Re: BUG: unable to handle kernel NULL pointer dereference in fscache_free_cookie

From: Wei Chen
Date: Mon Oct 31 2022 - 10:24:24 EST


Dear Linux developers,

Here is the link to the reproducers.

C reproducer: https://drive.google.com/file/d/1g1uju2rj7ujfCGc_cWHVBhJb-vMZjWvF/view?usp=share_link
Syz reproducer:
https://drive.google.com/file/d/1g3Jy98NftOZkM_QVh0XCP5dB8kXPPMTF/view?usp=share_link

The bug persists in the latest commit, v5.15.76 (4f5365f77018). I hope
it is helpful to you.

[ 127.444408][ T6903] FAULT_INJECTION: forcing a failure.
[ 127.444408][ T6903] name fail_page_alloc, interval 1, probability
0, space 0, times 1
[ 127.448565][ T6903] CPU: 1 PID: 6903 Comm: a.out Not tainted 5.15.76 #5
[ 127.450699][ T6903] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
[ 127.454780][ T6903] Call Trace:
[ 127.455825][ T6903] <TASK>
[ 127.456776][ T6903] dump_stack_lvl+0x8d/0xcf
[ 127.458239][ T6903] should_fail+0x13c/0x160
[ 127.459641][ T6903] __alloc_pages+0x121/0x420
[ 127.461108][ T6903] alloc_pages+0x85/0x150
[ 127.462485][ T6903] new_slab+0x300/0x4e0
[ 127.463823][ T6903] ___slab_alloc+0xaac/0x1080
[ 127.465009][ T6903] ? p9_fid_create+0x26/0x1b0
[ 127.466126][ T6903] ? p9_fid_create+0x26/0x1b0
[ 127.467229][ T6903] ? __slab_alloc.isra.90+0x4f/0xb0
[ 127.468453][ T6903] __slab_alloc.isra.90+0x4f/0xb0
[ 127.469642][ T6903] ? p9_fid_create+0x26/0x1b0
[ 127.470744][ T6903] kmem_cache_alloc_trace+0x229/0x270
[ 127.472194][ T6903] p9_fid_create+0x26/0x1b0
[ 127.473459][ T6903] p9_client_attach+0x53/0x2d0
[ 127.474548][ T6903] ? v9fs_session_init+0x698/0x930
[ 127.475715][ T6903] ? v9fs_session_init+0x5ed/0x930
[ 127.476883][ T6903] v9fs_session_init+0x5ed/0x930
[ 127.478011][ T6903] ? rcu_read_lock_sched_held+0x4d/0x80
[ 127.479269][ T6903] ? trace_kmalloc+0x8c/0xe0
[ 127.480311][ T6903] ? kmem_cache_alloc_trace+0x192/0x270
[ 127.481576][ T6903] ? v9fs_mount+0x57/0x3e0
[ 127.482585][ T6903] v9fs_mount+0x57/0x3e0
[ 127.483554][ T6903] legacy_get_tree+0x2e/0x80
[ 127.484599][ T6903] vfs_get_tree+0x28/0x100
[ 127.485612][ T6903] path_mount+0x926/0xce0
[ 127.486605][ T6903] ? putname+0x83/0xa0
[ 127.487537][ T6903] do_mount+0x92/0xb0
[ 127.488449][ T6903] __x64_sys_mount+0xb0/0x120
[ 127.489517][ T6903] do_syscall_64+0x34/0xb0
[ 127.490524][ T6903] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 127.491862][ T6903] RIP: 0033:0x7ff527e9a469
[ 127.492865][ T6903] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f
1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b
4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8
64 89 01 48
[ 127.497297][ T6903] RSP: 002b:00007ff52858ada8 EFLAGS: 00000202
ORIG_RAX: 00000000000000a5
[ 127.499198][ T6903] RAX: ffffffffffffffda RBX: 0000000000000000
RCX: 00007ff527e9a469
[ 127.501005][ T6903] RDX: 00000000200002c0 RSI: 0000000020000100
RDI: 0000000000000000
[ 127.502805][ T6903] RBP: 00007ff52858ae20 R08: 00000000200007c0
R09: 0000000000000000
[ 127.504602][ T6903] R10: 0000000000000000 R11: 0000000000000202
R12: 00007ffee097c81e
[ 127.506411][ T6903] R13: 00007ffee097c81f R14: 00007ff52856b000
R15: 0000000000000003
[ 127.508219][ T6903] </TASK>
[ 127.529498][ T6908] FAULT_INJECTION: forcing a failure.
