Message-ID: <65F6AF5F-6C2A-44DE-B3DB-A447EA9D6CD4@psu.edu>
Date: Tue, 2 Dec 2025 20:04:43 +0000
From: "Bai, Shuangpeng" <SJB7183@....EDU>
To: "agruenba@...hat.com" <agruenba@...hat.com>
CC: "gfs2@...ts.linux.dev" <gfs2@...ts.linux.dev>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"syzkaller@...glegroups.com" <syzkaller@...glegroups.com>
Subject: [BUG] KASAN: null-ptr-deref in gfs2_remove_from_journal

Hi Kernel Maintainers,

Our tool found a new kernel bug. Please see the details below.

Kernel commit: v6.18
Kernel config: attachment
C/Syz reproducer: attachment

I’m happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <SJB7183@....edu>



[   88.648947][ T8723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
[   88.651126][ T8723] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[   88.652396][ T8723] CPU: 1 UID: 0 PID: 8723 Comm: a.out Not tainted 6.18.0 #6 PREEMPT(full)
[   88.653240][ T8723] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   88.654141][ T8723] RIP: 0010:gfs2_remove_from_journal (fs/gfs2/meta_io.c:359)
[   88.654770][ T8723] Code: e9 80 e1 07 80 c1 03 38 c1 7c 2c 48 89 ef e8 87 fd 3c fe eb 22 e8 60 a6 db fd 48 8b 5c 24 08 48 8d 6b 2c 48 89 e8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 6e 01 00 00 ff 45 00 48 8d 7b 18 be 08
All code
========
   0:	e9 80 e1 07 80       	jmp    0xffffffff8007e185
   5:	c1 03 38             	roll   $0x38,(%rbx)
   8:	c1 7c 2c 48 89       	sarl   $0x89,0x48(%rsp,%rbp,1)
   d:	ef                   	out    %eax,(%dx)
   e:	e8 87 fd 3c fe       	call   0xfffffffffe3cfd9a
  13:	eb 22                	jmp    0x37
  15:	e8 60 a6 db fd       	call   0xfffffffffddba67a
  1a:	48 8b 5c 24 08       	mov    0x8(%rsp),%rbx
  1f:	48 8d 6b 2c          	lea    0x2c(%rbx),%rbp
  23:	48 89 e8             	mov    %rbp,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
  2a:*	42 0f b6 04 38       	movzbl (%rax,%r15,1),%eax		<-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	0f 85 6e 01 00 00    	jne    0x1a5
  37:	ff 45 00             	incl   0x0(%rbp)
  3a:	48 8d 7b 18          	lea    0x18(%rbx),%rdi
  3e:	be                   	.byte 0xbe
  3f:	08                   	.byte 0x8

