syzbot

 sign-in | mailing list | source | docs
🐞 Open [970] 🐞 Fixed [3880] 🐞 Invalid [8364] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes

general protection fault in io_issue_sqe

Status: upstream: reported C repro on 2021/09/02 17:34
Reported-by: syzbot+de67aa0cf1053e405871@syzkaller.appspotmail.com
First crash: 306d, last: 2h28m

Cause bisection: introduced by (bisect log) :
commit a8295b982c46d4a7c259a4cdd58a2681929068a9
Author: Hao Xu <haoxu@linux.alibaba.com>
Date: Fri Aug 27 09:46:09 2021 +0000

  io_uring: fix failed linkchain code logic

Crash: general protection fault in io_issue_sqe (log)
Repro: C syz .config

Fix bisection: fixed by (bisect log) [no-op commit]:
commit 9af9dcf11bda3e2c0e24c1acaacb8685ad974e93
Author: Peter Zijlstra <peterz@infradead.org>
Date: Thu Jun 24 09:41:00 2021 +0000

  x86/xen: Mark cpu_bringup_and_idle() as dead_end_function

similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: uninit-value in io_fallback_req_func C 8 73d 73d 0/22 upstream: reported C repro on 2022/04/22 09:35
upstream KASAN: use-after-free Read in tctx_task_work (2) C unreliable 353 6d11h 319d 0/22 upstream: reported C repro on 2021/08/19 08:10
Patch testing requests:
Created Duration User Patch Repo Result
2021/09/02 18:47 16m axboe@kernel.dk git://git.kernel.dk/linux-block for-5.15/io_uring OK
2021/09/02 17:36 10m axboe@kernel.dk git://git.kernel.dk/linux-block for-5.15/io_uring report log

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087]
CPU: 1 PID: 8426 Comm: syz-executor497 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:io_accept fs/io_uring.c:5041 [inline]
RIP: 0010:io_issue_sqe+0x2522/0x6ba0 fs/io_uring.c:6596
Code: 48 c1 ea 03 80 3c 02 00 0f 85 66 42 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 27 49 8d bc 24 80 00 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 47 42 00 00 45 8b ac 24 80 00
RSP: 0018:ffffc900010dfb48 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000010 RSI: ffffffff81e2c2cd RDI: 0000000000000080
RBP: ffff888016a5179c R08: 0000000000000000 R09: ffffffff81e29ff8
R10: ffffffff81e2c2bf R11: 000000000000000d R12: 0000000000000000
R13: 1ffff11002d4a2f9 R14: 0000000000000003 R15: ffff888016a51780
FS:  0000000000675300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f74bb07a6c0 CR3: 0000000026e49000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __io_queue_sqe+0x90/0xb50 fs/io_uring.c:6864
 io_req_task_submit+0xbf/0x1b0 fs/io_uring.c:2218
 tctx_task_work+0x166/0x610 fs/io_uring.c:2143
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_signal include/linux/tracehook.h:212 [inline]
 handle_signal_work kernel/entry/common.c:146 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x256/0x290 kernel/entry/common.c:209
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43f069
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc12dd2538 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: 0000000000000304 RBX: 0000000000000003 RCX: 000000000043f069
RDX: 0000000000000000 RSI: 0000000000000304 RDI: 0000000000000003
RBP: 0000000000403050 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004030e0
R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
Modules linked in:
---[ end trace 51fb6b52dc1cb8ce ]---
RIP: 0010:io_accept fs/io_uring.c:5041 [inline]
RIP: 0010:io_issue_sqe+0x2522/0x6ba0 fs/io_uring.c:6596
Code: 48 c1 ea 03 80 3c 02 00 0f 85 66 42 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 27 49 8d bc 24 80 00 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 47 42 00 00 45 8b ac 24 80 00
RSP: 0018:ffffc900010dfb48 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000010 RSI: ffffffff81e2c2cd RDI: 0000000000000080
RBP: ffff888016a5179c R08: 0000000000000000 R09: ffffffff81e29ff8
R10: ffffffff81e2c2bf R11: 000000000000000d R12: 0000000000000000
R13: 1ffff11002d4a2f9 R14: 0000000000000003 R15: ffff888016a51780
FS:  0000000000675300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f544adff000 CR3: 0000000026e49000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	48 c1 ea 03          	shr    $0x3,%rdx
   4:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   8:	0f 85 66 42 00 00    	jne    0x4274
   e:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  15:	fc ff df
  18:	4d 8b 27             	mov    (%r15),%r12
  1b:	49 8d bc 24 80 00 00 	lea    0x80(%r12),%rdi
  22:	00
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax <-- trapping instruction
  2e:	84 c0                	test   %al,%al
  30:	74 08                	je     0x3a
  32:	3c 03                	cmp    $0x3,%al
  34:	0f 8e 47 42 00 00    	jle    0x4281
  3a:	45                   	rex.RB
  3b:	8b                   	.byte 0x8b
  3c:	ac                   	lods   %ds:(%rsi),%al
  3d:	24 80                	and    $0x80,%al