[ 127.529498][ T6908] name failslab, interval 1, probability 0, space
0, times 1
[ 127.532621][ T6908] CPU: 1 PID: 6908 Comm: a.out Not tainted 5.15.76 #5
[ 127.534188][ T6908] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
[ 127.536998][ T6908] Call Trace:
[ 127.537744][ T6908] <TASK>
[ 127.538412][ T6908] dump_stack_lvl+0x8d/0xcf
[ 127.539445][ T6908] should_fail+0x13c/0x160
[ 127.540454][ T6908] should_failslab+0x5/0x10
[ 127.541484][ T6908] slab_pre_alloc_hook.constprop.98+0x4e/0xc0
[ 127.542863][ T6908] ? fscache_alloc_cookie+0x2c1/0x330
[ 127.544086][ T6908] __kmalloc+0x64/0x240
[ 127.545038][ T6908] fscache_alloc_cookie+0x2c1/0x330
[ 127.546225][ T6908] __fscache_acquire_cookie+0xcc/0x4a0
[ 127.547475][ T6908] v9fs_cache_session_get_cookie+0x68/0x110
[ 127.548824][ T6908] v9fs_session_init+0x62c/0x930
[ 127.550014][ T6908] ? rcu_read_lock_sched_held+0x4d/0x80
[ 127.551281][ T6908] ? trace_kmalloc+0x8c/0xe0
[ 127.552327][ T6908] ? kmem_cache_alloc_trace+0x192/0x270
[ 127.553597][ T6908] ? v9fs_mount+0x57/0x3e0
[ 127.554599][ T6908] v9fs_mount+0x57/0x3e0
[ 127.555570][ T6908] legacy_get_tree+0x2e/0x80
[ 127.556617][ T6908] vfs_get_tree+0x28/0x100
[ 127.557629][ T6908] path_mount+0x926/0xce0
[ 127.558619][ T6908] ? putname+0x83/0xa0
[ 127.559550][ T6908] do_mount+0x92/0xb0
[ 127.560458][ T6908] __x64_sys_mount+0xb0/0x120
[ 127.561533][ T6908] do_syscall_64+0x34/0xb0
[ 127.562540][ T6908] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 127.563881][ T6908] RIP: 0033:0x7ff527e9a469
[ 127.564888][ T6908] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f
1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b
4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8
64 89 01 48
[ 127.569353][ T6908] RSP: 002b:00007ff528569da8 EFLAGS: 00000202
ORIG_RAX: 00000000000000a5
[ 127.571263][ T6908] RAX: ffffffffffffffda RBX: 0000000000000000
RCX: 00007ff527e9a469
[ 127.573078][ T6908] RDX: 00000000200002c0 RSI: 0000000020000100
RDI: 0000000000000000
[ 127.574889][ T6908] RBP: 00007ff528569e20 R08: 00000000200007c0
R09: 0000000000000000
[ 127.576698][ T6908] R10: 0000000000000000 R11: 0000000000000202
R12: 00007ffee097c81e
[ 127.578529][ T6908] R13: 00007ffee097c81f R14: 00007ff52854a000
R15: 0000000000000003
[ 127.580347][ T6908] </TASK>
[ 127.582306][ T6908] list_del corruption, ffff888101394720->next is NULL
[ 127.584217][ T6908] ------------[ cut here ]------------
[ 127.585496][ T6908] kernel BUG at lib/list_debug.c:50!
