KASAN: null-ptr-deref Read in vhost_debug_mm

==================================================================
BUG: KASAN: null-ptr-deref in atomic_read /./include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: null-ptr-deref in vhost_debug_mm+0x45/0x110 /drivers/vhost/vhost.c:52
Read of size 4 at addr 0000000000000058 by task syz-fuzzer/8693

CPU: 0 PID: 8693 Comm: syz-fuzzer Not tainted 5.2.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack /lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 /lib/dump_stack.c:113
 __kasan_report.cold+0x5/0x40 /mm/kasan/report.c:321
 kasan_report+0x12/0x20 /mm/kasan/common.c:614
 check_memory_region_inline /mm/kasan/generic.c:185 [inline]
 check_memory_region+0x123/0x190 /mm/kasan/generic.c:191
 kasan_check_read+0x11/0x20 /mm/kasan/common.c:94
 atomic_read /./include/asm-generic/atomic-instrumented.h:26 [inline]
 vhost_debug_mm+0x45/0x110 /drivers/vhost/vhost.c:52
 vhost_dev_cleanup+0x1e8/0xcd0 /drivers/vhost/vhost.c:962
 vhost_vsock_dev_release+0x324/0x470 /drivers/vhost/vsock.c:628
 __fput+0x2ff/0x890 /fs/file_table.c:280
 ____fput+0x16/0x20 /fs/file_table.c:313
 task_work_run+0x145/0x1c0 /kernel/task_work.c:113
 tracehook_notify_resume /./include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x273/0x2c0 /arch/x86/entry/common.c:168
 prepare_exit_to_usermode /arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath /arch/x86/entry/common.c:279 [inline]
 do_syscall_64+0x58e/0x680 /arch/x86/entry/common.c:304
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x47fcb4
Code: ff ff cc cc cc cc e8 2b 41 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 45 31 d2 45 31 c0 45 31 c9 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
RSP: 002b:000000c4201173e0 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000047fcb4
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 000000c420117428 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000c4203e2cb9
R13: 000000c4203e2cbf R14: 000000c4203e2cb8 R15: 000000c4203e2cc8
==================================================================

Console log:

