Hi Kernel Maintainers,

Our tool found a kernel bug: KASAN: null-ptr-deref in do_journal_end (fs/reiserfs). Please see the details below.

Kernel commit: v6.9 (commits on May 12, 2024)
Kernel config: attached (.config)
C/Syz reproducer: attached (repro.c)

We found that a similar bug was previously reported and marked as fixed (https://syzkaller.appspot.com/bug?extid=845cd8e5c47f2a125683). Our reproducer still triggers this bug on v6.9, so either that fix is incomplete or this is a different bug with the same crash signature.

From the trace, the faulting access is an 8-byte read at address 0 inside a buffer_head state test (./include/linux/buffer_head.h:149 via test_bit) called from fs/reiserfs/journal.c:4080, i.e. do_journal_end is handed a NULL struct buffer_head. It runs on the events_long workqueue (flush_old_commits -> reiserfs_sync_fs -> do_journal_end), so the crash happens in a kworker rather than in the context of the process that mounted or wrote to the filesystem. The panic below is caused by panic_on_warn being set; without it this would be a kworker oops. The attached reproducer should show whether a crafted/corrupted on-disk image is required; if so, the practical impact is a kernel crash (denial of service) on any host that mounts untrusted reiserfs media.

Please let me know if there is anything I can do to help.

