* [syzbot] general protection fault in __io_sync_cancel
@ 2022-08-24 16:35 syzbot
  2022-08-24 16:39 ` Jens Axboe
  0 siblings, 1 reply; 4+ messages in thread
From: syzbot @ 2022-08-24 16:35 UTC (permalink / raw)
  To: asml.silence, axboe, io-uring, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    df0219d11b6f Merge tag 'parisc-for-6.0-2' of git://git.ker..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=108d7fcb080000
kernel config:  https://syzkaller.appspot.com/x/.config?x=911efaff115942bb
dashboard link: https://syzkaller.appspot.com/bug?extid=bf76847df5f7359c9e09
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13ef1715080000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17fcebc3080000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 3614 Comm: syz-executor233 Not tainted 6.0.0-rc2-syzkaller-00044-gdf0219d11b6f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
RIP: 0010:__io_sync_cancel+0x10d/0x1c0 io_uring/cancel.c:224
Code: 48 c1 ea 03 80 3c 02 00 0f 85 aa 00 00 00 49 8b 86 f8 00 00 00 48 8d 1c d8 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 8e 00 00 00 48 8b 1b 48 8d 7d 08 48 b8 00 00 00
RSP: 0018:ffffc900038ffc20 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff83f87914 RDI: ffff888146d8a0f8
RBP: ffffc900038ffce0 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88801c9df800 R14: ffff888146d8a000 R15: 0000000000000000
FS:  0000555556c5e300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000005d84c8 CR3: 0000000070564000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 io_sync_cancel+0x240/0x630 io_uring/cancel.c:265
 __io_uring_register io_uring/io_uring.c:3833 [inline]
 __do_sys_io_uring_register+0x5c9/0x1110 io_uring/io_uring.c:3878
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f9ae908dd29
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc2e5075e8 EFLAGS: 00000246 ORIG_RAX: 00000000000001ab
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9ae908dd29
RDX: 0000000020000000 RSI: 0000000000000018 RDI: 000000000000000a
RBP: 00007f9ae9051ed0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 00007f9ae9051f60
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__io_sync_cancel+0x10d/0x1c0 io_uring/cancel.c:224
Code: 48 c1 ea 03 80 3c 02 00 0f 85 aa 00 00 00 49 8b 86 f8 00 00 00 48 8d 1c d8 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 8e 00 00 00 48 8b 1b 48 8d 7d 08 48 b8 00 00 00
RSP: 0018:ffffc900038ffc20 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff83f87914 RDI: ffff888146d8a0f8
RBP: ffffc900038ffce0 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88801c9df800 R14: ffff888146d8a000 R15: 0000000000000000
FS:  0000555556c5e300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f622cf74268 CR3: 0000000070564000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	48 c1 ea 03          	shr    $0x3,%rdx
   4:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   8:	0f 85 aa 00 00 00    	jne    0xb8
   e:	49 8b 86 f8 00 00 00 	mov    0xf8(%r14),%rax
  15:	48 8d 1c d8          	lea    (%rax,%rbx,8),%rbx
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 89 da             	mov    %rbx,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 8e 00 00 00    	jne    0xc2
  34:	48 8b 1b             	mov    (%rbx),%rbx
  37:	48 8d 7d 08          	lea    0x8(%rbp),%rdi
  3b:	48                   	rex.W
  3c:	b8                   	.byte 0xb8
  3d:	00 00                	add    %al,(%rax)


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


* Re: [syzbot] general protection fault in __io_sync_cancel
  2022-08-24 16:35 [syzbot] general protection fault in __io_sync_cancel syzbot
@ 2022-08-24 16:39 ` Jens Axboe
  2022-08-24 17:20   ` syzbot
  0 siblings, 1 reply; 4+ messages in thread
From: Jens Axboe @ 2022-08-24 16:39 UTC (permalink / raw)
  To: syzbot, asml.silence, io-uring, linux-kernel, syzkaller-bugs

