syzbot


general protection fault in io_poll_remove_entries

Status: fixed on 2023/05/02 21:55
Reported-by: syzbot+3b792a86d9466e763d47@syzkaller.appspotmail.com
Fix commit: 3eb2138d4693 io_uring/poll: clear single/double poll flags on poll arming
First crash: 414d, last: 395d
Fix bisection: fixed by (bisect log):
commit 3eb2138d4693d81aa6e5514f439be255117cae63
Author: Jens Axboe <axboe@kernel.dk>
Date: Tue Mar 28 01:56:18 2023 +0000

  io_uring/poll: clear single/double poll flags on poll arming

Similar bugs (1)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | KASAN: use-after-free Read in io_poll_remove_entries [io-uring] | C | done | done | 751 | 391d | 771d | 0/26 | auto-obsoleted due to no activity on 2023/07/04 23:32

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 3628 Comm: syz-executor916 Not tainted 6.1.19-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:io_poll_remove_entry io_uring/poll.c:180 [inline]
RIP: 0010:io_poll_remove_entries+0x39a/0x5f0 io_uring/poll.c:218
Code: c4 40 4c 89 e0 48 c1 e8 03 4d 89 fd 42 80 3c 38 00 74 08 4c 89 e7 e8 15 ff ab fd 49 8b 1c 24 4c 8d 7b 08 4d 89 fe 49 c1 ee 03 <43> 80 3c 2e 00 74 08 4c 89 ff e8 f7 fe ab fd 49 8b 2f 48 85 ed 0f
RSP: 0018:ffffc90003bdf9d0 EFLAGS: 00010202
RAX: 1ffff110039d2ca8 RBX: 0000000000000000 RCX: ffff88807ca1ba80
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000006
RBP: 0000000001000000 R08: ffffffff8434c5e5 R09: fffffbfff204cc31
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff88801ce96540
R13: dffffc0000000000 R14: 0000000000000001 R15: 0000000000000008
FS:  0000555555749300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f64e4f17b20 CR3: 000000007cdfc000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __io_arm_poll_handler+0x5df/0x920 io_uring/poll.c:619
 io_arm_poll_handler+0x75d/0xd20 io_uring/poll.c:750
 io_queue_async+0xa6/0x640 io_uring/io_uring.c:1877
 handle_tw_list+0x2aa/0x480 io_uring/io_uring.c:1035
 tctx_task_work+0x11b/0x720 io_uring/io_uring.c:1087
 task_work_run+0x246/0x300 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0xd9/0x100 kernel/entry/common.c:171
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x60/0x2d0 kernel/entry/common.c:296
 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f64e4eaa5c3
Code: c7 c2 c0 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb ba 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8
RSP: 002b:00007ffffcc52f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f64e4eaa5c3
RDX: 0000000000000000 RSI: 000000000000561c RDI: 0000000000000003
RBP: 00007ffffcc52f90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffffcc52f88
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:io_poll_remove_entry io_uring/poll.c:180 [inline]
RIP: 0010:io_poll_remove_entries+0x39a/0x5f0 io_uring/poll.c:218
Code: c4 40 4c 89 e0 48 c1 e8 03 4d 89 fd 42 80 3c 38 00 74 08 4c 89 e7 e8 15 ff ab fd 49 8b 1c 24 4c 8d 7b 08 4d 89 fe 49 c1 ee 03 <43> 80 3c 2e 00 74 08 4c 89 ff e8 f7 fe ab fd 49 8b 2f 48 85 ed 0f
RSP: 0018:ffffc90003bdf9d0 EFLAGS: 00010202
RAX: 1ffff110039d2ca8 RBX: 0000000000000000 RCX: ffff88807ca1ba80
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000006
RBP: 0000000001000000 R08: ffffffff8434c5e5 R09: fffffbfff204cc31
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff88801ce96540
R13: dffffc0000000000 R14: 0000000000000001 R15: 0000000000000008
FS:  0000555555749300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffffcc52f48 CR3: 000000007cdfc000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	40                   	rex
   1:	4c 89 e0             	mov    %r12,%rax
   4:	48 c1 e8 03          	shr    $0x3,%rax
   8:	4d 89 fd             	mov    %r15,%r13
   b:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1)
  10:	74 08                	je     0x1a
  12:	4c 89 e7             	mov    %r12,%rdi
  15:	e8 15 ff ab fd       	callq  0xfdabff2f
  1a:	49 8b 1c 24          	mov    (%r12),%rbx
  1e:	4c 8d 7b 08          	lea    0x8(%rbx),%r15
  22:	4d 89 fe             	mov    %r15,%r14
  25:	49 c1 ee 03          	shr    $0x3,%r14
* 29:	43 80 3c 2e 00       	cmpb   $0x0,(%r14,%r13,1) <-- trapping instruction
  2e:	74 08                	je     0x38
  30:	4c 89 ff             	mov    %r15,%rdi
  33:	e8 f7 fe ab fd       	callq  0xfdabff2f
  38:	49 8b 2f             	mov    (%r15),%rbp
  3b:	48 85 ed             	test   %rbp,%rbp
  3e:	0f                   	.byte 0xf

