KASAN: use-after-free Read in io_poll_remove


Created	Duration	User	Repo	Result
2022/11/15 10:30	18m	retest repro	upstream	OK log
2022/11/15 10:30	18m	retest repro	upstream	OK log
2022/11/15 10:30	19m	retest repro	upstream	OK log
2022/03/23 01:22	12m	axboe@kernel.dk	git://git.kernel.dk/linux-block for-5.18/io_uring	OK

general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 5079 Comm: syz-executor197 Not tainted 6.3.0-rc2-syzkaller-00050-g9c1bec9c0b08 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 RIP: 0010:io_poll_remove_entry io_uring/poll.c:182 [inline] RIP: 0010:io_poll_remove_entries.part.0+0x376/0x810 io_uring/poll.c:220 Code: ea 03 80 3c 02 00 0f 85 89 03 00 00 48 8b 5b 40 e8 ef d8 78 fd 4c 8d 73 08 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 33 03 00 00 48 8b 6b 08 48 85 ed 0f 84 29 01 00 RSP: 0018:ffffc90003c0fa40 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffffff840a0c11 RDI: ffff88802183b1c0 RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000006 R10: 0000000000000001 R11: 0000000000000000 R12: ffff888075c08904 R13: 0000000000000000 R14: 0000000000000008 R15: ffff88802183b188 FS: 00005555563b6300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000001d6f3f8 CR3: 0000000021c98000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> io_poll_remove_entries io_uring/poll.c:198 [inline] __io_arm_poll_handler+0x7ec/0xe00 io_uring/poll.c:603 io_arm_poll_handler+0x4f2/0xc60 io_uring/poll.c:734 io_queue_async+0xc1/0x5b0 io_uring/io_uring.c:2057 io_queue_sqe io_uring/io_uring.c:2088 [inline] io_req_task_submit+0x256/0x290 io_uring/io_uring.c:1425 io_poll_task_func+0x994/0x1240 io_uring/poll.c:346 handle_tw_list io_uring/io_uring.c:1184 [inline] tctx_task_work+0x2d7/0xa00 io_uring/io_uring.c:1246 task_work_run+0x16f/0x270 kernel/task_work.c:179 ptrace_notify+0x118/0x140 kernel/signal.c:2354 ptrace_report_syscall include/linux/ptrace.h:411 [inline] ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline] syscall_exit_work kernel/entry/common.c:251 [inline] syscall_exit_to_user_mode_prepare+0x129/0x220 kernel/entry/common.c:278 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0xd/0x50 kernel/entry/common.c:296 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f753700a5a3 Code: c7 c2 c0 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb ba 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 RSP: 002b:00007ffce2ad3f88 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f753700a5a3 RDX: 0000000000000000 RSI: 000000000000561c RDI: 0000000000000003 RBP: 00007ffce2ad3fa0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffce2ad3f98 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:io_poll_remove_entry io_uring/poll.c:182 [inline] RIP: 0010:io_poll_remove_entries.part.0+0x376/0x810 io_uring/poll.c:220 Code: ea 03 80 3c 02 00 0f 85 89 03 00 00 48 8b 5b 40 e8 ef d8 78 fd 4c 8d 73 08 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 33 03 00 00 48 8b 6b 08 48 85 ed 0f 84 29 01 00 RSP: 0018:ffffc90003c0fa40 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffffff840a0c11 RDI: ffff88802183b1c0 RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000006 R10: 0000000000000001 R11: 0000000000000000 R12: ffff888075c08904 R13: 0000000000000000 R14: 0000000000000008 R15: ffff88802183b188 FS: 00005555563b6300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7537077b00 CR3: 0000000021c98000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess), 1 bytes skipped: 0: 03 80 3c 02 00 0f add 0xf00023c(%rax),%eax 6: 85 89 03 00 00 48 test %ecx,0x48000003(%rcx) c: 8b 5b 40 mov 0x40(%rbx),%ebx f: e8 ef d8 78 fd callq 0xfd78d903 14: 4c 8d 73 08 lea 0x8(%rbx),%r14 18: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 1f: fc ff df 22: 4c 89 f2 mov %r14,%rdx 25: 48 c1 ea 03 shr $0x3,%rdx * 29: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction 2d: 0f 85 33 03 00 00 jne 0x366 33: 48 8b 6b 08 mov 0x8(%rbx),%rbp 37: 48 85 ed test %rbp,%rbp 3a: 0f .byte 0xf 3b: 84 29 test %ch,(%rcx) 3d: 01 00 add %eax,(%rax)

