syzbot


BUG: unable to handle kernel NULL pointer dereference in __lookup_hash

Status: fixed on 2021/05/03 13:12
Reported-by: syzbot+02ba38b4eebbee8f6475@syzkaller.appspotmail.com
Fix commit: b74d5f70523a reiserfs: add check for an invalid ih_entry_count
First crash: 1283d, last: 1090d
Fix bisection: fixed by:
commit b74d5f70523a819aac71e0eee4f4b530e69e463a
Author: Rustam Kovhaev <rkovhaev@gmail.com>
Date: Sun Nov 1 14:09:58 2020 +0000

  reiserfs: add check for an invalid ih_entry_count

  
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 BUG: unable to handle kernel NULL pointer dereference in __lookup_hash (2) C 4 403d 1053d 0/1 upstream: reported C repro on 2021/05/10 10:30

Sample crash report:
reiserfs: using flush barriers
REISERFS (device loop0): journal params: device loop0, size 8192, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30
REISERFS (device loop0): checking transaction log (loop0)
REISERFS (device loop0): Using rupasov hash to sort names
REISERFS (device loop0): using 3.5.x disk format
BUG: unable to handle kernel NULL pointer dereference at           (null)
IP:           (null)
PGD a81b8067 P4D a81b8067 PUD 90da9067 PMD 0 
Oops: 0010 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 6359 Comm: syz-executor357 Not tainted 4.14.198-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880971d44c0 task.stack: ffff888095470000
RIP: 0010:          (null)
RSP: 0018:ffff888095477a30 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffffff86b6a680 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff888083a95340 RDI: ffff888082bfc748
RBP: ffff888082bfc748 R08: 0000000000000001 R09: 0000000000000002
R10: 0000000000000000 R11: ffff8880971d44c0 R12: ffff888083a95340
R13: 0000000000000000 R14: dffffc0000000000 R15: 0000000000000076
FS:  0000000001f0f880(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000008b811000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 lookup_real fs/namei.c:1555 [inline]
 __lookup_hash fs/namei.c:1575 [inline]
 __lookup_hash+0x1bb/0x270 fs/namei.c:1563
 lookup_one_len+0x279/0x3a0 fs/namei.c:2539
 reiserfs_lookup_privroot+0x92/0x270 fs/reiserfs/xattr.c:963
 reiserfs_fill_super+0x1ad8/0x28b6 fs/reiserfs/super.c:2179
 mount_bdev+0x2b3/0x360 fs/super.c:1134
 mount_fs+0x92/0x2a0 fs/super.c:1237
 vfs_kern_mount.part.0+0x5b/0x470 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2549 [inline]
 do_mount+0xe53/0x2a00 fs/namespace.c:2879
 SYSC_mount fs/namespace.c:3095 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3072
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x44707a
RSP: 002b:00007ffff47a6398 EFLAGS: 00000297 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffff47a63f0 RCX: 000000000044707a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffff47a63b0
RBP: 00007ffff47a63b0 R08: 00007ffff47a63f0 R09: 00007fff00000015
R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000006
R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
Code:  Bad RIP value.
RIP:           (null) RSP: ffff888095477a30
CR2: 0000000000000000
---[ end trace b7a965fcdd634e5d ]---

