[syzbot] BUG: unable to handle kernel NULL pointer dereference in __lookup_slow (2)
Hello,

syzbot found the following issue on:

HEAD commit:    d93a0d43 Merge tag 'block-5.12-2021-04-02' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16519431d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=71a75beb62b62a34
dashboard link: https://syzkaller.appspot.com/bug?extid=11c49ce9d4e7896f3406
compiler:       Debian clang version 11.0.1-2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+11c49ce9d4e7896f3...@syzkaller.appspotmail.com

REISERFS (device loop4): Using r5 hash to sort names
BUG: kernel NULL pointer dereference, address:
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 6bb82067 P4D 6bb82067 PUD 6bb81067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 11072 Comm: syz-executor.4 Not tainted 5.12.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffd6.
RSP: 0018:c90008f8fa20 EFLAGS: 00010246
RAX: 113872e8 RBX: dc00 RCX: 0004
RDX: RSI: 88802e9d9490 RDI: 88807f140190
RBP: 89c39740 R08: 81c9d4de R09: fbfff200a946
R10: fbfff200a946 R11: R12:
R13: 88807f140190 R14: 111005d3b292 R15: 88802e9d9490
FS:  7f894af88700() GS:8880b9c0() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: ffd6 CR3: 6bb83000 CR4: 001506f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 __lookup_slow+0x240/0x370 fs/namei.c:1626
 lookup_one_len+0x10e/0x200 fs/namei.c:2649
 reiserfs_lookup_privroot+0x85/0x1e0 fs/reiserfs/xattr.c:980
 reiserfs_fill_super+0x2a69/0x3160 fs/reiserfs/super.c:2176
 mount_bdev+0x26c/0x3a0 fs/super.c:1367
 legacy_get_tree+0xea/0x180 fs/fs_context.c:592
 vfs_get_tree+0x86/0x270 fs/super.c:1497
 do_new_mount fs/namespace.c:2903 [inline]
 path_mount+0x188a/0x29a0 fs/namespace.c:3233
 do_mount fs/namespace.c:3246 [inline]
 __do_sys_mount fs/namespace.c:3454 [inline]
 __se_sys_mount+0x28c/0x320 fs/namespace.c:3431
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x46797a
Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:7f894af87fa8 EFLAGS: 0206 ORIG_RAX: 00a5
RAX: ffda RBX: 2200 RCX: 0046797a
RDX: 2000 RSI: 2100 RDI: 7f894af88000
RBP: 7f894af88040 R08: 7f894af88040 R09: 2000
R10: R11: 0206 R12: 2000
R13: 2100 R14: 7f894af88000 R15: 20011500
Modules linked in:
CR2:
---[ end trace a1b8dbb111baf993 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffd6.
RSP: 0018:c90008f8fa20 EFLAGS: 00010246
RAX: 113872e8 RBX: dc00 RCX: 0004
RDX: RSI: 88802e9d9490 RDI: 88807f140190
RBP: 89c39740 R08: 81c9d4de R09: fbfff200a946
R10: fbfff200a946 R11: R12:
R13: 88807f140190 R14: 111005d3b292 R15: 88802e9d9490
FS:  7f894af88700() GS:8880b9c0() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: ffd6 CR3: 6bb83000 CR4: 001506f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
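The three reports in this thread are the same crash: RIP is 0x0 and the page fault is a supervisor-mode instruction fetch on a not-present page, which is the signature of the kernel calling through a NULL function pointer (here from __lookup_slow during reiserfs mount). The following triage script is an added example, not syzbot, syzkaller or kernel code: it decodes the x86 #PF error code bits, extracts the call trace and the syscall the crash was reached through, and flags the RIP 0x0 plus instruction-fetch combination. The sample text is an excerpt copied from the report above with the register values as the archive shows them; the classification strings and the helper names are this example's own.

```python
"""Triage an x86-64 kernel oops: decode the #PF error code, extract the call
trace, and say what kind of fault it is. Added example, not syzkaller code."""
import re

# Constructed sample: excerpt of the syzbot oops quoted above, not a new crash.
SAMPLE_OOPS = """\
BUG: kernel NULL pointer dereference, address:
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 11072 Comm: syz-executor.4 Not tainted 5.12.0-rc5-syzkaller #0
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffd6.
Call Trace:
 __lookup_slow+0x240/0x370 fs/namei.c:1626
 lookup_one_len+0x10e/0x200 fs/namei.c:2649
 reiserfs_lookup_privroot+0x85/0x1e0 fs/reiserfs/xattr.c:980
 reiserfs_fill_super+0x2a69/0x3160 fs/reiserfs/super.c:2176
 mount_bdev+0x26c/0x3a0 fs/super.c:1367
 legacy_get_tree+0xea/0x180 fs/fs_context.c:592
 vfs_get_tree+0x86/0x270 fs/super.c:1497
 do_new_mount fs/namespace.c:2903 [inline]
 path_mount+0x188a/0x29a0 fs/namespace.c:3233
 do_mount fs/namespace.c:3246 [inline]
 __do_sys_mount fs/namespace.c:3454 [inline]
 __se_sys_mount+0x28c/0x320 fs/namespace.c:3431
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x46797a
Modules linked in:
"""

# x86 page-fault error code bits (Intel SDM vol. 3, "Page-Fault Exceptions").
PF_PRESENT = 1 << 0   # 0: not-present page, 1: protection violation
PF_WRITE = 1 << 1     # 0: read / instruction fetch, 1: write
PF_USER = 1 << 2      # 0: supervisor (CPL 0), 1: user mode
PF_RSVD = 1 << 3      # reserved bit set in a paging-structure entry
PF_INSTR = 1 << 4     # 1: instruction fetch (NX / SMEP style faults)

def decode_pf_error_code(code):
    """Split the #PF error code into the flags the kernel prints as prose."""
    return {
        "present": bool(code & PF_PRESENT),
        "write": bool(code & PF_WRITE),
        "user": bool(code & PF_USER),
        "reserved": bool(code & PF_RSVD),
        "instruction_fetch": bool(code & PF_INSTR),
    }

# One call-trace frame: "func+0xoff/0xsize file:line [inline]"; offset and
# file:line are optional (inline frames lack the offset, entry stubs lack the file).
FRAME_RE = re.compile(
    r"^\s*(?P<func>[A-Za-z_][\w.]*)"
    r"(?:\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+))?"
    r"(?:\s+(?P<file>[\w./-]+):(?P<line>\d+))?"
    r"(?P<inline>\s+\[inline\])?\s*$"
)
CPU_RE = re.compile(r"PID: (?P<pid>\d+) Comm: (?P<comm>\S+) "
                    r"(?:Not tainted|Tainted: \S+) (?P<kernel>\S+)")
SYSCALL_RE = re.compile(r"^__(?:do|se|x64|ia32)_sys_(?P<name>\w+)$")

def parse_oops(text):
    """Pull error code, kernel-mode RIP, task info and call trace out of an oops."""
    report = {"error_code": None, "rip": None, "pid": None, "comm": None,
              "kernel": None, "frames": []}
    in_trace = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_trace:
            m = FRAME_RE.match(raw)
            if not m:
                break                      # first non-frame line ends the trace
            report["frames"].append({
                "func": m.group("func"),
                "offset": int(m.group("off"), 16) if m.group("off") else None,
                "size": int(m.group("size"), 16) if m.group("size") else None,
                "file": m.group("file"),
                "line": int(m.group("line")) if m.group("line") else None,
                "inline": m.group("inline") is not None,
            })
            continue
        if line == "Call Trace:":
            in_trace = True
            continue
        m = re.search(r"error_code\((0x[0-9a-fA-F]+)\)", line)
        if m:
            report["error_code"] = int(m.group(1), 16)
            continue
        m = re.match(r"RIP: 0010:(\S+)$", line)    # CS 0010 = kernel code segment
        if m and report["rip"] is None:
            rip = m.group(1)
            report["rip"] = int(rip, 16) if rip.startswith("0x") else rip
            continue
        m = CPU_RE.search(line)
        if m:
            report["pid"] = int(m.group("pid"))
            report["comm"] = m.group("comm")
            report["kernel"] = m.group("kernel")
    return report

def classify(report):
    """Name the fault class from the error code and the faulting RIP."""
    pf = decode_pf_error_code(report["error_code"])
    where = "protection violation" if pf["present"] else "not-present page"
    if pf["instruction_fetch"]:
        if report["rip"] == 0 and not pf["present"]:
            return "NULL function pointer call"
        return "kernel instruction fetch, " + where
    return "kernel %s, %s" % ("write" if pf["write"] else "read", where)

def syscall_entry(report):
    """Syscall name from the innermost __do/__se/__x64_sys_* frame, if any."""
    for fr in report["frames"]:
        m = SYSCALL_RE.match(fr["func"])
        if m:
            return m.group("name")
    return None

def frames_in(report, path_prefix):
    """Functions in the trace whose source file lives under path_prefix."""
    return [fr["func"] for fr in report["frames"]
            if fr["file"] and fr["file"].startswith(path_prefix)]

def triage(text, subsystem_prefix="fs/reiserfs/"):
    r = parse_oops(text)
    return {"kind": classify(r), "kernel": r["kernel"], "comm": r["comm"],
            "caller": r["frames"][0]["func"] if r["frames"] else None,
            "syscall": syscall_entry(r),
            "subsystem_frames": frames_in(r, subsystem_prefix)}

if __name__ == "__main__":
    for k, v in triage(SAMPLE_OOPS).items():
        print("%-17s %s" % (k + ":", v))
```

Run against the excerpt it reports the kind as a NULL function pointer call, the caller as __lookup_slow, the entry syscall as mount, and the two reiserfs frames, which is the information a triager needs before deciding whether the bug is reachable from an unprivileged mount of a crafted image.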
Re: BUG: unable to handle kernel NULL pointer dereference in __lookup_slow
On Sat, Jan 9, 2021 at 8:20 AM syzbot wrote:
>
> syzbot suspects this issue was fixed by commit:
>
> commit d24396c5290ba8ab04ba505176874c4e04a2d53c
> Author: Rustam Kovhaev
> Date:   Sun Nov 1 14:09:58 2020 +
>
>     reiserfs: add check for an invalid ih_entry_count
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=111480e750
> start commit:   a68a0262 mm/madvise: remove racy mm ownership check
> git tree:       upstream
> kernel config:  https://syzkaller.appspot.com/x/.config?x=e597c2b53c984cd8
> dashboard link: https://syzkaller.appspot.com/bug?extid=3db80bbf66b88d68af9d
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1737b8a750
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1697246b50
>
> If the result looks correct, please mark the issue as fixed by replying with:
>
> #syz fix: reiserfs: add check for an invalid ih_entry_count
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Looks realistic.

#syz fix: reiserfs: add check for an invalid ih_entry_count
Re: BUG: unable to handle kernel NULL pointer dereference in __lookup_slow
syzbot suspects this issue was fixed by commit:

commit d24396c5290ba8ab04ba505176874c4e04a2d53c
Author: Rustam Kovhaev
Date:   Sun Nov 1 14:09:58 2020 +

    reiserfs: add check for an invalid ih_entry_count

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=111480e750
start commit:   a68a0262 mm/madvise: remove racy mm ownership check
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=e597c2b53c984cd8
dashboard link: https://syzkaller.appspot.com/bug?extid=3db80bbf66b88d68af9d
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1737b8a750
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1697246b50

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: reiserfs: add check for an invalid ih_entry_count

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Re: BUG: unable to handle kernel NULL pointer dereference in __lookup_slow
syzbot has found a reproducer for the following issue on:

HEAD commit:    a68a0262 mm/madvise: remove racy mm ownership check
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15b3609750
kernel config:  https://syzkaller.appspot.com/x/.config?x=e597c2b53c984cd8
dashboard link: https://syzkaller.appspot.com/bug?extid=3db80bbf66b88d68af9d
compiler:       clang version 11.0.0 (https://github.com/llvm/llvm-project.git ca2dcbd030eadbf0aa9b660efe864ff08af6e18b)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1737b8a750
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1697246b50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3db80bbf66b88d68a...@syzkaller.appspotmail.com

REISERFS (device loop0): journal params: device loop0, size 8192, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop0): checking transaction log (loop0)
REISERFS (device loop0): Using rupasov hash to sort names
REISERFS (device loop0): using 3.5.x disk format
BUG: kernel NULL pointer dereference, address:
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 1d5b1067 P4D 1d5b1067 PUD 13a4d067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8464 Comm: syz-executor889 Not tainted 5.10.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffd6.
RSP: 0018:c900015ffa10 EFLAGS: 00010246
RAX: 113857c8 RBX: dc00 RCX: 8880152c8000
RDX: RSI: 88802e27dbe8 RDI: 888034c90190
RBP: 89c2be40 R08: 81c397ee R09: fbfff1eabc57
R10: fbfff1eabc57 R11: R12:
R13: 888034c90190 R14: 111005c4fb7d R15: 88802e27dbe8
FS:  023f0880() GS:8880b9c0() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: ffd6 CR3: 12d42000 CR4: 001506f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 __lookup_slow+0x240/0x370 fs/namei.c:1544
 lookup_one_len+0x10e/0x200 fs/namei.c:2563
 reiserfs_lookup_privroot+0x85/0x1e0 fs/reiserfs/xattr.c:979
 reiserfs_fill_super+0x2a57/0x3140 fs/reiserfs/super.c:2176
 mount_bdev+0x24f/0x360 fs/super.c:1419
 legacy_get_tree+0xea/0x180 fs/fs_context.c:592
 vfs_get_tree+0x88/0x270 fs/super.c:1549
 do_new_mount fs/namespace.c:2875 [inline]
 path_mount+0x17b4/0x2a20 fs/namespace.c:3205
 do_mount fs/namespace.c:3218 [inline]
 __do_sys_mount fs/namespace.c:3426 [inline]
 __se_sys_mount+0x28c/0x320 fs/namespace.c:3403
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x44707a
Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd ad fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da ad fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:7ffc217e9828 EFLAGS: 0297 ORIG_RAX: 00a5
RAX: ffda RBX: 7ffc217e9880 RCX: 0044707a
RDX: 2000 RSI: 2100 RDI: 7ffc217e9840
RBP: 7ffc217e9840 R08: 7ffc217e9880 R09: 7ffc0015
R10: R11: 0297 R12: 0006
R13: 0004 R14: 0003 R15: 0003
Modules linked in:
CR2:
---[ end trace f20ed6d33f177882 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffd6.
RSP: 0018:c900015ffa10 EFLAGS: 00010246
RAX: 113857c8 RBX: dc00 RCX: 8880152c8000
RDX: RSI: 88802e27dbe8 RDI: 888034c90190
RBP: 89c2be40 R08: 81c397ee R09: fbfff1eabc57
R10: fbfff1eabc57 R11: R12:
R13: 888034c90190 R14: 111005c4fb7d R15: 88802e27dbe8
FS:  023f0880() GS:8880b9c0() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: ffd6 CR3: 12d42000 CR4: 001506f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
BUG: unable to handle kernel NULL pointer dereference in __lookup_slow
Hello,

syzbot found the following issue on:

HEAD commit:    7c7ec322 Merge tag 'for-linus' of git://git.kernel.org/pub..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1728977390
kernel config:  https://syzkaller.appspot.com/x/.config?x=240e2ebab67245c7
dashboard link: https://syzkaller.appspot.com/bug?extid=3db80bbf66b88d68af9d
compiler:       gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3db80bbf66b88d68a...@syzkaller.appspotmail.com

REISERFS (device loop1): Using r5 hash to sort names
REISERFS (device loop1): using 3.5.x disk format
BUG: kernel NULL pointer dereference, address:
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD a7454067 P4D a7454067 PUD 93380067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 9128 Comm: syz-executor.1 Not tainted 5.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:c90008bbf910 EFLAGS: 00010246
RAX: dc00 RBX: 192001177f25 RCX: c9000aad7000
RDX: RSI: 888085c9f330 RDI: 88804358f7e0
RBP: 889c4280 R08: 0001 R09: 8d461a7f
R10: R11: 0005f088 R12: 888085c9f330
R13: 88804358f7e0 R14: c90008bbfaa0 R15: c90008bbf948
FS:  7f6bb6cc7700() GS:8880ae40() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: ffd6 CR3: a75b9000 CR4: 001526f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 __lookup_slow+0x24c/0x480 fs/namei.c:1544
 lookup_one_len+0x163/0x190 fs/namei.c:2562
 reiserfs_lookup_privroot+0x92/0x280 fs/reiserfs/xattr.c:972
 reiserfs_fill_super+0x211b/0x2df3 fs/reiserfs/super.c:2176
 mount_bdev+0x32e/0x3f0 fs/super.c:1417
 legacy_get_tree+0x105/0x220 fs/fs_context.c:592
 vfs_get_tree+0x89/0x2f0 fs/super.c:1547
 do_new_mount fs/namespace.c:2875 [inline]
 path_mount+0x1387/0x20a0 fs/namespace.c:3192
 do_mount fs/namespace.c:3205 [inline]
 __do_sys_mount fs/namespace.c:3413 [inline]
 __se_sys_mount fs/namespace.c:3390 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3390
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x460bca
Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 dd 87 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 ba 87 fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:7f6bb6cc6a88 EFLAGS: 0202 ORIG_RAX: 00a5
RAX: ffda RBX: 7f6bb6cc6b20 RCX: 00460bca
RDX: 2000 RSI: 2100 RDI: 7f6bb6cc6ae0
RBP: 7f6bb6cc6ae0 R08: 7f6bb6cc6b20 R09: 2000
R10: 00a04850 R11: 0202 R12: 2000
R13: 2100 R14: 2200 R15: 2040
Modules linked in:
CR2:
---[ end trace 79d7e2c3db21cbd3 ]---
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:c90008bbf910 EFLAGS: 00010246
RAX: dc00 RBX: 192001177f25 RCX: c9000aad7000
RDX: RSI: 888085c9f330 RDI: 88804358f7e0
RBP: 889c4280 R08: 0001 R09: 8d461a7f
R10: R11: 0005f088 R12: 888085c9f330
R13: 88804358f7e0 R14: c90008bbfaa0 R15: c90008bbf948
FS:  7f6bb6cc7700() GS:8880ae50() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: 558411c291f8 CR3: a75b9000 CR4: 001526e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.