syzbot

 sign-in | mailing list | source | docs
🐞 Open [980] Subsystems 🐞 Fixed [5236] 🐞 Invalid [12500] Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: null-ptr-deref Write in io_uring_cancel_sqpoll

Status: fixed on 2021/11/10 00:50
Subsystems: fs
[Documentation on labels]
Reported-by: syzbot+be51ca5a4d97f017cd50@syzkaller.appspotmail.com
Fix commit: 6d042ffb598e io_uring: Check current->io_uring in io_uring_cancel_sqpoll
First crash: 1153d, last: 898d
Discussions (4)
Title Replies (including bot) Last reply
[PATCH 5.12 000/384] 5.12.3-rc1 review 395 (395) 2021/05/11 21:07
[PATCH 5.13] io_uring: Check current->io_uring in io_uring_cancel_sqpoll 6 (6) 2021/04/27 17:04
Re: KASAN: null-ptr-deref Write in io_uring_cancel_sqpoll 5 (5) 2021/04/27 11:20
KASAN: null-ptr-deref Write in io_uring_cancel_sqpoll 0 (1) 2021/02/26 09:33

Sample crash report:
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
BUG: KASAN: null-ptr-deref in io_uring_cancel_sqpoll+0x2c7/0x450 fs/io_uring.c:8871
Write of size 4 at addr 0000000000000110 by task iou-sqp-16851/16863