[ ok ] Starting enhanced syslogd: rsyslogd.
[   65.063118][   T24] audit: type=1800 audit(1563839374.387:25): pid=8533 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   65.104240][   T24] audit: type=1800 audit(1563839374.397:26): pid=8533 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   65.137449][   T24] audit: type=1800 audit(1563839374.397:27): pid=8533 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.53' (ECDSA) to the list of known hosts.
2019/07/22 23:49:45 fuzzer started
2019/07/22 23:49:47 connecting to host at 10.128.0.26:36975
2019/07/22 23:49:47 checking machine...
2019/07/22 23:49:47 checking revisions...
2019/07/22 23:49:47 testing simple program...
syzkaller login: [   78.547300][ T8703] IPVS: ftp: loaded support on port[0] = 21
2019/07/22 23:49:47 building call list...
[   79.944624][ T8693] ==================================================================
[   79.952882][ T8693] BUG: KASAN: null-ptr-deref in vhost_debug_mm+0x45/0x110
[   79.960008][ T8693] Read of size 4 at addr 0000000000000058 by task syz-fuzzer/8693
[   79.967815][ T8693]
[   79.970184][ T8693] CPU: 0 PID: 8693 Comm: syz-fuzzer Not tainted 5.2.0-rc2+ #1
[   79.977646][ T8693] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   79.987746][ T8693] Call Trace:
[   79.991064][ T8693]  dump_stack+0x172/0x1f0
[   79.995416][ T8693]  ? vhost_debug_mm+0x45/0x110
[   80.000206][ T8693]  ? vhost_debug_mm+0x45/0x110
[   80.005026][ T8693]  __kasan_report.cold+0x5/0x40
[   80.009906][ T8693]  ? vhost_debug_mm+0x45/0x110
[   80.014685][ T8693]  kasan_report+0x12/0x20
[   80.019056][ T8693]  check_memory_region+0x123/0x190
[   80.024174][ T8693]  kasan_check_read+0x11/0x20
[   80.028886][ T8693]  vhost_debug_mm+0x45/0x110
[   80.033491][ T8693]  vhost_dev_cleanup+0x1e8/0xcd0
[   80.038444][ T8693]  vhost_vsock_dev_release+0x324/0x470
[   80.043916][ T8693]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   80.050170][ T8693]  __fput+0x2ff/0x890
[   80.054162][ T8693]  ? vhost_vsock_dev_open+0x330/0x330
[   80.059539][ T8693]  ____fput+0x16/0x20
[   80.063506][ T8693]  task_work_run+0x145/0x1c0
[   80.068129][ T8693]  exit_to_usermode_loop+0x273/0x2c0
[   80.073402][ T8693]  do_syscall_64+0x58e/0x680
[   80.078022][ T8693]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   80.083900][ T8693] RIP: 0033:0x47fcb4
[   80.087782][ T8693] Code: ff ff cc cc cc cc e8 2b 41 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 45 31 d2 45 31 c0 45 31 c9 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[   80.107385][ T8693] RSP: 002b:000000c4201173e0 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[   80.115800][ T8693] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000047fcb4
[   80.123760][ T8693] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[   80.131718][ T8693] RBP: 000000c420117428 R08: 0000000000000000 R09: 0000000000000000
[   80.139675][ T8693] R10: 0000000000000000 R11: 0000000000000246 R12: 000000c4203e2cb9
[   80.147637][ T8693] R13: 000000c4203e2cbf R14: 000000c4203e2cb8 R15: 000000c4203e2cc8
[   80.155614][ T8693] ==================================================================
[   80.163659][ T8693] Disabling lock debugging due to kernel taint
[   80.170251][ T8693] Kernel panic - not syncing: panic_on_warn set ...
[   80.176849][ T8693] CPU: 0 PID: 8693 Comm: syz-fuzzer Tainted: G B 5.2.0-rc2+ #1
[   80.185670][ T8693] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   80.195708][ T8693] Call Trace:
[   80.198989][ T8693]  dump_stack+0x172/0x1f0
[   80.203302][ T8693]  panic+0x2cb/0x744
[   80.207177][ T8693]  ? __warn_printk+0xf3/0xf3
[   80.211759][ T8693]  ? vhost_debug_mm+0x45/0x110
[   80.216528][ T8693]  ? preempt_schedule+0x4b/0x60
[   80.221369][ T8693]  ? ___preempt_schedule+0x16/0x18
[   80.226474][ T8693]  ? trace_hardirqs_on+0x5e/0x220
[   80.231489][ T8693]  ? vhost_debug_mm+0x45/0x110
[   80.236254][ T8693]  end_report+0x47/0x4f
[   80.247913][ T8693]  ? vhost_debug_mm+0x45/0x110
[   80.252664][ T8693]  __kasan_report.cold+0xe/0x40
[   80.257512][ T8693]  ? vhost_debug_mm+0x45/0x110
[   80.262259][ T8693]  kasan_report+0x12/0x20
[   80.266576][ T8693]  check_memory_region+0x123/0x190
[   80.271948][ T8693]  kasan_check_read+0x11/0x20
[   80.276697][ T8693]  vhost_debug_mm+0x45/0x110
[   80.281274][ T8693]  vhost_dev_cleanup+0x1e8/0xcd0
[   80.286199][ T8693]  vhost_vsock_dev_release+0x324/0x470
[   80.291645][ T8693]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   80.297869][ T8693]  __fput+0x2ff/0x890
[   80.301855][ T8693]  ? vhost_vsock_dev_open+0x330/0x330
[   80.307236][ T8693]  ____fput+0x16/0x20
[   80.314132][ T8693]  task_work_run+0x145/0x1c0
[   80.318741][ T8693]  exit_to_usermode_loop+0x273/0x2c0
[   80.324010][ T8693]  do_syscall_64+0x58e/0x680
[   80.328586][ T8693]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   80.334495][ T8693] RIP: 0033:0x47fcb4
[   80.338378][ T8693] Code: ff ff cc cc cc cc e8 2b 41 fb ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 45 31 d2 45 31 c0 45 31 c9 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[   80.357972][ T8693] RSP: 002b:000000c4201173e0 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[   80.366382][ T8693] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000047fcb4
[   80.374363][ T8693] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[   80.382331][ T8693] RBP: 000000c420117428 R08: 0000000000000000 R09: 0000000000000000
[   80.390290][ T8693] R10: 0000000000000000 R11: 0000000000000246 R12: 000000c4203e2cb9
[   80.398247][ T8693] R13: 000000c4203e2cbf R14: 000000c4203e2cb8 R15: 000000c4203e2cc8
[   80.407403][ T8693] Kernel Offset: disabled
[   80.411733][ T8693] Rebooting in 86400 seconds..