[v5.15] KASAN: null-ptr-deref Write in get_block
1 view
Skip to first unread message
syzbot
Jun 16, 2023, 9:00:58 PM6/16/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 471e639e59d1 Linux 5.15.117
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=101960a7280000
kernel config: https://syzkaller.appspot.com/x/.config?x=6390289bcc1381aa
dashboard link: https://syzkaller.appspot.com/bug?extid=77fdbc31129a13c474ce
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1628183d280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=141960a7280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/145b7f137d72/disk-471e639e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b5bd2fcb945c/vmlinux-471e639e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/794584032e0f/bzImage-471e639e.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/9aec0bf8d61d/mount_1.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+77fdbc...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 128
VFS: Found a Xenix FS (block size = 512) on device loop0
sysv_free_block: trying to free block not in datazone
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in test_and_set_bit_lock include/asm-generic/bitops/instrumented-lock.h:55 [inline]
BUG: KASAN: null-ptr-deref in trylock_buffer include/linux/buffer_head.h:395 [inline]
BUG: KASAN: null-ptr-deref in lock_buffer include/linux/buffer_head.h:401 [inline]
BUG: KASAN: null-ptr-deref in alloc_branch fs/sysv/itree.c:148 [inline]
BUG: KASAN: null-ptr-deref in get_block+0x565/0x1690 fs/sysv/itree.c:251
Write of size 8 at addr 0000000000000000 by task syz-executor311/3498
CPU: 0 PID: 3498 Comm: syz-executor311 Not tainted 5.15.117-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
__kasan_report mm/kasan/report.c:438 [inline]
kasan_report+0x161/0x1c0 mm/kasan/report.c:451
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
test_and_set_bit_lock include/asm-generic/bitops/instrumented-lock.h:55 [inline]
trylock_buffer include/linux/buffer_head.h:395 [inline]
lock_buffer include/linux/buffer_head.h:401 [inline]
alloc_branch fs/sysv/itree.c:148 [inline]
get_block+0x565/0x1690 fs/sysv/itree.c:251
__block_write_begin_int+0x60b/0x1650 fs/buffer.c:2012
__block_write_begin fs/buffer.c:2062 [inline]
block_write_begin+0x4f/0xc0 fs/buffer.c:2122
sysv_write_begin+0x36/0x70 fs/sysv/itree.c:485
generic_perform_write+0x2bf/0x5b0 mm/filemap.c:3776
__generic_file_write_iter+0x243/0x4f0 mm/filemap.c:3903
generic_file_write_iter+0xa7/0x1b0 mm/filemap.c:3935
do_iter_readv_writev+0x594/0x7a0
do_iter_write+0x1ea/0x760 fs/read_write.c:855
vfs_writev fs/read_write.c:928 [inline]
do_pwritev+0x219/0x360 fs/read_write.c:1025
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fbb39e5db29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffda20a7508 EFLAGS: 00000246 ORIG_RAX: 0000000000000128
RAX: ffffffffffffffda RBX: 0031656c69662f2e RCX: 00007fbb39e5db29
RDX: 0000000000000005 RSI: 0000000020000480 RDI: 0000000000000004
RBP: 00007fbb39e1d160 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000007fff R11: 0000000000000246 R12: 00007fbb39e1d1f0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 471e639e59d1 Linux 5.15.117
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=101960a7280000
kernel config: https://syzkaller.appspot.com/x/.config?x=6390289bcc1381aa
dashboard link: https://syzkaller.appspot.com/bug?extid=77fdbc31129a13c474ce
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1628183d280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=141960a7280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/145b7f137d72/disk-471e639e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b5bd2fcb945c/vmlinux-471e639e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/794584032e0f/bzImage-471e639e.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/9aec0bf8d61d/mount_1.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+77fdbc...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 128
