BUG: unable to handle kernel paging request in squashfs_decompress

[Palash Oswal]

Syzkaller hit 'BUG: unable to handle kernel paging request in squashfs_decompress' bug.

Head Commit : 841fca5a32cc tag: v5.10.1
git tree : stable 

kernel config :  Attached config.txt

console output : 
BUG: unable to handle page fault for address: ffffc9000014b000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 3c00067 P4D 3c00067 PUD 3dce067 PMD 3dcf067 PTE 0
Oops: 0002 [#1] SMP PTI
CPU: 0 PID: 318 Comm: syz-executor186 Not tainted 5.10.1 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1 04/01/2014
RIP: 0010:memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:55
Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
RSP: 0018:ffffc9000089f840 EFLAGS: 00010246
RAX: ffffc9000014affe RBX: 0000000000001000 RCX: 0000000000000ffe
RDX: 0000000000001000 RSI: ffff888005a34002 RDI: ffffc9000014b000
RBP: ffffc9000089f8b8 R08: 0000000000007368 R09: ffff888005ca1240
R10: ffffffff8157e760 R11: 0000000000000000 R12: 0000000000000000
R13: ffffc9000014affe R14: 0000000000000000 R15: 000000000000236a
FS:  00000000019f7380(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000014b000 CR3: 0000000005ada006 CR4: 0000000000370ef0
Call Trace:
 squashfs_decompress+0x62/0x90 fs/squashfs/decompressor_single.c:70
 squashfs_read_data+0x111/0x710 fs/squashfs/block.c:214
 squashfs_cache_get+0x198/0x460 fs/squashfs/cache.c:110
 squashfs_read_metadata+0xeb/0x1b0 fs/squashfs/cache.c:344
 squashfs_xattr_lookup+0x76/0xd0 fs/squashfs/xattr_id.c:38
 squashfs_read_inode+0x63d/0xae0 fs/squashfs/inode.c:395
 squashfs_iget+0xa8/0xf0 fs/squashfs/inode.c:85
 squashfs_lookup+0x42d/0x500 fs/squashfs/namei.c:212
 lookup_open fs/namei.c:3083 [inline]
 open_last_lookups fs/namei.c:3178 [inline]
 path_openat+0x6ee/0x14a0 fs/namei.c:3366
 do_filp_open+0xa7/0x190 fs/namei.c:3396
 do_sys_openat2+0xcc/0x1e0 fs/open.c:1168
 do_sys_open fs/open.c:1184 [inline]
 __do_sys_openat fs/open.c:1200 [inline]
 __se_sys_openat fs/open.c:1195 [inline]
 __x64_sys_openat+0x80/0xe0 fs/open.c:1195
 do_syscall_64+0x38/0x90 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4489fd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffea7e1498 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000400530 RCX: 00000000004489fd
RDX: 0000000000080000 RSI: 0000000020000040 RDI: 0000000000000005
RBP: 0000000000403e50 R08: 0000000000000000 R09: 0000000000400530
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403ef0
R13: 0000000000000000 R14: 00000000004bf018 R15: 0000000000400530
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
CR2: ffffc9000014b000
---[ end trace ef664778b3add560 ]---
RIP: 0010:memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:55
Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
RSP: 0018:ffffc9000089f840 EFLAGS: 00010246
RAX: ffffc9000014affe RBX: 0000000000001000 RCX: 0000000000000ffe
RDX: 0000000000001000 RSI: ffff888005a34002 RDI: ffffc9000014b000
RBP: ffffc9000089f8b8 R08: 0000000000007368 R09: ffff888005ca1240
R10: ffffffff8157e760 R11: 0000000000000000 R12: 0000000000000000
R13: ffffc9000014affe R14: 0000000000000000 R15: 000000000000236a
FS:  00000000019f7380(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000014b000 CR3: 0000000005ada006 CR4: 0000000000370ef0

c reproducer : Attached reproduer.c

syzkaller reproducer : 
# {Threaded:false Collide:false Repeat:false RepeatTimes:0 Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false}
r0 = syz_mount_image$squashfs(&(0x7f0000000000)='squashfs\x00', &(0x7f0000000100)='./file0\x00', 0x7fffffff, 0x1, &(0x7f0000000200)=[{&(0x7f0000010000)="6873717307000000911d675f004000000100000003000e00e0000200040000001201000000000000f801000000000000ac01000000000000e0010000000000007f000000000000001f0100000000000076010000000000009a010000000000001a73797a6b616c6c6572203a200020438c01200000009820002838001100009e001d0200ed0100000100911d675f40012b0100644c002a7d00032d6e001a040f000300ff277c005901006d08264c00000e2f746d702f73797a2d696d61676567656e3431393737363339322f66696c6530b5000129750102c40b7d00294d00074d0009297d000529f5010a2da402e6177e04bc002add00065d0160de0328232cdc006d0dff410000291f000100c027ed0007dc04651f545d1a085c001100004800130100a100034d00204c00090200040066696c65304000015002b2013104d404f7050200088003032e636f6c647e590201f9069e4001ec080131d60005273100322a3100331100000b00136000a1001fdc0011000069010000000000001a001200c1007edd0020dd0040dd009edd00d6de001201bc001100007e0100000000000008805cf90100535f0100a2010000000000001b001e00000600786174747231060000c401274d0032274d00321100000d001200c100024d00244c00110000b40100000000000001", 0x1e9}], 0x0, &(0x7f0000010200)=ANY=[])
openat(r0, &(0x7f0000000040)='./file1\x00', 0x80000, 0x0)

I haven't seen this entry on the syzkaller dashboard yet;

Palash