Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp4260263pxy; Tue, 27 Apr 2021 00:09:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwpW7yxnN7qN7s9ZscdYlysWJocLJ6lRV8Xuypk/gmgAt4bptb49i1YAJrveaGXMkRQG9QX X-Received: by 2002:a17:906:13d6:: with SMTP id g22mr21952536ejc.475.1619507369600; Tue, 27 Apr 2021 00:09:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1619507369; cv=none; d=google.com; s=arc-20160816; b=yyBxR/5d2Swvc99rszfjG5KuYNkJ5Oh9YEinnJZE9FGbzNXyBVU1qUhtbeG8svlgkU 0bvxUlQivok/bpN91PgPjjKNQ52YYN2Afm48rTWCmvuBeO8DLbny1jgDZo7xUirEp6Ih ZkSHC8pqyzQAPLlVl9+ucJeZ4ww5rkYUnD4hsJxQt40dvQZY5pC6AM2cyrkekWIaZEl0 qKZKsQrvVJcLExl1h+8jdNDJw97y9MJpHcg7CHkzKvXtRDCfdAvA6CYv0sgQ9izQrtW3 m1d2EneWj2LkuG966PPyl+ls8zpcEIyl5g/pXh+Pgjh+xqbiEo8fxX6kIscAg4c9yoNh Mdiw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=gDHuq6cKvw3UBA//AzKnWt1sxYQoNAnBwsBQK/T1M9U=; b=majm8J5zGo5Msuome3VWdziw57eIvfI0aBT4aZZbIL2uWOXxzuFkucMTEeSYmWyD+c XAuF3GIrNV74DX2ZwHRZHekYdSv2B/qIloA+KQyQ7mVLUzB+MdMupckwobQbD73kZPhR LwkmYNzFb37Wpfjdu0HnEXNtKj4ZpV9ub/xFSFJdnnjCAIv8dWHm5giz0yEV8s4sPGmY 8tQlhqnYwVbs9cZscWd16Iz90YnxWkpx1wIZ+BMEL6h0Ye9+KfTeL3eZmieG05A8Ri/a 9h3by7AwePCJ6A3y5z9FQg8w0xA+Z08ewLca97wwjneneFZwDx3o2vQhWUFnXuZaoOup zNgQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=DOB3ARQC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o32si1976517eda.316.2021.04.27.00.09.05; Tue, 27 Apr 2021 00:09:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=DOB3ARQC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234645AbhD0HG0 (ORCPT + 99 others); Tue, 27 Apr 2021 03:06:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40964 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230255AbhD0HGS (ORCPT ); Tue, 27 Apr 2021 03:06:18 -0400 Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 784ABC06175F; Tue, 27 Apr 2021 00:05:34 -0700 (PDT) Received: by mail-lj1-x231.google.com with SMTP id z23so20523997lji.4; Tue, 27 Apr 2021 00:05:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gDHuq6cKvw3UBA//AzKnWt1sxYQoNAnBwsBQK/T1M9U=; b=DOB3ARQCSqStyJ0EDKG1D0WdzeKunnvDdLpowdqw/8aeEI+vHt496CqbQPy0eTNOZ/ FOBDGKMH+w5R3aNT1wtcFZ7pL5imwknr+QLAl6OfUNNjM80WSgNUFEQ7IMKXXDUxLCD4 0guMwLz8vtag7hQIFACRZVMEAWnRAQWNxwuIHeKmr9pMHgguG2NybN4e+OM5qFSZUCdO o6JbPvnMViO/2a/KGfx/3yyjcn/N667DFpC0BQlAlsF0ESq7LRZaBp2b6UBqwmnjSgxA qQkDs/b3kr4NC6SZX+Ak3xaa/33n0N2+nYTC/4Kmmi9cKOjviXROx73wlKdgMixg2V6u mtbA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gDHuq6cKvw3UBA//AzKnWt1sxYQoNAnBwsBQK/T1M9U=; b=INnEmgc1OUgiiZnx7q0oj/GULL53CN7e9zc8AK05Ee3ur/oi4BvvLDsuDeTO/sbuNM jrzP6H0j//4FHVa8k+XtisT2vzJ9ZNAnZmuJ2iWwyBRsPHoZNH8CnetH91B1AL09gSM8 XMWEm6VoD4FQYPvoqMgDQpUnMGUQ2Eo/oLCNMCgw+pO81cgZqidYIJkavJZvfdU3dYh5 laXRXLtAvc0E9pvLVH3N0KwAn0IEsug6WwR+I9EnhDygc6qSz1siLLKUaddRvgTbNEAQ XIWQjtzVnC2DIoKaFOjYzncrzndjadIOx6KAsZmXNNmxlETY8lIEBvAs2h4BBKuG8Iya 5MYA== X-Gm-Message-State: AOAM531zHVQEDW9wcZ5M8+wVHwyjjFLgrzdxc52VrtDQeKJoyp6F11lR fpSisTdLxNglGY0yxxyuWynfrLh9g9m1k18upqwY+U70Hf406A== X-Received: by 2002:a2e:b5b5:: with SMTP id f21mr15760684ljn.340.1619507132866; Tue, 27 Apr 2021 00:05:32 -0700 (PDT) MIME-Version: 1.0 References: <00000000000022ebeb05bc39f582@google.com> In-Reply-To: From: Palash Oswal Date: Tue, 27 Apr 2021 12:35:21 +0530 Message-ID: Subject: Re: KASAN: null-ptr-deref Write in io_uring_cancel_sqpoll To: Dmitry Vyukov Cc: Jens Axboe , io-uring@vger.kernel.org, LKML , syzkaller-bugs , syzbot+be51ca5a4d97f017cd50@syzkaller.appspotmail.com Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > +kernel lists and syzbot email > (almost nobody is reading syzkaller-bugs@ itself) Thanks Dmitry. I used "reply-all" in the google groups UI, and I didn't check the cc list before hitting send :/ I have made progress on this bug. I applied a diff (to print some debug values) on the v5.12 fs/io_uring.c code and got a fairly consistent reproducer on a non-kvm based qemu VM (had to slow down the rate of syscalls processed for this to trigger early). My initial speculation was very wrong. And the real issue seems to be that