syzbot


BUG: unable to handle kernel NULL pointer dereference in get_block

Status: fixed on 2020/09/15 07:46
Reported-by: syzbot+fe13a9e814dd76a3fcfe@syzkaller.appspotmail.com
Fix commit: 954fc7da99a9 fs/minix: reject too-large maximum file size
First crash: 1710d, last: 1559d
Fix bisection: fixed by:
commit 954fc7da99a9513d5e6b3ccf38f6f7c9af5a276d
Author: Eric Biggers <ebiggers@google.com>
Date: Wed Aug 12 01:35:30 2020 +0000

  fs/minix: reject too-large maximum file size

Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 BUG: unable to handle kernel NULL pointer dereference in get_block C done 45 1563d 1710d 1/1 fixed on 2020/09/10 09:33
linux-4.14 BUG: unable to handle kernel NULL pointer dereference in get_block (2) C 1 630d 713d 0/1 upstream: reported C repro on 2022/12/09 08:52
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2020/09/13 23:21 3h15m bisect fix linux-4.19.y OK (1) job log
2020/08/14 22:54 27m bisect fix linux-4.19.y OK (0) job log log

Sample crash report:
Process accounting resumed
Process accounting resumed
attempt to access beyond end of device
Process accounting resumed
loop0: rw=1048577, want=58, limit=52
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
PGD 9ea10067 P4D 9ea10067 PUD 9ec4d067 PMD 0 
Oops: 0002 [#1] PREEMPT SMP KASAN
Buffer I/O error on dev loop0, logical block 28, lost async page write
CPU: 0 PID: 8596 Comm: syz-executor494 Not tainted 4.19.120-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:test_and_set_bit arch/x86/include/asm/bitops.h:209 [inline]
RIP: 0010:test_and_set_bit_lock arch/x86/include/asm/bitops.h:223 [inline]
RIP: 0010:trylock_buffer include/linux/buffer_head.h:367 [inline]
RIP: 0010:lock_buffer include/linux/buffer_head.h:373 [inline]
RIP: 0010:alloc_branch fs/minix/itree_common.c:88 [inline]
RIP: 0010:get_block+0x76c/0x1300 fs/minix/itree_common.c:191
Code: 00 00 49 8b bc 24 28 01 00 00 b9 08 00 00 00 e8 7a 40 bc ff 31 d2 be 74 01 00 00 48 c7 c7 20 4b 9c 87 49 89 c4 e8 14 43 4e ff <f0> 49 0f ba 2c 24 02 40 0f 92 c6 31 ff 40 88 74 24 78 e8 0d f1 6e
RSP: 0018:ffff88807e067578 EFLAGS: 00010246
attempt to access beyond end of device
RAX: 0000000000000007 RBX: ffff88807e067690 RCX: 1ffffffff1238a88
RDX: 0000000000000000 RSI: ffffffff88d929a0 RDI: ffff88807e05e5e4
RBP: ffff88807e067710 R08: ffff88807e05e5c0 R09: fffff9400041d077
R10: fffff9400041d076 R11: ffffea00020e83b7 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff88807e067640 R15: 0000000000000056
FS:  000000000204a940(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
loop0: rw=1048577, want=60, limit=52
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000860a4000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
Buffer I/O error on dev loop0, logical block 29, lost async page write
attempt to access beyond end of device
 minix_get_block+0xe5/0x110 fs/minix/inode.c:379
 __block_write_begin_int+0x480/0x17a0 fs/buffer.c:1978
loop0: rw=1048577, want=62, limit=52
 __block_write_begin fs/buffer.c:2028 [inline]
 block_write_begin+0x58/0x2e0 fs/buffer.c:2087
Buffer I/O error on dev loop0, logical block 30, lost async page write
 minix_write_begin+0x35/0xe0 fs/minix/inode.c:415
