00 00 00 <f0> 41 0f b1 4d 00 75 33 48 c7 04 24 0e 36 e0 45 49 c7 04 1c 00 00
RSP: 0018:ffff8881b2d07360 EFLAGS: 00010297
RAX: 0000000000000000 RBX: 1ffff110365a0e6c RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff8881b2d07380
RBP: ffff8881b2d073e8 R08: dffffc0000000000 R09: 0000000000000003
R10: ffffed10365a0e71 R11: 1ffff110365a0e70 R12: dffffc0000000000
R13: 000000000000008c R14: 1ffff110365a0e70 R15: ffff8881b2d07380
FS: 00007f756d38c700(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000008c CR3: 00000001e2f4d000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 00 00 add %al,(%rax)
2: e8 ea 7d 4e fd callq 0xfd4e7df1
7: 4c 89 ff mov %r15,%rdi
a: be 04 00 00 00 mov $0x4,%esi
f: e8 dd 7d 4e fd callq 0xfd4e7df1
14: 43 8a 04 26 mov (%r14,%r12,1),%al
18: 84 c0 test %al,%al
1a: 0f 85 a9 00 00 00 jne 0xc9
20: 8b 44 24 20 mov 0x20(%rsp),%eax
24: b9 01 00 00 00 mov $0x1,%ecx
* 29: f0 41 0f b1 4d 00 lock cmpxchg %ecx,0x0(%r13) <-- trapping instruction
2f: 75 33 jne 0x64
31: 48 c7 04 24 0e 36 e0 movq $0x45e0360e,(%rsp)
38: 45
39: 49 rex.WB
3a: c7 .byte 0xc7
3b: 04 1c add $0x1c,%al


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jun 2, 2023, 11:38:49 AM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.