Bug 215903 - BUG: kernel NULL pointer dereference, address: 0000000000000000
Summary: BUG: kernel NULL pointer dereference, address: 0000000000000000
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: Other
Hardware: All Linux
: P1 normal
Assignee: fs_other
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-04-27 13:57 UTC by bughunter
Modified: 2022-04-27 14:42 UTC (History)

See Also:
Kernel Version: 5.17
Subsystem:
Regression: No
Bisected commit-id:


Attachments
case.c, a C file containing the file operations that reproduce the bug (10.94 KB, text/x-csrc)
2022-04-27 13:57 UTC, bughunter

Description bughunter 2022-04-27 13:57:55 UTC
Created attachment 300827 [details]
case.c, a C file containing the file operations that reproduce the bug

I encountered a bug in kernel v5.17 while testing file systems.

I have uploaded the system call sequence as case.c, and the modified (crafted) f2fs image can be downloaded from Google Drive (https://drive.google.com/file/d/1HugsHyHXHKKHtFE7Ja9mJYbu__LiyBAW/view?usp=sharing).

The kernel should be built with CONFIG_KASAN=y and CONFIG_KASAN_INLINE=y. The bug can be reproduced by running the following commands:

gcc -o case case.c
losetup /dev/loop0 case.img
mount -o "disable_roll_forward,nouser_xattr,noacl,noinline_data,inline_dentry,flush_merge,nobarrier,fastboot,data_flush,usrquota,alloc_mode=reuse,fsync_mode=nobarrier,test_dummy_encryption" /dev/loop0 /root/mnt
./case

The kernel message is shown below. Note that the fault is an instruction fetch at address 0 (RIP: 0x0), i.e. a call through a NULL function pointer reached from folio_mark_dirty() during f2fs_add_regular_entry(), triggered by an lchown() lookup on the mounted crafted image:

