Re: BUG: unable to handle kernel paging request in ext4_ext_remove_space

[Thomas Gleixner <tglx@linutronix.de>]

On Fri, Mar 15 2024 at 12:50, cheung wall wrote:

Removed x86 and random other people from CC and added the EXT4 folks
which are the ones who are really interested in this. Kept full context
intact.

> when using Healer to fuzz the latest Linux Kernel, the following crash
>
> was triggered on:
>
>
> HEAD commit: 0dd3ee31125508cd67f7e7172247f05b7fd1753a  (tag: v6.7)
>
> git tree: upstream
>
> console output: https://pastebin.com/raw/dtWhAR8Y
>
> kernel config: https://pastebin.com/raw/dRctH7sr
>
> C reproducer: https://pastebin.com/raw/zUiGyNi9
>
> Syzlang reproducer:https://pastebin.com/raw/PNyeDjq6
>
> If you fix this issue, please add the following tag to the commit:
>
> Reported-by: Qiang Zhang <zzqq0103.hey@gmail.com>
>
> ----------------------------------------------------------
>
> EXT4-fs (loop0): mounted filesystem
> 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode:
> writeback.
> ext4 filesystem being mounted at /syzkaller.TPYs2I/19/file1 supports
> timestamps until 2038-01-19 (0x7fffffff)
> BUG: unable to handle page fault for address: ffff888002cba000
> #PF: supervisor write access in kernel mode
> #PF: error_code(0x0003) - permissions violation
> PGD a4c01067 P4D a4c01067 PUD a4c02067 PMD 2c63063 PTE 8000000002cba121

The page is mapped RO ...

> Oops: 0003 [#1] PREEMPT SMP KASAN NOPTI
> CPU: 2 PID: 366 Comm: syz-executor127 Not tainted 6.7.0 #2
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> RIP: 0010:memmove+0x1e/0x1b0
> root/zhangqiang/kernel_fuzzing/zq-LLM-OS/llm-syz-environment/linux-6.7/arch/x86/lib/memmove_64.S:44
> Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 89 f8 48 39
> fe 7d 0f 49 89 f0 49 01 d0 49 39 f8 0f 8f b5 00 00 00 48 89 d1 <f3> a4
> e9 26 14 1b 00 66 2e 0f 1f 84 00 00 00 00 00 48 81 fa a8 02
> RSP: 0018:ffff88800d84f840 EFLAGS: 00010216
> RAX: ffff888002c9903c RBX: ffff888002c99000 RCX: fffffffffffdf000
> RDX: ffffffffffffffc4 RSI: ffff888002cba00c RDI: ffff888002cba000
> RBP: ffff888002c99002 R08: 0000000000000001 R09: fffff94000039076
> R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
> R13: ffff88800ba37868 R14: ffff888002c99040 R15: 0000000000000004
> FS:  00007fefc4cb4640(0000) GS:ffff88809e900000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffff888002cba000 CR3: 00000000092fc005 CR4: 0000000000770ef0
> PKRU: 55555554
> Call Trace:
>  <TASK>
>  ext4_ext_rm_leaf
> root/zhangqiang/kernel_fuzzing/zq-LLM-OS/llm-syz-environment/linux-6.7/fs/ext4/extents.c:2736
> [inline]
>  ext4_ext_remove_space+0x1aae/0x36b0
> root/zhangqiang/kernel_fuzzing/zq-LLM-OS/llm-syz-environment/linux-6.7/fs/ext4/extents.c:2958
>  ext4_punch_hole+0xb8b/0xe50
> root/zhangqiang/kernel_fuzzing/zq-LLM-OS/llm-syz-environment/linux-6.7/fs/ext4/inode.c:4019
>  ext4_fallocate+0xb68/0x3230
> root/zhangqiang/kernel_fuzzing/zq-LLM-OS/llm-syz-environment/linux-6.7/fs/ext4/extents.c:4707
>  vfs_fallocate+0x361/0xae0
> root/zhangqiang/kernel_fuzzing/zq-LLM-OS/llm-syz-environment/linux-6.7/fs/open.c:324
>  ioctl_preallocate+0x172/0x1f0
> root/zhangqiang/kernel_fuzzing/zq-LLM-OS/llm-syz-environment/linux-6.7/fs/ioctl.c:291
>  file_ioctl root/zhangqiang/kernel_fuzzing/zq-LLM-OS/llm-syz-environment/linux-6.7/fs/ioctl.c:334
> [inline]
>  do_vfs_ioctl+0x109e/0x13c0
> root/zhangqiang/kernel_fuzzing/zq-LLM-OS/llm-syz-environment/linux-6.7/fs/ioctl.c:850
>  __do_sys_ioctl
> root/zhangqiang/kernel_fuzzing/zq-LLM-OS/llm-syz-environment/linux-6.7/fs/ioctl.c:869
> [inline]
>  __se_sys_ioctl
> root/zhangqiang/kernel_fuzzing/zq-LLM-OS/llm-syz-environment/linux-6.7/fs/ioctl.c:857
> [inline]
>  __x64_sys_ioctl+0xef/0x1e0
> root/zhangqiang/kernel_fuzzing/zq-LLM-OS/llm-syz-environment/linux-6.7/fs/ioctl.c:857
>  do_syscall_x64
> root/zhangqiang/kernel_fuzzing/zq-LLM-OS/llm-syz-environment/linux-6.7/arch/x86/entry/common.c:52
> [inline]
>  do_syscall_64+0x46/0xf0
> root/zhangqiang/kernel_fuzzing/zq-LLM-OS/llm-syz-environment/linux-6.7/arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x6f/0x77
> RIP: 0033:0x7fefc4d3263d
> Code: c3 e8 27 23 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fefc4cb4198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007fefc4dc95d0 RCX: 00007fefc4d3263d
> RDX: 0000000020000080 RSI: 0000000040305829 RDI: 0000000000000004
> RBP: 00007fefc4d93598 R08: 00007ffe5e3ab7bf R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0031656c69662f2e
> R13: 6f6f6c2f7665642f R14: 000001ff7fdfd000 R15: 00007fefc4dc95d8
>  </TASK>
> Modules linked in:
> CR2: ffff888002cba000
> ---[ end trace 0000000000000000 ]---
> BUG: unable to handle page fault for address: ffffebde001bf808
> RIP: 0010:memmove+0x1e/0x1b0
> root/zhangqiang/kernel_fuzzing/zq-LLM-OS/llm-syz-environment/linux-6.7/arch/x86/lib/memmove_64.S:44
> #PF: supervisor read access in kernel mode
> Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 89 f8 48 39
> fe 7d 0f 49 89 f0 49 01 d0 49 39 f8 0f 8f b5 00 00 00 48 89 d1 <f3> a4
> e9 26 14 1b 00 66 2e 0f 1f 84 00 00 00 00 00 48 81 fa a8 02
> #PF: error_code(0x0000) - not-present page
> RSP: 0018:ffff88800d84f840 EFLAGS: 00010216
> PGD 0 P4D 0