CPU: 0 PID: 16863 Comm: iou-sqp-16851 Not tainted 5.12.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0xfa/0x151 lib/dump_stack.c:120
 __kasan_report mm/kasan/report.c:403 [inline]
 kasan_report.cold+0x5f/0xd8 mm/kasan/report.c:416
 check_region_inline mm/kasan/generic.c:180 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:186
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
 io_uring_cancel_sqpoll+0x2c7/0x450 fs/io_uring.c:8871
 io_sq_thread+0x1109/0x1ae0 fs/io_uring.c:6782
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
==================================================================
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 16863 Comm: iou-sqp-16851 Tainted: G    B             5.12.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0xfa/0x151 lib/dump_stack.c:120
 panic+0x306/0x73d kernel/panic.c:231
 end_report mm/kasan/report.c:102 [inline]
 end_report.cold+0x5a/0x5a mm/kasan/report.c:88
 __kasan_report mm/kasan/report.c:406 [inline]
 kasan_report.cold+0x6a/0xd8 mm/kasan/report.c:416
 check_region_inline mm/kasan/generic.c:180 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:186
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_inc include/asm-generic/atomic-instrumented.h:240 [inline]
 io_uring_cancel_sqpoll+0x2c7/0x450 fs/io_uring.c:8871
 io_sq_thread+0x1109/0x1ae0 fs/io_uring.c:6782
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (170):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/03/04 12:35 upstream f69d02e37a85 d7e4e604 .config console log report info ci-upstream-kasan-gce-root KASAN: null-ptr-deref Write in io_uring_cancel_sqpoll
2021/03/04 11:01 upstream f69d02e37a85 d7e4e604 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: null-ptr-deref Write in io_uring_cancel_sqpoll
2021/03/03 19:24 upstream f69d02e37a85 06ed56cd .config console log report info ci-upstream-kasan-gce-selinux-root KASAN: null-ptr-deref Write in io_uring_cancel_sqpoll
2021/04/15 15:35 upstream 7f75285ca572 fcdb12ba .config console log report info ci-qemu2-arm64-compat KASAN: null-ptr-deref Write in io_uring_cancel_sqpoll
2021/04/07 18:50 upstream 2d743660786e 6a81331a .config console log report info ci-qemu2-arm64-compat KASAN: null-ptr-deref Write in io_uring_cancel_sqpoll
2021/03/25 18:55 upstream e138138003eb 6a383ecf .config console log report info ci-qemu2-arm64 KASAN: null-ptr-deref Write in io_uring_cancel_sqpoll
2021/03/10 10:54 upstream 280d542f6ffa 26967e35 .config console log report info ci-qemu-upstream-386 KASAN: null-ptr-deref Write in io_uring_cancel_sqpoll
2021/02/26 09:19 linux-next d01f2f7e3557 76f7fc95 .config console log report info ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Write in io_uring_cancel_sqpoll
2021/11/08 10:59 upstream bf152b0b41dc 4c1be0be .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/11/08 02:32 upstream bf152b0b41dc 4c1be0be .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/11/07 13:23 upstream bf152b0b41dc 4c1be0be .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/11/05 13:17 upstream bf152b0b41dc 4c1be0be .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/11/03 02:34 upstream bf152b0b41dc 17f3edd2 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/10/18 11:35 upstream bf152b0b41dc 0c5d9412 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/10/17 00:38 upstream bf152b0b41dc 0c5d9412 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/10/16 13:41 upstream bf152b0b41dc 0c5d9412 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/10/16 00:55 upstream bf152b0b41dc 0c5d9412 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/10/14 06:49 upstream bf152b0b41dc 5462d470 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/10/13 20:36 upstream bf152b0b41dc 2184365e .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/10/10 01:49 upstream bf152b0b41dc 838e7e2c .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/10/03 00:46 upstream bf152b0b41dc db0f5787 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/10/01 16:14 upstream bf152b0b41dc cc80db95 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/09/28 01:26 upstream bf152b0b41dc 78494d16 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/09/27 15:31 upstream bf152b0b41dc 78494d16 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/09/27 14:29 upstream bf152b0b41dc 78494d16 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/09/26 13:07 upstream bf152b0b41dc 8cac236e .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/09/25 22:28 upstream bf152b0b41dc 8cac236e .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/09/20 12:07 upstream bf152b0b41dc 3d9c9a2a .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/09/16 00:11 upstream bf152b0b41dc 07e953c1 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/09/10 05:26 upstream bf152b0b41dc e2776ee4 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/09/02 18:50 upstream bf152b0b41dc d0f0970b .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/08/30 03:03 upstream bf152b0b41dc be2c130d .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/08/29 23:59 upstream bf152b0b41dc be2c130d .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/08/23 16:28 upstream bf152b0b41dc b599f2fc .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/08/22 05:12 upstream bf152b0b41dc b599f2fc .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/08/20 13:12 upstream bf152b0b41dc b599f2fc .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/08/14 12:47 upstream bf152b0b41dc 2489ab88 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/08/12 13:39 upstream bf152b0b41dc 6972b106 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/08/12 01:25 upstream bf152b0b41dc 6972b106 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/08/03 06:16 upstream bf152b0b41dc 6c236867 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/08/02 20:14 upstream bf152b0b41dc 6c236867 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/08/02 12:18 upstream bf152b0b41dc 6c236867 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/08/02 07:02 upstream bf152b0b41dc 6c236867 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/07/26 01:42 upstream bf152b0b41dc 4d1b57d4 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/07/25 12:22 upstream bf152b0b41dc 4d1b57d4 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/07/20 12:29 upstream bf152b0b41dc 1b201b48 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/07/18 16:25 upstream bf152b0b41dc f115ae98 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/07/17 05:00 upstream bf152b0b41dc f115ae98 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/07/13 21:32 upstream bf152b0b41dc 70168d5c .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/07/05 05:31 upstream bf152b0b41dc 55aa55c2 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/07/04 09:58 upstream bf152b0b41dc 55aa55c2 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/06/26 01:00 upstream bf152b0b41dc ae6bf8dd .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/06/17 10:02 upstream bf152b0b41dc aba2b2fb .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/06/16 08:14 upstream bf152b0b41dc 990d3cbe .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/06/14 20:37 upstream bf152b0b41dc 1ba81399 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/06/14 16:01 upstream bf152b0b41dc 1ba81399 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/06/13 07:32 upstream bf152b0b41dc 1ba81399 .config console log report info ci-qemu2-arm32 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_sqpoll
2021/06/16 17:40 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 18a3c5f7abfd c06f97ad .config console log report info ci-qemu2-riscv64 BUG: unable to handle kernel access to user memory in io_uring_cancel_sqpoll
2021/06/14 16:21 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 18a3c5f7abfd 1ba81399 .config console log report info ci-qemu2-riscv64 BUG: unable to handle kernel access to user memory in io_uring_cancel_sqpoll
2021/06/13 05:44 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 18a3c5f7abfd 1ba81399 .config console log report info ci-qemu2-riscv64 BUG: unable to handle kernel access to user memory in io_uring_cancel_sqpoll
2021/06/12 00:28 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 18a3c5f7abfd 1ba81399 .config console log report info ci-qemu2-riscv64 BUG: unable to handle kernel access to user memory in io_uring_cancel_sqpoll
* Struck through repros no longer work on HEAD.