 generic_perform_write+0x1f8/0x4d0 mm/filemap.c:3162
attempt to access beyond end of device
 __generic_file_write_iter+0x24c/0x610 mm/filemap.c:3287
loop0: rw=1048577, want=64, limit=52
 generic_file_write_iter+0x37f/0x729 mm/filemap.c:3315
 call_write_iter include/linux/fs.h:1821 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x512/0x760 fs/read_write.c:487
Buffer I/O error on dev loop0, logical block 31, lost async page write
attempt to access beyond end of device
 __kernel_write+0x109/0x370 fs/read_write.c:506
 do_acct_process+0xcd8/0x10e0 kernel/acct.c:520
loop0: rw=1048577, want=66, limit=52
 acct_pin_kill+0x29/0xf0 kernel/acct.c:174
 pin_kill+0x17a/0x7e0 fs/fs_pin.c:50
Buffer I/O error on dev loop0, logical block 32, lost async page write
attempt to access beyond end of device
 acct_on+0x54b/0x760 kernel/acct.c:254
 __do_sys_acct kernel/acct.c:286 [inline]
 __se_sys_acct kernel/acct.c:273 [inline]
 __x64_sys_acct+0xab/0x1f0 kernel/acct.c:273
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
loop0: rw=1048577, want=68, limit=52
RIP: 0033:0x4489f9
Code: ed cb fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb cb fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffcab7d9288 EFLAGS: 00000246 ORIG_RAX: 00000000000000a3
Buffer I/O error on dev loop0, logical block 33, lost async page write
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004489f9
RDX: 00000000004045c0 RSI: 02a4d972d57b0154 RDI: 0000000020000480
RBP: 000000000000e56f R08: 000000000000000a R09: 00000000000003e8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000405ad0 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
attempt to access beyond end of device
CR2: 0000000000000000
---[ end trace b24a9a6fa6e67354 ]---
loop0: rw=1048577, want=70, limit=52
RIP: 0010:test_and_set_bit arch/x86/include/asm/bitops.h:209 [inline]
RIP: 0010:test_and_set_bit_lock arch/x86/include/asm/bitops.h:223 [inline]
RIP: 0010:trylock_buffer include/linux/buffer_head.h:367 [inline]
RIP: 0010:lock_buffer include/linux/buffer_head.h:373 [inline]
RIP: 0010:alloc_branch fs/minix/itree_common.c:88 [inline]
RIP: 0010:get_block+0x76c/0x1300 fs/minix/itree_common.c:191
Buffer I/O error on dev loop0, logical block 34, lost async page write
Code: 00 00 49 8b bc 24 28 01 00 00 b9 08 00 00 00 e8 7a 40 bc ff 31 d2 be 74 01 00 00 48 c7 c7 20 4b 9c 87 49 89 c4 e8 14 43 4e ff <f0> 49 0f ba 2c 24 02 40 0f 92 c6 31 ff 40 88 74 24 78 e8 0d f1 6e
attempt to access beyond end of device
RSP: 0018:ffff88807e067578 EFLAGS: 00010246
loop0: rw=1048577, want=72, limit=52
RAX: 0000000000000007 RBX: ffff88807e067690 RCX: 1ffffffff1238a88
Buffer I/O error on dev loop0, logical block 35, lost async page write
RDX: 0000000000000000 RSI: ffffffff88d929a0 RDI: ffff88807e05e5e4
attempt to access beyond end of device
RBP: ffff88807e067710 R08: ffff88807e05e5c0 R09: fffff9400041d077
loop0: rw=1048577, want=74, limit=52
attempt to access beyond end of device
loop0: rw=1048577, want=76, limit=52
attempt to access beyond end of device
R10: fffff9400041d076 R11: ffffea00020e83b7 R12: 0000000000000000
loop0: rw=1048577, want=78, limit=52
attempt to access beyond end of device
loop0: rw=1048577, want=80, limit=52
attempt to access beyond end of device
