syzkaller: panic: runtime error: invalid memory address or nil pointer dereference

Question

syzkaller: panic: runtime error: invalid memory address or nil pointer dereference

avagin opened this issue 3 years ago · comments

Description

https://syzkaller.appspot.com/bug?id=257e0a059c33311a37eec6f6069f6d522ef72793

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x48 pc=0xaec92f]

goroutine 578 [running]:
panic(0x18e49a0, 0x262bbc0)
	GOROOT/src/runtime/panic.go:1065 +0x565 fp=0xc000713928 sp=0xc000713860 pc=0x43a6c5
runtime.panicmem()
	GOROOT/src/runtime/panic.go:212 +0x5b fp=0xc000713948 sp=0xc000713928 pc=0x43871b
runtime.sigpanic()
	GOROOT/src/runtime/signal_unix.go:734 +0x173 fp=0xc000713980 sp=0xc000713948 pc=0x453db3
gvisor.dev/gvisor/pkg/sentry/fsimpl/kernfs.(*Dentry).releaseKeptDentriesLocked(0xc000342480, 0x1d5a6a0, 0xc00070b500)
	pkg/sentry/fsimpl/kernfs/filesystem.go:272 +0x6f fp=0xc000713a70 sp=0xc000713980 pc=0xaec92f
gvisor.dev/gvisor/pkg/sentry/fsimpl/kernfs.(*Filesystem).Release(0xc000252790, 0x1d5a6a0, 0xc00070b500)
	pkg/sentry/fsimpl/kernfs/filesystem.go:258 +0x95 fp=0xc000713aa8 sp=0xc000713a70 pc=0xaec815
gvisor.dev/gvisor/pkg/sentry/fsimpl/mqfs.(*filesystem).Release(0xc000252790, 0x1d5a6a0, 0xc00070b500)
	pkg/sentry/fsimpl/mqfs/mqfs.go:112 +0xa7 fp=0xc000713ad8 sp=0xc000713aa8 pc=0xb24e67
gvisor.dev/gvisor/pkg/sentry/vfs.(*Filesystem).DecRef.func1()
	pkg/sentry/vfs/filesystem.go:81 +0x148 fp=0xc000713b30 sp=0xc000713ad8 pc=0x9823e8
gvisor.dev/gvisor/pkg/sentry/vfs.(*FilesystemRefs).DecRef(0xc000252790, 0xc000713bb8)
	bazel-out/k8-fastbuild-ST-0995fa9490c1/bin/pkg/sentry/vfs/filesystem_refs.go:131 +0x7d fp=0xc000713ba8 sp=0xc000713b30 pc=0x955bbd
gvisor.dev/gvisor/pkg/sentry/vfs.(*Filesystem).DecRef(0xc000252790, 0x1d5a6a0, 0xc00070b500)
	pkg/sentry/vfs/filesystem.go:77 +0x77 fp=0xc000713be8 sp=0xc000713ba8 pc=0x955157
gvisor.dev/gvisor/pkg/sentry/vfs.(*Mount).destroy(0xc0003959e0, 0x1d5a6a0, 0xc00070b500)
	pkg/sentry/vfs/mount.go:528 +0xe5 fp=0xc000713c50 sp=0xc000713be8 pc=0x95ea85
gvisor.dev/gvisor/pkg/sentry/vfs.(*Mount).DecRef(0xc0003959e0, 0x1d5a6a0, 0xc00070b500)
	pkg/sentry/vfs/mount.go:512 +0xab fp=0xc000713c78 sp=0xc000713c50 pc=0x95e98b
gvisor.dev/gvisor/pkg/sentry/fsimpl/mqfs.(*RegistryImpl).Destroy(0xc0004ec078, 0x1d5a6a0, 0xc00070b500)
	pkg/sentry/fsimpl/mqfs/registry.go:133 +0x9d fp=0xc000713ca0 sp=0xc000713c78 pc=0xb26f7d
gvisor.dev/gvisor/pkg/sentry/kernel/mq.(*Registry).Destroy(0xc0002485c0, 0x1d5a6a0, 0xc00070b500)
	pkg/sentry/kernel/mq/mq.go:245 +0xbc fp=0xc000713d18 sp=0xc000713ca0 pc=0xb1ebdc
gvisor.dev/gvisor/pkg/sentry/kernel.(*IPCNamespace).DecRef.func1()
	pkg/sentry/kernel/ipc_namespace.go:106 +0xf5 fp=0xc000713d68 sp=0xc000713d18 pc=0xd92bd5
gvisor.dev/gvisor/pkg/sentry/kernel.(*IPCNamespaceRefs).DecRef(0xc0002d84b0, 0xc000713df0)
	bazel-out/k8-fastbuild-ST-0995fa9490c1/bin/pkg/sentry/kernel/ipc_namespace_refs.go:131 +0x7d fp=0xc000713de0 sp=0xc000713d68 pc=0xd0617d
gvisor.dev/gvisor/pkg/sentry/kernel.(*IPCNamespace).DecRef(0xc0002d84b0, 0x1d5a6a0, 0xc00070b500)
	pkg/sentry/kernel/ipc_namespace.go:103 +0x77 fp=0xc000713e20 sp=0xc000713de0 pc=0xd05937
gvisor.dev/gvisor/pkg/sentry/kernel.(*runExitMain).execute(0x0, 0xc00070b500, 0x1d2ddc0, 0x0)
	pkg/sentry/kernel/task_exit.go:259 +0x3f4 fp=0xc000713ed0 sp=0xc000713e20 pc=0xd43e14
gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).run(0xc00070b500, 0x11)
	pkg/sentry/kernel/task_run.go:97 +0x393 fp=0xc000713fd0 sp=0xc000713ed0 pc=0xd549b3
runtime.goexit()
	src/runtime/asm_amd64.s:1371 +0x1 fp=0xc000713fd8 sp=0xc000713fd0 pc=0x477541
created by gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).Start
	pkg/sentry/kernel/task_start.go:327 +0x1a5

Steps to reproduce

https://syzkaller.appspot.com/text?tag=ReproC&x=14013f2cb0000

runsc version

No response

docker version (if using docker)

No response

uname

No response

kubectl (if using Kubernetes)

No response

repo state (if built from source)

No response

runsc debug logs (if available)

No response

Andrei Vagin · Answer 1 · Tue Oct 26 2021 01:10:23 GMT+0800 (China Standard Time)

This issue was introiduced in #6345.
@sudo-sturbia, could you fix it?

Zyad A. Ali · Answer 2 · Tue Oct 26 2021 04:11:35 GMT+0800 (China Standard Time)

@avagin It's solved in this pr #6778, I believe the problem was happening due to this line https://cs.opensource.google/gvisor/gvisor/+/master:pkg/sentry/fsimpl/mqfs/registry.go;l=132 where root dentry gets destroyed before the mount.

Ayush Ranjan · Answer 3 · Wed Oct 27 2021 04:26:28 GMT+0800 (China Standard Time)

Fixed in #6345. The actual issue was that GetFilesystem was not taking a ref on the returned root dentry like it was supposed to. The caller would DecRef the returned root dentry to get rid of its ref. And when the filesystem was released, the filesystem would drop its ref on the root dentry which would panic because no refs left to drop.