Hi,
We would like to report the following bug which has been found by our modified version of syzkaller.
======================================================
description: KASAN: null-ptr-deref Write in xlog_cil_commit
affected file: fs/xfs/xfs_log_cil.c
kernel version: 5.15.156
kernel commit: c52b9710c83d3b8ab63bb217cc7c8b61e13f12cd
git tree: upstream
kernel config: attached
crash reproducer: attached
======================================================
Crash log:
BUG: KASAN: null-ptr-deref in memset include/linux/fortify-string.h:175 [inline]
BUG: KASAN: null-ptr-deref in xlog_cil_alloc_shadow_bufs fs/xfs/xfs_log_cil.c:225 [inline]
BUG: KASAN: null-ptr-deref in xlog_cil_commit+0x3bc/0x2840 fs/xfs/xfs_log_cil.c:1264
Write of size 88 at addr 0000000000000000 by task syz-executor.7/12467
CPU: 0 PID: 12467 Comm: syz-executor.7 Not tainted 5.15.156 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
__kasan_report mm/kasan/report.c:438 [inline]
kasan_report.cold+0x66/0xdf mm/kasan/report.c:451
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x140/0x190 mm/kasan/generic.c:189
memset+0x20/0x40 mm/kasan/shadow.c:44
memset include/linux/fortify-string.h:175 [inline]
xlog_cil_alloc_shadow_bufs fs/xfs/xfs_log_cil.c:225 [inline]
xlog_cil_commit+0x3bc/0x2840 fs/xfs/xfs_log_cil.c:1264
__xfs_trans_commit+0x69d/0xe90 fs/xfs/xfs_trans.c:881
xfs_setattr_nonsize+0x372/0xd10 fs/xfs/xfs_iops.c:745
xfs_vn_setattr+0x1f4/0x250 fs/xfs/xfs_iops.c:1029
notify_change+0xbe9/0x1200 fs/attr.c:505
vfs_utimes+0x3fe/0x7f0 fs/utimes.c:65
do_utimes_path+0xfd/0x1a0 fs/utimes.c:98
do_utimes+0x31/0xf0 fs/utimes.c:144
do_futimesat+0x147/0x1b0 fs/utimes.c:198
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f68dfdd0d2d
Code: c3 e8 97 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f68de340028 EFLAGS: 00000246 ORIG_RAX: 00000000000000eb
RAX: ffffffffffffffda RBX: 00007f68dff0df80 RCX: 00007f68dfdd0d2d
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000000
RBP: 00007f68de3400a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 000000000000000b R14: 00007f68dff0df80 R15: 00007f68de320000
</TASK>
======================================================
We took a very brief look at the code. Is it possible that there is a check missing for the return value of kvmalloc at fs/xfs/xfs_log_cil.c:224?
lv = kvmalloc(buf_size, GFP_KERNEL);
memset(lv, 0, xlog_cil_iovec_space(niovecs));
Kind regards,
Marius
Attachment: config (binary data)
Attachment: repro.syz (binary data)
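Added example, not part of the report above and not code from fs/xfs: a user-space model of the allocate-then-zero loop the report points at (kvmalloc at fs/xfs/xfs_log_cil.c:224 followed by memset at :225), written with the NULL check the reporter suggests is missing. A small fault-injecting allocator in the spirit of the kernel's failslab makes each allocation site fail in turn, which is how a syzkaller-style fuzzer surfaces this class of bug; a loop that unwinds correctly returns -ENOMEM from every injected failure and leaves nothing allocated. All names here (shadow_vec, alloc_shadow_bufs, fi_*, iovec_space) are hypothetical stand-ins, not XFS identifiers.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct xfs_log_vec: a header followed by data. */
struct shadow_vec {
    size_t niovecs;
    size_t buf_size;
    unsigned char data[];
};

/* Fault-injecting allocator: fail the Nth allocation (1-based), 0 = never. */
static unsigned fi_fail_at;
static unsigned fi_calls;
static unsigned fi_live;   /* outstanding allocations, to detect leaks */

static void fi_reset(unsigned fail_at)
{
    fi_fail_at = fail_at;
    fi_calls = 0;
    fi_live = 0;
}

/* Models kvmalloc(): returns NULL on the injected failure. */
static void *fi_alloc(size_t n)
{
    if (++fi_calls == fi_fail_at)
        return NULL;
    void *p = malloc(n);
    if (p)
        fi_live++;
    return p;
}

static void fi_free(void *p)
{
    if (p) {
        fi_live--;
        free(p);
    }
}

static unsigned fi_outstanding(void) { return fi_live; }

/* Size of the zeroed header area, in the role of xlog_cil_iovec_space(). */
static size_t iovec_space(size_t niovecs)
{
    return sizeof(struct shadow_vec) + niovecs * 16;
}

/* Allocate one shadow buffer per item. Every allocation is checked before the
 * memset; on failure everything allocated so far is released and -ENOMEM is
 * returned so the caller unwinds instead of writing through a NULL pointer. */
static int alloc_shadow_bufs(struct shadow_vec **vecs, size_t nitems,
                             size_t niovecs, size_t payload)
{
    size_t i;
    for (i = 0; i < nitems; i++) {
        size_t buf_size = iovec_space(niovecs) + payload;
        struct shadow_vec *lv = fi_alloc(buf_size);
        if (!lv)
            goto out_nomem;   /* the check the report asks about */
        memset(lv, 0, iovec_space(niovecs));
        lv->niovecs = niovecs;
        lv->buf_size = buf_size;
        vecs[i] = lv;
    }
    return 0;
out_nomem:
    while (i-- > 0) {
        fi_free(vecs[i]);
        vecs[i] = NULL;
    }
    return -ENOMEM;
}

static void free_shadow_bufs(struct shadow_vec **vecs, size_t nitems)
{
    for (size_t i = 0; i < nitems; i++) {
        fi_free(vecs[i]);
        vecs[i] = NULL;
    }
}

/* No injected failure: three buffers allocated, initialised, then freed. */
static int success_path_ok(void)
{
    struct shadow_vec *vecs[8] = {0};
    fi_reset(0);
    if (alloc_shadow_bufs(vecs, 3, 4, 64) != 0)
        return 0;
    int ok = fi_outstanding() == 3 && vecs[2]->niovecs == 4 &&
             vecs[0]->buf_size == iovec_space(4) + 64;
    free_shadow_bufs(vecs, 3);
    return ok && fi_outstanding() == 0;
}

/* Inject a failure at each allocation site in turn; count the runs that
 * returned -ENOMEM with nothing left allocated. Equals nitems when the
 * loop unwinds correctly. */
static unsigned count_clean_failures(size_t nitems)
{
    struct shadow_vec *vecs[8] = {0};
    unsigned clean = 0;
    for (unsigned site = 1; site <= nitems; site++) {
        fi_reset(site);
        int rc = alloc_shadow_bufs(vecs, nitems, 4, 64);
        if (rc == -ENOMEM && fi_outstanding() == 0)
            clean++;
    }
    return clean;
}
```

The same per-site fault injection is what makes a fix for a report like this verifiable: rerun the reproducer with allocation failures injected at the kvmalloc site and confirm a clean -ENOMEM return rather than a KASAN null-ptr-deref.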