Re: [io_uring] b166b25674: BUG:KASAN:null-ptr-deref_in_i

From: Pavel Begunkov
Date: Sat Oct 10 2020 - 07:41:59 EST


On 10/10/2020 12:41, kernel test robot wrote:
> Greeting,
>
> FYI, we noticed the following commit (built with gcc-9):
>
> commit: b166b25674b991268afbe1bcbfee7d1eadf1203d ("io_uring: Fix XArray usage in io_uring_add_task_file")
> url: https://github.com/0day-ci/linux/commits/Matthew-Wilcox-Oracle/io_uring-Fix-use-of-XArray-in-__io_uring_files_cancel/20201009-205103

The patch was fixed by Jens upon queueing into io_uring tree, see
https://git.kernel.dk/cgit/linux-block/commit/?h=for-5.10/io_uring&id=236434c3438c4da3dfbd6aeeab807577b85e951a

>
>
> in testcase: trinity
> version: trinity-static-x86_64-x86_64-f93256fb_2019-08-28
> with following parameters:
>
> runtime: 300s
>
> test-description: Trinity is a linux system call fuzz tester.
> test-url: http://codemonkey.org.uk/projects/trinity/
>
>
> on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G
>
> caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
>
>
> +---------------------------------------------+------------+------------+
> |                                             | 0fcb19f37b | b166b25674 |
> +---------------------------------------------+------------+------------+
> | boot_successes                              | 4          | 0          |
> | boot_failures                               | 0          | 4          |
> | BUG:KASAN:null-ptr-deref_in_i               | 0          | 4          |
> | BUG:kernel_NULL_pointer_dereference,address | 0          | 4          |
> | Oops:#[##]                                  | 0          | 4          |
> | RIP:io_uring_add_task_file                  | 0          | 4          |
> | Kernel_panic-not_syncing:Fatal_exception    | 0          | 4          |
> +---------------------------------------------+------------+------------+
>
>
> If you fix the issue, kindly add the following tag
> Reported-by: kernel test robot <lkp@xxxxxxxxx>
>
>
> [ 62.517646] BUG: KASAN: null-ptr-deref in io_uring_add_task_file+0x4c/0xe0
> [ 62.519048] Read of size 8 at addr 00000000000000b0 by task trinity-c1/829
> [ 62.523951]
> [ 62.524242] CPU: 1 PID: 829 Comm: trinity-c1 Not tainted 5.9.0-rc8-next-20201009-00002-gb166b25674b9 #2
> [ 62.526099] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
> [ 62.527815] Call Trace:
> [ 62.528308] dump_stack+0xd1/0x119
> [ 62.529059] ? io_uring_add_task_file+0x4c/0xe0
> [ 62.529957] ? io_uring_add_task_file+0x4c/0xe0
> [ 62.530314] random: get_random_u64 called from arch_pick_mmap_layout+0xb6/0x280 with crng_init=1
> [ 62.530331] random: get_random_u64 called from arch_pick_mmap_layout+0x1d4/0x280 with crng_init=1
> [ 62.534194] kasan_report.cold+0x5/0x37
> [ 62.535041] ? io_uring_add_task_file+0x4c/0xe0
> [ 62.535996] io_uring_add_task_file+0x4c/0xe0
> [ 62.536869] io_uring_create+0xa0c/0xc60
> [ 62.537703] io_uring_setup+0xb6/0x120
> [ 62.538429] ? io_uring_create+0xc60/0xc60
> [ 62.539309] ? syscall_enter_from_user_mode+0x74/0xc0
> [ 62.540382] ? trace_hardirqs_on+0x48/0x120
> [ 62.541262] do_syscall_64+0x34/0x50
> [ 62.542051] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [ 62.543035] RIP: 0033:0x453b29
> [ 62.543562] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 84 00 00 c3 66 2e 0f 1f 84 00 00 00 00
> [ 62.547371] RSP: 002b:00007ffc0a17d778 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9
> [ 62.565017] RAX: ffffffffffffffda RBX: 00000000000001a9 RCX: 0000000000453b29
> [ 62.566269] RDX: 00000000000000e7 RSI: 00007f36ac820000 RDI: 00000000000000cf
> [ 62.567534] RBP: 00007ffc0a17d820 R08: 00000000c00000ce R09: 00000000000000bb
> [ 62.568803] R10: 000000000000ff93 R11: 0000000000000246 R12: 0000000000000002
> [ 62.570093] R13: 00007f36acb4e058 R14: 0000000001afd830 R15: 00007f36acb4e000
> [ 62.571485] ==================================================================
> [ 62.572888] Disabling lock debugging due to kernel taint
> [ 62.574137] BUG: kernel NULL pointer dereference, address: 00000000000000b0
> [ 62.575657] #PF: supervisor read access in kernel mode
> [ 62.576757] #PF: error_code(0x0000) - not-present page
> [ 62.577826] PGD 8000000125f81067 P4D 8000000125f81067 PUD 10c4f8067 PMD 0
> [ 62.579272] Oops: 0000 [#1] SMP KASAN PTI
> [ 62.590855] CPU: 1 PID: 829 Comm: trinity-c1 Tainted: G B 5.9.0-rc8-next-20201009-00002-gb166b25674b9 #2
> [ 62.592683] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
> [ 62.594078] RIP: 0010:io_uring_add_task_file+0x4c/0xe0
> [ 62.594962] Code: e8 69 70 f1 ff 49 8b ac 24 e8 05 00 00 48 85 ed 0f 84 89 00 00 00 e8 13 4b d1 ff 4c 8d a5 b0 00 00 00 4c 89 e7 e8 44 70 f1 ff <48> 39 9d b0 00 00 00 74 29 e8 f6 4a d1 ff 48 89 de 48 89 ef e8 ab
> [ 62.597942] RSP: 0018:ffff8881180b7db0 EFLAGS: 00010282
> [ 62.598810] RAX: 0000000000000001 RBX: ffff88811bb9c7c0 RCX: ffffffff81192dd3
> [ 62.600042] RDX: 0000000000000000 RSI: ffffffff8127c238 RDI: ffffffff823657c9
> [ 62.601200] RBP: 0000000000000000 R08: ffffffff81192dc4 R09: fffffbfff0722d8d
> [ 62.602476] R10: ffffffff83916c63 R11: fffffbfff0722d8c R12: 00000000000000b0
> [ 62.603680] R13: ffff8881180b7e6c R14: ffff8881268b8aa8 R15: ffff88811bb9c7c0
> [ 62.604885] FS: 0000000001afd880(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
> [ 62.609926] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 62.611890] CR2: 00000000000000b0 CR3: 000000010d07e000 CR4: 00000000000406a0
> [ 62.614187] DR0: 00007f36ac420000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 62.616402] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
> [ 62.617646] Call Trace:
> [ 62.618083] io_uring_create+0xa0c/0xc60
> [ 62.618744] io_uring_setup+0xb6/0x120
> [ 62.630890] ? io_uring_create+0xc60/0xc60
> [ 62.633250] ? syscall_enter_from_user_mode+0x74/0xc0
> [ 62.635172] ? trace_hardirqs_on+0x48/0x120
> [ 62.644116] do_syscall_64+0x34/0x50
> [ 62.644736] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [ 62.645564] RIP: 0033:0x453b29
> [ 62.646478] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 84 00 00 c3 66 2e 0f 1f 84 00 00 00 00
> [ 62.658096] RSP: 002b:00007ffc0a17d778 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9
> [ 62.659354] RAX: ffffffffffffffda RBX: 00000000000001a9 RCX: 0000000000453b29
> [ 62.660754] RDX: 00000000000000e7 RSI: 00007f36ac820000 RDI: 00000000000000cf
> [ 62.661911] RBP: 00007ffc0a17d820 R08: 00000000c00000ce R09: 00000000000000bb
> [ 62.663066] R10: 000000000000ff93 R11: 0000000000000246 R12: 0000000000000002
> [ 62.664242] R13: 00007f36acb4e058 R14: 0000000001afd830 R15: 00007f36acb4e000
> [ 62.665397] Modules linked in: input_leds led_class parport_pc qemu_fw_cfg
> [ 62.666562] CR2: 00000000000000b0
> [ 62.667344] ---[ end trace b0d4015dae9c12ae ]---
>
>
> To reproduce:
>
> # build kernel
> cd linux
> cp config-5.9.0-rc8-next-20201009-00002-gb166b25674b9 .config
> make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage
>
> git clone https://github.com/intel/lkp-tests.git
> cd lkp-tests
> bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
>
>
>
> Thanks,
> lkp
>

--
Pavel Begunkov
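The two register dumps in the quoted report already say a lot before anyone reruns trinity. The program below is an added example written for this page; it is not code from the lkp report, from lkp-tests or from the io_uring tree. It parses the user-space dump (the block under "RIP: 0033:0x453b29") to recover the syscall and its arguments using the x86-64 ABI (number in ORIG_RAX, arguments in rdi, rsi, rdx, r10, r8, r9; 0x1a9 = 425 = io_uring_setup), parses the kernel-side dump to confirm the access was a NULL base plus a small field offset (CR2 - RBP = 0xb0, which is consistent with the marked Code: bytes `48 39 9d b0 00 00 00`, i.e. `cmp [rbp+0xb0], rbx`), and then replays io_uring_setup() with the recovered entries count. The register lines are copied verbatim from the report; the zeroed io_uring_params block passed to the replay is an assumption, since the params trinity used are not in the report, and whether the replay reaches the faulting path on the broken commit is therefore not guaranteed.

```c
/* Added example (editor's own code, not from the report, lkp-tests or the
 * io_uring tree): decode an x86-64 oops register dump and replay the syscall. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#if defined(__linux__) && defined(__has_include)
#  if __has_include(<linux/io_uring.h>)
#    include <linux/io_uring.h>
#    define HAVE_IO_URING_H 1
#  endif
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425  /* x86-64 number, matches ORIG_RAX in the report */
#endif

/* User-space register lines copied verbatim from the report above. */
static const char user_dump[] =
    "[   62.547371] RSP: 002b:00007ffc0a17d778 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9\n"
    "[   62.565017] RAX: ffffffffffffffda RBX: 00000000000001a9 RCX: 0000000000453b29\n"
    "[   62.566269] RDX: 00000000000000e7 RSI: 00007f36ac820000 RDI: 00000000000000cf\n"
    "[   62.567534] RBP: 00007ffc0a17d820 R08: 00000000c00000ce R09: 00000000000000bb\n"
    "[   62.568803] R10: 000000000000ff93 R11: 0000000000000246 R12: 0000000000000002\n";

/* Kernel-side register lines copied verbatim from the report above. */
static const char kernel_dump[] =
    "[   62.601200] RBP: 0000000000000000 R08: ffffffff81192dc4 R09: fffffbfff0722d8d\n"
    "[   62.602476] R10: ffffffff83916c63 R11: fffffbfff0722d8c R12: 00000000000000b0\n"
    "[   62.611890] CR2: 00000000000000b0 CR3: 000000010d07e000 CR4: 00000000000406a0\n";

/* Find "NAME: <hex>" at a token boundary, so that "RAX: " is not matched
 * inside "ORIG_RAX: ". Returns 1 and stores the value, or 0 if absent. */
static int parse_reg(const char *text, const char *name, uint64_t *out)
{
    char key[16];
    int klen = snprintf(key, sizeof key, "%s: ", name);
    for (const char *p = strstr(text, key); p; p = strstr(p + 1, key)) {
        if (p == text || p[-1] == ' ' || p[-1] == '\n') {
            *out = strtoull(p + klen, NULL, 16);
            return 1;
        }
    }
    return 0;
}

struct syscall_args {
    uint64_t nr;
    uint64_t arg[6];
};

/* Recover syscall number and the six argument registers of the x86-64 ABI
 * from a user-space register dump. Returns 0 on success, -1 if a field is
 * missing. */
int decode_syscall(const char *dump, struct syscall_args *s)
{
    static const char *arg_regs[6] = { "RDI", "RSI", "RDX", "R10", "R08", "R09" };
    if (!parse_reg(dump, "ORIG_RAX", &s->nr))
        return -1;
    for (int i = 0; i < 6; i++)
        if (!parse_reg(dump, arg_regs[i], &s->arg[i]))
            return -1;
    return 0;
}

/* The three io_uring syscalls on x86-64; everything else is "other". */
const char *syscall_name(uint64_t nr)
{
    switch (nr) {
    case 425: return "io_uring_setup";
    case 426: return "io_uring_enter";
    case 427: return "io_uring_register";
    default:  return "other";
    }
}

/* Distance of the faulting address (CR2) from a base register: a small
 * positive value with a zero base is a NULL struct pointer dereferenced at
 * that field offset. Returns -1 if either register is missing. */
int64_t fault_offset(const char *dump, const char *base_reg)
{
    uint64_t cr2, base;
    if (!parse_reg(dump, "CR2", &cr2) || !parse_reg(dump, base_reg, &base))
        return -1;
    return (int64_t)(cr2 - base);
}

/* Replay io_uring_setup() with the recovered entries count. A zeroed params
 * block is an assumption (trinity's params are not in the report).
 * Returns the ring fd, or -errno. */
int replay_io_uring_setup(uint32_t entries)
{
#ifdef HAVE_IO_URING_H
    struct io_uring_params p;
    memset(&p, 0, sizeof p);
    long fd = syscall(__NR_io_uring_setup, entries, &p);
    return fd < 0 ? -errno : (int)fd;
#else
    (void)entries;
    return -ENOSYS;
#endif
}

int main(void)
{
    struct syscall_args s;
    if (decode_syscall(user_dump, &s) != 0)
        return 1;
    printf("syscall %llu (%s): entries=%llu params=%#llx\n",
           (unsigned long long)s.nr, syscall_name(s.nr),
           (unsigned long long)s.arg[0], (unsigned long long)s.arg[1]);
    printf("fault offset from RBP: %#llx\n",
           (unsigned long long)fault_offset(kernel_dump, "RBP"));
    int fd = replay_io_uring_setup((uint32_t)s.arg[0]);
    if (fd < 0)
        printf("io_uring_setup failed: %s\n", strerror(-fd));
    else {
        printf("ring fd %d\n", fd);
        close(fd);
    }
    return 0;
}
```

On a kernel with the queued fix the replay returns a ring fd (or -EPERM/-ENOSYS where io_uring is disabled or filtered); on the broken commit it would need to reach io_uring_add_task_file to trigger the same oops, which this example does not promise.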