syzbot


general protection fault in io_disable_sqo_submit

Status: fixed on 2021/03/10 01:48
Subsystems: fs io-uring
[Documentation on labels]
Reported-by: syzbot+ab412638aeb652ded540@syzkaller.appspotmail.com
Fix commit: b4411616c26f io_uring: fix null-deref in io_disable_sqo_submit
First crash: 1162d, last: 1156d
Cause bisection: introduced by (bisect log) :
commit d9d05217cb6990b9a56e13b56e7a1b71e2551f6c
Author: Pavel Begunkov <asml.silence@gmail.com>
Date: Fri Jan 8 20:57:25 2021 +0000

  io_uring: stop SQPOLL submit on creator's death

Crash: BUG: unable to handle kernel NULL pointer dereference in io_disable_sqo_submit (log)
Repro: C syz .config
  
Duplicate bugs (1)
duplicates (1):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
general protection fault in io_uring_setup fs io-uring C done 19 1157d 1159d 0/26 closed as dup on 2021/01/15 04:44
Discussions (4)
Title Replies (including bot) Last reply
Re: general protection fault in io_disable_sqo_submit 1 (1) 2021/01/15 12:45
Re: general protection fault in io_disable_sqo_submit 1 (1) 2021/01/14 21:07
[PATCH 0/2] syzbot reports on sqo_dead 4 (4) 2021/01/13 15:29
general protection fault in io_disable_sqo_submit 0 (1) 2021/01/13 10:37

