syzbot

 sign-in | mailing list | source | docs
🐞 Open [962] Subsystems 🐞 Fixed [4564] 🐞 Invalid [10526] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

general protection fault in io_issue_sqe

Status: auto-obsoleted due to no activity on 2023/04/19 14:13
Labels: io-uring fs (incorrect?)
Reported-by: syzbot+de67aa0cf1053e405871@syzkaller.appspotmail.com
First crash: 641d, last: 283d

Cause bisection: introduced by (bisect log) :
commit a8295b982c46d4a7c259a4cdd58a2681929068a9
Author: Hao Xu <haoxu@linux.alibaba.com>
Date: Fri Aug 27 09:46:09 2021 +0000

  io_uring: fix failed linkchain code logic

Crash: general protection fault in io_issue_sqe (log)
Repro: C syz .config

Fix bisection: fixed by (bisect log) [no-op commit]:
commit 9af9dcf11bda3e2c0e24c1acaacb8685ad974e93
Author: Peter Zijlstra <peterz@infradead.org>
Date: Thu Jun 24 09:41:00 2021 +0000

  x86/xen: Mark cpu_bringup_and_idle() as dead_end_function

Discussions (1)
Title Replies (including bot) Last reply
[syzbot] general protection fault in io_issue_sqe 2 (5) 2021/09/02 19:14
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: uninit-value in io_fallback_req_func C 8 408d 408d 0/24 auto-obsoleted due to no activity on 2022/09/28 20:35
upstream KMSAN: uninit-value in io_req_caches_free C 6 464d 541d 0/24 auto-closed as invalid on 2022/09/27 16:29
upstream KMSAN: uninit-value in preempt_count_add C 6657 238d 238d 0/24 closed as invalid on 2022/10/10 13:29
upstream KMSAN: uninit-value in io_req_cqe_overflow io-uring C 604 26d 271d 0/24 upstream: reported C repro on 2022/09/06 13:22
Last patch testing requests (7)
Created Duration User Patch Repo Result
2023/04/19 13:54 18m retest repro linux-next OK log
2022/12/03 23:30 22m retest repro https://github.com/google/kmsan.git master OK log
2022/12/03 23:30 21m retest repro linux-next error
2022/12/03 23:30 20m retest repro upstream OK log
2022/12/03 23:30 18m retest repro upstream OK log
2021/09/02 18:47 16m axboe@kernel.dk git://git.kernel.dk/linux-block for-5.15/io_uring OK
2021/09/02 17:36 10m axboe@kernel.dk git://git.kernel.dk/linux-block for-5.15/io_uring report log

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087]
CPU: 1 PID: 8426 Comm: syz-executor497 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:io_accept fs/io_uring.c:5041 [inline]
RIP: 0010:io_issue_sqe+0x2522/0x6ba0 fs/io_uring.c:6596
Code: 48 c1 ea 03 80 3c 02 00 0f 85 66 42 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 27 49 8d bc 24 80 00 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 47 42 00 00 45 8b ac 24 80 00
RSP: 0018:ffffc900010dfb48 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000010 RSI: ffffffff81e2c2cd RDI: 0000000000000080
RBP: ffff888016a5179c R08: 0000000000000000 R09: ffffffff81e29ff8
R10: ffffffff81e2c2bf R11: 000000000000000d R12: 0000000000000000
R13: 1ffff11002d4a2f9 R14: 0000000000000003 R15: ffff888016a51780
FS:  0000000000675300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f74bb07a6c0 CR3: 0000000026e49000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __io_queue_sqe+0x90/0xb50 fs/io_uring.c:6864
 io_req_task_submit+0xbf/0x1b0 fs/io_uring.c:2218
 tctx_task_work+0x166/0x610 fs/io_uring.c:2143
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_signal include/linux/tracehook.h:212 [inline]
 handle_signal_work kernel/entry/common.c:146 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x256/0x290 kernel/entry/common.c:209
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43f069
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc12dd2538 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: 0000000000000304 RBX: 0000000000000003 RCX: 000000000043f069
RDX: 0000000000000000 RSI: 0000000000000304 RDI: 0000000000000003
RBP: 0000000000403050 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004030e0
R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
Modules linked in:
---[ end trace 51fb6b52dc1cb8ce ]---
RIP: 0010:io_accept fs/io_uring.c:5041 [inline]
RIP: 0010:io_issue_sqe+0x2522/0x6ba0 fs/io_uring.c:6596
Code: 48 c1 ea 03 80 3c 02 00 0f 85 66 42 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 27 49 8d bc 24 80 00 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 47 42 00 00 45 8b ac 24 80 00
RSP: 0018:ffffc900010dfb48 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000010 RSI: ffffffff81e2c2cd RDI: 0000000000000080
RBP: ffff888016a5179c R08: 0000000000000000 R09: ffffffff81e29ff8
R10: ffffffff81e2c2bf R11: 000000000000000d R12: 0000000000000000
R13: 1ffff11002d4a2f9 R14: 0000000000000003 R15: ffff888016a51780
FS:  0000000000675300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f544adff000 CR3: 0000000026e49000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	48 c1 ea 03          	shr    $0x3,%rdx
   4:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   8:	0f 85 66 42 00 00    	jne    0x4274
   e:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  15:	fc ff df
  18:	4d 8b 27             	mov    (%r15),%r12
  1b:	49 8d bc 24 80 00 00 	lea    0x80(%r12),%rdi
  22:	00
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax <-- trapping instruction
  2e:	84 c0                	test   %al,%al
  30:	74 08                	je     0x3a
  32:	3c 03                	cmp    $0x3,%al
  34:	0f 8e 47 42 00 00    	jle    0x4281
  3a:	45                   	rex.RB
  3b:	8b                   	.byte 0x8b
  3c:	ac                   	lods   %ds:(%rsi),%al
  3d:	24 80                	and    $0x80,%al

