Re: BUG: unable to handle kernel NULL pointer dereference in free_pipe_info

From: Eric Biggers
Date: Tue Jan 30 2018 - 22:55:16 EST


Hi Goldwyn,

On Tue, Jan 30, 2018 at 09:52:02PM -0600, Goldwyn Rodrigues wrote:
>
>
> On 01/30/2018 04:13 PM, Eric Biggers wrote:
> > On Tue, Dec 19, 2017 at 12:39:01AM -0800, syzbot wrote:
> >> Hello,
> >>
> >> syzkaller hit the following crash on
> >> 6084b576dca2e898f5c101baef151f7bfdbb606d
> >> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
> >> compiler: gcc (GCC) 7.1.1 20170620
> >> .config is attached
> >> Raw console output is attached.
> >>
> >> Unfortunately, I don't have any reproducer for this bug yet.
> >>
> >>
> >> BUG: unable to handle kernel NULL pointer dereference at 000000000000002f
> >> IP: pipe_buf_release include/linux/pipe_fs_i.h:136 [inline]
> >> IP: free_pipe_info+0x75/0xd0 fs/pipe.c:674
> >> PGD 1e069b067 P4D 1e069b067 PUD 1e0d7f067 PMD 0
> >> Oops: 0000 [#1] SMP
> >> Dumping ftrace buffer:
> >> (ftrace buffer empty)
> >> Modules linked in:
> >> CPU: 1 PID: 11658 Comm: syz-executor4 Not tainted 4.15.0-rc3-next-20171214+
> >> #67
> >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> >> Google 01/01/2011
> >> RIP: 0010:pipe_buf_release include/linux/pipe_fs_i.h:136 [inline]
> >> RIP: 0010:free_pipe_info+0x75/0xd0 fs/pipe.c:674
> >> RSP: 0018:ffffc90000e27ba8 EFLAGS: 00010293
> >> RAX: ffff8801dfa7e500 RBX: ffff8801dac70200 RCX: ffffffff81414817
> >> RDX: 0000000000000000 RSI: ffff8802156b6800 RDI: ffff8801dac70200
> >> RBP: ffffc90000e27bc8 R08: 0000000000000001 R09: 0000000000000000
> >> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> >> R13: ffff8802156b6800 R14: 000000000000001f R15: ffff880213d99820
> >> FS: 00007f81f5ada700(0000) GS:ffff88021fd00000(0000) knlGS:0000000000000000
> >> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> CR2: 000000000000002f CR3: 00000001e05cc000 CR4: 00000000001426e0
> >> Call Trace:
> >> put_pipe_info+0x65/0x80 fs/pipe.c:561
> >> pipe_release+0xda/0x110 fs/pipe.c:582
> >> __fput+0x120/0x270 fs/file_table.c:209
> >> ____fput+0x15/0x20 fs/file_table.c:243
> >> task_work_run+0xa3/0xe0 kernel/task_work.c:113
> >> exit_task_work include/linux/task_work.h:22 [inline]
> >> do_exit+0x3e6/0x1050 kernel/exit.c:869
> >> do_group_exit+0x60/0x100 kernel/exit.c:972
> >> get_signal+0x36c/0xad0 kernel/signal.c:2337
> >> do_signal+0x23/0x670 arch/x86/kernel/signal.c:809
> >> exit_to_usermode_loop+0x13c/0x160 arch/x86/entry/common.c:161
> >> prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
> >> syscall_return_slowpath+0x1b4/0x1e0 arch/x86/entry/common.c:264
> >> entry_SYSCALL_64_fastpath+0x94/0x96
> >> RIP: 0033:0x452a39
> >> RSP: 002b:00007f81f5ad9ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> >> RAX: fffffffffffffe00 RBX: 00000000007581b8 RCX: 0000000000452a39
> >> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007581b8
> >> RBP: 00000000007581b8 R08: 000000000000001a R09: 0000000000758190
> >> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> >> R13: 0000000000a6f7ff R14: 00007f81f5ada9c0 R15: 000000000000000e
> >> Code: 48 8d 14 80 48 8b 83 08 01 00 00 4c 8d 2c d0 4d 8b 75 10 4d 85 f6 74
> >> 17 e8 29 5b ea ff 49 c7 45 10 00 00 00 00 4c 89 ee 48 89 df <41> ff 56 10 e8
> >> 12 5b ea ff 41 83 c4 01 44 39 a3 d0 00 00 00 77
> >> RIP: pipe_buf_release include/linux/pipe_fs_i.h:136 [inline] RSP:
> >> ffffc90000e27ba8
> >> RIP: free_pipe_info+0x75/0xd0 fs/pipe.c:674 RSP: ffffc90000e27ba8
> >> CR2: 000000000000002f
> >> ---[ end trace 7ae396f579301f25 ]---
> >
> > Invalidating this bug since it hasn't been seen again, and it was reported while
> > KASAN was accidentally disabled in the syzbot kconfig due to a change to the
> > kconfig menus in linux-next (so this crash was possibly caused by slab
> > corruption elsewhere).
> >
>
> This crash looks similar to the ones discussed in
> https://lkml.org/lkml/2017/10/30/780
>
> If this can be reproduced, please share how.
>

syzkaller wasn't able to generate a reproducer for this. If it had it would
have been provided in the report.

Thanks,

- Eric