Code starting with the faulting instruction
===========================================
   0:	42 0f b6 04 38       	movzbl (%rax,%r15,1),%eax
   5:	84 c0                	test   %al,%al
   7:	0f 85 6e 01 00 00    	jne    0x17b
   d:	ff 45 00             	incl   0x0(%rbp)
  10:	48 8d 7b 18          	lea    0x18(%rbx),%rdi
  14:	be                   	.byte 0xbe
  15:	08                   	.byte 0x8
[   88.656658][ T8723] RSP: 0018:ffffc9000855f1d0 EFLAGS: 00010207
[   88.657263][ T8723] RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffff888109ee4a00
[   88.658055][ T8723] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8881232c01e0
[   88.658867][ T8723] RBP: 000000000000002c R08: ffff88816eef879f R09: 1ffff1102dddf0f3
[   88.659688][ T8723] R10: dffffc0000000000 R11: ffffed102dddf0f4 R12: ffff8881643b13f0
[   88.660499][ T8723] R13: ffff8881643b1430 R14: ffff8881232c01c0 R15: dffffc0000000000
[   88.661310][ T8723] FS:  00007f54d2ad6800(0000) GS:ffff8882c55fb000(0000) knlGS:0000000000000000
[   88.662220][ T8723] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   88.662894][ T8723] CR2: 00007f54d2cca320 CR3: 0000000122256000 CR4: 00000000000006f0
[   88.663718][ T8723] Call Trace:
[   88.664066][ T8723]  <TASK>
[   88.664377][ T8723]  gfs2_invalidate_folio (./include/linux/spinlock.h:391 fs/gfs2/aops.c:598 fs/gfs2/aops.c:631)
[   88.665533][ T8723]  truncate_cleanup_folio (mm/truncate.c:? mm/truncate.c:160)
[   88.666090][ T8723]  truncate_inode_pages_range (mm/truncate.c:?)
[   88.676542][ T8723]  gfs2_evict_inode (fs/gfs2/super.c:1440)
[   88.680291][ T8723]  evict (fs/inode.c:?)
[   88.683033][ T8723]  __dentry_kill (fs/dcache.c:?)
[   88.684995][ T8723]  dput (fs/dcache.c:912)
[   88.687047][ T8723]  __fput (fs/file_table.c:477)
[   88.723119][ T8723]  task_work_run (kernel/task_work.c:228)
[   88.724642][ T8723]  do_exit (kernel/exit.c:967)
[   88.725557][ T8723]  do_group_exit (kernel/exit.c:1086)
[   88.726036][ T8723]  get_signal (kernel/signal.c:?)
[   88.727567][ T8723]  arch_do_signal_or_restart (arch/x86/kernel/signal.c:?)
[   88.728778][ T8723]  irqentry_exit_to_user_mode (kernel/entry/common.c:42 ./include/linux/irq-entry-common.h:225 kernel/entry/common.c:73)
[   88.729356][ T8723]  asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:618)
[   88.729868][ T8723] RIP: 0033:0x7f54d2bcdf31
[   88.730329][ T8723] Code: Unable to access opcode bytes at 0x7f54d2bcdf07.
[   88.731041][ T8723] RSP: 002b:0000000000000040 EFLAGS: 00010217
[   88.731670][ T8723] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f54d2bcdf29
[   88.732482][ T8723] RDX: 0000000000000000 RSI: 0000000000000040 RDI: 0000000000000011
[   88.733294][ T8723] RBP: 00007ffd081be500 R08: 0000000000000000 R09: 0000000000000000
[   88.734104][ T8723] R10: 0000000000000000 R11: 0000000000000246 R12: 000055cd0467c460
[   88.734915][ T8723] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   88.735735][ T8723]  </TASK>
[   88.736063][ T8723] Modules linked in:
[   88.736526][ T8723] ---[ end trace 0000000000000000 ]---
[   88.737091][ T8723] RIP: 0010:gfs2_remove_from_journal (fs/gfs2/meta_io.c:359)
[   88.737744][ T8723] Code: e9 80 e1 07 80 c1 03 38 c1 7c 2c 48 89 ef e8 87 fd 3c fe eb 22 e8 60 a6 db fd 48 8b 5c 24 08 48 8d 6b 2c 48 89 e8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 6e 01 00 00 ff 45 00 48 8d 7b 18 be 08
All code
========
   0:	e9 80 e1 07 80       	jmp    0xffffffff8007e185
   5:	c1 03 38             	roll   $0x38,(%rbx)
   8:	c1 7c 2c 48 89       	sarl   $0x89,0x48(%rsp,%rbp,1)
   d:	ef                   	out    %eax,(%dx)
   e:	e8 87 fd 3c fe       	call   0xfffffffffe3cfd9a
  13:	eb 22                	jmp    0x37
  15:	e8 60 a6 db fd       	call   0xfffffffffddba67a
  1a:	48 8b 5c 24 08       	mov    0x8(%rsp),%rbx
  1f:	48 8d 6b 2c          	lea    0x2c(%rbx),%rbp
  23:	48 89 e8             	mov    %rbp,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
  2a:*	42 0f b6 04 38       	movzbl (%rax,%r15,1),%eax		<-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	0f 85 6e 01 00 00    	jne    0x1a5
  37:	ff 45 00             	incl   0x0(%rbp)
  3a:	48 8d 7b 18          	lea    0x18(%rbx),%rdi
  3e:	be                   	.byte 0xbe
  3f:	08                   	.byte 0x8

