KASAN: null-ptr-deref Write in io_wq_cancel_all

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit: 139c2d13 Add linux-next specific files for 20191025
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17ab5a70e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=28fd7a693df38d29
dashboard link: https://syzkaller.appspot.com/bug?extid=d958a65633ea70280b23
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d958a6...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: null-ptr-deref in set_bit
include/asm-generic/bitops-instrumented.h:28 [inline]
BUG: KASAN: null-ptr-deref in io_wq_cancel_all+0x28/0x2a0 fs/io-wq.c:574
Write of size 8 at addr 0000000000000004 by task syz-executor.5/17477

CPU: 1 PID: 17477 Comm: syz-executor.5 Not tainted 5.4.0-rc4-next-20191025
#0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
__kasan_report.cold+0x5/0x41 mm/kasan/report.c:510
kasan_report+0x12/0x20 mm/kasan/common.c:634
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
__kasan_check_write+0x14/0x20 mm/kasan/common.c:98
set_bit include/asm-generic/bitops-instrumented.h:28 [inline]
io_wq_cancel_all+0x28/0x2a0 fs/io-wq.c:574
io_ring_ctx_wait_and_kill+0x1e2/0x710 fs/io_uring.c:3679
io_uring_release+0x42/0x50 fs/io_uring.c:3691
__fput+0x2ff/0x890 fs/file_table.c:280
____fput+0x16/0x20 fs/file_table.c:313
task_work_run+0x145/0x1c0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x904/0x2e60 kernel/exit.c:817
do_group_exit+0x135/0x360 kernel/exit.c:921
get_signal+0x47c/0x24f0 kernel/signal.c:2734
do_signal+0x87/0x1700 arch/x86/kernel/signal.c:815
exit_to_usermode_loop+0x286/0x380 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
do_syscall_64+0x65f/0x760 arch/x86/entry/common.c:300
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459ef9
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f7129716c78 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9
RAX: 0000000000000005 RBX: 0000000000000002 RCX: 0000000000459ef9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000ebf
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f71297176d4
R13: 00000000004c14ae R14: 00000000004d4c68 R15: 00000000ffffffff
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

[Dmitry Vyukov]

On Fri, Oct 25, 2019 at 1:51 PM syzbot
<syzbot+d958a6...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 139c2d13 Add linux-next specific files for 20191025
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=17ab5a70e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=28fd7a693df38d29
> dashboard link: https://syzkaller.appspot.com/bug?extid=d958a65633ea70280b23
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+d958a6...@syzkaller.appspotmail.com

+Jens

> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/000000000000fbbe1e0595bac322%40google.com.

[Jens Axboe]

On 10/25/19 5:58 AM, Dmitry Vyukov wrote:
> On Fri, Oct 25, 2019 at 1:51 PM syzbot
> <syzbot+d958a6...@syzkaller.appspotmail.com> wrote:
>>
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit: 139c2d13 Add linux-next specific files for 20191025
>> git tree: linux-next
>> console output: https://syzkaller.appspot.com/x/log.txt?x=17ab5a70e00000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=28fd7a693df38d29
>> dashboard link: https://syzkaller.appspot.com/bug?extid=d958a65633ea70280b23
>> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>>
>> Unfortunately, I don't have any reproducer for this crash yet.
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+d958a6...@syzkaller.appspotmail.com
>
> +Jens

Let me know if/when you have a reproducer for this one. I initially thought
this was a basic NULL pointer check, but it doesn't look like it. I wonder
if the thread handling the request got a signal, and since it had the
task file_table with the io_uring fd attached, it's triggering an exit.

I'll poke at it, but don't immediately see the issue.

--
Jens Axboe

[Jens Axboe]

Ah, I see it, if we run into work needing to get done as the worker
is exiting, we do that work. But that makes us busy, and we can then
exit the thread without having dropped the mm/files associated with
the original task. I've folded in a fix.