loop0: rw=1048577, want=82, limit=52
attempt to access beyond end of device
loop0: rw=1048577, want=84, limit=52
attempt to access beyond end of device
R13: dffffc0000000000 R14: ffff88807e067640 R15: 0000000000000056
loop0: rw=1048577, want=86, limit=52
FS:  000000000204a940(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
attempt to access beyond end of device
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
loop0: rw=1048577, want=88, limit=52
CR2: 00007f680e007000 CR3: 00000000860a4000 CR4: 00000000001406f0
attempt to access beyond end of device
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
loop0: rw=1048577, want=90, limit=52
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
attempt to access beyond end of device

Crashes (60):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/05/02 22:29 linux-4.19.y fdc072324f3c 58da4c35 .config console log report syz C ci2-linux-4-19
2020/03/22 09:39 linux-4.19.y 14cfdbd39e31 78267cec .config console log report syz C ci2-linux-4-19
2020/03/17 10:29 linux-4.19.y 339485c9a80f 749688d2 .config console log report syz C ci2-linux-4-19
2020/03/22 09:58 linux-4.19.y 14cfdbd39e31 78267cec .config console log report syz ci2-linux-4-19
2020/07/15 22:54 linux-4.19.y dce0f88600e4 ada108d0 .config console log report ci2-linux-4-19
2020/07/12 17:45 linux-4.19.y dce0f88600e4 115e1930 .config console log report ci2-linux-4-19
2020/07/10 18:28 linux-4.19.y dce0f88600e4 56d01184 .config console log report ci2-linux-4-19
2020/06/30 08:01 linux-4.19.y a39e75458e1c 917afeaa .config console log report ci2-linux-4-19
2020/06/22 18:46 linux-4.19.y b3a99fd385fa 1afe1535 .config console log report ci2-linux-4-19
2020/06/22 10:08 linux-4.19.y b3a99fd385fa eabcced4 .config console log report ci2-linux-4-19
2020/06/20 15:19 linux-4.19.y 3fc898571b97 c655ec77 .config console log report ci2-linux-4-19
2020/06/18 10:14 linux-4.19.y 3fc898571b97 d45a4d69 .config console log report ci2-linux-4-19
2020/06/17 19:41 linux-4.19.y 3fc898571b97 b6c46f43 .config console log report ci2-linux-4-19
2020/06/15 13:49 linux-4.19.y 3fc898571b97 8e3ab941 .config console log report ci2-linux-4-19
2020/06/15 03:26 linux-4.19.y 3fc898571b97 2a22c77a .config console log report ci2-linux-4-19
2020/06/13 08:27 linux-4.19.y 3fc898571b97 f4724dd3 .config console log report ci2-linux-4-19
2020/06/03 19:14 linux-4.19.y 4707d8e57273 a5ce5de0 .config console log report ci2-linux-4-19
2020/06/02 19:51 linux-4.19.y 2d16cf4817bc 52fd7b7d .config console log report ci2-linux-4-19
2020/06/01 12:27 linux-4.19.y 2d16cf4817bc a0331e89 .config console log report ci2-linux-4-19
2020/05/31 19:33 linux-4.19.y 2d16cf4817bc a0331e89 .config console log report ci2-linux-4-19
2020/05/29 12:21 linux-4.19.y 2d16cf4817bc d19ed305 .config console log report ci2-linux-4-19
2020/05/28 10:57 linux-4.19.y 2d16cf4817bc 9072c126 .config console log report ci2-linux-4-19
2020/05/27 15:50 linux-4.19.y 1bab61d3e8cd 9072c126 .config console log report ci2-linux-4-19
2020/05/18 17:28 linux-4.19.y 258f0cf7ac3b 24d91142 .config console log report ci2-linux-4-19
2020/05/15 02:46 linux-4.19.y 258f0cf7ac3b 2d572622 .config console log report ci2-linux-4-19
