Received: by 2002:a05:7412:3784:b0:e2:908c:2ebd with SMTP id jk4csp1376455rdb; Mon, 2 Oct 2023 07:48:54 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHPmOA9ztWjxJ7esvzsNBTYzKoyE0x2aE40RoJPdeUKk7XyF8czhM80ty0ewm4m9BENBSn7 X-Received: by 2002:a17:902:dacd:b0:1c4:4f01:d18f with SMTP id q13-20020a170902dacd00b001c44f01d18fmr13223481plx.14.1696258134165; Mon, 02 Oct 2023 07:48:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696258134; cv=none; d=google.com; s=arc-20160816; b=zDs8brwbsgmEOe3hWPEtKXR1qdKW76d6zOE25D6Zbgdy7d0VHB33jkSwrDRak0m4dQ RKWefdBOrvtw2tEN2s5g5MNHe8MJduhNEG09JSCaq2I/H6AeNX8VmkF24rOT3m7vYK9i UXDAekbS9A7Sl9AuIwEs5DserwdOocXfUrNegppNsDRiOkVoFDtCkYiTM6o9cxWqq44/ cnDLvEzXsXtW2NT1fCtcIk1tSJo6PW2PHvE6PipqKtOofh04TTImhEALb8b31xl2ujDL iL5pSHPMONOnJ8H4w6D57zSPC+RaFmiDfZR0xyYNl7vd/g9xDm7M+7CV5w2kYsqkE87n nkPQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:to:from:subject:message-id:date:mime-version; bh=cPvlpVCxggrsJ1ZuYlyGtFjY4Bpm1Ku4mYIQDej4bsU=; fh=XOb7Rm5sWn9Hswyo9JV+QX2PRflxUu2jPuyK3tDa2SY=; b=W74J0EAIqc9vJM5mOxGUXr1weErvIWdrrm9OF/q9Je+mkUgjLnBeynrFQg/cBLKFp0 AM0RCW4nw20uVLre+tkWRW9i+nTRS4fQU4ucIQu4G3BTW8x8yf5uSiQxkGF+DAkBmt42 7ggDXNl3O4i9Up6cn23DgwknZGTMeoNsjN20vhnE6atJjowT+aiq21ixWhfjH04ZQRjW z0gu2ALAc1QIEcqADVYhxuHKHd+0feoaYzNiqHi0+0rmpg4YVZsteTvb3SlxG3Bgv92E f3vyZNEVE9ZJ4jDMrNUS6iy+yfZMPJPmZCidAtlM9iEMVY3GbaczSeBQg6TJVOqUKbW5 12/w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=appspotmail.com Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id h21-20020a170902eed500b001c3e98a0d79si20811880plb.401.2023.10.02.07.48.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Oct 2023 07:48:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=appspotmail.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 1AD8980963A1; Mon, 2 Oct 2023 07:38:39 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237820AbjJBOiJ (ORCPT + 99 others); Mon, 2 Oct 2023 10:38:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48542 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237806AbjJBOiH (ORCPT ); Mon, 2 Oct 2023 10:38:07 -0400 Received: from mail-ot1-f79.google.com (mail-ot1-f79.google.com [209.85.210.79]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F3262B3 for ; Mon, 2 Oct 2023 07:38:02 -0700 (PDT) Received: by mail-ot1-f79.google.com with SMTP id 46e09a7af769-6c4d128e090so29547334a34.1 for ; Mon, 02 Oct 2023 07:38:02 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696257482; x=1696862282; h=to:from:subject:message-id:date:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=cPvlpVCxggrsJ1ZuYlyGtFjY4Bpm1Ku4mYIQDej4bsU=; b=HUL8HmZS7cqkskersI9PcZINg95gkVSnnNBiC2M4O8jIfWJMvTBLuRgDfDwR2g4i54 pkl/br8S+cD6Q5jEyB++2D6W4QqYHgcjSXNppIXaj0pBCbbnxtirl0vEE9aLqnTQ0b1t lS/ZRQVxUP2iz8dkuRV9Kmz2ISzHkEJM8K1/W6vA8Sw1QveJmf29yMCYnw/VEoCWNZRY GkOLpaIPhcSfsOvSIUfbk1i28nZNe0vbFZVVQFqdbbNbmL1Um33smI/28vSDaWHdleQ/ k0J93kjeq1Cgg3g5E11BB7Uip2K3qixHbF4VDRUGa22Ra41i4+PExD7+cjLelbvYy0g2 Iz+g== X-Gm-Message-State: AOJu0YxWVkzms+WAuNvpv7REB0nkd6MAox4G21IGMttf0w+0VwR7lbhF gqqsvFYOauHWp3EA//aOgid3/AKxWvsg2cJ0Xp7P9ChjH0j4 MIME-Version: 1.0 X-Received: by 2002:a05:6830:d7:b0:6c4:b847:cb9a with SMTP id x23-20020a05683000d700b006c4b847cb9amr3174297oto.0.1696257482382; Mon, 