Best,
Shuangpeng

[ 192.148501][ T764] ==================================================================
[ 192.150547][ T764] BUG: KASAN: null-ptr-deref in do_journal_end (./arch/x86/include/asm/bitops.h:206 ./arch/x86/include/asm/bitops.h:238 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 ./include/linux/buffer_head.h:149 fs/reiserfs/journal.c:4080)
[ 192.152011][ T764] Read of size 8 at addr 0000000000000000 by task kworker/1:2/764
[ 192.153805][ T764]
[ 192.154415][ T764] CPU: 1 PID: 764 Comm: kworker/1:2 Not tainted 6.9.0 #7
[ 192.156235][ T764] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 192.164992][ T764] Workqueue: events_long flush_old_commits
[ 192.165628][ T764] Call Trace:
[ 192.165988][ T764] <TASK>
[ 192.166319][ T764] dump_stack_lvl (lib/dump_stack.c:117)
[ 192.166865][ T764] kasan_report (mm/kasan/report.c:603)
[ 192.167325][ T764] ? do_journal_end (./arch/x86/include/asm/bitops.h:206 ./arch/x86/include/asm/bitops.h:238 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 ./include/linux/buffer_head.h:149 fs/reiserfs/journal.c:4080)
[ 192.167861][ T764] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
[ 192.168406][ T764] do_journal_end (./arch/x86/include/asm/bitops.h:206 ./arch/x86/include/asm/bitops.h:238 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 ./include/linux/buffer_head.h:149 fs/reiserfs/journal.c:4080)
[ 192.183507][ T764] ? 
__pfx_do_journal_begin_r (fs/reiserfs/journal.c:3030) [ 192.184751][ T764] ? dquot_writeback_dquots (fs/quota/dquot.c:684) [ 192.185982][ T764] ? __pfx_do_journal_end (fs/reiserfs/journal.c:3985) [ 192.187181][ T764] ? mutex_lock (./arch/x86/include/asm/atomic64_64.h:109 ./include/linux/atomic/atomic-arch-fallback.h:4296 ./include/linux/atomic/atomic-long.h:1482 ./include/linux/atomic/atomic-instrumented.h:4458 kernel/locking/mutex.c:171 kernel/locking/mutex.c:285) [ 192.188117][ T764] ? __pfx_mutex_lock (kernel/locking/mutex.c:282) [ 192.189190][ T764] ? __pfx_dquot_writeback_dquots (fs/quota/dquot.c:684) [ 192.190535][ T764] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161) [ 192.191849][ T764] reiserfs_sync_fs (fs/reiserfs/super.c:78) [ 192.192898][ T764] ? __pfx_reiserfs_sync_fs (fs/reiserfs/super.c:68) [ 192.194082][ T764] ? queue_delayed_work_on (kernel/workqueue.c:2614) [ 192.195256][ T764] flush_old_commits (fs/reiserfs/super.c:112) [ 192.196334][ T764] process_one_work (kernel/workqueue.c:3272) [ 192.197429][ T764] ? kthread_data (kernel/kthread.c:77 kernel/kthread.c:244) [ 192.198449][ T764] worker_thread (kernel/workqueue.c:3342 kernel/workqueue.c:3429) [ 192.199504][ T764] ? __kthread_parkme (kernel/kthread.c:293) [ 192.211122][ T764] ? __pfx_worker_thread (kernel/workqueue.c:3375) [ 192.212263][ T764] kthread (kernel/kthread.c:388) [ 192.213176][ T764] ? __pfx_kthread (kernel/kthread.c:341) [ 192.214213][ T764] ret_from_fork (arch/x86/kernel/process.c:153) [ 192.215220][ T764] ? __pfx_kthread (kernel/kthread.c:341) [ 192.216237][ T764] ret_from_fork_asm (arch/x86/entry/entry_64.S:257) [ 192.217289][ T764] </TASK> [ 192.217964][ T764] ================================================================== [ 192.280428][ T764] Kernel panic - not syncing: KASAN: panic_on_warn set ... 
[ 192.282215][ T764] CPU: 1 PID: 764 Comm: kworker/1:2 Not tainted 6.9.0 #7 [ 192.283805][ T764] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 192.285883][ T764] Workqueue: events_long flush_old_commits [ 192.287245][ T764] Call Trace: [ 192.288005][ T764] <TASK> [ 192.288666][ T764] dump_stack_lvl (lib/dump_stack.c:118 (discriminator 4)) [ 192.289714][ T764] panic (kernel/panic.c:348) [ 192.290641][ T764] ? __pfx_panic (kernel/panic.c:282) [ 192.291699][ T764] ? preempt_schedule_thunk (arch/x86/entry/thunk_64.S:12) [ 192.292913][ T764] ? preempt_schedule_common (./arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6927) [ 192.294145][ T764] ? check_panic_on_warn (kernel/panic.c:240) [ 192.295319][ T764] ? do_journal_end (./arch/x86/include/asm/bitops.h:206 ./arch/x86/include/asm/bitops.h:238 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 ./include/linux/buffer_head.h:149 fs/reiserfs/journal.c:4080) [ 192.296448][ T764] check_panic_on_warn (kernel/panic.c:241) [ 192.297535][ T764] end_report (mm/kasan/report.c:226) [ 192.298487][ T764] kasan_report (./arch/x86/include/asm/smap.h:56 mm/kasan/report.c:606) [ 192.299510][ T764] ? do_journal_end (./arch/x86/include/asm/bitops.h:206 ./arch/x86/include/asm/bitops.h:238 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 ./include/linux/buffer_head.h:149 fs/reiserfs/journal.c:4080) [ 192.300661][ T764] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) [ 192.301757][ T764] do_journal_end (./arch/x86/include/asm/bitops.h:206 ./arch/x86/include/asm/bitops.h:238 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 ./include/linux/buffer_head.h:149 fs/reiserfs/journal.c:4080) [ 192.302862][ T764] ? __pfx_do_journal_begin_r (fs/reiserfs/journal.c:3030) [ 192.304098][ T764] ? dquot_writeback_dquots (fs/quota/dquot.c:684) [ 192.305345][ T764] ? __pfx_do_journal_end (fs/reiserfs/journal.c:3985) [ 192.306499][ T764] ? 
mutex_lock (./arch/x86/include/asm/atomic64_64.h:109 ./include/linux/atomic/atomic-arch-fallback.h:4296 ./include/linux/atomic/atomic-long.h:1482 ./include/linux/atomic/atomic-instrumented.h:4458 kernel/locking/mutex.c:171 kernel/locking/mutex.c:285) [ 192.307484][ T764] ? __pfx_mutex_lock (kernel/locking/mutex.c:282) [ 192.308562][ T764] ? __pfx_dquot_writeback_dquots (fs/quota/dquot.c:684) [ 192.309904][ T764] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161) [ 192.311301][ T764] reiserfs_sync_fs (fs/reiserfs/super.c:78) [ 192.312447][ T764] ? __pfx_reiserfs_sync_fs (fs/reiserfs/super.c:68) [ 192.313680][ T764] ? queue_delayed_work_on (kernel/workqueue.c:2614) [ 192.314906][ T764] flush_old_commits (fs/reiserfs/super.c:112) [ 192.316037][ T764] process_one_work (kernel/workqueue.c:3272) [ 192.317185][ T764] ? kthread_data (kernel/kthread.c:77 kernel/kthread.c:244) [ 192.318223][ T764] worker_thread (kernel/workqueue.c:3342 kernel/workqueue.c:3429) [ 192.319309][ T764] ? __kthread_parkme (kernel/kthread.c:293) [ 192.320465][ T764] ? __pfx_worker_thread (kernel/workqueue.c:3375) [ 192.321625][ T764] kthread (kernel/kthread.c:388) [ 192.322564][ T764] ? __pfx_kthread (kernel/kthread.c:341) [ 192.323616][ T764] ret_from_fork (arch/x86/kernel/process.c:153) [ 192.324651][ T764] ? __pfx_kthread (kernel/kthread.c:341) [ 192.325691][ T764] ret_from_fork_asm (arch/x86/entry/entry_64.S:257) [ 192.326812][ T764] </TASK> [ 192.327649][ T764] Kernel Offset: disabled [ 192.328603][ T764] Rebooting in 86400 seconds..
Attachment:
repro.c
Description: Binary data
Attachment:
.config
Description: Binary data