From: Uladzislau Rezki <urezki@gmail.com>
To: "Paul E. McKenney" <paulmck@kernel.org>
Cc: Uladzislau Rezki <urezki@gmail.com>,
Kent Overstreet <kent.overstreet@linux.dev>,
syzbot <syzbot+80e5d6f453f14a53383a@syzkaller.appspotmail.com>,
akpm@linux-foundation.org, josh@joshtriplett.org,
linux-bcachefs@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, rcu@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [rcu?] [bcachefs?] BUG: unable to handle kernel NULL pointer dereference in rcu_core (3)
Date: Mon, 9 Jun 2025 10:35:34 +0200 [thread overview]
Message-ID: <aEac1veMLffwOdv8@pc636> (raw)
In-Reply-To: <602bb1be-f4a4-4194-803f-856e95711870@paulmck-laptop>
On Sun, Jun 08, 2025 at 05:25:05PM -0700, Paul E. McKenney wrote:
> On Sun, Jun 08, 2025 at 08:23:36PM +0200, Uladzislau Rezki wrote:
> > On Sun, Jun 08, 2025 at 11:26:28AM -0400, Kent Overstreet wrote:
> > > On Wed, Feb 05, 2025 at 06:56:19AM -0800, Paul E. McKenney wrote:
> > > > On Tue, Feb 04, 2025 at 04:34:18PM -0800, syzbot wrote:
> > > > > Hello,
> > > > >
> > > > > syzbot found the following issue on:
> > > > >
> > > > > HEAD commit: 0de63bb7d919 Merge tag 'pull-fix' of git://git.kernel.org/..
> > > > > git tree: upstream
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=10faf5f8580000
> > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=1909f2f0d8e641ce
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=80e5d6f453f14a53383a
> > > > > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16b69d18580000
> > > > >
> > > > > Downloadable assets:
> > > > > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-0de63bb7.raw.xz
> > > > > vmlinux: https://storage.googleapis.com/syzbot-assets/1142009a30a7/vmlinux-0de63bb7.xz
> > > > > kernel image: https://storage.googleapis.com/syzbot-assets/5d9e46a8998d/bzImage-0de63bb7.xz
> > > > > mounted in repro: https://storage.googleapis.com/syzbot-assets/526692501242/mount_0.gz
> > > > >
> > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > > Reported-by: syzbot+80e5d6f453f14a53383a@syzkaller.appspotmail.com
> > > > >
> > > > > slab radix_tree_node start ffff88803bf382c0 pointer offset 24 size 576
> > > > > BUG: kernel NULL pointer dereference, address: 0000000000000000
> > > > > #PF: supervisor instruction fetch in kernel mode
> > > > > #PF: error_code(0x0010) - not-present page
> > > > > PGD 0 P4D 0
> > > > > Oops: Oops: 0010 [#1] PREEMPT SMP KASAN NOPTI
> > > > > CPU: 0 UID: 0 PID: 5705 Comm: syz-executor Not tainted 6.14.0-rc1-syzkaller-00020-g0de63bb7d919 #0
> > > > > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> > > > > RIP: 0010:0x0
> > > > > Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> > > > > RSP: 0018:ffffc90000007bd8 EFLAGS: 00010246
> > > > > RAX: dffffc0000000000 RBX: 1ffff110077e705c RCX: 23438dd059a4b100
> > > > > RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffff88803bf382d8
> > > > > RBP: ffffc90000007e10 R08: ffffffff819f146c R09: 1ffff11003f8519a
> > > > > R10: dffffc0000000000 R11: 0000000000000000 R12: ffffffff81a6d507
> > > > > R13: ffff88803bf382e0 R14: 0000000000000000 R15: ffff88803bf382d8
> > > > > FS: 0000555567992500(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
> > > > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > > > CR2: ffffffffffffffd6 CR3: 000000004da38000 CR4: 0000000000352ef0
> > > > > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > > > > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > > > > Call Trace:
> > > > > <IRQ>
> > > > > rcu_do_batch kernel/rcu/tree.c:2546 [inline]
> > > >
> > > > The usual way that this happens is that someone clobbers the rcu_head
> > > > structure of something that has been passed to call_rcu(). The most
> > > > popular way of clobbering this structure is to pass the same something to
> > > > call_rcu() twice in a row, but other creative arrangements are possible.