Sample crash report:
RDX: 0000000000000001 RSI: 0000000020000300 RDI: 00000000000000ff
RBP: 0000000000011fc2 R08: 0000000000000001 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004021d0
R13: 0000000000402260 R14: 0000000000000000 R15: 0000000000000000
general protection fault, probably for non-canonical address 0xdffffc0000000022: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000110-0x0000000000000117]
CPU: 1 PID: 8473 Comm: syz-executor814 Not tainted 5.11.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:io_ring_set_wakeup_flag fs/io_uring.c:6929 [inline]
RIP: 0010:io_disable_sqo_submit+0xdb/0x130 fs/io_uring.c:8891
Code: fa 48 c1 ea 03 80 3c 02 00 75 62 48 8b 9b c0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 14 01 00 00 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1d 83
RSP: 0018:ffffc9000154fd78 EFLAGS: 00010007
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff815976e0
RDX: 0000000000000022 RSI: 0000000000000004 RDI: 0000000000000114
RBP: ffff8880149ee480 R08: 0000000000000001 R09: 0000000000000003
R10: fffff520002a9fa1 R11: 1ffffffff1d308df R12: fffffffffffffff4
R13: 0000000000000001 R14: ffff8880149ee054 R15: ffff8880149ee000
FS:  0000000000be4880(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000304 CR3: 0000000014b50000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 io_uring_create fs/io_uring.c:9711 [inline]
 io_uring_setup+0x12b1/0x38e0 fs/io_uring.c:9739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x441309
Code: e8 5c ae 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffea5e64578 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441309
RDX: 0000000000000001 RSI: 0000000020000300 RDI: 00000000000000ff
RBP: 0000000000011fc2 R08: 0000000000000001 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004021d0
R13: 0000000000402260 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 0941172fec2041bb ]---
RIP: 0010:io_ring_set_wakeup_flag fs/io_uring.c:6929 [inline]
RIP: 0010:io_disable_sqo_submit+0xdb/0x130 fs/io_uring.c:8891
Code: fa 48 c1 ea 03 80 3c 02 00 75 62 48 8b 9b c0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 14 01 00 00 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1d 83
RSP: 0018:ffffc9000154fd78 EFLAGS: 00010007
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff815976e0
RDX: 0000000000000022 RSI: 0000000000000004 RDI: 0000000000000114
RBP: ffff8880149ee480 R08: 0000000000000001 R09: 0000000000000003
R10: fffff520002a9fa1 R11: 1ffffffff1d308df R12: fffffffffffffff4
R13: 0000000000000001 R14: ffff8880149ee054 R15: ffff8880149ee000
FS:  0000000000be4880(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000304 CR3: 0000000014b50000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (124):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/01/11 20:27 upstream 7c53f6b671f4 2c1f2513 .config console log report syz C ci-upstream-kasan-gce
2021/01/16 22:55 upstream 1d94330a437a 65a7a854 .config console log report info ci-upstream-kasan-gce-selinux-root
2021/01/16 21:17 upstream 1d94330a437a 65a7a854 .config console log report info ci-upstream-kasan-gce-root
2021/01/16 20:12 upstream 1d94330a437a 65a7a854 .config console log report info ci-upstream-kasan-gce-selinux-root
2021/01/16 18:53 upstream 1d94330a437a 65a7a854 .config console log report info ci-upstream-kasan-gce-root
2021/01/16 15:13 upstream 1d94330a437a 65a7a854 .config console log report info ci-upstream-kasan-gce-root
2021/01/16 08:10 upstream 5ee88057889b 65a7a854 .config console log report info ci-upstream-kasan-gce-root
2021/01/16 06:24 upstream 5ee88057889b 65a7a854 .config console log report info ci-upstream-kasan-gce-selinux-root
2021/01/16 03:36 upstream 5ee88057889b 65a7a854 .config console log report info ci-upstream-kasan-gce-root
2021/01/16 03:32 upstream 5ee88057889b 65a7a854 .config console log report info ci-upstream-kasan-gce
2021/01/16 02:22 upstream 5ee88057889b 65a7a854 .config console log report info ci-upstream-kasan-gce
2021/01/15 23:18 upstream 5ee88057889b 65a7a854 .config console log report info ci-upstream-kasan-gce
2021/01/15 21:50 upstream 5ee88057889b 65a7a854 .config console log report info ci-upstream-kasan-gce-root
2021/01/15 16:12 upstream 146620506274 65a7a854 .config console log report info ci-upstream-kasan-gce-root
2021/01/15 14:32 upstream 146620506274 65a7a854 .config console log report info ci-upstream-kasan-gce-selinux-root
2021/01/15 13:27 upstream 146620506274 65a7a854 .config console log report info ci-upstream-kasan-gce-selinux-root
2021/01/15 11:29 upstream 146620506274 65a7a854 .config console log report info ci-upstream-kasan-gce-root
2021/01/15 07:26 upstream 146620506274 65a7a854 .config console log report info ci-upstream-kasan-gce-root
2021/01/14 23:29 upstream 65f0d2414b70 65a7a854 .config console log report info ci-upstream-kasan-gce-root
2021/01/14 20:14 upstream 65f0d2414b70 65a7a854 .config console log report info ci-upstream-kasan-gce
2021/01/14 14:59 upstream 65f0d2414b70 269d24e8 .config console log report info ci-upstream-kasan-gce-selinux-root
2021/01/14 13:35 upstream 65f0d2414b70 269d24e8 .config console log report info ci-upstream-kasan-gce-root
2021/01/14 12:26 upstream 65f0d2414b70 269d24e8 .config console log report info ci-upstream-kasan-gce-root
2021/01/14 11:35 upstream 65f0d2414b70 269d24e8 .config console log report info ci-upstream-kasan-gce-selinux-root
2021/01/14 09:39 upstream 65f0d2414b70 269d24e8 .config console log report info ci-upstream-kasan-gce-root
2021/01/14 08:01 upstream 65f0d2414b70 269d24e8 .config console log report info ci-upstream-kasan-gce-selinux-root
2021/01/14 05:13 upstream 65f0d2414b70 269d24e8 .config console log report info ci-upstream-kasan-gce-root
2021/01/14 00:27 upstream 65f0d2414b70 269d24e8 .config console log report info ci-qemu-upstream
2021/01/13 22:43 upstream e609571b5ffa a945f0a3 .config console log report info ci-upstream-kasan-gce-selinux-root
2021/01/13 19:19 upstream e609571b5ffa a945f0a3 .config console log report info ci-upstream-kasan-gce-root
2021/01/13 18:22 upstream e609571b5ffa a945f0a3 .config console log report info ci-upstream-kasan-gce-root
2021/01/13 16:45 upstream e609571b5ffa a945f0a3 .config console log report info ci-upstream-kasan-gce
2021/01/13 10:12 upstream e609571b5ffa 0cdd6185 .config console log report info ci-upstream-kasan-gce-selinux-root
2021/01/13 10:03 upstream e609571b5ffa 0cdd6185 .config console log report info ci-upstream-kasan-gce-root
2021/01/13 07:50 upstream e609571b5ffa 0cdd6185 .config console log report info ci-upstream-kasan-gce-root
2021/01/13 07:19 upstream e609571b5ffa 0cdd6185 .config console log report info ci-upstream-kasan-gce-root
2021/01/13 06:51 upstream e609571b5ffa 0cdd6185 .config console log report info ci-upstream-kasan-gce-root
2021/01/13 06:01 upstream e609571b5ffa 0cdd6185 .config console log report info ci-upstream-kasan-gce-root
2021/01/11 20:13 upstream 7c53f6b671f4 2c1f2513 .config console log report info ci-upstream-kasan-gce
2021/01/16 22:25 upstream 1d94330a437a 65a7a854 .config console log report info ci-qemu-upstream-386
2021/01/16 01:12 upstream 82821be8a2e1 65a7a854 .config console log report info ci-qemu-upstream-386
2021/01/15 10:51 upstream 146620506274 65a7a854 .config console log report info ci-qemu-upstream-386
2021/01/13 21:37 upstream 65f0d2414b70 a945f0a3 .config console log report info ci-qemu-upstream-386
2021/01/13 14:23 upstream e609571b5ffa a945f0a3 .config console log report info ci-qemu-upstream-386
2021/01/13 08:36 upstream e609571b5ffa 0cdd6185 .config console log report info ci-qemu-upstream-386
2021/01/12 21:47 upstream e609571b5ffa 0cdd6185 .config console log report info ci-qemu-upstream-386
2021/01/12 12:43 upstream a0d54b4f5b21 2c1f2513 .config console log report info ci-upstream-kasan-gce-386
2021/01/17 09:47 linux-next b3a3cbdec55b 65a7a854 .config console log report info ci-upstream-linux-next-kasan-gce-root
2021/01/17 06:37 linux-next b3a3cbdec55b 65a7a854 .config console log report info ci-upstream-linux-next-kasan-gce-root
2021/01/17 01:30 linux-next b3a3cbdec55b 65a7a854 .config console log report info ci-upstream-linux-next-kasan-gce-root
2021/01/15 08:36 linux-next 9152a993930d 65a7a854 .config console log report info ci-upstream-linux-next-kasan-gce-root
2021/01/13 04:42 linux-next df869cab4b35 0cdd6185 .config console log report info ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.