2024-04-20 04:41:02

by Marius Fleischer

Subject: general protection fault in bio_associate_blkg_from_css

Hi,


We would like to report the following bug which has been found by our
modified version of syzkaller.

======================================================
description: general protection fault in bio_associate_blkg_from_css
affected file: block/blk-cgroup.c
kernel version: 5.15.156
kernel commit: c52b9710c83d3b8ab63bb217cc7c8b61e13f12cd
git tree: upstream
kernel config: attached
crash reproducer: attached
======================================================

Crash log:

general protection fault, probably for non-canonical address
0xdffffc00000000ba: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000005d0-0x00000000000005d7]
CPU: 1 PID: 6609 Comm: syz-executor.3 Not tainted 5.15.156 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1
04/01/2014
RIP: 0010:blkg_tryget_closest block/blk-cgroup.c:1831 [inline]
RIP: 0010:bio_associate_blkg_from_css+0x134/0x1050 block/blk-cgroup.c:1865
Code: 80 3c 02 00 0f 85 f0 0d 00 00 48 8b 04 24 48 8b 58 08 48 b8 00 00 00
00 00 fc ff df 48 8d bb d0 05 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f
85 d0 0d 00 00 48 8b 9b d0 05 00 00 48 b8 00 00 00
RSP: 0018:ffffc90001b9fa40 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83c79b2c
RDX: 00000000000000ba RSI: ffffffff83c78fd1 RDI: 00000000000005d0
RBP: ffff88802077bb40 R08: 0000000000000000 R09: ffffffff8fd95a27
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88804cb71000
R13: ffff888090f74000 R14: 0000000000000000 R15: ffff88804cb71000
FS: 000055555585b480(0000) GS:ffff888135c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8452584000 CR3: 00000000363bf000 CR4: 0000000000750ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
bio_associate_blkg+0xcd/0x410 block/blk-cgroup.c:1893
lbmStartIO+0x1eb/0x430 fs/jfs/jfs_logmgr.c:2130
lbmWrite+0x2ea/0x420 fs/jfs/jfs_logmgr.c:2079
lmNextPage.isra.0+0x285/0x720 fs/jfs/jfs_logmgr.c:624
lmWriteRecord+0xa90/0x1140 fs/jfs/jfs_logmgr.c:537
lmLogSync+0x155/0x780 fs/jfs/jfs_logmgr.c:977
jfs_syncpt+0x89/0xa0 fs/jfs/jfs_logmgr.c:1049
jfs_sync_fs+0x80/0xa0 fs/jfs/super.c:690
sync_filesystem fs/sync.c:56 [inline]
sync_filesystem+0x105/0x280 fs/sync.c:30
generic_shutdown_super+0x70/0x380 fs/super.c:448
kill_block_super+0x97/0xf0 fs/super.c:1414
deactivate_locked_super+0x94/0x160 fs/super.c:335
deactivate_super+0xad/0xd0 fs/super.c:366
cleanup_mnt+0x3a2/0x540 fs/namespace.c:1143
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop kernel/entry/common.c:181 [inline]
exit_to_user_mode_prepare+0x253/0x280 kernel/entry/common.c:214
__syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:307
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7ff1dd48674b
Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 90 f3 0f 1e fa 31 f6 e9 05
00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff
ff 77 05 c3 0f 1f 40 00 48 c7 c2 b0 ff ff ff f7 d8
RSP: 002b:00007fffe4a91848 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007ff1dd48674b
RDX: 00007ff1dd41e280 RSI: 000000000000000a RDI: 00007fffe4a91900
RBP: 00007fffe4a91900 R08: 0000000000000000 R09: 00007fffe4a916d0
R10: 000055555585ca63 R11: 0000000000000246 R12: 00007ff1dd4e5312
R13: 00007fffe4a929e0 R14: 000055555585c970 R15: 00007fffe4a929d0
</TASK>
Modules linked in:
---[ end trace 4d6e710b0359a28f ]---
RIP: 0010:blkg_tryget_closest block/blk-cgroup.c:1831 [inline]
RIP: 0010:bio_associate_blkg_from_css+0x134/0x1050 block/blk-cgroup.c:1865
Code: 80 3c 02 00 0f 85 f0 0d 00 00 48 8b 04 24 48 8b 58 08 48 b8 00 00 00
00 00 fc ff df 48 8d bb d0 05 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f
85 d0 0d 00 00 48 8b 9b d0 05 00 00 48 b8 00 00 00
RSP: 0018:ffffc90001b9fa40 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83c79b2c
RDX: 00000000000000ba RSI: ffffffff83c78fd1 RDI: 00000000000005d0
RBP: ffff88802077bb40 R08: 0000000000000000 R09: ffffffff8fd95a27
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88804cb71000
R13: ffff888090f74000 R14: 0000000000000000 R15: ffff88804cb71000
FS: 000055555585b480(0000) GS:ffff888063e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555558a99a8 CR3: 00000000363bf000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess):
   0:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   4:	0f 85 f0 0d 00 00    	jne    0xdfa
   a:	48 8b 04 24          	mov    (%rsp),%rax
   e:	48 8b 58 08          	mov    0x8(%rax),%rbx
  12:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  19:	fc ff df
  1c:	48 8d bb d0 05 00 00 	lea    0x5d0(%rbx),%rdi
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 d0 0d 00 00    	jne    0xe04
  34:	48 8b 9b d0 05 00 00 	mov    0x5d0(%rbx),%rbx
  3b:	48                   	rex.W
  3c:	b8                   	.byte 0xb8
  3d:	00 00                	add    %al,(%rax)
======================================================


Wishing you a lovely day!


Best,

Marius


Attachments:
repro.syz (31.56 kB)
config (221.69 kB)
repro.c (125.41 kB)