Message-ID: <CA+-ZZ_jfkdgs+cz+HED+0k2tDFpuDgev9pBDYF0hYuAnO5yOCg@mail.gmail.com>
Date: Tue, 7 Jan 2025 19:24:43 -0500
From: reveliofuzzing <reveliofuzzing@...il.com>
To: Dave Hansen <dave.hansen@...el.com>
Cc: tglx@...utronix.de, mingo@...hat.com, bp@...en8.de, 
	dave.hansen@...ux.intel.com, kirill.shutemov@...ux.intel.com, x86@...nel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: reproducible GPF error in native_tss_update_io_bitmap

On Tue, Jan 7, 2025 at 4:28 PM Dave Hansen <dave.hansen@...el.com> wrote:
>
> On 1/6/25 18:32, reveliofuzzing wrote:
> > Hello,
> >
> > We found the following general protection fault bug in Linux kernel 6.12, and
> > it can be reproduced stably in a QEMU VM. To our knowledge, this problem has not
> > been observed by SyzBot so we would like to report it for your reference.
> >
> > - dmesg
> > syzkaller login: [   90.849309] Oops: general protection fault,
> > probably for non-canonical address 0xdffffc0000000000: 0000 [#1]
> > PREEMPTI
> > [   90.853735] KASAN: null-ptr-deref in range
> > [0x0000000000000000-0x0000000000000007]
> > [   90.856772] CPU: 0 PID: 3265 Comm: iou-sqp-3264 Not tainted 6.10.0 #2
> > [   90.859386] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> > BIOS 1.13.0-1ubuntu1.1 04/01/2014
> > [   90.862774] RIP: 0010:native_tss_update_io_bitmap+0x143/0x510
>
> The whole thing looks like an issue in the failure path when trying to
> create an io_uring io worker thread. It's probably some confusion in
> treating the worker thread like a userspace thread with an io bitmap
> when the worker thread doesn't have one.
>
> It's _probably_ only reproducible with io_uring. It's arguable whether
> it's likely an x86 issue or an io_uring issue.
>
> In any case, running:
>
>         scripts/decode_stacktrace.sh
>
Here is the output of running this script:
[   90.853735] KASAN: null-ptr-deref in range
[0x0000000000000000-0x0000000000000007]
[   90.856772] CPU: 0 PID: 3265 Comm: iou-sqp-3264 Not tainted 6.10.0 #2
[   90.859386] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.13.0-1ubuntu1.1 04/01/2014
[   90.862774] RIP: 0010:native_tss_update_io_bitmap
(linux-6.12/arch/x86/kernel/process.c:470)
[ 90.865203] Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85
ae 03 00 00 48 89 da 4d 8b 75 68 48 b8 00 00 00 00 00 fc ff df 4c

Code starting with the faulting instruction
===========================================
   0:   00 fc                   add    %bh,%ah
   2:   ff                      (bad)
   3:   df 48 89                fisttps -0x77(%rax)
   6:   fa                      cli
   7:   48 c1 ea 03             shr    $0x3,%rdx
   b:   80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)
   f:   0f 85 ae 03 00 00       jne    0x3c3
  15:   48 89 da                mov    %rbx,%rdx
  18:   4d 8b 75 68             mov    0x68(%r13),%r14
  1c:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  23:   fc ff df
  26:   4c                      rex.WR
[   90.872684] RSP: 0018:ffff8880079776c0 EFLAGS: 00010246
[   90.875623] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff810a7045
[   90.878708] RDX: 0000000000000000 RSI: ffffffff810a70a6 RDI: ffff88806d20a068
[   90.881705] RBP: ffff888007977740 R08: ffffffff8171dc14 R09: ffffed10014763c1
[   90.884683] R10: ffffed10014763c0 R11: ffff88800a3b1e07 R12: 1ffff11000f2eed8
[   90.887673] R13: ffff88806d20a000 R14: 00000000000005d4 R15: ffff888007977950
[   90.890639] FS:  000055557b069940(0000) GS:ffff88806d200000(0000)
knlGS:0000000000000000
[   90.894196] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   90.896589] CR2: 0000000000004028 CR3: 000000000bf84000 CR4: 00000000000006f0
[   90.899520] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   90.902247] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   90.904931] Call Trace:
[   90.905938]  <TASK>
[   90.906804] ? show_regs (linux-6.12/arch/x86/kernel/dumpstack.c:419)
[   90.908166] ? __die_body (linux-6.12/arch/x86/kernel/dumpstack.c:423)
[   90.909495] ? die_addr (linux-6.12/arch/x86/kernel/dumpstack.c:463)
[   90.910773] ? exc_general_protection
(linux-6.12/arch/x86/kernel/traps.c:751
linux-6.12/arch/x86/kernel/traps.c:693)
[   90.912665] ? asm_exc_general_protection
(linux-6.12/./arch/x86/include/asm/idtentry.h:617)
[   90.914566] ? kasan_save_stack (linux-6.12/mm/kasan/common.c:48)
[   90.916239] ? native_tss_update_io_bitmap
(linux-6.12/./arch/x86/include/asm/bitops.h:206
linux-6.12/./arch/x86/include/asm/bitops.h:238
linux-6.12/./include/asm-generic/bitops/instrumented-non-atomic.h:142
linux-6.12/./include/linux/thread_info.h:118
linux-6.12/arch/x86/kernel/process.c:456)
[   90.918173] ? native_tss_update_io_bitmap
(linux-6.12/arch/x86/kernel/process.c:464)
[   90.920145] ? native_tss_update_io_bitmap
(linux-6.12/arch/x86/kernel/process.c:470)
[   90.922509] ? __pfx_native_tss_update_io_bitmap
(linux-6.12/arch/x86/kernel/process.c:451)
[   90.925039] ? __pfx_refcount_dec_not_one (linux-6.12/lib/refcount.c:75)
[   90.927396] ? __virt_addr_valid (linux-6.12/arch/x86/mm/physaddr.c:66)
[   90.929218] ? __pfx_delayed_put_pid (linux-6.12/kernel/pid.c:128)
[   90.930957] task_update_io_bitmap
(linux-6.12/./arch/x86/include/asm/preempt.h:94
linux-6.12/arch/x86/kernel/ioport.c:48
linux-6.12/arch/x86/kernel/ioport.c:36)
[   90.932599] io_bitmap_exit (linux-6.12/arch/x86/kernel/ioport.c:58)
[   90.933995] exit_thread (linux-6.12/arch/x86/kernel/process.c:122)
[   90.935319] copy_process (linux-6.12/kernel/fork.c:1764
linux-6.12/kernel/fork.c:2362)
[   90.936878] ? __pfx_copy_process (linux-6.12/kernel/fork.c:2123)
[   90.938857] ? _raw_spin_lock_irqsave
(linux-6.12/./arch/x86/include/asm/atomic.h:107
linux-6.12/./include/linux/atomic/atomic-arch-fallback.h:2170
linux-6.12/./include/linux/atomic/atomic-instrumented.h:1302
linux-6.12/./include/asm-generic/qspinlock.h:111
linux-6.12/./include/linux/spinlock.h:187
linux-6.12/./include/linux/spinlock_api_smp.h:111
linux-6.12/kernel/locking/spinlock.c:162)
[   90.940957] ? try_to_wake_up
(linux-6.12/./include/linux/spinlock.h:551
linux-6.12/kernel/sched/core.c:4165)
[   90.942490] ? __pfx_io_wq_worker (linux-6.12/io_uring/io-wq.c:632)
[   90.944116] create_io_thread (linux-6.12/kernel/fork.c:2721)
[   90.945578] ? __pfx_create_io_thread (linux-6.12/kernel/fork.c:2721)
[   90.947344] ? __pfx_io_wq_worker (linux-6.12/io_uring/io-wq.c:632)
[   90.948935] ? kasan_save_track
(linux-6.12/./arch/x86/include/asm/current.h:49
linux-6.12/mm/kasan/common.c:60 linux-6.12/mm/kasan/common.c:69)
[   90.950458] create_io_worker (linux-6.12/io_uring/io-wq.c:851)
[   90.952015] io_wq_enqueue (linux-6.12/io_uring/io-wq.c:326
linux-6.12/io_uring/io-wq.c:966)
[   90.953427] ? __pfx_io_wq_enqueue (linux-6.12/io_uring/io-wq.c:933)
[   90.955081] ? __pfx__raw_spin_lock (linux-6.12/kernel/locking/spinlock.c:153)
[   90.957061] ? __pfx_io_wq_work_match_item (linux-6.12/io_uring/io-wq.c:928)
[   90.958969] io_queue_iowq (linux-6.12/io_uring/io_uring.c:534)
[   90.960413] io_queue_sqe_fallback (linux-6.12/io_uring/io_uring.c:1980)
[   90.962097] io_submit_sqes (linux-6.12/io_uring/io_uring.c:2194
linux-6.12/io_uring/io_uring.c:2324)
[   90.963627] io_sq_thread (linux-6.12/io_uring/napi.h:25
linux-6.12/io_uring/sqpoll.c:324)
[   90.965272] ? __pfx_io_sq_thread (linux-6.12/io_uring/sqpoll.c:268)
[   90.966960] ? __pfx_autoremove_wake_function
(linux-6.12/kernel/sched/wait.c:383)
[   90.969010] ? _raw_spin_lock_irq
(linux-6.12/./arch/x86/include/asm/atomic.h:107
linux-6.12/./include/linux/atomic/atomic-arch-fallback.h:2170
linux-6.12/./include/linux/atomic/atomic-instrumented.h:1302
linux-6.12/./include/asm-generic/qspinlock.h:111
linux-6.12/./include/linux/spinlock.h:187
linux-6.12/./include/linux/spinlock_api_smp.h:120
linux-6.12/kernel/locking/spinlock.c:170)
[   90.970775] ? finish_task_switch
(linux-6.12/./arch/x86/include/asm/atomic.h:67
linux-6.12/./include/linux/atomic/atomic-arch-fallback.h:2278
linux-6.12/./include/linux/atomic/atomic-instrumented.h:1384
linux-6.12/./include/linux/sched/mm.h:54
linux-6.12/./include/linux/sched/mm.h:83
linux-6.12/./include/linux/sched/mm.h:110
linux-6.12/kernel/sched/core.c:5227)
[   90.972809] ? __pfx_io_sq_thread (linux-6.12/io_uring/sqpoll.c:268)
[   90.974572] ? __pfx_io_sq_thread (linux-6.12/io_uring/sqpoll.c:268)
[   90.976372] ret_from_fork (linux-6.12/arch/x86/kernel/process.c:153)
[   90.977916] ? __pfx_io_sq_thread (linux-6.12/io_uring/sqpoll.c:268)
[   90.979704] ret_from_fork_asm (linux-6.12/arch/x86/entry/entry_64.S:257)
[   90.981443]  </TASK>
[   90.982411] Modules linked in:
[   90.984086] ---[ end trace 0000000000000000 ]---
[   90.986042] RIP: 0010:native_tss_update_io_bitmap
(linux-6.12/arch/x86/kernel/process.c:470)
[ 90.989080] Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85
ae 03 00 00 48 89 da 4d 8b 75 68 48 b8 00 00 00 00 00 fc ff df 4c

Code starting with the faulting instruction
===========================================
   0:   00 fc                   add    %bh,%ah
   2:   ff                      (bad)
   3:   df 48 89                fisttps -0x77(%rax)
   6:   fa                      cli
   7:   48 c1 ea 03             shr    $0x3,%rdx
   b:   80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)
   f:   0f 85 ae 03 00 00       jne    0x3c3
  15:   48 89 da                mov    %rbx,%rdx
  18:   4d 8b 75 68             mov    0x68(%r13),%r14
  1c:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  23:   fc ff df
  26:   4c                      rex.WR
[   90.997385] RSP: 0018:ffff8880079776c0 EFLAGS: 00010246
[   91.000093] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff810a7045
[   91.003230] RDX: 0000000000000000 RSI: ffffffff810a70a6 RDI: ffff88806d20a068
[   91.006468] RBP: ffff888007977740 R08: ffffffff8171dc14 R09: ffffed10014763c1
[   91.010241] R10: ffffed10014763c0 R11: ffff88800a3b1e07 R12: 1ffff11000f2eed8
[   91.014085] R13: ffff88806d20a000 R14: 00000000000005d4 R15: ffff888007977950
[   91.017484] FS:  000055557b069940(0000) GS:ffff88806d200000(0000)
knlGS:0000000000000000
[   91.020992] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   91.023575] CR2: 0000000000004028 CR3: 000000000bf84000 CR4: 00000000000006f0
[   91.026987] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   91.030017] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   91.033300] note: iou-sqp-3264[3265] exited with preempt_count 1

> and providing a full vmlinux might be helpful if folks want to dig into
> this more.
Here is the vmlinux we use:
https://drive.google.com/file/d/1ESzENhJM9xQsFWAgbIsaxKa-AqcexmFO/view?usp=sharing

>

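The oops above is a KASAN-instrumented null-pointer dereference: the faulting instruction is `cmpb $0x0,(%rdx,%rax,1)` with RAX holding the x86-64 KASAN shadow offset and RDX the pointer already shifted right by 3, so the probe lands on the shadow byte for address 0 and traps as a non-canonical access. The following triage helper is an added example, not code from the report or from the kernel tree; it redoes the arithmetic a reader needs to turn such a GPF address back into the original pointer and into the "null-ptr-deref / user-memory-access / wild-memory-access" label the KASAN report prints. The constants (KASAN_SHADOW_OFFSET 0xdffffc0000000000, 8-byte granules, 48 VA bits, PAGE_SIZE 4096, TASK_SIZE_MAX) are assumed x86-64 4-level-paging defaults; the register values in main() are copied from the dump above.

```c
/*
 * Triage helper for x86-64 KASAN "general protection fault, probably for
 * non-canonical address" oopses.  Added example; not from the report or
 * the kernel.  Assumed x86-64 4-level paging defaults are labelled below.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL /* assumed x86-64 */
#define KASAN_SHADOW_SCALE_SHIFT 3                      /* 8 bytes/shadow byte */
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define PAGE_SIZE                4096ULL
#define VA_BITS                  48                     /* 4-level paging */
#define TASK_SIZE_MAX            ((1ULL << 47) - PAGE_SIZE)

/* A 48-bit VA is canonical when bits 63..47 are all 0 or all 1. */
int is_canonical(uint64_t addr)
{
	uint64_t top = addr >> (VA_BITS - 1);               /* bits 63..47 */
	return top == 0 || top == ((1ULL << (64 - VA_BITS + 1)) - 1);
}

/* addr -> address of the shadow byte that covers it (one byte per 8). */
uint64_t kasan_mem_to_shadow(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* shadow byte address -> first of the 8 bytes it covers. */
uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
	return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/*
 * Label a GPF address the way the KASAN non-canonical report does.
 * On success *orig receives the decoded original pointer; for addresses
 * that are not shadow accesses it receives the fault address unchanged.
 */
const char *kasan_classify_gpf(uint64_t fault_addr, uint64_t *orig)
{
	*orig = fault_addr;
	if (is_canonical(fault_addr))
		return "canonical (not a KASAN shadow access)";
	if (fault_addr < KASAN_SHADOW_OFFSET)
		return "non-canonical, below shadow start (not KASAN)";
	*orig = kasan_shadow_to_mem(fault_addr);
	if (*orig < PAGE_SIZE)
		return "null-ptr-deref";
	if (*orig < TASK_SIZE_MAX)
		return "probably user-memory-access";
	return "maybe wild-memory-access";
}

int main(void)
{
	/* Registers from the oops above: the probe is cmpb $0,(%rdx,%rax,1). */
	uint64_t rax = 0xdffffc0000000000ULL;   /* shadow offset */
	uint64_t rdx = 0x0;                     /* pointer >> 3 */
	uint64_t fault = rax + rdx, orig = 0;
	const char *kind = kasan_classify_gpf(fault, &orig);

	printf("fault address 0x%016llx canonical=%d\n",
	       (unsigned long long)fault, is_canonical(fault));
	printf("KASAN: %s in range [0x%016llx-0x%016llx]\n", kind,
	       (unsigned long long)orig,
	       (unsigned long long)(orig + KASAN_GRANULE_SIZE - 1));
	return 0;
}
```

Run against the dumped registers it reproduces the kernel's own line, `KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]`, which confirms the reading of the trace: `task_update_io_bitmap()` reached `native_tss_update_io_bitmap()` with a NULL bitmap pointer (RBX is 0 and the next instruction is `mov %rbx,%rdx`), rather than with a corrupted one. The same helper distinguishes that case from a small non-NULL user pointer (reported as user-memory-access) and from a garbage kernel-range pointer (wild-memory-access), which is the first thing to settle before deciding whether a fuzzer-found GPF is a missing NULL check or a use-after-free.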