[BUG] KASAN: null-ptr-deref in gfs2_remove_from_journal


Bai, Shuangpeng

Dec 2, 2025, 3:05:04 PM
to agru...@redhat.com, gf...@lists.linux.dev, linux-...@vger.kernel.org, syzk...@googlegroups.com
Hi Kernel Maintainers,

Our tool found a new kernel bug. Please see the details below.

Kernel commit: v6.18
Kernel config: attachment
C/Syz reproducer: attachment

I’m happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <SJB...@psu.edu>



[ 88.648947][ T8723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
[ 88.651126][ T8723] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[ 88.652396][ T8723] CPU: 1 UID: 0 PID: 8723 Comm: a.out Not tainted 6.18.0 #6 PREEMPT(full)
[ 88.653240][ T8723] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 88.654141][ T8723] RIP: 0010:gfs2_remove_from_journal (fs/gfs2/meta_io.c:359)
[ 88.654770][ T8723] Code: e9 80 e1 07 80 c1 03 38 c1 7c 2c 48 89 ef e8 87 fd 3c fe eb 22 e8 60 a6 db fd 48 8b 5c 24 08 48 8d 6b 2c 48 89 e8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 6e 01 00 00 ff 45 00 48 8d 7b 18 be 08
All code
========
0: e9 80 e1 07 80 jmp 0xffffffff8007e185
5: c1 03 38 roll $0x38,(%rbx)
8: c1 7c 2c 48 89 sarl $0x89,0x48(%rsp,%rbp,1)
d: ef out %eax,(%dx)
e: e8 87 fd 3c fe call 0xfffffffffe3cfd9a
13: eb 22 jmp 0x37
15: e8 60 a6 db fd call 0xfffffffffddba67a
1a: 48 8b 5c 24 08 mov 0x8(%rsp),%rbx
1f: 48 8d 6b 2c lea 0x2c(%rbx),%rbp
23: 48 89 e8 mov %rbp,%rax
26: 48 c1 e8 03 shr $0x3,%rax
2a:* 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 0f 85 6e 01 00 00 jne 0x1a5
37: ff 45 00 incl 0x0(%rbp)
3a: 48 8d 7b 18 lea 0x18(%rbx),%rdi
3e: be .byte 0xbe
3f: 08 .byte 0x8

Code starting with the faulting instruction
===========================================
0: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax
5: 84 c0 test %al,%al
7: 0f 85 6e 01 00 00 jne 0x17b
d: ff 45 00 incl 0x0(%rbp)
10: 48 8d 7b 18 lea 0x18(%rbx),%rdi
14: be .byte 0xbe
15: 08 .byte 0x8
[ 88.656658][ T8723] RSP: 0018:ffffc9000855f1d0 EFLAGS: 00010207
[ 88.657263][ T8723] RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffff888109ee4a00
[ 88.658055][ T8723] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8881232c01e0
[ 88.658867][ T8723] RBP: 000000000000002c R08: ffff88816eef879f R09: 1ffff1102dddf0f3
[ 88.659688][ T8723] R10: dffffc0000000000 R11: ffffed102dddf0f4 R12: ffff8881643b13f0
[ 88.660499][ T8723] R13: ffff8881643b1430 R14: ffff8881232c01c0 R15: dffffc0000000000
[ 88.661310][ T8723] FS: 00007f54d2ad6800(0000) GS:ffff8882c55fb000(0000) knlGS:0000000000000000
[ 88.662220][ T8723] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 88.662894][ T8723] CR2: 00007f54d2cca320 CR3: 0000000122256000 CR4: 00000000000006f0
[ 88.663718][ T8723] Call Trace:
[ 88.664066][ T8723] <TASK>
[ 88.664377][ T8723] gfs2_invalidate_folio (./include/linux/spinlock.h:391 fs/gfs2/aops.c:598 fs/gfs2/aops.c:631)
[ 88.665533][ T8723] truncate_cleanup_folio (mm/truncate.c:? mm/truncate.c:160)
[ 88.666090][ T8723] truncate_inode_pages_range (mm/truncate.c:?)
[ 88.676542][ T8723] gfs2_evict_inode (fs/gfs2/super.c:1440)
[ 88.680291][ T8723] evict (fs/inode.c:?)
[ 88.683033][ T8723] __dentry_kill (fs/dcache.c:?)
[ 88.684995][ T8723] dput (fs/dcache.c:912)
[ 88.687047][ T8723] __fput (fs/file_table.c:477)
[ 88.723119][ T8723] task_work_run (kernel/task_work.c:228)
[ 88.724642][ T8723] do_exit (kernel/exit.c:967)
[ 88.725557][ T8723] do_group_exit (kernel/exit.c:1086)
[ 88.726036][ T8723] get_signal (kernel/signal.c:?)
[ 88.727567][ T8723] arch_do_signal_or_restart (arch/x86/kernel/signal.c:?)
[ 88.728778][ T8723] irqentry_exit_to_user_mode (kernel/entry/common.c:42 ./include/linux/irq-entry-common.h:225 kernel/entry/common.c:73)
[ 88.729356][ T8723] asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:618)
[ 88.729868][ T8723] RIP: 0033:0x7f54d2bcdf31
[ 88.730329][ T8723] Code: Unable to access opcode bytes at 0x7f54d2bcdf07.
[ 88.731041][ T8723] RSP: 002b:0000000000000040 EFLAGS: 00010217
[ 88.731670][ T8723] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f54d2bcdf29
[ 88.732482][ T8723] RDX: 0000000000000000 RSI: 0000000000000040 RDI: 0000000000000011
[ 88.733294][ T8723] RBP: 00007ffd081be500 R08: 0000000000000000 R09: 0000000000000000
[ 88.734104][ T8723] R10: 0000000000000000 R11: 0000000000000246 R12: 000055cd0467c460
[ 88.734915][ T8723] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 88.735735][ T8723] </TASK>
[ 88.736063][ T8723] Modules linked in:
[ 88.736526][ T8723] ---[ end trace 0000000000000000 ]---
[ 88.737091][ T8723] RIP: 0010:gfs2_remove_from_journal (fs/gfs2/meta_io.c:359)
[ 88.737744][ T8723] Code: e9 80 e1 07 80 c1 03 38 c1 7c 2c 48 89 ef e8 87 fd 3c fe eb 22 e8 60 a6 db fd 48 8b 5c 24 08 48 8d 6b 2c 48 89 e8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 6e 01 00 00 ff 45 00 48 8d 7b 18 be 08
All code
========
0: e9 80 e1 07 80 jmp 0xffffffff8007e185
5: c1 03 38 roll $0x38,(%rbx)
8: c1 7c 2c 48 89 sarl $0x89,0x48(%rsp,%rbp,1)
d: ef out %eax,(%dx)
e: e8 87 fd 3c fe call 0xfffffffffe3cfd9a
13: eb 22 jmp 0x37
15: e8 60 a6 db fd call 0xfffffffffddba67a
1a: 48 8b 5c 24 08 mov 0x8(%rsp),%rbx
1f: 48 8d 6b 2c lea 0x2c(%rbx),%rbp
23: 48 89 e8 mov %rbp,%rax
26: 48 c1 e8 03 shr $0x3,%rax
2a:* 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 0f 85 6e 01 00 00 jne 0x1a5
37: ff 45 00 incl 0x0(%rbp)
3a: 48 8d 7b 18 lea 0x18(%rbx),%rdi
3e: be .byte 0xbe
3f: 08 .byte 0x8

