BUG: unable to handle kernel NULL pointer dereference in do_epoll_wait

From: Hao Sun
Date: Sat Apr 10 2021 - 23:01:26 EST


Hi

When using Healer(https://github.com/SunHao-0/healer/tree/dev) to fuzz
the Linux kernel, I found a null-ptr-deref bug in do_epoll_wait, but
I'm not sure about this.
Sorry, I do not have a reproducing program for this bug.
I hope that the stack trace information in the crash log can help you
locate the problem.

Here is the details:
commit: 3b9cdafb5358eb9f3790de2f728f765fef100731
version: linux 5.11
git tree: upstream
report:
BUG: kernel NULL pointer dereference, address: 0000000000000048
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 23043 Comm: systemd-udevd Not tainted 5.11.0+ #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:vfs_poll include/linux/poll.h:88 [inline]
RIP: 0010:ep_item_poll fs/eventpoll.c:840 [inline]
RIP: 0010:ep_send_events fs/eventpoll.c:1677 [inline]
RIP: 0010:ep_poll fs/eventpoll.c:1792 [inline]
RIP: 0010:do_epoll_wait+0x68d/0xf00 fs/eventpoll.c:2220
Code: 50 89 84 24 d0 00 00 00 48 8d 7b 28 e8 bc 0f d8 ff 48 8b 6b 28
48 c7 c0 e0 6e c6 85 48 39 c5 74 3c 48 8d 7d 48 e8 a3 0f d8 ff <4c> 8b
75 48 4d 85 f6 0f 84 3f 02 00 00 e8 f1 59 c7 ff 48 89 df 48
RSP: 0018:ffffc9000769fdc8 EFLAGS: 00010246
RAX: ffff88800d87edb8 RBX: ffff888009b0e600 RCX: 00000000000003db
RDX: 0000000000000048 RSI: 0000000000000000 RDI: 0000000000000048
RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000004f
R10: 0001ffffffffffff R11: ffff88800d87e300 R12: ffff888041f93d18
R13: ffff888041f93d68 R14: 0000000000000004 R15: ffff888041f93d20
FS: 00007f4f3e1fa8c0(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000048 CR3: 000000000e3c5000 CR4: 0000000000750ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
__do_sys_epoll_wait fs/eventpoll.c:2232 [inline]
__se_sys_epoll_wait fs/eventpoll.c:2227 [inline]
__x64_sys_epoll_wait+0xf6/0x120 fs/eventpoll.c:2227
do_syscall_64+0x39/0x80 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f4f3d07b2e3
Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00
66 90 83 3d 29 54 2b 00 00 75 13 49 89 ca b8 e8 00 00 00 0f 05 <48> 3d
01 f0 ff ff 73 34 c3 48 83 ec 08 e8 0b c2 00 00 48 89 04 24
RSP: 002b:00007fff2e5db728 EFLAGS: 00000246 ORIG_RAX: 00000000000000e8
RAX: ffffffffffffffda RBX: 00007fff2e5db7f0 RCX: 00007f4f3d07b2e3
RDX: 0000000000000004 RSI: 00007fff2e5db7f0 RDI: 0000000000000004
RBP: 00007fff2e5db8a0 R08: 00005578feaa7410 R09: 00005578fea9b855
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fff2e5db7f0
R13: 00007fff2e5db7fc R14: 0000000000000003 R15: 000000000000000e
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
CR2: 0000000000000048
---[ end trace 201f1cc113e7b051 ]---
RIP: 0010:vfs_poll include/linux/poll.h:88 [inline]
RIP: 0010:ep_item_poll fs/eventpoll.c:840 [inline]
RIP: 0010:ep_send_events fs/eventpoll.c:1677 [inline]
RIP: 0010:ep_poll fs/eventpoll.c:1792 [inline]
RIP: 0010:do_epoll_wait+0x68d/0xf00 fs/eventpoll.c:2220
Code: 50 89 84 24 d0 00 00 00 48 8d 7b 28 e8 bc 0f d8 ff 48 8b 6b 28
48 c7 c0 e0 6e c6 85 48 39 c5 74 3c 48 8d 7d 48 e8 a3 0f d8 ff <4c> 8b
75 48 4d 85 f6 0f 84 3f 02 00 00 e8 f1 59 c7 ff 48 89 df 48
RSP: 0018:ffffc9000769fdc8 EFLAGS: 00010246
RAX: ffff88800d87edb8 RBX: ffff888009b0e600 RCX: 00000000000003db
RDX: 0000000000000048 RSI: 0000000000000000 RDI: 0000000000000048
RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000004f
R10: 0001ffffffffffff R11: ffff88800d87e300 R12: ffff888041f93d18
R13: ffff888041f93d68 R14: 0000000000000004 R15: ffff888041f93d20
FS: 00007f4f3e1fa8c0(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000048 CR3: 000000000e3c5000 CR4: 0000000000750ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554