Dear Linux kernel maintainers,
Syzkaller reports this previously unknown bug on Linux
6.8.0-rc3-00043-ga69d20885494-dirty #4. Seems like the bug was
silently or unintentionally fixed in the latest version.
I found a similar bug report
[here](https://syzkaller.appspot.com/bug?id=ac425cc8dcf667de21cbe25208555a346ab658d0),
but I think this should be a different bug?
```
Syzkaller hit 'WARNING in __put_task_struct' bug.
------------[ cut here ]------------
WARNING: CPU: 2 PID: 10662 at kernel/fork.c:967 __put_task_struct+0x290/0x340 kernel/fork.c:967
Modules linked in:
CPU: 2 PID: 10662 Comm: syz-executor389 Not tainted 6.8.0-rc3-00043-ga69d20885494-dirty #52
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__put_task_struct+0x290/0x340 kernel/fork.c:967
Code: da ff ff 48 8b 3d b0 28 69 0f 4c 89 e6 e8 88 d2 7b 00 e9 45 ff ff ff be 03 00 00 00 4c 89 e7 e8 46 be c7 02 e9 33 ff ff ff 90 <0f> 0b 90 e9 ac fd ff ff 90 0f 0b 90 e9 e9 fd ff ff 90 0f 0b 90 e9
RSP: 0018:ffffc90017f67b38 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff92002fecf6f RCX: 1ffff92002fecf36
RDX: 1ffff1100e71a530 RSI: ffffffff8a0bdce0 RDI: ffff8880738d2980
RBP: ffff8880738d2440 R08: 0000000000000000 R09: fffffbfff23d9a15
R10: ffffffff91ecd0af R11: 0000000000000000 R12: ffffffff840b8886
R13: ffff8880738d2468 R14: ffff888024ad7818 R15: ffff8880738d2440
FS: 0000555557445480(0000) GS:ffff8880b9880000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff010cdf0b0 CR3: 0000000032094000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
put_task_struct include/linux/sched/task.h:138 [inline]
io_wq_exit_workers io_uring/io-wq.c:1274 [inline]
io_wq_put_and_exit+0x765/0x8f0 io_uring/io-wq.c:1296
io_uring_clean_tctx+0x10e/0x190 io_uring/tctx.c:193
io_uring_cancel_generic+0x643/0x7c0 io_uring/io_uring.c:3395
io_uring_files_cancel include/linux/io_uring.h:21 [inline]
do_exit+0x4bf/0x25a0 kernel/exit.c:829
do_group_exit+0xb4/0x250 kernel/exit.c:1020
__do_sys_exit_group kernel/exit.c:1031 [inline]
__se_sys_exit_group kernel/exit.c:1029 [inline]
__x64_sys_exit_group+0x39/0x40 kernel/exit.c:1029
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd8/0x270 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7ff010c59031
Code: b8 ff ff ff be e7 00 00 00 ba 3c 00 00 00 eb 16 66 0f 1f 84 00 00 00 00 00 89 d0 0f 05 48 3d 00 f0 ff ff 77 1c f4 89 f0 0f 05 <48> 3d 00 f0 ff ff 76 e7 f7 d8 64 41 89 00 eb df 0f 1f 80 00 00 00
RSP: 002b:00007ffd577fbfb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007ff010cde1f0 RCX: 00007ff010c59031
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffb8 R09: 000000000000ffff
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff010cde1f0
R13: 0000000000000000 R14: 00007ff010cdec80 R15: 00007ff010c13500
</TASK>
Syzkaller reproducer:
# {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:true Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
r0 = syz_io_uring_setup(0x6e47, &(0x7f0000000000)={0x0, 0x8847, 0x80, 0x4000003, 0x3d6}, &(0x7f0000000080)=<r1=>0x0, &(0x7f00000000c0)=<r2=>0x0)
open(&(0x7f0000000100)='./file0\x00', 0x2041, 0x8)
r3 = open$dir(&(0x7f0000000140)='./file0\x00', 0x680400, 0x104)
r4 = socket(0x28, 0x80000, 0x89)
epoll_create1(0x80000)
eventfd2(0x802, 0x80800)
syz_io_uring_submit(r1, r2, &(0x7f0000000340)=@IORING_OP_SEND_ZC={0x2f, 0x1c, 0x1, @sock=r4, &(0x7f0000000240)=@tipc=@name={0x1e, 0x2, 0x1, {{0x41, 0x4}, 0x3}}, &(0x7f00000002c0)=""/82, 0x52, 0x200, 0x1, 0x101, 0x0, {0x100}})
io_uring_enter(r0, 0x1, 0x1, 0x11, &(0x7f0000000380), 0x8)
syz_io_uring_complete(r1, &(0x7f0000000400))
io_uring_register$IORING_REGISTER_ENABLE_RINGS(r0, 0xc, 0x0, 0x0)
syz_io_uring_submit(r1, r2, &(0x7f0000000180)=@IORING_OP_ASYNC_CANCEL={0xe, 0x1, 0x0, 0x0, 0x0, 0x1, 0x0, 0x4, 0x1})
syz_io_uring_submit(r1, r2, 0x0)
syz_io_uring_submit(r1, r2, &(0x7f0000000680)=@IORING_OP_UNLINKAT={0x24, 0x50, 0x0, @fd_dir=r3, 0x0, &(0x7f0000000500)='./file0\x00'})
io_uring_enter(r0, 0x3, 0x3, 0xb, 0x0, 0x0)
syz_io_uring_complete(r1, 0x0)
```
C repro is in the attachment.
Best Regards
Xdchase
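For triaging reports like the one above, it helps to pull the warning site, the kernel build string and the call trace out of the text mechanically, so that two reports (for example this one and the linked syzkaller entry) can be compared by the same fields. The following Python is an added example, not part of the report and not a Syzkaller tool; it parses the WARNING text copied from the report above and applies a simple heuristic, `first_frame_outside`, of the example's own devising, to find the first frame that lies outside the subsystem containing the WARN_ON.

```python
"""Parse a kernel WARNING report (syzkaller style) into triage fields.

Added example: the regexes, the Report/Frame types and the
first_frame_outside heuristic are this helper's own.  REPORT is the
kernel log copied from the bug report above (register dumps trimmed);
the parser accepts both the mail-wrapped and the single-line layout.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

REPORT = """\
WARNING: CPU: 2 PID: 10662 at kernel/fork.c:967 __put_task_struct+0x290/0x340 kernel/fork.c:967
Modules linked in:
CPU: 2 PID: 10662 Comm: syz-executor389 Not tainted 6.8.0-rc3-00043-ga69d20885494-dirty #52
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__put_task_struct+0x290/0x340 kernel/fork.c:967
Call Trace:
<TASK>
put_task_struct include/linux/sched/task.h:138 [inline]
io_wq_exit_workers io_uring/io-wq.c:1274 [inline]
io_wq_put_and_exit+0x765/0x8f0 io_uring/io-wq.c:1296
io_uring_clean_tctx+0x10e/0x190 io_uring/tctx.c:193
io_uring_cancel_generic+0x643/0x7c0 io_uring/io_uring.c:3395
io_uring_files_cancel include/linux/io_uring.h:21 [inline]
do_exit+0x4bf/0x25a0 kernel/exit.c:829
do_group_exit+0xb4/0x250 kernel/exit.c:1020
__do_sys_exit_group kernel/exit.c:1031 [inline]
__se_sys_exit_group kernel/exit.c:1029 [inline]
__x64_sys_exit_group+0x39/0x40 kernel/exit.c:1029
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd8/0x270 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7ff010c59031
RSP: 002b:00007ffd577fbfb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
</TASK>
"""

WARN_RE = re.compile(r"^WARNING: CPU: (\d+) PID: (\d+) at (\S+)", re.M)
# Kernel-mode RIP names the function containing the WARN_ON.
RIP_RE = re.compile(r"^RIP: 0010:([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+", re.M)
# \s+ also spans a newline, so a wrapped "Not tainted\n<version>" still parses.
VERSION_RE = re.compile(r"Not tainted\s+(\S+)")
# func[+off/len] [file:line] [[inline]]; file:line is absent on entry stubs.
FRAME_RE = re.compile(r"^(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?:\s+(\S+:\d+))?(\s+\[inline\])?$")


@dataclass
class Frame:
    func: str
    location: Optional[str]  # "file:line", or None for entry stubs
    inline: bool


@dataclass
class Report:
    cpu: int
    pid: int
    site: str      # file:line of the WARN_ON itself
    func: str      # function containing the WARN_ON (from RIP)
    version: str   # kernel build string
    frames: List[Frame] = field(default_factory=list)

    @property
    def title(self) -> str:
        # Same shape as syzkaller's dedup title ("WARNING in <func>").
        return f"WARNING in {self.func}"


def parse_report(text: str) -> Report:
    warn, rip, ver = WARN_RE.search(text), RIP_RE.search(text), VERSION_RE.search(text)
    if not (warn and rip and ver):
        raise ValueError("not a recognised WARNING report")
    report = Report(int(warn[1]), int(warn[2]), warn[3], rip[1], ver[1])
    in_trace = False
    for line in text.splitlines():
        line = line.strip()
        if line == "<TASK>":
            in_trace = True
            continue
        if line == "</TASK>" or (in_trace and line.startswith("RIP:")):
            break  # user-space RIP marks the end of the kernel frames
        if in_trace and (m := FRAME_RE.match(line)):
            report.frames.append(Frame(m[1], m[2], m[3] is not None))
    return report


def first_frame_outside(report: Report, header_dirs=("include",)) -> Optional[Frame]:
    """Heuristic: the WARN_ON fires in a generic helper, so the first frame in a
    different top-level directory (skipping header-inline wrappers) usually names
    the subsystem whose bookkeeping went wrong."""
    site_dir = report.site.split("/")[0]
    for f in report.frames:
        if f.location is None:
            continue
        top = f.location.split("/")[0]
        if top != site_dir and top not in header_dirs:
            return f
    return None


if __name__ == "__main__":
    r = parse_report(REPORT)
    print(r.title, "at", r.site, "on", r.version)
    blamed = first_frame_outside(r)
    print("first frame outside", r.site.split("/")[0] + "/:", blamed.func, blamed.location)
```

Run on the report text, this yields the title "WARNING in __put_task_struct" and points at `io_wq_exit_workers` in io_uring/io-wq.c as the first caller outside kernel/, which is the place a reviewer would start reading; comparing `site`, `version` and the frame list with the same fields from the linked syzkaller entry is a quick way to decide whether it is the same bug.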

On 6/7/24 18:15, chase xd wrote:
> Dear Linux kernel maintainers,
>
> Syzkaller reports this previously unknown bug on Linux
> 6.8.0-rc3-00043-ga69d20885494-dirty #4. Seems like the bug was
> silently or unintentionally fixed in the latest version.
I can't reproduce it with either upstream or a69d20885494;
it's likely some funkiness of that branch, and it sounds like
you already tested newer kernels with no success. You can
also try it with a stable kernel to see if you can hit it.
--
Pavel Begunkov

The repro hits the bug with low probability, so maybe you need to try
more times on the branch I reported. Also, this bug still exists in
branch 6.10.0-rc1-00004-gff802a9f35cf-dirty #7.
Pavel Begunkov <[email protected]> wrote on Wed, Jun 12, 2024 at 03:17:
>
> On 6/7/24 18:15, chase xd wrote:
> > Dear Linux kernel maintainers,
> >
> > Syzkaller reports this previously unknown bug on Linux
> > 6.8.0-rc3-00043-ga69d20885494-dirty #4. Seems like the bug was
> > silently or unintentionally fixed in the latest version.
>
> I can't reproduce it with either upstream or a69d20885494;
> it's likely some funkiness of that branch, and it sounds like
> you already tested newer kernels with no success. You can
> also try it with a stable kernel to see if you can hit it.
>
> --
> Pavel Begunkov

On 6/12/24 07:59, chase xd wrote:
> The repro hits the bug with low probability, so maybe you need to try
> more times on the branch I reported. Also, this bug still exists in
> branch 6.10.0-rc1-00004-gff802a9f35cf-dirty #7.
Yeah, unreliable, just hit something with some version,
will try to repro with 6.10 and see what's going on.
> Pavel Begunkov <[email protected]> wrote on Wed, Jun 12, 2024 at 03:17:
>>
>> On 6/7/24 18:15, chase xd wrote:
>>> Dear Linux kernel maintainers,
>>>
>>> Syzkaller reports this previously unknown bug on Linux
>>> 6.8.0-rc3-00043-ga69d20885494-dirty #4. Seems like the bug was
>>> silently or unintentionally fixed in the latest version.
>>
>> I can't reproduce it with either upstream or a69d20885494;
>> it's likely some funkiness of that branch, and it sounds like
>> you already tested newer kernels with no success. You can
>> also try it with a stable kernel to see if you can hit it.
--
Pavel Begunkov