VFS: Found a Xenix FS (block size = 512) on device loop0
sysv_free_block: trying to free block not in datazone
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in test_and_set_bit_lock include/asm-generic/bitops/instrumented-lock.h:55 [inline]
BUG: KASAN: null-ptr-deref in trylock_buffer include/linux/buffer_head.h:395 [inline]
BUG: KASAN: null-ptr-deref in lock_buffer include/linux/buffer_head.h:401 [inline]
BUG: KASAN: null-ptr-deref in alloc_branch fs/sysv/itree.c:148 [inline]
BUG: KASAN: null-ptr-deref in get_block+0x565/0x1690 fs/sysv/itree.c:251
Write of size 8 at addr 0000000000000000 by task syz-executor311/3498
CPU: 0 PID: 3498 Comm: syz-executor311 Not tainted 5.15.117-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
__kasan_report mm/kasan/report.c:438 [inline]
kasan_report+0x161/0x1c0 mm/kasan/report.c:451
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
test_and_set_bit_lock include/asm-generic/bitops/instrumented-lock.h:55 [inline]
trylock_buffer include/linux/buffer_head.h:395 [inline]
lock_buffer include/linux/buffer_head.h:401 [inline]
alloc_branch fs/sysv/itree.c:148 [inline]
get_block+0x565/0x1690 fs/sysv/itree.c:251
__block_write_begin_int+0x60b/0x1650 fs/buffer.c:2012
__block_write_begin fs/buffer.c:2062 [inline]
block_write_begin+0x4f/0xc0 fs/buffer.c:2122
sysv_write_begin+0x36/0x70 fs/sysv/itree.c:485
generic_perform_write+0x2bf/0x5b0 mm/filemap.c:3776
__generic_file_write_iter+0x243/0x4f0 mm/filemap.c:3903
generic_file_write_iter+0xa7/0x1b0 mm/filemap.c:3935
do_iter_readv_writev+0x594/0x7a0
do_iter_write+0x1ea/0x760 fs/read_write.c:855
vfs_writev fs/read_write.c:928 [inline]
do_pwritev+0x219/0x360 fs/read_write.c:1025
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fbb39e5db29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffda20a7508 EFLAGS: 00000246 ORIG_RAX: 0000000000000128
RAX: ffffffffffffffda RBX: 0031656c69662f2e RCX: 00007fbb39e5db29
RDX: 0000000000000005 RSI: 0000000020000480 RDI: 0000000000000004
RBP: 00007fbb39e1d160 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000007fff R11: 0000000000000246 R12: 00007fbb39e1d1f0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Jun 19, 2023, 3:41:56 AM6/19/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: ca87e77a2ef8 Linux 6.1.34
syzbot found the following issue on:
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17d546ff280000
kernel config: https://syzkaller.appspot.com/x/.config?x=c188e92022a334b
dashboard link: https://syzkaller.appspot.com/bug?extid=4f729e4709113b5494ac
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17740d87280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15102aff280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f48d514c343c/disk-ca87e77a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/563336f1f216/vmlinux-ca87e77a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2254afa3642b/bzImage-ca87e77a.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/6e2e853992f8/mount_1.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
loop0: detected capacity change from 0 to 128
VFS: Found a Xenix FS (block size = 512) on device loop0
sysv_free_block: trying to free block not in datazone
==================================================================
BUG: KASAN: null-ptr-deref in test_and_set_bit_lock include/asm-generic/bitops/instrumented-lock.h:57 [inline]
BUG: KASAN: null-ptr-deref in trylock_buffer include/linux/buffer_head.h:390 [inline]
BUG: KASAN: null-ptr-deref in lock_buffer include/linux/buffer_head.h:396 [inline]
BUG: KASAN: null-ptr-deref in alloc_branch fs/sysv/itree.c:148 [inline]
BUG: KASAN: null-ptr-deref in get_block+0x563/0x1690 fs/sysv/itree.c:251
Write of size 8 at addr 0000000000000000 by task syz-executor347/3543
