Subject: Re: KASAN: null-ptr-deref Write in io_wq_cancel_all
From: Jens Axboe
To: Dmitry Vyukov, syzbot
Cc: linux-fsdevel, LKML, syzkaller-bugs, Al Viro
Date: Fri, 25 Oct 2019 08:35:39 -0600

On 10/25/19 7:50 AM, Jens Axboe wrote:
> On 10/25/19 5:58 AM, Dmitry Vyukov wrote:
>> On Fri, Oct 25, 2019 at 1:51 PM syzbot wrote:
>>>
>>> Hello,
>>>
>>> syzbot found the following crash on:
>>>
>>> HEAD commit:    139c2d13 Add linux-next specific files for 20191025
>>> git tree:       linux-next
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=17ab5a70e00000
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=28fd7a693df38d29
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=d958a65633ea70280b23
>>> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
>>>
>>> Unfortunately, I don't have any reproducer for this crash yet.
>>>
>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>> Reported-by: syzbot+d958a65633ea70280b23@syzkaller.appspotmail.com
>>
>> +Jens
>
> Let me know if/when you have a reproducer for this one. I initially thought
> this was a basic NULL pointer check, but it doesn't look like it. I wonder
> if the thread handling the request got a signal, and since it had the
> task file_table with the io_uring fd attached, it's triggering an exit.
>
> I'll poke at it, but don't immediately see the issue.

Ah, I see it, if we run into work needing to get done as the worker is
exiting, we do that work. But that makes us busy, and we can then exit
the thread without having dropped the mm/files associated with the
original task.

I've folded in a fix.

-- 
Jens Axboe
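
The pattern described in the message above, as an added userspace model; it is not code from the thread or from the kernel. All names (task_ctx, worker, attach_ctx, drop_ctx, worker_exit) are hypothetical, and drop_on_exit is an assumed remedy, since the thread does not show the folded-in fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model: reference counts stand in for the submitting
 * task's mm and files that a worker borrows while running its work. */
struct task_ctx { int mm_refs; int files_refs; };
struct worker  { struct task_ctx *borrowed; bool busy; };

static void attach_ctx(struct worker *w, struct task_ctx *t)
{
    t->mm_refs++;
    t->files_refs++;
    w->borrowed = t;
    w->busy = true;              /* running work makes the worker busy */
}

static void drop_ctx(struct worker *w)
{
    if (!w->borrowed)
        return;
    w->borrowed->mm_refs--;
    w->borrowed->files_refs--;
    w->borrowed = NULL;
    w->busy = false;
}

/* Exit path: work that shows up while the worker is exiting still runs. */
static void worker_exit(struct worker *w, struct task_ctx *pending, bool drop_on_exit)
{
    if (pending)
        attach_ctx(w, pending);  /* late work, done in the task's context */
    if (drop_on_exit)
        drop_ctx(w);             /* assumed remedy: release before leaving */
    /* the thread ends here; anything still borrowed is never returned */
}

/* References still held on the task's mm/files after the worker is gone. */
int leaked_refs_after_exit(bool late_work, bool drop_on_exit)
{
    struct task_ctx task = { 1, 1 };   /* the task's own references */
    struct worker w = { NULL, false };

    worker_exit(&w, late_work ? &task : NULL, drop_on_exit);
    return (task.mm_refs - 1) + (task.files_refs - 1);
}

int main(void)
{
    printf("late work, no drop on exit: %d leaked\n", leaked_refs_after_exit(true, false));
    printf("late work, drop on exit:    %d leaked\n", leaked_refs_after_exit(true, true));
    return 0;
}
```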