1,815,118207471,-;BUG: kernel NULL pointer dereference, address: 0000000000000000
1,816,118207481,-;#PF: supervisor instruction fetch in kernel mode
1,817,118207484,-;#PF: error_code(0x0010) - not-present page
6,818,118207487,-;PGD 0 P4D 0 
4,819,118207492,-;Oops: 0010 [#1] PREEMPT SMP KASAN PTI
4,820,118207496,-;CPU: 5 PID: 1489 Comm: case Not tainted 5.17.0 #3
4,821,118207501,-;Hardware name: Dell Inc. OptiPlex 9020/03CPWF, BIOS A14 09/14/2015
4,822,118207503,-;RIP: 0010:0x0
4,823,118207509,-;Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
4,824,118207511,-;RSP: 0018:ffff888128857640 EFLAGS: 00010246
4,825,118207515,-;RAX: 0000000000000000 RBX: ffffffff888bdf60 RCX: ffffffff85891e03
4,826,118207518,-;RDX: 1ffffffff1117bef RSI: 0000000000000008 RDI: ffffea0005391740
4,827,118207520,-;RBP: ffffea0005391740 R08: 0000000000000001 R09: fffff94000a722e9
4,828,118207523,-;R10: ffffea0005391747 R11: fffff94000a722e8 R12: ffff8881681209b0
4,829,118207525,-;R13: ffff88814e45d000 R14: 0000000000000000 R15: ffffea0005391740
4,830,118207528,-;FS:  00007f9b80e14540(0000) GS:ffff8881d5740000(0000) knlGS:0000000000000000
4,831,118207531,-;CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
4,832,118207533,-;CR2: ffffffffffffffd6 CR3: 0000000114cdc005 CR4: 00000000001706e0
4,833,118207536,-;Call Trace:
4,834,118207538,-; <TASK>
4,835,118207540,-; folio_mark_dirty+0x99/0x130
4,836,118207548,-; f2fs_add_regular_entry+0xa1f/0xcb0
4,837,118207555,-; ? f2fs_init_inode_metadata+0xdb0/0xdb0
4,838,118207559,-; ? __f2fs_setup_filename.part.0+0x9d/0xe0
4,839,118207563,-; ? memset+0x20/0x40
4,840,118207568,-; ? __f2fs_setup_filename.part.0+0xe0/0xe0
4,841,118207572,-; f2fs_add_dentry+0x184/0x210
4,842,118207577,-; f2fs_do_add_link+0x1e7/0x290
4,843,118207581,-; ? f2fs_add_dentry+0x210/0x210
4,844,118207585,-; ? f2fs_find_entry+0x8f/0x170
4,845,118207589,-; ? __f2fs_find_entry+0x810/0x810
4,846,118207593,-; ? unlock_new_inode+0x75/0xb0
4,847,118207599,-; __recover_dot_dentries+0x344/0x400
4,848,118207602,-; ? f2fs_link+0x1340/0x1340
4,849,118207606,-; f2fs_lookup+0x833/0xab0
4,850,118207610,-; ? f2fs_rmdir+0x50/0x50
4,851,118207613,-; ? __d_lookup+0x297/0x490
4,852,118207617,-; ? selinux_inode_permission+0x250/0x3c0
4,853,118207622,-; __lookup_slow+0x18c/0x370
4,854,118207627,-; ? vfs_rmdir+0x560/0x560
4,855,118207631,-; ? security_inode_permission+0x73/0xb0
4,856,118207635,-; walk_component+0x35e/0x5f0
4,857,118207639,-; ? handle_dots.part.0+0x16c0/0x16c0
4,858,118207643,-; ? path_init+0xb8/0x1590
4,859,118207647,-; ? walk_component+0x5f0/0x5f0
4,860,118207650,-; ? __is_insn_slot_addr+0x82/0xd0
4,861,118207656,-; path_lookupat.isra.0+0x11e/0x4a0
4,862,118207661,-; filename_lookup+0x19e/0x3b0
4,863,118207664,-; ? may_linkat+0x1a0/0x1a0
4,864,118207668,-; ? _raw_spin_lock_irqsave+0x88/0xe0
4,865,118207673,-; ? create_object+0x39/0xaf0
4,866,118207676,-; ? kmem_cache_alloc+0xc4/0x220
4,867,118207680,-; ? _raw_spin_unlock_irqrestore+0x3d/0x70
4,868,118207683,-; ? create_object+0x649/0xaf0
4,869,118207686,-; ? kasan_unpoison+0x23/0x50
4,870,118207690,-; ? strncpy_from_user+0x44/0x220
4,871,118207695,-; ? kmem_cache_alloc+0x10f/0x220
4,872,118207698,-; ? getname_flags+0xf8/0x4e0
4,873,118207702,-; user_path_at_empty+0x35/0x50
4,874,118207705,-; do_fchownat+0xa7/0x140
4,875,118207709,-; ? chown_common+0x3c0/0x3c0
4,876,118207712,-; ? __ia32_sys_utimes_time32+0x70/0x70
4,877,118207717,-; ? fpregs_assert_state_consistent+0x45/0xb0
4,878,118207721,-; __x64_sys_lchown+0x75/0xb0
4,879,118207725,-; ? syscall_exit_to_user_mode+0x1d/0x40
4,880,118207730,-; do_syscall_64+0x3b/0x90
4,881,118207734,-; entry_SYSCALL_64_after_hwframe+0x44/0xae
4,882,118207738,-;RIP: 0033:0x7f9b80d3976d
4,883,118207741,-;Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f3 36 0d 00 f7 d8 64 89 01 48
4,884,118207744,-;RSP: 002b:00007fff62196da8 EFLAGS: 00000217 ORIG_RAX: 000000000000005e
4,885,118207748,-;RAX: ffffffffffffffda RBX: 000056261616d9e0 RCX: 00007f9b80d3976d
4,886,118207751,-;RDX: 0000000000000003 RSI: 0000000000000008 RDI: 00007fff62196f84
4,887,118207753,-;RBP: 00007fff625973a0 R08: 00007fff62597498 R09: 00007fff62597498
4,888,118207755,-;R10: 00007fff62597498 R11: 0000000000000217 R12: 000056261616c0a0
4,889,118207758,-;R13: 00007fff62597490 R14: 0000000000000000 R15: 0000000000000000
4,890,118207761,-; </TASK>
4,891,118207763,-;Modules linked in: x86_pkg_temp_thermal efivarfs
4,892,118207769,-;CR2: 0000000000000000
4,893,118207773,-;---[ end trace 0000000000000000 ]---
4,894,118207775,-;RIP: 0010:0x0
4,895,118207778,-;Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
4,896,118207780,-;RSP: 0018:ffff888128857640 EFLAGS: 00010246
4,897,118207783,-;RAX: 0000000000000000 RBX: ffffffff888bdf60 RCX: ffffffff85891e03
4,898,118207786,-;RDX: 1ffffffff1117bef RSI: 0000000000000008 RDI: ffffea0005391740
4,899,118207788,-;RBP: ffffea0005391740 R08: 0000000000000001 R09: fffff94000a722e9
4,900,118207791,-;R10: ffffea0005391747 R11: fffff94000a722e8 R12: ffff8881681209b0
4,901,118207793,-;R13: ffff88814e45d000 R14: 0000000000000000 R15: ffffea0005391740
4,902,118207795,-;FS:  00007f9b80e14540(0000) GS:ffff8881d5740000(0000) knlGS:0000000000000000
4,903,118207798,-;CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
4,904,118207801,-;CR2: ffffffffffffffd6 CR3: 0000000114cdc005 CR4: 00000000001706e0
