BUG: unable to handle kernel NULL pointer dereference in stack_depot_save

From: Wei Chen
Date: Sun Oct 30 2022 - 06:16:53 EST


Dear Linux Developer,

Recently, when using our tool to fuzz the kernel, the following crash was triggered:

HEAD commit: 64570fbc14f8 Linux 5.15-rc5
git tree: upstream
compiler: gcc 8.0.1
console output:
https://drive.google.com/file/d/1tiImsOLsgUyTS1wPbI1psiX7HtBTNhj9/view?usp=share_link
kernel config: https://drive.google.com/file/d/1uDOeEYgJDcLiSOrx9W8v2bqZ6uOA_55t/view?usp=share_link

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <harperchen1110@xxxxxxxxx>

BUG: kernel NULL pointer dereference, address: 0000000000000028
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 13792 Comm: systemd Not tainted 5.15.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:stack_depot_save+0x136/0x520
Code: ff ff 0f 00 4c 8d 34 c8 4d 8b 2e 4d 85 ed 0f 84 b4 00 00 00 8d
75 ff 48 c1 e6 03 eb 0d 4d 8b 6d 00 4d 85 ed 0f 84 9e 00 00 00 <41> 39
5d 08 75 ed 41 3b 6d 0c 75 e7 49 8b 04 24 49 39 45 18 75 dd
RSP: 0018:ffffc9000abeb0b0 EFLAGS: 00010206
RAX: ffff88813d000000 RBX: 00000000d05577a2 RCX: 00000000000577a2
RDX: 0000000000012c50 RSI: 0000000000000078 RDI: 00000000f0f1e45b
RBP: 0000000000000010 R08: 00000000b6dd3736 R09: ffffffff86c43dd4
R10: ffffffff86c43dd0 R11: 0000000000000000 R12: ffffc9000abeb120
R13: 0000000000000020 R14: ffff88813d2bbd10 R15: 0000000000000000
FS: 00007f721246a500(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 000000010886f000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
save_stack+0xa2/0xe0
__set_page_owner+0x45/0x100
prep_new_page+0xbd/0x100
get_page_from_freelist+0x12fc/0x17e0
__alloc_pages+0x1c8/0x420
alloc_pages+0xbf/0x160
new_slab+0x309/0x4c0
___slab_alloc.part.92+0x7b7/0xfc0
__slab_alloc.isra.93+0x4f/0xa0
kmem_cache_alloc+0x2f8/0x310
alloc_buffer_head+0x1d/0xb0
alloc_page_buffers+0x1df/0x4a0
create_empty_buffers+0x26/0x450
ext4_block_write_begin+0x938/0xc60
ext4_da_write_begin+0x24f/0x5d0
generic_perform_write+0x15d/0x290
ext4_buffered_write_iter+0xc9/0x1d0
ext4_file_write_iter+0xb1/0xbb0
__kernel_write+0x22f/0x4c0
__dump_emit+0xaf/0xf0
dump_emit+0x107/0x1a0
dump_user_range+0x5a/0x1f0
elf_core_dump+0x1804/0x1aa0
do_coredump+0x10da/0x1bf0
get_signal+0xa5d/0x1520
arch_do_signal_or_restart+0xa9/0x870
exit_to_user_mode_prepare+0x138/0x280
syscall_exit_to_user_mode+0x19/0x60
do_syscall_64+0x40/0xb0
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f721098c317
Code: 44 00 00 48 8b 15 81 5b 36 00 f7 d8 64 89 02 b8 ff ff ff ff c3
66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 b8 3e 00 00 00 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 8b 0d 51 5b 36 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe5d132438 EFLAGS: 00000213 ORIG_RAX: 000000000000003e
RAX: 0000000000000000 RBX: 00007ffe5d1324e0 RCX: 00007f721098c317
RDX: 00007f7210a350d7 RSI: 000000000000000b RDI: 00000000000035e0
RBP: 000000000000000b R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000000000
R13: 0000000000000000 R14: 0000557657079838 R15: 00007ffe5d1333d0
Modules linked in:
CR2: 0000000000000028
---[ end trace c2c81c11bafb869c ]---
RIP: 0010:stack_depot_save+0x136/0x520
Code: ff ff 0f 00 4c 8d 34 c8 4d 8b 2e 4d 85 ed 0f 84 b4 00 00 00 8d
75 ff 48 c1 e6 03 eb 0d 4d 8b 6d 00 4d 85 ed 0f 84 9e 00 00 00 <41> 39
5d 08 75 ed 41 3b 6d 0c 75 e7 49 8b 04 24 49 39 45 18 75 dd
RSP: 0018:ffffc9000abeb0b0 EFLAGS: 00010206
RAX: ffff88813d000000 RBX: 00000000d05577a2 RCX: 00000000000577a2
RDX: 0000000000012c50 RSI: 0000000000000078 RDI: 00000000f0f1e45b
RBP: 0000000000000010 R08: 00000000b6dd3736 R09: ffffffff86c43dd4
R10: ffffffff86c43dd0 R11: 0000000000000000 R12: ffffc9000abeb120
R13: 0000000000000020 R14: ffff88813d2bbd10 R15: 0000000000000000
FS: 00007f721246a500(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 000000010886f000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
0: ff 0f decl (%rdi)
2: 00 4c 8d 34 add %cl,0x34(%rbp,%rcx,4)
6: c8 4d 8b 2e enterq $0x8b4d,$0x2e
a: 4d 85 ed test %r13,%r13
d: 0f 84 b4 00 00 00 je 0xc7
13: 8d 75 ff lea -0x1(%rbp),%esi
16: 48 c1 e6 03 shl $0x3,%rsi
1a: eb 0d jmp 0x29
1c: 4d 8b 6d 00 mov 0x0(%r13),%r13
20: 4d 85 ed test %r13,%r13
23: 0f 84 9e 00 00 00 je 0xc7
* 29: 41 39 5d 08 cmp %ebx,0x8(%r13) <-- trapping instruction
2d: 75 ed jne 0x1c
2f: 41 3b 6d 0c cmp 0xc(%r13),%ebp
33: 75 e7 jne 0x1c
35: 49 8b 04 24 mov (%r12),%rax
39: 49 39 45 18 cmp %rax,0x18(%r13)
3d: 75 dd jne 0x1c

Best,
Wei