2021-10-14 02:37:31

by Hao Sun

Subject: KASAN: null-ptr-deref Write in __pm_runtime_resume

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: 64570fbc14f8 Linux 5.15-rc5
git tree: upstream
console output: https://drive.google.com/file/d/1PxZuz-gH7uq_cTOv4acy5QHJJdeDLtUP/view?usp=sharing
kernel config: https://drive.google.com/file/d/1em3xgUIMNN_-LUUdySzwN-UDPc3qiiKD/view?usp=sharing
C reproducer: https://drive.google.com/file/d/1MvRSzjAxkpHTM5OheyQQOjSEsLdSNsFl/view?usp=sharing
Syzlang reproducer: https://drive.google.com/file/d/1tL_4a8DbjmlbQ7pylunO9cCp24bFNh9k/view?usp=sharing

If you fix this issue, please add the following tag to the commit:
Reported-by: Hao Sun <[email protected]>

Bluetooth: : Invalid header checksum
Bluetooth: : Invalid header checksum
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc include/linux/atomic/atomic-instrumented.h:181 [inline]
BUG: KASAN: null-ptr-deref in __pm_runtime_resume+0x132/0x180 drivers/base/power/runtime.c:1105
Write of size 4 at addr 0000000000000388 by task kworker/u9:4/661

CPU: 0 PID: 661 Comm: kworker/u9:4 Not tainted 5.15.0-rc5 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: events_unbound flush_to_ldisc
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
__kasan_report mm/kasan/report.c:446 [inline]
kasan_report.cold+0x66/0xdf mm/kasan/report.c:459
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x14e/0x1b0 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic_inc include/linux/atomic/atomic-instrumented.h:181 [inline]
__pm_runtime_resume+0x132/0x180 drivers/base/power/runtime.c:1105
pm_runtime_get include/linux/pm_runtime.h:374 [inline]
h5_recv+0x2c4/0x680 drivers/bluetooth/hci_h5.c:590
hci_uart_tty_receive+0x24d/0x710 drivers/bluetooth/hci_ldisc.c:613
tty_ldisc_receive_buf+0x14d/0x190 drivers/tty/tty_buffer.c:475
tty_port_default_receive_buf+0x6e/0xa0 drivers/tty/tty_port.c:39
receive_buf drivers/tty/tty_buffer.c:491 [inline]
flush_to_ldisc+0x20d/0x380 drivers/tty/tty_buffer.c:543
process_one_work+0x9df/0x16d0 kernel/workqueue.c:2297
worker_thread+0x90/0xed0 kernel/workqueue.c:2444
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
==================================================================
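Added triage example, not part of Hao Sun's report and not code from the kernel or Healer projects: a small Python parser that reads the KASAN report above and pulls out what a responder needs to bucket and route it, namely the bug kind, the access type and size, the faulting address (a value inside the first page such as 0x388 is NULL plus a struct field offset, so a NULL struct pointer was dereferenced), the reporting task, the first call-trace frame outside the sanitizer plumbing (the culprit, here `__pm_runtime_resume` at `drivers/base/power/runtime.c:1105`), and the first frame inside a subsystem of interest (here `h5_recv` under `drivers/bluetooth/`). The sample text is the report above with the wrapped `BUG:` lines rejoined; the `NOISE_PREFIXES` list, the first-page heuristic and the `signature()` dedupe key are my assumptions, not anything the report or the kernel defines.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the KASAN report from the post above, "BUG:" lines rejoined.
KASAN_REPORT = """\
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc include/linux/atomic/atomic-instrumented.h:181 [inline]
BUG: KASAN: null-ptr-deref in __pm_runtime_resume+0x132/0x180 drivers/base/power/runtime.c:1105
Write of size 4 at addr 0000000000000388 by task kworker/u9:4/661
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
__kasan_report mm/kasan/report.c:446 [inline]
kasan_report.cold+0x66/0xdf mm/kasan/report.c:459
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x14e/0x1b0 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic_inc include/linux/atomic/atomic-instrumented.h:181 [inline]
__pm_runtime_resume+0x132/0x180 drivers/base/power/runtime.c:1105
pm_runtime_get include/linux/pm_runtime.h:374 [inline]
h5_recv+0x2c4/0x680 drivers/bluetooth/hci_h5.c:590
hci_uart_tty_receive+0x24d/0x710 drivers/bluetooth/hci_ldisc.c:613
tty_ldisc_receive_buf+0x14d/0x190 drivers/tty/tty_buffer.c:475
tty_port_default_receive_buf+0x6e/0xa0 drivers/tty/tty_port.c:39
receive_buf drivers/tty/tty_buffer.c:491 [inline]
flush_to_ldisc+0x20d/0x380 drivers/tty/tty_buffer.c:543
process_one_work+0x9df/0x16d0 kernel/workqueue.c:2297
worker_thread+0x90/0xed0 kernel/workqueue.c:2444
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
==================================================================
"""

BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)"
                    r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<loc>\S+)( \[inline\])?$")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)$")
FRAME_RE = re.compile(r"^(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? "
                      r"(?P<loc>\S+)(?P<inline> \[inline\])?$")
# Assumed: sanitizer/report plumbing paths to skip when naming the culprit frame.
NOISE_PREFIXES = ("mm/kasan/", "lib/dump_stack.c",
                  "include/linux/instrumented.h", "include/linux/atomic/")
PAGE_SIZE = 4096  # the first page is never mapped, so addr < 4096 means NULL + offset

@dataclass
class Frame:
    func: str
    loc: str
    inline: bool

@dataclass
class KasanReport:
    kind: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    frames: list = field(default_factory=list)

    def addr_class(self) -> str:
        # NULL plus a struct field offset: a NULL struct pointer was dereferenced.
        return "null-page" if self.addr < PAGE_SIZE else "other"

    def culprit(self):
        # First call-trace frame that is not sanitizer/report machinery.
        return next((f for f in self.frames if not f.loc.startswith(NOISE_PREFIXES)), None)

    def first_frame_under(self, prefix: str):
        # First frame inside a subsystem of interest, e.g. "drivers/bluetooth/".
        return next((f for f in self.frames if f.loc.startswith(prefix)), None)

    def signature(self) -> str:
        # Stable key for de-duplicating repeated fuzzer reports of the same bug.
        c = self.culprit()
        return f"{self.kind}:{self.op}:{c.func if c else '?'}"

def parse_kasan_report(text: str) -> KasanReport:
    rep, in_trace = KasanReport(), False
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "Call Trace:":
            in_trace = True
        elif in_trace:
            m = FRAME_RE.match(line)
            if m:
                rep.frames.append(Frame(m["func"], m["loc"], bool(m["inline"])))
            else:
                in_trace = False  # "====" or any non-frame line ends the trace
        elif (m := BUG_RE.match(line)):
            rep.kind = m["kind"]  # identical on every "BUG:" line
        elif (m := ACCESS_RE.match(line)):
            rep.op, rep.size = m["op"], int(m["size"])
            rep.addr, rep.task = int(m["addr"], 16), m["task"]
    return rep

if __name__ == "__main__":
    r = parse_kasan_report(KASAN_REPORT)
    print(r.signature(), f"addr=0x{r.addr:x} ({r.addr_class()})", f"task={r.task}")
    print("culprit:", r.culprit().func, "at", r.culprit().loc)
```

The culprit frame is the right dedupe key because the inlined `atomic_inc` and `instrument_atomic_read_write` frames above it are shared by every KASAN report on an atomic access; keying on them would merge unrelated bugs. The `first_frame_under("drivers/bluetooth/")` lookup is what you would use to route the report to the subsystem that called into runtime PM with an unexpected device pointer.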