Crashes (235):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2021/09/01 08:56 upstream 9c849ce86e0f 7eb7e152 .config log report syz C general protection fault in io_issue_sqe
ci-upstream-linux-next-kasan-gce-root 2022/05/12 20:59 linux-next 187b9ac8c348 9ad6612a .config log report syz C general protection fault in io_issue_sqe
ci-upstream-kasan-gce-smack-root 2022/06/16 06:30 upstream 979086f5e006 1719ee24 .config log report syz C KASAN: null-ptr-deref Write in io_issue_sqe
ci-upstream-kmsan-gce 2022/05/16 18:03 https://github.com/google/kmsan.git master d6e2c8c7eb40 744a39e2 .config log report syz C KMSAN: uninit-value in io_issue_sqe
ci-upstream-kasan-gce 2021/09/05 07:44 upstream 49624efa65ac d236a457 .config log report info general protection fault in io_issue_sqe
ci-upstream-kasan-gce 2021/09/01 08:20 upstream 9c849ce86e0f 7eb7e152 .config log report info general protection fault in io_issue_sqe
ci-upstream-kasan-gce-386 2021/09/03 11:46 upstream a9c9a6f741cd f62a5829 .config log report info general protection fault in io_issue_sqe
ci-upstream-linux-next-kasan-gce-root 2022/05/17 20:39 linux-next 3f7bdc402fb0 744a39e2 .config log report info general protection fault in io_issue_sqe
ci-upstream-linux-next-kasan-gce-root 2022/05/16 00:18 linux-next 1e1b28b936ae 744a39e2 .config log report info general protection fault in io_issue_sqe
ci-upstream-kasan-gce-smack-root 2022/06/23 05:09 upstream 3abc3ae553c7 912f5df7 .config log report info KASAN: null-ptr-deref Write in io_issue_sqe
ci-upstream-kasan-gce-smack-root 2022/06/21 15:27 upstream 78ca55889a54 0fc5c330 .config log report info KASAN: null-ptr-deref Write in io_issue_sqe
ci-upstream-kasan-gce-386 2021/09/03 02:47 upstream 4ac6d90867a4 15cea0a3 .config log report info BUG: corrupted list in io_issue_sqe
ci-upstream-kmsan-gce 2022/07/04 21:49 https://github.com/google/kmsan.git master 97117d69c353 bff65f44 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/07/04 20:07 https://github.com/google/kmsan.git master 97117d69c353 bff65f44 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/07/04 19:07 https://github.com/google/kmsan.git master 97117d69c353 bff65f44 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/07/04 13:52 https://github.com/google/kmsan.git master 97117d69c353 bff65f44 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/07/03 20:34 https://github.com/google/kmsan.git master 97117d69c353 1434eec0 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/07/03 18:51 https://github.com/google/kmsan.git master 97117d69c353 1434eec0 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/07/03 12:50 https://github.com/google/kmsan.git master 97117d69c353 1434eec0 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/07/03 12:50 https://github.com/google/kmsan.git master 97117d69c353 1434eec0 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/07/03 10:37 https://github.com/google/kmsan.git master 97117d69c353 1434eec0 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/07/02 19:17 https://github.com/google/kmsan.git master 97117d69c353 1434eec0 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/07/02 04:22 https://github.com/google/kmsan.git master 97117d69c353 1434eec0 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/07/02 02:00 https://github.com/google/kmsan.git master 97117d69c353 1434eec0 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/07/01 15:26 https://github.com/google/kmsan.git master ef4d99f50920 1434eec0 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/07/01 13:08 https://github.com/google/kmsan.git master ef4d99f50920 1434eec0 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/07/01 10:40 https://github.com/google/kmsan.git master b3e6d59bab08 1434eec0 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/30 20:05 https://github.com/google/kmsan.git master b3e6d59bab08 1434eec0 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/30 13:59 https://github.com/google/kmsan.git master ec1cbf8b060e 1434eec0 