BUG: general protection fault in update_io_ticks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

We found a bug in Linux 6.10. It is probably a null pointer dereference bug.
The bug report and syzkaller reproducer are as follows:

Bug report:

Oops: general protection fault, probably for non-canonical address
0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 0 PID: 45 Comm: kworker/u4:3 Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: writeback wb_workfn (flush-8:0)
RIP: 0010:update_io_ticks+0x94/0x2c0 block/blk-core.c:992
Code: f3 f3 f3 48 89 54 24 18 4a 89 04 32 e8 75 77 59 fd 48 c1 eb 03
48 89 5c 24 08 eb 03 4c 8b 2b 49 8d 5d 28 48 89 d8 48 c1 e8 03 <42> 80
3c 30 00 74 08 48 89 df e8 6d 82 bc fd 4c 8b 3b 48 8b 44 24
RSP: 0018:ffffc9000090e620 EFLAGS: 00010206
RAX: 0000000000000005 RBX: 0000000000000028 RCX: ffff888015330000
RDX: 0000000000000000 RSI: 0000000100000845 RDI: 0000000000000000
RBP: ffffc9000090e6d8 R08: ffffffff843a8b4a R09: 1ffffffff1e48be5
R10: dffffc0000000000 R11: fffffbfff1e48be6 R12: 0000000100000845
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88801d4f2058
FS:  0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd0a027408 CR3: 00000000232cc000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 blk_account_io_start+0x189/0x2d0 block/blk-mq.c:1022
 blk_mq_bio_to_request block/blk-mq.c:2559 [inline]
 blk_mq_submit_bio+0x1043/0x1f40 block/blk-mq.c:2996
 __submit_bio+0x1bc/0x550 block/blk-core.c:627
 __submit_bio_noacct_mq block/blk-core.c:708 [inline]
 submit_bio_noacct_nocheck+0x3ed/0xc20 block/blk-core.c:737
 ext4_io_submit+0xd4/0x130 fs/ext4/page-io.c:377
 ext4_do_writepages+0x293b/0x38e0 fs/ext4/inode.c:2699
 ext4_writepages+0x20c/0x3b0 fs/ext4/inode.c:2768
 do_writepages+0x36f/0x880 mm/page-writeback.c:2656
 __writeback_single_inode+0xe2/0x660 fs/fs-writeback.c:1651
 writeback_sb_inodes+0x8ee/0x1140 fs/fs-writeback.c:1947
 __writeback_inodes_wb+0x11b/0x260 fs/fs-writeback.c:2018
 wb_writeback+0x3e7/0x750 fs/fs-writeback.c:2129
 wb_check_old_data_flush fs/fs-writeback.c:2233 [inline]
 wb_do_writeback fs/fs-writeback.c:2286 [inline]
 wb_workfn+0xa29/0xf00 fs/fs-writeback.c:2314
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0x977/0x1410 kernel/workqueue.c:3329
 worker_thread+0xaa0/0x1020 kernel/workqueue.c:3409
 kthread+0x2eb/0x380 kernel/kthread.c:389
 ret_from_fork+0x49/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:update_io_ticks+0x94/0x2c0 block/blk-core.c:992
Code: f3 f3 f3 48 89 54 24 18 4a 89 04 32 e8 75 77 59 fd 48 c1 eb 03
48 89 5c 24 08 eb 03 4c 8b 2b 49 8d 5d 28 48 89 d8 48 c1 e8 03 <42> 80
3c 30 00 74 08 48 89 df e8 6d 82 bc fd 4c 8b 3b 48 8b 44 24
RSP: 0018:ffffc9000090e620 EFLAGS: 00010206
RAX: 0000000000000005 RBX: 0000000000000028 RCX: ffff888015330000
RDX: 0000000000000000 RSI: 0000000100000845 RDI: 0000000000000000
RBP: ffffc9000090e6d8 R08: ffffffff843a8b4a R09: 1ffffffff1e48be5
R10: dffffc0000000000 R11: fffffbfff1e48be6 R12: 0000000100000845
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88801d4f2058
FS:  0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd0a027408 CR3: 00000000232cc000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0: f3 f3 f3 48 89 54 24 repz repz xrelease mov %rdx,0x18(%rsp)
   7: 18
   8: 4a 89 04 32           mov    %rax,(%rdx,%r14,1)
   c: e8 75 77 59 fd       call   0xfd597786
  11: 48 c1 eb 03           shr    $0x3,%rbx
  15: 48 89 5c 24 08       mov    %rbx,0x8(%rsp)
  1a: eb 03                 jmp    0x1f
  1c: 4c 8b 2b             mov    (%rbx),%r13
  1f: 49 8d 5d 28           lea    0x28(%r13),%rbx
  23: 48 89 d8             mov    %rbx,%rax
  26: 48 c1 e8 03           shr    $0x3,%rax
* 2a: 42 80 3c 30 00       cmpb   $0x0,(%rax,%r14,1) <-- trapping instruction
  2f: 74 08                 je     0x39
  31: 48 89 df             mov    %rbx,%rdi
  34: e8 6d 82 bc fd       call   0xfdbc82a6
  39: 4c 8b 3b             mov    (%rbx),%r15
  3c: 48                   rex.W
  3d: 8b                   .byte 0x8b
  3e: 44                   rex.R
  3f: 24                   .byte 0x24


Syzkaller reproducer:
# {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1
Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false
NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false
KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false
Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false
HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false
FaultCall:0 FaultNth:0}}
write$syz_spec_18446744072532934322_80(0xffffffffffffffff,
&(0x7f0000000000)="2b952480c7ca55097d1707935ba64b20f3026c03d658026b81bf264340512b3cb4e01afda2de754299ea7a113343ab7b9bda2fc0a2e2cdbfecbca0233a0772b12ebde5d98a1203cb871672dff7e4c86ec1dccef0a76312fbe8d45dc2bd0f8fc2ebeb2a6be6a300916c5281da2c1ef64d66267091b82429976c019da3645557ed1d439c5a637f6bf58c53bc414539dd87c69098d671402586b631f9ac5c2fe9cedc281a6f005b5c4d1dd5ed9be400",
0xb4)
r0 = syz_open_dev$sg(&(0x7f00000000c0), 0x0, 0x181040)
ioctl$syz_spec_1724254976_2866(r0, 0x1, &(0x7f0000000080)={0x0, 0x2,
[0x85, 0x8, 0x15, 0xd]})


-- 
Yours sincerely,
Xingyu





[Index of Archives]     [Linux RAID]     [Linux SCSI]     [Linux ATA RAID]     [IDE]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Device Mapper]

  Powered by Linux