#syz test: git://git.kernel.dk/linux-block io_uring-6.0

-- 
Jens Axboe




* Re: [syzbot] general protection fault in __io_sync_cancel
  2022-08-24 16:39 ` Jens Axboe
@ 2022-08-24 17:20   ` syzbot
  2022-08-24 17:22     ` Jens Axboe
  0 siblings, 1 reply; 4+ messages in thread
From: syzbot @ 2022-08-24 17:20 UTC (permalink / raw)
  To: asml.silence, axboe, io-uring, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[   17.605358][ T2986] ------------[ cut here ]------------
[   17.613372][ T2986] kernel BUG at arch/x86/mm/physaddr.c:28!
[   17.621301][ T2986] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[   17.627417][ T2986] CPU: 1 PID: 2986 Comm: udevadm Not tainted 6.0.0-rc1-syzkaller-00014-g0596fa5ef9af #0
[   17.637288][ T2986] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[   17.647372][ T2986] RIP: 0010:__phys_addr+0xd3/0x140
[   17.652560][ T2986] Code: e3 44 89 e9 31 ff 48 d3 eb 48 89 de e8 26 22 45 00 48 85 db 75 0f e8 3c 25 45 00 4c 89 e0 5b 5d 41 5c 41 5d c3 e8 2d 25 45 00 <0f> 0b e8 26 25 45 00 48 c7 c0 10 50 cb 8b 48 ba 00 00 00 00 00 fc
[   17.672198][ T2986] RSP: 0018:ffffc90002d8fc90 EFLAGS: 00010293
[   17.678322][ T2986] RAX: 0000000000000000 RBX: ffff000000000000 RCX: 0000000000000000
[   17.686329][ T2986] RDX: ffff888021510000 RSI: ffffffff8136e1c3 RDI: 0000000000000006
[   17.694351][ T2986] RBP: ffff000080000000 R08: 0000000000000006 R09: ffff000080000000
[   17.702441][ T2986] R10: ffff778000000000 R11: 0000000000000000 R12: ffff778000000000
[   17.710451][ T2986] R13: ffffc90002d8fcf8 R14: ffff000000000000 R15: 0000000000000000
[   17.718890][ T2986] FS:  00007f452d713840(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
[   17.728368][ T2986] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   17.735074][ T2986] CR2: 0000558861bac008 CR3: 000000001e706000 CR4: 00000000003506e0
[   17.743071][ T2986] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   17.751043][ T2986] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   17.759039][ T2986] Call Trace:
[   17.762331][ T2986]  <TASK>
[   17.765282][ T2986]  qlist_free_all+0x86/0x170
[   17.769889][ T2986]  kasan_quarantine_reduce+0x180/0x200
[   17.775358][ T2986]  __kasan_slab_alloc+0xa2/0xc0
[   17.780217][ T2986]  kmem_cache_alloc+0x267/0x3b0
[   17.785076][ T2986]  getname_flags.part.0+0x50/0x4f0
[   17.790221][ T2986]  getname_flags+0x9a/0xe0
[   17.794694][ T2986]  user_path_at_empty+0x2b/0x60
[   17.799556][ T2986]  do_readlinkat+0xcd/0x2f0
[   17.804066][ T2986]  ? cp_compat_stat+0x830/0x830
[   17.808925][ T2986]  ? syscall_enter_from_user_mode+0x22/0xb0
[   17.814848][ T2986]  __x64_sys_readlink+0x74/0xb0
[   17.819708][ T2986]  do_syscall_64+0x35/0xb0
[   17.824135][ T2986]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   17.830033][ T2986] RIP: 0033:0x7f452d327277
[   17.834538][ T2986] Code: 73 01 c3 48 8b 0d 01 dc 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 59 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d d1 db 0c 00 f7 d8 64 89 01 48
[   17.854257][ T2986] RSP: 002b:00007ffedcc439a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000059
[   17.862678][ T2986] RAX: ffffffffffffffda RBX: 00007ffedcc439b8 RCX: 00007f452d327277
[   17.870653][ T2986] RDX: 0000000000000400 RSI: 00007ffedcc439b8 RDI: 00007ffedcc43e98
[   17.878628][ T2986] RBP: 0000000000000400 R08: 0000000000003fff R09: 0000000000000000
[   17.886603][ T2986] R10: 0000000000000012 R11: 0000000000000246 R12: 00007ffedcc43e98
[   17.895108][ T2986] R13: 00007ffedcc43e08 R14: 0000558861ba3910 R15: 0000558861ba3a60
[   17.903094][ T2986]  </TASK>
[   17.906110][ T2986] Modules linked in:
[   17.915398][ T2986] ---[ end trace 0000000000000000 ]---
[   17.922149][ T2986] RIP: 0010:__phys_addr+0xd3/0x140
[   17.928659][ T2986] Code: e3 44 89 e9 31 ff 48 d3 eb 48 89 de e8 26 22 45 00 48 85 db 75 0f e8 3c 25 45 00 4c 89 e0 5b 5d 41 5c 41 5d c3 e8 2d 25 45 00 <0f> 0b e8 26 25 45 00 48 c7 c0 10 50 cb 8b 48 ba 00 00 00 00 00 fc
[   17.959306][ T2986] RSP: 0018:ffffc90002d8fc90 EFLAGS: 00010293
[   17.965635][ T2986] RAX: 0000000000000000 RBX: ffff000000000000 RCX: 0000000000000000
[   17.973707][ T2986] RDX: ffff888021510000 RSI: ffffffff8136e1c3 RDI: 0000000000000006
[   17.982205][ T2986] RBP: ffff000080000000 R08: 0000000000000006 R09: ffff000080000000
[   17.990257][ T2986] R10: ffff778000000000 R11: 0000000000000000 R12: ffff778000000000
[   17.999595][ T2986] R13: ffffc90002d8fcf8 R14: ffff000000000000 R15: 0000000000000000
[   18.009718][ T2986] FS:  00007f452d713840(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
[   18.018693][ T2986] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   18.026893][ T2986] CR2: 0000558861bac008 CR3: 000000001e706000 CR4: 00000000003506e0
[   18.036928][ T2986] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   18.047510][ T2986] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   18.055838][ T2986] Kernel panic - not syncing: Fatal exception
[   18.062093][ T2986] Kernel Offset: disabled
[   18.066545][ T2986] Rebooting in 86400 seconds..