[ 127.586726][ T6908] invalid opcode: 0000 [#1] PREEMPT SMP
[ 127.587995][ T6908] CPU: 0 PID: 6908 Comm: a.out Not tainted 5.15.76 #5
[ 127.589552][ T6908] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
[ 127.592388][ T6908] RIP: 0010:__list_del_entry_valid+0x55/0xb0
[ 127.593770][ T6908] Code: 39 ca 74 4d 48 8b 32 48 39 fe 75 56 48 8b
50 08 48 39 f2 75 61 b8 01 00 00 00 c3 48 89 fe 48 c7 c7 40 96 3d 85
e8 f1 65 f8 01 <0f> 0b 48 89 fe 48 c7 c7 70 96 3d 85 e8 e0 65 f8 01 0f
0b 48 89 fe
[ 127.598566][ T6908] RSP: 0018:ffffc90002613c50 EFLAGS: 00010286
[ 127.599956][ T6908] RAX: 0000000000000033 RBX: ffff888101394668
RCX: 0000000000000000
[ 127.601766][ T6908] RDX: 0000000000000000 RSI: ffffffff812d935c
RDI: 00000000ffffffff
[ 127.603579][ T6908] RBP: 0000000000000079 R08: 0000000000000000
R09: 0000000000000001
[ 127.605389][ T6908] R10: 0000000000000000 R11: 0000000000000001
R12: 000000000000001f
[ 127.607234][ T6908] R13: 0000000000000000 R14: ffffffff8496d360
R15: 0000000000000000
[ 127.609062][ T6908] FS: 00007ff52856a700(0000)
GS:ffff88807dc00000(0000) knlGS:0000000000000000
[ 127.611098][ T6908] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 127.612604][ T6908] CR2: 000055d718411188 CR3: 0000000011a11000
CR4: 00000000003506f0
[ 127.614423][ T6908] DR0: 0000000000000000 DR1: 0000000000000000
DR2: 0000000000000000
[ 127.616403][ T6908] DR3: 0000000000000000 DR6: 00000000fffe0ff0
DR7: 0000000000000400
[ 127.618478][ T6908] Call Trace:
[ 127.619236][ T6908] <TASK>
[ 127.619945][ T6908] fscache_free_cookie.part.14+0x21/0xd0
[ 127.621282][ T6908] fscache_alloc_cookie+0x291/0x330
[ 127.622777][ T6908] __fscache_acquire_cookie+0xcc/0x4a0
[ 127.624490][ T6908] v9fs_cache_session_get_cookie+0x68/0x110
[ 127.626334][ T6908] v9fs_session_init+0x62c/0x930
[ 127.627869][ T6908] ? rcu_read_lock_sched_held+0x4d/0x80
[ 127.629567][ T6908] ? trace_kmalloc+0x8c/0xe0
[ 127.631022][ T6908] ? kmem_cache_alloc_trace+0x192/0x270
[ 127.632731][ T6908] ? v9fs_mount+0x57/0x3e0
[ 127.634136][ T6908] v9fs_mount+0x57/0x3e0
[ 127.635499][ T6908] legacy_get_tree+0x2e/0x80
[ 127.636928][ T6908] vfs_get_tree+0x28/0x100
[ 127.638330][ T6908] path_mount+0x926/0xce0
[ 127.639722][ T6908] ? putname+0x83/0xa0
[ 127.641030][ T6908] do_mount+0x92/0xb0
[ 127.642279][ T6908] __x64_sys_mount+0xb0/0x120
[ 127.643747][ T6908] do_syscall_64+0x34/0xb0
[ 127.645166][ T6908] entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 127.647038][ T6908] RIP: 0033:0x7ff527e9a469
[ 127.648440][ T6908] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f
1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b
4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8
64 89 01 48
[ 127.654640][ T6908] RSP: 002b:00007ff528569da8 EFLAGS: 00000202
ORIG_RAX: 00000000000000a5
[ 127.657251][ T6908] RAX: ffffffffffffffda RBX: 0000000000000000
RCX: 00007ff527e9a469
[ 127.659757][ T6908] RDX: 00000000200002c0 RSI: 0000000020000100
RDI: 0000000000000000