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/30 13:49 https://github.com/google/kmsan.git master ec1cbf8b060e 1434eec0 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/30 11:45 https://github.com/google/kmsan.git master ec1cbf8b060e 1434eec0 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/30 05:38 https://github.com/google/kmsan.git master ec1cbf8b060e 1434eec0 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/29 09:51 https://github.com/google/kmsan.git master ec1cbf8b060e 496a8536 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/29 08:39 https://github.com/google/kmsan.git master ec1cbf8b060e 496a8536 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/29 06:56 https://github.com/google/kmsan.git master ec1cbf8b060e 496a8536 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/29 04:00 https://github.com/google/kmsan.git master ec1cbf8b060e 496a8536 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/29 00:17 https://github.com/google/kmsan.git master ec1cbf8b060e 496a8536 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/28 16:23 https://github.com/google/kmsan.git master ec1cbf8b060e ef82eb2c .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/28 16:11 https://github.com/google/kmsan.git master ec1cbf8b060e ef82eb2c .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/28 09:36 https://github.com/google/kmsan.git master 4b28366af7d9 ef82eb2c .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/28 05:32 https://github.com/google/kmsan.git master 4b28366af7d9 ef82eb2c .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/27 08:57 https://github.com/google/kmsan.git master 4b28366af7d9 a371c43c .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/27 06:13 https://github.com/google/kmsan.git master 4b28366af7d9 a371c43c .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/26 22:40 https://github.com/google/kmsan.git master 4b28366af7d9 a371c43c .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/26 20:11 https://github.com/google/kmsan.git master 4b28366af7d9 a371c43c .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/26 17:21 https://github.com/google/kmsan.git master 4b28366af7d9 a371c43c .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/26 09:30 https://github.com/google/kmsan.git master 4b28366af7d9 a371c43c .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/25 03:15 https://github.com/google/kmsan.git master 4b28366af7d9 a371c43c .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/25 01:45 https://github.com/google/kmsan.git master 4b28366af7d9 a371c43c .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/24 09:39 https://github.com/google/kmsan.git master 4b28366af7d9 a5dbd430 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/24 08:14 https://github.com/google/kmsan.git master 4b28366af7d9 912f5df7 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/24 06:57 https://github.com/google/kmsan.git master 4b28366af7d9 912f5df7 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/24 05:14 https://github.com/google/kmsan.git master 4b28366af7d9 912f5df7 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/06/24 01:56 https://github.com/google/kmsan.git master 4b28366af7d9 912f5df7 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce-386 2022/06/29 21:25 https://github.com/google/kmsan.git master ec1cbf8b060e 1434eec0 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce-386 2022/06/27 23:00 https://github.com/google/kmsan.git master d60755a5e2cb ef82eb2c .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce-386 2022/06/27 21:19 https://github.com/google/kmsan.git master d60755a5e2cb ef82eb2c .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce-386 2022/06/27 18:52 https://github.com/google/kmsan.git master d60755a5e2cb ef82eb2c .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce-386 2022/06/24 12:23 https://github.com/google/kmsan.git master 4b28366af7d9 a5dbd430 .config log report info KMSAN: uninit-value in io_issue_sqe