general protection fault in io_ring_exit_work
15 views
Skip to first unread message
syzbot
Nov 3, 2021, 7:16:29 PM11/3/21
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 8bb7eca972ad Linux 5.15
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1088bf22b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=163f131d973555b5
dashboard link: https://syzkaller.appspot.com/bug?extid=00d5d9e6172cd6384b9a
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
CC: [asml.s...@gmail.com ax...@kernel.dk io-u...@vger.kernel.org linux-...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+00d5d9...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 148 Comm: kworker/u4:2 Not tainted 5.15.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_unbound io_ring_exit_work
RIP: 0010:__list_del_entry_valid+0xa9/0xf0 lib/list_debug.c:54
Code: ea 03 80 3c 02 00 75 51 49 8b 14 24 48 39 ea 0f 85 92 e7 23 05 49 8d 7d 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 22 49 8b 55 08 48 39 ea 0f 85 a3 e7 23 05 5d b8 01
RSP: 0018:ffffc9000174fb70 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff81e3305b RDI: 0000000000000008
RBP: ffff888000101000 R08: 00000000ffffffff R09: ffffffff8fd01ad7
R10: ffffffff81e33136 R11: 0000000000086089 R12: ffff888072112ac0
R13: 0000000000000000 R14: ffff888072112ac0 R15: ffff888000101008
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561e88aa2fd8 CR3: 000000007a5ca000 CR4: 0000000000350ef0
Call Trace:
__list_del_entry include/linux/list.h:132 [inline]
list_del include/linux/list.h:146 [inline]
__io_remove_buffers fs/io_uring.c:4303 [inline]
__io_remove_buffers fs/io_uring.c:4289 [inline]
io_destroy_buffers fs/io_uring.c:9213 [inline]
io_ring_ctx_free fs/io_uring.c:9272 [inline]
io_ring_exit_work+0xaeb/0x19a0 fs/io_uring.c:9446
process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
---[ end trace 0e8a2174890a75da ]---
RIP: 0010:__list_del_entry_valid+0xa9/0xf0 lib/list_debug.c:54
Code: ea 03 80 3c 02 00 75 51 49 8b 14 24 48 39 ea 0f 85 92 e7 23 05 49 8d 7d 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 22 49 8b 55 08 48 39 ea 0f 85 a3 e7 23 05 5d b8 01
RSP: 0018:ffffc9000174fb70 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff81e3305b RDI: 0000000000000008
RBP: ffff888000101000 R08: 00000000ffffffff R09: ffffffff8fd01ad7
R10: ffffffff81e33136 R11: 0000000000086089 R12: ffff888072112ac0
R13: 0000000000000000 R14: ffff888072112ac0 R15: ffff888000101008
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561e88b42087 CR3: 00000000194f8000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 03 80 3c 02 00 75 add 0x7500023c(%rax),%eax
6: 51 push %rcx
7: 49 8b 14 24 mov (%r12),%rdx
b: 48 39 ea cmp %rbp,%rdx
e: 0f 85 92 e7 23 05 jne 0x523e7a6
14: 49 8d 7d 08 lea 0x8(%r13),%rdi
18: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1f: fc ff df
22: 48 89 fa mov %rdi,%rdx
25: 48 c1 ea 03 shr $0x3,%rdx
* 29: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2d: 75 22 jne 0x51
2f: 49 8b 55 08 mov 0x8(%r13),%rdx
33: 48 39 ea cmp %rbp,%rdx
36: 0f 85 a3 e7 23 05 jne 0x523e7df
3c: 5d pop %rbp
3d: b8 .byte 0xb8
3e: 01 .byte 0x1
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 8bb7eca972ad Linux 5.15
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1088bf22b00000
kernel config: https://syzkaller.appspot.com/x/.config?x=163f131d973555b5
dashboard link: https://syzkaller.appspot.com/bug?extid=00d5d9e6172cd6384b9a
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
CC: [asml.s...@gmail.com ax...@kernel.dk io-u...@vger.kernel.org linux-...@vger.kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+00d5d9...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 148 Comm: kworker/u4:2 Not tainted 5.15.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_unbound io_ring_exit_work
RIP: 0010:__list_del_entry_valid+0xa9/0xf0 lib/list_debug.c:54
Code: ea 03 80 3c 02 00 75 51 49 8b 14 24 48 39 ea 0f 85 92 e7 23 05 49 8d 7d 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 22 49 8b 55 08 48 39 ea 0f 85 a3 e7 23 05 5d b8 01
RSP: 0018:ffffc9000174fb70 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff81e3305b RDI: 0000000000000008
RBP: ffff888000101000 R08: 00000000ffffffff R09: ffffffff8fd01ad7
R10: ffffffff81e33136 R11: 0000000000086089 R12: ffff888072112ac0
R13: 0000000000000000 R14: ffff888072112ac0 R15: ffff888000101008
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561e88aa2fd8 CR3: 000000007a5ca000 CR4: 0000000000350ef0
Call Trace:
__list_del_entry include/linux/list.h:132 [inline]
list_del include/linux/list.h:146 [inline]
__io_remove_buffers fs/io_uring.c:4303 [inline]
__io_remove_buffers fs/io_uring.c:4289 [inline]
io_destroy_buffers fs/io_uring.c:9213 [inline]
io_ring_ctx_free fs/io_uring.c:9272 [inline]
io_ring_exit_work+0xaeb/0x19a0 fs/io_uring.c:9446
process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
kthread+0x3e5/0x4d0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
---[ end trace 0e8a2174890a75da ]---
RIP: 0010:__list_del_entry_valid+0xa9/0xf0 lib/list_debug.c:54
Code: ea 03 80 3c 02 00 75 51 49 8b 14 24 48 39 ea 0f 85 92 e7 23 05 49 8d 7d 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 22 49 8b 55 08 48 39 ea 0f 85 a3 e7 23 05 5d b8 01
RSP: 0018:ffffc9000174fb70 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff81e3305b RDI: 0000000000000008
RBP: ffff888000101000 R08: 00000000ffffffff R09: ffffffff8fd01ad7
R10: ffffffff81e33136 R11: 0000000000086089 R12: ffff888072112ac0
R13: 0000000000000000 R14: ffff888072112ac0 R15: ffff888000101008
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561e88b42087 CR3: 00000000194f8000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 03 80 3c 02 00 75 add 0x7500023c(%rax),%eax
6: 51 push %rcx
7: 49 8b 14 24 mov (%r12),%rdx
b: 48 39 ea cmp %rbp,%rdx
e: 0f 85 92 e7 23 05 jne 0x523e7a6
14: 49 8d 7d 08 lea 0x8(%r13),%rdi
18: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1f: fc ff df
22: 48 89 fa mov %rdi,%rdx
25: 48 c1 ea 03 shr $0x3,%rdx
* 29: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2d: 75 22 jne 0x51
2f: 49 8b 55 08 mov 0x8(%r13),%rdx
33: 48 39 ea cmp %rbp,%rdx
36: 0f 85 a3 e7 23 05 jne 0x523e7df
3c: 5d pop %rbp
3d: b8 .byte 0xb8
3e: 01 .byte 0x1
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Feb 27, 2022, 11:41:19 AM2/27/22
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages