[syzbot] [io-uring?] KMSAN: uninit-value in io_sendrecv_fail


syzbot

Mar 15, 2024, 6:28:16 PM
to asml.s...@gmail.com, ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 8ede842f669b Merge tag 'rust-6.9' of https://github.com/Ru..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=138f0ad6180000
kernel config: https://syzkaller.appspot.com/x/.config?x=a271c5dca0ff14df
dashboard link: https://syzkaller.appspot.com/bug?extid=f8e9a371388aa62ecab4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15b4a6fa180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14a59799180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/af1cd47b84ef/disk-8ede842f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/be9297712c37/vmlinux-8ede842f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c569fb33468d/bzImage-8ede842f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f8e9a3...@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in io_sendrecv_fail+0x91/0x1e0 io_uring/net.c:1334
io_sendrecv_fail+0x91/0x1e0 io_uring/net.c:1334
io_req_defer_failed+0x3bd/0x610 io_uring/io_uring.c:1050
io_queue_sqe_fallback+0x1e3/0x280 io_uring/io_uring.c:2126
io_submit_fail_init+0x4e1/0x790 io_uring/io_uring.c:2304
io_submit_sqes+0x19cd/0x2fb0 io_uring/io_uring.c:2480
__do_sys_io_uring_enter io_uring/io_uring.c:3656 [inline]
__se_sys_io_uring_enter+0x409/0x43e0 io_uring/io_uring.c:3591
__x64_sys_io_uring_enter+0x11b/0x1a0 io_uring/io_uring.c:3591
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
__alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4592
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2190 [inline]
allocate_slab mm/slub.c:2354 [inline]
new_slab+0x2d7/0x1400 mm/slub.c:2407
___slab_alloc+0x16b5/0x3970 mm/slub.c:3540
__kmem_cache_alloc_bulk mm/slub.c:4574 [inline]
kmem_cache_alloc_bulk+0x52a/0x1440 mm/slub.c:4648
__io_alloc_req_refill+0x248/0x780 io_uring/io_uring.c:1101
io_alloc_req io_uring/io_uring.h:405 [inline]
io_submit_sqes+0xaa1/0x2fb0 io_uring/io_uring.c:2469
__do_sys_io_uring_enter io_uring/io_uring.c:3656 [inline]
__se_sys_io_uring_enter+0x409/0x43e0 io_uring/io_uring.c:3591
__x64_sys_io_uring_enter+0x11b/0x1a0 io_uring/io_uring.c:3591
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 1 PID: 5021 Comm: syz-executor425 Not tainted 6.8.0-syzkaller-00648-g8ede842f669b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Jens Axboe

Mar 15, 2024, 6:38:38 PM
to syzbot, asml.s...@gmail.com, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
This is similar to the issue fixed by:

commit 0a535eddbe0dc1de4386046ab849f08aeb2f8faf
Author: Jens Axboe <ax...@kernel.dk>
Date: Thu Dec 21 08:49:18 2023 -0700

io_uring/rw: ensure io->bytes_done is always initialized

which I did fix separately for this case, just not in the 6.9 pile. I'll
move it over there to silence this one.

Only side effect of this is that cqe->res may not be -EINVAL, when it
should've been, for an ill-formed request that was issued with
IOSQE_ASYNC.

#syz test: git://git.kernel.dk/linux.git io_uring-6.0

--
Jens Axboe

Edward Adam Davis

Mar 15, 2024, 11:48:25 PM
to syzbot+f8e9a3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test uv in io_sendrecv_fail

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index cd9a137ad6ce..3db59fd6f676 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -1066,6 +1066,7 @@ static void io_preinit_req(struct io_kiocb *req, struct io_ring_ctx *ctx)
/* not necessary, but safer to zero */
memset(&req->cqe, 0, sizeof(req->cqe));
memset(&req->big_cqe, 0, sizeof(req->big_cqe));
+ memset(&req->cmd, 0, sizeof(req->cmd));
}

static void io_flush_cached_locked_reqs(struct io_ring_ctx *ctx,

syzbot

Mar 16, 2024, 3:41:04 AM
to asml.s...@gmail.com, ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 5.153433][ T1] general protection fault, probably for non-canonical address 0xffff000000000800: 0000 [#1] PREEMPT SMP
[ 5.157506][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.0.0-rc1-syzkaller-00033-gd59bd748db0a #0
[ 5.159433][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
[ 5.160818][ T1] RIP: 0010:kmem_cache_alloc_trace+0x6a/0x1e0
[ 5.161856][ T1] Code: 48 85 c0 74 7e 49 89 c7 49 8b 07 65 48 03 05 4d 31 af 7e 48 8b 50 08 48 8b 38 48 85 ff 74 7d 48 83 78 10 00 74 76 41 8b 47 28 <48> 8b 1c 07 48 8d 4a 08 4d 8b 07 48 89 f8 65 49 0f c7 08 0f 94 c0
[ 5.162052][ T1] RSP: 0000:ffff8881001af8a0 EFLAGS: 00010286
[ 5.162052][ T1] RAX: 0000000000000800 RBX: 0000000000000000 RCX: 0000000000000000
[ 5.162052][ T1] RDX: 0000000000009e48 RSI: 0000000000000dc0 RDI: ffff000000000000
[ 5.162052][ T1] RBP: ffff8881001af8e0 R08: 0000000000000dc0 R09: ffffffff82992c5d
[ 5.162052][ T1] R10: 0000000000000004 R11: ffff8881001e8000 R12: ffff888100041d00
[ 5.162052][ T1] R13: ffffffff823e1d01 R14: 0000000000000dc0 R15: ffff888100041d00
[ 5.162052][ T1] FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
[ 5.162052][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5.162052][ T1] CR2: ffff88823ffff000 CR3: 0000000005c29000 CR4: 00000000003506f0
[ 5.162052][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 5.162052][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 5.162052][ T1] Call Trace:
[ 5.162052][ T1] <TASK>
[ 5.162052][ T1] kobject_uevent_env+0x151/0x4c0
[ 5.162052][ T1] ? device_links_driver_bound+0x596/0x5b0
[ 5.162052][ T1] kobject_uevent+0x23/0x30
[ 5.162052][ T1] driver_bound+0x1da/0x200
[ 5.162052][ T1] ? platform_uevent+0x90/0x90
[ 5.162052][ T1] really_probe+0x424/0x4c0
[ 5.162052][ T1] ? __driver_probe_device+0xeb/0x140
[ 5.162052][ T1] __driver_probe_device+0xf6/0x140
[ 5.162052][ T1] driver_probe_device+0x31/0x210
[ 5.162052][ T1] __device_attach_driver+0x1e1/0x250
[ 5.162052][ T1] ? coredump_store+0x50/0x50
[ 5.162052][ T1] bus_for_each_drv+0xae/0x100
[ 5.162052][ T1] __device_attach+0x13d/0x220
[ 5.162052][ T1] device_initial_probe+0x1e/0x30
[ 5.162052][ T1] bus_probe_device+0x62/0xf0
[ 5.162052][ T1] device_add+0x655/0x7b0
[ 5.162052][ T1] platform_device_add+0x22f/0x330
[ 5.162052][ T1] dummy_hcd_init+0x4ce/0x6dc
[ 5.162052][ T1] ? configfs_register_subsystem+0x228/0x240
[ 5.162052][ T1] ? usb_udc_init+0x9d/0x9d
[ 5.162052][ T1] do_one_initcall+0xa8/0x390
[ 5.162052][ T1] ? skip_spaces+0x2c/0x40
[ 5.162052][ T1] ? next_arg+0x266/0x280
[ 5.162052][ T1] ? parse_args+0x577/0x5b0
[ 5.162052][ T1] do_initcall_level+0x94/0x171
[ 5.162052][ T1] do_initcalls+0x4e/0x89
[ 5.162052][ T1] do_basic_setup+0x1d/0x1f
[ 5.200701][ T1] kernel_init_freeable+0x113/0x189
[ 5.200701][ T1] ? rest_init+0xd0/0xd0
[ 5.200701][ T1] kernel_init+0x1f/0x2a0
[ 5.200701][ T1] ? rest_init+0xd0/0xd0
[ 5.200701][ T1] ret_from_fork+0x1f/0x30
[ 5.200701][ T1] </TASK>
[ 5.200701][ T1] Modules linked in:
[ 5.210897][ C0] vkms_vblank_simulate: vblank timer overrun
[ 5.212396][ T1] ---[ end trace 0000000000000000 ]---
[ 5.213702][ T1] RIP: 0010:kmem_cache_alloc_trace+0x6a/0x1e0
[ 5.215084][ T1] Code: 48 85 c0 74 7e 49 89 c7 49 8b 07 65 48 03 05 4d 31 af 7e 48 8b 50 08 48 8b 38 48 85 ff 74 7d 48 83 78 10 00 74 76 41 8b 47 28 <48> 8b 1c 07 48 8d 4a 08 4d 8b 07 48 89 f8 65 49 0f c7 08 0f 94 c0
[ 5.220767][ T1] RSP: 0000:ffff8881001af8a0 EFLAGS: 00010286
[ 5.222164][ T1] RAX: 0000000000000800 RBX: 0000000000000000 RCX: 0000000000000000
[ 5.224220][ T1] RDX: 0000000000009e48 RSI: 0000000000000dc0 RDI: ffff000000000000
[ 5.226644][ T1] RBP: ffff8881001af8e0 R08: 0000000000000dc0 R09: ffffffff82992c5d
[ 5.229009][ T1] R10: 0000000000000004 R11: ffff8881001e8000 R12: ffff888100041d00
[ 5.231225][ T1] R13: ffffffff823e1d01 R14: 0000000000000dc0 R15: ffff888100041d00
[ 5.233220][ T1] FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
[ 5.235486][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5.237106][ T1] CR2: ffff88823ffff000 CR3: 0000000005c29000 CR4: 00000000003506f0
[ 5.238923][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 5.240518][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 5.242066][ T1] Kernel panic - not syncing: Fatal exception
[ 5.244082][ T1] Kernel Offset: disabled
[ 5.245268][ T1] Rebooting in 86400 seconds..


syzkaller build log:


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=146d8aa5180000


Tested on:

commit: d59bd748 io_uring/poll: disable level triggered poll
git tree: git://git.kernel.dk/linux.git io_uring-6.0
kernel config: https://syzkaller.appspot.com/x/.config?x=7646c61aacfb37b5
dashboard link: https://syzkaller.appspot.com/bug?extid=f8e9a371388aa62ecab4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

syzbot

Mar 16, 2024, 6:26:03 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+f8e9a3...@syzkaller.appspotmail.com

Tested on:

commit: 66a27aba Merge tag 'powerpc-6.9-1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=14619985180000
kernel config: https://syzkaller.appspot.com/x/.config?x=48bb382b96e7eda7
dashboard link: https://syzkaller.appspot.com/bug?extid=f8e9a371388aa62ecab4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=110a1d66180000

Note: testing is done by a robot and is best-effort only.

Edward Adam Davis

Mar 16, 2024, 8:42:45 AM
to syzbot+f8e9a3...@syzkaller.appspotmail.com, asml.s...@gmail.com, ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
[Syzbot reported]
[Fix]
When initializing the req object, also initialize its cmd member.

Reported-and-tested-by: syzbot+f8e9a3...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
io_uring/io_uring.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index cd9a137ad6ce..3db59fd6f676 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -1066,6 +1066,7 @@ static void io_preinit_req(struct io_kiocb *req, struct io_ring_ctx *ctx)
/* not necessary, but safer to zero */
memset(&req->cqe, 0, sizeof(req->cqe));
memset(&req->big_cqe, 0, sizeof(req->big_cqe));
+ memset(&req->cmd, 0, sizeof(req->cmd));
}

static void io_flush_cached_locked_reqs(struct io_ring_ctx *ctx,
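Review bot: the added memset in io_preinit_req only zeroes req->cmd when the request object is first set up, so it masks the KMSAN report rather than fixing the cause. io_sendrecv_fail reads opcode state (done_io, per the thread) for a request that failed before its prep handler ever ran, and a request object reused from the cache keeps the previous request's cmd contents, which this zeroing does not touch; the failure path would then report stale data instead of the uninitialized read. The commit message should name the field io_sendrecv_fail reads and explain why it is unset, and the fix belongs in the failure path (skip the opcode fail handler, or clear its state, for a request that never went through prep) rather than in the generic preinit, which also puts a sizeof(req->cmd) memset on every request allocation.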
--
2.43.0

Jens Axboe

Mar 16, 2024, 9:11:24 AM
to Edward Adam Davis, syzbot+f8e9a3...@syzkaller.appspotmail.com, asml.s...@gmail.com, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On 3/16/24 6:42 AM, Edward Adam Davis wrote:
> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
> index cd9a137ad6ce..3db59fd6f676 100644
> --- a/io_uring/io_uring.c
> +++ b/io_uring/io_uring.c
> @@ -1066,6 +1066,7 @@ static void io_preinit_req(struct io_kiocb *req, struct io_ring_ctx *ctx)
> /* not necessary, but safer to zero */
> memset(&req->cqe, 0, sizeof(req->cqe));
> memset(&req->big_cqe, 0, sizeof(req->big_cqe));
> + memset(&req->cmd, 0, sizeof(req->cmd));
> }
>
> static void io_flush_cached_locked_reqs(struct io_ring_ctx *ctx,

This will just silence the syzbot report, as the memory is initialized
upfront. But it's not the real fix, as ->done_io could still be recycled
from a previous issue.

--
Jens Axboe

Jens Axboe

Mar 16, 2024, 9:13:18 AM
to syzbot, asml.s...@gmail.com, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test: git://git.kernel.dk/linux.git io_uring-6.9

--
Jens Axboe

syzbot

Mar 16, 2024, 9:37:05 AM
to asml.s...@gmail.com, ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in io_sendrecv_fail

=====================================================
BUG: KMSAN: uninit-value in io_sendrecv_fail+0x91/0x1e0 io_uring/net.c:1341
io_sendrecv_fail+0x91/0x1e0 io_uring/net.c:1341
io_req_defer_failed+0x3bd/0x610 io_uring/io_uring.c:1050
io_queue_sqe_fallback+0x1e3/0x280 io_uring/io_uring.c:2126
io_submit_fail_init+0x4e1/0x790 io_uring/io_uring.c:2304
io_submit_sqes+0x19cd/0x2fb0 io_uring/io_uring.c:2480
__do_sys_io_uring_enter io_uring/io_uring.c:3656 [inline]
__se_sys_io_uring_enter+0x409/0x4390 io_uring/io_uring.c:3591
__x64_sys_io_uring_enter+0x11b/0x1a0 io_uring/io_uring.c:3591
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
__alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4592
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2190 [inline]
allocate_slab mm/slub.c:2354 [inline]
new_slab+0x2d7/0x1400 mm/slub.c:2407
___slab_alloc+0x16b5/0x3970 mm/slub.c:3540
__kmem_cache_alloc_bulk mm/slub.c:4574 [inline]
kmem_cache_alloc_bulk+0x52a/0x1440 mm/slub.c:4648
__io_alloc_req_refill+0x248/0x780 io_uring/io_uring.c:1101
io_alloc_req io_uring/io_uring.h:405 [inline]
io_submit_sqes+0xaa1/0x2fb0 io_uring/io_uring.c:2469
__do_sys_io_uring_enter io_uring/io_uring.c:3656 [inline]
__se_sys_io_uring_enter+0x409/0x4390 io_uring/io_uring.c:3591
__x64_sys_io_uring_enter+0x11b/0x1a0 io_uring/io_uring.c:3591
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 0 PID: 5482 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-00721-g6c677dd4eac2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
=====================================================


Tested on:

commit: 6c677dd4 io_uring/net: ensure async prep handlers alwa..
git tree: git://git.kernel.dk/linux.git io_uring-6.9
console output: https://syzkaller.appspot.com/x/log.txt?x=17f26711180000
kernel config: https://syzkaller.appspot.com/x/.config?x=a271c5dca0ff14df
dashboard link: https://syzkaller.appspot.com/bug?extid=f8e9a371388aa62ecab4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Jens Axboe

Mar 16, 2024, 10:42:20 AM
to syzbot, asml.s...@gmail.com, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com

syzbot

Mar 16, 2024, 11:20:04 AM
to asml.s...@gmail.com, ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+f8e9a3...@syzkaller.appspotmail.com

Tested on:

commit: c9285260 io_uring/net: ensure async prep handlers alwa..
git tree: git://git.kernel.dk/linux.git io_uring-6.9
console output: https://syzkaller.appspot.com/x/log.txt?x=162a6711180000
kernel config: https://syzkaller.appspot.com/x/.config?x=a271c5dca0ff14df
dashboard link: https://syzkaller.appspot.com/bug?extid=f8e9a371388aa62ecab4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

Pavel Begunkov

Mar 16, 2024, 11:30:52 AM
to syzbot, ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On 3/16/24 13:37, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KMSAN: uninit-value in io_sendrecv_fail

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 3ae4bb988906..826989e2f601 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -1063,6 +1063,7 @@ static void io_preinit_req(struct io_kiocb *req, struct io_ring_ctx *ctx)
/* not necessary, but safer to zero */
memset(&req->cqe, 0, sizeof(req->cqe));
memset(&req->big_cqe, 0, sizeof(req->big_cqe));
+ memset(&req->cmd, 0, sizeof(req->cmd));
}

What's the point of testing it? You said it yourself, it hides the
problem under the carpet but doesn't solve it. Do some valid IO first,
then send that failed request. If done_io is aliased with some
interesting field of a previously completed request you're royally
screwed, but syz would be just happy about it.

It's likely that what syz is complaining about is the early fail case
I told you about yesterday.
--
Pavel Begunkov

Jens Axboe

Mar 16, 2024, 11:46:24 AM
to Pavel Begunkov, syzbot, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On 3/16/24 9:28 AM, Pavel Begunkov wrote:
> On 3/16/24 13:37, syzbot wrote:
>> Hello,
>>
>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>> KMSAN: uninit-value in io_sendrecv_fail
>
> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
> index 3ae4bb988906..826989e2f601 100644
> --- a/io_uring/io_uring.c
> +++ b/io_uring/io_uring.c
> @@ -1063,6 +1063,7 @@ static void io_preinit_req(struct io_kiocb *req, struct io_ring_ctx *ctx)
> /* not necessary, but safer to zero */
> memset(&req->cqe, 0, sizeof(req->cqe));
> memset(&req->big_cqe, 0, sizeof(req->big_cqe));
> + memset(&req->cmd, 0, sizeof(req->cmd));
> }
>
> What's the point of testing it? You said it yourself, it hides the
> problem under the carpet but doesn't solve it. Do some valid IO first,
> then send that failed request. If done_io is aliased with some
> interesting field of a previously completed request you're royally
> screwed, but syz would be just happy about it.

Yeah I agree, as per my email. I think we're better off just doing the
EARLY_FAIL in general, and forget about the specific case. I just wanted
to make sure I wasn't off in the weeds, since I can't trigger this.
Could probably write a specific test case for it, but the syzbot
reproducer didn't for me.

--
Jens Axboe
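As an added illustration (not code from the thread or from the kernel tree), the C model below shows the failure mode Jens and Pavel describe: a request object recycled from a cache keeps the previous opcode's data in its cmd union, so an alloc-time memset does not help, and a fail handler that reads done_io for a request that never went through prep picks up the stale value. The request structure, the cache, and the REQ_F_EARLY_FAIL flag are simplified stand-ins invented for this model.

```c
#include <stdbool.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures; invented for this model. */
enum opcode { OP_READ, OP_SEND };

struct io_sr_msg { int done_io; };   /* send/recv state: bytes already transferred */
struct io_rw     { int len;     };   /* a different opcode's state, same union slot */

#define REQ_F_EARLY_FAIL 1u          /* modelled flag: failed before prep ran */

struct req {
    enum opcode opcode;
    unsigned flags;
    int res;                         /* result reported to the completion queue */
    bool in_use;
    union {                          /* opcode-specific area, like req->cmd */
        struct io_sr_msg sr;
        struct io_rw rw;
    } cmd;
};

#define CACHE_SIZE 2
static struct req cache[CACHE_SIZE];
static bool cache_zeroed[CACHE_SIZE];

/* Model of the proposed io_preinit_req memset: the object is zeroed only when
 * it is first handed out. A recycled object keeps the last request's cmd. */
static struct req *alloc_req(void)
{
    for (int i = 0; i < CACHE_SIZE; i++) {
        if (cache[i].in_use)
            continue;
        if (!cache_zeroed[i]) {
            memset(&cache[i], 0, sizeof(cache[i]));
            cache_zeroed[i] = true;
        }
        cache[i].in_use = true;
        cache[i].flags = 0;
        cache[i].res = 0;
        return &cache[i];
    }
    return NULL;
}

static void free_req(struct req *r)
{
    r->in_use = false;               /* back to the cache, cmd left as-is */
}

/* Model of io_sendrecv_fail: a partially completed send reports the bytes
 * already transferred instead of the error. */
static void sendrecv_fail(struct req *r)
{
    if (r->cmd.sr.done_io)
        r->res = r->cmd.sr.done_io;
}

/* Generic failure path. With use_early_fail, a request that failed before its
 * prep handler ran is flagged and the opcode fail handler is skipped, the
 * direction the thread takes instead of blanket zeroing. */
static void req_fail(struct req *r, int err, bool prepped, bool use_early_fail)
{
    r->res = err;
    if (!prepped && use_early_fail)
        r->flags |= REQ_F_EARLY_FAIL;
    if (r->opcode == OP_SEND && !(r->flags & REQ_F_EARLY_FAIL))
        sendrecv_fail(r);
}

/* A read request fills its slot of the union, completes and is recycled; then
 * a malformed send using the same object fails before prep. Returns the res
 * the failed send reports: -22 (-EINVAL) is right, 4096 is the stale read
 * length leaking through done_io. */
static int run_scenario(bool use_early_fail)
{
    memset(cache, 0, sizeof(cache));
    memset(cache_zeroed, 0, sizeof(cache_zeroed));

    struct req *r = alloc_req();
    r->opcode = OP_READ;
    r->cmd.rw.len = 4096;            /* shares storage with sr.done_io */
    free_req(r);                     /* completed; object goes back to cache */

    r = alloc_req();                 /* same object, not re-zeroed */
    r->opcode = OP_SEND;
    req_fail(r, -22, /* prepped = */ false, use_early_fail);
    return r->res;
}
```

run_scenario(false) models the memset-only patch and yields 4096, the stale read length; run_scenario(true) models the early-fail flag and yields -22.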

Jens Axboe

Mar 16, 2024, 12:01:50 PM
to syzbot, asml.s...@gmail.com, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com

syzbot

Mar 16, 2024, 12:29:03 PM
to asml.s...@gmail.com, ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KMSAN: uninit-value in io_sendrecv_fail

=====================================================
BUG: KMSAN: uninit-value in io_sendrecv_fail+0x91/0x1e0 io_uring/net.c:1334
io_sendrecv_fail+0x91/0x1e0 io_uring/net.c:1334
io_req_defer_failed+0x456/0x6d0 io_uring/io_uring.c:1050
io_queue_sqe_fallback+0x1e3/0x280 io_uring/io_uring.c:2126
io_submit_fail_init+0x4e1/0x790 io_uring/io_uring.c:2310
io_submit_sqes+0x1a60/0x3030 io_uring/io_uring.c:2486
__do_sys_io_uring_enter io_uring/io_uring.c:3662 [inline]
__se_sys_io_uring_enter+0x409/0x4390 io_uring/io_uring.c:3597
__x64_sys_io_uring_enter+0x11b/0x1a0 io_uring/io_uring.c:3597
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
__alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4592
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2190 [inline]
allocate_slab mm/slub.c:2354 [inline]
new_slab+0x2d7/0x1400 mm/slub.c:2407
___slab_alloc+0x16b5/0x3970 mm/slub.c:3540
__kmem_cache_alloc_bulk mm/slub.c:4574 [inline]
kmem_cache_alloc_bulk+0x52a/0x1440 mm/slub.c:4648
__io_alloc_req_refill+0x248/0x780 io_uring/io_uring.c:1101
io_alloc_req io_uring/io_uring.h:405 [inline]
io_submit_sqes+0xaa2/0x3030 io_uring/io_uring.c:2475
__do_sys_io_uring_enter io_uring/io_uring.c:3662 [inline]
__se_sys_io_uring_enter+0x409/0x4390 io_uring/io_uring.c:3597
__x64_sys_io_uring_enter+0x11b/0x1a0 io_uring/io_uring.c:3597
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 0 PID: 5478 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-00721-g3fdefe13e0a9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
=====================================================


Tested on:

commit: 3fdefe13 io_uring: explicitly flag early request failure
git tree: git://git.kernel.dk/linux.git io_uring-6.9
console output: https://syzkaller.appspot.com/x/log.txt?x=15c58006180000

Jens Axboe

Mar 16, 2024, 12:36:24 PM
to syzbot, asml.s...@gmail.com, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Let's try this one more time:

syzbot

Mar 16, 2024, 1:18:02 PM
to asml.s...@gmail.com, ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+f8e9a3...@syzkaller.appspotmail.com

Tested on:

commit: ae551333 io_uring: clear opcode specific data for an e..
git tree: git://git.kernel.dk/linux.git io_uring-6.9
console output: https://syzkaller.appspot.com/x/log.txt?x=12656231180000
kernel config: https://syzkaller.appspot.com/x/.config?x=a271c5dca0ff14df
dashboard link: https://syzkaller.appspot.com/bug?extid=f8e9a371388aa62ecab4
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.