[io-uring] WARNING in __put_task_struct

From: chase xd
Date: Fri Jun 07 2024 - 13:15:52 EST


Dear Linux kernel maintainers,

Syzkaller reports this previously unknown bug on Linux
6.8.0-rc3-00043-ga69d20885494-dirty #4. It seems like the bug was
silently or unintentionally fixed in the latest version.

I found a similar bug report
[here](https://syzkaller.appspot.com/bug?id=ac425cc8dcf667de21cbe25208555a346ab658d0),
but I think this should be a different bug?

```
Syzkaller hit 'WARNING in __put_task_struct' bug.

------------[ cut here ]------------
WARNING: CPU: 2 PID: 10662 at kernel/fork.c:967
__put_task_struct+0x290/0x340 kernel/fork.c:967
Modules linked in:
CPU: 2 PID: 10662 Comm: syz-executor389 Not tainted
6.8.0-rc3-00043-ga69d20885494-dirty #52
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__put_task_struct+0x290/0x340 kernel/fork.c:967
Code: da ff ff 48 8b 3d b0 28 69 0f 4c 89 e6 e8 88 d2 7b 00 e9 45 ff
ff ff be 03 00 00 00 4c 89 e7 e8 46 be c7 02 e9 33 ff ff ff 90 <0f> 0b
90 e9 ac fd ff ff 90 0f 0b 90 e9 e9 fd ff ff 90 0f 0b 90 e9
RSP: 0018:ffffc90017f67b38 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff92002fecf6f RCX: 1ffff92002fecf36
RDX: 1ffff1100e71a530 RSI: ffffffff8a0bdce0 RDI: ffff8880738d2980
RBP: ffff8880738d2440 R08: 0000000000000000 R09: fffffbfff23d9a15
R10: ffffffff91ecd0af R11: 0000000000000000 R12: ffffffff840b8886
R13: ffff8880738d2468 R14: ffff888024ad7818 R15: ffff8880738d2440
FS: 0000555557445480(0000) GS:ffff8880b9880000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff010cdf0b0 CR3: 0000000032094000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
<TASK>
put_task_struct include/linux/sched/task.h:138 [inline]
io_wq_exit_workers io_uring/io-wq.c:1274 [inline]
io_wq_put_and_exit+0x765/0x8f0 io_uring/io-wq.c:1296
io_uring_clean_tctx+0x10e/0x190 io_uring/tctx.c:193
io_uring_cancel_generic+0x643/0x7c0 io_uring/io_uring.c:3395
io_uring_files_cancel include/linux/io_uring.h:21 [inline]
do_exit+0x4bf/0x25a0 kernel/exit.c:829
do_group_exit+0xb4/0x250 kernel/exit.c:1020
__do_sys_exit_group kernel/exit.c:1031 [inline]
__se_sys_exit_group kernel/exit.c:1029 [inline]
__x64_sys_exit_group+0x39/0x40 kernel/exit.c:1029
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd8/0x270 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7ff010c59031
Code: b8 ff ff ff be e7 00 00 00 ba 3c 00 00 00 eb 16 66 0f 1f 84 00
00 00 00 00 89 d0 0f 05 48 3d 00 f0 ff ff 77 1c f4 89 f0 0f 05 <48> 3d
00 f0 ff ff 76 e7 f7 d8 64 41 89 00 eb df 0f 1f 80 00 00 00
RSP: 002b:00007ffd577fbfb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007ff010cde1f0 RCX: 00007ff010c59031
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffb8 R09: 000000000000ffff
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff010cde1f0
R13: 0000000000000000 R14: 00007ff010cdec80 R15: 00007ff010c13500
</TASK>


Syzkaller reproducer:
# {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1
Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false
NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false
KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false
Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false
HandleSegv:true Repro:false Trace:false LegacyOptions:{Collide:false
Fault:false FaultCall:0 FaultNth:0}}
r0 = syz_io_uring_setup(0x6e47, &(0x7f0000000000)={0x0, 0x8847, 0x80,
0x4000003, 0x3d6}, &(0x7f0000000080)=<r1=>0x0,
&(0x7f00000000c0)=<r2=>0x0)
open(&(0x7f0000000100)='./file0\x00', 0x2041, 0x8)
r3 = open$dir(&(0x7f0000000140)='./file0\x00', 0x680400, 0x104)
r4 = socket(0x28, 0x80000, 0x89)
epoll_create1(0x80000)
eventfd2(0x802, 0x80800)
syz_io_uring_submit(r1, r2,
&(0x7f0000000340)=@IORING_OP_SEND_ZC={0x2f, 0x1c, 0x1, @sock=r4,
&(0x7f0000000240)=@tipc=@name={0x1e, 0x2, 0x1, {{0x41, 0x4}, 0x3}},
&(0x7f00000002c0)=""/82, 0x52, 0x200, 0x1, 0x101, 0x0, {0x100}})
io_uring_enter(r0, 0x1, 0x1, 0x11, &(0x7f0000000380), 0x8)
syz_io_uring_complete(r1, &(0x7f0000000400))
io_uring_register$IORING_REGISTER_ENABLE_RINGS(r0, 0xc, 0x0, 0x0)
syz_io_uring_submit(r1, r2,
&(0x7f0000000180)=@IORING_OP_ASYNC_CANCEL={0xe, 0x1, 0x0, 0x0, 0x0,
0x1, 0x0, 0x4, 0x1})
syz_io_uring_submit(r1, r2, 0x0)
syz_io_uring_submit(r1, r2,
&(0x7f0000000680)=@IORING_OP_UNLINKAT={0x24, 0x50, 0x0, @fd_dir=r3,
0x0, &(0x7f0000000500)='./file0\x00'})
io_uring_enter(r0, 0x3, 0x3, 0xb, 0x0, 0x0)
syz_io_uring_complete(r1, 0x0)
```

The C repro is in the attachment.

Best Regards
Xdchase

Attachment: repro.c
Description: Binary data