Crashes (751):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets	Manager	Title
2023/03/16 07:42	upstream	9c1bec9c0b08	18b58603	.config	strace log	report	syz	C		[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/02/27 19:46	linux-next	7f7a8831520f	e792ae78	.config	strace log	report	syz	C		[disk image] [vmlinux] [kernel image]	ci-upstream-linux-next-kasan-gce-root	general protection fault in io_poll_remove_entries
2023/03/15 01:21	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	fe15c26ee26e	0d5c4377	.config	console log	report	syz	C		[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: null-ptr-deref Read in io_poll_remove_entries
2022/06/02 22:19	upstream	d1dc87763f40	5783034f	.config	console log	report	syz	C			ci-upstream-kasan-gce	KASAN: use-after-free Read in io_poll_remove_entries
2022/04/18 23:51	upstream	b2d229d4ddb1	8bcc32a6	.config	console log	report	syz	C			ci-upstream-kasan-gce	KASAN: use-after-free Read in io_poll_remove_entries
2022/04/18 23:25	upstream	b2d229d4ddb1	8bcc32a6	.config	console log	report	syz	C			ci-upstream-kasan-gce-root	KASAN: use-after-free Read in io_poll_remove_entries
2022/03/23 01:20	upstream	b47d5a4f6b8d	d88ef0c5	.config	console log	report	syz	C			ci-upstream-kasan-gce-smack-root	KASAN: use-after-free Read in io_poll_remove_entries
2022/03/22 06:18	upstream	8565d64430f8	e2d91b1d	.config	console log	report			info		ci-upstream-kasan-gce-selinux-root	KASAN: use-after-free Read in io_poll_remove_entries
2023/01/14 10:10	linux-next	0a093b2893c7	529798b0	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-linux-next-kasan-gce-root	KASAN: use-after-free Read in io_poll_remove_entries
2023/03/31 11:20	upstream	62bad54b26db	f325deb0	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/31 09:18	upstream	62bad54b26db	f325deb0	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/31 04:13	upstream	8bb95a1662f8	f325deb0	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/31 00:38	upstream	8bb95a1662f8	f325deb0	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-smack-root	general protection fault in io_poll_remove_entries
2023/03/30 20:55	upstream	8bb95a1662f8	f325deb0	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-smack-root	general protection fault in io_poll_remove_entries
2023/03/30 18:55	upstream	8bb95a1662f8	f325deb0	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/30 14:45	upstream	ffe78bbd5121	f325deb0	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-smack-root	general protection fault in io_poll_remove_entries
2023/03/30 07:44	upstream	ffe78bbd5121	f325deb0	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-smack-root	general protection fault in io_poll_remove_entries
2023/03/30 05:51	upstream	ffe78bbd5121	f325deb0	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-root	general protection fault in io_poll_remove_entries
2023/03/30 01:25	upstream	ffe78bbd5121	f325deb0	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/29 09:50	upstream	fcd476ea6a88	fc067f05	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/29 05:13	upstream	fcd476ea6a88	fc067f05	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-selinux-root	general protection fault in io_poll_remove_entries
2023/03/29 03:05	upstream	fcd476ea6a88	fc067f05	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-selinux-root	general protection fault in io_poll_remove_entries
2023/03/28 21:56	upstream	fcd476ea6a88	48c74771	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/28 16:54	upstream	3a93e40326c8	48c74771	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/28 14:06	upstream	3a93e40326c8	48c74771	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/28 12:06	upstream	3a93e40326c8	47f3aaf1	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/28 11:06	upstream	3a93e40326c8	47f3aaf1	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/28 08:14	upstream	3a93e40326c8	47f3aaf1	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/28 01:04	upstream	3a93e40326c8	47f3aaf1	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-smack-root	general protection fault in io_poll_remove_entries
2023/03/27 23:18	upstream	3a93e40326c8	47f3aaf1	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/27 19:49	upstream	197b6b60ae7b	f8f96aa9	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/27 13:08	upstream	197b6b60ae7b	f8f96aa9	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-smack-root	general protection fault in io_poll_remove_entries
