Hi,
We found a bug in Linux 6.10. It is probably a null pointer dereference bug.
The bug report and syzkaller reproducer are as follows:
Bug report:
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 0 PID: 45 Comm: kworker/u4:3 Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: writeback wb_workfn (flush-8:0)
RIP: 0010:update_io_ticks+0x94/0x2c0 block/blk-core.c:992
Code: f3 f3 f3 48 89 54 24 18 4a 89 04 32 e8 75 77 59 fd 48 c1 eb 03
48 89 5c 24 08 eb 03 4c 8b 2b 49 8d 5d 28 48 89 d8 48 c1 e8 03 <42> 80
3c 30 00 74 08 48 89 df e8 6d 82 bc fd 4c 8b 3b 48 8b 44 24
RSP: 0018:ffffc9000090e620 EFLAGS: 00010206
RAX: 0000000000000005 RBX: 0000000000000028 RCX: ffff888015330000
RDX: 0000000000000000 RSI: 0000000100000845 RDI: 0000000000000000
RBP: ffffc9000090e6d8 R08: ffffffff843a8b4a R09: 1ffffffff1e48be5
R10: dffffc0000000000 R11: fffffbfff1e48be6 R12: 0000000100000845
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88801d4f2058
FS: 0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd0a027408 CR3: 00000000232cc000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
blk_account_io_start+0x189/0x2d0 block/blk-mq.c:1022
blk_mq_bio_to_request block/blk-mq.c:2559 [inline]
blk_mq_submit_bio+0x1043/0x1f40 block/blk-mq.c:2996
__submit_bio+0x1bc/0x550 block/blk-core.c:627
__submit_bio_noacct_mq block/blk-core.c:708 [inline]
submit_bio_noacct_nocheck+0x3ed/0xc20 block/blk-core.c:737
ext4_io_submit+0xd4/0x130 fs/ext4/page-io.c:377
ext4_do_writepages+0x293b/0x38e0 fs/ext4/inode.c:2699
ext4_writepages+0x20c/0x3b0 fs/ext4/inode.c:2768
do_writepages+0x36f/0x880 mm/page-writeback.c:2656
__writeback_single_inode+0xe2/0x660 fs/fs-writeback.c:1651
writeback_sb_inodes+0x8ee/0x1140 fs/fs-writeback.c:1947
__writeback_inodes_wb+0x11b/0x260 fs/fs-writeback.c:2018
wb_writeback+0x3e7/0x750 fs/fs-writeback.c:2129
wb_check_old_data_flush fs/fs-writeback.c:2233 [inline]
wb_do_writeback fs/fs-writeback.c:2286 [inline]
wb_workfn+0xa29/0xf00 fs/fs-writeback.c:2314
process_one_work kernel/workqueue.c:3248 [inline]
process_scheduled_works+0x977/0x1410 kernel/workqueue.c:3329
worker_thread+0xaa0/0x1020 kernel/workqueue.c:3409
kthread+0x2eb/0x380 kernel/kthread.c:389
ret_from_fork+0x49/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:update_io_ticks+0x94/0x2c0 block/blk-core.c:992
Code: f3 f3 f3 48 89 54 24 18 4a 89 04 32 e8 75 77 59 fd 48 c1 eb 03
48 89 5c 24 08 eb 03 4c 8b 2b 49 8d 5d 28 48 89 d8 48 c1 e8 03 <42> 80
3c 30 00 74 08 48 89 df e8 6d 82 bc fd 4c 8b 3b 48 8b 44 24
RSP: 0018:ffffc9000090e620 EFLAGS: 00010206
RAX: 0000000000000005 RBX: 0000000000000028 RCX: ffff888015330000
RDX: 0000000000000000 RSI: 0000000100000845 RDI: 0000000000000000
RBP: ffffc9000090e6d8 R08: ffffffff843a8b4a R09: 1ffffffff1e48be5
R10: dffffc0000000000 R11: fffffbfff1e48be6 R12: 0000000100000845
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88801d4f2058
FS: 0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd0a027408 CR3: 00000000232cc000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: f3 f3 f3 48 89 54 24 repz repz xrelease mov %rdx,0x18(%rsp)
7: 18
8: 4a 89 04 32 mov %rax,(%rdx,%r14,1)
c: e8 75 77 59 fd call 0xfd597786
11: 48 c1 eb 03 shr $0x3,%rbx
15: 48 89 5c 24 08 mov %rbx,0x8(%rsp)
1a: eb 03 jmp 0x1f
1c: 4c 8b 2b mov (%rbx),%r13
1f: 49 8d 5d 28 lea 0x28(%r13),%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 30 00 cmpb $0x0,(%rax,%r14,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 6d 82 bc fd call 0xfdbc82a6
39: 4c 8b 3b mov (%rbx),%r15
3c: 48 rex.W
3d: 8b .byte 0x8b
3e: 44 rex.R
3f: 24 .byte 0x24
Syzkaller reproducer:
# {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1
Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false
NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false
KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false
Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false
HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false
FaultCall:0 FaultNth:0}}
write$syz_spec_18446744072532934322_80(0xffffffffffffffff,
&(0x7f0000000000)="2b952480c7ca55097d1707935ba64b20f3026c03d658026b81bf264340512b3cb4e01afda2de754299ea7a113343ab7b9bda2fc0a2e2cdbfecbca0233a0772b12ebde5d98a1203cb871672dff7e4c86ec1dccef0a76312fbe8d45dc2bd0f8fc2ebeb2a6be6a300916c5281da2c1ef64d66267091b82429976c019da3645557ed1d439c5a637f6bf58c53bc414539dd87c69098d671402586b631f9ac5c2fe9cedc281a6f005b5c4d1dd5ed9be400",
0xb4)
r0 = syz_open_dev$sg(&(0x7f00000000c0), 0x0, 0x181040)
ioctl$syz_spec_1724254976_2866(r0, 0x1, &(0x7f0000000080)={0x0, 0x2,
[0x85, 0x8, 0x15, 0xd]})
--
Yours sincerely,
Xingyu
