syzbot


KASAN: null-ptr-deref Write in mark_buffer_dirty_inode

Status: auto-obsoleted due to no activity on 2023/06/02 15:38
Subsystems: fat
Reported-by: syzbot+6c5ed5e5e399bab41dd8@syzkaller.appspotmail.com
First crash: 447d, last: 447d
Similar bugs (3)
Kernel      Title                                                      Repro  Cause bisect  Fix bisect  Count  Last   Reported  Patched  Status
linux-6.1   general protection fault in mark_buffer_dirty_inode        -      -             -           1      5d20h  5d20h     0/3      upstream: reported on 2024/04/19 10:58
linux-4.19  general protection fault in mark_buffer_dirty_inode (2)    C      error         -           1      514d   514d      0/1      upstream: reported C repro on 2022/11/28 03:52
upstream    general protection fault in mark_buffer_dirty_inode (2) [udf]  C  -             -           32     354d   512d      22/26    fixed on 2023/06/08 14:41

Sample crash report:
==================================================================
BUG: KASAN: null-ptr-deref in atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:693 [inline]
BUG: KASAN: null-ptr-deref in queued_spin_lock include/asm-generic/qspinlock.h:78 [inline]
BUG: KASAN: null-ptr-deref in do_raw_spin_lock include/linux/spinlock.h:181 [inline]
BUG: KASAN: null-ptr-deref in __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
BUG: KASAN: null-ptr-deref in _raw_spin_lock+0x96/0x1b0 kernel/locking/spinlock.c:151
Write of size 4 at addr 000000000000008c by task syz-executor.5/1905

