syzbot

KASAN: null-ptr-deref Write in io_file_get_normal

Status: upstream: reported C repro on 2022/03/31 16:52
Reported-by: syzbot+c4b9303500a21750b250@syzkaller.appspotmail.com
Fix commit: d5361233e9ab io_uring: drop the old style inflight file tracking
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-riscv64]
First crash: 90d, last: 5d02h

Cause bisection: introduced by (bisect log):
commit c686f7a5cbe2eff3c9b41f225fb7cf9e163cde5c
Author: Jens Axboe <axboe@kernel.dk>
Date: Tue Mar 29 16:59:20 2022 +0000

  io_uring: defer splice/tee file validity check until command issue

Crash: KASAN: null-ptr-deref Write in io_file_get_normal (log)
Repro: C syz .config
Patch testing requests:
  Created:  2022/03/31 18:51
  Duration: 11m
  User:     axboe@kernel.dk
  Repo:     git://git.kernel.dk/linux-block for-next
  Result:   OK

Sample crash report:
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc include/linux/atomic/atomic-instrumented.h:190 [inline]
BUG: KASAN: null-ptr-deref in io_req_track_inflight fs/io_uring.c:1978 [inline]
BUG: KASAN: null-ptr-deref in io_file_get_normal+0x351/0x3b0 fs/io_uring.c:8595
Write of size 4 at addr 0000000000000118 by task iou-wrk-3625/3626

CPU: 1 PID: 3626 Comm: iou-wrk-3625 Not tainted 5.19.0-rc3-syzkaller-00027-g78ca55889a54 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_report mm/kasan/report.c:432 [inline]
 kasan_report.cold+0x61/0x1c6 mm/kasan/report.c:491
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_inc include/linux/atomic/atomic-instrumented.h:190 [inline]
 io_req_track_inflight fs/io_uring.c:1978 [inline]
 io_file_get_normal+0x351/0x3b0 fs/io_uring.c:8595
 io_tee fs/io_uring.c:5142 [inline]
 io_issue_sqe+0x1a1a/0x91f0 fs/io_uring.c:8408
 io_wq_submit_work+0x287/0x740 fs/io_uring.c:8514
 io_worker_handle_work+0xb1c/0x1ab0 fs/io-wq.c:597
 io_wqe_worker+0x637/0xdb0 fs/io-wq.c:644
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
 </TASK>
==================================================================
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 3626 Comm: iou-wrk-3625 Not tainted 5.19.0-rc3-syzkaller-00027-g78ca55889a54 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 panic+0x2d7/0x64a kernel/panic.c:274
 end_report.part.0+0x3f/0x7c mm/kasan/report.c:168
 end_report include/trace/events/error_report.h:69 [inline]
 kasan_report.cold+0x93/0x1c6 mm/kasan/report.c:493
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_inc include/linux/atomic/atomic-instrumented.h:190 [inline]
 io_req_track_inflight fs/io_uring.c:1978 [inline]
 io_file_get_normal+0x351/0x3b0 fs/io_uring.c:8595
 io_tee fs/io_uring.c:5142 [inline]
 io_issue_sqe+0x1a1a/0x91f0 fs/io_uring.c:8408
 io_wq_submit_work+0x287/0x740 fs/io_uring.c:8514
 io_worker_handle_work+0xb1c/0x1ab0 fs/io-wq.c:597
 io_wqe_worker+0x637/0xdb0 fs/io-wq.c:644
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
 </TASK>
Kernel Offset: disabled
Rebooting in 86400 seconds..

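The report above is read by hand in practice: skip the KASAN and dump_stack frames, find the first frame that is real kernel code, and interpret the tiny faulting address as a struct field offset off a NULL pointer. The script below is an added example and is not part of syzbot, syzkaller or the kernel; it parses a constructed copy of the sample report (the lines embedded in SAMPLE_REPORT are taken from the first report above, minus the hardware line and the repeated panic trace), strips the reporting machinery, and derives the same title syzbot gave this bug. The MACHINERY_PREFIXES list and the PAGE_SIZE threshold are this script's own assumptions, not anything the page states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the first KASAN report on this page, trimmed to the lines the
# parser needs (the hardware line and the repeated panic_on_warn trace are omitted).
SAMPLE_REPORT = """\
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc include/linux/atomic/atomic-instrumented.h:190 [inline]
BUG: KASAN: null-ptr-deref in io_req_track_inflight fs/io_uring.c:1978 [inline]
BUG: KASAN: null-ptr-deref in io_file_get_normal+0x351/0x3b0 fs/io_uring.c:8595
Write of size 4 at addr 0000000000000118 by task iou-wrk-3625/3626
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_report mm/kasan/report.c:432 [inline]
 kasan_report.cold+0x61/0x1c6 mm/kasan/report.c:491
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_inc include/linux/atomic/atomic-instrumented.h:190 [inline]
 io_req_track_inflight fs/io_uring.c:1978 [inline]
 io_file_get_normal+0x351/0x3b0 fs/io_uring.c:8595
 io_tee fs/io_uring.c:5142 [inline]
 io_issue_sqe+0x1a1a/0x91f0 fs/io_uring.c:8408
 io_wq_submit_work+0x287/0x740 fs/io_uring.c:8514
 io_worker_handle_work+0xb1c/0x1ab0 fs/io-wq.c:597
 io_wqe_worker+0x637/0xdb0 fs/io-wq.c:644
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
 </TASK>
"""

# Reporting machinery plus the atomic/instrumentation wrappers, skipped when locating the
# culprit. Assumption of this script: these path prefixes suffice for reports of this shape.
MACHINERY_PREFIXES = ("lib/dump_stack.c", "mm/kasan/", "include/linux/instrumented.h", "include/linux/atomic/")
PAGE_SIZE = 4096  # assumed: an access below one page is a NULL pointer plus a struct field offset

SYM = r"(?P<sym>\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"  # symbol; the +off/len suffix is dropped
BUG_RE = re.compile(r"^BUG: KASAN: (?P<type>[\w-]+) in " + SYM + r" (?P<loc>\S+:\d+)(?: \[inline\])?$")
ACCESS_RE = re.compile(r"^(?P<access>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) "
                       r"by task (?P<task>\S+)/(?P<pid>\d+)$")
FRAME_RE = re.compile("^" + SYM + r" (?P<loc>\S+:\d+)(?P<inline> \[inline\])?$")

@dataclass
class Frame:
    func: str
    location: str  # file:line as printed; the struct behind a NULL offset is found by reading it
    inline: bool

@dataclass
class KasanReport:
    bug_type: str
    access: str
    size: int
    addr: int
    task: str
    pid: int
    frames: List[Frame]

    def culprit_index(self) -> int:
        # First frame that is kernel code under test rather than KASAN/dump machinery.
        for i, f in enumerate(self.frames):
            if not f.location.startswith(MACHINERY_PREFIXES):
                return i
        raise ValueError("call trace has no non-machinery frame")

    def report_site(self) -> Frame:
        # First non-inlined frame from the culprit on: the function syzbot titles the bug with.
        frames = self.frames[self.culprit_index():]
        return next((f for f in frames if not f.inline), frames[0])

    def null_field_offset(self) -> Optional[int]:
        return self.addr if self.addr < PAGE_SIZE else None

def parse_kasan_report(text: str) -> KasanReport:
    bug_type = access = None
    frames: List[Frame] = []
    in_trace = False
    for raw in text.splitlines():
        line = raw.strip()
        if bug_type is None and (m := BUG_RE.match(line)):
            bug_type = m["type"]
        elif m := ACCESS_RE.match(line):
            access = m
        elif line == "<TASK>":
            in_trace = True
        elif line == "</TASK>":
            break  # first trace only; a panic_on_warn trace after it repeats the same frames
        elif in_trace and (m := FRAME_RE.match(line)):
            frames.append(Frame(m["sym"], m["loc"], m["inline"] is not None))
    if bug_type is None or access is None:
        raise ValueError("not a KASAN report")
    return KasanReport(bug_type, access["access"], int(access["size"]), int(access["addr"], 16),
                       access["task"], int(access["pid"]), frames)

def triage(report: KasanReport) -> Dict[str, object]:
    # First-pass summary: syzbot-style title, the faulting kernel frame, and the call path into it.
    culprit = report.frames[report.culprit_index()]
    return {
        "title": f"KASAN: {report.bug_type} {report.access} in {report.report_site().func}",
        "culprit": f"{culprit.func} ({culprit.location})",
        "null_offset": report.null_field_offset(),
        "caller_chain": [f.func for f in report.frames[report.culprit_index() + 1:]],
    }
```

Running `triage(parse_kasan_report(SAMPLE_REPORT))` yields the title "KASAN: null-ptr-deref Write in io_file_get_normal", the culprit `io_req_track_inflight (fs/io_uring.c:1978)`, a null_offset of 0x118 and the chain io_file_get_normal, io_tee, io_issue_sqe, io_wq_submit_work, io_worker_handle_work, io_wqe_worker, ret_from_fork. The offset says the pointer that atomic_inc dereferenced inside io_req_track_inflight was NULL and the counter it incremented sits 0x118 bytes into that struct; the report itself does not name the struct, which is why the parser keeps file:line for every frame. Read together with the cause bisection (a commit that deferred the splice/tee file validity check until issue time) and the io_tee frame in the chain, that is the information a triager needs before opening fs/io_uring.c.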
Crashes (107):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-selinux-root 2022/06/21 13:24 upstream 78ca55889a54 0fc5c330 .config log report syz C KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-root 2022/06/16 01:43 upstream 979086f5e006 1719ee24 .config log report syz C KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-selinux-root 2022/06/14 09:36 upstream b13baccc3850 0f087040 .config log report syz C KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-linux-next-kasan-gce-root 2022/06/12 02:31 linux-next 6d0c80680317 0d5abf15 .config log report syz C KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-linux-next-kasan-gce-root 2022/03/31 11:01 linux-next fdcbcd1348f4 9d49f3a7 .config log report syz C KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-linux-next-kasan-gce-root 2022/03/31 08:42 linux-next fdcbcd1348f4 9d49f3a7 .config log report syz C KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/24 04:07 upstream de5c208d533a 912f5df7 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/23 18:10 upstream de5c208d533a 912f5df7 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/23 16:58 upstream de5c208d533a 912f5df7 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/23 11:46 upstream 3abc3ae553c7 912f5df7 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/22 08:48 upstream ca1fdab7fd27 0fc5c330 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/21 19:34 upstream 78ca55889a54 0fc5c330 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/21 18:18 upstream 78ca55889a54 0fc5c330 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-selinux-root 2022/06/21 15:14 upstream 78ca55889a54 0fc5c330 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/21 05:59 upstream 78ca55889a54 0fc5c330 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-selinux-root 2022/06/21 00:09 upstream 78ca55889a54 8d15e28d .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/19 23:19 upstream 05c6ca8512f2 8f633d84 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-selinux-root 2022/06/19 12:13 upstream 354c6e071be9 8f633d84 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-root 2022/06/19 01:51 upstream 4b35035bcf80 8f633d84 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-selinux-root 2022/06/18 21:23 upstream 4b35035bcf80 8f633d84 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-selinux-root 2022/06/18 18:03 upstream 4b35035bcf80 8f633d84 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/18 11:53 upstream 4b35035bcf80 8f633d84 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-root 2022/06/18 00:06 upstream f0ec9c65a8d6 cb58b3b2 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-root 2022/06/17 21:30 upstream f0ec9c65a8d6 cb58b3b2 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/16 13:45 upstream 30306f6194ca 1719ee24 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-selinux-root 2022/06/15 13:31 upstream 018ab4fabddd 127d1faf .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/15 12:17 upstream 018ab4fabddd 127d1faf .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-root 2022/06/15 04:48 upstream 018ab4fabddd 127d1faf .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-root 2022/06/14 06:47 upstream b13baccc3850 0f087040 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-selinux-root 2022/06/13 19:50 upstream b13baccc3850 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/13 08:28 upstream 997952851843 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-selinux-root 2022/06/12 21:13 upstream 7a68065eb9cd 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/12 14:01 upstream 7a68065eb9cd 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-root 2022/06/12 13:20 upstream 1c27f1fc1549 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/11 22:39 upstream fe43c0188911 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-root 2022/06/11 11:21 upstream 0885eacdc81f 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/11 08:15 upstream fe43c0188911 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/11 05:04 upstream fe43c0188911 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-root 2022/06/10 09:30 upstream 95fc76c81b92 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/10 01:00 upstream 6bfb56e93bce 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/09 12:16 upstream 6bfb56e93bce 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/09 09:59 upstream 6bfb56e93bce 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-root 2022/06/09 09:58 upstream 6bfb56e93bce 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce 2022/06/09 09:58 upstream 6bfb56e93bce 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-selinux-root 2022/06/09 09:36 upstream 6bfb56e93bce 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-qemu-upstream 2022/06/09 06:41 upstream 34f4335c16a5 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-qemu-upstream-386 2022/06/20 10:08 upstream a111daf0c53a 8f633d84 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-qemu-upstream-386 2022/06/16 21:15 upstream 48a23ec6ff2b 1719ee24 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-qemu-upstream-386 2022/06/15 15:38 upstream 018ab4fabddd 1719ee24 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-386 2022/06/11 03:03 upstream 0885eacdc81f 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-kasan-gce-386 2022/06/09 19:03 upstream 6bfb56e93bce 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-linux-next-kasan-gce-root 2022/06/22 10:18 linux-next 34d1d36073ea 0fc5c330 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-linux-next-kasan-gce-root 2022/06/16 07:22 linux-next 6012273897fe 1719ee24 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-linux-next-kasan-gce-root 2022/06/13 22:42 linux-next 6d0c80680317 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-linux-next-kasan-gce-root 2022/06/13 10:39 linux-next 6d0c80680317 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-linux-next-kasan-gce-root 2022/06/12 07:12 linux-next 6d0c80680317 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-linux-next-kasan-gce-root 2022/06/11 20:50 linux-next 6d0c80680317 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-linux-next-kasan-gce-root 2022/06/10 23:02 linux-next 6d0c80680317 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-linux-next-kasan-gce-root 2022/06/09 21:54 linux-next ff539ac73ea5 0d5abf15 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal
ci-upstream-linux-next-kasan-gce-root 2022/03/31 04:49 linux-next fdcbcd1348f4 9d49f3a7 .config log report info KASAN: null-ptr-deref Write in io_file_get_normal