syzbot


BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan

Status: upstream: reported C repro on 2023/12/25 04:44
Subsystems: fs
[Documentation on labels]
Reported-by: syzbot+f9238a0a31f9b5603fef@syzkaller.appspotmail.com
First crash: 150d, last: 21h22m
Cause bisection: the cause commit could be any of (bisect log):
  d61ea1cb0095 userfaultfd: UFFD_FEATURE_WP_ASYNC
  52526ca7fdb9 fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs
  
Discussions (2)
Title Replies (including bot) Last reply
[syzbot] Monthly fs report (Mar 2024) 0 (1) 2024/03/16 12:09
[syzbot] [fs?] BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan 1 (3) 2024/01/05 02:04
Last patch testing requests (4)
Created Duration User Patch Repo Result
2024/04/12 19:15 6m retest repro upstream report log
2024/02/11 10:34 22m retest repro upstream OK log
2024/02/11 10:09 25m retest repro upstream OK log
2024/01/05 01:23 22m lizhi.xu@windriver.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 861deac3b092 OK log

Sample crash report:
8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000018 when write
[00000018] *pgd=84363003, *pmd=fe701003
Internal error: Oops: a07 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 1 PID: 2979 Comm: syz-executor164 Not tainted 6.8.0-rc5-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at pagemap_scan_init_bounce_buffer fs/proc/task_mmu.c:2400 [inline]
PC is at do_pagemap_scan+0x29c/0x6c0 fs/proc/task_mmu.c:2446
LR is at kmalloc_array include/linux/slab.h:627 [inline]
LR is at pagemap_scan_init_bounce_buffer fs/proc/task_mmu.c:2395 [inline]
LR is at do_pagemap_scan+0x268/0x6c0 fs/proc/task_mmu.c:2446
pc : [<8058c580>]    lr : [<8058c54c>]    psr: 20000013
sp : df969dc8  ip : 00000000  fp : df969eb4
r10: df969e00  r9 : 841c3000  r8 : 00000000
r7 : 00000000  r6 : 00000000  r5 : 20ffb000  r4 : 840cb600
r3 : 20ffc000  r2 : 00000000  r1 : 00000000  r0 : 00000010
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 30c5387d  Table: 84389ac0  DAC: 00000000
Register r0 information: zero-size pointer
Register r1 information: NULL pointer
Register r2 information: NULL pointer
Register r3 information: non-paged memory
Register r4 information: slab mm_struct start 840cb600 pointer offset 0 size 712
Register r5 information: non-paged memory
Register r6 information: NULL pointer
Register r7 information: NULL pointer
Register r8 information: NULL pointer
Register r9 information: slab task_struct start 841c3000 pointer offset 0 size 3072
Register r10 information: 2-page vmalloc region starting at 0xdf968000 allocated at kernel_clone+0xac/0x3c8 kernel/fork.c:2902
Register r11 information: 2-page vmalloc region starting at 0xdf968000 allocated at kernel_clone+0xac/0x3c8 kernel/fork.c:2902
Register r12 information: NULL pointer
Process syz-executor164 (pid: 2979, stack limit = 0xdf968000)
Stack: (0xdf969dc8 to 0xdf96a000)
9dc0:                   00000000 00000000 10000000 20000200 00000001 00000000
9de0: 00000000 20ffb000 00000000 00000000 00000000 00000000 00000000 00000000
9e00: 00000060 00000000 00000000 00000000 20ffb000 00000000 20ffc000 00000000
9e20: 00000000 00000000 20000140 00000000 00000000 10000000 ffffffff 00000000
9e40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9e60: 00000000 00000000 00000010 00000000 00000000 00000000 20000140 00000000
9e80: c0606610 2da1a712 df969ea4 c0606610 00000000 842923c0 20000200 842923c0
9ea0: 00000003 841c3000 df969ec4 df969eb8 8058c9cc 8058c2f0 df969fa4 df969ec8
9ec0: 80501d88 8058c9b0 df969efc 804f74f8 82ed8000 2da1a712 00000000 82ed8000
9ee0: df969f58 00000003 ffffff9c 80200288 841c3000 00000142 df969f1c df969f08
9f00: 804f74f8 804a54a4 82ed8000 df969f58 df969f54 df969f20 804e6370 804f7480
9f20: 00000002 00000000 00000006 00000100 00000001 2da1a712 ffffff9c 7ec98c18
9f40: 00000000 00000142 df969fa4 df969f58 804e678c 804e62d4 00000002 00000000
9f60: 00000000 00000000 00000000 00000000 00000002 2da1a712 00000000 ffffffff
9f80: 00000000 00000000 00000036 80200288 841c3000 00000036 00000000 df969fa8
9fa0: 80200060 80501c7c ffffffff 00000000 00000003 c0606610 20000200 00000000
9fc0: ffffffff 00000000 00000000 00000036 000f4240 00000000 00000001 00003a97
9fe0: 7ec98bf8 7ec98be8 000106ac 0002e810 00000010 00000003 00000000 00000000
Backtrace: 
[<8058c2e4>] (do_pagemap_scan) from [<8058c9cc>] (do_pagemap_cmd+0x28/0x34 fs/proc/task_mmu.c:2513)
 r10:841c3000 r9:00000003 r8:842923c0 r7:20000200 r6:842923c0 r5:00000000
 r4:c0606610
[<8058c9a4>] (do_pagemap_cmd) from [<80501d88>] (vfs_ioctl fs/ioctl.c:51 [inline])
[<8058c9a4>] (do_pagemap_cmd) from [<80501d88>] (do_vfs_ioctl fs/ioctl.c:831 [inline])
[<8058c9a4>] (do_pagemap_cmd) from [<80501d88>] (__do_sys_ioctl fs/ioctl.c:869 [inline])
[<8058c9a4>] (do_pagemap_cmd) from [<80501d88>] (sys_ioctl+0x118/0xb58 fs/ioctl.c:857)
[<80501c70>] (sys_ioctl) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:66)
Exception stack(0xdf969fa8 to 0xdf969ff0)
9fa0:                   ffffffff 00000000 00000003 c0606610 20000200 00000000
9fc0: ffffffff 00000000 00000000 00000036 000f4240 00000000 00000001 00003a97
9fe0: 7ec98bf8 7ec98be8 000106ac 0002e810
 r10:00000036 r9:841c3000 r8:80200288 r7:00000036 r6:00000000 r5:00000000
 r4:ffffffff
Code: e51b309c e51b208c e50b203c e3a02000 (e1c060f8) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	e51b309c 	ldr	r3, [fp, #-156]	@ 0xffffff64
   4:	e51b208c 	ldr	r2, [fp, #-140]	@ 0xffffff74
   8:	e50b203c 	str	r2, [fp, #-60]	@ 0xffffffc4
   c:	e3a02000 	mov	r2, #0
* 10:	e1c060f8 	strd	r6, [r0, #8] <-- trapping instruction

