From: syzbot <syzbot+94891a5155abdf6821b7@syzkaller.appspotmail.com>
To: andrew.kanner@gmail.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [overlayfs?] BUG: unable to handle kernel NULL pointer dereference in __lookup_slow (3)
Date: Wed, 04 Sep 2024 00:04:03 -0700	[thread overview]
Message-ID: <000000000000756497062145c7a0@google.com> (raw)
In-Reply-To: <66d79038.170a0220.22e970.97fd@mx.google.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in __lookup_slow

loop0: detected capacity change from 0 to 64
overlayfs: fs on './file0' does not support file handles, falling back to index=off,nfs_export=off.
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 800000001f849067 P4D 800000001f849067 PUD 1fabf067 PMD 0 
Oops: Oops: 0010 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 6157 Comm: syz.0.15 Not tainted 6.11.0-rc5-syzkaller-00017-g7d6899fb69d2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc9000492f558 EFLAGS: 00010246
RAX: 1ffffffff17f1868 RBX: ffffffff8bf8c340 RCX: ffff888024845a00
RDX: 0000000000000000 RSI: ffff8880699ead38 RDI: ffff888069bac018
RBP: ffffc9000492f670 R08: ffffffff820c2f53 R09: 1ffffffff29ad1f5
R10: dffffc0000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8880699ead38 R14: 1ffff1100d33d5a7 R15: 1ffff92000925eb0
FS:  00007f735e4b46c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000078faa000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __lookup_slow+0x28c/0x3f0 fs/namei.c:1718
 lookup_slow fs/namei.c:1735 [inline]
 lookup_one_unlocked+0x1a4/0x290 fs/namei.c:2898
 ovl_lookup_positive_unlocked fs/overlayfs/namei.c:210 [inline]
 ovl_lookup_single+0x200/0xbd0 fs/overlayfs/namei.c:240
 ovl_lookup_layer+0x417/0x510 fs/overlayfs/namei.c:333
 ovl_lookup+0xcf7/0x2a60 fs/overlayfs/namei.c:1124
 lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633
 filename_create+0x297/0x540 fs/namei.c:3980
 do_mknodat+0x18b/0x5b0 fs/namei.c:4125
 __do_sys_mknod fs/namei.c:4171 [inline]
 __se_sys_mknod fs/namei.c:4169 [inline]
 __x64_sys_mknod+0x8c/0xa0 fs/namei.c:4169
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f735d779ef9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f735e4b4038 EFLAGS: 00000246 ORIG_RAX: 0000000000000085
RAX: ffffffffffffffda RBX: 00007f735d915f80 RCX: 00007f735d779ef9
RDX: 0000000000000700 RSI: 0000000000002000 RDI: 0000000020000140
RBP: 00007f735d7e793e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f735d915f80 R15: 00007ffd8cecbb18
 </TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc9000492f558 EFLAGS: 00010246
RAX: 1ffffffff17f1868 RBX: ffffffff8bf8c340 RCX: ffff888024845a00
RDX: 0000000000000000 RSI: ffff8880699ead38 RDI: ffff888069bac018
RBP: ffffc9000492f670 R08: ffffffff820c2f53 R09: 1ffffffff29ad1f5
R10: dffffc0000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8880699ead38 R14: 1ffff1100d33d5a7 R15: 1ffff92000925eb0
FS:  00007f735e4b46c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000078faa000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit:         7d6899fb ovl: fsync after metadata copy-up
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/overlayfs/vfs.git overlayfs-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1272d5b7980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d806687521800cad
dashboard link: https://syzkaller.appspot.com/bug?extid=94891a5155abdf6821b7
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
