general protection fault in io_issue

general protection fault in io_issue_sqe
Status: upstream: reported C repro on 2021/09/02 17:34
Reported-by: syzbot+de67aa0cf1053e405871@syzkaller.appspotmail.com
First crash: 44d, last: 10d

Cause bisection: introduced by (bisect log) :
commit a8295b982c46d4a7c259a4cdd58a2681929068a9
Author: Hao Xu <haoxu@linux.alibaba.com>
Date: Fri Aug 27 09:46:09 2021 +0000

io_uring: fix failed linkchain code logic

Crash: general protection fault in io_issue_sqe (log)
Repro: C syz .config

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2021/09/02 18:47	16m	axboe@kernel.dk		git://git.kernel.dk/linux-block for-5.15/io_uring	OK
2021/09/02 17:36	10m	axboe@kernel.dk		git://git.kernel.dk/linux-block for-5.15/io_uring	report log

Sample crash report:

general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087]
CPU: 1 PID: 8426 Comm: syz-executor497 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:io_accept fs/io_uring.c:5041 [inline]
RIP: 0010:io_issue_sqe+0x2522/0x6ba0 fs/io_uring.c:6596
Code: 48 c1 ea 03 80 3c 02 00 0f 85 66 42 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 27 49 8d bc 24 80 00 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 47 42 00 00 45 8b ac 24 80 00
RSP: 0018:ffffc900010dfb48 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000010 RSI: ffffffff81e2c2cd RDI: 0000000000000080
RBP: ffff888016a5179c R08: 0000000000000000 R09: ffffffff81e29ff8
R10: ffffffff81e2c2bf R11: 000000000000000d R12: 0000000000000000
R13: 1ffff11002d4a2f9 R14: 0000000000000003 R15: ffff888016a51780
FS:  0000000000675300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f74bb07a6c0 CR3: 0000000026e49000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __io_queue_sqe+0x90/0xb50 fs/io_uring.c:6864
 io_req_task_submit+0xbf/0x1b0 fs/io_uring.c:2218
 tctx_task_work+0x166/0x610 fs/io_uring.c:2143
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_signal include/linux/tracehook.h:212 [inline]
 handle_signal_work kernel/entry/common.c:146 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x256/0x290 kernel/entry/common.c:209
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43f069
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc12dd2538 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: 0000000000000304 RBX: 0000000000000003 RCX: 000000000043f069
RDX: 0000000000000000 RSI: 0000000000000304 RDI: 0000000000000003
RBP: 0000000000403050 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004030e0
R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
Modules linked in:
---[ end trace 51fb6b52dc1cb8ce ]---
RIP: 0010:io_accept fs/io_uring.c:5041 [inline]
RIP: 0010:io_issue_sqe+0x2522/0x6ba0 fs/io_uring.c:6596
Code: 48 c1 ea 03 80 3c 02 00 0f 85 66 42 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 27 49 8d bc 24 80 00 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 47 42 00 00 45 8b ac 24 80 00
RSP: 0018:ffffc900010dfb48 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000010 RSI: ffffffff81e2c2cd RDI: 0000000000000080
RBP: ffff888016a5179c R08: 0000000000000000 R09: ffffffff81e29ff8
R10: ffffffff81e2c2bf R11: 000000000000000d R12: 0000000000000000
R13: 1ffff11002d4a2f9 R14: 0000000000000003 R15: ffff888016a51780
FS:  0000000000675300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f544adff000 CR3: 0000000026e49000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	48 c1 ea 03          	shr    $0x3,%rdx
   4:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   8:	0f 85 66 42 00 00    	jne    0x4274
   e:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  15:	fc ff df
  18:	4d 8b 27             	mov    (%r15),%r12
  1b:	49 8d bc 24 80 00 00 	lea    0x80(%r12),%rdi
  22:	00
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax <-- trapping instruction
  2e:	84 c0                	test   %al,%al
  30:	74 08                	je     0x3a
  32:	3c 03                	cmp    $0x3,%al
  34:	0f 8e 47 42 00 00    	jle    0x4281
  3a:	45                   	rex.RB
  3b:	8b                   	.byte 0x8b
  3c:	ac                   	lods   %ds:(%rsi),%al
  3d:	24 80                	and    $0x80,%al

Crashes (14):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce	2021/09/01 08:56	upstream	9c849ce86e0f	7eb7e152	.config	log	report	syz	C		general protection fault in io_issue_sqe
ci-upstream-kasan-gce-smack-root	2021/09/06 12:22	upstream	0319b848b155	d236a457	.config	log	report			info	general protection fault in io_issue_sqe
ci-upstream-kasan-gce	2021/09/05 07:44	upstream	49624efa65ac	d236a457	.config	log	report			info	general protection fault in io_issue_sqe
ci-upstream-kasan-gce-smack-root	2021/09/02 23:44	upstream	4ac6d90867a4	15cea0a3	.config	log	report			info	general protection fault in io_issue_sqe
ci-upstream-kasan-gce	2021/09/01 11:07	upstream	9c849ce86e0f	7eb7e152	.config	log	report			info	general protection fault in io_issue_sqe
ci-upstream-kasan-gce	2021/09/01 08:20	upstream	9c849ce86e0f	7eb7e152	.config	log	report			info	general protection fault in io_issue_sqe
ci-upstream-kasan-gce-386	2021/09/03 11:46	upstream	a9c9a6f741cd	f62a5829	.config	log	report			info	general protection fault in io_issue_sqe
ci-upstream-kasan-gce-386	2021/09/03 02:47	upstream	4ac6d90867a4	15cea0a3	.config	log	report			info	BUG: corrupted list in io_issue_sqe
ci-upstream-kmsan-gce	2021/10/05 02:26	https://github.com/google/kmsan.git master	90f502f5d016	ce697b49	.config	log	report			info	KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce	2021/09/27 16:54	https://github.com/google/kmsan.git master	cd2c05533838	78494d16	.config	log	report			info	KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce	2021/09/26 10:29	https://github.com/google/kmsan.git master	cd2c05533838	8cac236e	.config	log	report			info	KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce	2021/09/25 14:10	https://github.com/google/kmsan.git master	cd2c05533838	8cac236e	.config	log	report			info	KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce	2021/09/24 23:02	https://github.com/google/kmsan.git master	cd2c05533838	8cac236e	.config	log	report			info	KMSAN: uninit-value in io_issue_sqe
ci-upstream-kmsan-gce	2021/09/24 21:50	https://github.com/google/kmsan.git master	cd2c05533838	8cac236e	.config	log	report			info	KMSAN: uninit-value in io_issue_sqe