Linux kernel bug report: "general protection fault in crypto_skcipher_encrypt"

From: Liebes Wang
Date: Tue Jan 28 2025 - 07:08:36 EST


Dear Linux maintainers and reviewers:

We are reporting a Linux kernel bug titled **general protection fault in crypto_skcipher_encrypt**, discovered using a modified version of Syzkaller.

Linux version: 2144da25584eb10b84252230319b5783f6a83041 (6.13-rc6)

The bisection log shows the first introduced commit is 03ef80b469d5d83530ce1ce15be78a40e5300f9b. 
03ef80b469d5 bcachefs: Ignore unknown mount options

The test case, kernel config and full bisection log are attached.

The report is (The full report is attached):
bcachefs (loop4): Doing compatible version upgrade from 1.7: mi_btree_bitmap to 1.13: inode_has_child_snapshots
  running recovery passes: check_allocations,check_inodes
bcachefs: bch2_fs_get_tree() error: fsck_errors_not_fixed
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
CPU: 0 UID: 0 PID: 10753 Comm: syz.4.760 Not tainted 6.12.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:crypto_skcipher_alg include/crypto/skcipher.h:375 [inline]
RIP: 0010:crypto_skcipher_encrypt+0x48/0x170 crypto/skcipher.c:637
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 5d 40 48 8d 7b 18 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 fe 00 00 00 48 8d 7b 04 4c 8b 63 18 48 b8 00 00
loop1: detected capacity change from 0 to 32768
RSP: 0018:ff11000120e96840 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000008 RCX: ffa00000028b7000
RDX: 0000000000000004 RSI: ffffffff836396b0 RDI: 0000000000000020
RBP: ff11000120e968b0 R08: 0000000000000020 R09: 0000000000000000
R10: 0000000000000000 R11: 00000000000000c0 R12: 0000000000000008
R13: ff11000120e96b78 R14: 0000000000000020 R15: ff11000120e96d58
FS:  00007f1ff7870700(0000) GS:ff110004ca800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f535ba2e000 CR3: 000000011da18006 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 80000000
Call Trace:
 <TASK>
 do_encrypt_sg+0xdf/0x170 fs/bcachefs/checksum.c:108
bcachefs (/dev/loop1): error validating superblock: Invalid time precision: 0 (min 1, max 1000000000)
bcachefs: bch2_fs_get_tree() error: invalid_sb_time_precision
 do_encrypt+0x742/0x910 fs/bcachefs/checksum.c:124
 gen_poly_key.isra.0+0x144/0x310 fs/bcachefs/checksum.c:200
 bch2_checksum+0x1c4/0x2a0 fs/bcachefs/checksum.c:236
 bch2_btree_node_read_done+0x75a/0x4e70 fs/bcachefs/btree_io.c:1060
 btree_node_read_work+0x63e/0xf70 fs/bcachefs/btree_io.c:1327
 bch2_btree_node_read+0x76c/0xdf0 fs/bcachefs/btree_io.c:1712
loop2: detected capacity change from 0 to 256
exfat: Unknown parameter 'Ø'
 __bch2_btree_root_read fs/bcachefs/btree_io.c:1753 [inline]
 bch2_btree_root_read+0x2c5/0x460 fs/bcachefs/btree_io.c:1775
 read_btree_roots fs/bcachefs/recovery.c:523 [inline]
 bch2_fs_recovery+0x1db7/0x3c60 fs/bcachefs/recovery.c:853
 bch2_fs_start+0x2d8/0x610 fs/bcachefs/super.c:1036
 bch2_fs_get_tree+0xfda/0x15d0 fs/bcachefs/fs.c:2170
 vfs_get_tree+0x94/0x380 fs/super.c:1814
 do_new_mount fs/namespace.c:3507 [inline]
 path_mount+0x6b2/0x1eb0 fs/namespace.c:3834
 do_mount fs/namespace.c:3847 [inline]
 __do_sys_mount fs/namespace.c:4057 [inline]
 __se_sys_mount fs/namespace.c:4034 [inline]
 __x64_sys_mount+0x283/0x300 fs/namespace.c:4034
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Attachment: kconfig
Description: Binary data

Attachment: report0
Description: Binary data

Attachment: bisect 2.log
Description: Binary data

Attachment: repro 2.cprog
Description: Binary data