Code starting with the faulting instruction
===========================================
   0:	42 0f b6 04 38       	movzbl (%rax,%r15,1),%eax
   5:	84 c0                	test   %al,%al
   7:	0f 85 6e 01 00 00    	jne    0x17b
   d:	ff 45 00             	incl   0x0(%rbp)
  10:	48 8d 7b 18          	lea    0x18(%rbx),%rdi
  14:	be                   	.byte 0xbe
  15:	08                   	.byte 0x8
[   88.739719][ T8723] RSP: 0018:ffffc9000855f1d0 EFLAGS: 00010207
[   88.740348][ T8723] RAX: 0000000000000005 RBX: 0000000000000000 RCX: ffff888109ee4a00
[   88.741156][ T8723] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8881232c01e0
[   88.741968][ T8723] RBP: 000000000000002c R08: ffff88816eef879f R09: 1ffff1102dddf0f3
[   88.742781][ T8723] R10: dffffc0000000000 R11: ffffed102dddf0f4 R12: ffff8881643b13f0
[   88.743612][ T8723] R13: ffff8881643b1430 R14: ffff8881232c01c0 R15: dffffc0000000000
[   88.744420][ T8723] FS:  00007f54d2ad6800(0000) GS:ffff8882c55fb000(0000) knlGS:0000000000000000
[   88.745325][ T8723] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   88.745997][ T8723] CR2: 00007f54d2cca320 CR3: 0000000122256000 CR4: 00000000000006f0
[   88.746809][ T8723] note: a.out[8723] exited with preempt_count 2
[   88.747446][ T8723] Fixing recursive fault but reboot is needed!
[   88.755657][ T8723] BUG: using smp_processor_id() in preemptible [00000000] code: a.out/8723
[   88.756638][ T8723] caller is __schedule (kernel/sched/core.c:6803)
[   88.757181][ T8723] CPU: 1 UID: 0 PID: 8723 Comm: a.out Tainted: G      D             6.18.0 #6 PREEMPT(full)
[   88.757189][ T8723] Tainted: [D]=DIE
[   88.757191][ T8723] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   88.757194][ T8723] Call Trace:
[   88.757196][ T8723]  <TASK>
[   88.757198][ T8723]  dump_stack_lvl (lib/dump_stack.c:122)
[   88.757245][ T8723]  check_preemption_disabled (lib/smp_processor_id.c:?)
[   88.757251][ T8723]  __schedule (kernel/sched/core.c:6803)
[   88.757326][ T8723]  do_task_dead (kernel/sched/core.c:6951)
[   88.757333][ T8723]  make_task_dead (kernel/exit.c:1055)
[   88.757345][ T8723]  rewind_stack_and_make_dead (??:?)
[   88.757352][ T8723] RIP: 0033:0x7f54d2bcdf31
[   88.757356][ T8723] Code: Unable to access opcode bytes at 0x7f54d2bcdf07.

Code starting with the faulting instruction
===========================================
[   88.757358][ T8723] RSP: 002b:0000000000000040 EFLAGS: 00010217
[   88.757363][ T8723] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f54d2bcdf29
[   88.757366][ T8723] RDX: 0000000000000000 RSI: 0000000000000040 RDI: 0000000000000011
[   88.757369][ T8723] RBP: 00007ffd081be500 R08: 0000000000000000 R09: 0000000000000000
[   88.757372][ T8723] R10: 0000000000000000 R11: 0000000000000246 R12: 000055cd0467c460
[   88.757374][ T8723] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   88.757379][ T8723]  </TASK>
[   88.757381][ T8723] BUG: scheduling while atomic: a.out/8723/0x00000000
[   88.779784][ T8723] Modules linked in:
[   88.780188][ T8723] Preemption disabled at:
[   88.780191][ T8723] 0x0
[   88.781220][ T8723] Kernel panic - not syncing: scheduling while atomic: panic_on_warn set ...
[   88.782224][ T8723] Kernel Offset: disabled
[   88.782669][ T8723] ---[ end Kernel panic - not syncing: scheduling while atomic: panic_on_warn set ... ]---



Best,
Shuangpeng



Download attachment "ATT44994.config" of type "application/octet-stream" (270069 bytes)

Download attachment "repro.c" of type "application/octet-stream" (1118152 bytes)