current->io_uring is unset when io_uring_cancel_sqpoll is called. Adding the c reproducer here: #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #define sys_io_uring_setup 425 #define WAIT_FLAGS __WALL static unsigned long long procid; static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } while (waitpid(-1, status, __WALL) != pid) { } } static void execute_one(void) { *(uint32_t*)0x20000084 = 0x850e; *(uint32_t*)0x20000088 = 2; *(uint32_t*)0x2000008c = 2; *(uint32_t*)0x20000090 = 0x1b4; *(uint32_t*)0x20000098 = -1; memset((void*)0x2000009c, 0, 12); syscall(sys_io_uring_setup, 0x329b, 0x20000080); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; sleep_ms(1); kill_and_wait(pid, &status); break; } } } int main(void) { syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); for (procid = 0; procid < 8; procid++) { if (fork() == 0) { loop(); } } sleep(1000000); return 0; } Changes to the kernel on v5.12: diff --git a/fs/io_uring.c b/fs/io_uring.c index dff34975d86b..beff12baaebf 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -6758,6 +6758,7 @@ static int io_sq_thread(void *data) io_run_task_work_head(&sqd->park_task_work); while (!test_bit(IO_SQ_THREAD_SHOULD_STOP, &sqd->state)) { + pr_info("In the loop, need to stop"); int ret; bool cap_entries, sqt_spin, needs_sched; @@ -6831,7 +6832,7 @@ static int io_sq_thread(void *data) io_run_task_work_head(&sqd->park_task_work); timeout = jiffies + sqd->sq_thread_idle; } - + printk("ctx is %d",&ctx); list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) io_uring_cancel_sqpoll(ctx); sqd->thread = NULL; @@ -7171,6 +7172,7 @@ static void io_sq_thread_stop(struct io_sq_data *sqd) WARN_ON_ONCE(sqd->thread == current); mutex_lock(&sqd->lock); + pr_info("Setting Doom bit"); set_bit(IO_SQ_THREAD_SHOULD_STOP, &sqd->state); if (sqd->thread) wake_up_process(sqd->thread); @@ -8994,7 +8996,11 @@ void __io_uring_files_cancel(struct files_struct *files) static void io_uring_cancel_sqpoll(struct io_ring_ctx *ctx) { struct io_sq_data *sqd = ctx->sq_data; + printk("io_uring_cancel_sqpoll called with ctx :%d\n",&ctx); + printk("ctx->sq_data is %p \n",ctx->sq_data); struct io_uring_task *tctx = current->io_uring; + printk("current is %p\n", current); + printk("current->io_uring is :%p\n",current->io_uring); s64 inflight; DEFINE_WAIT(wait); @@ -9548,7 +9554,6 @@ static int io_uring_create(unsigned entries, struct io_uring_params *p, ret = io_allocate_scq_urings(ctx, p); if (ret) goto err; - ret = io_sq_offload_create(ctx, p); if (ret) goto err; Some debug console logs: [ 58.455071] ctx is 39386608 [ 58.455415] io_uring_cancel_sqpoll called with ctx :39386080 [ 58.455913] ctx->sq_data is 00000000c9f086d5 [ 58.456146] current is 000000005e7bf8a0 [ 58.456346] current->io_uring is :0000000000000000 [ 58.457244] ================================================================== [ 58.457663] BUG: KASAN: null-ptr-deref in io_uring_cancel_sqpoll+0x341/0x4b0 [ 58.458214] Write of size 4 at addr 0000000000000060 by task iou-sqp-1857/1860 [ 58.458699] [ 58.459061] CPU: 1 PID: 1860 Comm: iou-sqp-1857 Not tainted 5.12.0+ #83 [ 58.459522] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1 04/01/2014 [ 58.460065] Call Trace: [ 58.460402] dump_stack+0xe9/0x168 [ 58.460749] ? io_uring_cancel_sqpoll+0x341/0x4b0 [ 58.460846] __kasan_report+0x166/0x1c0 [ 58.460846] ? io_uring_cancel_sqpoll+0x341/0x4b0 [ 58.460846] kasan_report+0x4f/0x70 [ 58.460846] kasan_check_range+0x2f3/0x340 [ 58.460846] __kasan_check_write+0x14/0x20 [ 58.460846] io_uring_cancel_sqpoll+0x341/0x4b0 [ 58.460846] ? io_sq_thread_unpark+0xd0/0xd0 [ 58.460846] ? init_wait_entry+0xe0/0xe0 [ 58.460846] io_sq_thread+0x1a0d/0x1c50 [ 58.460846] ? io_rsrc_put_work+0x380/0x380 [ 58.460846] ? init_wait_entry+0xe0/0xe0 [ 58.460846] ? _raw_spin_lock_irq+0xa5/0x180 [ 58.460846] ? _raw_spin_lock_irqsave+0x190/0x190 [ 58.460846] ? calculate_sigpending+0x6b/0xa0 [ 58.460846] ? io_rsrc_put_work+0x380/0x380 [ 58.460846] ret_from_fork+0x22/0x30 I'm going to look further into why this is happening.