syzkaller build log:
git status (err=<nil>)
HEAD detached at cea8b0f72
nothing to commit, working tree clean



Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1597dfd3080000


Tested on:

commit:         0596fa5e io_uring/net: save address for sendzc async e..
git tree:       git://git.kernel.dk/linux-block io_uring-6.0
kernel config:  https://syzkaller.appspot.com/x/.config?x=3b9175e0879a7749
dashboard link: https://syzkaller.appspot.com/bug?extid=bf76847df5f7359c9e09
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.


* Re: [syzbot] general protection fault in __io_sync_cancel
  2022-08-24 17:20   ` syzbot
@ 2022-08-24 17:22     ` Jens Axboe
  0 siblings, 0 replies; 4+ messages in thread
From: Jens Axboe @ 2022-08-24 17:22 UTC (permalink / raw)
  To: syzbot, asml.silence, io-uring, linux-kernel, syzkaller-bugs

On 8/24/22 11:20 AM, syzbot wrote:
> Hello,
> 
> syzbot tried to test the proposed patch but the build/boot failed:

Gah, that's the virtio-net issue that got fixed, not related. Maybe test
this one on master:

diff --git a/io_uring/cancel.c b/io_uring/cancel.c
index e4e1dc0325f0..5fc5d3e80fcb 100644
--- a/io_uring/cancel.c
+++ b/io_uring/cancel.c
@@ -218,7 +218,7 @@ static int __io_sync_cancel(struct io_uring_task *tctx,
 	    (cd->flags & IORING_ASYNC_CANCEL_FD_FIXED)) {
 		unsigned long file_ptr;
 
-		if (unlikely(fd > ctx->nr_user_files))
+		if (unlikely(fd >= ctx->nr_user_files))
 			return -EBADF;
 		fd = array_index_nospec(fd, ctx->nr_user_files);
 		file_ptr = io_fixed_file_slot(&ctx->file_table, fd)->file_ptr;

-- 
Jens Axboe

