2023-03-27 11:06:33

by syzbot

Subject: [syzbot] Monthly io-uring report

Hello io-uring maintainers/developers,

This is a 30-day syzbot report for the io-uring subsystem.
All related reports/information can be found at:
https://syzkaller.appspot.com/upstream/s/io-uring

During the period, 5 new issues were detected and 0 were fixed.
In total, 49 issues are still open and 105 have been fixed so far.

Some of the still happening issues:

Crashes Repro Title
3393    Yes   WARNING in io_ring_exit_work
              https://syzkaller.appspot.com/bug?extid=00e15cda746c5bc70e24
3241    Yes   general protection fault in try_to_wake_up (2)
              https://syzkaller.appspot.com/bug?extid=b4a81dc8727e513f364d
1873    Yes   WARNING in split_huge_page_to_list (2)
              https://syzkaller.appspot.com/bug?extid=07a218429c8d19b1fb25
772     Yes   INFO: task hung in io_ring_exit_work
              https://syzkaller.appspot.com/bug?extid=93f72b3885406bb09e0d
718     Yes   KASAN: use-after-free Read in io_poll_remove_entries
              https://syzkaller.appspot.com/bug?extid=cd301bb6523ea8cc8ca2
443     Yes   KMSAN: uninit-value in io_req_cqe_overflow
              https://syzkaller.appspot.com/bug?extid=12dde80bf174ac8ae285
73      Yes   INFO: task hung in io_wq_put_and_exit (3)
              https://syzkaller.appspot.com/bug?extid=adb05ed2853417be49ce
38      Yes   KASAN: use-after-free Read in nfc_llcp_find_local
              https://syzkaller.appspot.com/bug?extid=e7ac69e6a5d806180b40

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].


2023-03-27 18:32:47

by Jens Axboe

Subject: Re: [syzbot] Monthly io-uring report

On 3/27/23 5:01 AM, syzbot wrote:
> 1873 Yes WARNING in split_huge_page_to_list (2)
> https://syzkaller.appspot.com/bug?extid=07a218429c8d19b1fb25
> 38 Yes KASAN: use-after-free Read in nfc_llcp_find_local
> https://syzkaller.appspot.com/bug?extid=e7ac69e6a5d806180b40

These two are not io_uring. Particularly for the latter, I think syzbot
has a tendency to guess it's io_uring if any kind of task_work is
involved. That means anything off fput ends up in that bucket. Can we
get that improved please?

--
Jens Axboe

2023-03-27 19:16:44

by Aleksandr Nogikh

Subject: Re: [syzbot] Monthly io-uring report

On Mon, Mar 27, 2023 at 8:23 PM Jens Axboe <[email protected]> wrote:
>
> On 3/27/23 5:01 AM, syzbot wrote:
> > 1873 Yes WARNING in split_huge_page_to_list (2)
> > https://syzkaller.appspot.com/bug?extid=07a218429c8d19b1fb25
> > 38 Yes KASAN: use-after-free Read in nfc_llcp_find_local
> > https://syzkaller.appspot.com/bug?extid=e7ac69e6a5d806180b40
>
> These two are not io_uring. Particularly for the latter, I think syzbot
> has a tendency to guess it's io_uring if any kind of task_work is
> involved. That means anything off fput ends up in that bucket. Can we
> get that improved please?

Sure, I'll update the rules and rerun the subsystem recognition.

Currently syzbot sets io_uring if at least one is true
a) The crash stack trace points to the io_uring sources (according to
MAINTAINERS)
b) At least one reproducer has the syz_io_uring_setup call (that's a
helper function that's part of syzkaller).

In general syzbot tries to minimize the reproducer, but unfortunately
sometimes there remain some calls, which are not necessary per se. It
definitely tried to get rid of them, but the reproducer was just not
working with those calls cut out. Maybe they were just somehow
affecting the global state and in the execution log there didn't exist
any other call candidates, which could have fulfilled the purpose just
as well.

I can update b) to "all reproducers have syz_io_uring_setup". Then
those two bugs won't match the criteria.
If it doesn't suffice and there are still too many false positives, I
can drop b) completely.

By the way, should F: fs/io-wq.c also be added to the IO_URING's
record in the MAINTAINERS file?

--
Aleksandr

>
> --
> Jens Axboe
>
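
As an added illustration of the two classification rules Aleksandr describes and of the proposed "all reproducers" tightening of rule b), here is a small Go model with constructed inputs; it is not syzbot's own code, and the MAINTAINERS patterns, stack files and reproducer call lists are assumptions made up for the example.

```go
package main

import "strings"

// Subsystem is a simplified MAINTAINERS record: F: path patterns plus the reproducer helper call.
type Subsystem struct {
	Paths     []string // F: entries; a trailing "/" covers everything below it
	ReproCall string   // e.g. syz_io_uring_setup
}

// Bug is a constructed crash record: source files of the stack frames and the
// call list of every reproducer syzbot kept after minimization.
type Bug struct {
	StackFiles  []string
	Reproducers [][]string
}

// matchesPath follows MAINTAINERS F: semantics ("dir/" means everything under dir).
func matchesPath(pattern, file string) bool {
	if strings.HasSuffix(pattern, "/") {
		return strings.HasPrefix(file, pattern)
	}
	return pattern == file
}

// ruleA: the crash stack trace points into the subsystem's sources.
func ruleA(s Subsystem, b Bug) bool {
	for _, f := range b.StackFiles {
		for _, p := range s.Paths {
			if matchesPath(p, f) {
				return true
			}
		}
	}
	return false
}

// ruleB: reproducers contain the helper call. With requireAll every reproducer
// must have it (the proposed change); otherwise one leftover call is enough.
func ruleB(s Subsystem, b Bug, requireAll bool) bool {
	found := 0
	for _, r := range b.Reproducers {
		for _, c := range r {
			if c == s.ReproCall {
				found++
				break
			}
		}
	}
	return found > 0 && (!requireAll || found == len(b.Reproducers))
}

// Classify tags the bug with the subsystem when rule a) OR rule b) holds.
func Classify(s Subsystem, b Bug, requireAll bool) bool {
	return ruleA(s, b) || ruleB(s, b, requireAll)
}

// Constructed samples: the io_uring record, an nfc crash (stack in net/nfc, one of
// two reproducers kept a leftover syz_io_uring_setup) and a genuine io_uring crash.
var IoUring = Subsystem{[]string{"io_uring/", "include/linux/io_uring.h"}, "syz_io_uring_setup"}
var NfcBug = Bug{[]string{"net/nfc/llcp_core.c", "fs/file_table.c", "kernel/task_work.c"},
	[][]string{{"socket", "syz_io_uring_setup", "close"}, {"socket", "bind", "close"}}}
var RingBug = Bug{[]string{"io_uring/io_uring.c", "kernel/workqueue.c"},
	[][]string{{"syz_io_uring_setup", "io_uring_enter"}}}
```

Under the current rule the nfc crash is tagged io_uring purely because of the leftover call in one reproducer; with requireAll set it is not, while the genuine io_uring crash matches either way through its stack trace.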

2023-03-27 19:30:38

by Jens Axboe

Subject: Re: [syzbot] Monthly io-uring report

On 3/27/23 1:12 PM, Aleksandr Nogikh wrote:
> On Mon, Mar 27, 2023 at 8:23 PM Jens Axboe <[email protected]> wrote:
>>
>> On 3/27/23 5:01 AM, syzbot wrote:
>>> 1873 Yes WARNING in split_huge_page_to_list (2)
>>> https://syzkaller.appspot.com/bug?extid=07a218429c8d19b1fb25
>>> 38 Yes KASAN: use-after-free Read in nfc_llcp_find_local
>>> https://syzkaller.appspot.com/bug?extid=e7ac69e6a5d806180b40
>>
>> These two are not io_uring. Particularly for the latter, I think syzbot
>> has a tendency to guess it's io_uring if any kind of task_work is
>> involved. That means anything off fput ends up in that bucket. Can we
>> get that improved please?
>
> Sure, I'll update the rules and rerun the subsystem recognition.
>
> Currently syzbot sets io_uring if at least one is true
> a) The crash stack trace points to the io_uring sources (according to
> MAINTAINERS)
> b) At least one reproducer has the syz_io_uring_setup call (that's a
> helper function that's part of syzkaller).
>
> In general syzbot tries to minimize the reproducer, but unfortunately
> sometimes there remain some calls, which are not necessary per se. It
> definitely tried to get rid of them, but the reproducer was just not
> working with those calls cut out. Maybe they were just somehow
> affecting the global state and in the execution log there didn't exist
> any other call candidates, which could have fulfilled the purpose just
> as well.
>
> I can update b) to "all reproducers have syz_io_uring_setup". Then
> those two bugs won't match the criteria.
> If it doesn't suffice and there are still too many false positives, I
> can drop b) completely.

Whatever cuts down on the noise is good with me. Not sure how 38 above
got lumped in? Maybe someone else did syz_io_uring_setup at some point?

> By the way, should F: fs/io-wq.c also be added to the IO_URING's
> record in the MAINTAINERS file?

I think you're looking at a really old tree, none of the supported
stable trees even have any io_uring code in fs/ anymore. Maybe they need
a MAINTAINERS update though? But even 5.10-stable has io-wq included,
though it's pointing at the wrong path now...

--
Jens Axboe

2023-03-27 19:31:59

by Eric Biggers

Subject: Re: [syzbot] Monthly io-uring report

On Mon, Mar 27, 2023 at 04:01:54AM -0700, syzbot wrote:
> Hello io-uring maintainers/developers,
>
> This is a 30-day syzbot report for the io-uring subsystem.
> All related reports/information can be found at:
> https://syzkaller.appspot.com/upstream/s/io-uring
>
> During the period, 5 new issues were detected and 0 were fixed.
> In total, 49 issues are still open and 105 have been fixed so far.
>
> Some of the still happening issues:
>
> Crashes Repro Title
> 3393 Yes WARNING in io_ring_exit_work
> https://syzkaller.appspot.com/bug?extid=00e15cda746c5bc70e24
> 3241 Yes general protection fault in try_to_wake_up (2)
> https://syzkaller.appspot.com/bug?extid=b4a81dc8727e513f364d
> 1873 Yes WARNING in split_huge_page_to_list (2)
> https://syzkaller.appspot.com/bug?extid=07a218429c8d19b1fb25
> 772 Yes INFO: task hung in io_ring_exit_work
> https://syzkaller.appspot.com/bug?extid=93f72b3885406bb09e0d
> 718 Yes KASAN: use-after-free Read in io_poll_remove_entries
> https://syzkaller.appspot.com/bug?extid=cd301bb6523ea8cc8ca2
> 443 Yes KMSAN: uninit-value in io_req_cqe_overflow
> https://syzkaller.appspot.com/bug?extid=12dde80bf174ac8ae285
> 73 Yes INFO: task hung in io_wq_put_and_exit (3)
> https://syzkaller.appspot.com/bug?extid=adb05ed2853417be49ce
> 38 Yes KASAN: use-after-free Read in nfc_llcp_find_local
> https://syzkaller.appspot.com/bug?extid=e7ac69e6a5d806180b40
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at [email protected].

Thanks for getting syzbot to classify reports by subsystem and send these
reminders! These should be very helpful over time.

One thing that is missing in these reminders is a mention of how to change the
subsystem of miscategorized bugs. Yes, it's in https://goo.gl/tpsmEJ halfway
down the page, but it's not obvious.

I think adding something like "See https://goo.gl/tpsmEJ#subsystems for how to
change the subsystem of miscategorized reports" would be helpful. Probably not
in all syzbot emails, but just in these reminder emails.

- Eric

2023-03-27 19:32:58

by Jens Axboe

Subject: Re: [syzbot] Monthly io-uring report

On 3/27/23 1:21 PM, Eric Biggers wrote:
> On Mon, Mar 27, 2023 at 04:01:54AM -0700, syzbot wrote:
>> Hello io-uring maintainers/developers,
>>
>> This is a 30-day syzbot report for the io-uring subsystem.
>> All related reports/information can be found at:
>> https://syzkaller.appspot.com/upstream/s/io-uring
>>
>> During the period, 5 new issues were detected and 0 were fixed.
>> In total, 49 issues are still open and 105 have been fixed so far.
>>
>> Some of the still happening issues:
>>
>> Crashes Repro Title
>> 3393 Yes WARNING in io_ring_exit_work
>> https://syzkaller.appspot.com/bug?extid=00e15cda746c5bc70e24
>> 3241 Yes general protection fault in try_to_wake_up (2)
>> https://syzkaller.appspot.com/bug?extid=b4a81dc8727e513f364d
>> 1873 Yes WARNING in split_huge_page_to_list (2)
>> https://syzkaller.appspot.com/bug?extid=07a218429c8d19b1fb25
>> 772 Yes INFO: task hung in io_ring_exit_work
>> https://syzkaller.appspot.com/bug?extid=93f72b3885406bb09e0d
>> 718 Yes KASAN: use-after-free Read in io_poll_remove_entries
>> https://syzkaller.appspot.com/bug?extid=cd301bb6523ea8cc8ca2
>> 443 Yes KMSAN: uninit-value in io_req_cqe_overflow
>> https://syzkaller.appspot.com/bug?extid=12dde80bf174ac8ae285
>> 73 Yes INFO: task hung in io_wq_put_and_exit (3)
>> https://syzkaller.appspot.com/bug?extid=adb05ed2853417be49ce
>> 38 Yes KASAN: use-after-free Read in nfc_llcp_find_local
>> https://syzkaller.appspot.com/bug?extid=e7ac69e6a5d806180b40
>>
>> ---
>> This report is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at [email protected].
>
> Thanks for getting syzbot to classify reports by subsystem and send these
> reminders! These should be very helpful over time.
>
> One thing that is missing in these reminders is a mention of how to change the
> subsystem of miscategorized bugs. Yes, it's in https://goo.gl/tpsmEJ halfway
> down the page, but it's not obvious.
>
> I think adding something like "See https://goo.gl/tpsmEJ#subsystems for how to
> change the subsystem of miscategorized reports" would be helpful. Probably not
> in all syzbot emails, but just in these reminder emails.

I did go poke, it is listed off the reports too. But it'd be really
handy if you could do this on the web page. When I see a report like
that that's not for me, I just archive it. And like any chatter with
syzbot, I have to look up what to reply to it every time. It'd be a lot
easier if I could just click on that page to either mark as invalid
(providing the info there) or move it to another subsystem.

--
Jens Axboe

2023-03-27 20:08:03

by Eric Biggers

Subject: Re: [syzbot] Monthly io-uring report

On Mon, Mar 27, 2023 at 01:25:14PM -0600, Jens Axboe wrote:
> On 3/27/23 1:21 PM, Eric Biggers wrote:
> > On Mon, Mar 27, 2023 at 04:01:54AM -0700, syzbot wrote:
> >> Hello io-uring maintainers/developers,
> >>
> >> This is a 30-day syzbot report for the io-uring subsystem.
> >> All related reports/information can be found at:
> >> https://syzkaller.appspot.com/upstream/s/io-uring
> >>
> >> During the period, 5 new issues were detected and 0 were fixed.
> >> In total, 49 issues are still open and 105 have been fixed so far.
> >>
> >> Some of the still happening issues:
> >>
> >> Crashes Repro Title
> >> 3393 Yes WARNING in io_ring_exit_work
> >> https://syzkaller.appspot.com/bug?extid=00e15cda746c5bc70e24
> >> 3241 Yes general protection fault in try_to_wake_up (2)
> >> https://syzkaller.appspot.com/bug?extid=b4a81dc8727e513f364d
> >> 1873 Yes WARNING in split_huge_page_to_list (2)
> >> https://syzkaller.appspot.com/bug?extid=07a218429c8d19b1fb25
> >> 772 Yes INFO: task hung in io_ring_exit_work
> >> https://syzkaller.appspot.com/bug?extid=93f72b3885406bb09e0d
> >> 718 Yes KASAN: use-after-free Read in io_poll_remove_entries
> >> https://syzkaller.appspot.com/bug?extid=cd301bb6523ea8cc8ca2
> >> 443 Yes KMSAN: uninit-value in io_req_cqe_overflow
> >> https://syzkaller.appspot.com/bug?extid=12dde80bf174ac8ae285
> >> 73 Yes INFO: task hung in io_wq_put_and_exit (3)
> >> https://syzkaller.appspot.com/bug?extid=adb05ed2853417be49ce
> >> 38 Yes KASAN: use-after-free Read in nfc_llcp_find_local
> >> https://syzkaller.appspot.com/bug?extid=e7ac69e6a5d806180b40
> >>
> >> ---
> >> This report is generated by a bot. It may contain errors.
> >> See https://goo.gl/tpsmEJ for more information about syzbot.
> >> syzbot engineers can be reached at [email protected].
> >
> > Thanks for getting syzbot to classify reports by subsystem and send these
> > reminders! These should be very helpful over time.
> >
> > One thing that is missing in these reminders is a mention of how to change the
> > subsystem of miscategorized bugs. Yes, it's in https://goo.gl/tpsmEJ halfway
> > down the page, but it's not obvious.
> >
> > I think adding something like "See https://goo.gl/tpsmEJ#subsystems for how to
> > change the subsystem of miscategorized reports" would be helpful. Probably not
> > in all syzbot emails, but just in these reminder emails.
>
> I did go poke, it is listed off the reports too. But it'd be really
> handy if you could do this on the web page. When I see a report like
> that that's not for me, I just archive it. And like any chatter with
> syzbot, I have to look up what to reply to it every time. It'd be a lot
> easier if I could just click on that page to either mark as invalid
> (providing the info there) or move it to another subsystem.
>

Well, one problem that syzbot has to deal with is that to meet the kernel
community's needs, it can't require authentication to issue commands.

I understand that the current email-only interface, where all commands are Cc'ed
to the syzkaller-bug mailing list, makes that not a complete disaster currently.

I'd imagine that if anyone could just go to a web page and mess around with bug
statuses with no authentication, that might be more problematic.

- Eric

2023-03-27 20:09:03

by Jens Axboe

Subject: Re: [syzbot] Monthly io-uring report

On 3/27/23 1:56 PM, Eric Biggers wrote:
> On Mon, Mar 27, 2023 at 01:25:14PM -0600, Jens Axboe wrote:
>> On 3/27/23 1:21 PM, Eric Biggers wrote:
>>> On Mon, Mar 27, 2023 at 04:01:54AM -0700, syzbot wrote:
>>>> Hello io-uring maintainers/developers,
>>>>
>>>> This is a 30-day syzbot report for the io-uring subsystem.
>>>> All related reports/information can be found at:
>>>> https://syzkaller.appspot.com/upstream/s/io-uring
>>>>
>>>> During the period, 5 new issues were detected and 0 were fixed.
>>>> In total, 49 issues are still open and 105 have been fixed so far.
>>>>
>>>> Some of the still happening issues:
>>>>
>>>> Crashes Repro Title
>>>> 3393 Yes WARNING in io_ring_exit_work
>>>> https://syzkaller.appspot.com/bug?extid=00e15cda746c5bc70e24
>>>> 3241 Yes general protection fault in try_to_wake_up (2)
>>>> https://syzkaller.appspot.com/bug?extid=b4a81dc8727e513f364d
>>>> 1873 Yes WARNING in split_huge_page_to_list (2)
>>>> https://syzkaller.appspot.com/bug?extid=07a218429c8d19b1fb25
>>>> 772 Yes INFO: task hung in io_ring_exit_work
>>>> https://syzkaller.appspot.com/bug?extid=93f72b3885406bb09e0d
>>>> 718 Yes KASAN: use-after-free Read in io_poll_remove_entries
>>>> https://syzkaller.appspot.com/bug?extid=cd301bb6523ea8cc8ca2
>>>> 443 Yes KMSAN: uninit-value in io_req_cqe_overflow
>>>> https://syzkaller.appspot.com/bug?extid=12dde80bf174ac8ae285
>>>> 73 Yes INFO: task hung in io_wq_put_and_exit (3)
>>>> https://syzkaller.appspot.com/bug?extid=adb05ed2853417be49ce
>>>> 38 Yes KASAN: use-after-free Read in nfc_llcp_find_local
>>>> https://syzkaller.appspot.com/bug?extid=e7ac69e6a5d806180b40
>>>>
>>>> ---
>>>> This report is generated by a bot. It may contain errors.
>>>> See https://goo.gl/tpsmEJ for more information about syzbot.
>>>> syzbot engineers can be reached at [email protected].
>>>
>>> Thanks for getting syzbot to classify reports by subsystem and send these
>>> reminders! These should be very helpful over time.
>>>
>>> One thing that is missing in these reminders is a mention of how to change the
>>> subsystem of miscategorized bugs. Yes, it's in https://goo.gl/tpsmEJ halfway
>>> down the page, but it's not obvious.
>>>
>>> I think adding something like "See https://goo.gl/tpsmEJ#subsystems for how to
>>> change the subsystem of miscategorized reports" would be helpful. Probably not
>>> in all syzbot emails, but just in these reminder emails.
>>
>> I did go poke, it is listed off the reports too. But it'd be really
>> handy if you could do this on the web page. When I see a report like
>> that that's not for me, I just archive it. And like any chatter with
>> syzbot, I have to look up what to reply to it every time. It'd be a lot
>> easier if I could just click on that page to either mark as invalid
>> (providing the info there) or move it to another subsystem.
>>
>
> Well, one problem that syzbot has to deal with is that to meet the kernel
> community's needs, it can't require authentication to issue commands.
>
> I understand that the current email-only interface, where all commands are Cc'ed
> to the syzkaller-bug mailing list, makes that not a complete disaster currently.
>
> I'd imagine that if anyone could just go to a web page and mess around with bug
> statuses with no authentication, that might be more problematic.

What prevents anyone from just sending an email to the syzbot issue email
and modifying it?

I love using email as it's easier when you're replying anyway, but the
problem is that I can never remember the magic incantations that I need
to send it. So I invariably click the link ANYWAY to find out what to
reply, and now it's more hassle using email. Maybe we can solve this by
making the email footer actually contain the common responses? Then
I would not have to click, switch desktops, scroll to find, copy part
of it, switch desktops, paste into email, open terminal to generate
the rest, switch back to email, paste in, click send. It really isn't
a very pleasurable experience.

--
Jens Axboe


2023-03-27 20:13:25

by Aleksandr Nogikh

Subject: Re: [syzbot] Monthly io-uring report

On Mon, Mar 27, 2023 at 9:20 PM Jens Axboe <[email protected]> wrote:
>
> > By the way, should F: fs/io-wq.c also be added to the IO_URING's
> > record in the MAINTAINERS file?
>
> I think you're looking at a really old tree, none of the supported
> stable trees even have any io_uring code in fs/ anymore. Maybe they need
> a MAINTAINERS update though? But even 5.10-stable has io-wq included,
> though it's pointing at the wrong path now...

Ah, sorry, I was indeed looking at an old crash report.

>
> --
> Jens Axboe
>

2023-03-27 20:29:07

by Aleksandr Nogikh

Subject: Re: [syzbot] Monthly io-uring report

On Mon, Mar 27, 2023 at 10:00 PM Jens Axboe <[email protected]> wrote:
>
> On 3/27/23 1:56 PM, Eric Biggers wrote:
> > On Mon, Mar 27, 2023 at 01:25:14PM -0600, Jens Axboe wrote:
> >> On 3/27/23 1:21 PM, Eric Biggers wrote:
> >>> Thanks for getting syzbot to classify reports by subsystem and send these
> >>> reminders! These should be very helpful over time.
> >>>
> >>> One thing that is missing in these reminders is a mention of how to change the
> >>> subsystem of miscategorized bugs. Yes, it's in https://goo.gl/tpsmEJ halfway
> >>> down the page, but it's not obvious.
> >>>
> >>> I think adding something like "See https://goo.gl/tpsmEJ#subsystems for how to
> >>> change the subsystem of miscategorized reports" would be helpful. Probably not
> >>> in all syzbot emails, but just in these reminder emails.

That makes sense, thanks!
FWIW, we can also add a subsystem-changing command that could be sent
just as a reply to such a reminder email, so that there's no need to go
to the per-bug threads.

> >>
> >> I did go poke, it is listed off the reports too. But it'd be really
> >> handy if you could do this on the web page. When I see a report like
> >> that that's not for me, I just archive it. And like any chatter with
> >> syzbot, I have to look up what to reply to it every time. It'd be a lot
> >> easier if I could just click on that page to either mark as invalid
> >> (providing the info there) or move it to another subsystem.
> >>
> >
> > Well, one problem that syzbot has to deal with is that to meet the kernel
> > community's needs, it can't require authentication to issue commands.
> >
> > I understand that the current email-only interface, where all commands are Cc'ed
> > to the syzkaller-bug mailing list, makes that not a complete disaster currently.
> >
> > I'd imagine that if anyone could just go to a web page and mess around with bug
> > statuses with no authentication, that might be more problematic.
>
> What prevents anyone from just sending an email to the syzbot issue email
> and modifying it?
>
> I love using email as it's easier when you're replying anyway, but the
> problem is that I can never remember the magic incantations that I need
> to send it. So I invariably click the link ANYWAY to find out what to
> reply, and now it's more hassle using email. Maybe we can solve this by
> making the email footer actually contain the common responses? Then
> I would not have to click, switch desktops, scroll to find, copy part
> of it, switch desktops, paste into email, open terminal to generate
> the rest, switch back to email, paste in, click send. It really isn't
> a very pleasurable experience.

Thanks for the feedback and the idea!
It would indeed be much easier if we listed some sample commands at the bottom.

>
> --
> Jens Axboe
>
>