Re: [syzbot] KASAN: use-after-free Write in __io_free_req

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+78b76ebc91042904f34e@syzkaller.appspotmail.com>
To: asml.silence@gmail.com, axboe@kernel.dk,
	io-uring@vger.kernel.org, linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] KASAN: use-after-free Write in __io_free_req
Date: Fri, 29 Oct 2021 20:58:13 -0700	[thread overview]
Message-ID: <000000000000ea455405cf89f33d@google.com> (raw)
In-Reply-To: <cebb75d5-076d-0b05-6c37-b880accc320e@gmail.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: refcount bug in delayed_put_task_struct

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 19 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.15.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28
Code: e9 db fe ff ff 48 89 df e8 7c aa 1a fe e9 8a fe ff ff e8 92 6c d3 fd 48 c7 c7 80 bb be 89 c6 05 95 a4 8d 09 01 e8 5b 36 19 05 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55
RSP: 0018:ffffc90000d97d00 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888011af5580 RSI: ffffffff815e8868 RDI: fffff520001b2f92
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815e260e R11: 0000000000000000 R12: ffff888071c45580
R13: ffff888071c455a8 R14: 0000000000000004 R15: ffff888071c46a50
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe200c24218 CR3: 000000006f2d8000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 put_task_struct include/linux/sched/task.h:112 [inline]
 delayed_put_task_struct+0x2e3/0x340 kernel/exit.c:172
 rcu_do_batch kernel/rcu/tree.c:2508 [inline]
 rcu_core+0x7ab/0x1470 kernel/rcu/tree.c:2743
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 run_ksoftirqd kernel/softirq.c:920 [inline]
 run_ksoftirqd+0x2d/0x60 kernel/softirq.c:912
 smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295


Tested on:

commit:         3ecd20a9 io-wq: remove worker to owner tw dependency
git tree:       https://github.com/isilence/linux.git syz-test-iofree
console output: https://syzkaller.appspot.com/x/log.txt?x=160209d4b00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=10c050a45aafafcc
dashboard link: https://syzkaller.appspot.com/bug?extid=78b76ebc91042904f34e
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

next prev parent reply	other threads:[~2021-10-30  3:58 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-29 14:34 [syzbot] KASAN: use-after-free Write in __io_free_req syzbot
2021-10-29 14:45 ` Pavel Begunkov
2021-10-29 17:59   ` Pavel Begunkov
2021-10-29 21:12     ` syzbot
2021-10-29 21:20       ` Pavel Begunkov
2021-10-30  3:58         ` syzbot [this message]
2021-10-29 20:53   ` syzbot
2021-10-29 14:46 ` Pavel Begunkov
2021-10-29 21:11   ` syzbot
2021-10-31 12:14 ` Pavel Begunkov
2021-10-31 22:59 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000ea455405cf89f33d@google.com \
    --to=syzbot+78b76ebc91042904f34e@syzkaller.appspotmail.com \
    --cc=asml.silence@gmail.com \
    --cc=axboe@kernel.dk \
    --cc=io-uring@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.