Crashes (21):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2023/03/15 00:44 | linux-6.1.y | 6449a0ba6843 | 0d5c4377 | .config | console log | report | syz | C | | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | general protection fault in io_poll_remove_entries
2023/03/15 01:18 | linux-6.1.y | 6449a0ba6843 | 0d5c4377 | .config | console log | report | syz | C | | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: null-ptr-deref Read in io_poll_remove_entries
2023/04/01 17:27 | linux-6.1.y | 3b29299e5f60 | f325deb0 | .config | console log | report | syz | C | | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | general protection fault in io_poll_remove_entries
2023/04/02 09:53 | linux-6.1.y | 3b29299e5f60 | f325deb0 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | general protection fault in io_poll_remove_entries
2023/03/30 05:57 | linux-6.1.y | e3a87a10f259 | f325deb0 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | general protection fault in io_poll_remove_entries
2023/03/27 07:04 | linux-6.1.y | e3a87a10f259 | fbf0499a | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | general protection fault in io_poll_remove_entries
2023/03/26 16:33 | linux-6.1.y | e3a87a10f259 | fbf0499a | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | general protection fault in io_poll_remove_entries
2023/03/23 13:59 | linux-6.1.y | e3a87a10f259 | f94b4a29 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | general protection fault in io_poll_remove_entries
2023/03/23 13:14 | linux-6.1.y | e3a87a10f259 | f94b4a29 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | general protection fault in io_poll_remove_entries
2023/03/17 05:57 | linux-6.1.y | 6449a0ba6843 | 18b58603 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | general protection fault in io_poll_remove_entries
2023/03/15 08:57 | linux-6.1.y | 6449a0ba6843 | 18b58603 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | general protection fault in io_poll_remove_entries
2023/03/14 22:35 | linux-6.1.y | 6449a0ba6843 | 0d5c4377 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | general protection fault in io_poll_remove_entries
2023/03/14 18:33 | linux-6.1.y | 6449a0ba6843 | 0d5c4377 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | general protection fault in io_poll_remove_entries
2023/03/14 18:32 | linux-6.1.y | 6449a0ba6843 | 0d5c4377 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | general protection fault in io_poll_remove_entries
2023/03/30 05:51 | linux-6.1.y | e3a87a10f259 | f325deb0 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: null-ptr-deref Read in io_poll_remove_entries
2023/03/26 16:28 | linux-6.1.y | e3a87a10f259 | fbf0499a | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: null-ptr-deref Read in io_poll_remove_entries
2023/03/26 16:28 | linux-6.1.y | e3a87a10f259 | fbf0499a | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: null-ptr-deref Read in io_poll_remove_entries
2023/03/26 16:27 | linux-6.1.y | e3a87a10f259 | fbf0499a | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: null-ptr-deref Read in io_poll_remove_entries
2023/03/24 19:29 | linux-6.1.y | e3a87a10f259 | 9700afae | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: null-ptr-deref Read in io_poll_remove_entries
2023/03/22 23:05 | linux-6.1.y | e3a87a10f259 | f94b4a29 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: null-ptr-deref Read in io_poll_remove_entries
2023/03/15 02:37 | linux-6.1.y | 6449a0ba6843 | 0d5c4377 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | KASAN: null-ptr-deref Read in io_poll_remove_entries
* Struck through repros no longer work on HEAD.