02 Oct 2023 07:38:02 -0700 (PDT) Date: Mon, 02 Oct 2023 07:38:02 -0700 X-Google-Appengine-App-Id: s~syzkaller X-Google-Appengine-App-Id-Alias: syzkaller Message-ID: <000000000000af635c0606bcb889@google.com> Subject: [syzbot] [io-uring?] BUG: unable to handle kernel NULL pointer dereference in __io_remove_buffers (2) From: syzbot To: asml.silence@gmail.com, axboe@kernel.dk, io-uring@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-0.4 required=5.0 tests=FROM_LOCAL_HEX, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Mon, 02 Oct 2023 07:38:39 -0700 (PDT) Hello, syzbot found the following issue on: HEAD commit: ec8c298121e3 Merge tag 'x86-urgent-2023-10-01' of git://gi.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=16ef0ed6680000 kernel config: https://syzkaller.appspot.com/x/.config?x=3be743fa9361d5b0 dashboard link: https://syzkaller.appspot.com/bug?extid=2113e61b8848fa7951d8 compiler: arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 userspace arch: arm Unfortunately, I don't have any reproducer for this issue yet. Downloadable assets: disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/8ead8862021c/non_bootable_disk-ec8c2981.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/e19aa754d61c/vmlinux-ec8c2981.xz kernel image: https://storage.googleapis.com/syzbot-assets/709e546bab85/zImage-ec8c2981.xz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+2113e61b8848fa7951d8@syzkaller.appspotmail.com 8<--- cut here --- Unable to handle kernel NULL pointer dereference at virtual address 0000000e when read [0000000e] *pgd=80000080004003, *pmd=00000000 Internal error: Oops: 207 [#1] PREEMPT SMP ARM Modules linked in: CPU: 0 PID: 28152 Comm: kworker/u5:4 Not tainted 6.6.0-rc3-syzkaller #0 Hardware name: ARM-Versatile Express Workqueue: events_unbound io_ring_exit_work PC is at __io_remove_buffers io_uring/kbuf.c:219 [inline] PC is at __io_remove_buffers+0x38/0x184 io_uring/kbuf.c:209 LR is at io_destroy_buffers+0x48/0x138 io_uring/kbuf.c:264 pc : [<807c966c>] lr : [<807c9c28>] psr: 20000013 sp : eab35e48 ip : eab35e78 fp : eab35e74 r10: 827e4691 r9 : 8b0de000 r8 : ffffffff r7 : 8b0de34c r6 : 00000001 r5 : 8b0dc800 r4 : 00000000 r3 : 00000000 r2 : 00000000 r1 : 8b0dc800 r0 : 8b0de000 Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 30c5387d Table: 8be86780 DAC: fffffffd Register r0 information: slab kmalloc-2k start 8b0de000 pointer offset 0 size 2048 Register r1 information: slab kmalloc-2k start 8b0dc800 pointer offset 0 size 2048 Register r2 information: NULL pointer Register r3 information: NULL pointer Register r4 information: NULL pointer Register r5 information: slab kmalloc-2k start 8b0dc800 pointer offset 0 size 2048 Register r6 information: non-paged memory Register r7 information: slab kmalloc-2k start 8b0de000 pointer offset 844 size 2048 Register r8 information: non-paged memory Register r9 information: slab kmalloc-2k start 8b0de000 pointer offset 0 size 2048 Register r10 information: non-slab/vmalloc memory Register r11 information: 2-page vmalloc region starting at 0xeab34000 allocated at kernel_clone+0xac/0x424 kernel/fork.c:2909 Register r12 information: 2-page vmalloc region starting at 0xeab34000 