[ 127.662296][ T6908] RBP: 00007ff528569e20 R08: 00000000200007c0
R09: 0000000000000000
[ 127.664816][ T6908] R10: 0000000000000000 R11: 0000000000000202
R12: 00007ffee097c81e
[ 127.667345][ T6908] R13: 00007ffee097c81f R14: 00007ff52854a000
R15: 0000000000000003
[ 127.669876][ T6908] </TASK>
[ 127.670834][ T6908] Modules linked in:
[ 127.672259][ T6908] ---[ end trace c3a644b48eb3b338 ]---
[ 127.673760][ T6908] RIP: 0010:__list_del_entry_valid+0x55/0xb0
[ 127.675148][ T6908] Code: 39 ca 74 4d 48 8b 32 48 39 fe 75 56 48 8b
50 08 48 39 f2 75 61 b8 01 00 00 00 c3 48 89 fe 48 c7 c7 40 96 3d 85
e8 f1 65 f8 01 <0f> 0b 48 89 fe 48 c7 c7 70 96 3d 85 e8 e0 65 f8 01 0f
0b 48 89 fe
[ 127.679641][ T6908] RSP: 0018:ffffc90002613c50 EFLAGS: 00010286
[ 127.681037][ T6908] RAX: 0000000000000033 RBX: ffff888101394668
RCX: 0000000000000000
[ 127.682878][ T6908] RDX: 0000000000000000 RSI: ffffffff812d935c
RDI: 00000000ffffffff
[ 127.684707][ T6908] RBP: 0000000000000079 R08: 0000000000000000
R09: 0000000000000001
[ 127.686541][ T6908] R10: 0000000000000000 R11: 0000000000000001
R12: 000000000000001f
[ 127.688366][ T6908] R13: 0000000000000000 R14: ffffffff8496d360
R15: 0000000000000000
[ 127.690194][ T6908] FS: 00007ff52856a700(0000)
GS:ffff88807dc00000(0000) knlGS:0000000000000000
[ 127.692236][ T6908] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 127.693766][ T6908] CR2: 000055d718411188 CR3: 0000000011a11000
CR4: 00000000003506f0
[ 127.695610][ T6908] DR0: 0000000000000000 DR1: 0000000000000000
DR2: 0000000000000000
[ 127.697449][ T6908] DR3: 0000000000000000 DR6: 00000000fffe0ff0
DR7: 0000000000000400
[ 127.699281][ T6908] Kernel panic - not syncing: Fatal exception
[ 127.701367][ T6908] Kernel Offset: disabled
[ 127.702367][ T6908] Rebooting in 86400 seconds.

Best,
Wei

On Sun, 30 Oct 2022 at 18:32, Wei Chen <harperchen1110@xxxxxxxxx> wrote:
>
> Dear Linux Developer,
>
> Recently when using our tool to fuzz kernel, the following crash was triggered:
>
> HEAD commit: 64570fbc14f8 Linux 5.15-rc5
> git tree: upstream
> compiler: gcc 8.0.1
> console output:
> https://drive.google.com/file/d/1XbBDSFuHIAMsOAmvF0ITxNg8CEr443UB/view?usp=share_link
> kernel config: https://drive.google.com/file/d/1uDOeEYgJDcLiSOrx9W8v2bqZ6uOA_55t/view?usp=share_link
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: Wei Chen <harperchen1110@xxxxxxxxx>
>
> RBP: 000000000000004a R08: 00000000200007c0 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119bfac
> R13: 0000000000000000 R14: 000000000119bfa0 R15: 00007fffa5a71650
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 14091067 P4D 14091067 PUD 14092067 PMD 0
> Oops: 0000 [#1] PREEMPT SMP
> CPU: 1 PID: 13456 Comm: syz-executor.0 Not tainted 5.15.0-rc5 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
> RIP: 0010:__list_del_entry_valid+0x2d/0x50
> Code: 01 00 00 00 00 ad de 48 8b 07 48 8b 57 08 48 39 c8 0f 84 cd cb
> 46 02 48 b9 22 01 00 00 00 00 ad de 48 39 ca 0f 84 f0 cb 46 02 <48> 8b
> 32 48 39 fe 0f 85 d0 cb 46 02 48 8b 50 08 48 39 f2 0f 85 b5
