2024-06-10 04:17:05

by Zhang Zhiyu

Subject: [Kernel 6.6.30+] BUG: corrupted list in dma_buf_file_release

Hi upstream maintainers and community,

We found a Linux kernel bug with our modified Syzkaller.
====================== Meta info =======================
Kernel version: 6.6.30
Compiler: clang-16.0.6
Affected file: drivers/dma-buf/dma-buf.c:100
Attachments: syzbot config, C & Syz reproducers
=================== How to reproduce ====================
This bug can be stably reproduced on 6.6.32 with or without sanitizers (KASAN)

1. Create a brand new image through syzkaller script: create-image.sh
2. Compile the repro.c with gcc repro.c -lpthread -o repro, and execute it
3. Observe the kernel panic
======================= Report ========================
list_del corruption, ffff8881095bf098->next is LIST_POISON1 (dead000000000100)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:58!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8076 Comm: syz-executor123 Not tainted 6.6.30 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:__list_del_entry_valid_or_report+0xe9/0x130 lib/list_debug.c:56
Code: 48 89 de e8 19 81 8e 06 0f 0b 48 c7 c7 20 82 7b 8b 48 89 de e8
08 81 8e 06 0f 0b 48 c7 c7 80 82 7b 8b 48 89 de e8 f7 80 8e 06 <0f> 0b
48 c7 c7 e0 82 7b 8b 48 89 de e8 e6 80 8e 06 0f 0b 48 c7 c7
RSP: 0018:ffffc900029f7a88 EFLAGS: 00010246
RAX: 000000000000004e RBX: ffff8881095bf098 RCX: da38cb9f4384fa00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000002 R08: ffffc900029f7767 R09: 1ffff9200053eeec
R10: dffffc0000000000 R11: fffff5200053eeed R12: dffffc0000000000
R13: dffffc0000000000 R14: dead000000000100 R15: dead000000000122
FS: 00007fe9aa53f700(0000) GS:ffff888135c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000004 CR3: 000000010e6ac000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]
dma_buf_file_release+0x9e/0x190 drivers/dma-buf/dma-buf.c:100
__fput+0x425/0x940 fs/file_table.c:384
task_work_run+0x252/0x310 kernel/task_work.c:180
get_signal+0x15a2/0x1780 kernel/signal.c:2668
arch_do_signal_or_restart+0x96/0x840 arch/x86/kernel/signal.c:309
exit_to_user_mode_loop+0x70/0x110 kernel/entry/common.c:174
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x64/0x270 kernel/entry/common.c:302
do_syscall_64+0x4b/0xb0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x4516dd
Code: c3 e8 27 2a 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe9aa53ecd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00000000004e1478 RCX: 00000000004516dd
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000004e1478
RBP: 00000000004e1470 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004e147c
R13: 00007ffe79e314af R14: 00007ffe79e315c0 R15: 00007fe9aa53edc0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0xe9/0x130 lib/list_debug.c:56
Code: 48 89 de e8 19 81 8e 06 0f 0b 48 c7 c7 20 82 7b 8b 48 89 de e8
08 81 8e 06 0f 0b 48 c7 c7 80 82 7b 8b 48 89 de e8 f7 80 8e 06 <0f> 0b
48 c7 c7 e0 82 7b 8b 48 89 de e8 e6 80 8e 06 0f 0b 48 c7 c7
RSP: 0018:ffffc900029f7a88 EFLAGS: 00010246
RAX: 000000000000004e RBX: ffff8881095bf098 RCX: da38cb9f4384fa00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000002 R08: ffffc900029f7767 R09: 1ffff9200053eeec
R10: dffffc0000000000 R11: fffff5200053eeed R12: dffffc0000000000
R13: dffffc0000000000 R14: dead000000000100 R15: dead000000000122
FS: 00007fe9aa53f700(0000) GS:ffff888135c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000004 CR3: 000000010e6ac000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
======================= Analysis ========================
By debugging the kernel with the reproducer in gdb, we found that the
number of executions of dma_buf_file_release was not fixed, but the list
would always be corrupted and panic the kernel. Since the bug can only
be triggered in a newly created image, we guess that the other
operations in the syz reproducer may interact with the environment,
which stably crashes the list in dmabuf.

Hope these findings are of help for fixing this bug. Please let
me know if there is anything I can help with. And I wish you a good day!

Best,
Zhiyu Zhang


Attachments:
repro.cprog (17.37 kB)
repro.prog (2.18 kB)
repro.report (3.68 kB)
syzbot-6.6-nosan.config (240.07 kB)
gdb-step_in_continue.png (1.78 MB)
gdb-crashed.png (1.91 MB)
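Editor's note on the first line of the report: "->next is LIST_POISON1" is the kernel's list-debug check catching a node that was already unlinked once, which is the signature of a double list_del() on the same entry. The following user-space model is added here to show that mechanism; it is not the reporter's code and not the kernel's, only a simplified re-implementation of list_del() poisoning and of the checks in __list_del_entry_valid_or_report(), with the poison constants as defined in include/linux/poison.h.

```c
#include <stdbool.h>
#include <stdio.h>
/* Poison values written into a deleted node (include/linux/poison.h). */
#define LIST_POISON1 ((struct list_head *)0xdead000000000100ULL)
#define LIST_POISON2 ((struct list_head *)0xdead000000000122ULL)

struct list_head { struct list_head *next, *prev; };
static void init_list_head(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *entry, struct list_head *head)
{
    entry->next = head->next; entry->prev = head;
    head->next->prev = entry; head->next = entry;
}
/* Model of __list_del_entry_valid_or_report(); returns false where the kernel
 * would BUG(). Poison checks run first so a poisoned pointer is never dereferenced. */
static bool list_del_entry_valid(const struct list_head *e)
{
    const void *p = e;
    if (e->next == LIST_POISON1)
        return printf("list_del corruption, %p->next is LIST_POISON1\n", p), false;
    if (e->prev == LIST_POISON2)
        return printf("list_del corruption, %p->prev is LIST_POISON2\n", p), false;
    if (e->prev->next != e || e->next->prev != e)
        return printf("list_del corruption, neighbours of %p are inconsistent\n", p), false;
    return true;
}

/* list_del(): validate, unlink, then poison so a repeated delete is caught. */
static bool list_del(struct list_head *e)
{
    if (!list_del_entry_valid(e))
        return false;
    e->prev->next = e->next;
    e->next->prev = e->prev;
    e->next = LIST_POISON1;
    e->prev = LIST_POISON2;
    return true;
}

/* Scenario matching the report: the same node is unlinked twice (constructed
 * sample list). Returns 1 when the first delete succeeds and the second is rejected. */
static int double_delete_detected(void)
{
    struct list_head head, node;
    init_list_head(&head);
    list_add(&node, &head);
    bool first = list_del(&node);   /* valid: unlinks and poisons node */
    bool second = list_del(&node);  /* caught: node.next == LIST_POISON1 */
    return first && !second;
}
```

In the real kernel the failing check ends in BUG(), which is why the report shows "kernel BUG at lib/list_debug.c" rather than a recoverable error.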