syzbot

 sign-in | mailing list | source | docs
🐞 Open [1135] 🐞 Fixed [4217] 🐞 Invalid [9346] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes

general protection fault in io_issue_sqe

Status: upstream: reported C repro on 2021/09/02 17:34
Reported-by: syzbot+de67aa0cf1053e405871@syzkaller.appspotmail.com
First crash: 461d, last: 103d

Cause bisection: introduced by (bisect log) :
commit a8295b982c46d4a7c259a4cdd58a2681929068a9
Author: Hao Xu <haoxu@linux.alibaba.com>
Date: Fri Aug 27 09:46:09 2021 +0000

  io_uring: fix failed linkchain code logic

Crash: general protection fault in io_issue_sqe (log)
Repro: C syz .config

Fix bisection: fixed by (bisect log) [no-op commit]:
commit 9af9dcf11bda3e2c0e24c1acaacb8685ad974e93
Author: Peter Zijlstra <peterz@infradead.org>
Date: Thu Jun 24 09:41:00 2021 +0000

  x86/xen: Mark cpu_bringup_and_idle() as dead_end_function

similar bugs (4):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: uninit-value in io_fallback_req_func C 8 228d 228d 0/24 auto-obsoleted due to no activity on 2022/09/28 20:35
upstream KMSAN: uninit-value in io_req_caches_free C 6 284d 361d 0/24 auto-closed as invalid on 2022/09/27 16:29
upstream KMSAN: uninit-value in preempt_count_add C 6657 58d 58d 0/24 closed as invalid on 2022/10/10 13:29
upstream KMSAN: uninit-value in io_req_cqe_overflow C 172 1h57m 91d 0/24 upstream: reported C repro on 2022/09/06 13:22
Patch testing requests:
Created Duration User Patch Repo Result
2022/12/03 23:30 22m retest repro https://github.com/google/kmsan.git master OK log
2022/12/03 23:30 21m retest repro linux-next error
2022/12/03 23:30 20m retest repro upstream OK log
2022/12/03 23:30 18m retest repro upstream OK log
2021/09/02 18:47 16m axboe@kernel.dk git://git.kernel.dk/linux-block for-5.15/io_uring OK
2021/09/02 17:36 10m axboe@kernel.dk git://git.kernel.dk/linux-block for-5.15/io_uring report log

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 3683 Comm: iou-wrk-3682 Not tainted 5.18.0-rc6-next-20220512-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__list_add_valid+0x47/0xa0 lib/list_debug.c:26
Code: fa 48 c1 ea 03 80 3c 02 00 75 50 49 8b 54 24 08 48 39 f2 0f 85 56 73 43 05 48 b8 00 00 00 00 00 fc ff df 48 89 f2 48 c1 ea 03 <80> 3c 02 00 75 3a 48 8b 16 4c 39 e2 0f 85 5b 73 43 05 48 39 f5 0f
RSP: 0018:ffffc90002fd7ae8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff888023ed0000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88801ef405c8
RBP: ffff888023ed0000 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff81f05205 R11: 0000000000000000 R12: ffff88801ef405c0
R13: ffff88801ef405c8 R14: ffff88807a30f1e0 R15: ffff888023ed0020
FS:  000055555604c300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2aed5d7b08 CR3: 0000000023ed5000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __list_add include/linux/list.h:69 [inline]
 list_add_tail include/linux/list.h:102 [inline]
 list_move_tail include/linux/list.h:230 [inline]
 io_add_buffers fs/io_uring.c:5596 [inline]
 io_provide_buffers fs/io_uring.c:5655 [inline]
 io_issue_sqe+0x2b72/0xa140 fs/io_uring.c:8174
 io_wq_submit_work+0x22a/0x600 fs/io_uring.c:8286
 io_worker_handle_work+0xb1c/0x1ab0 fs/io-wq.c:597
 io_wqe_worker+0x637/0xdb0 fs/io-wq.c:644
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:297
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_add_valid+0x47/0xa0 lib/list_debug.c:26
Code: fa 48 c1 ea 03 80 3c 02 00 75 50 49 8b 54 24 08 48 39 f2 0f 85 56 73 43 05 48 b8 00 00 00 00 00 fc ff df 48 89 f2 48 c1 ea 03 <80> 3c 02 00 75 3a 48 8b 16 4c 39 e2 0f 85 5b 73 43 05 48 39 f5 0f
RSP: 0018:ffffc90002fd7ae8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff888023ed0000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88801ef405c8
RBP: ffff888023ed0000 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff81f05205 R11: 0000000000000000 R12: ffff88801ef405c0
R13: ffff88801ef405c8 R14: ffff88807a30f1e0 R15: ffff888023ed0020
FS:  000055555604c300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2aed5d7b08 CR3: 0000000023ed5000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	fa                   	cli
   1:	48 c1 ea 03          	shr    $0x3,%rdx
   5:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   9:	75 50                	jne    0x5b
   b:	49 8b 54 24 08       	mov    0x8(%r12),%rdx
  10:	48 39 f2             	cmp    %rsi,%rdx
  13:	0f 85 56 73 43 05    	jne    0x543736f
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 89 f2             	mov    %rsi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	75 3a                	jne    0x6a
  30:	48 8b 16             	mov    (%rsi),%rdx
  33:	4c 39 e2             	cmp    %r12,%rdx
  36:	0f 85 5b 73 43 05    	jne    0x5437397
  3c:	48 39 f5             	cmp    %rsi,%rbp
  3f:	0f                   	.byte 0xf

