Hello,
A Syzkaller PoC causes a GPF with the following stacktrace in linux-4.14.y and linux-4.19.y.
BUG: KASAN: null-ptr-deref in get_page+0xf/0x65
Read of size 8 at addr 0000000000000008 by task poc2/3395

CPU: 0 PID: 3395 Comm: poc2 Not tainted 4.19.214-00936-g38ec06730e44 #59
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
 dump_stack+0xe7/0x131
 kasan_report+0x22a/0x272
 get_page+0xf/0x65
 submit_page_section+0xf4/0x202
 do_blockdev_direct_IO+0xb90/0xfb9
 ? dio_set_defer_completion+0x57/0x57
 ? lock_is_held_type+0x78/0x86
 ? jbd2_journal_stop+0x6fa/0x742
 ? ext4_get_block_trans+0x188/0x188
 ? lock_downgrade+0x29a/0x29a
 ? __blockdev_direct_IO+0x52/0x93
 ? do_journal_get_write_access+0x7b/0x7b
 ext4_direct_IO+0x4eb/0x7ad
 ? ext4_get_block_trans+0x188/0x188
 generic_file_direct_write+0x132/0x1d8
 __generic_file_write_iter+0xa6/0x1c0
 ? generic_write_checks+0x173/0x19d
 ext4_file_write_iter+0x450/0x549
 ? ext4_unwritten_wait+0x153/0x153
 ? iter_file_splice_write+0x11a/0x4d7
 ? lock_acquire+0x1a7/0x1e7
 ? iter_file_splice_write+0x11a/0x4d7
 ? lock_acquire+0x1b7/0x1e7
 ? match_held_lock+0x2e/0x102
 ? __lock_is_held+0x2a/0x87
 do_iter_readv_writev+0x145/0x1b1
 ? file_start_write.isra.0+0x34/0x34
 ? avc_policy_seqno+0x1d/0x25
 ? selinux_file_permission+0xce/0x115
 do_iter_write+0xa6/0xe6
 iter_file_splice_write+0x337/0x4d7
 ? __do_compat_sys_vmsplice+0x16c/0x16c
 ? match_held_lock+0x2e/0x102
 ? lock_is_held_type+0x78/0x86
 __do_sys_splice+0x6cc/0x8f6
 ? ipipe_prep.part.0+0x99/0x99
 ? mark_held_locks+0x2d/0x84
 ? do_syscall_64+0x14/0x90
 do_syscall_64+0x74/0x90
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43f579
Could the following patch be applied to linux-4.19.y and linux-4.14.y? linux-5.4.y has this commit.

3d75ca0adef4 ("block: introduce multi-page bvec helpers")

Tests run:
* Syzkaller reproducer
* Chrome OS tryjobs

Thanks,
- Zubin
On Fri, Nov 05, 2021 at 09:17:10AM -0700, Zubin Mithra wrote:
Now queued up, thanks.
greg k-h
linux-stable-mirror@lists.linaro.org