fsnotify_destroy_inode_mark() null pointer dereference

[Bart Van Assche <bvanassche@acm.org>]

Hello,

Has anyone else already run into this ? So far I ran twice into
this issue - once with kernel 4.0.0-rc3 and once with kernel 3.19.1.
I think these call traces mean that fsnotify_destroy_inode_mark()
was called with mark->group->mark_mutex == NULL.

Thanks,

Bart.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000070
IP: [<ffffffff811e8d4d>] fsnotify_destroy_inode_mark+0x1d/0xa0
PGD 1f1c39067 PUD 202b8a067 PMD 0 
Oops: 0000 [#1] PREEMPT SMP 
Modules linked in: tun rfcomm fuse dm_crypt algif_skcipher af_alg loop xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat bridge stp llc nf_log_ipv6 xt_pkttype nf_log_ipv4 nf_log_common xt_LOG xt_limit af_packet ip6t_REJECT nf_reject_ipv6 xt_tcpudp nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_raw ipt_REJECT nf_reject_ipv4 iptable_raw xt_CT iptable_filter ip6table_mangle nf_conntrack_netbios_ns nf_conntrack_broadcast nf_conntrack_ipv4 nf_defrag_ipv4 ip_tables xt_conntrack nf_conntrack ip6table_filter ip6_tables x_tables uvcvideo videobuf2_vmalloc videobuf2_memops bnep videobuf2_core snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic arc4 x86_pkg_temp_thermal intel_powerclamp snd_hda_intel coretemp snd_hda_controller dell_wmi kvm_intel
 snd_hda_codec sparse_keymap snd_hwdep snd_pcm kvm crct10dif_pclmul crc32_pclmul crc32c_intel dell_laptop iwlmvm mac80211 dcdbas ghash_clmulni_intel aesni_intel snd_timer snd iwlwifi aes_x86_64 glue_helper lrw btusb gf128mul ablk_helper cryptd bluetooth cfg80211 sdhci_pci soundcore joydev e1000e rfkill xhci_pci serio_raw xhci_hcd pcspkr wmi ptp lpc_ich shpchp i2c_i801 mfd_core thermal battery pps_core i2c_hid i2c_designware_platform i2c_designware_core 8250_dw dell_smo8800 ac processor dm_mod i915 i2c_algo_bit drm_kms_helper drm video sdhci_acpi sdhci mmc_core button sg
CPU: 1 PID: 2088 Comm: systemd Not tainted 4.0.0-rc3+ #1
Hardware name: Dell Inc. Latitude E7440/03HFCG, BIOS A10 06/26/2014
task: ffff8800db083510 ti: ffff88020d2f4000 task.ti: ffff88020d2f4000
RIP: 0010:[<ffffffff811e8d4d>]  [<ffffffff811e8d4d>] fsnotify_destroy_inode_mark+0x1d/0xa0
 pam_unix(systemd-user:session): session closed for user root
RSP: 0018:ffff88020d2f7d98  EFLAGS: 00010292
RAX: 0000000000000000 RBX: ffffffff818d94b0 RCX: 00000000ffffffff
RDX: 00000000ffffffef RSI: ffff8802134a3a00 RDI: ffffffff818d94b0
RBP: ffff88020d2f7db8 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000001af68 R11: 0000000000000246 R12: 0000000000000000
R13: ffffffff818d94c0 R14: ffffffff818d94d0 R15: 0000000000000000
FS:  00007f198299e880(0000) GS:ffff88021ea80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000070 CR3: 0000000213e97000 CR4: 00000000001407e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff880202bc3a50 ffffffff818d94b0 ffff8802134a3a00 ffffffff818d94c0
 ffff88020d2f7df8 ffffffff811e9498 ffff8802134a3a00 ffff880214da6a50
 ffffffff818d94b0 ffff8802134a3a00 00000000ffffffff ffff8802134a3aa0
Call Trace:
 [<ffffffff811e9498>] fsnotify_destroy_mark_locked+0x128/0x190
 [<ffffffff811e9acf>] fsnotify_clear_marks_by_group_flags+0x7f/0xb0
 [<ffffffff811e9b13>] fsnotify_clear_marks_by_group+0x13/0x20
 [<ffffffff811e8ba6>] fsnotify_destroy_group+0x16/0x50
 [<ffffffff811eab06>] inotify_release+0x26/0x50
 [<ffffffff811ab51e>] __fput+0xce/0x1d0
 [<ffffffff811ab66e>] ____fput+0xe/0x10
 [<ffffffff8106fd87>] task_work_run+0xa7/0xe0
 [<ffffffff81002f39>] do_notify_resume+0x59/0x80
 [<ffffffff8162feb1>] int_signal+0x12/0x17
Code: 5c 5d c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 48 89 fb 48 83 ec 08 48 8b 47 08 4c 8b 67 48 <8b> 40 70 83 f8 01 74 6e 8b 47 20 89 c2 c1 ea 10 66 39 d0 74 63 
RIP  [<ffffffff811e8d4d>] fsnotify_destroy_inode_mark+0x1d/0xa0
 RSP <ffff88020d2f7d98>
CR2: 0000000000000070
---[ end trace 05cd1ed92ae3a185 ]---




