lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CADZouDSYKVjDry_w535s8d8+3eXyLnMdrnOtbeYSMYWqxFkKbA@mail.gmail.com>
Date: Wed, 12 Jun 2024 17:46:29 +0200
From: chase xd <sl1589472800@...il.com>
To: Pavel Begunkov <asml.silence@...il.com>, Jens Axboe <axboe@...nel.dk>, io-uring@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [io-uring] WARNING in io_issue_sqe

here you go

```
# {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1
Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false
NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false
KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false
Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false
HandleSegv:true Repro:false Trace:false LegacyOptions:{Collide:false
Fault:false FaultCall:0 FaultNth:0}}
r0 = syz_io_uring_setup(0x4d84, &(0x7f0000000000)={0x0, 0x649b, 0x80,
0x0, 0x4315}, &(0x7f0000000080)=<r1=>0x0, &(0x7f00000000c0)=<r2=>0x0)
open(&(0x7f0000000100)='./file0\x00', 0x214400, 0x84)
r3 = open$dir(&(0x7f0000000140)='./file0\x00', 0x0, 0x0)
r4 = socket(0x2a, 0x80800, 0x4)
epoll_create1(0x0)
eventfd2(0xffffffff, 0x100800)
io_uring_register$IORING_UNREGISTER_IOWQ_AFF(r0, 0x12, 0x0, 0x0)
syz_io_uring_submit(r1, r2, &(0x7f00000001c0)=@...ING_OP_ACCEPT={0xd,
0x10, 0x1, @sock=r4, &(0x7f0000000200)=0x80,
&(0x7f0000000240)=@...c=@...e, 0x0, 0x800})
io_uring_enter(r0, 0x1, 0x1, 0x9, 0x0, 0x0)
syz_io_uring_complete(r1, &(0x7f0000000380))
io_uring_register$IORING_REGISTER_PROBE(r0, 0x8,
&(0x7f0000002900)={0x0, 0x0, 0x0, '\x00', [{}, {}, {}, {}, {}, {}, {},
{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {},
{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {},
{}, {}, {}, {}, {}]}, 0x2e)
clock_gettime(0x0, 0x0)
syz_io_uring_submit(r1, r2, 0x0)
syz_io_uring_submit(r1, r2,
&(0x7f0000001680)=@...ING_OP_SYMLINKAT={0x26, 0x22, 0x0, @fd_dir=r3,
&(0x7f0000000180)='./file0\x00', &(0x7f0000000380)='./file0\x00'})
syz_io_uring_submit(r1, r2,
&(0x7f0000002a80)=@...ING_OP_ASYNC_CANCEL={0xe, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x4, 0x1})
syz_io_uring_submit(r1, r2,
&(0x7f0000002ac0)=@...ING_OP_ASYNC_CANCEL={0xe, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x10, 0x1})
io_uring_enter(r0, 0x4, 0x4, 0x5, 0x0, 0x0)
syz_io_uring_complete(r1, 0x0)
```


On Wed, Jun 12, 2024 at 5:41 PM Pavel Begunkov <asml.silence@...il.com> wrote:
>
> On 6/12/24 15:29, chase xd wrote:
> > Hi,
> >
> > Syzkaller hits a new bug in branch 6.10.0-rc1-00004-gff802a9f35cf-dirty #7.
> > Note: this is also not a reliable repro, might need to try more times
>
> Do you have a syz repro? It's easier to understand what it's doing,
> which request types are used and such.
