Re: BUG: unable to handle kernel NULL pointer dereference in debug_check_no_obj_freed

From: Wei Chen
Date: Sat Nov 05 2022 - 06:53:13 EST


Dear Linux developers,

The bug persists in 5.15.76. Unfortunately, we do not have a reproducer either.

BUG: kernel NULL pointer dereference, address: 0000000000000038
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 10876 Comm: systemd-udevd Not tainted 5.15.76 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:__debug_check_no_obj_freed lib/debugobjects.c:983 [inline]
RIP: 0010:debug_check_no_obj_freed+0xc7/0x210 lib/debugobjects.c:1023
Code: 48 89 34 24 48 8b 3c 24 45 31 ff e8 63 d6 fc 01 48 8b 54 24 20
48 89 44 24 18 48 c7 c0 a0 a9 82 88 48 8b 04 10 48 85 c0 74 4b <48> 8b
48 18 41 83 c7 01 4c 8b 30 48 39 cb 77 2e 48 39 e9 73 29 83
RSP: 0018:ffffc9000d3dfbb8 EFLAGS: 00010002
RAX: 0000000000000020 RBX: ffff88811741d000 RCX: 0000000000000000
RDX: 0000000000099b40 RSI: ffffffff852b51d8 RDI: ffffffff888c44e8
RBP: ffff88811741e000 R08: 0000000000000000 R09: 0000000000000001
R10: ffffc9000d3dfa60 R11: 0000000000000001 R12: dead000000000122
R13: dead000000000100 R14: 0000000000000020 R15: 0000000000000003
FS: 00007f29edb2a8c0(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000038 CR3: 000000010cc24000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
free_pages_prepare mm/page_alloc.c:1345 [inline]
free_pcp_prepare+0x177/0x490 mm/page_alloc.c:1391
free_unref_page_prepare mm/page_alloc.c:3317 [inline]
free_unref_page_list+0x8a/0x660 mm/page_alloc.c:3433
release_pages+0x1d2/0x1140 mm/swap.c:963
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:242 [inline]
tlb_flush_mmu+0x60/0x1e0 mm/mmu_gather.c:249
tlb_finish_mmu+0x5f/0xb0 mm/mmu_gather.c:340
unmap_region+0x155/0x1a0 mm/mmap.c:2668
__do_munmap+0x292/0x6f0 mm/mmap.c:2899
__vm_munmap+0x96/0x180 mm/mmap.c:2922
__do_sys_munmap mm/mmap.c:2948 [inline]
__se_sys_munmap mm/mmap.c:2944 [inline]
__x64_sys_munmap+0x2a/0x30 mm/mmap.c:2944
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x34/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f29ec9a66e7
Code: c7 c0 ff ff ff ff eb 8d 48 8b 15 ac 47 2b 00 f7 d8 64 89 02 e9
5b ff ff ff 66 2e 0f 1f 84 00 00 00 00 00 b8 0b 00 00 00 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 8b 0d 81 47 2b 00 f7 d8 64 89 01 48
RSP: 002b:00007ffd3fcf6c98 EFLAGS: 00000207 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 00000000000c3c94 RCX: 00007f29ec9a66e7
RDX: 00007f29edae9000 RSI: 0000000000041000 RDI: 00007f29edae9000
RBP: 0000000000000021 R08: 0000557c1a93c0d0 R09: 0000000000000000
R10: 0000000000000210 R11: 0000000000000207 R12: 0000557c1a872ea0
R13: 0000557c1a872ef0 R14: 00007f29ed709aa4 R15: 00007f29edae9028
</TASK>
Modules linked in:
CR2: 0000000000000038
---[ end trace 850a1b705a5c4266 ]---
RIP: 0010:__debug_check_no_obj_freed lib/debugobjects.c:983 [inline]
RIP: 0010:debug_check_no_obj_freed+0xc7/0x210 lib/debugobjects.c:1023
Code: 48 89 34 24 48 8b 3c 24 45 31 ff e8 63 d6 fc 01 48 8b 54 24 20
48 89 44 24 18 48 c7 c0 a0 a9 82 88 48 8b 04 10 48 85 c0 74 4b <48> 8b
48 18 41 83 c7 01 4c 8b 30 48 39 cb 77 2e 48 39 e9 73 29 83
RSP: 0018:ffffc9000d3dfbb8 EFLAGS: 00010002

RAX: 0000000000000020 RBX: ffff88811741d000 RCX: 0000000000000000
RDX: 0000000000099b40 RSI: ffffffff852b51d8 RDI: ffffffff888c44e8
RBP: ffff88811741e000 R08: 0000000000000000 R09: 0000000000000001
R10: ffffc9000d3dfa60 R11: 0000000000000001 R12: dead000000000122
R13: dead000000000100 R14: 0000000000000020 R15: 0000000000000003
FS: 00007f29edb2a8c0(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000038 CR3: 000000010cc24000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 48 89 34 24 mov %rsi,(%rsp)
4: 48 8b 3c 24 mov (%rsp),%rdi
8: 45 31 ff xor %r15d,%r15d
b: e8 63 d6 fc 01 callq 0x1fcd673
10: 48 8b 54 24 20 mov 0x20(%rsp),%rdx
15: 48 89 44 24 18 mov %rax,0x18(%rsp)
1a: 48 c7 c0 a0 a9 82 88 mov $0xffffffff8882a9a0,%rax
21: 48 8b 04 10 mov (%rax,%rdx,1),%rax
25: 48 85 c0 test %rax,%rax
28: 74 4b je 0x75
* 2a: 48 8b 48 18 mov 0x18(%rax),%rcx <-- trapping instruction
2e: 41 83 c7 01 add $0x1,%r15d
32: 4c 8b 30 mov (%rax),%r14
35: 48 39 cb cmp %rcx,%rbx
38: 77 2e ja 0x68
3a: 48 39 e9 cmp %rbp,%rcx
3d: 73 29 jae 0x68
3f: 83 .byte 0x83

Best,
Wei

On Mon, 31 Oct 2022 at 00:43, Christophe JAILLET
<christophe.jaillet@xxxxxxxxxx> wrote:
>
> Le 30/10/2022 à 10:23, Wei Chen a écrit :
> > Dear Linux Developer,
> >
> > Recently when using our tool to fuzz kernel, the following crash was triggered:
> >
> > HEAD commit: 64570fbc14f8 Linux 5.15-rc5
>
> Hi,
>
> any reason to run your fuzzer on 5.15-rc5?
>
> We are at 5.15.76 and many things have already been fixed in the 5.15
> branch.
>
> 5.15 is also old.
>
> CJ