syzbot


KASAN: null-ptr-deref Read in drm_dp_aux_dev_get_by_minor

Status: fixed on 2020/09/09 05:22
Reported-by: syzbot+0451284812d8cdb9a6a6@syzkaller.appspotmail.com
Fix commit: 954fc7da99a9 fs/minix: reject too-large maximum file size
First crash: 1627d, last: 1567d
Fix bisection: fixed by:
commit 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d
Author: Eric Biggers <ebiggers@google.com>
Date: Wed Aug 12 01:35:30 2020 +0000

  fs/minix: reject too-large maximum file size

Fix bisection attempts (3)
Created           Duration  User        Patch  Repo          Result
2020/09/06 11:03  3h40m     bisect fix         linux-4.19.y  OK (1)
2020/08/07 08:39  26m       bisect fix         linux-4.19.y  OK (0)
2020/07/08 08:15  24m       bisect fix         linux-4.19.y  OK (0)

Sample crash report:
MINIX-fs: mounting unchecked file system, running fsck is recommended
audit: type=1800 audit(1591600222.446:9): pid=6445 uid=0 auid=0 ses=5 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor477" name="file0" dev="sda1" ino=15703 res=0
==================================================================
BUG: KASAN: null-ptr-deref in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
BUG: KASAN: null-ptr-deref in refcount_add_not_zero arch/x86/include/asm/refcount.h:85 [inline]
BUG: KASAN: null-ptr-deref in refcount_inc_not_zero arch/x86/include/asm/refcount.h:107 [inline]
BUG: KASAN: null-ptr-deref in kref_get_unless_zero include/linux/kref.h:116 [inline]
BUG: KASAN: null-ptr-deref in drm_dp_aux_dev_get_by_minor+0x92/0x1f0 drivers/gpu/drm/drm_dp_aux_dev.c:63
Read of size 4 at addr 0000000000000018 by task syz-executor477/6445

CPU: 0 PID: 6445 Comm: syz-executor477 Not tainted 4.19.127-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
 kasan_report_error mm/kasan/report.c:352 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x194/0x2b9 mm/kasan/report.c:396
 atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
 refcount_add_not_zero arch/x86/include/asm/refcount.h:85 [inline]
 refcount_inc_not_zero arch/x86/include/asm/refcount.h:107 [inline]
 kref_get_unless_zero include/linux/kref.h:116 [inline]
 drm_dp_aux_dev_get_by_minor+0x92/0x1f0 drivers/gpu/drm/drm_dp_aux_dev.c:63
 auxdev_open+0x47/0xa0 drivers/gpu/drm/drm_dp_aux_dev.c:131
 chrdev_open+0x219/0x5c0 fs/char_dev.c:423
 do_dentry_open+0x4a8/0x1160 fs/open.c:796
 do_last fs/namei.c:3421 [inline]
 path_openat+0xe06/0x2eb0 fs/namei.c:3537
 do_filp_open+0x1a1/0x280 fs/namei.c:3567
 file_open_name+0x291/0x370 fs/open.c:1032
 acct_on kernel/acct.c:207 [inline]
 __do_sys_acct kernel/acct.c:286 [inline]
 __se_sys_acct+0xf2/0x930 kernel/acct.c:273
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x444ac9
Code: 0d d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db d7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd7380f348 EFLAGS: 00000246 ORIG_RAX: 00000000000000a3
RAX: ffffffffffffffda RBX: 00007ffd7380f350 RCX: 0000000000444ac9
RDX: 0000000000401470 RSI: 44eadf382f7582d4 RDI: 0000000020000480
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000400eb0
R10: 00007ffd7380f220 R11: 0000000000000246 R12: 0000000000402730
R13: 00000000004027c0 R14: 0000000000000000 R15: 0000000000000000
==================================================================

Crashes (1):
Time:       2020/06/08 07:13
Kernel:     linux-4.19.y
Commit:     106fa147d3da
Syzkaller:  7751efd0
Manager:    ci2-linux-4-19
Artifacts:  .config, console log, report, syz repro, C repro
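Reading the sample report above: the MINIX mount line and the audit record show a freshly mounted MINIX image and acct() opening a node named file0 on it; chrdev_open() dispatches to auxdev_open(), so that node is a character device whose major/minor maps to the DP AUX driver, and drm_dp_aux_dev_get_by_minor() faults while kref_get_unless_zero() reads the refcount of whatever the per-minor lookup returned. A read of size 4 at address 0x18 is the signature of a NULL base pointer plus a field offset: the lookup produced NULL for that minor and the result was passed to the kref helper without a check. Note that the bisected fix is a fs/minix change, the filesystem the reproducer mounts, which suggests it closes the image-mounting step of the reproducer rather than changing the DRM lookup itself.

The following is an added user-space model of that lookup, not the kernel's code and not part of the syzbot page, with the unchecked version beside a NULL-safe version. The struct field order is my assumption about the 4.19 driver's struct drm_dp_aux_dev, chosen so the refcount sits at offset 0x18 on x86_64 and lines up with the reported address; the fixed-size registry array stands in for the driver's IDR, and all names (aux_dev_model, model_idr_find, register_model, refcount_offset) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Model of the per-minor object. The field order is an ASSUMPTION about the
 * 4.19 driver's struct drm_dp_aux_dev made for this example; with it the
 * refcount lands at offset 0x18 on x86_64, which is the address in the KASAN
 * report ("Read of size 4 at addr 0000000000000018" = NULL + offsetof(refcount)).
 */
struct aux_dev_model {
	unsigned int index;   /* 0x00, followed by 4 bytes of padding */
	void *aux;            /* 0x08 */
	void *dev;            /* 0x10 */
	int refcount;         /* 0x18, stands in for struct kref */
};

#define MAX_MINORS 16

/* Stand-in for the driver's IDR: slot i holds the object registered at minor i. */
static struct aux_dev_model *registry[MAX_MINORS];

static struct aux_dev_model *model_idr_find(unsigned int minor)
{
	return minor < MAX_MINORS ? registry[minor] : NULL;
}

/* Model of kref_get_unless_zero(): it reads *refcount unconditionally. */
static int model_kref_get_unless_zero(int *refcount)
{
	if (*refcount == 0)
		return 0;
	(*refcount)++;
	return 1;
}

/*
 * Unchecked lookup, the pattern the trace shows: the idr_find() result goes
 * to the kref helper before anyone tests it for NULL. Never call this for an
 * unregistered minor; in the kernel that read is the reported crash.
 */
struct aux_dev_model *get_by_minor_unchecked(unsigned int minor)
{
	struct aux_dev_model *d = model_idr_find(minor);

	if (!model_kref_get_unless_zero(&d->refcount))
		d = NULL;
	return d;
}

/* Hardened lookup: an empty slot yields NULL without touching memory. */
struct aux_dev_model *get_by_minor_checked(unsigned int minor)
{
	struct aux_dev_model *d = model_idr_find(minor);

	if (!d || !model_kref_get_unless_zero(&d->refcount))
		d = NULL;
	return d;
}

/*
 * Register an object at `minor` with the given starting refcount (0 models an
 * object already in teardown). Returns 0 on success, -1 if the slot is
 * invalid or already taken.
 */
int register_model(unsigned int minor, int initial_refcount)
{
	struct aux_dev_model *d;

	if (minor >= MAX_MINORS || registry[minor])
		return -1;
	d = calloc(1, sizeof(*d));
	if (!d)
		return -1;
	d->index = minor;
	d->refcount = initial_refcount;
	registry[minor] = d;
	return 0;
}

/* Offset KASAN would report for a NULL-based read of the refcount field. */
size_t refcount_offset(void)
{
	return offsetof(struct aux_dev_model, refcount);
}

int main(void)
{
	register_model(3, 1);
	printf("refcount offset: 0x%zx\n", refcount_offset());
	printf("minor 3: %s\n", get_by_minor_checked(3) ? "found" : "absent");
	printf("minor 7: %s\n", get_by_minor_checked(7) ? "found" : "absent");
	/* get_by_minor_unchecked(7) would dereference NULL + 0x18 here. */
	return 0;
}
```

The checked variant also returns NULL for a registered object whose refcount has already dropped to zero, which is the case kref_get_unless_zero() exists to handle; the NULL test in front of it is the part the traced code path lacked.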