general protection fault in io_disable_sqo

general protection fault in io_disable_sqo_submit
Status: fixed on 2021/03/10 01:48
Reported-by: syzbot+ab412638aeb652ded540@syzkaller.appspotmail.com
Fix commit: b4411616c26f io_uring: fix null-deref in io_disable_sqo_submit
First crash: 327d, last: 321d

Cause bisection: introduced by (bisect log) :
commit d9d05217cb6990b9a56e13b56e7a1b71e2551f6c
Author: Pavel Begunkov <asml.silence@gmail.com>
Date: Fri Jan 8 20:57:25 2021 +0000

io_uring: stop SQPOLL submit on creator's death

Crash: BUG: unable to handle kernel NULL pointer dereference in io_disable_sqo_submit (log)
Repro: C syz .config

duplicates (1):
Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
general protection fault in io_uring_setup	C	done		19	322d	324d	0/22	closed as dup on 2021/01/15 04:44

Sample crash report:

RDX: 0000000000000001 RSI: 0000000020000300 RDI: 00000000000000ff
RBP: 0000000000011fc2 R08: 0000000000000001 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004021d0
R13: 0000000000402260 R14: 0000000000000000 R15: 0000000000000000
general protection fault, probably for non-canonical address 0xdffffc0000000022: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000110-0x0000000000000117]
CPU: 1 PID: 8473 Comm: syz-executor814 Not tainted 5.11.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:io_ring_set_wakeup_flag fs/io_uring.c:6929 [inline]
RIP: 0010:io_disable_sqo_submit+0xdb/0x130 fs/io_uring.c:8891
Code: fa 48 c1 ea 03 80 3c 02 00 75 62 48 8b 9b c0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 14 01 00 00 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1d 83
RSP: 0018:ffffc9000154fd78 EFLAGS: 00010007
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff815976e0
RDX: 0000000000000022 RSI: 0000000000000004 RDI: 0000000000000114
RBP: ffff8880149ee480 R08: 0000000000000001 R09: 0000000000000003
R10: fffff520002a9fa1 R11: 1ffffffff1d308df R12: fffffffffffffff4
R13: 0000000000000001 R14: ffff8880149ee054 R15: ffff8880149ee000
FS:  0000000000be4880(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000304 CR3: 0000000014b50000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 io_uring_create fs/io_uring.c:9711 [inline]
 io_uring_setup+0x12b1/0x38e0 fs/io_uring.c:9739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x441309
Code: e8 5c ae 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffea5e64578 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441309
RDX: 0000000000000001 RSI: 0000000020000300 RDI: 00000000000000ff
RBP: 0000000000011fc2 R08: 0000000000000001 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004021d0
R13: 0000000000402260 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 0941172fec2041bb ]---
RIP: 0010:io_ring_set_wakeup_flag fs/io_uring.c:6929 [inline]
RIP: 0010:io_disable_sqo_submit+0xdb/0x130 fs/io_uring.c:8891
Code: fa 48 c1 ea 03 80 3c 02 00 75 62 48 8b 9b c0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 14 01 00 00 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1d 83
RSP: 0018:ffffc9000154fd78 EFLAGS: 00010007
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff815976e0
RDX: 0000000000000022 RSI: 0000000000000004 RDI: 0000000000000114
RBP: ffff8880149ee480 R08: 0000000000000001 R09: 0000000000000003
R10: fffff520002a9fa1 R11: 1ffffffff1d308df R12: fffffffffffffff4
R13: 0000000000000001 R14: ffff8880149ee054 R15: ffff8880149ee000
FS:  0000000000be4880(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000304 CR3: 0000000014b50000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (124):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info
ci-upstream-kasan-gce	2021/01/11 20:27	upstream	7c53f6b671f4	2c1f2513	.config	log	report	syz	C
ci-upstream-kasan-gce-selinux-root	2021/01/16 22:55	upstream	1d94330a437a	65a7a854	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/16 21:17	upstream	1d94330a437a	65a7a854	.config	log	report			info
ci-upstream-kasan-gce-selinux-root	2021/01/16 20:12	upstream	1d94330a437a	65a7a854	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/16 18:53	upstream	1d94330a437a	65a7a854	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/16 15:13	upstream	1d94330a437a	65a7a854	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/16 08:10	upstream	5ee88057889b	65a7a854	.config	log	report			info