>
>
> >
> > ```
> >
> > [  153.857557][T21250] apt-get (21250) used greatest stack depth:
> > 22240 bytes left
> > [  249.711259][T57846] ------------[ cut here ]------------
> > [  249.711626][T57846] WARNING: CPU: 1 PID: 57846 at
> > io_uring/refs.h:38 io_issue_sqe+0x10dc/0x1720
> > [  249.712188][T57846] Modules linked in:
> > [  249.712431][T57846] CPU: 1 PID: 57846 Comm: iou-wrk-57845 Not
> > tainted 6.10.0-rc1-00004-gff802a9f35cf-dirty #7
> > [  249.713020][T57846] Hardware name: QEMU Standard PC (i440FX + PIIX,
> > 1996), BIOS 1.15.0-1 04/01/2014
> > [  249.713566][T57846] RIP: 0010:io_issue_sqe+0x10dc/0x1720
> > [  249.713894][T57846] Code: fc ff df 4c 89 e2 48 c1 ea 03 80 3c 02 00
> > 0f 85 c6 05 00 00 49 89 1c 24 49f
> > [  249.715023][T57846] RSP: 0018:ffffc9000e84fc00 EFLAGS: 00010293
> > [  249.715389][T57846] RAX: 0000000000000000 RBX: 0000000000000000
> > RCX: ffffffff84139c3c
> > [  249.715855][T57846] RDX: ffff88801eaad640 RSI: ffffffff8413a70b
> > RDI: 0000000000000007
> > [  249.716300][T57846] RBP: ffffc9000e84fc80 R08: 0000000000000007
> > R09: 0000000000000000
> > [  249.716676][T57846] R10: 0000000000000000 R11: 0000000000000000
> > R12: ffff8880001c3a00
> > [  249.717042][T57846] R13: 0000000000000000 R14: ffff888010600040
> > R15: ffff8880001c3a48
> > [  249.717428][T57846] FS:  00007f58ce931800(0000)
> > GS:ffff88807ec00000(0000) knlGS:0000000000000000
> > [  249.717837][T57846] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [  249.718135][T57846] CR2: 00007f58ce932128 CR3: 000000001b08a000
> > CR4: 00000000000006f0
> > [  249.718497][T57846] Call Trace:
> > [  249.718668][T57846]  <TASK>
> > [  249.718810][T57846]  ? __warn+0xc7/0x2f0
> > [  249.719003][T57846]  ? io_issue_sqe+0x10dc/0x1720
> > [  249.719233][T57846]  ? report_bug+0x347/0x410
> > [  249.719451][T57846]  ? handle_bug+0x3d/0x80
> > [  249.719654][T57846]  ? exc_invalid_op+0x18/0x50
> > [  249.719872][T57846]  ? asm_exc_invalid_op+0x1a/0x20
> > [  249.720127][T57846]  ? io_issue_sqe+0x60c/0x1720
> > [  249.720420][T57846]  ? io_issue_sqe+0x10db/0x1720
> > [  249.720711][T57846]  ? io_issue_sqe+0x10dc/0x1720
> > [  249.721012][T57846]  ? __fget_files+0x1bc/0x3d0
> > [  249.722194][T57846]  ? io_wq_submit_work+0x264/0xcb0
> > [  249.722521][T57846]  io_wq_submit_work+0x264/0xcb0
> > [  249.722826][T57846]  io_worker_handle_work+0x97e/0x1790
> > [  249.723159][T57846]  io_wq_worker+0x38e/0xe50
> > [  249.723435][T57846]  ? __pfx_io_wq_worker+0x10/0x10
> > [  249.723687][T57846]  ? ret_from_fork+0x16/0x70
> > [  249.723907][T57846]  ? __pfx_lock_release+0x10/0x10
> > [  249.724139][T57846]  ? do_raw_spin_lock+0x12c/0x2b0
> > [  249.724392][T57846]  ? __pfx_do_raw_spin_lock+0x10/0x10
> > [  249.724706][T57846]  ? __pfx_io_wq_worker+0x10/0x10
> > [  249.725015][T57846]  ret_from_fork+0x2f/0x70
> > [  249.725300][T57846]  ? __pfx_io_wq_worker+0x10/0x10
> > [  249.725603][T57846]  ret_from_fork_asm+0x1a/0x30
> > [  249.725897][T57846]  </TASK>
> > [  249.726083][T57846] Kernel panic - not syncing: kernel: panic_on_warn set ...