> > > >
> > > > Building your kernel with CONFIG_DEBUG_OBJECTS_RCU_HEAD=y can usually
> > > > spot invoking call_rcu() twice in a row.
> > >
> > > I don't think it's that - syzbot's .config already has that enabled.
> > > KASAN, too.
> > >
> > > And the only place we do call_rcu() is from rcu_pending.c, where we've
> > > got a rearming rcu callback - but we track whether it's outstanding, and
> > > we do all relevant operations with a lock held.
> > >
> > > And we only use rcu_pending.c with SRCU, not regular RCU.
> > >
> > > We do use kfree_rcu() in a few places (all boring, I expect), but that
> > > doesn't (generally?) use the rcu callback list.
> > >
> > Right, kvfree_rcu() does not intersect with regular callbacks, it has
> > its own path.
> >
> > It looks like the problem is here:
> >
> > <snip>
> > f = rhp->func;
> > debug_rcu_head_callback(rhp);
> > WRITE_ONCE(rhp->func, (rcu_callback_t)0L);
> > f(rhp);
> > <snip>
> >
> > we do not check if callback, "f", is a NULL. If it is, the kernel bug
> > is triggered right away. For example:
> >
> > call_rcu(&rh, NULL);
> >
> > @Paul, do you think it makes sense to narrow callers which apparently
> > pass NULL as a callback? To me it seems the case of this bug. But we
> > do not know the source.
> >
> > It would give at least a stack-trace of caller which passes a NULL.
>
> Adding a check for NULL func passed to __call_rcu_common(), you mean?
>
Yes. Currently there is no any check. So passing a NULL just triggers
kernel panic.
>
> That wouldn't hurt, and would either (as you say) catch the culprit
> or show that the problem is elsewhere.
>
I can add it then and send out the patch if no objections.
--
Uladzislau Rezki
next prev parent reply other threads:[~2025-06-09 8:35 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-05 0:34 [syzbot] [rcu?] [bcachefs?] BUG: unable to handle kernel NULL pointer dereference in rcu_core (3) syzbot
2025-02-05 14:56 ` Paul E. McKenney
2025-06-08 15:26 ` Kent Overstreet
2025-06-08 18:23 ` Uladzislau Rezki
2025-06-09 0:25 ` Paul E. McKenney
2025-06-09 8:35 ` Uladzislau Rezki [this message]
2025-06-09 9:47 ` Paul E. McKenney
2025-06-09 14:20 ` Joel Fernandes
2025-06-10 12:19 ` Uladzislau Rezki
2025-06-09 18:28 ` Vlastimil Babka
2025-06-10 12:33 ` Uladzislau Rezki
2025-06-08 6:58 ` [syzbot] [bcachefs?] [rcu?] " syzbot
2025-06-11 15:58 ` [syzbot] [rcu?] [bcachefs?] " Uladzislau Rezki
2025-06-11 18:02 ` [syzbot] [bcachefs?] [rcu?] " syzbot
2025-06-11 19:15 ` Uladzislau Rezki
2025-06-11 19:57 ` syzbot
2025-06-11 20:58 ` Boqun Feng
2025-06-12 7:42 ` Aleksandr Nogikh
2025-06-12 9:37 ` Uladzislau Rezki
2025-06-12 17:20 ` Boqun Feng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aEac1veMLffwOdv8@pc636 \
--to=urezki@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=josh@joshtriplett.org \
--cc=kent.overstreet@linux.dev \
--cc=linux-bcachefs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=paulmck@kernel.org \
--cc=rcu@vger.kernel.org \
--cc=syzbot+80e5d6f453f14a53383a@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.