ci-upstream-kasan-gce-selinux-root	2021/01/16 06:24	upstream	5ee88057889b	65a7a854	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/16 03:36	upstream	5ee88057889b	65a7a854	.config	log	report			info
ci-upstream-kasan-gce	2021/01/16 03:32	upstream	5ee88057889b	65a7a854	.config	log	report			info
ci-upstream-kasan-gce	2021/01/16 02:22	upstream	5ee88057889b	65a7a854	.config	log	report			info
ci-upstream-kasan-gce	2021/01/15 23:18	upstream	5ee88057889b	65a7a854	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/15 21:50	upstream	5ee88057889b	65a7a854	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/15 16:12	upstream	146620506274	65a7a854	.config	log	report			info
ci-upstream-kasan-gce-selinux-root	2021/01/15 14:32	upstream	146620506274	65a7a854	.config	log	report			info
ci-upstream-kasan-gce-selinux-root	2021/01/15 13:27	upstream	146620506274	65a7a854	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/15 11:29	upstream	146620506274	65a7a854	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/15 07:26	upstream	146620506274	65a7a854	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/14 23:29	upstream	65f0d2414b70	65a7a854	.config	log	report			info
ci-upstream-kasan-gce	2021/01/14 20:14	upstream	65f0d2414b70	65a7a854	.config	log	report			info
ci-upstream-kasan-gce-selinux-root	2021/01/14 14:59	upstream	65f0d2414b70	269d24e8	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/14 13:35	upstream	65f0d2414b70	269d24e8	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/14 12:26	upstream	65f0d2414b70	269d24e8	.config	log	report			info
ci-upstream-kasan-gce-selinux-root	2021/01/14 11:35	upstream	65f0d2414b70	269d24e8	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/14 09:39	upstream	65f0d2414b70	269d24e8	.config	log	report			info
ci-upstream-kasan-gce-selinux-root	2021/01/14 08:01	upstream	65f0d2414b70	269d24e8	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/14 05:13	upstream	65f0d2414b70	269d24e8	.config	log	report			info
ci-qemu-upstream	2021/01/14 00:27	upstream	65f0d2414b70	269d24e8	.config	log	report			info
ci-upstream-kasan-gce-selinux-root	2021/01/13 22:43	upstream	e609571b5ffa	a945f0a3	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/13 19:19	upstream	e609571b5ffa	a945f0a3	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/13 18:22	upstream	e609571b5ffa	a945f0a3	.config	log	report			info
ci-upstream-kasan-gce	2021/01/13 16:45	upstream	e609571b5ffa	a945f0a3	.config	log	report			info
ci-upstream-kasan-gce-selinux-root	2021/01/13 10:12	upstream	e609571b5ffa	0cdd6185	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/13 10:03	upstream	e609571b5ffa	0cdd6185	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/13 07:50	upstream	e609571b5ffa	0cdd6185	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/13 07:19	upstream	e609571b5ffa	0cdd6185	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/13 06:51	upstream	e609571b5ffa	0cdd6185	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/13 06:01	upstream	e609571b5ffa	0cdd6185	.config	log	report			info
ci-upstream-kasan-gce	2021/01/11 20:13	upstream	7c53f6b671f4	2c1f2513	.config	log	report			info
ci-qemu-upstream-386	2021/01/16 22:25	upstream	1d94330a437a	65a7a854	.config	log	report			info
ci-qemu-upstream-386	2021/01/16 01:12	upstream	82821be8a2e1	65a7a854	.config	log	report			info
ci-qemu-upstream-386	2021/01/15 10:51	upstream	146620506274	65a7a854	.config	log	report			info
ci-qemu-upstream-386	2021/01/13 21:37	upstream	65f0d2414b70	a945f0a3	.config	log	report			info
ci-qemu-upstream-386	2021/01/13 14:23	upstream	e609571b5ffa	a945f0a3	.config	log	report			info
ci-qemu-upstream-386	2021/01/13 08:36	upstream	e609571b5ffa	0cdd6185	.config	log	report			info
ci-qemu-upstream-386	2021/01/12 21:47	upstream	e609571b5ffa	0cdd6185	.config	log	report			info
ci-upstream-kasan-gce-386	2021/01/12 12:43	upstream	a0d54b4f5b21	2c1f2513	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2021/01/17 09:47	linux-next	b3a3cbdec55b	65a7a854	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2021/01/17 06:37	linux-next	b3a3cbdec55b	65a7a854	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2021/01/17 01:30	linux-next	b3a3cbdec55b	65a7a854	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2021/01/15 08:36	linux-next	9152a993930d	65a7a854	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2021/01/13 04:42	linux-next	df869cab4b35	0cdd6185	.config	log	report			info