Crashes (26):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/02/19 18:40 upstream b401b621758e 96e91f57 .config console log report syz C [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2023/12/27 23:41 upstream fbafc3e621c3 fb427a07 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce general protection fault in do_pagemap_scan
2023/12/25 04:43 upstream 861deac3b092 fb427a07 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in do_pagemap_scan
2024/03/29 19:13 upstream 317c7bc0ef03 c52bcb23 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2024/03/25 10:41 upstream 4cece7649650 0ea90952 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2024/03/22 15:54 upstream 8e938e398669 4b6cdce6 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2024/03/18 06:12 upstream 906a93befec8 d615901c .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2024/03/17 09:27 upstream 741e9d668aa5 d615901c .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2024/03/14 05:05 upstream e5e038b7ae9d f919f202 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2024/03/03 04:09 upstream 5ad3cb0ed525 25905f5d .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2024/02/19 17:06 upstream b401b621758e 96e91f57 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2024/02/17 13:16 upstream c1ca10ceffbb 578f7538 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2024/01/28 04:42 upstream 8a696a29c690 cc4a4020 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2024/01/26 19:47 upstream ecb1b8288dc7 cc4a4020 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2024/01/22 03:18 upstream 4fbbed787267 9bd8dcda .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2024/01/20 15:26 upstream 9d64bf433c53 9bd8dcda .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2024/01/16 05:57 upstream 052d534373b7 2a7bcc7f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2024/01/09 03:49 upstream 5db8752c3b81 4c0fd4bb .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2024/01/02 22:00 upstream 610a9b8f49fb fb427a07 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2023/12/31 06:57 upstream 453f5db0619e fb427a07 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2023/12/22 01:31 upstream a4aebe936554 4f9530a3 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2023/11/18 13:35 upstream 791c8ab095f7 cb976f63 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2023/11/14 18:27 upstream 9bacdd8996c7 cb976f63 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in do_pagemap_scan
2024/01/17 10:18 upstream 052d534373b7 2a7bcc7f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce general protection fault in do_pagemap_scan
2024/01/17 05:41 upstream 052d534373b7 2a7bcc7f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce general protection fault in do_pagemap_scan
2023/12/25 04:18 upstream 861deac3b092 fb427a07 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root general protection fault in do_pagemap_scan
* Struck through repros no longer work on HEAD.