syzbot


BUG: unable to handle kernel NULL pointer dereference in qlist_free_all

Status: auto-closed as invalid on 2020/09/17 07:42
Reported-by: syzbot+be4ab0e2bc0ecd3c428c@syzkaller.appspotmail.com
First crash: 1681d, last: 1648d
Similar bugs (12)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 BUG: unable to handle kernel NULL pointer dereference in qlist_free_all 1 1678d 1678d 0/1 auto-closed as invalid on 2020/08/18 08:06
linux-4.19 BUG: unable to handle kernel NULL pointer dereference in qlist_free_all (2) 8 1044d 1281d 0/1 auto-closed as invalid on 2022/05/13 11:55
upstream BUG: unable to handle kernel NULL pointer dereference in qlist_free_all (4) mm 8 2496d 2543d 0/28 closed as invalid on 2018/02/12 16:58
upstream BUG: unable to handle kernel NULL pointer dereference in qlist_free_all (6) ext4 syz 7 2056d 2154d 0/28 closed as dup on 2018/12/31 07:50
upstream BUG: unable to handle kernel NULL pointer dereference in qlist_free_all (7) tomoyo 7 1658d 1718d 0/28 closed as invalid on 2020/07/06 10:57
upstream BUG: unable to handle kernel NULL pointer dereference in qlist_free_all (2) kernel 1 2573d 2573d 0/28 closed as invalid on 2017/11/09 10:06
upstream BUG: unable to handle kernel NULL pointer dereference in qlist_free_all (8) kvm 11 1512d 1535d 0/28 auto-closed as invalid on 2021/01/30 15:56
upstream BUG: unable to handle kernel NULL pointer dereference in qlist_free_all fs 1 2608d 2608d 0/28 closed as invalid on 2017/10/18 09:51
upstream BUG: unable to handle kernel paging request in qlist_free_all (7) kernel 20 1085d 1306d 0/28 auto-closed as invalid on 2022/03/03 13:56
linux-4.14 BUG: unable to handle kernel NULL pointer dereference in qlist_free_all (2) 3 1288d 1313d 0/1 auto-closed as invalid on 2021/09/12 03:17
upstream BUG: unable to handle kernel NULL pointer dereference in qlist_free_all (5) fs 19 2402d 2459d 0/28 closed as invalid on 2018/05/26 17:43
upstream BUG: unable to handle kernel NULL pointer dereference in qlist_free_all (3) mm 8 2546d 2562d 0/28 closed as invalid on 2017/12/05 10:45

