Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp2791297rwb; Thu, 17 Nov 2022 16:28:33 -0800 (PST) X-Google-Smtp-Source: AA0mqf60qfTUHCoUccXZS+Y1nczBQJsISTmUr1ex9rYcbG5GFpmjsvqmwHG5wzffdGWematEosrT X-Received: by 2002:a63:1d03:0:b0:46f:abcc:a793 with SMTP id d3-20020a631d03000000b0046fabcca793mr4545793pgd.234.1668731313649; Thu, 17 Nov 2022 16:28:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1668731313; cv=none; d=google.com; s=arc-20160816; b=EBsFnLAn4NNLIXtqjXC+86NSe+jq1EyWfGu2T5ujEsC8YKDnWBl3u3rsR4Gl+vF7Qb 4hdZ5SF+GWejDCrGM8EYuXQIblcD4RdGT3Io3FUYkxDqtCS909Az8Owa+WNQVgxAuo1C irGznkqix3acu05uQVHolQuM9GT64TIby6GgXsSSUCMdf/f/El3YAf1FGObRySf0m84Z ZWCwtMlEsrc2YZ8HINrVsZyb7boy0rotm9vva9p6LT0qoWbCEXBAMqFKCDnrzV6qdAdL dwbCydftPel/Uv2HIremSeYRHzj7lons1s1fVSupL78ApiEvKz51/S7eseUET9MbnD1O P6Nw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=lZ9h0bt6Jo+9fCE5vQcx0pDwFY9OuShej95BgGTToEE=; b=1DJxxjt7KvrrqUQvyXyFVQgonN2mofZ0JvlKFuego/ZdJtpcURAfP1djhL96ebX448 CFvo3H82C0QB1h31meH0XuzCi8Fz/JDCDVLfDEUb3Li6NdOPJ+TLAW2Dr2QyxMCh+RX7 6KREhHTyDCXBbbG9J9LUl6HI2vdlPS0I82Y6r3YAP4ex7SXeaGAwvdnGn7QcWSdO50Xp 7+JSUIRy0ouxKZK3k87/6srwROcH4L/Y/GZdKoG08gf4j9Y+T+IcdUHKUUO6NbyED2wD m6Plu9ds7JN0hk5DhspPatv2it8ho8EtiW4hELlgsE3IWQnZEknZeWmBqHeks7YpAbV6 hhRQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=UhaAJHav; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ng10-20020a17090b1a8a00b00202fd098892si2526272pjb.190.2022.11.17.16.28.21; Thu, 17 Nov 2022 16:28:33 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=UhaAJHav; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240308AbiKQXxf (ORCPT + 92 others); Thu, 17 Nov 2022 18:53:35 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51714 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234724AbiKQXxc (ORCPT ); Thu, 17 Nov 2022 18:53:32 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BD4DF7FF08 for ; Thu, 17 Nov 2022 15:52:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1668729158; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=lZ9h0bt6Jo+9fCE5vQcx0pDwFY9OuShej95BgGTToEE=; b=UhaAJHavhUun0q9sruNOzGa7lHBXOR5WmGZ9os3zYN5PfqfftDQJ8DmS5wv16TBEy3moSe sWP5HJhM7G3kLIZnKrXi6uKt0VDlbbqeUOr7VJFgzVxBDO/Msa4OmRn1gfrk98vzjvWYda DKOW6wB8JYNT6/FVkft1e0fJumuxfy0= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-332-KWOLNxNFMUKFB1U8qqTgmA-1; Thu, 17 Nov 2022 18:52:33 -0500 X-MC-Unique: KWOLNxNFMUKFB1U8qqTgmA-1 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 3A72D1C0CE68; Thu, 17 Nov 2022 23:52:32 +0000 (UTC) Received: from [10.22.16.250] (unknown [10.22.16.250]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2BD8A42222; Thu, 17 Nov 2022 23:52:31 +0000 (UTC) Message-ID: Date: Thu, 17 Nov 2022 18:52:28 -0500 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.0 Subject: Re: Syzkaller found a bug: KASAN: null-ptr-deref Write in prepare_to_wait Content-Language: en-US To: Sanan Hasanov , "peterz@infradead.org" , "mingo@redhat.com" , "will@kernel.org" , "boqun.feng@gmail.com" , "linux-kernel@vger.kernel.org" , "akpm@linux-foundation.org" , "glider@google.com" , "elver@google.com" , "arnd@arndb.de" , "linux-arch@vger.kernel.org" , "juri.lelli@redhat.com" , "vincent.guittot@linaro.org" , "dietmar.eggemann@arm.com" , "rostedt@goodmis.org" , "bsegall@google.com" , "mgorman@suse.de" , "bristot@redhat.com" , "vschneid@redhat.com" Cc: "syzkaller@googlegroups.com" , Paul Gazzillo References: From: Waiman Long In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 3.1 on 10.11.54.5 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 11/17/22 17:17, Sanan Hasanov wrote: > Good day, dear maintainers, > > We found a bug using a modified kernel configuration file used by syzbot. > > We enhanced the coverage of the configuration file using our tool, klocalizer. > > Kernel branch: linux-next 5.11.0+ (HEAD detached at 8310b77b48c5) > > config file and c reproducer are attached. > > Thank you! > > ================================================================== > BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline] > BUG: KASAN: null-ptr-deref in atomic_try_cmpxchg_acquire include/asm-generic/atomic-instrumented.h:705 [inline] > BUG: KASAN: null-ptr-deref in queued_spin_lock include/asm-generic/qspinlock.h:82 [inline] > BUG: KASAN: null-ptr-deref in do_raw_spin_lock_flags include/linux/spinlock.h:195 [inline] > BUG: KASAN: null-ptr-deref in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:119 [inline] > BUG: KASAN: null-ptr-deref in _raw_spin_lock_irqsave+0x6c/0xd0 kernel/locking/spinlock.c:159 > Write of size 4 at addr 0000000000000010 by task syz-executor.3/1879 > > CPU: 1 PID: 1879 Comm: syz-executor.3 Not tainted 5.11.0+ #4 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 > Call Trace: > __dump_stack lib/dump_stack.c:79 [inline] > dump_stack+0xb0/0xf3 lib/dump_stack.c:120 > __kasan_report mm/kasan/report.c:400 [inline] > kasan_report.cold+0x10c/0x10e mm/kasan/report.c:413 > check_memory_region_inline mm/kasan/generic.c:179 [inline] > check_memory_region+0x17c/0x1e0 mm/kasan/generic.c:185 > instrument_atomic_read_write include/linux/instrumented.h:101 [inline] > atomic_try_cmpxchg_acquire include/asm-generic/atomic-instrumented.h:705 [inline] > queued_spin_lock include/asm-generic/qspinlock.h:82 [inline] > do_raw_spin_lock_flags include/linux/spinlock.h:195 [inline] > __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:119 [inline] > _raw_spin_lock_irqsave+0x6c/0xd0 kernel/locking/spinlock.c:159 > prepare_to_wait+0x79/0x3c0 kernel/sched/wait.c:259 > io_uring_cancel_files fs/io_uring.c:9014 [inline] > io_uring_cancel_task_requests+0x986/0xfa0 fs/io_uring.c:9054 > io_uring_flush+0x311/0x470 fs/io_uring.c:9236 > filp_close+0xad/0x150 fs/open.c:1286 > close_files fs/file.c:403 [inline] > put_files_struct fs/file.c:418 [inline] > put_files_struct+0x193/0x280 fs/file.c:415 > exit_files+0xa4/0xd0 fs/file.c:435 > do_exit+0xa35/0x27d0 kernel/exit.c:820 > do_group_exit+0xee/0x310 kernel/exit.c:922 > get_signal+0x3b5/0x1a60 kernel/signal.c:2773 > arch_do_signal_or_restart+0x2eb/0x18e0 arch/x86/kernel/signal.c:811 > handle_signal_work kernel/entry/common.c:147 [inline] > exit_to_user_mode_loop kernel/entry/common.c:171 [inline] > exit_to_user_mode_prepare+0xba/0x130 kernel/entry/common.c:208 > __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline] > syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:301 > entry_SYSCALL_64_after_hwframe+0x44/0xae > RIP: 0033:0x7f06219f6dcd > Code: Unable to access opcode bytes at RIP 0x7f06219f6da3. > RSP: 002b:00007f0620b66c98 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca > RAX: fffffffffffffe00 RBX: 00007f0621b23f80 RCX: 00007f06219f6dcd > RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f0621b23f88 > RBP: 00007f0621b23f88 R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0621b23f8c > R13: 00007ffcf7101edf R14: 00007ffcf7102080 R15: 00007f0620b66d80 > ================================================================== > BUG: kernel NULL pointer dereference, address: 0000000000000010 > #PF: supervisor write access in kernel mode > #PF: error_code(0x0002) - not-present page > PGD 0 P4D 0 > Oops: 0002 [#1] SMP KASAN NOPTI According to this kernel splat, the spinlock address is at 0x10. 253 void 254 prepare_to_wait(struct wait_queue_head *wq_head, struct wait_queue_entry *wq_entry, int state) 255 { 256         unsigned long flags; 257 258         wq_entry->flags &= ~WQ_FLAG_EXCLUSIVE; 259         spin_lock_irqsave(&wq_head->lock, flags); 260         if (list_empty(&wq_entry->entry)) 261                 __add_wait_queue(wq_head, wq_entry); 262         set_current_state(state); 263         spin_unlock_irqrestore(&wq_head->lock, flags); 264 } 265 EXPORT_SYMBOL(prepare_to_wait); The first element of wait_queue_head structure is a spinlock. That means wq_head has a value of 0x10 too. Since it is called by io_uring_cancel_files(), I think the bug is in the io_uring code as it passed the wrong value to prepare_to_wait(). I didn't try to go further as I am not that familiar with the io_uring code. Cheers, Longman