syzbot


general protection fault in utf8nlookup

Status: fixed on 2024/02/16 19:40
Subsystems: ext4
[Documentation on labels]
Reported-by: syzbot+9cf75dc581fb4307d6dd@syzkaller.appspotmail.com
Fix commit: 6f861765464f fs: Block writes to mounted block devices
First crash: 444d, last: 333d
Cause bisection: introduced by (bisect log) :
commit b81427939590450172716093dafdda8ef52e020f
Author: Eric Biggers <ebiggers@google.com>
Date: Mon Aug 14 18:29:02 2023 +0000

  ext4: remove redundant checks of s_encoding

Crash: BUG: unable to handle kernel NULL pointer dereference in utf8nlookup (log)
Repro: C syz .config
  
Fix bisection: fixed by (bisect log) :
commit 6f861765464f43a71462d52026fbddfc858239a5
Author: Jan Kara <jack@suse.cz>
Date: Wed Nov 1 17:43:10 2023 +0000

  fs: Block writes to mounted block devices

  
Discussions (2)
Title Replies (including bot) Last reply
[syzbot] [ext4?] general protection fault in utf8nlookup 2 (4) 2024/02/13 10:42
[PATCH] unicode: add s_encoding null ptr check in utf8ncursor 2 (2) 2023/09/20 19:37
Last patch testing requests (5)
Created Duration User Patch Repo Result
2024/02/08 11:46 18m retest repro upstream OK log
2024/01/05 03:22 22m retest repro upstream report log
2023/09/30 07:13 10m retest repro upstream report log
2023/09/20 10:43 16m twuufnxlz@gmail.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git e42bebf6db29 OK log
2023/09/20 07:45 9m twuufnxlz@gmail.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git e42bebf6db29 report log
Fix bisection attempts (3)
Created Duration User Patch Repo Result
2024/02/12 20:41 3h41m bisect fix upstream OK (1) job log
2023/11/30 10:22 1h14m bisect fix upstream OK (0) job log log
2023/10/30 15:49 1h46m bisect fix upstream OK (0) job log log

Sample crash report:
EXT4-fs error (device loop0): __ext4_ext_dirty:202: inode #2: comm syz-executor385: mark_inode_dirty error
general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 0 PID: 5064 Comm: syz-executor385 Not tainted 6.7.0-rc6-syzkaller-00078-ga4aebe936554 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:utf8nlookup+0x3a/0x890 fs/unicode/utf8-norm.c:306
Code: 89 fb 48 83 ec 20 48 89 54 24 10 4c 89 44 24 08 e8 8b 76 f2 fe 48 8d 7b 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 8e 07 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
RSP: 0018:ffffc900039cf958 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff88807ee5a4d8
RDX: 0000000000000003 RSI: ffffffff8294fb45 RDI: 0000000000000018
RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000080
R10: 0000000000000040 R11: ffffffff81ddf493 R12: 0000000000000000
R13: ffff88807ee5a4d8 R14: ffffc900039cfa70 R15: ffffc900039cfa70
FS:  0000555556cf8480(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000559d589bb000 CR3: 00000000774da000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 utf8byte+0x1ca/0x1390 fs/unicode/utf8-norm.c:502
 utf8_casefold+0x16c/0x230 fs/unicode/utf8-core.c:109
 ext4_fname_setup_ci_filename+0x18b/0x490 fs/ext4/namei.c:1462
 ext4_fname_prepare_lookup+0x168/0x350 fs/ext4/crypto.c:55
 ext4_lookup_entry fs/ext4/namei.c:1764 [inline]
 ext4_lookup+0x147/0x740 fs/ext4/namei.c:1839
 lookup_one_qstr_excl+0x116/0x180 fs/namei.c:1609
 filename_create+0x1ed/0x530 fs/namei.c:3876
 do_mkdirat+0xab/0x3a0 fs/namei.c:4121
 __do_sys_mkdir fs/namei.c:4149 [inline]
 __se_sys_mkdir fs/namei.c:4147 [inline]
 __x64_sys_mkdir+0xf2/0x140 fs/namei.c:4147
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fb43cf25557
Code: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe7913d128 EFLAGS: 00000286 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fb43cf25557
RDX: 0000000000000040 RSI: 00000000000001ff RDI: 0000000020000540
RBP: 00007ffe7913d1c0 R08: 00000000000000fd R09: 0000000000000000
R10: 0000000000000249 R11: 0000000000000286 R12: 0000000020000540
R13: 00000000200000c0 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:utf8nlookup+0x3a/0x890 fs/unicode/utf8-norm.c:306
Code: 89 fb 48 83 ec 20 48 89 54 24 10 4c 89 44 24 08 e8 8b 76 f2 fe 48 8d 7b 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 8e 07 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
RSP: 0018:ffffc900039cf958 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff88807ee5a4d8
RDX: 0000000000000003 RSI: ffffffff8294fb45 RDI: 0000000000000018
RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000080
R10: 0000000000000040 R11: ffffffff81ddf493 R12: 0000000000000000
R13: ffff88807ee5a4d8 R14: ffffc900039cfa70 R15: ffffc900039cfa70
FS:  0000555556cf8480(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000559d589bb000 CR3: 00000000774da000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess):
   0:	89 fb                	mov    %edi,%ebx
   2:	48 83 ec 20          	sub    $0x20,%rsp
   6:	48 89 54 24 10       	mov    %rdx,0x10(%rsp)
   b:	4c 89 44 24 08       	mov    %r8,0x8(%rsp)
  10:	e8 8b 76 f2 fe       	call   0xfef276a0
  15:	48 8d 7b 18          	lea    0x18(%rbx),%rdi
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 8e 07 00 00    	jne    0x7c2
  34:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  3b:	fc ff df
  3e:	4c                   	rex.WR
  3f:	8b                   	.byte 0x8b

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/12/21 23:41 upstream a4aebe936554 4f9530a3 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-root general protection fault in utf8nlookup
2023/09/16 05:54 upstream e42bebf6db29 0b6a67ac .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-upstream-fs general protection fault in utf8nlookup
2023/09/16 05:18 upstream e42bebf6db29 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in utf8nlookup
* Struck through repros no longer work on HEAD.