From: Guoqing Jiang <jiangguoqing@kylinos.cn>
To: syzbot <syzbot+9ca43ff47167c0ee3466@syzkaller.appspotmail.com>,
axboe@kernel.dk, linux-block@vger.kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
hch@lst.de
Subject: Re: [syzbot] general protection fault in blk_mq_run_hw_queues
Date: Mon, 5 Jul 2021 14:00:17 +0800 [thread overview]
Message-ID: <79eae2c8-3540-f257-6068-2620570fa7f7@kylinos.cn> (raw)
In-Reply-To: <0000000000005093cb05c659dae4@google.com>
Hi,
On 7/5/21 1:48 PM, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: dbe69e43 Merge tag 'net-next-5.14' of git://git.kernel.org..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12690d94300000
> kernel config: https://syzkaller.appspot.com/x/.config?x=ef0afdedbe2d773d
> dashboard link: https://syzkaller.appspot.com/bug?extid=9ca43ff47167c0ee3466
> compiler: Debian clang version 11.0.1-2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17ded6ac300000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12af1344300000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9ca43ff47167c0ee3466@syzkaller.appspotmail.com
>
> netlink: 4 bytes leftover after parsing attributes in process `syz-executor092'.
> netlink: 4 bytes leftover after parsing attributes in process `syz-executor092'.
> nbd: socks must be embedded in a SOCK_ITEM attr
> general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> CPU: 0 PID: 8422 Comm: syz-executor092 Tainted: G W 5.13.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:blk_mq_map_queue_type block/blk-mq.h:96 [inline]
> RIP: 0010:blk_mq_get_sq_hctx block/blk-mq.c:1663 [inline]
> RIP: 0010:blk_mq_run_hw_queues+0x14f/0x430 block/blk-mq.c:1682
> Code: 80 3c 08 00 74 08 48 89 ef e8 0d 0f dd fd 44 89 fb 48 c1 e3 02 48 03 5d 00 48 89 d8 48 c1 e8 03 48 bd 00 00 00 00 00 fc ff df <8a> 04 28 84 c0 0f 85 b7 02 00 00 8b 03 49 8d 1c c4 48 89 d8 48 c1
> RSP: 0018:ffffc9000183f160 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: dffffc0000000000
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88801f912b38
> RBP: dffffc0000000000 R08: ffffffff83eb6412 R09: ffffed1003f22687
> R10: ffffed1003f22687 R11: 0000000000000000 R12: ffff88814615f4d8
> R13: 0000000000000000 R14: ffff88801f912af0 R15: 0000000000000000
> FS: 0000000001ab6300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fa915ace020 CR3: 0000000018231000 CR4: 00000000001506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> blk_set_queue_dying block/blk-core.c:353 [inline]
> blk_cleanup_queue+0x9c/0x220 block/blk-core.c:380
> blk_cleanup_disk+0x3b/0x80 block/genhd.c:1324
> nbd_dev_remove drivers/block/nbd.c:226 [inline]
> nbd_put+0x9d/0x170 drivers/block/nbd.c:246
> nbd_genl_connect+0x17e7/0x1aa0 drivers/block/nbd.c:1957
> genl_family_rcv_msg_doit net/netlink/genetlink.c:739 [inline]
> genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
> genl_rcv_msg+0xfb4/0x13c0 net/netlink/genetlink.c:800
> netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2504
> genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
> netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
> netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1340
> netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1929
> sock_sendmsg_nosec net/socket.c:702 [inline]
> sock_sendmsg net/socket.c:722 [inline]
> ____sys_sendmsg+0x5a2/0x900 net/socket.c:2385
> ___sys_sendmsg net/socket.c:2439 [inline]
> __sys_sendmsg+0x319/0x400 net/socket.c:2468
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x43fa29
> Code: 28 c3 e8 5a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffcd5946088 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> RAX: ffffffffffffffda RBX: 00000000004004a0 RCX: 000000000043fa29
> RDX: 0000000000000000 RSI: 0000000020000b40 RDI: 0000000000000003
> RBP: 0000000000403490 R08: 0000000000000000 R09: 00000000004004a0
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403520
> R13: 0000000000000000 R14: 00000000004ad018 R15: 00000000004004a0
> Modules linked in:
> ---[ end trace d9ad06d2dab45e1b ]---
> RIP: 0010:blk_mq_map_queue_type block/blk-mq.h:96 [inline]
> RIP: 0010:blk_mq_get_sq_hctx block/blk-mq.c:1663 [inline]
> RIP: 0010:blk_mq_run_hw_queues+0x14f/0x430 block/blk-mq.c:1682
> Code: 80 3c 08 00 74 08 48 89 ef e8 0d 0f dd fd 44 89 fb 48 c1 e3 02 48 03 5d 00 48 89 d8 48 c1 e8 03 48 bd 00 00 00 00 00 fc ff df <8a> 04 28 84 c0 0f 85 b7 02 00 00 8b 03 49 8d 1c c4 48 89 d8 48 c1
> RSP: 0018:ffffc9000183f160 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: dffffc0000000000
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88801f912b38
> RBP: dffffc0000000000 R08: ffffffff83eb6412 R09: ffffed1003f22687
> R10: ffffed1003f22687 R11: 0000000000000000 R12: ffff88814615f4d8
> R13: 0000000000000000 R14: ffff88801f912af0 R15: 0000000000000000
> FS: 0000000001ab6300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fa915ace020 CR3: 0000000018231000 CR4: 00000000001506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Maybe it can be fixed like this as commit
6a03cd9843fa4dcf827dc3ad60fa9b4217f3057c did.
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index 614d82e7fae4..d2548d36bf21 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -222,8 +222,8 @@ static void nbd_dev_remove(struct nbd_device *nbd)
if (disk) {
del_gendisk(disk);
- blk_mq_free_tag_set(&nbd->tag_set);
blk_cleanup_disk(disk);
+ blk_mq_free_tag_set(&nbd->tag_set);
}
Also paride/pd.c needs the same change, is my understanding correct?
Christoph.
Thanks,
Guoqing
next prev parent reply other threads:[~2021-07-05 6:00 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-05 5:48 [syzbot] general protection fault in blk_mq_run_hw_queues syzbot
2021-07-05 6:00 ` Guoqing Jiang [this message]
2021-07-05 10:24 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=79eae2c8-3540-f257-6068-2620570fa7f7@kylinos.cn \
--to=jiangguoqing@kylinos.cn \
--cc=axboe@kernel.dk \
--cc=hch@lst.de \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzbot+9ca43ff47167c0ee3466@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.