CPU: 1 PID: 1905 Comm: syz-executor.5 Not tainted 5.4.225-syzkaller-00029-g6a5ec6cea0cd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 __kasan_report+0xec/0x130 mm/kasan/report.c:520
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 check_memory_region_inline mm/kasan/generic.c:141 [inline]
 check_memory_region+0x298/0x2d0 mm/kasan/generic.c:191
 atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:693 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:78 [inline]
 do_raw_spin_lock include/linux/spinlock.h:181 [inline]
 __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_lock+0x96/0x1b0 kernel/locking/spinlock.c:151
 spin_lock include/linux/spinlock.h:338 [inline]
 mark_buffer_dirty_inode+0x126/0x300 fs/buffer.c:558
 fat12_ent_put+0x1a4/0x2d0 fs/fat/fatent.c:172
 fat_alloc_clusters+0x7f9/0x14f0 fs/fat/fatent.c:502
 fat_alloc_new_dir+0x19e/0xd70 fs/fat/dir.c:1148
 vfat_mkdir+0x176/0x420 fs/fat/namei_vfat.c:860
 vfs_mkdir+0x416/0x5f0 fs/namei.c:3896
 open_or_create_special_dir+0xe3/0x1c0 fs/incfs/vfs.c:459
 incfs_mount_fs+0x485/0xa00 fs/incfs/vfs.c:1818
 legacy_get_tree+0xde/0x170 fs/fs_context.c:647
 vfs_get_tree+0x85/0x260 fs/super.c:1547
 do_new_mount+0x299/0x580 fs/namespace.c:2843
 do_mount+0x6ac/0xe10 fs/namespace.c:3163
 ksys_mount+0xc2/0xf0 fs/namespace.c:3372
 __do_sys_mount fs/namespace.c:3386 [inline]
 __se_sys_mount fs/namespace.c:3383 [inline]
 __x64_sys_mount+0xb1/0xc0 fs/namespace.c:3383
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
==================================================================
BUG: kernel NULL pointer dereference, address: 000000000000008c
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 1aeec1067 P4D 1aeec1067 PUD 1e05a2067 PMD 0 
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 1905 Comm: syz-executor.5 Tainted: G    B             5.4.225-syzkaller-00029-g6a5ec6cea0cd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
RIP: 0010:arch_atomic_try_cmpxchg arch/x86/include/asm/atomic.h:200 [inline]
RIP: 0010:atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:695 [inline]
RIP: 0010:queued_spin_lock include/asm-generic/qspinlock.h:78 [inline]
RIP: 0010:do_raw_spin_lock include/linux/spinlock.h:181 [inline]
RIP: 0010:__raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
RIP: 0010:_raw_spin_lock+0xb8/0x1b0 kernel/locking/spinlock.c:151
Code: 00 00 00 e8 ea 7d 4e fd 4c 89 ff be 04 00 00 00 e8 dd 7d 4e fd 43 8a 04 26 84 c0 0f 85 a9 00 00 00 8b 44 24 20 b9 01 00 00 00 <f0> 41 0f b1 4d 00 75 33 48 c7 04 24 0e 36 e0 45 49 c7 04 1c 00 00
RSP: 0018:ffff8881b2d07360 EFLAGS: 00010297
RAX: 0000000000000000 RBX: 1ffff110365a0e6c RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff8881b2d07380
RBP: ffff8881b2d073e8 R08: dffffc0000000000 R09: 0000000000000003
R10: ffffed10365a0e71 R11: 1ffff110365a0e70 R12: dffffc0000000000
R13: 000000000000008c R14: 1ffff110365a0e70 R15: ffff8881b2d07380
FS:  00007f756d38c700(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000008c CR3: 00000001e2f4d000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 spin_lock include/linux/spinlock.h:338 [inline]
 mark_buffer_dirty_inode+0x126/0x300 fs/buffer.c:558
 fat12_ent_put+0x1a4/0x2d0 fs/fat/fatent.c:172
 fat_alloc_clusters+0x7f9/0x14f0 fs/fat/fatent.c:502
 fat_alloc_new_dir+0x19e/0xd70 fs/fat/dir.c:1148
 vfat_mkdir+0x176/0x420 fs/fat/namei_vfat.c:860
 vfs_mkdir+0x416/0x5f0 fs/namei.c:3896
 open_or_create_special_dir+0xe3/0x1c0 fs/incfs/vfs.c:459
 incfs_mount_fs+0x485/0xa00 fs/incfs/vfs.c:1818
 legacy_get_tree+0xde/0x170 fs/fs_context.c:647
 vfs_get_tree+0x85/0x260 fs/super.c:1547
 do_new_mount+0x299/0x580 fs/namespace.c:2843
 do_mount+0x6ac/0xe10 fs/namespace.c:3163
 ksys_mount+0xc2/0xf0 fs/namespace.c:3372
 __do_sys_mount fs/namespace.c:3386 [inline]
 __se_sys_mount fs/namespace.c:3383 [inline]
 __x64_sys_mount+0xb1/0xc0 fs/namespace.c:3383
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Modules linked in:
CR2: 000000000000008c
---[ end trace baa816398ab0d8c2 ]---
RIP: 0010:arch_atomic_try_cmpxchg arch/x86/include/asm/atomic.h:200 [inline]
RIP: 0010:atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:695 [inline]
RIP: 0010:queued_spin_lock include/asm-generic/qspinlock.h:78 [inline]
RIP: 0010:do_raw_spin_lock include/linux/spinlock.h:181 [inline]
RIP: 0010:__raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
RIP: 0010:_raw_spin_lock+0xb8/0x1b0 kernel/locking/spinlock.c:151
Code: 00 00 00 e8 ea 7d 4e fd 4c 89 ff be 04 00 00 00 e8 dd 7d 4e fd 43 8a 04 26 84 c0 0f 85 a9 00 00 00 8b 44 24 20 b9 01 00 00 00 <f0> 41 0f b1 4d 00 75 33 48 c7 04 24 0e 36 e0 45 49 c7 04 1c 00 00
RSP: 0018:ffff8881b2d07360 EFLAGS: 00010297
RAX: 0000000000000000 RBX: 1ffff110365a0e6c RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff8881b2d07380
RBP: ffff8881b2d073e8 R08: dffffc0000000000 R09: 0000000000000003
R10: ffffed10365a0e71 R11: 1ffff110365a0e70 R12: dffffc0000000000
R13: 000000000000008c R14: 1ffff110365a0e70 R15: ffff8881b2d07380
FS:  00007f756d38c700(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000008c CR3: 00000001e2f4d000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	00 00                	add    %al,(%rax)
   2:	e8 ea 7d 4e fd       	callq  0xfd4e7df1
   7:	4c 89 ff             	mov    %r15,%rdi
   a:	be 04 00 00 00       	mov    $0x4,%esi
   f:	e8 dd 7d 4e fd       	callq  0xfd4e7df1
  14:	43 8a 04 26          	mov    (%r14,%r12,1),%al
  18:	84 c0                	test   %al,%al
  1a:	0f 85 a9 00 00 00    	jne    0xc9
  20:	8b 44 24 20          	mov    0x20(%rsp),%eax
  24:	b9 01 00 00 00       	mov    $0x1,%ecx
* 29:	f0 41 0f b1 4d 00    	lock cmpxchg %ecx,0x0(%r13) <-- trapping instruction
  2f:	75 33                	jne    0x64
  31:	48 c7 04 24 0e 36 e0 	movq   $0x45e0360e,(%rsp)
  38:	45
  39:	49                   	rex.WB
  3a:	c7                   	.byte 0xc7
  3b:	04 1c                	add    $0x1c,%al

Crashes (1):
Time              Kernel         Commit        Syzkaller  Config   Log          Report  Syz repro  C repro  VM info  Assets  Manager                Title
2023/02/02 15:37  android12-5.4  6a5ec6cea0cd  16d19e30   .config  console log  report  -          -        info     -       ci2-android-5-4-kasan  KASAN: null-ptr-deref Write in mark_buffer_dirty_inode
* Struck through repros no longer work on HEAD.