general protection fault in io_disable_sqo_submit


syzbot

Jan 13, 2021, 5:37:16 AM
to asml.s...@gmail.com, ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,

syzbot found the following issue on:

HEAD commit: 7c53f6b6 Linux 5.11-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1606a757500000
kernel config: https://syzkaller.appspot.com/x/.config?x=c60c9ff9cc916cbc
dashboard link: https://syzkaller.appspot.com/bug?extid=ab412638aeb652ded540
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13adb0d0d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1527be48d00000

The issue was bisected to:

commit d9d05217cb6990b9a56e13b56e7a1b71e2551f6c
Author: Pavel Begunkov <asml.s...@gmail.com>
Date: Fri Jan 8 20:57:25 2021 +0000

io_uring: stop SQPOLL submit on creator's death

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17b3b248d00000
final oops: https://syzkaller.appspot.com/x/report.txt?x=1473b248d00000
console output: https://syzkaller.appspot.com/x/log.txt?x=1073b248d00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ab4126...@syzkaller.appspotmail.com
Fixes: d9d05217cb69 ("io_uring: stop SQPOLL submit on creator's death")

RDX: 0000000000000001 RSI: 0000000020000300 RDI: 00000000000000ff
RBP: 0000000000011fc2 R08: 0000000000000001 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004021d0
R13: 0000000000402260 R14: 0000000000000000 R15: 0000000000000000
general protection fault, probably for non-canonical address 0xdffffc0000000022: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000110-0x0000000000000117]
CPU: 1 PID: 8473 Comm: syz-executor814 Not tainted 5.11.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:io_ring_set_wakeup_flag fs/io_uring.c:6929 [inline]
RIP: 0010:io_disable_sqo_submit+0xdb/0x130 fs/io_uring.c:8891
Code: fa 48 c1 ea 03 80 3c 02 00 75 62 48 8b 9b c0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 14 01 00 00 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1d 83
RSP: 0018:ffffc9000154fd78 EFLAGS: 00010007
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff815976e0
RDX: 0000000000000022 RSI: 0000000000000004 RDI: 0000000000000114
RBP: ffff8880149ee480 R08: 0000000000000001 R09: 0000000000000003
R10: fffff520002a9fa1 R11: 1ffffffff1d308df R12: fffffffffffffff4
R13: 0000000000000001 R14: ffff8880149ee054 R15: ffff8880149ee000
FS: 0000000000be4880(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000304 CR3: 0000000014b50000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
io_uring_create fs/io_uring.c:9711 [inline]
io_uring_setup+0x12b1/0x38e0 fs/io_uring.c:9739
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x441309
Code: e8 5c ae 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffea5e64578 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441309
RDX: 0000000000000001 RSI: 0000000020000300 RDI: 00000000000000ff
RBP: 0000000000011fc2 R08: 0000000000000001 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004021d0
R13: 0000000000402260 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 0941172fec2041bb ]---
RIP: 0010:io_ring_set_wakeup_flag fs/io_uring.c:6929 [inline]
RIP: 0010:io_disable_sqo_submit+0xdb/0x130 fs/io_uring.c:8891
Code: fa 48 c1 ea 03 80 3c 02 00 75 62 48 8b 9b c0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 14 01 00 00 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1d 83
RSP: 0018:ffffc9000154fd78 EFLAGS: 00010007
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff815976e0
RDX: 0000000000000022 RSI: 0000000000000004 RDI: 0000000000000114
RBP: ffff8880149ee480 R08: 0000000000000001 R09: 0000000000000003
R10: fffff520002a9fa1 R11: 1ffffffff1d308df R12: fffffffffffffff4
R13: 0000000000000001 R14: ffff8880149ee054 R15: ffff8880149ee000
FS: 0000000000be4880(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000304 CR3: 0000000014b50000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
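The two headline lines of the oops above say the same thing in two notations: "general protection fault, probably for non-canonical address 0xdffffc0000000022" is the KASAN shadow byte the instrumentation tried to read, and "KASAN: null-ptr-deref in range [0x110-0x117]" is the 8-byte granule that shadow byte covers (RDI in the register dump is 0x114, the struct field actually being accessed, and the pointer it was computed from, RBX, is 0). The following decoder is an added example for triaging such reports; it is not code from syzbot, the kernel or this thread. It assumes the x86-64 KASAN defaults (shadow offset 0xdffffc0000000000, eight bytes per shadow byte) and 48-bit canonical addresses; the sample line fed to it is copied from the report above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example: map the "non-canonical address" of an x86-64 KASAN oops
 * back to the address the kernel actually touched. The constants are the
 * x86-64 KASAN defaults (assumption: CONFIG_KASAN_SHADOW_OFFSET and the
 * 8-bytes-per-shadow-byte scale); nothing here comes from fs/io_uring.c.
 */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define USER_ADDR_LIMIT          0x0000800000000000ULL  /* 48-bit user half */

/* A 48-bit virtual address is canonical when bits 63..47 are all equal. */
bool is_canonical_48(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/*
 * KASAN maps addr -> (addr >> 3) + KASAN_SHADOW_OFFSET. The shadow bytes
 * for user-range pointers (NULL included) land in the non-canonical hole,
 * which is why a NULL-plus-offset access under KASAN surfaces as a general
 * protection fault rather than a page fault.
 */
bool is_user_shadow_addr(uint64_t addr)
{
    return addr >= KASAN_SHADOW_OFFSET &&
           addr < KASAN_SHADOW_OFFSET + (USER_ADDR_LIMIT >> KASAN_SHADOW_SCALE_SHIFT);
}

/* First byte of the 8-byte granule covered by a shadow byte. */
uint64_t shadow_to_addr(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* Last byte of that granule; together they form the "[start-end]" KASAN prints. */
uint64_t shadow_to_addr_end(uint64_t shadow)
{
    return shadow_to_addr(shadow) + KASAN_GRANULE_SIZE - 1;
}

/* KASAN classifies accesses inside the first page as null-ptr-deref. */
bool is_null_ptr_deref(uint64_t addr)
{
    return addr < 4096;
}

/* Pull the faulting address out of the GPF line; 0 if the line is not one. */
uint64_t parse_gpf_address(const char *line)
{
    unsigned long long addr = 0;
    if (sscanf(line, "general protection fault, probably for non-canonical address 0x%llx",
               &addr) != 1)
        return 0;
    return (uint64_t)addr;
}

int main(void)
{
    /* Constructed input: the GPF line from the syzbot report in this thread. */
    const char *line = "general protection fault, probably for non-canonical address "
                       "0xdffffc0000000022: 0000 [#1] PREEMPT SMP KASAN";
    uint64_t shadow = parse_gpf_address(line);

    if (!shadow || !is_user_shadow_addr(shadow)) {
        puts("not a KASAN shadow address for a user-range pointer");
        return 1;
    }
    uint64_t start = shadow_to_addr(shadow);
    uint64_t end = shadow_to_addr_end(shadow);

    printf("address canonical: %s\n", is_canonical_48(shadow) ? "yes" : "no");
    printf("shadow 0x%llx covers [0x%016llx-0x%016llx]%s\n",
           (unsigned long long)shadow, (unsigned long long)start,
           (unsigned long long)end,
           is_null_ptr_deref(start) ? " (NULL + struct offset)" : "");
    return 0;
}
```

For the report above this yields [0x110-0x117], i.e. a NULL base plus a field offset; the offset then tells you which field of which struct was dereferenced, which is usually faster than reading the Code: bytes.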

Hillf Danton

Jan 14, 2021, 2:40:29 AM
to syzbot, asml.s...@gmail.com, ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Wed, 13 Jan 2021 02:37:15 -0800
Fix d9d05217cb69 ("io_uring: stop SQPOLL submit on creator's death")
by setting ctx->sqo_dead as part of cleanup in case of failing to
create io uring context, to quiesce the warning added in the commit.


--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -9700,15 +9700,14 @@ static int io_uring_create(unsigned entr
*/
ret = io_uring_install_fd(ctx, file);
if (ret < 0) {
- /* fput will clean it up */
fput(file);
- return ret;
+ ctx->sqo_dead = 1;
}

trace_io_uring_create(ret, ctx, p->sq_entries, p->cq_entries, p->flags);
return ret;
err:
- io_disable_sqo_submit(ctx);
+ ctx->sqo_dead = 1;
io_ring_ctx_wait_and_kill(ctx);
return ret;
}
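Review bot: in the io_uring_install_fd failure branch the new `ctx->sqo_dead = 1;` is executed after `fput(file);`, and the comment this hunk deletes ("/* fput will clean it up */") says that fput is what tears the context down, so the store can land on a context that is already being destroyed; move the flag store before `fput(file)` and keep the early `return ret;` instead of falling through to `trace_io_uring_create(ret, ctx, ...)` with the same context. In the `err:` path, replacing `io_disable_sqo_submit(ctx)` with a bare flag store does sidestep the oops (the call trace shows io_ring_set_wakeup_flag inlined into io_disable_sqo_submit, faulting at offset 0x114 from a NULL pointer in RBX, consistent with the rings not having been allocated yet when setup fails early), but it also drops that wakeup for every failure that reaches `err`, including ones after the rings and SQPOLL side exist. Either guard the call on the rings pointer being set, or state in the commit message why skipping it is safe in all cases.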

Pavel Begunkov

Jan 14, 2021, 4:10:43 PM
to Hillf Danton, syzbot, ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Thanks, but it was fixed the day before

--
Pavel Begunkov

Hillf Danton

Jan 15, 2021, 4:33:43 AM
to Pavel Begunkov, Hillf Danton, syzbot, ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Pavel,
It helps much if you can add a link to the fix next time.

Apart from that, I do not think it is a complete fix yet - it only
fixes what Reported-by: syzbot+9c9c35...@syzkaller.appspotmail.com
though correct, but the one-line fix is unable to cover this report,
as per the Call Trace in both reports.

Feel free to double check if what you trimmed fixes both reports.

Hillf

Pavel Begunkov

Jan 15, 2021, 7:49:06 AM
to Hillf Danton, syzbot, ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On 15/01/2021 09:33, Hillf Danton wrote:
>> Thanks, but it was fixed the day before
>>
> It helps much if you can add a link to the fix next time.

https://git.kernel.dk/cgit/linux-block/commit/?h=io_uring-5.11&id=b4411616c26f26c4017b8fa4d3538b1a02028733
https://git.kernel.dk/cgit/linux-block/commit/?h=io_uring-5.11&id=06585c497b55045ec21aa8128e340f6a6587351c

sure, for this report and the other report

>
> Apart from that, I do not think it is a complete fix yet - it only
> fixes what Reported-by: syzbot+9c9c35...@syzkaller.appspotmail.com
> though correct, but the one-line fix is unable to cover this report,
> as per the Call Trace in both reports.
>
> Feel free to double check if what you trimmed fixes both reports.

I believe they do (when considered together).

--
Pavel Begunkov