Crashes (502):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-linux-next-kasan-gce-root 2022/05/12 20:59 linux-next 187b9ac8c348 9ad6612a .config log report syz C general protection fault in io_issue_sqe
ci-upstream-kasan-gce 2021/09/01 08:56 upstream 9c849ce86e0f 7eb7e152 .config log report syz C general protection fault in io_issue_sqe
ci-upstream-kasan-gce-smack-root 2022/06/16 06:30 upstream 979086f5e006 1719ee24 .config log report syz C KASAN: null-ptr-deref Write in io_issue_sqe
ci-upstream-kmsan-gce 2022/05/16 18:03 https://github.com/google/kmsan.git master d6e2c8c7eb40 744a39e2 .config log report syz C KMSAN: uninit-value in io_issue_sqe
ci-upstream-kasan-gce 2021/09/05 07:44 upstream 49624efa65ac d236a457 .config log report info general protection fault in io_issue_sqe
ci-upstream-kasan-gce 2021/09/01 08:20 upstream 9c849ce86e0f 7eb7e152 .config log report info general protection fault in io_issue_sqe
ci-upstream-kasan-gce-386 2021/09/03 11:46 upstream a9c9a6f741cd f62a5829 .config log report info general protection fault in io_issue_sqe
ci-upstream-linux-next-kasan-gce-root 2022/05/17 20:39 linux-next 3f7bdc402fb0 744a39e2 .config log report info general protection fault in io_issue_sqe
ci-upstream-linux-next-kasan-gce-root 2022/05/16 00:18 linux-next 1e1b28b936ae 744a39e2 .config log report info general protection fault in io_issue_sqe
ci-upstream-kasan-gce-smack-root 2022/06/23 05:09 upstream 3abc3ae553c7 912f5df7 .config log report info KASAN: null-ptr-deref Write in io_issue_sqe
ci-upstream-kasan-gce-smack-root 2022/06/21 15:27 upstream 78ca55889a54 0fc5c330 .config log report info KASAN: null-ptr-deref Write in io_issue_sqe
ci-upstream-kasan-gce-386 2021/09/03 02:47 upstream 4ac6d90867a4 15cea0a3 .config log report info BUG: corrupted list in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/25 22:43 https://github.com/google/kmsan.git master d891e35583bf 9b5bf4cd .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/25 21:15 https://github.com/google/kmsan.git master d891e35583bf 9b5bf4cd .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/25 14:42 https://github.com/google/kmsan.git master d891e35583bf e5fb9cf5 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/25 12:47 https://github.com/google/kmsan.git master d891e35583bf 514514f6 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/25 00:12 https://github.com/google/kmsan.git master 1b070a5d1a2c 514514f6 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/24 22:44 https://github.com/google/kmsan.git master 1b070a5d1a2c 514514f6 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/24 00:26 https://github.com/google/kmsan.git master 1b070a5d1a2c cea8b0f7 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/23 22:57 https://github.com/google/kmsan.git master 1b070a5d1a2c cea8b0f7 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/23 19:34 https://github.com/google/kmsan.git master 1b070a5d1a2c cea8b0f7 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/23 07:26 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/23 00:23 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/22 21:24 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/22 18:16 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/22 14:14 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/22 10:08 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/22 08:08 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/22 06:01 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/21 23:24 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/21 18:44 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/21 16:48 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/21 10:58 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/20 23:25 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/20 20:00 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/20 13:58 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/20 07:33 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/19 22:53 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/19 17:31 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/19 15:59 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/19 12:59 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/18 23:46 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/18 17:55 https://github.com/google/kmsan.git master 1b070a5d1a2c d58e263f .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/18 13:50 https://github.com/google/kmsan.git master 1b070a5d1a2c d58e263f .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/18 08:27 https://github.com/google/kmsan.git master 1b070a5d1a2c d58e263f .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/18 01:51 https://github.com/google/kmsan.git master 1b070a5d1a2c d58e263f .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/18 00:27 https://github.com/google/kmsan.git master 1b070a5d1a2c d58e263f .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/17 07:53 https://github.com/google/kmsan.git master 1b070a5d1a2c 4e72d229 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/17 02:37 https://github.com/google/kmsan.git master 1b070a5d1a2c 4e72d229 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/16 22:19 https://github.com/google/kmsan.git master 1b070a5d1a2c 7a7cb304 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/16 19:44 https://github.com/google/kmsan.git master 1b070a5d1a2c 7a7cb304 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/15 23:53 https://github.com/google/kmsan.git master 1b070a5d1a2c 8dfcaa3d .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/15 15:38 https://github.com/google/kmsan.git master 1b070a5d1a2c 8dfcaa3d .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce 2022/08/15 12:54 https://github.com/google/kmsan.git master 1b070a5d1a2c 8dfcaa3d .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce-386 2022/08/17 09:10 https://github.com/google/kmsan.git master 1b070a5d1a2c 4e72d229 .config log report info KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce-386 2022/08/17 05:32 https://github.com/google/kmsan.git master 1b070a5d1a2c 4e72d229 .config log report info KMSAN: uninit-value in io_issue_sqe
* Struck through repros no longer work on HEAD.