Dear Linux Developer,
Recently, when using our tool to fuzz the kernel, the following crash was triggered:
HEAD commit: 64570fbc14f8 Linux 5.15-rc5
git tree: upstream
compiler: gcc 8.0.1
console output:
https://drive.google.com/file/d/1AdHbN-IWDhcwHKqvdfNnePbFeJkAllIB/view?usp=share_link
kernel config: https://drive.google.com/file/d/1uDOeEYgJDcLiSOrx9W8v2bqZ6uOA_55t/view?usp=share_link
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <[email protected]>
BUG: kernel NULL pointer dereference, address: 0000000000000038
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 2981 Comm: systemd-journal Not tainted 5.15.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:debug_check_no_obj_freed+0xa0/0x1e0
Code: 03 4c 8d a3 48 7e 2f 89 4c 89 e7 45 31 ff e8 57 db 61 02 48 89
c6 48 c7 c0 40 7e 2f 89 4c 8b 2c 18 4d 85 ed 74 70 41 83 c7 01 <4d> 8b
4d 18 4c 39 4c 24 20 4d 8b 45 00 77 52 4c 3b 4c 24 10 73 4b
RSP: 0000:ffffc900007c7a90 EFLAGS: 00010002
RAX: ffffffff892f7e40 RBX: 0000000000016890 RCX: 00000000ffffbe79
RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffffffff8930e6d8
RBP: ffff888105359000 R08: 0000000000000020 R09: 0000000000000000
R10: ffffffff8930e6f0 R11: 0000000000000000 R12: ffffffff8930e6d8
R13: 0000000000000020 R14: 0000000000000000 R15: 000000000000000e
FS: 0000000000000000(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000038 CR3: 000000000628a000 CR4: 00000000003506e0
Call Trace:
slab_free_freelist_hook+0xcc/0x160
kmem_cache_free+0x8f/0x490
unlink_anon_vmas+0x200/0x2e0
free_pgtables+0x163/0x1b0
exit_mmap+0x104/0x320
mmput+0xc8/0x1e0
do_exit+0x527/0x1430
do_group_exit+0x6f/0x120
get_signal+0x260/0x1520
arch_do_signal_or_restart+0xa9/0x870
exit_to_user_mode_prepare+0x138/0x280
irqentry_exit_to_user_mode+0x5/0x40
exc_page_fault+0x4a4/0x1130
asm_exc_page_fault+0x1e/0x30
RIP: 0033:0x7f9422a41200
Code: Unable to access opcode bytes at RIP 0x7f9422a411d6.
RSP: 002b:00007fffa498a478 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000564bd2afeaf0 RCX: 0000564bd2afeaf0
RDX: 0000000000000800 RSI: 0000564bd2afeb2d RDI: 0000000000000013
RBP: 0000000000000011 R08: 0000000000000008 R09: 00007fffa49a60f0
R10: 000000000008b2fc R11: 0000000000000202 R12: 0000564bd2aff370
R13: 00007fffa498a5a8 R14: 0000564bd2631958 R15: 000d715db535b416
Modules linked in:
CR2: 0000000000000038
---[ end trace d79df620a6156371 ]---
RIP: 0010:debug_check_no_obj_freed+0xa0/0x1e0
Code: 03 4c 8d a3 48 7e 2f 89 4c 89 e7 45 31 ff e8 57 db 61 02 48 89
c6 48 c7 c0 40 7e 2f 89 4c 8b 2c 18 4d 85 ed 74 70 41 83 c7 01 <4d> 8b
4d 18 4c 39 4c 24 20 4d 8b 45 00 77 52 4c 3b 4c 24 10 73 4b
RSP: 0000:ffffc900007c7a90 EFLAGS: 00010002
RAX: ffffffff892f7e40 RBX: 0000000000016890 RCX: 00000000ffffbe79
RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffffffff8930e6d8
RBP: ffff888105359000 R08: 0000000000000020 R09: 0000000000000000
R10: ffffffff8930e6f0 R11: 0000000000000000 R12: ffffffff8930e6d8
R13: 0000000000000020 R14: 0000000000000000 R15: 000000000000000e
FS: 0000000000000000(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000038 CR3: 000000000628a000 CR4: 00000000003506e0
----------------
Code disassembly (best guess):
0: 03 4c 8d a3 add -0x5d(%rbp,%rcx,4),%ecx
4: 48 7e 2f rex.W jle 0x36
7: 89 4c 89 e7 mov %ecx,-0x19(%rcx,%rcx,4)
b: 45 31 ff xor %r15d,%r15d
e: e8 57 db 61 02 callq 0x261db6a
13: 48 89 c6 mov %rax,%rsi
16: 48 c7 c0 40 7e 2f 89 mov $0xffffffff892f7e40,%rax
1d: 4c 8b 2c 18 mov (%rax,%rbx,1),%r13
21: 4d 85 ed test %r13,%r13
24: 74 70 je 0x96
26: 41 83 c7 01 add $0x1,%r15d
* 2a: 4d 8b 4d 18 mov 0x18(%r13),%r9 <-- trapping instruction
2e: 4c 39 4c 24 20 cmp %r9,0x20(%rsp)
33: 4d 8b 45 00 mov 0x0(%r13),%r8
37: 77 52 ja 0x8b
39: 4c 3b 4c 24 10 cmp 0x10(%rsp),%r9
3e: 73 4b jae 0x8b
Best,
Wei
On 30/10/2022 at 10:23, Wei Chen wrote:
> Dear Linux Developer,
>
> Recently, when using our tool to fuzz the kernel, the following crash was triggered:
>
> HEAD commit: 64570fbc14f8 Linux 5.15-rc5
Hi,
Any reason to run your fuzzer on 5.15-rc5?
We are at 5.15.76 and many things have already been fixed in the 5.15
branch.
5.15 is also old.
CJ
Dear Linux developers,
The bug persists in 5.15.76. Unfortunately, we do not have a reproducer either.
BUG: kernel NULL pointer dereference, address: 0000000000000038
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 10876 Comm: systemd-udevd Not tainted 5.15.76 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:__debug_check_no_obj_freed lib/debugobjects.c:983 [inline]
RIP: 0010:debug_check_no_obj_freed+0xc7/0x210 lib/debugobjects.c:1023
Code: 48 89 34 24 48 8b 3c 24 45 31 ff e8 63 d6 fc 01 48 8b 54 24 20
48 89 44 24 18 48 c7 c0 a0 a9 82 88 48 8b 04 10 48 85 c0 74 4b <48> 8b
48 18 41 83 c7 01 4c 8b 30 48 39 cb 77 2e 48 39 e9 73 29 83
RSP: 0018:ffffc9000d3dfbb8 EFLAGS: 00010002
RAX: 0000000000000020 RBX: ffff88811741d000 RCX: 0000000000000000
RDX: 0000000000099b40 RSI: ffffffff852b51d8 RDI: ffffffff888c44e8
RBP: ffff88811741e000 R08: 0000000000000000 R09: 0000000000000001
R10: ffffc9000d3dfa60 R11: 0000000000000001 R12: dead000000000122
R13: dead000000000100 R14: 0000000000000020 R15: 0000000000000003
FS: 00007f29edb2a8c0(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000038 CR3: 000000010cc24000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
free_pages_prepare mm/page_alloc.c:1345 [inline]
free_pcp_prepare+0x177/0x490 mm/page_alloc.c:1391
free_unref_page_prepare mm/page_alloc.c:3317 [inline]
free_unref_page_list+0x8a/0x660 mm/page_alloc.c:3433
release_pages+0x1d2/0x1140 mm/swap.c:963
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:242 [inline]
tlb_flush_mmu+0x60/0x1e0 mm/mmu_gather.c:249
tlb_finish_mmu+0x5f/0xb0 mm/mmu_gather.c:340
unmap_region+0x155/0x1a0 mm/mmap.c:2668
__do_munmap+0x292/0x6f0 mm/mmap.c:2899
__vm_munmap+0x96/0x180 mm/mmap.c:2922
__do_sys_munmap mm/mmap.c:2948 [inline]
__se_sys_munmap mm/mmap.c:2944 [inline]
__x64_sys_munmap+0x2a/0x30 mm/mmap.c:2944
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x34/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f29ec9a66e7
Code: c7 c0 ff ff ff ff eb 8d 48 8b 15 ac 47 2b 00 f7 d8 64 89 02 e9
5b ff ff ff 66 2e 0f 1f 84 00 00 00 00 00 b8 0b 00 00 00 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 8b 0d 81 47 2b 00 f7 d8 64 89 01 48
RSP: 002b:00007ffd3fcf6c98 EFLAGS: 00000207 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 00000000000c3c94 RCX: 00007f29ec9a66e7
RDX: 00007f29edae9000 RSI: 0000000000041000 RDI: 00007f29edae9000
RBP: 0000000000000021 R08: 0000557c1a93c0d0 R09: 0000000000000000
R10: 0000000000000210 R11: 0000000000000207 R12: 0000557c1a872ea0
R13: 0000557c1a872ef0 R14: 00007f29ed709aa4 R15: 00007f29edae9028
</TASK>
Modules linked in:
CR2: 0000000000000038
---[ end trace 850a1b705a5c4266 ]---
RIP: 0010:__debug_check_no_obj_freed lib/debugobjects.c:983 [inline]
RIP: 0010:debug_check_no_obj_freed+0xc7/0x210 lib/debugobjects.c:1023
Code: 48 89 34 24 48 8b 3c 24 45 31 ff e8 63 d6 fc 01 48 8b 54 24 20
48 89 44 24 18 48 c7 c0 a0 a9 82 88 48 8b 04 10 48 85 c0 74 4b <48> 8b
48 18 41 83 c7 01 4c 8b 30 48 39 cb 77 2e 48 39 e9 73 29 83
RSP: 0018:ffffc9000d3dfbb8 EFLAGS: 00010002
RAX: 0000000000000020 RBX: ffff88811741d000 RCX: 0000000000000000
RDX: 0000000000099b40 RSI: ffffffff852b51d8 RDI: ffffffff888c44e8
RBP: ffff88811741e000 R08: 0000000000000000 R09: 0000000000000001
R10: ffffc9000d3dfa60 R11: 0000000000000001 R12: dead000000000122
R13: dead000000000100 R14: 0000000000000020 R15: 0000000000000003
FS: 00007f29edb2a8c0(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000038 CR3: 000000010cc24000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 48 89 34 24 mov %rsi,(%rsp)
4: 48 8b 3c 24 mov (%rsp),%rdi
8: 45 31 ff xor %r15d,%r15d
b: e8 63 d6 fc 01 callq 0x1fcd673
10: 48 8b 54 24 20 mov 0x20(%rsp),%rdx
15: 48 89 44 24 18 mov %rax,0x18(%rsp)
1a: 48 c7 c0 a0 a9 82 88 mov $0xffffffff8882a9a0,%rax
21: 48 8b 04 10 mov (%rax,%rdx,1),%rax
25: 48 85 c0 test %rax,%rax
28: 74 4b je 0x75
* 2a: 48 8b 48 18 mov 0x18(%rax),%rcx <-- trapping instruction
2e: 41 83 c7 01 add $0x1,%r15d
32: 4c 8b 30 mov (%rax),%r14
35: 48 39 cb cmp %rcx,%rbx
38: 77 2e ja 0x68
3a: 48 39 e9 cmp %rbp,%rcx
3d: 73 29 jae 0x68
3f: 83 .byte 0x83
Best,
Wei
On Mon, 31 Oct 2022 at 00:43, Christophe JAILLET
<[email protected]> wrote:
>
> On 30/10/2022 at 10:23, Wei Chen wrote:
> > Dear Linux Developer,
> >
> > Recently, when using our tool to fuzz the kernel, the following crash was triggered:
> >
> > HEAD commit: 64570fbc14f8 Linux 5.15-rc5
>
> Hi,
>
> Any reason to run your fuzzer on 5.15-rc5?
>
> We are at 5.15.76 and many things have already been fixed in the 5.15
> branch.
>
> 5.15 is also old.
>
> CJ
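A triage check for the two oopses above, added here as an example and not part of the thread: it parses the register dump and the "trapping instruction" line of the best-guess disassembly, recomputes the effective address of the faulting memory operand, and confirms it equals CR2. For both reports the base register (R13 on 5.15-rc5, RAX on 5.15.76) holds 0x20 and the 0x18 displacement lands exactly on the reported fault address 0x38. The sample input is constructed from the register and disassembly lines quoted in the thread; the helper names are my own.

```python
import re

# Constructed sample input: the register lines and the trapping instruction are
# copied from the two oopses in this thread (5.15-rc5 and 5.15.76 reports).
OOPS_RC5 = """\
R13: 0000000000000020 R14: 0000000000000000 R15: 000000000000000e
CR2: 0000000000000038 CR3: 000000000628a000 CR4: 00000000003506e0
* 2a: 4d 8b 4d 18 mov 0x18(%r13),%r9 <-- trapping instruction
"""
OOPS_5_15_76 = """\
RAX: 0000000000000020 RBX: ffff88811741d000 RCX: 0000000000000000
CR2: 0000000000000038 CR3: 000000010cc24000 CR4: 00000000003506e0
* 2a: 48 8b 48 18 mov 0x18(%rax),%rcx <-- trapping instruction
"""

# "RAX: <16 hex digits>" pairs; RSP carries a "0000:" segment prefix that is skipped.
REG_RE = re.compile(r"\b([A-Z0-9]{2,3}): (?:[0-9a-f]{4}:)?([0-9a-f]{16})\b")
# AT&T memory operand: [disp](%base[,%index,scale])
MEM_RE = re.compile(r"(-?0x[0-9a-f]+)?\((%[a-z0-9]+)(?:,(%[a-z0-9]+),([1248]))?\)")

def parse_registers(oops):
    """Map register names (RAX, R13, CR2, ...) to their dumped values."""
    return {name: int(val, 16) for name, val in REG_RE.findall(oops)}

def analyze_trap(oops):
    """Recompute the effective address of the trapping instruction's memory
    operand from the register dump and compare it with CR2 (the fault address).
    Returns None if the dump has no parsable trapping instruction."""
    regs = parse_registers(oops)
    line = next((l for l in oops.splitlines() if "trapping instruction" in l), None)
    m = MEM_RE.search(line) if line else None
    if not m or "CR2" not in regs:
        return None
    disp, base, index, scale = m.groups()
    base_name = base.lstrip("%").upper()
    ea = regs[base_name]
    if index:
        ea += regs[index.lstrip("%").upper()] * int(scale)
    if disp:
        ea += int(disp, 16)
    ea &= (1 << 64) - 1  # wrap like the CPU does for negative displacements
    return {"base": base_name, "base_value": regs[base_name],
            "effective": ea, "cr2": regs["CR2"], "matches_cr2": ea == regs["CR2"]}

if __name__ == "__main__":
    for name, oops in (("5.15-rc5", OOPS_RC5), ("5.15.76", OOPS_5_15_76)):
        r = analyze_trap(oops)
        print(f"{name}: {r['base']}=0x{r['base_value']:x} + disp -> "
              f"0x{r['effective']:x}, CR2=0x{r['cr2']:x}, match={r['matches_cr2']}")
```

Feeding the full console output linked in the report to the same functions works unchanged, since the register and disassembly lines keep this layout.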