BUG: unable to handle kernel NULL pointer dereference at 0000000000000070
IP: [<ffffffff811e691d>] fsnotify_destroy_inode_mark+0x1d/0xa0
PGD 207807067 PUD 20785e067 PMD 0 
Oops: 0000 [#1] PREEMPT SMP 
Modules linked in: tun fuse dm_crypt algif_skcipher af_alg ctr ccm loop xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat bridge stp llc nf_log_ipv6 af_packet xt_pkttype nf_log_ipv4 nf_log_common xt_LOG xt_limit ip6t_REJECT nf_reject_ipv6 xt_tcpudp nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_raw ipt_REJECT nf_reject_ipv4 iptable_raw xt_CT iptable_filter ip6table_mangle nf_conntrack_netbios_ns nf_conntrack_broadcast nf_conntrack_ipv4 nf_defrag_ipv4 ip_tables xt_conntrack nf_conntrack ip6table_filter ip6_tables x_tables arc4 uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core iwlmvm mac80211 dell_wmi sparse_keymap iwlwifi sdhci_pci cfg80211 snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic ecb x86_pkg_temp_thermal intel_powercla
 mp
 coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel dell_laptop dcdbas aesni_intel joydev aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd snd_hda_intel snd_hda_controller snd_hda_codec snd_hwdep snd_pcm snd_timer snd btusb bluetooth pcspkr rfkill serio_raw lpc_ich mfd_core i2c_i801 shpchp e1000e soundcore ptp pps_core xhci_pci xhci_hcd thermal wmi battery i2c_hid dell_smo8800 ac 8250_dw i2c_designware_platform i2c_designware_core processor dm_mod i915 i2c_algo_bit drm_kms_helper drm video sdhci_acpi sdhci mmc_core button sg
CPU: 3 PID: 1203 Comm: systemd Not tainted 3.19.1+ #1
Hardware name: Dell Inc. Latitude E7440/03HFCG, BIOS A10 06/26/2014
task: ffff880213e1cb60 ti: ffff8800db358000 task.ti: ffff8800db358000
RIP: 0010:[<ffffffff811e691d>]  [<ffffffff811e691d>] fsnotify_destroy_inode_mark+0x1d/0xa0
RSP: 0018:ffff8800db35bd98  EFLAGS: 00010292
RAX: 0000000000000000 RBX: ffffffff818d0990 RCX: 0000000000000002
RDX: 00000000ffffffef RSI: ffff880213afe400 RDI: ffffffff818d0990
RBP: ffff8800db35bdb8 R08: 0000000000000000 R09: 0000000000000246
R10: 0000000000019c50 R11: 0000000000000246 R12: 0000000000000000
R13: ffffffff818d09a0 R14: ffffffff818d09b0 R15: 0000000000000000
FS:  00007fdfca252880(0000) GS:ffff88021eb80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000070 CR3: 00000002119a0000 CR4: 00000000001407e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff8802124f8f98 ffffffff818d0990 ffff880213afe400 ffffffff818d09a0
 ffff8800db35bdf8 ffffffff811e7068 ffff880213afe400 ffff8802124f8f30
 ffffffff818d0990 ffff880213afe400 00000000ffffffff ffff880213afe4a0
Call Trace:
 [<ffffffff811e7068>] fsnotify_destroy_mark_locked+0x128/0x190
 [<ffffffff811e769f>] fsnotify_clear_marks_by_group_flags+0x7f/0xb0
 [<ffffffff811e76e3>] fsnotify_clear_marks_by_group+0x13/0x20
 [<ffffffff811e6776>] fsnotify_destroy_group+0x16/0x50
 [<ffffffff811e86d6>] inotify_release+0x26/0x50
 [<ffffffff811a956e>] __fput+0xce/0x1d0
 [<ffffffff811a96be>] ____fput+0xe/0x10
 [<ffffffff8106ec57>] task_work_run+0xa7/0xe0
 [<ffffffff81002f31>] do_notify_resume+0x61/0xa0
 [<ffffffff81627487>] int_signal+0x12/0x17
Code: 5c 5d c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 48 89 fb 48 83 ec 08 48 8b 47 08 4c 8b 67 48 <8b> 40 70 83 f8 01 74 6e 8b 47 20 89 c2 c1 ea 10 66 39 d0 74 63 
RIP  [<ffffffff811e691d>] fsnotify_destroy_inode_mark+0x1d/0xa0
 RSP <ffff8800db35bd98>
CR2: 0000000000000070
---[ end trace a9b2903b537496c1 ]---