2023/03/27 07:21	upstream	0ec57cfa721f	fbf0499a	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/27 01:42	upstream	0ec57cfa721f	fbf0499a	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-smack-root	general protection fault in io_poll_remove_entries
2023/03/26 23:34	upstream	197b6b60ae7b	fbf0499a	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-root	general protection fault in io_poll_remove_entries
2023/03/26 16:08	upstream	da8e7da11e4b	fbf0499a	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/25 13:59	upstream	65aca32efdcb	fbf0499a	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	general protection fault in io_poll_remove_entries
2023/03/25 04:33	upstream	65aca32efdcb	fbf0499a	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/24 20:01	upstream	4bae0ad148f4	9700afae	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/24 17:35	upstream	4bae0ad148f4	9700afae	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/24 12:01	upstream	1e760fa3596e	f94b4a29	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/24 05:22	upstream	9fd6ba5420ba	f94b4a29	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/23 12:22	upstream	fff5a5e7f528	f94b4a29	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-selinux-root	general protection fault in io_poll_remove_entries
2023/03/23 10:37	upstream	fff5a5e7f528	f94b4a29	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/23 00:44	upstream	fff5a5e7f528	f94b4a29	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce	general protection fault in io_poll_remove_entries
2023/03/22 18:19	upstream	a1effab7a3a3	d846e076	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-selinux-root	general protection fault in io_poll_remove_entries
2023/03/22 17:36	upstream	a1effab7a3a3	d846e076	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-root	general protection fault in io_poll_remove_entries
2023/03/22 08:53	upstream	2faac9a98f01	8b4eb097	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-smack-root	general protection fault in io_poll_remove_entries
2023/03/04 23:49	upstream	c29214bc8916	f8902b57	.config	console log	report			info		ci-qemu-upstream	general protection fault in io_poll_remove_entries
2022/04/10 16:19	upstream	e1f700ebd6be	e22c3da3	.config	console log	report			info		ci-upstream-kasan-gce	KFENCE: use-after-free in io_poll_remove_entries
2023/03/29 21:59	upstream	ffe78bbd5121	f325deb0	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-386	general protection fault in io_poll_remove_entries
2023/03/26 10:26	upstream	da8e7da11e4b	fbf0499a	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-386	general protection fault in io_poll_remove_entries
2023/03/25 19:34	upstream	4bdec23f971b	fbf0499a	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-386	general protection fault in io_poll_remove_entries
2023/03/25 08:21	upstream	65aca32efdcb	fbf0499a	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-386	general protection fault in io_poll_remove_entries
2023/03/25 04:08	upstream	65aca32efdcb	fbf0499a	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-386	general protection fault in io_poll_remove_entries
2023/03/23 20:18	upstream	9fd6ba5420ba	f94b4a29	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-386	general protection fault in io_poll_remove_entries
2023/03/22 15:42	upstream	a1effab7a3a3	d846e076	.config	console log	report			info		ci-qemu-upstream-386	general protection fault in io_poll_remove_entries
2023/03/22 12:55	upstream	a1effab7a3a3	d846e076	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-386	general protection fault in io_poll_remove_entries
2023/03/22 11:43	upstream	a1effab7a3a3	d846e076	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-386	general protection fault in io_poll_remove_entries
2022/04/01 13:45	upstream	e8b767f5e040	20955a24	.config	console log	report			info		ci-upstream-kasan-gce-386	BUG: corrupted list in io_poll_remove_entries
2023/03/06 06:29	linux-next	dc837c1a5137	f8902b57	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-linux-next-kasan-gce-root	general protection fault in io_poll_remove_entries
2023/04/05 23:31	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	59caa87f9dfb	8b834965	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: null-ptr-deref Read in io_poll_remove_entries
2023/04/01 17:51	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	59caa87f9dfb	f325deb0	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: null-ptr-deref Read in io_poll_remove_entries

Crashes (751):

2023/03/16 07:42

upstream