> RSP: 0018:ffffc9000cf63c28 EFLAGS: 00010217
> RAX: 0000000000000000 RBX: ffff88800f2113d8 RCX: dead000000000122
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff88800f211490
> RBP: 0000000000000079 R08: 0000000000000000 R09: 0000000000000001
> R10: ffffffff86485018 R11: 0000000000000000 R12: 000000000000001f
> R13: 0000000000000000 R14: ffffffff8518ba40 R15: 0000000000000000
> FS: 00007f0e4932c700(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000000 CR3: 0000000014090000 CR4: 00000000003506e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> fscache_free_cookie+0x45/0x120
> fscache_alloc_cookie+0x331/0x350
> __fscache_acquire_cookie+0x132/0x620
> v9fs_cache_session_get_cookie+0x7d/0x140
> v9fs_session_init+0x798/0xac0
> v9fs_mount+0x53/0x480
> legacy_get_tree+0x2e/0x90
> vfs_get_tree+0x29/0x100
> path_mount+0x58e/0x10a0
> do_mount+0x9b/0xb0
> __x64_sys_mount+0x13a/0x150
> do_syscall_64+0x34/0xb0
> entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x4692c9
> Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f0e4932bc38 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 00007f0e4932bc80 RCX: 00000000004692c9
> RDX: 00000000200002c0 RSI: 0000000020000100 RDI: 0000000000000000
> RBP: 000000000000004a R08: 00000000200007c0 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119bfac
> R13: 0000000000000000 R14: 000000000119bfa0 R15: 00007fffa5a71650
> Modules linked in:
> CR2: 0000000000000000
> ---[ end trace 15cdfd4d79de03b8 ]---
> RIP: 0010:__list_del_entry_valid+0x2d/0x50
> Code: 01 00 00 00 00 ad de 48 8b 07 48 8b 57 08 48 39 c8 0f 84 cd cb
> 46 02 48 b9 22 01 00 00 00 00 ad de 48 39 ca 0f 84 f0 cb 46 02 <48> 8b
> 32 48 39 fe 0f 85 d0 cb 46 02 48 8b 50 08 48 39 f2 0f 85 b5
> RSP: 0018:ffffc9000cf63c28 EFLAGS: 00010217
> RAX: 0000000000000000 RBX: ffff88800f2113d8 RCX: dead000000000122
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff88800f211490
> RBP: 0000000000000079 R08: 0000000000000000 R09: 0000000000000001
> R10: ffffffff86485018 R11: 0000000000000000 R12: 000000000000001f
> R13: 0000000000000000 R14: ffffffff8518ba40 R15: 0000000000000000
> FS: 00007f0e4932c700(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000000 CR3: 0000000014090000 CR4: 00000000003506e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> ----------------
> Code disassembly (best guess):
> 0: 01 00 add %eax,(%rax)
> 2: 00 00 add %al,(%rax)
> 4: 00 ad de 48 8b 07 add %ch,0x78b48de(%rbp)
> a: 48 8b 57 08 mov 0x8(%rdi),%rdx
> e: 48 39 c8 cmp %rcx,%rax
> 11: 0f 84 cd cb 46 02 je 0x246cbe4
> 17: 48 b9 22 01 00 00 00 movabs $0xdead000000000122,%rcx
> 1e: 00 ad de
> 21: 48 39 ca cmp %rcx,%rdx
> 24: 0f 84 f0 cb 46 02 je 0x246cc1a
> * 2a: 48 8b 32 mov (%rdx),%rsi <-- trapping instruction
> 2d: 48 39 fe cmp %rdi,%rsi
> 30: 0f 85 d0 cb 46 02 jne 0x246cc06
> 36: 48 8b 50 08 mov 0x8(%rax),%rdx
> 3a: 48 39 f2 cmp %rsi,%rdx
> 3d: 0f .byte 0xf
> 3e: 85 .byte 0x85
> 3f: b5 .byte 0xb5
>
> Best,
> Wei