--
Jens Axboe

[syzbot]

syzbot has found a reproducer for the following crash on:

HEAD commit: 139c2d13 Add linux-next specific files for 20191025
git tree: linux-next

console output: https://syzkaller.appspot.com/x/log.txt?x=12888a00e00000

kernel config: https://syzkaller.appspot.com/x/.config?x=28fd7a693df38d29
dashboard link: https://syzkaller.appspot.com/bug?extid=d958a65633ea70280b23
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=160573c0e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d958a6...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: null-ptr-deref in set_bit
include/asm-generic/bitops-instrumented.h:28 [inline]
BUG: KASAN: null-ptr-deref in io_wq_cancel_all+0x28/0x2a0 fs/io-wq.c:574

Write of size 8 at addr 0000000000000004 by task syz-executor.2/9365

CPU: 1 PID: 9365 Comm: syz-executor.2 Not tainted 5.4.0-rc4-next-20191025 #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
__kasan_report.cold+0x5/0x41 mm/kasan/report.c:510
kasan_report+0x12/0x20 mm/kasan/common.c:634
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
__kasan_check_write+0x14/0x20 mm/kasan/common.c:98
set_bit include/asm-generic/bitops-instrumented.h:28 [inline]
io_wq_cancel_all+0x28/0x2a0 fs/io-wq.c:574
io_ring_ctx_wait_and_kill+0x1e2/0x710 fs/io_uring.c:3679
io_uring_release+0x42/0x50 fs/io_uring.c:3691
__fput+0x2ff/0x890 fs/file_table.c:280
____fput+0x16/0x20 fs/file_table.c:313
task_work_run+0x145/0x1c0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x904/0x2e60 kernel/exit.c:817
do_group_exit+0x135/0x360 kernel/exit.c:921
get_signal+0x47c/0x24f0 kernel/signal.c:2734
do_signal+0x87/0x1700 arch/x86/kernel/signal.c:815
exit_to_usermode_loop+0x286/0x380 arch/x86/entry/common.c:159
prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]

syscall_return_slowpath+0x47a/0x530 arch/x86/entry/common.c:274
ret_from_fork+0x15/0x30 arch/x86/entry/entry_64.S:344
RIP: 0033:0x45c909
Code: ff 48 85 f6 0f 84 d7 8c fb ff 48 83 ee 10 48 89 4e 08 48 89 3e 48 89
d7 4c 89 c2 4d 89 c8 4c 8b 54 24 08 b8 38 00 00 00 0f 05 <48> 85 c0 0f 8c
ae 8c fb ff 74 01 c3 31 ed 48 f7 c7 00 00 01 00 75
RSP: 002b:00007fe3de137db0 EFLAGS: 00000202 ORIG_RAX: 0000000000000038
RAX: 0000000000000000 RBX: 00007fe3de138700 RCX: 000000000045c909
RDX: 00007fe3de1389d0 RSI: 00007fe3de137db0 RDI: 00000000003d0f00
RBP: 00007ffff688f6a0 R08: 00007fe3de138700 R09: 00007fe3de138700
R10: 00007fe3de1389d0 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffff688f53f R14: 00007fe3de1389c0 R15: 000000000075bfd4
==================================================================

[Jens Axboe]

This one should be fixed in the current tree, and the version posted
yesterday. I don't know if linux-next has been updated since. I'll
check the reproducer and verify when I get the chance.

--
Jens Axboe

[syzbot]

syzbot has bisected this bug to:

commit d5f773aba1186142d52aef8242a426310a39fa86
Author: Jens Axboe <ax...@kernel.dk>
Date: Thu Oct 24 13:25:42 2019 +0000

io_uring: replace workqueue usage with io-wq

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=142c6d18e00000
start commit: 139c2d13 Add linux-next specific files for 20191025
git tree: linux-next
final crash: https://syzkaller.appspot.com/x/report.txt?x=162c6d18e00000
console output: https://syzkaller.appspot.com/x/log.txt?x=122c6d18e00000

kernel config: https://syzkaller.appspot.com/x/.config?x=28fd7a693df38d29
dashboard link: https://syzkaller.appspot.com/bug?extid=d958a65633ea70280b23

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=160573c0e00000

Reported-by: syzbot+d958a6...@syzkaller.appspotmail.com
Fixes: d5f773aba118 ("io_uring: replace workqueue usage with io-wq")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

[Eric Biggers]

This stopped occurring around Oct. 31, so it's likely to have been fixed.
Invalidating this bug:

#syz invalid

- Eric