syzbot


BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers

Status: auto-obsoleted due to no activity on 2023/09/05 16:07
Subsystems: io-uring
[Documentation on labels]
Reported-by: syzbot+70de24bf68bee5f644e3@syzkaller.appspotmail.com
First crash: 391d, last: 391d
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers (2) io-uring 86 257d 262d 25/27 fixed on 2023/12/21 03:45
upstream KASAN: use-after-free Read in __io_remove_buffers io-uring C done 2 684d 680d 22/27 fixed on 2023/02/24 13:50

Sample crash report:
8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 0000000e when read
[0000000e] *pgd=80000080004003, *pmd=00000000
Internal error: Oops: 207 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 20796 Comm: kworker/u4:0 Not tainted 6.4.0-rc3-syzkaller #0
Hardware name: ARM-Versatile Express
Workqueue: events_unbound io_ring_exit_work
PC is at __io_remove_buffers io_uring/kbuf.c:219 [inline]
PC is at __io_remove_buffers+0x38/0x184 io_uring/kbuf.c:209
LR is at io_destroy_buffers+0x40/0x134 io_uring/kbuf.c:268
pc : [<807aeeb8>]    lr : [<807af454>]    psr: 20000113
sp : dfb61e48  ip : dfb61e78  fp : dfb61e74
r10: 87f58c28  r9 : 87f58800  r8 : ffffffff
r7 : 87f58ba8  r6 : 00000001  r5 : 87f5d000  r4 : 00000000
r3 : 00000000  r2 : 00000000  r1 : 87f5d000  r0 : 87f58800
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 85a92340  DAC: fffffffd
Register r0 information: slab kmalloc-2k start 87f58800 pointer offset 0 size 2048
Register r1 information: slab kmalloc-2k start 87f5d000 pointer offset 0 size 2048
Register r2 information: NULL pointer
Register r3 information: NULL pointer
Register r4 information: NULL pointer
Register r5 information: slab kmalloc-2k start 87f5d000 pointer offset 0 size 2048
Register r6 information: non-paged memory
Register r7 information: slab kmalloc-2k start 87f58800 pointer offset 936 size 2048
Register r8 information: non-paged memory
Register r9 information: slab kmalloc-2k start 87f58800 pointer offset 0 size 2048
Register r10 information: slab kmalloc-2k start 87f58800 pointer offset 1064 size 2048
Register r11 information: 2-page vmalloc region starting at 0xdfb60000 allocated at kernel_clone+0x9c/0x3dc kernel/fork.c:2918
Register r12 information: 2-page vmalloc region starting at 0xdfb60000 allocated at kernel_clone+0x9c/0x3dc kernel/fork.c:2918
Process kworker/u4:0 (pid: 20796, stack limit = 0xdfb60000)
Stack: (0xdfb61e48 to 0xdfb62000)
1e40:                   00000000 00000014 87f58800 87f58840 87f58ba8 81fe84f0
1e60: 00000005 87f58c28 dfb61e9c dfb61e78 807af454 807aee8c dfb61e74 9747b37e
1e80: 87f58c18 87f58800 87f58840 87f58ba8 dfb61efc dfb61ea0 817e0e38 807af420
1ea0: 81fe84f0 82604d40 00068ed8 87f58808 807d5fe4 817dfb8c 00000000 00000000
1ec0: dfb61ec0 dfb61ec0 87f58800 9747b37e 80264210 87f58c18 85fed600 8300e800
1ee0: 83016000 00000100 83289780 83016005 dfb61f44 dfb61f00 8026399c 817e0a9c
1f00: 80277dd0 802a6080 dfb61f2c dfb61f18 80264614 00000000 8300e800 85fed600
1f20: 8300e800 85fed618 8300e820 82604d40 00000088 8300e800 dfb61f84 dfb61f48
1f40: 80264190 8026379c dfb61f64 81f8f604 827e1633 83289780 dfb61f84 860514c0
1f60: 83289780 80264124 85fed600 86051b80 dfc75e9c 00000000 dfb61fac dfb61f88
1f80: 8026b19c 80264130 860514c0 8026b09c 00000000 00000000 00000000 00000000
1fa0: 00000000 dfb61fb0 80200100 8026b0a8 00000000 00000000 00000000 00000000
1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
Backtrace: 
[<807aee80>] (__io_remove_buffers) from [<807af454>] (io_destroy_buffers+0x40/0x134 io_uring/kbuf.c:268)
 r10:87f58c28 r9:00000005 r8:81fe84f0 r7:87f58ba8 r6:87f58840 r5:87f58800
 r4:00000014 r3:00000000
[<807af414>] (io_destroy_buffers) from [<817e0e38>] (io_ring_ctx_free io_uring/io_uring.c:2846 [inline])
[<807af414>] (io_destroy_buffers) from [<817e0e38>] (io_ring_exit_work+0x3a8/0x600 io_uring/io_uring.c:3088)
 r7:87f58ba8 r6:87f58840 r5:87f58800 r4:87f58c18
[<817e0a90>] (io_ring_exit_work) from [<8026399c>] (process_one_work+0x20c/0x598 kernel/workqueue.c:2405)
 r10:83016005 r9:83289780 r8:00000100 r7:83016000 r6:8300e800 r5:85fed600
 r4:87f58c18
[<80263790>] (process_one_work) from [<80264190>] (worker_thread+0x6c/0x4e0 kernel/workqueue.c:2552)
 r10:8300e800 r9:00000088 r8:82604d40 r7:8300e820 r6:85fed618 r5:8300e800
 r4:85fed600
[<80264124>] (worker_thread) from [<8026b19c>] (kthread+0x100/0x130 kernel/kthread.c:379)
 r10:00000000 r9:dfc75e9c r8:86051b80 r7:85fed600 r6:80264124 r5:83289780
 r4:860514c0
[<8026b09c>] (kthread) from [<80200100>] (ret_from_fork+0x14/0x34 arch/arm/kernel/entry-common.S:133)
Exception stack(0xdfb61fb0 to 0xdfb61ff8)
1fa0:                                     00000000 00000000 00000000 00000000
1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:8026b09c r4:860514c0
Code: 0a000022 e5913004 e1d120be e5d14013 (e1d380be) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	0a000022 	beq	0x90
   4:	e5913004 	ldr	r3, [r1, #4]
   8:	e1d120be 	ldrh	r2, [r1, #14]
   c:	e5d14013 	ldrb	r4, [r1, #19]
* 10:	e1d380be 	ldrh	r8, [r3, #14] <-- trapping instruction

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/05/26 07:06 upstream eb03e3181354 b40ef614 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers
* Struck through repros no longer work on HEAD.