allocated at kernel_clone+0xac/0x424 kernel/fork.c:2909 Process kworker/u5:4 (pid: 28152, stack limit = 0xeab34000) Stack: (0xeab35e48 to 0xeab36000) 5e40: 8bce69c0 00000014 8b0de000 8b0de040 8b0de34c 82604d40 5e60: 8b0de3cc 827e4691 eab35e9c eab35e78 807c9c28 807c9640 00000000 6ae810d6 5e80: 8b0de3bc 8b0de000 8b0de040 8b0de34c eab35f04 eab35ea0 818264d0 807c9bec 5ea0: eab35ebc 8b0de3cc 00079ebb 8b0de000 00000000 00000000 00000000 81825000 5ec0: 00000000 00030003 eab35ec8 eab35ec8 8b0de000 6ae810d6 eab35f48 8be74900 5ee0: 8b0de3bc 82c21400 82c0f000 00000140 8bce69c0 82c21405 eab35f44 eab35f08 5f00: 80265fd4 81826134 eab35f2c eab35f18 eab35f44 eab35f20 8026196c 8be74900 5f20: 8be7492c 82c0f000 82604d40 82c0f020 8bce69c0 61c88647 eab35f84 eab35f48 5f40: 80266520 80265e44 eab35f64 eab35f58 81847bb0 80278e68 eab35f84 8a4e0180 5f60: 8bce69c0 802662e0 8be74900 8b121ac0 e04f5e98 00000000 eab35fac eab35f88 5f80: 8026d8e0 802662ec 8a4e0180 8026d7dc 00000000 00000000 00000000 00000000 5fa0: 00000000 eab35fb0 80200104 8026d7e8 00000000 00000000 00000000 00000000 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 Backtrace: [<807c9634>] (__io_remove_buffers) from [<807c9c28>] (io_destroy_buffers+0x48/0x138 io_uring/kbuf.c:264) r10:827e4691 r9:8b0de3cc r8:82604d40 r7:8b0de34c r6:8b0de040 r5:8b0de000 r4:00000014 r3:8bce69c0 [<807c9be0>] (io_destroy_buffers) from [<818264d0>] (io_ring_ctx_free io_uring/io_uring.c:2895 [inline]) [<807c9be0>] (io_destroy_buffers) from [<818264d0>] (io_ring_exit_work+0x3a8/0x5ec io_uring/io_uring.c:3151) r7:8b0de34c r6:8b0de040 r5:8b0de000 r4:8b0de3bc [<81826128>] (io_ring_exit_work) from [<80265fd4>] (process_one_work+0x19c/0x4a8 kernel/workqueue.c:2630) r10:82c21405 r9:8bce69c0 r8:00000140 r7:82c0f000 r6:82c21400 r5:8b0de3bc r4:8be74900 [<80265e38>] (process_one_work) from [<80266520>] (process_scheduled_works kernel/workqueue.c:2703 [inline]) [<80265e38>] (process_one_work) from [<80266520>] (worker_thread+0x240/0x48c kernel/workqueue.c:2784) r10:61c88647 r9:8bce69c0 r8:82c0f020 r7:82604d40 r6:82c0f000 r5:8be7492c r4:8be74900 [<802662e0>] (worker_thread) from [<8026d8e0>] (kthread+0x104/0x134 kernel/kthread.c:388) r10:00000000 r9:e04f5e98 r8:8b121ac0 r7:8be74900 r6:802662e0 r5:8bce69c0 r4:8a4e0180 [<8026d7dc>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134) Exception stack(0xeab35fb0 to 0xeab35ff8) 5fa0: 00000000 00000000 00000000 00000000 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:8026d7dc r4:8a4e0180 Code: 0a000022 e5913004 e1d120be e5d14013 (e1d380be) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: 0a000022 beq 0x90 4: e5913004 ldr r3, [r1, #4] 8: e1d120be ldrh r2, [r1, #14] c: e5d14013 ldrb r4, [r1, #19] * 10: e1d380be ldrh r8, [r3, #14] <-- trapping instruction --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. If the bug is already fixed, let syzbot know by replying with: #syz fix: exact-commit-title If you want to overwrite bug's subsystems, reply with: #syz set subsystems: new-subsystem (See the list of subsystem names on the web dashboard) If the bug is a duplicate of another bug, reply with: #syz dup: exact-subject-of-another-report If you want to undo deduplication, reply with: #syz undup