> > [  249.726521][T57846] CPU: 1 PID: 57846 Comm: iou-wrk-57845 Not
> > tainted 6.10.0-rc1-00004-gff802a9f35cf-dirty #7
> > [  249.727110][T57846] Hardware name: QEMU Standard PC (i440FX + PIIX,
> > 1996), BIOS 1.15.0-1 04/01/2014
> > [  249.727647][T57846] Call Trace:
> > [  249.727842][T57846]  <TASK>
> > [  249.728018][T57846]  panic+0x4fa/0x5a0
> > [  249.728252][T57846]  ? __pfx_panic+0x10/0x10
> > [  249.728516][T57846]  ? show_trace_log_lvl+0x284/0x390
> > [  249.728832][T57846]  ? io_issue_sqe+0x10dc/0x1720
> > [  249.729120][T57846]  check_panic_on_warn+0x61/0x80
> > [  249.729416][T57846]  __warn+0xd3/0x2f0
> > [  249.729650][T57846]  ? io_issue_sqe+0x10dc/0x1720
> > [  249.729941][T57846]  report_bug+0x347/0x410
> > [  249.730206][T57846]  handle_bug+0x3d/0x80
> > [  249.730460][T57846]  exc_invalid_op+0x18/0x50
> > [  249.730730][T57846]  asm_exc_invalid_op+0x1a/0x20
> > [  249.731031][T57846] RIP: 0010:io_issue_sqe+0x10dc/0x1720
> > [  249.731365][T57846] Code: fc ff df 4c 89 e2 48 c1 ea 03 80 3c 02 00
> > 0f 85 c6 05 00 00 49 89 1c 24 49f
> > [  249.732508][T57846] RSP: 0018:ffffc9000e84fc00 EFLAGS: 00010293
> > [  249.732873][T57846] RAX: 0000000000000000 RBX: 0000000000000000
> > RCX: ffffffff84139c3c
> > [  249.733351][T57846] RDX: ffff88801eaad640 RSI: ffffffff8413a70b
> > RDI: 0000000000000007
> > [  249.733822][T57846] RBP: ffffc9000e84fc80 R08: 0000000000000007
> > R09: 0000000000000000
> > [  249.734285][T57846] R10: 0000000000000000 R11: 0000000000000000
> > R12: ffff8880001c3a00
> > [  249.734757][T57846] R13: 0000000000000000 R14: ffff888010600040
> > R15: ffff8880001c3a48
> > [  249.735236][T57846]  ? io_issue_sqe+0x60c/0x1720
> > [  249.735529][T57846]  ? io_issue_sqe+0x10db/0x1720
> > [  249.735825][T57846]  ? __fget_files+0x1bc/0x3d0
> > [  249.736116][T57846]  ? io_wq_submit_work+0x264/0xcb0
> > [  249.736428][T57846]  io_wq_submit_work+0x264/0xcb0
> > [  249.736731][T57846]  io_worker_handle_work+0x97e/0x1790
> > [  249.737061][T57846]  io_wq_worker+0x38e/0xe50
> > [  249.737353][T57846]  ? __pfx_io_wq_worker+0x10/0x10
> > [  249.737646][T57846]  ? ret_from_fork+0x16/0x70
> > [  249.737861][T57846]  ? __pfx_lock_release+0x10/0x10
> > [  249.738091][T57846]  ? do_raw_spin_lock+0x12c/0x2b0
> > [  249.738398][T57846]  ? __pfx_do_raw_spin_lock+0x10/0x10
> > [  249.738729][T57846]  ? __pfx_io_wq_worker+0x10/0x10
> > [  249.739033][T57846]  ret_from_fork+0x2f/0x70
> > [  249.739308][T57846]  ? __pfx_io_wq_worker+0x10/0x10
> > [  249.739617][T57846]  ret_from_fork_asm+0x1a/0x30
> > [  249.739913][T57846]  </TASK>
> > [  249.740236][T57846] Kernel Offset: disabled
> > [  249.740518][T57846] Rebooting in 86400 seconds..
> >
> > ```
> >
> > crepro is in attachments.
> >
> > Regards
>
> --
> Pavel Begunkov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