2020/05/11 22:50 linux-4.19.y 033c4ea49a4b 9eb09c40 .config console log report ci2-linux-4-19
2020/05/10 21:59 linux-4.19.y 033c4ea49a4b 8742a2b9 .config console log report ci2-linux-4-19
2020/05/07 01:52 linux-4.19.y 84920cc7fbe1 4618eb2d .config console log report ci2-linux-4-19
2020/05/04 09:27 linux-4.19.y fdc072324f3c 58ae5e18 .config console log report ci2-linux-4-19
2020/05/03 10:19 linux-4.19.y fdc072324f3c 5457883a .config console log report ci2-linux-4-19
2020/05/03 03:30 linux-4.19.y fdc072324f3c 5457883a .config console log report ci2-linux-4-19
2020/04/29 21:10 linux-4.19.y 765675379b62 ba2806db .config console log report ci2-linux-4-19
2020/04/22 11:39 linux-4.19.y 8e2406c85187 2e44d63e .config console log report ci2-linux-4-19
2020/04/16 13:34 linux-4.19.y 6dd0e32665e5 c743fcb3 .config console log report ci2-linux-4-19
2020/04/15 15:08 linux-4.19.y 6dd0e32665e5 3f3c5574 .config console log report ci2-linux-4-19
2020/04/10 21:44 linux-4.19.y dda0e2920330 a8c6a3f8 .config console log report ci2-linux-4-19
2020/04/09 22:47 linux-4.19.y dda0e2920330 a8c6a3f8 .config console log report ci2-linux-4-19
2020/04/07 16:28 linux-4.19.y dda0e2920330 99a96044 .config console log report ci2-linux-4-19
2020/04/07 05:43 linux-4.19.y dda0e2920330 99a96044 .config console log report ci2-linux-4-19
2020/04/03 18:44 linux-4.19.y dda0e2920330 5ed396e6 .config console log report ci2-linux-4-19
2020/04/01 09:59 linux-4.19.y 54b4fa6d3955 a34e2c33 .config console log report ci2-linux-4-19
2020/03/31 05:01 linux-4.19.y 54b4fa6d3955 c8d1cc20 .config console log report ci2-linux-4-19
2020/03/30 07:26 linux-4.19.y 54b4fa6d3955 05736b29 .config console log report ci2-linux-4-19
2020/03/29 21:06 linux-4.19.y 54b4fa6d3955 05736b29 .config console log report ci2-linux-4-19
2020/03/27 04:10 linux-4.19.y 54b4fa6d3955 6d25c5a0 .config console log report ci2-linux-4-19
2020/03/27 03:25 linux-4.19.y 54b4fa6d3955 6d25c5a0 .config console log report ci2-linux-4-19
2020/03/26 22:13 linux-4.19.y 54b4fa6d3955 6d25c5a0 .config console log report ci2-linux-4-19
2020/03/26 09:52 linux-4.19.y 54b4fa6d3955 e8e6c7d2 .config console log report ci2-linux-4-19
2020/03/26 00:00 linux-4.19.y 54b4fa6d3955 e8e6c7d2 .config console log report ci2-linux-4-19
2020/03/22 10:39 linux-4.19.y 14cfdbd39e31 78267cec .config console log report ci2-linux-4-19
2020/03/22 10:15 linux-4.19.y 14cfdbd39e31 78267cec .config console log report ci2-linux-4-19
2020/03/22 07:36 linux-4.19.y 14cfdbd39e31 78267cec .config console log report ci2-linux-4-19
2020/03/22 06:51 linux-4.19.y 14cfdbd39e31 78267cec .config console log report ci2-linux-4-19
2020/03/19 22:49 linux-4.19.y 93556fb211fa 2c31c529 .config console log report ci2-linux-4-19
2020/03/19 22:28 linux-4.19.y 93556fb211fa 2c31c529 .config console log report ci2-linux-4-19
2020/03/19 13:18 linux-4.19.y 93556fb211fa 2c31c529 .config console log report ci2-linux-4-19
2020/03/18 16:50 linux-4.19.y 93556fb211fa 0a96a13c .config console log report ci2-linux-4-19
2020/03/17 10:11 linux-4.19.y 339485c9a80f 749688d2 .config console log report ci2-linux-4-19
2020/03/17 10:06 linux-4.19.y 339485c9a80f 749688d2 .config console log report ci2-linux-4-19