lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3d956ccb-8f2d-e3aa-eee3-254185314915@kernel.dk>
Date:   Thu, 2 Sep 2021 12:46:57 -0600
From:   Jens Axboe <axboe@...nel.dk>
To:     syzbot <syzbot+de67aa0cf1053e405871@...kaller.appspotmail.com>,
        asml.silence@...il.com, haoxu@...ux.alibaba.com,
        io-uring@...r.kernel.org, linux-kernel@...r.kernel.org,
        syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] general protection fault in io_issue_sqe

On 9/2/21 12:28 PM, syzbot wrote:
> Hello,
> 
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> general protection fault in io_ring_ctx_wait_and_kill
> 
> general protection fault, probably for non-canonical address 0xdffffc0000000016: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x00000000000000b0-0x00000000000000b7]
> CPU: 0 PID: 10163 Comm: syz-executor.2 Not tainted 5.14.0-rc7-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:io_ring_ctx_wait_and_kill+0x24d/0x450 fs/io_uring.c:9180
> Code: ff 48 89 df e8 c4 fb ff ff e8 6f a8 94 ff 48 8b 04 24 48 8d b8 b0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 d3 01 00 00 48 8b 04 24 48 8b a8 b0 00 00 00 48
> RSP: 0018:ffffc9000a8b7a60 EFLAGS: 00010202
> RAX: dffffc0000000000 RBX: ffff888046aa6000 RCX: 0000000000000000
> RDX: 0000000000000016 RSI: ffffffff81e10061 RDI: 00000000000000b0
> RBP: 0000000000000000 R08: 0000000000000000 R09: ffff888046aa6643
> R10: ffffffff81e1004b R11: 0000000000000000 R12: ffff888046aa63f8
> R13: ffffc9000a8b7a90 R14: ffff8881453f4000 R15: ffff888046aa6040
> FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000561b3ede9400 CR3: 000000000b68e000 CR4: 00000000001506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  io_uring_release+0x3e/0x50 fs/io_uring.c:9198
>  __fput+0x288/0x920 fs/file_table.c:280
>  task_work_run+0xdd/0x1a0 kernel/task_work.c:164
>  exit_task_work include/linux/task_work.h:32 [inline]
>  do_exit+0xbae/0x2a30 kernel/exit.c:825
>  do_group_exit+0x125/0x310 kernel/exit.c:922
>  get_signal+0x47f/0x2160 kernel/signal.c:2808
>  arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865
>  handle_signal_work kernel/entry/common.c:148 [inline]
>  exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
>  exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209
>  __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
>  syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302
>  do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x4665f9
> Code: Unable to access opcode bytes at RIP 0x4665cf.
> RSP: 002b:00007faa595bc218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> RAX: fffffffffffffe00 RBX: 000000000056c040 RCX: 00000000004665f9
> RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000056c040
> RBP: 000000000056c038 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c044
> R13: 00007fff98399dff R14: 00007faa595bc300 R15: 0000000000022000
> Modules linked in:
> ---[ end trace 641488e48828d1de ]---
> RIP: 0010:io_ring_ctx_wait_and_kill+0x24d/0x450 fs/io_uring.c:9180
> Code: ff 48 89 df e8 c4 fb ff ff e8 6f a8 94 ff 48 8b 04 24 48 8d b8 b0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 d3 01 00 00 48 8b 04 24 48 8b a8 b0 00 00 00 48
> RSP: 0018:ffffc9000a8b7a60 EFLAGS: 00010202
> RAX: dffffc0000000000 RBX: ffff888046aa6000 RCX: 0000000000000000
> RDX: 0000000000000016 RSI: ffffffff81e10061 RDI: 00000000000000b0
> RBP: 0000000000000000 R08: 0000000000000000 R09: ffff888046aa6643
> R10: ffffffff81e1004b R11: 0000000000000000 R12: ffff888046aa63f8
> R13: ffffc9000a8b7a90 R14: ffff8881453f4000 R15: ffff888046aa6040
> FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000561b3ede9400 CR3: 000000003cbf0000 CR4: 00000000001506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> ----------------
> Code disassembly (best guess), 1 bytes skipped:
>    0:	48 89 df             	mov    %rbx,%rdi
>    3:	e8 c4 fb ff ff       	callq  0xfffffbcc
>    8:	e8 6f a8 94 ff       	callq  0xff94a87c
>    d:	48 8b 04 24          	mov    (%rsp),%rax
>   11:	48 8d b8 b0 00 00 00 	lea    0xb0(%rax),%rdi
>   18:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
>   1f:	fc ff df
>   22:	48 89 fa             	mov    %rdi,%rdx
>   25:	48 c1 ea 03          	shr    $0x3,%rdx
> * 29:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
>   2d:	0f 85 d3 01 00 00    	jne    0x206
>   33:	48 8b 04 24          	mov    (%rsp),%rax
>   37:	48 8b a8 b0 00 00 00 	mov    0xb0(%rax),%rbp
>   3e:	48                   	rex.W

That's unrelated, but probably my fault. Let's rerun:

#syz test git://git.kernel.dk/linux-block for-5.15/io_uring

-- 
Jens Axboe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