syzbot


BUG: unable to handle kernel NULL pointer dereference in loop_rw_iter

Status: fixed on 2020/09/16 22:51
Subsystems: io-uring fs
Reported-by: syzbot+1abbd16e49910f6bbe45@syzkaller.appspotmail.com
Fix commit: 2dd2111d0d38 io_uring: Fix NULL pointer dereference in loop_rw_iter()
First crash: 1524d, last: 1509d
Cause bisection: introduced by (bisect log) [merge commit]:
commit 33c84e89abe4a92ab699c33029bd54269d574782
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Thu Jan 30 02:16:16 2020 +0000

  Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Crash: WARNING: ODEBUG bug in netdev_run_todo (log)
Note: the bisection landed on a merge commit, and the crash it reproduced (an ODEBUG warning in netdev_run_todo) is not the NULL dereference this report is about, so the cause bisection is low-confidence; the fix commit listed above, not the bisected commit, identifies the faulty code.
Repro: C syz .config
  
Discussions (1)
Title | Replies (including bot) | Last reply
BUG: unable to handle kernel NULL pointer dereference in loop_rw_iter | 1 (2) | 2020/08/10 16:00

Sample crash report:
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD a7080067 P4D a7080067 PUD 9eae5067 PMD 0 
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 6836 Comm: io_wqe_worker-0 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffffc9000536f910 EFLAGS: 00010246
RAX: 1ffffffff10b0b9b RBX: dffffc0000000000 RCX: ffff88809ed26cc8
RDX: 00000000000000a3 RSI: 0000000020000240 RDI: ffff88809a317840
RBP: 0000000020000240 R08: 0000000000000001 R09: ffff8880940a0b08
R10: 0000000000000000 R11: 0000000000000000 R12: ffffc9000536fa28
R13: ffffffff88585cc0 R14: 00000000000000a3 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000000a1272000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 loop_rw_iter.part.0+0x26e/0x450 fs/io_uring.c:2850
 loop_rw_iter fs/io_uring.c:2829 [inline]
 io_write+0x6a2/0x7a0 fs/io_uring.c:3190
 io_issue_sqe+0x1b0/0x60d0 fs/io_uring.c:5530
 io_wq_submit_work+0x183/0x3d0 fs/io_uring.c:5775
 io_worker_handle_work+0xa45/0x13f0 fs/io-wq.c:527
 io_wqe_worker+0xbf0/0x10e0 fs/io-wq.c:569
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Modules linked in:
CR2: 0000000000000000
---[ end trace a35f4299b6f575bb ]---
RIP: 0010:0x0
Code: Bad RIP value.
RSP: 0018:ffffc9000536f910 EFLAGS: 00010246
RAX: 1ffffffff10b0b9b RBX: dffffc0000000000 RCX: ffff88809ed26cc8
RDX: 00000000000000a3 RSI: 0000000020000240 RDI: ffff88809a317840
RBP: 0000000020000240 R08: 0000000000000001 R09: ffff8880940a0b08
R10: 0000000000000000 R11: 0000000000000000 R12: ffffc9000536fa28
R13: ffffffff88585cc0 R14: 00000000000000a3 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000000a1272000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
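
Reading the oops above: RIP is 0x0 and the fault is a supervisor-mode instruction fetch on a not-present page (`#PF: error_code(0x0010)`, CR2 0), so the CPU tried to execute from address zero. The first real frame is loop_rw_iter at fs/io_uring.c:2850, reached from io_write on an io_wq worker kthread (Comm: io_wqe_worker-0), which is the signature of an indirect call through a NULL function pointer rather than a NULL data read. The C block below is an added example, not code from this page, from the kernel, or from the fix commit listed above: it models, with a cut-down user-space stand-in for struct file_operations (model_file_ops, model_file, model_iov_iter and the demo_* functions are all made-up names), a segment loop that dispatches through per-file read/write callbacks without checking that they exist, next to a guarded variant that returns -EINVAL instead. The guard is the generic pattern for optional callbacks and is not a quotation of the upstream fix.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/uio.h>

/* Hypothetical stand-in for struct file_operations: both entries are
 * optional and may be NULL, as real file_operations entries are. */
struct model_file;
struct model_file_ops {
    ssize_t (*read)(struct model_file *f, char *buf, size_t len, long long *pos);
    ssize_t (*write)(struct model_file *f, const char *buf, size_t len, long long *pos);
};

struct model_file {
    const struct model_file_ops *f_op;
    char backing[64];   /* constructed in-memory contents */
    size_t size;        /* bytes currently stored in backing */
};

/* Stand-in for struct iov_iter: the segments still to be transferred. */
struct model_iov_iter {
    const struct iovec *iov;
    unsigned long nr_segs;
};

enum { MODEL_READ = 0, MODEL_WRITE = 1 };

/* Constructed callbacks for a file that supports both directions. */
static ssize_t mem_read(struct model_file *f, char *buf, size_t len, long long *pos)
{
    size_t off = (size_t)*pos, avail;
    if (*pos < 0 || off >= f->size)
        return 0;                         /* EOF */
    avail = f->size - off;
    if (len > avail)
        len = avail;
    memcpy(buf, f->backing + off, len);
    *pos += (long long)len;
    return (ssize_t)len;
}

static ssize_t mem_write(struct model_file *f, const char *buf, size_t len, long long *pos)
{
    size_t off = (size_t)*pos, room;
    if (*pos < 0 || off >= sizeof f->backing)
        return -ENOSPC;
    room = sizeof f->backing - off;
    if (len > room)
        len = room;
    memcpy(f->backing + off, buf, len);
    *pos += (long long)len;
    if (off + len > f->size)
        f->size = off + len;
    return (ssize_t)len;
}

/* Unguarded segment loop: dispatches straight through f_op for every
 * segment. If the file has no callback for the requested direction the
 * indirect call jumps to address 0, which is what the oops shows
 * (RIP: 0010:0x0, supervisor instruction fetch); in user space the same
 * mistake is a SIGSEGV. */
static ssize_t loop_rw_iter_unguarded(int rw, struct model_file *f,
                                      long long *pos, const struct model_iov_iter *it)
{
    ssize_t total = 0;
    for (unsigned long i = 0; i < it->nr_segs; i++) {
        char *base = it->iov[i].iov_base;
        size_t len = it->iov[i].iov_len;
        ssize_t nr = (rw == MODEL_READ) ? f->f_op->read(f, base, len, pos)
                                        : f->f_op->write(f, base, len, pos);
        if (nr < 0)
            return total ? total : nr;    /* report partial progress first */
        total += nr;
        if ((size_t)nr < len)
            break;                        /* short transfer: stop here */
    }
    return total;
}

/* Guarded variant: refuse with -EINVAL before any indirect call when the
 * file provides no callback for this direction. */
static ssize_t loop_rw_iter_guarded(int rw, struct model_file *f,
                                    long long *pos, const struct model_iov_iter *it)
{
    if ((rw == MODEL_READ) ? (f->f_op->read == NULL) : (f->f_op->write == NULL))
        return -EINVAL;
    return loop_rw_iter_unguarded(rw, f, pos, it);
}

/* Scenario from the report: a write issued against a file whose f_op has
 * no ->write. Only the guarded path is exercised here; the unguarded one
 * would crash this process the way it crashed the kernel. Returns -EINVAL. */
int demo_write_no_callback(void)
{
    static const struct model_file_ops read_only_ops = { .read = mem_read, .write = NULL };
    struct model_file f = { .f_op = &read_only_ops, .size = 0 };
    char payload[] = "hello";
    struct iovec iov = { .iov_base = payload, .iov_len = 5 };
    struct model_iov_iter it = { .iov = &iov, .nr_segs = 1 };
    long long pos = 0;
    return (int)loop_rw_iter_guarded(MODEL_WRITE, &f, &pos, &it);
}

/* Control case: a file with both callbacks. Writes "io_uring" as two
 * segments, reads it back from offset 0 and returns the byte count (8)
 * when the round trip matches, or -1 otherwise. */
int demo_roundtrip(void)
{
    static const struct model_file_ops rw_ops = { .read = mem_read, .write = mem_write };
    struct model_file f = { .f_op = &rw_ops, .size = 0 };
    char a[] = "io_", b[] = "uring", out[16] = { 0 };
    struct iovec wiov[2] = { { .iov_base = a, .iov_len = 3 }, { .iov_base = b, .iov_len = 5 } };
    struct iovec riov = { .iov_base = out, .iov_len = sizeof out - 1 };
    struct model_iov_iter wit = { .iov = wiov, .nr_segs = 2 }, rit = { .iov = &riov, .nr_segs = 1 };
    long long pos = 0;
    if (loop_rw_iter_guarded(MODEL_WRITE, &f, &pos, &wit) != 8)
        return -1;
    pos = 0;
    ssize_t got = loop_rw_iter_guarded(MODEL_READ, &f, &pos, &rit);
    return (got == 8 && strcmp(out, "io_uring") == 0) ? (int)got : -1;
}

int main(void)
{
    printf("write without ->write: %d (EINVAL is %d)\n", demo_write_no_callback(), -EINVAL);
    printf("round trip bytes: %d\n", demo_roundtrip());
    return 0;
}
```

The check belongs at the dispatch site, before the first indirect call: once a worker thread has jumped through a NULL f_op entry there is nothing left to recover, and because the call happens on an io_wq kthread rather than in the submitting task, the crash takes the whole kernel down instead of just the process that queued the SQE.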

Crashes (24):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | Manager
2020/08/11 07:15 | upstream | fc80c51fd4b2 | 7adc7b65 | .config | console log | report | syz | C | ci-upstream-kasan-gce-root
2020/08/10 04:33 | upstream | 9420f1ce0186 | 70301872 | .config | console log | report | syz | C | ci-upstream-kasan-gce-selinux-root
2020/08/09 21:43 | upstream | 06a81c1c7db9 | 70301872 | .config | console log | report | syz | C | ci-upstream-kasan-gce-selinux-root
2020/08/09 08:42 | upstream | 06a81c1c7db9 | f721e4a0 | .config | console log | report | syz | C | ci-upstream-kasan-gce-smack-root
2020/08/09 04:55 | upstream | 449dc8c97089 | f721e4a0 | .config | console log | report | syz | C | ci-upstream-kasan-gce-smack-root
2020/08/07 19:59 | upstream | d6efb3ac3e6c | cb436c69 | .config | console log | report | syz | C | ci-upstream-kasan-gce-root
2020/08/13 09:20 | linux-next | bc09acc9f224 | bc15f7db | .config | console log | report | syz | C | ci-upstream-linux-next-kasan-gce-root
2020/08/13 05:31 | linux-next | bc09acc9f224 | bc15f7db | .config | console log | report | syz | C | ci-upstream-linux-next-kasan-gce-root
2020/08/16 00:17 | upstream | c9c9735c46f5 | 424dd8e7 | .config | console log | report | | | ci-upstream-kasan-gce-smack-root
2020/08/15 22:08 | upstream | c9c9735c46f5 | 424dd8e7 | .config | console log | report | | | ci-upstream-kasan-gce-smack-root
2020/08/14 18:01 | upstream | a1d21081a60d | 424dd8e7 | .config | console log | report | | | ci-upstream-kasan-gce-smack-root
2020/08/14 16:00 | upstream | a1d21081a60d | 424dd8e7 | .config | console log | report | | | ci-upstream-kasan-gce-root
2020/08/13 10:52 | upstream | fb893de323e2 | bc15f7db | .config | console log | report | | | ci-upstream-kasan-gce-smack-root
2020/08/13 09:15 | upstream | fb893de323e2 | bc15f7db | .config | console log | report | | | ci-upstream-kasan-gce-selinux-root
2020/08/13 09:09 | upstream | fb893de323e2 | bc15f7db | .config | console log | report | | | ci-upstream-kasan-gce-smack-root
2020/08/11 21:34 | upstream | 00e4db51259a | bacaf5fa | .config | console log | report | | | ci-upstream-kasan-gce-smack-root
2020/08/11 18:15 | upstream | 00e4db51259a | bacaf5fa | .config | console log | report | | | ci-upstream-kasan-gce-selinux-root
2020/08/08 11:27 | upstream | 5631c5e0eb90 | ff51e522 | .config | console log | report | | | ci-upstream-kasan-gce-root
2020/08/07 19:32 | upstream | d6efb3ac3e6c | cb436c69 | .config | console log | report | | | ci-upstream-kasan-gce-root
2020/08/07 15:11 | upstream | d6efb3ac3e6c | cb436c69 | .config | console log | report | | | ci-upstream-kasan-gce-selinux-root
2020/08/22 05:35 | upstream | 00e4db51259a | 6436ce4b | .config | console log | report | | | ci-qemu-upstream-386
2020/08/20 02:00 | upstream | 00e4db51259a | ed282a3a | .config | console log | report | | | ci-qemu-upstream-386
2020/08/13 09:06 | linux-next | bc09acc9f224 | bc15f7db | .config | console log | report | | | ci-upstream-linux-next-kasan-gce-root
2020/08/10 20:22 | linux-next | f80535b9aa10 | 7adc7b65 | .config | console log | report | | | ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.