Crashes (502):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2021/09/01 08:56 upstream 9c849ce86e0f 7eb7e152 .config console log report syz C ci-upstream-kasan-gce general protection fault in io_issue_sqe
2022/05/12 20:59 linux-next 187b9ac8c348 9ad6612a .config strace log report syz C ci-upstream-linux-next-kasan-gce-root general protection fault in io_issue_sqe
2022/06/16 06:30 upstream 979086f5e006 1719ee24 .config strace log report syz C ci-upstream-kasan-gce-smack-root KASAN: null-ptr-deref Write in io_issue_sqe
2022/05/16 18:03 https://github.com/google/kmsan.git master d6e2c8c7eb40 744a39e2 .config strace log report syz C ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2021/09/05 07:44 upstream 49624efa65ac d236a457 .config console log report info ci-upstream-kasan-gce general protection fault in io_issue_sqe
2021/09/01 08:20 upstream 9c849ce86e0f 7eb7e152 .config console log report info ci-upstream-kasan-gce general protection fault in io_issue_sqe
2021/09/03 11:46 upstream a9c9a6f741cd f62a5829 .config console log report info ci-upstream-kasan-gce-386 general protection fault in io_issue_sqe
2022/05/17 20:39 linux-next 3f7bdc402fb0 744a39e2 .config console log report info ci-upstream-linux-next-kasan-gce-root general protection fault in io_issue_sqe
2022/05/16 00:18 linux-next 1e1b28b936ae 744a39e2 .config console log report info ci-upstream-linux-next-kasan-gce-root general protection fault in io_issue_sqe
2022/06/23 05:09 upstream 3abc3ae553c7 912f5df7 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: null-ptr-deref Write in io_issue_sqe
2022/06/21 15:27 upstream 78ca55889a54 0fc5c330 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: null-ptr-deref Write in io_issue_sqe
2021/09/03 02:47 upstream 4ac6d90867a4 15cea0a3 .config console log report info ci-upstream-kasan-gce-386 BUG: corrupted list in io_issue_sqe
2022/08/25 22:43 https://github.com/google/kmsan.git master d891e35583bf 9b5bf4cd .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/25 21:15 https://github.com/google/kmsan.git master d891e35583bf 9b5bf4cd .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/25 14:42 https://github.com/google/kmsan.git master d891e35583bf e5fb9cf5 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/25 12:47 https://github.com/google/kmsan.git master d891e35583bf 514514f6 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/25 00:12 https://github.com/google/kmsan.git master 1b070a5d1a2c 514514f6 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/24 22:44 https://github.com/google/kmsan.git master 1b070a5d1a2c 514514f6 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/24 00:26 https://github.com/google/kmsan.git master 1b070a5d1a2c cea8b0f7 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/23 22:57 https://github.com/google/kmsan.git master 1b070a5d1a2c cea8b0f7 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/23 19:34 https://github.com/google/kmsan.git master 1b070a5d1a2c cea8b0f7 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/23 07:26 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/23 00:23 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/22 21:24 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/22 18:16 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/22 14:14 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/22 10:08 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/22 08:08 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/22 06:01 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/21 23:24 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/21 18:44 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/21 16:48 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/21 10:58 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/20 23:25 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/20 20:00 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/20 13:58 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/20 07:33 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/19 22:53 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/19 17:31 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/19 15:59 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/19 12:59 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/18 23:46 https://github.com/google/kmsan.git master 1b070a5d1a2c 26a13b38 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/18 17:55 https://github.com/google/kmsan.git master 1b070a5d1a2c d58e263f .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/18 13:50 https://github.com/google/kmsan.git master 1b070a5d1a2c d58e263f .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/18 08:27 https://github.com/google/kmsan.git master 1b070a5d1a2c d58e263f .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/18 01:51 https://github.com/google/kmsan.git master 1b070a5d1a2c d58e263f .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/18 00:27 https://github.com/google/kmsan.git master 1b070a5d1a2c d58e263f .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/17 07:53 https://github.com/google/kmsan.git master 1b070a5d1a2c 4e72d229 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/17 02:37 https://github.com/google/kmsan.git master 1b070a5d1a2c 4e72d229 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/16 22:19 https://github.com/google/kmsan.git master 1b070a5d1a2c 7a7cb304 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/16 19:44 https://github.com/google/kmsan.git master 1b070a5d1a2c 7a7cb304 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/15 23:53 https://github.com/google/kmsan.git master 1b070a5d1a2c 8dfcaa3d .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/15 15:38 https://github.com/google/kmsan.git master 1b070a5d1a2c 8dfcaa3d .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/15 12:54 https://github.com/google/kmsan.git master 1b070a5d1a2c 8dfcaa3d .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in io_issue_sqe
2022/08/17 09:10 https://github.com/google/kmsan.git master 1b070a5d1a2c 4e72d229 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in io_issue_sqe
2022/08/17 05:32 https://github.com/google/kmsan.git master 1b070a5d1a2c 4e72d229 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in io_issue_sqe
* Struck through repros no longer work on HEAD.