* general protection fault in ext4_update_overhead
From: Sanan Hasanov @ 2023-09-12 23:02 UTC (permalink / raw)
To: tytso@mit.edu, adilger.kernel@dilger.ca,
linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: syzkaller@googlegroups.com, contact@pgazz.com
Good day, dear maintainers,
We found a bug using a modified kernel configuration file used by syzbot.
We enhanced the coverage of the configuration file using our tool, klocalizer.
Kernel Branch: 6.3.0-next-20230426
Kernel Config: https://drive.google.com/file/d/1xpe7qMUUYvHQFzqZGUzcco9jF97EwTqQ/view?usp=sharing
Reproducer: https://drive.google.com/file/d/1Q8ix6EiWrzx0bWLyoGTHP721KE4Ei3qf/view?usp=sharing
Thank you!
Best regards,
Sanan Hasanov
general protection fault, probably for non-canonical address 0xdffffc0000000009: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]
kobject: 'loop6' (00000000df72f20a): kobject_uevent_env
CPU: 2 PID: 20787 Comm: syz-executor.4 Not tainted 6.3.0-next-20230426 #1
kobject: 'loop6' (00000000df72f20a): fill_kobj_path: path = '/devices/virtual/block/loop6'
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:ext4_update_overhead+0xb3/0x1a0
Code: 00 00 e8 20 cd 57 ff 45 84 ed 0f 85 b1 00 00 00 e8 62 d2 57 ff 4c 8d 73 48 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 c8 00 00 00 4c 8b 6b 48 31 ff 4c 89 ee e8 95 cd
RSP: 0018:ffff88801d51fac8 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000009 RSI: ffffffff823198fe RDI: ffffffff823198f0
RBP: ffff88801d51fae8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8880516be000
R13: 0000000000000000 R14: 0000000000000048 R15: ffff8880516be000
FS: 00007f442e80f700(0000) GS:ffff88811a300000(0000) knlGS:0000000000000000
kobject: 'loop1' (00000000f3e7cad3): kobject_uevent_env
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kobject: 'loop1' (00000000f3e7cad3): fill_kobj_path: path = '/devices/virtual/block/loop1'
CR2: 0000555555bfdc88 CR3: 0000000050354000 CR4: 0000000000350ee0
Call Trace:
<TASK>
ext4_fill_super+0x30c8/0xb8d0
get_tree_bdev+0x447/0x770
ext4_get_tree+0x21/0x30
vfs_get_tree+0x97/0x370
path_mount+0x6d3/0x1fb0
__x64_sys_mount+0x2b2/0x340
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f442d69176e
Code: 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f442e80ea08 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f442d69176e
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f442e80ea60
RBP: 00007f442e80eaa0 R08: 00007f442e80eaa0 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000000
R13: 0000000020000100 R14: 00007f442e80ea60 R15: 00000000200008c0
</TASK>
Modules linked in:
kobject: 'loop2' (0000000027c67f3b): kobject_uevent_env
kobject: 'loop2' (0000000027c67f3b): fill_kobj_path: path = '/devices/virtual/block/loop2'
---[ end trace 0000000000000000 ]---
kobject: 'loop2' (0000000027c67f3b): kobject_uevent_env
RIP: 0010:ext4_update_overhead+0xb3/0x1a0
kobject: 'loop2' (0000000027c67f3b): fill_kobj_path: path = '/devices/virtual/block/loop2'
Code: 00 00 e8 20 cd 57 ff 45 84 ed 0f 85 b1 00 00 00 e8 62 d2 57 ff 4c 8d 73 48 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 c8 00 00 00 4c 8b 6b 48 31 ff 4c 89 ee e8 95 cd
RSP: 0018:ffff88801d51fac8 EFLAGS: 00010216
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000009 RSI: ffffffff823198fe RDI: ffffffff823198f0
RBP: ffff88801d51fae8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8880516be000
R13: 0000000000000000 R14: 0000000000000048 R15: ffff8880516be000
kobject: 'loop2' (0000000027c67f3b): kobject_uevent_env
FS: 00007f442e80f700(0000) GS:ffff88811a300000(0000) knlGS:0000000000000000
kobject: 'loop2' (0000000027c67f3b): kobject_uevent_env: uevent_suppress caused the event to drop!
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kobject: 'loop2' (0000000027c67f3b): kobject_uevent_env
kobject: 'loop2' (0000000027c67f3b): kobject_uevent_env: uevent_suppress caused the event to drop!
loop2: detected capacity change from 0 to 64
CR2: 00007f42967bd0b0 CR3: 0000000050354000 CR4: 0000000000350ee0
kobject: 'loop2' (0000000027c67f3b): kobject_uevent_env
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: e8 20 cd 57 ff call 0xff57cd27
7: 45 84 ed test %r13b,%r13b
a: 0f 85 b1 00 00 00 jne 0xc1
10: e8 62 d2 57 ff call 0xff57d277
15: 4c 8d 73 48 lea 0x48(%rbx),%r14
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 4c 89 f2 mov %r14,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 c8 00 00 00 jne 0xfc
34: 4c 8b 6b 48 mov 0x48(%rbx),%r13
38: 31 ff xor %edi,%edi
3a: 4c 89 ee mov %r13,%rsi
3d: e8 .byte 0xe8
3e: 95 xchg %eax,%ebp
3f: cd .byte 0xcd
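The first two lines of the splat can be decoded by hand from the numbers already in the trace, and that decoding is what tells you it is a NULL-pointer field access rather than a wild pointer. The trapping instruction is the compiler-inserted KASAN check: lea 0x48(%rbx),%r14 / shr $0x3,%rdx / cmpb $0x0,(%rdx,%rax,1) with RBX = 0 and RAX = dffffc0000000000 (the x86-64 KASAN shadow offset). The shadow byte for address 0x48 lives at (0x48 >> 3) + 0xdffffc0000000000 = 0xdffffc0000000009, which is a non-canonical address, so the load of the shadow byte raises #GP instead of a page fault; one shadow byte covers 8 bytes, hence the reported range 0x48-0x4f. The following C program is an added illustration of that arithmetic and is not part of the thread or of the kernel's code. It assumes generic KASAN on x86-64 with 4-level paging (17 sign bits), 4 KiB pages and the kernel's usual thresholds for labelling small addresses as null-ptr-deref; the TASK_SIZE boundary used for the user-memory-access label is an assumed constant.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

/* Generic KASAN on x86-64: one shadow byte covers 8 bytes of kernel memory,
 * and shadow = (addr >> 3) + KASAN_SHADOW_OFFSET.  Both constants are visible
 * in the trace above: "shr $0x3,%rdx" and RAX = dffffc0000000000. */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define PAGE_SIZE_X86            4096ULL            /* assumed 4 KiB pages */
#define TASK_SIZE_X86_64         0x00007fffffffffffULL /* assumed user/kernel split */

struct kasan_decode {
    uint64_t shadow;        /* address the CPU actually faulted on */
    uint64_t start;         /* first byte of the 8-byte granule being checked */
    uint64_t end;           /* last byte of that granule */
    bool shadow_canonical;  /* false -> #GP rather than a page fault */
    const char *bug_type;   /* null-ptr-deref / user-memory-access / wild-memory-access */
};

/* Shadow address the compiler-inserted check loads for a given kernel address. */
uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse mapping: recover the first address covered by a shadow byte. */
uint64_t kasan_shadow_to_addr(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* x86-64 canonical form with 48-bit virtual addresses: bits 63..47 must all
 * be equal.  A data access to a non-canonical address raises #GP, which is why
 * the report header says "general protection fault" and not "unable to handle
 * page fault". */
bool x86_64_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;          /* the 17 sign bits */
    return top == 0 || top == 0x1ffff;
}

/* Labelling used in the "KASAN: ... in range" line: an address below one page
 * is taken to be a NULL pointer plus a field offset. */
const char *kasan_wild_bug_type(uint64_t addr)
{
    if (addr < PAGE_SIZE_X86)
        return "null-ptr-deref";
    if (addr < TASK_SIZE_X86_64)
        return "user-memory-access";
    return "wild-memory-access";
}

/* Decode a faulting shadow address copied out of a GPF/KASAN splat. */
struct kasan_decode kasan_decode_fault(uint64_t shadow)
{
    struct kasan_decode d;
    d.shadow = shadow;
    d.start = kasan_shadow_to_addr(shadow);
    d.end = d.start + (1ULL << KASAN_SHADOW_SCALE_SHIFT) - 1;
    d.shadow_canonical = x86_64_canonical(shadow);
    d.bug_type = kasan_wild_bug_type(d.start);
    return d;
}

int main(void)
{
    /* Values copied from the report above. */
    const uint64_t fault = 0xdffffc0000000009ULL;
    struct kasan_decode d = kasan_decode_fault(fault);

    printf("faulting shadow address : 0x%016llx (%s)\n",
           (unsigned long long)d.shadow,
           d.shadow_canonical ? "canonical" : "non-canonical, raises #GP");
    printf("access being checked    : [0x%llx-0x%llx]\n",
           (unsigned long long)d.start, (unsigned long long)d.end);
    printf("KASAN bug type          : %s\n", d.bug_type);

    /* Cross-check against the disassembly: lea 0x48(%rbx),%r14 with RBX = 0. */
    const uint64_t rbx = 0, field_off = 0x48;
    printf("shadow(%%rbx+0x%llx)       : 0x%016llx\n",
           (unsigned long long)field_off,
           (unsigned long long)kasan_shadow_addr(rbx + field_off));
    return 0;
}
```

Run against the trace's numbers it reproduces the header exactly: the shadow for 0x48 is 0xdffffc0000000009, that address is non-canonical, and the granule is 0x48-0x4f. The practical takeaway for triage is that the 0x48 is a structure field offset off a NULL pointer reached in ext4_update_overhead; which structure it is cannot be told from the splat alone and needs the matching vmlinux, which is one reason the replies ask for a proper syzbot report.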
* Re: general protection fault in ext4_update_overhead
From: Theodore Ts'o @ 2023-09-12 23:41 UTC (permalink / raw)
To: Sanan Hasanov
Cc: adilger.kernel@dilger.ca, linux-ext4@vger.kernel.org,
linux-kernel@vger.kernel.org, syzkaller@googlegroups.com,
contact@pgazz.com
On Tue, Sep 12, 2023 at 11:02:35PM +0000, Sanan Hasanov wrote:
> Good day, dear maintainers,
>
> We found a bug using a modified kernel configuration file used by syzbot.
>
> We enhanced the coverage of the configuration file using our tool, klocalizer.
>
> Kernel Branch: 6.3.0-next-20230426
> Kernel Config: https://drive.google.com/file/d/1xpe7qMUUYvHQFzqZGUzcco9jF97EwTqQ/view?usp=sharing
> Reproducer: https://drive.google.com/file/d/1Q8ix6EiWrzx0bWLyoGTHP721KE4Ei3qf/view?usp=sharing
The reproducer is a zero-length file. So I can do nothing with this
report.
Note that the official syzbot instance will do automatic bisection,
and will allow us to test patches. The official syzbot instance also
processes the console output so that the stack trace has line numbers
and clickable links to the kernel sources.
This report is **much** less useful than the syzbot report, so please
don't be surprised if people treat this at a significantly lower
priority. (Even if the reproducer wasn't a zero length file. :-P )
- Ted
* Re: general protection fault in ext4_update_overhead
From: Darrick J. Wong @ 2023-09-12 23:50 UTC (permalink / raw)
To: Theodore Ts'o
Cc: Sanan Hasanov, adilger.kernel@dilger.ca,
linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller@googlegroups.com, contact@pgazz.com
On Tue, Sep 12, 2023 at 07:41:12PM -0400, Theodore Ts'o wrote:
> On Tue, Sep 12, 2023 at 11:02:35PM +0000, Sanan Hasanov wrote:
> > Good day, dear maintainers,
> >
> > We found a bug using a modified kernel configuration file used by syzbot.
> >
> > We enhanced the coverage of the configuration file using our tool, klocalizer.
> >
> > Kernel Branch: 6.3.0-next-20230426
Also this was from ^^^^^^^^ four months ago.
Why are you wasting Ted and everyone else's time with this?
--D
> > Kernel Config: https://drive.google.com/file/d/1xpe7qMUUYvHQFzqZGUzcco9jF97EwTqQ/view?usp=sharing
> > Reproducer: https://drive.google.com/file/d/1Q8ix6EiWrzx0bWLyoGTHP721KE4Ei3qf/view?usp=sharing
>
> The reproducer is a zero-length file. So I can do nothing with this
> report.
>
> Note that the official syzbot instance will do automatic bisection,
> and will allow us to test patches. The official syzbot instance also
> processes the console output so that the stack trace has line numbers
> and clickable links to the kernel sources.
>
> This report is **much** less useful than the syzbot report, so please
> don't be surprised if people treat this at a significantly lower
> priority. (Even if the reproducer wasn't a zero length file. :-P )
>
> - Ted