BUG: unable to handle kernel NULL pointer dereference in reset_interrupt

From: Hao Sun
Date: Wed Oct 06 2021 - 04:12:11 EST


Hello,

When using Healer to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: 0513e464f900 Merge tag 'perf-tools-fixes-for-v5.15-2021-09-27'
git tree: upstream
console output:
https://drive.google.com/file/d/1Vg4qLPbcjILoerGfzKXlEpdmagBonsn1/view?usp=sharing
kernel config: https://drive.google.com/file/d/1Jqhc4DpCVE8X7d-XBdQnrMoQzifTG5ho/view?usp=sharing

Sorry, I don't have a reproducer for this crash; I hope the symbolized
report can help.
If you fix this issue, please add the following tag to the commit:
Reported-by: Hao Sun <sunhao.th@xxxxxxxxx>

84 90 4295172491
last result at 4295172491
last redo_fd_request at 4295166102
40 00 00 e2 1e e5 02 @......
status=80
fdc_busy=1
floppy_work.func=floppy_work_workfn
timer_function=ffffffff82653f90 expires=294
cont=ffffffff84a34480
current_req=0000000000000000
command_status=-1

floppy0: Unable to send byte 1e to FDC. Fdc=0 Status=d0

floppy driver state
-------------------
now=4295172495 last interrupt=4295172491 diff=4 last called handler=main_command_interrupt
timeout_message=floppy start
last output bytes:
f 80 4295166093
0 90 4295166093
1 90 4295166093
8 80 4295166093
4 80 4295166099
0 90 4295166099
f 80 4295166099
0 90 4295166099
0 90 4295166099
8 80 4295166099
31 80 4295172491
e4 90 4295172491
e2 90 4295172491
1e 90 4295172491
e5 90 4295172491
af 90 4295172491
2e 90 4295172491
25 90 4295172491
84 90 4295172491
6b 80 4295172495
last result at 4295172491
last redo_fd_request at 4295166102
40 00 00 e2 1e e5 02 @......
status=d0
fdc_busy=1
floppy_work.func=floppy_work_workfn
timer_function=ffffffff82653f90 expires=288
cont=ffffffff84a34480
current_req=0000000000000000
command_status=-1

BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 2 PID: 7832 Comm: kworker/u8:3 Not tainted 5.15.0-rc3+ #21
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Workqueue: floppy floppy_work_workfn
RIP: 0010:reset_interrupt+0x60/0xf0 drivers/block/floppy.c:1792
Code: 1d 35 c6 30 06 48 83 fb 01 0f 87 8c 00 00 00 48 8d 04 9b f6 04 c5 f8 04 96 88 04 75 42 e8 b8 52 d2 fe 48 8b 05 89 c6 30 06 5b <48> 8b 40 08 ff e0 e8 a5 52 d2 fe 48 8b 0d be 72 1b 03 48 c7 c2 16
RSP: 0018:ffffc90005097e48 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: ffff888104398000 RSI: ffffffff82653ea8 RDI: 0000000000000000
RBP: ffffc90005097ec8 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc90005097d18 R11: 0000000000000001 R12: ffff888016f6bd80
R13: ffff888008c5cc00 R14: ffff888009860c00 R15: ffffffff85c70b00
FS: 0000000000000000(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 000000001912b000 CR4: 0000000000750ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
process_one_work+0x359/0x850 kernel/workqueue.c:2297
worker_thread+0x41/0x4d0 kernel/workqueue.c:2444
kthread+0x178/0x1b0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
CR2: 0000000000000008
---[ end trace c4cbac3b36a74da5 ]---
RIP: 0010:reset_interrupt+0x60/0xf0 drivers/block/floppy.c:1792
Code: 1d 35 c6 30 06 48 83 fb 01 0f 87 8c 00 00 00 48 8d 04 9b f6 04 c5 f8 04 96 88 04 75 42 e8 b8 52 d2 fe 48 8b 05 89 c6 30 06 5b <48> 8b 40 08 ff e0 e8 a5 52 d2 fe 48 8b 0d be 72 1b 03 48 c7 c2 16
RSP: 0018:ffffc90005097e48 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: ffff888104398000 RSI: ffffffff82653ea8 RDI: 0000000000000000
RBP: ffffc90005097ec8 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc90005097d18 R11: 0000000000000001 R12: ffff888016f6bd80
R13: ffff888008c5cc00 R14: ffff888009860c00 R15: ffffffff85c70b00
FS: 0000000000000000(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 000000001912b000 CR4: 0000000000750ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess):
0: 1d 35 c6 30 06 sbb $0x630c635,%eax
5: 48 83 fb 01 cmp $0x1,%rbx
9: 0f 87 8c 00 00 00 ja 0x9b
f: 48 8d 04 9b lea (%rbx,%rbx,4),%rax
13: f6 04 c5 f8 04 96 88 testb $0x4,-0x7769fb08(,%rax,8)
1a: 04
1b: 75 42 jne 0x5f
1d: e8 b8 52 d2 fe callq 0xfed252da
22: 48 8b 05 89 c6 30 06 mov 0x630c689(%rip),%rax # 0x630c6b2
29: 5b pop %rbx
* 2a: 48 8b 40 08 mov 0x8(%rax),%rax <-- trapping instruction
2e: ff e0 jmpq *%rax
30: e8 a5 52 d2 fe callq 0xfed252da
35: 48 8b 0d be 72 1b 03 mov 0x31b72be(%rip),%rcx # 0x31b72fa
3c: 48 rex.W
3d: c7 .byte 0xc7
3e: c2 .byte 0xc2
3f: 16 (bad)