From: Pavel Begunkov <asml.silence@gmail.com>
To: Hao Sun <sunhao.th@gmail.com>, axboe@kernel.dk, io-uring@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Subject: Re: BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_task_requests
Date: Sun, 11 Apr 2021 09:10:37 +0100	[thread overview]
Message-ID: <461a8447-bc48-145f-c3dc-4b049621afcc@gmail.com> (raw)
In-Reply-To: <CACkBjsb4Ad60ZTyaaObBj2DKxSv1avmTSo3WUrnvH+amuDuhrA@mail.gmail.com>

On 11/04/2021 04:08, Hao Sun wrote:
> Hi
> 
> When using Healer (https://github.com/SunHao-0/healer/tree/dev) to fuzz
> the Linux kernel, I found a null-ptr-deref bug in
> io_uring_cancel_task_requests under a fault injection condition, but I'm
> not sure about this.
> Sorry, I do not have a reproducing program for this bug.
> I hope that the stack trace information in the crash log can help you
> locate the problem.

Thanks Hao. io_cqring_wait() failing should not affect cancellation in
any way, so the log doesn't make sense at first sight; something strange
is going on.

> 
> Here are the details:
> commit: 3b9cdafb5358eb9f3790de2f728f765fef100731
> version: linux 5.11
> git tree: upstream
> Full log can be found in the attachment.
> cqwait()
> Fault injection log:
> FAULT_INJECTION: forcing a failure.
> name fail_usercopy, interval 1, probability 0, space 0, times 0
> CPU: 1 PID: 9161 Comm: executor Not tainted 5.11.0+ #5
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> Call Trace:
>  __dump_stack lib/dump_stack.c:79 [inline]
>  dump_stack+0x137/0x194 lib/dump_stack.c:120
>  fail_dump lib/fault-inject.c:52 [inline]
>  should_fail+0x23e/0x250 lib/fault-inject.c:146
>  should_fail_usercopy+0x16/0x20 lib/fault-inject-usercopy.c:37
>  _copy_from_user+0x1c/0xd0 lib/usercopy.c:14
>  copy_from_user include/linux/uaccess.h:192 [inline]
>  set_user_sigmask+0x4b/0x110 kernel/signal.c:3015
>  io_cqring_wait+0x2e3/0x8b0 fs/io_uring.c:7250
>  __do_sys_io_uring_enter fs/io_uring.c:9480 [inline]
>  __se_sys_io_uring_enter+0x8fc/0xb70 fs/io_uring.c:9397
>  __x64_sys_io_uring_enter+0x74/0x80 fs/io_uring.c:9397
>  do_syscall_64+0x39/0x80 arch/x86/entry/common.c:46
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x46a379
> Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f046fa19c58 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
> RAX: ffffffffffffffda RBX: 000000000078c080 RCX: 000000000046a379
> RDX: 00000000000066ab RSI: 0000000000000001 RDI: 0000000000000003
> RBP: 00007f046fa19c90 R08: 0000000020000040 R09: 0000000000000008
> R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 000000000078c080 R15: 00007fff769deef0
> 
> Crash log:
> BUG: kernel NULL pointer dereference, address: 0000000000000040
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 49954067 P4D 49954067 PUD 45f92067 PMD 0
> Oops: 0000 [#1] PREEMPT SMP
> CPU: 1 PID: 9161 Comm: executor Not tainted 5.11.0+ #5
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> RIP: 0010:io_uring_cancel_task_requests+0x3f/0x990 fs/io_uring.c:9045
> Code: 48 8b 04 25 28 00 00 00 48 89 44 24 68 e8 89 e6 c5 ff 65 4c 8b
> 34 25 00 6d 01 00 49 8d 7c 24 40 48 89 7c 24 30 e8 81 97 d6 ff <41> 8b
> 5c 24 40 89 de 83 e6 02 31 ff e8 70 ea c5 ff 83 e3 02 48 89
> RSP: 0018:ffffc90002a97b48 EFLAGS: 00010246
> RAX: ffff88804b8e0d38 RBX: ffff88804b8ad700 RCX: 0000000000000764
> RDX: 0000000000000040 RSI: ffff8880409d5140 RDI: 0000000000000040
> RBP: ffff8880409d5140 R08: 0000000000000000 R09: 0000000000000043
> R10: 0001ffffffffffff R11: ffff88804b8e0280 R12: 0000000000000000
> R13: ffff8880409d5140 R14: ffff88804b8e0280 R15: ffff8880481c1800
> FS:  00007f046fa1a700(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000040 CR3: 00000000479a5000 CR4: 0000000000750ee0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> Call Trace:
>  __io_uring_files_cancel+0x9b/0x200 fs/io_uring.c:9140
>  io_uring_files_cancel include/linux/io_uring.h:65 [inline]
>  do_exit+0x1a8/0x16d0 kernel/exit.c:780
>  do_group_exit+0xc5/0x180 kernel/exit.c:922
>  get_signal+0xd90/0x1470 kernel/signal.c:2773
>  arch_do_signal_or_restart+0x2a/0x260 arch/x86/kernel/signal.c:811
>  handle_signal_work kernel/entry/common.c:147 [inline]
>  exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
>  exit_to_user_mode_prepare+0x109/0x1a0 kernel/entry/common.c:208
>  __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
>  syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:301
>  do_syscall_64+0x45/0x80 arch/x86/entry/common.c:56
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x46a379
> Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f046fa19cd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> RAX: fffffffffffffe00 RBX: 000000000078c080 RCX: 000000000046a379
> RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000078c088
> RBP: 000000000078c088 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078c08c
> R13: 0000000000000000 R14: 000000000078c080 R15: 00007fff769deef0
> Modules linked in:
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> CR2: 0000000000000040
> ---[ end trace 613db1a25ecf6443 ]---
> RIP: 0010:io_uring_cancel_task_requests+0x3f/0x990 fs/io_uring.c:9045
> Code: 48 8b 04 25 28 00 00 00 48 89 44 24 68 e8 89 e6 c5 ff 65 4c 8b
> 34 25 00 6d 01 00 49 8d 7c 24 40 48 89 7c 24 30 e8 81 97 d6 ff <41> 8b
> 5c 24 40 89 de 83 e6 02 31 ff e8 70 ea c5 ff 83 e3 02 48 89
> RSP: 0018:ffffc90002a97b48 EFLAGS: 00010246
> RAX: ffff88804b8e0d38 RBX: ffff88804b8ad700 RCX: 0000000000000764
> RDX: 0000000000000040 RSI: ffff8880409d5140 RDI: 0000000000000040
> RBP: ffff8880409d5140 R08: 0000000000000000 R09: 0000000000000043
> R10: 0001ffffffffffff R11: ffff88804b8e0280 R12: 0000000000000000
> R13: ffff8880409d5140 R14: ffff88804b8e0280 R15: ffff8880481c1800
> FS:  00007f046fa1a700(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000040 CR3: 00000000479a5000 CR4: 0000000000750ee0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> 

-- 
Pavel Begunkov
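The two register dumps quoted in the report carry more than the symbol names: the user-mode frame of each dump records which syscall the task was in (ORIG_RAX) and what the kernel was about to return (RAX), and the kernel frame of the oops records which registers hold the faulting address. The following is an added example written for this page, not code from the thread, from Healer or from the kernel tree: a small parser for x86-64 trace/oops text that pulls those fields out of both dumps (copied inline as constructed sample input, trimmed to the lines the parser needs). The syscall-number and errno tables are partial and assume the x86-64 ABI of the reporter's QEMU guest; the "below one page" heuristic for NULL-plus-offset is an assumption of the example, not something the report states.

```python
import re

# Partial x86-64 syscall and errno tables, covering only the values that appear
# in the quoted dumps (assumption: x86-64 ABI, as on the reporter's QEMU VM).
SYSCALL_NAMES = {202: "futex", 426: "io_uring_enter"}
ERRNO_NAMES = {38: "ENOSYS", 512: "ERESTARTSYS"}

# Constructed sample: the fault-injection trace from the report, trimmed.
FAULT_INJECTION_TRACE = """\
FAULT_INJECTION: forcing a failure.
name fail_usercopy, interval 1, probability 0, space 0, times 0
Call Trace:
 _copy_from_user+0x1c/0xd0 lib/usercopy.c:14
 set_user_sigmask+0x4b/0x110 kernel/signal.c:3015
 io_cqring_wait+0x2e3/0x8b0 fs/io_uring.c:7250
 __se_sys_io_uring_enter+0x8fc/0xb70 fs/io_uring.c:9397
 do_syscall_64+0x39/0x80 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x46a379
RSP: 002b:00007f046fa19c58 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: ffffffffffffffda RBX: 000000000078c080 RCX: 000000000046a379
RDX: 00000000000066ab RSI: 0000000000000001 RDI: 0000000000000003
"""

# Constructed sample: the oops from the report, trimmed.
OOPS = """\
BUG: kernel NULL pointer dereference, address: 0000000000000040
RIP: 0010:io_uring_cancel_task_requests+0x3f/0x990 fs/io_uring.c:9045
RSP: 0018:ffffc90002a97b48 EFLAGS: 00010246
RAX: ffff88804b8e0d38 RBX: ffff88804b8ad700 RCX: 0000000000000764
RDX: 0000000000000040 RSI: ffff8880409d5140 RDI: 0000000000000040
RBP: ffff8880409d5140 R08: 0000000000000000 R09: 0000000000000043
R10: 0001ffffffffffff R11: ffff88804b8e0280 R12: 0000000000000000
R13: ffff8880409d5140 R14: ffff88804b8e0280 R15: ffff8880481c1800
CR2: 0000000000000040 CR3: 00000000479a5000 CR4: 0000000000750ee0
Call Trace:
 __io_uring_files_cancel+0x9b/0x200 fs/io_uring.c:9140
 do_exit+0x1a8/0x16d0 kernel/exit.c:780
 do_group_exit+0xc5/0x180 kernel/exit.c:922
 get_signal+0xd90/0x1470 kernel/signal.c:2773
 do_syscall_64+0x45/0x80 arch/x86/entry/common.c:56
RIP: 0033:0x46a379
RSP: 002b:00007f046fa19cd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000078c080 RCX: 000000000046a379
"""

# "NAME: <16 hex digits>"; RIP/RSP use a "selector:value" form and are skipped here.
REG_RE = re.compile(r'\b(ORIG_RAX|R[A-Z0-9]{2}|CR[0-4]): ([0-9a-f]{16})\b')
RIP_RE = re.compile(r'^RIP: ([0-9a-f]{4}):(\S+)')


def parse_dump(text):
    """Split an x86-64 trace/oops into register sets and a call trace.

    Each 'RIP:' line opens a new register set; its CS selector says whether the
    set describes kernel code (0010) or the interrupted user code (0033).
    """
    result = {"fault_address": None, "fault_injection": None,
              "call_trace": [], "regsets": []}
    current, in_trace = None, False
    for line in text.splitlines():
        m = re.match(r'^BUG: .*address: ([0-9a-f]+)', line)
        if m:
            result["fault_address"] = int(m.group(1), 16)
            continue
        m = re.match(r'^name (\w+),', line)          # fault-injection site name
        if m:
            result["fault_injection"] = m.group(1)
            continue
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        m = RIP_RE.match(line)
        if m:
            in_trace = False
            current = {"cs": m.group(1), "rip": m.group(2).split('+')[0], "regs": {}}
            result["regsets"].append(current)
            continue
        if in_trace and line.startswith(" "):          # "sym+0xoff/0xlen file:line"
            result["call_trace"].append(line.split()[0].split('+')[0])
            continue
        in_trace = False
        if current is not None:
            for name, val in REG_RE.findall(line):
                current["regs"][name] = int(val, 16)
    return result


def signed64(value):
    """Interpret a 64-bit register value as signed (RAX holds -errno)."""
    return value - (1 << 64) if value & (1 << 63) else value


def triage(text):
    """First-pass checks: the syscall the task was in, what RAX holds, the
    faulting symbol, and which kernel registers carry the faulting address."""
    dump = parse_dump(text)
    kernel = [r for r in dump["regsets"] if r["cs"] == "0010"]
    user = [r for r in dump["regsets"] if r["cs"] == "0033"]
    summary = {"call_trace": dump["call_trace"],
               "fault_injection": dump["fault_injection"]}
    if user:
        regs = user[-1]["regs"]
        nr, rax = regs.get("ORIG_RAX"), signed64(regs["RAX"])
        summary["syscall"] = SYSCALL_NAMES.get(nr, "nr %s" % nr)
        summary["rax"] = rax
        summary["rax_errno"] = ERRNO_NAMES.get(-rax) if rax < 0 else None
    if kernel:
        k = kernel[0]
        addr = dump["fault_address"]
        if addr is None:
            addr = k["regs"].get("CR2")
        summary["faulting_symbol"] = k["rip"]
        summary["fault_address"] = addr
        # Heuristic (assumption of this example): an address below one page is
        # NULL plus a field offset; registers equal to it name the NULL-based pointer.
        summary["null_plus_offset"] = addr is not None and addr < 4096
        summary["regs_holding_address"] = sorted(
            n for n, v in k["regs"].items() if v == addr and n != "CR2")
    return summary
```

Run against the two dumps this gives, for the fault-injection trace, syscall io_uring_enter with RAX = -ENOSYS (the placeholder value while still inside the syscall), and for the oops, syscall futex with RAX = -ERESTARTSYS, i.e. the task was being taken down by a signal while in futex() and the fault hit in io_uring_cancel_task_requests at NULL + 0x40 with RDI and RDX both equal to 0x40. That is the same picture the report's call trace paints (get_signal -> do_group_exit -> do_exit -> __io_uring_files_cancel), just read off the registers.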

Thread overview: 4+ messages
2021-04-11  3:08 BUG: unable to handle kernel NULL pointer dereference in io_uring_cancel_task_requests Hao Sun
2021-04-11  8:10 ` Pavel Begunkov [this message]
2021-04-11  8:58   ` Hao Sun
2021-04-11  9:09     ` Pavel Begunkov
