BUG: unable to handle kernel NULL pointer dereference in try_to_wake_up

Wei Chen harperchen1110 at gmail.com
Sun Dec 25 07:56:59 PST 2022


Dear Linux Developers,

Recently, when using our tool to fuzz the kernel, the following crash was triggered.

HEAD commit:  e45fb347b630 Linux 6.1.0-next-20221220
git tree: linux-next
compiler: clang 12.0.0
console output:
https://drive.google.com/file/d/1d2Bl86zvgz1mdE-cYUT3lnbPGAagNUZf/view?usp=share_link
kernel config: https://drive.google.com/file/d/1mMD6aopttKDGK4aYUlgiwAk6bOQHivd-/view?usp=share_link

Unfortunately, I do not have a reproducer for this crash. It seems
like a null pointer dereference is triggered when dereferencing
p->pi_lock->raw_lock->val->counter.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <harperchen1110 at gmail.com>

BUG: kernel NULL pointer dereference, address: 0000000000000834
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 56ef4067 P4D 56ef4067 PUD 58112067 PMD 0
Oops: 0002 [#1] PREEMPT SMP
CPU: 0 PID: 12 Comm: ksoftirqd/0 Not tainted 6.1.0-next-20221220 #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:arch_atomic_try_cmpxchg arch/x86/include/asm/atomic.h:202 [inline]
RIP: 0010:atomic_try_cmpxchg_acquire
include/linux/atomic/atomic-instrumented.h:543 [inline]
RIP: 0010:queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
RIP: 0010:do_raw_spin_lock include/linux/spinlock.h:186 [inline]
RIP: 0010:__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
RIP: 0010:_raw_spin_lock_irqsave+0x4e/0xa0 kernel/locking/spinlock.c:162
Code: 48 c7 04 24 00 00 00 00 9c 8f 04 24 48 89 df e8 88 fb 8d fc 48
8b 1c 24 fa bd 01 00 00 00 bf 01 00 00 00 e8 a4 9c 66 fc 31 c0 <3e> 41
0f b1 2e 75 1c 65 48 8b 04 25 28 00 00 00 48 3b 44 24 08 75
RSP: 0018:ffffc90000497908 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000246 RCX: ffffffff84ad1b08
RDX: 0000000000000996 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0001c9000049790f R09: 0000000000000000
R10: 0001ffffffffffff R11: 0001c90000497908 R12: 0000000000000834
R13: ffffffff84446de0 R14: 0000000000000834 R15: ffff888061b71700
FS:  0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000834 CR3: 0000000057b36000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 try_to_wake_up+0x3d/0x430 kernel/sched/core.c:4100
 rxrpc_wake_up_io_thread net/rxrpc/ar-internal.h:967 [inline]
 rxrpc_encap_rcv+0xc7/0xf0 net/rxrpc/io_thread.c:40
 udp_queue_rcv_one_skb+0x64c/0x750 net/ipv4/udp.c:2164
 udp_queue_rcv_skb+0x53d/0x5c0 net/ipv4/udp.c:2241
 __udp4_lib_mcast_deliver net/ipv4/udp.c:2333 [inline]
 __udp4_lib_rcv+0x1c66/0x1d00 net/ipv4/udp.c:2468
 udp_rcv+0x4b/0x50 net/ipv4/udp.c:2655
 ip_protocol_deliver_rcu+0x380/0x720 net/ipv4/ip_input.c:205
 ip_local_deliver_finish net/ipv4/ip_input.c:233 [inline]
 NF_HOOK include/linux/netfilter.h:302 [inline]
 ip_local_deliver+0x210/0x340 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:454 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
 NF_HOOK include/linux/netfilter.h:302 [inline]
 ip_rcv+0x1b1/0x260 net/ipv4/ip_input.c:569
 __netif_receive_skb_one_core net/core/dev.c:5482 [inline]
 __netif_receive_skb+0x8b/0x1b0 net/core/dev.c:5596
 process_backlog+0x23f/0x3b0 net/core/dev.c:5924
 __napi_poll+0x65/0x420 net/core/dev.c:6485
 napi_poll net/core/dev.c:6552 [inline]
 net_rx_action+0x37e/0x730 net/core/dev.c:6663
 __do_softirq+0xf2/0x2c9 kernel/softirq.c:571
 run_ksoftirqd+0x1f/0x30 kernel/softirq.c:934
 smpboot_thread_fn+0x308/0x4a0 kernel/smpboot.c:164
 kthread+0x1a9/0x1e0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>
Modules linked in:
CR2: 0000000000000834
---[ end trace 0000000000000000 ]---
RIP: 0010:arch_atomic_try_cmpxchg arch/x86/include/asm/atomic.h:202 [inline]
RIP: 0010:atomic_try_cmpxchg_acquire
include/linux/atomic/atomic-instrumented.h:543 [inline]
RIP: 0010:queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
RIP: 0010:do_raw_spin_lock include/linux/spinlock.h:186 [inline]
RIP: 0010:__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
RIP: 0010:_raw_spin_lock_irqsave+0x4e/0xa0 kernel/locking/spinlock.c:162
Code: 48 c7 04 24 00 00 00 00 9c 8f 04 24 48 89 df e8 88 fb 8d fc 48
8b 1c 24 fa bd 01 00 00 00 bf 01 00 00 00 e8 a4 9c 66 fc 31 c0 <3e> 41
0f b1 2e 75 1c 65 48 8b 04 25 28 00 00 00 48 3b 44 24 08 75
RSP: 0018:ffffc90000497908 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000246 RCX: ffffffff84ad1b08
RDX: 0000000000000996 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0001c9000049790f R09: 0000000000000000
R10: 0001ffffffffffff R11: 0001c90000497908 R12: 0000000000000834
R13: ffffffff84446de0 R14: 0000000000000834 R15: ffff888061b71700
FS:  0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000834 CR3: 0000000057b36000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0: 48 c7 04 24 00 00 00 movq   $0x0,(%rsp)
   7: 00
   8: 9c                   pushfq
   9: 8f 04 24             popq   (%rsp)
   c: 48 89 df             mov    %rbx,%rdi
   f: e8 88 fb 8d fc       callq  0xfc8dfb9c
  14: 48 8b 1c 24           mov    (%rsp),%rbx
  18: fa                   cli
  19: bd 01 00 00 00       mov    $0x1,%ebp
  1e: bf 01 00 00 00       mov    $0x1,%edi
  23: e8 a4 9c 66 fc       callq  0xfc669ccc
  28: 31 c0                 xor    %eax,%eax
* 2a: 3e 41 0f b1 2e       cmpxchg %ebp,%ds:(%r14) <-- trapping instruction
  2f: 75 1c                 jne    0x4d
  31: 65 48 8b 04 25 28 00 mov    %gs:0x28,%rax
  38: 00 00
  3a: 48 3b 44 24 08       cmp    0x8(%rsp),%rax
  3f: 75                   .byte 0x75

Best,
Wei



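Added example, not part of the report above or of the kernel sources: a small triage script that parses an x86-64 oops of the kind quoted in this thread and answers the questions a maintainer asks first. It extracts the faulting address, the access type from the #PF lines, the real (non-inline) RIP frame, which registers hold the faulting address, and the call trace; it then flags the fault as "NULL base plus struct offset" when the address is below one page (here 0x834), names the caller of the faulting lock primitive, and picks the first frame outside kernel/, include/ and arch/ as the subsystem to look at. The embedded input is a trimmed copy of the oops from this report; the page-size threshold and the "first non-core frame" rule are heuristics of this script, not something the report states.

```python
import re

PAGE_SIZE = 4096  # x86-64 base page: a fault address below it is NULL + a field offset (assumption)

# Sample input: the head of the oops quoted in the report above, trimmed to the
# lines this script needs (constructed excerpt, register values as reported).
OOPS = """\
BUG: kernel NULL pointer dereference, address: 0000000000000834
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
Oops: 0002 [#1] PREEMPT SMP
CPU: 0 PID: 12 Comm: ksoftirqd/0 Not tainted 6.1.0-next-20221220 #6
RIP: 0010:queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
RIP: 0010:_raw_spin_lock_irqsave+0x4e/0xa0 kernel/locking/spinlock.c:162
RSP: 0018:ffffc90000497908 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000246 RCX: ffffffff84ad1b08
R10: 0001ffffffffffff R11: 0001c90000497908 R12: 0000000000000834
R13: ffffffff84446de0 R14: 0000000000000834 R15: ffff888061b71700
CR2: 0000000000000834 CR3: 0000000057b36000 CR4: 00000000003506f0
Call Trace:
 <TASK>
 try_to_wake_up+0x3d/0x430 kernel/sched/core.c:4100
 rxrpc_wake_up_io_thread net/rxrpc/ar-internal.h:967 [inline]
 rxrpc_encap_rcv+0xc7/0xf0 net/rxrpc/io_thread.c:40
 udp_queue_rcv_one_skb+0x64c/0x750 net/ipv4/udp.c:2164
 </TASK>
"""

_RIP_RE = re.compile(r"RIP: \d{4}:([A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (\S+)")
_REG_RE = re.compile(r"\b([A-Z][A-Z0-9]{1,2}): ([0-9a-f]{16})\b")
_FRAME_RE = re.compile(r"^(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (\S+)( \[inline\])?$")


def parse_oops(text):
    """Pull the fields a first-pass triage needs out of an x86-64 oops."""
    info = {"address": None, "access": None, "error_code": None,
            "rip": None, "rip_loc": None, "regs": {}, "frames": []}
    in_trace = False
    for line in text.splitlines():
        s = line.strip()
        m = re.search(r"NULL pointer dereference, address: ([0-9a-f]+)", s)
        if m:
            info["address"] = int(m.group(1), 16)
        m = re.search(r"#PF: supervisor (read|write|instruction fetch) access", s)
        if m:
            info["access"] = m.group(1)
        m = re.search(r"error_code\(0x([0-9a-f]+)\)", s)
        if m:
            info["error_code"] = int(m.group(1), 16)
        m = _RIP_RE.search(s)
        if m and "[inline]" not in s:      # keep the real frame, skip inlined ones
            info["rip"], info["rip_loc"] = m.group(1), m.group(2)
        for reg, val in _REG_RE.findall(s):  # 16-hex-digit registers only
            info["regs"][reg] = int(val, 16)
        if s == "<TASK>":
            in_trace = True
            continue
        if s == "</TASK>":
            in_trace = False
            continue
        if in_trace:
            m = _FRAME_RE.match(s)
            if m:
                info["frames"].append((m.group(1), m.group(2), m.group(3) is not None))
    return info


def triage(info):
    """Classify the fault and point at the frames worth reading first."""
    addr = info["address"]
    ec = info["error_code"] or 0
    null_plus_offset = addr is not None and addr < PAGE_SIZE
    # General-purpose registers that carry the fault address (CR2 always does).
    holders = sorted(r for r, v in info["regs"].items() if v == addr and r != "CR2")
    # Heuristic: the first frame outside core kernel/include/arch paths is the
    # subsystem that reached the faulting primitive.
    blame = next((f for f in info["frames"]
                  if not f[1].startswith(("kernel/", "include/", "arch/"))), None)
    caller = info["frames"][0][0] if info["frames"] else None
    return {
        "null_plus_offset": null_plus_offset,
        "offset": addr,
        "access": info["access"],
        "user_mode": bool(ec & 4),          # #PF error code bit 2
        "faulting_function": info["rip"],
        "caller": caller,
        "address_registers": holders,
        "blame": blame,
        "summary": (f"{info['access']} to NULL+0x{addr:x} in {info['rip']} "
                    f"(called from {caller}); look at {blame[0]} at {blame[1]}"
                    if null_plus_offset and blame else "not a NULL+offset fault"),
    }


if __name__ == "__main__":
    print(triage(parse_oops(OOPS))["summary"])
```

For this report the script concludes that a write to NULL+0x834 happened inside _raw_spin_lock_irqsave called from try_to_wake_up, that R12 and R14 hold the offset rather than a real task_struct pointer, and that rxrpc_wake_up_io_thread in net/rxrpc/ar-internal.h is the first frame to inspect; the 0x834 offset is consistent with the report's reading that p->pi_lock was dereferenced through a NULL p.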