From: Dmitry Vyukov <dvyukov@google.com>
To: syzbot <syzbot+283ce5a46486d6acdbaf@syzkaller.appspotmail.com>,
	Christian Brauner <christian.brauner@ubuntu.com>
Cc: linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
	Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [syzbot] KASAN: null-ptr-deref Read in filp_close (2)
Date: Fri, 26 Mar 2021 09:02:08 +0100	[thread overview]
Message-ID: <CACT4Y+baP24jKmj-trhF8bG_d_zkz8jN7L1kYBnUR=EAY6hOaA@mail.gmail.com> (raw)
In-Reply-To: <00000000000069c40405be6bdad4@google.com>

On Fri, Mar 26, 2021 at 8:55 AM syzbot
<syzbot+283ce5a46486d6acdbaf@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    5ee96fa9 Merge tag 'irq-urgent-2021-03-21' of git://git.ke..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17fb84bed00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=6abda3336c698a07
> dashboard link: https://syzkaller.appspot.com/bug?extid=283ce5a46486d6acdbaf
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+283ce5a46486d6acdbaf@syzkaller.appspotmail.com

I was able to reproduce this with the following C program:
https://gist.githubusercontent.com/dvyukov/00fb7aae489f22c60b4e64b45ef14d60/raw/cb368ca523d01986c2917f4414add0893b8f4243/gistfile1.txt

+Christian
The repro also contains close_range, as did the previous similar crash:
https://syzkaller.appspot.com/bug?id=1bef50bdd9622a1969608d1090b2b4a588d0c6ac
I don't know if it's related or not in this case, but looks suspicious.


> ==================================================================
> BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline]
> BUG: KASAN: null-ptr-deref in atomic64_read include/asm-generic/atomic-instrumented.h:837 [inline]
> BUG: KASAN: null-ptr-deref in atomic_long_read include/asm-generic/atomic-long.h:29 [inline]
> BUG: KASAN: null-ptr-deref in filp_close+0x22/0x170 fs/open.c:1289
> Read of size 8 at addr 0000000000000077 by task syz-executor.4/16965
>
> CPU: 0 PID: 16965 Comm: syz-executor.4 Not tainted 5.12.0-rc3-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:79 [inline]
>  dump_stack+0x141/0x1d7 lib/dump_stack.c:120
>  __kasan_report mm/kasan/report.c:403 [inline]
>  kasan_report.cold+0x5f/0xd8 mm/kasan/report.c:416
>  check_region_inline mm/kasan/generic.c:180 [inline]
>  kasan_check_range+0x13d/0x180 mm/kasan/generic.c:186
>  instrument_atomic_read include/linux/instrumented.h:71 [inline]
>  atomic64_read include/asm-generic/atomic-instrumented.h:837 [inline]
>  atomic_long_read include/asm-generic/atomic-long.h:29 [inline]
>  filp_close+0x22/0x170 fs/open.c:1289
>  close_files fs/file.c:403 [inline]
>  put_files_struct fs/file.c:418 [inline]
>  put_files_struct+0x1d0/0x350 fs/file.c:415
>  exit_files+0x7e/0xa0 fs/file.c:435
>  do_exit+0xbc2/0x2a60 kernel/exit.c:820
>  do_group_exit+0x125/0x310 kernel/exit.c:922
>  get_signal+0x42c/0x2100 kernel/signal.c:2773
>  arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:789
>  handle_signal_work kernel/entry/common.c:147 [inline]
>  exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
>  exit_to_user_mode_prepare+0x148/0x250 kernel/entry/common.c:208
>  __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
>  syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:301
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x466459
> Code: Unable to access opcode bytes at RIP 0x46642f.
> RSP: 002b:00007feb5e334218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> RAX: fffffffffffffe00 RBX: 000000000056bf68 RCX: 0000000000466459
> RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000056bf68
> RBP: 000000000056bf60 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf6c
> R13: 0000000000a9fb1f R14: 00007feb5e334300 R15: 0000000000022000
> ==================================================================

Thread overview: 25+ messages
2021-03-26  7:55 [syzbot] KASAN: null-ptr-deref Read in filp_close (2) syzbot
2021-03-26  8:02 ` Dmitry Vyukov [this message]
2021-03-26  9:12   ` Christian Brauner
2021-03-26  9:21     ` Dmitry Vyukov
     [not found]       ` <CAHrFyr7iUpMh4sicxrMWwaUHKteU=qHt-1O-3hojAAX3d5879Q@mail.gmail.com>
2021-03-26 13:50         ` Christian Brauner
2021-03-26 14:22           ` Dmitry Vyukov
2021-03-27 23:33           ` Al Viro
2021-03-29  9:21             ` Christian Brauner
2021-03-29 17:35               ` Christian Brauner
2021-04-02 12:35 ` [PATCH 0/3] file: fix and simplify close_range() Christian Brauner
2021-04-02 12:35 ` [PATCH 1/3] file: fix close_range() for unshare+cloexec Christian Brauner
2021-04-02 12:35 ` [PATCH 2/3] file: let pick_file() tell caller it's done Christian Brauner
2021-04-02 20:09   ` kernel test robot
2021-04-02 12:35 ` [PATCH 3/3] file: simplify logic in __close_range() Christian Brauner
2021-07-13  4:12 ` [syzbot] KASAN: null-ptr-deref Read in filp_close (2) syzbot
2021-07-13 18:49   ` Linus Torvalds
2021-07-14  7:59     ` Christian Brauner
2021-07-14  9:14       ` Christian Brauner
2021-07-14 11:45       ` Dmitry Vyukov
2021-07-14 13:51   ` Christian Brauner
2021-07-14 13:54     ` syzbot
2021-07-14 13:57     ` Christian Brauner
2021-07-14 14:16       ` syzbot
2021-07-14 13:53   ` Christian Brauner
2021-07-14 13:53     ` syzbot