Code starting with the faulting instruction
===========================================
0: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax
5: 84 c0 test %al,%al
7: 0f 85 6e 01 00 00 jne 0x17b
d: ff 45 00 incl 0x0(%rbp)
10: 48 8d 7b 18 lea 0x18(%rbx),%rdi
14: be .byte 0xbe
15: 08 .byte 0x8
[ 88.739719][ T8723] RSP: 0018:ffffc9000855f1d0 EFLAGS: 00010207
[ 88.740348][ T8723] RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffff888109ee4a00
[ 88.741156][ T8723] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8881232c01e0
[ 88.741968][ T8723] RBP: 000000000000002c R08: ffff88816eef879f R09: 1ffff1102dddf0f3
[ 88.742781][ T8723] R10: dffffc0000000000 R11: ffffed102dddf0f4 R12: ffff8881643b13f0
[ 88.743612][ T8723] R13: ffff8881643b1430 R14: ffff8881232c01c0 R15: dffffc0000000000
[ 88.744420][ T8723] FS: 00007f54d2ad6800(0000) GS:ffff8882c55fb000(0000) knlGS:0000000000000000
[ 88.745325][ T8723] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 88.745997][ T8723] CR2: 00007f54d2cca320 CR3: 0000000122256000 CR4: 00000000000006f0
[ 88.746809][ T8723] note: a.out[8723] exited with preempt_count 2
[ 88.747446][ T8723] Fixing recursive fault but reboot is needed!
[ 88.755657][ T8723] BUG: using smp_processor_id() in preemptible [00000000] code: a.out/8723
[ 88.756638][ T8723] caller is __schedule (kernel/sched/core.c:6803)
[ 88.757181][ T8723] CPU: 1 UID: 0 PID: 8723 Comm: a.out Tainted: G D 6.18.0 #6 PREEMPT(full)
[ 88.757189][ T8723] Tainted: [D]=DIE
[ 88.757191][ T8723] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 88.757194][ T8723] Call Trace:
[ 88.757196][ T8723] <TASK>
[ 88.757198][ T8723] dump_stack_lvl (lib/dump_stack.c:122)
[ 88.757245][ T8723] check_preemption_disabled (lib/smp_processor_id.c:?)
[ 88.757251][ T8723] __schedule (kernel/sched/core.c:6803)
[ 88.757326][ T8723] do_task_dead (kernel/sched/core.c:6951)
[ 88.757333][ T8723] make_task_dead (kernel/exit.c:1055)
[ 88.757345][ T8723] rewind_stack_and_make_dead (??:?)
[ 88.757352][ T8723] RIP: 0033:0x7f54d2bcdf31
[ 88.757356][ T8723] Code: Unable to access opcode bytes at 0x7f54d2bcdf07.

Code starting with the faulting instruction
===========================================
[ 88.757358][ T8723] RSP: 002b:0000000000000040 EFLAGS: 00010217
[ 88.757363][ T8723] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f54d2bcdf29
[ 88.757366][ T8723] RDX: 0000000000000000 RSI: 0000000000000040 RDI: 0000000000000011
[ 88.757369][ T8723] RBP: 00007ffd081be500 R08: 0000000000000000 R09: 0000000000000000
[ 88.757372][ T8723] R10: 0000000000000000 R11: 0000000000000246 R12: 000055cd0467c460
[ 88.757374][ T8723] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 88.757379][ T8723] </TASK>
[ 88.757381][ T8723] BUG: scheduling while atomic: a.out/8723/0x00000000
[ 88.779784][ T8723] Modules linked in:
[ 88.780188][ T8723] Preemption disabled at:
[ 88.780191][ T8723] 0x0
[ 88.781220][ T8723] Kernel panic - not syncing: scheduling while atomic: panic_on_warn set ...
[ 88.782224][ T8723] Kernel Offset: disabled
[ 88.782669][ T8723] ---[ end Kernel panic - not syncing: scheduling while atomic: panic_on_warn set ... ]---



Best,
Shuangpeng


ATT44994.config
repro.c