CPU: 1 PID: 3543 Comm: syz-executor347 Not tainted 6.1.34-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_report+0xe6/0x4f0 mm/kasan/report.c:398
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
kasan_report+0x136/0x160 mm/kasan/report.c:495
kasan_check_range+0x27f/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
test_and_set_bit_lock include/asm-generic/bitops/instrumented-lock.h:57 [inline]
trylock_buffer include/linux/buffer_head.h:390 [inline]
lock_buffer include/linux/buffer_head.h:396 [inline]
alloc_branch fs/sysv/itree.c:148 [inline]
get_block+0x563/0x1690 fs/sysv/itree.c:251
__block_write_begin_int+0x544/0x1a30 fs/buffer.c:1991
__block_write_begin fs/buffer.c:2041 [inline]
block_write_begin+0x98/0x1f0 fs/buffer.c:2102
sysv_write_begin+0x2d/0x60 fs/sysv/itree.c:485
generic_perform_write+0x2fc/0x5e0 mm/filemap.c:3754
__generic_file_write_iter+0x176/0x400 mm/filemap.c:3882
generic_file_write_iter+0xab/0x310 mm/filemap.c:3914
do_iter_write+0x6e6/0xc50 fs/read_write.c:861
vfs_writev fs/read_write.c:934 [inline]
do_pwritev+0x216/0x360 fs/read_write.c:1031
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
RIP: 0033:0x7ff96ee68b29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff64f19f18 EFLAGS: 00000246 ORIG_RAX: 0000000000000128
RAX: ffffffffffffffda RBX: 0031656c69662f2e RCX: 00007ff96ee68b29
RDX: 0000000000000005 RSI: 0000000020000480 RDI: 0000000000000004
RBP: 00007ff96ee28160 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000007fff R11: 0000000000000246 R12: 00007ff96ee281f0
syzbot
Oct 1, 2023, 11:31:27 AM10/1/23
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 1416eebaad80bdc85ad9f97f27242011b031e2a9
Author: Prince Kumar Maurya <princekum...@gmail.com>
Date: Wed May 31 01:31:41 2023 +0000
fs/sysv: Null check to prevent null-ptr-deref bug
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12661862680000
start commit: ca87e77a2ef8 Linux 6.1.34
git tree: linux-6.1.y
#syz fix: fs/sysv: Null check to prevent null-ptr-deref bug
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 1416eebaad80bdc85ad9f97f27242011b031e2a9
Author: Prince Kumar Maurya <princekum...@gmail.com>
Date: Wed May 31 01:31:41 2023 +0000
fs/sysv: Null check to prevent null-ptr-deref bug
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12661862680000
start commit: ca87e77a2ef8 Linux 6.1.34
git tree: linux-6.1.y
kernel config: https://syzkaller.appspot.com/x/.config?x=c188e92022a334b
dashboard link: https://syzkaller.appspot.com/bug?extid=4f729e4709113b5494ac
dashboard link: https://syzkaller.appspot.com/bug?extid=4f729e4709113b5494ac
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17740d87280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15102aff280000
If the result looks correct, please mark the issue as fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15102aff280000
#syz fix: fs/sysv: Null check to prevent null-ptr-deref bug
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Oct 2, 2023, 11:28:44 AM10/2/23
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit afd9a31b5aa4b3747f382d44a7b03b7b5d0b7635
Author: Prince Kumar Maurya <princekum...@gmail.com>
Date: Wed May 31 01:31:41 2023 +0000
fs/sysv: Null check to prevent null-ptr-deref bug
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=156fdae6680000
Date: Wed May 31 01:31:41 2023 +0000
fs/sysv: Null check to prevent null-ptr-deref bug
start commit: 471e639e59d1 Linux 5.15.117
git tree: linux-5.15.y
kernel config: https://syzkaller.appspot.com/x/.config?x=6390289bcc1381aa
dashboard link: https://syzkaller.appspot.com/bug?extid=77fdbc31129a13c474ce
dashboard link: https://syzkaller.appspot.com/bug?extid=77fdbc31129a13c474ce
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1628183d280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=141960a7280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=141960a7280000
Reply all
Reply to author
Forward
0 new messages