Sample crash report:
BUG: unable to handle kernel NULL pointer dereference at 00000000000000fc
IP: qlink_to_object mm/kasan/quarantine.c:136 [inline]
IP: qlink_free mm/kasan/quarantine.c:141 [inline]
IP: qlist_free_all+0x28/0x140 mm/kasan/quarantine.c:166
PGD 0 P4D 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 28267 Comm: systemd-udevd Not tainted 4.14.181-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff88808fd5c4c0 task.stack: ffff888088060000
RIP: 0010:qlink_to_object mm/kasan/quarantine.c:136 [inline]
RIP: 0010:qlink_free mm/kasan/quarantine.c:141 [inline]
RIP: 0010:qlist_free_all+0x28/0x140 mm/kasan/quarantine.c:166
RSP: 0018:ffff888088067ca0 EFLAGS: 00010246
RAX: ffffea0000000000 RBX: ffff888000000000 RCX: ffffea000000001f
RDX: 0000000000000000 RSI: ffff88808fd5cd48 RDI: ffff888000000000
Cannot find set identified by id 0 to match
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888000000000
R13: ffff888088067cd8 R14: 0000000000000000 R15: 0000000000000286
FS:  00007f4fd622d8c0(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000fc CR3: 00000000a0841000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 quarantine_reduce+0x140/0x170 mm/kasan/quarantine.c:259
 kasan_kmalloc+0x95/0xe0 mm/kasan/kasan.c:536
 slab_post_alloc_hook mm/slab.h:442 [inline]
 slab_alloc mm/slab.c:3390 [inline]
 kmem_cache_alloc+0x114/0x770 mm/slab.c:3550
 getname_flags fs/namei.c:138 [inline]
 getname_flags+0xc8/0x560 fs/namei.c:128
 getname fs/namei.c:209 [inline]
 do_unlinkat+0x9e/0x5d0 fs/namei.c:4065
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f4fd50a20e7
RSP: 002b:00007ffc9ee1fe28 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 000055f101d17390 RCX: 00007f4fd50a20e7
RDX: 00007ffc9ee1fd00 RSI: 00007ffc9ee1fd00 RDI: 00007ffc9ee1fe30
RBP: 0000000000000afa R08: 00000000000001c0 R09: 0000000000000014
R10: 00007ffc9ee1fe00 R11: 0000000000000246 R12: 00007ffc9ee1fe30
R13: 000055f101d17390 R14: 0000000000000003 R15: 000000000000000e
Code: eb d6 90 41 57 41 56 41 55 41 54 55 53 48 8b 1f 48 85 db 0f 84 08 01 00 00 48 89 f5 49 89 fd 48 85 ed 49 89 ee 0f 84 8b 00 00 00 <49> 63 86 fc 00 00 00 4c 8b 23 48 29 c3 48 83 3d b3 a6 4d 06 00 
RIP: qlink_to_object mm/kasan/quarantine.c:136 [inline] RSP: ffff888088067ca0
RIP: qlink_free mm/kasan/quarantine.c:141 [inline] RSP: ffff888088067ca0
RIP: qlist_free_all+0x28/0x140 mm/kasan/quarantine.c:166 RSP: ffff888088067ca0
CR2: 00000000000000fc
BUG: unable to handle kernel NULL pointer dereference at 00000000000000fc
IP: qlink_to_object mm/kasan/quarantine.c:136 [inline]
IP: qlink_free mm/kasan/quarantine.c:141 [inline]
IP: qlist_free_all+0x28/0x140 mm/kasan/quarantine.c:166
PGD 9560b067 P4D 9560b067 PUD 9f5d4067 PMD 0 
Oops: 0000 [#2] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 28278 Comm: syz-executor.2 Tainted: G      D         4.14.181-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff888058488280 task.stack: ffff888058060000
RIP: 0010:qlink_to_object mm/kasan/quarantine.c:136 [inline]
RIP: 0010:qlink_free mm/kasan/quarantine.c:141 [inline]
RIP: 0010:qlist_free_all+0x28/0x140 mm/kasan/quarantine.c:166
RSP: 0018:ffff8880580678f8 EFLAGS: 00010246
RAX: ffffea0000000000 RBX: ffff888000000000 RCX: ffffea000000001f
RDX: 0000000000000000 RSI: ffffffff8129cb93 RDI: ffff888000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: ffff88812fffb000 R11: ffffea0000004a20 R12: ffff888000000000
R13: ffff888058067930 R14: 0000000000000000 R15: 0000000000000286
FS:  00007f234f71c700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000fc CR3: 00000000a9201000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 quarantine_reduce+0x140/0x170 mm/kasan/quarantine.c:259
 kasan_kmalloc+0x95/0xe0 mm/kasan/kasan.c:536
 slab_post_alloc_hook mm/slab.h:442 [inline]
 slab_alloc mm/slab.c:3390 [inline]
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x145/0x7c0 mm/slab.c:3729
 kmalloc_array include/linux/slab.h:607 [inline]
 kcalloc include/linux/slab.h:618 [inline]
 iter_file_splice_write+0x143/0xa10 fs/splice.c:692
 do_splice_from fs/splice.c:851 [inline]
 direct_splice_actor+0x115/0x160 fs/splice.c:1018
 splice_direct_to_actor+0x27e/0x730 fs/splice.c:973
 do_splice_direct+0x164/0x210 fs/splice.c:1061
 do_sendfile+0x469/0xaf0 fs/read_write.c:1441
 SYSC_sendfile64 fs/read_write.c:1496 [inline]
 SyS_sendfile64+0x9b/0x110 fs/read_write.c:1488
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45ca29
RSP: 002b:00007f234f71bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00000000004fc540 RCX: 000000000045ca29
RDX: 00000000200001c0 RSI: 0000000000000006 RDI: 0000000000000006
RBP: 000000000078c0e0 R08: 0000000000000000 R09: 0000000000000000
R10: 00008080fffffffe R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000008dc R14: 00000000004cba16 R15: 00007f234f71c6d4
Code: eb d6 90 41 57 41 56 41 55 41 54 55 53 48 8b 1f 48 85 db 0f 84 08 01 00 00 48 89 f5 49 89 fd 48 85 ed 49 89 ee 0f 84 8b 00 00 00 <49> 63 86 fc 00 00 00 4c 8b 23 48 29 c3 48 83 3d b3 a6 4d 06 00 
RIP: qlink_to_object mm/kasan/quarantine.c:136 [inline] RSP: ffff8880580678f8
RIP: qlink_free mm/kasan/quarantine.c:141 [inline] RSP: ffff8880580678f8
RIP: qlist_free_all+0x28/0x140 mm/kasan/quarantine.c:166 RSP: ffff8880580678f8
CR2: 00000000000000fc
---[ end trace f3075cf6d87d9803 ]---

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/05/20 07:41 linux-4.14.y a41ba30d9df2 6d882fd2 .config console log report ci2-linux-4-14
2020/04/16 13:03 linux-4.14.y c10b57a567e4 c743fcb3 .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.