Crashes (31):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/10/13 17:21 linux-4.14.y cbfa1702aaf6 bd69ee0d .config console log report syz C ci2-linux-4-14
2021/04/02 23:56 linux-4.14.y bd634aa64163 6a81331a .config console log report info ci2-linux-4-14 BUG: unable to handle kernel NULL pointer dereference in __lookup_hash
2021/03/12 01:46 linux-4.14.y c7150cd2fa8c 429d8a6b .config console log report info ci2-linux-4-14 BUG: unable to handle kernel NULL pointer dereference in __lookup_hash
2021/03/10 13:46 linux-4.14.y 1d177c0872ab 26967e35 .config console log report info ci2-linux-4-14 BUG: unable to handle kernel NULL pointer dereference in __lookup_hash
2021/02/25 22:55 linux-4.14.y 3242aa3a635c 76f7fc95 .config console log report info ci2-linux-4-14 BUG: unable to handle kernel NULL pointer dereference in __lookup_hash
2021/02/22 14:03 linux-4.14.y 29c52025152b c26fb06b .config console log report info ci2-linux-4-14 BUG: unable to handle kernel NULL pointer dereference in __lookup_hash
2021/02/10 10:25 linux-4.14.y 2c8a3fceddf0 9c8b8541 .config console log report info ci2-linux-4-14 BUG: unable to handle kernel NULL pointer dereference in __lookup_hash
2021/01/20 17:32 linux-4.14.y 2762b48e9611 d4f4eca5 .config console log report info ci2-linux-4-14 BUG: unable to handle kernel NULL pointer dereference in __lookup_hash
2021/01/06 10:45 linux-4.14.y 1752938529c6 fff20c29 .config console log report info ci2-linux-4-14
2021/01/02 00:43 linux-4.14.y 1752938529c6 79264ae3 .config console log report info ci2-linux-4-14
2020/12/25 04:51 linux-4.14.y 3f2ecb86cb90 c2c1d1dd .config console log report info ci2-linux-4-14
2020/12/23 12:28 linux-4.14.y 3f2ecb86cb90 c2c1d1dd .config console log report info ci2-linux-4-14
2020/12/12 06:54 linux-4.14.y 3f2ecb86cb90 bca53db9 .config console log report info ci2-linux-4-14
2020/12/07 08:35 linux-4.14.y c196b3a9c83a f80ce148 .config console log report info ci2-linux-4-14
2020/11/30 11:44 linux-4.14.y 87335852c5d9 76831598 .config console log report info ci2-linux-4-14
2020/11/25 04:48 linux-4.14.y 87335852c5d9 1a1f4bd8 .config console log report info ci2-linux-4-14
2020/11/24 04:21 linux-4.14.y 0df445b0f0da 1ab681a4 .config console log report info ci2-linux-4-14
2020/11/24 03:57 linux-4.14.y 0df445b0f0da 1ab681a4 .config console log report info ci2-linux-4-14
2020/11/20 13:59 linux-4.14.y 8961076ed318 0767f13f .config console log report info ci2-linux-4-14
2020/11/17 21:55 linux-4.14.y 27ce4f2a6817 09323409 .config console log report info ci2-linux-4-14
2020/11/17 21:53 linux-4.14.y 27ce4f2a6817 09323409 .config console log report info ci2-linux-4-14
2020/11/15 20:29 linux-4.14.y 27ce4f2a6817 1bf9a662 .config console log report info ci2-linux-4-14
2020/11/10 01:23 linux-4.14.y 6b6446efedb2 cba33199 .config console log report info ci2-linux-4-14
2020/11/09 14:57 linux-4.14.y 6b6446efedb2 cba33199 .config console log report info ci2-linux-4-14
2020/10/30 10:19 linux-4.14.y 2b7915014161 a6e3ac3b .config console log report info ci2-linux-4-14
2020/10/21 12:35 linux-4.14.y 5b7a52cd2eef 99c64d5c .config console log report info ci2-linux-4-14
2020/10/13 21:54 linux-4.14.y cbfa1702aaf6 fc7735a2 .config console log report info ci2-linux-4-14
2020/10/04 09:55 linux-4.14.y cbfa1702aaf6 5ef9c291 .config console log report info ci2-linux-4-14
2020/09/28 23:42 linux-4.14.y cbfa1702aaf6 1b88c6d5 .config console log report info ci2-linux-4-14
2020/09/25 13:30 linux-4.14.y cbfa1702aaf6 4a006f63 .config console log report info ci2-linux-4-14
2020/09/21 22:12 linux-4.14.y cbfa1702aaf6 9e1fa68e .config console log report info ci2-linux-4-14
* Struck through repros no longer work on HEAD.