io_uring regression in the Ubuntu kernel (deadlock)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Triaged | Critical | Unassigned |
Kinetic | Won't Fix | High | Unassigned |
Bug Description
Whenever using io_uring on the Ubuntu 5.15 or 5.19 kernel, one gets:
```
[ 123.226074] BUG: kernel NULL pointer dereference, address: 000000000000001d
[ 123.226160] #PF: supervisor read access in kernel mode
[ 123.226201] #PF: error_code(0x0000) - not-present page
[ 123.226241] PGD 0 P4D 0
[ 123.226272] Oops: 0000 [#1] PREEMPT SMP PTI
[ 123.226310] CPU: 2 PID: 4326 Comm: qemu-system-x86 Tainted: P O 5.19.0-42-generic #43~22.04.1-Ubuntu
[ 123.226381] Hardware name: /D33217GKE, BIOS GKPPT10H.
[ 123.228698] RIP: 0010:__
[ 123.231029] Code: 00 00 83 f8 09 0f 84 e7 00 00 00 83 f8 03 0f 84 15 01 00 00 48 89 d1 4c 89 c6 4c 89 ca e8 b5 f2 ff ff 48 89 c3 48 85 db 74 5f <44> 8b 63 28 81 4b 10 00 40 00 00 49 be 00 00 00 00 00 00 00 80 4c
[ 123.235909] RSP: 0018:ffff9bb341
[ 123.238328] RAX: fffffffffffffff5 RBX: fffffffffffffff5 RCX: 0000000000000000
[ 123.240737] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 123.243093] RBP: ffff9bb341477a08 R08: 0000000000000000 R09: 0000000000000000
[ 123.245435] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8e095d629ac0
[ 123.247735] R13: ffff9bb341477a18 R14: ffff8e0940df2040 R15: 0000000001400000
[ 123.250024] FS: 00007fa1cff602c
[ 123.252306] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 123.254591] CR2: 000000000000001d CR3: 0000000111ccc006 CR4: 00000000001726e0
[ 123.256899] Call Trace:
[ 123.259174] <TASK>
[ 123.261406] blk_mq_
[ 123.263626] __submit_
[ 123.265795] __submit_
[ 123.267922] submit_
[ 123.270016] ? blk_cgroup_
[ 123.272076] ? recalibrate_
[ 123.274114] ? ktime_get+0x46/0xc0
[ 123.276126] submit_
[ 123.278132] submit_
[ 123.280121] __blkdev_
[ 123.282108] blkdev_
[ 123.284097] blkdev_
[ 123.286065] io_read+0xea/0x510
[ 123.288080] ? fget+0x83/0xc0
[ 123.290031] io_issue_
[ 123.291960] ? io_init_
[ 123.293847] io_submit_
[ 123.295703] ? __fget_
[ 123.297537] __do_sys_
[ 123.299345] ? __secure_
[ 123.301153] __x64_sys_
[ 123.302900] do_syscall_
[ 123.304608] ? do_syscall_
[ 123.306286] ? exit_to_
[ 123.307969] ? syscall_
[ 123.309605] ? do_syscall_
[ 123.311176] ? do_syscall_
[ 123.312717] ? sysvec_
[ 123.314252] entry_SYSCALL_
[ 123.315791] RIP: 0033:0x7fa1d28855e1
[ 123.317314] Code: 89 55 e4 89 4d e0 4c 89 45 d8 4c 89 4d d0 44 8b 55 e0 4c 8b 45 d8 4c 8b 4d d0 b8 aa 01 00 00 8b 7d ec 8b 75 e8 8b 55 e4 0f 05 <48> 89 45 f8 48 8b 45 f8 5d c3 55 48 89 e5 48 83 ec 18 89 7d fc 89
[ 123.320664] RSP: 002b:00007fa175
[ 123.322364] RAX: ffffffffffffffda RBX: 00005603c0418a28 RCX: 00007fa1d28855e1
[ 123.324060] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 000000000000002d
[ 123.325684] RBP: 00007fa17550ae68 R08: 0000000000000000 R09: 0000000000000008
[ 123.327225] R10: 0000000000000000 R11: 0000000000000216 R12: 00005603c0418b10
[ 123.328734] R13: 00005603bdc48948 R14: 00005603bdc48988 R15: 0000000000000000
[ 123.330247] </TASK>
[ 123.331740] Modules linked in: nft_masq nft_chain_nat zfs(PO) zunicode(PO) zzstd(O) zlua(O) zavl(PO) icp(PO) zcommon(PO) znvpair(PO) spl(O) ebtable_filter ebtables ip6table_raw ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_raw iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter nf_tables nfnetlink vhost_vsock vmw_vsock_
[ 123.331923] async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear i915 drm_buddy i2c_algo_bit ttm hid_generic drm_display_helper cec usbhid hid rc_core drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect crc32_pclmul sysimgblt fb_sys_fops ghash_clmulni_intel cryptd ahci drm i2c_i801 e1000e i2c_smbus lpc_ich libahci video
[ 123.350700] CR2: 000000000000001d
[ 123.352644] ---[ end trace 0000000000000000 ]---
[ 123.354014] RIP: 0010:__
[ 123.355051] Code: 00 00 83 f8 09 0f 84 e7 00 00 00 83 f8 03 0f 84 15 01 00 00 48 89 d1 4c 89 c6 4c 89 ca e8 b5 f2 ff ff 48 89 c3 48 85 db 74 5f <44> 8b 63 28 81 4b 10 00 40 00 00 49 be 00 00 00 00 00 00 00 80 4c
[ 123.357377] RSP: 0018:ffff9bb341
[ 123.358553] RAX: fffffffffffffff5 RBX: fffffffffffffff5 RCX: 0000000000000000
[ 123.359798] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 123.361170] RBP: ffff9bb341477a08 R08: 0000000000000000 R09: 0000000000000000
[ 123.362410] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8e095d629ac0
[ 123.363544] R13: ffff9bb341477a18 R14: ffff8e0940df2040 R15: 0000000001400000
[ 123.364704] FS: 00007fa1cff602c
[ 123.365949] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 123.367059] CR2: 000000000000001d CR3: 0000000111ccc006 CR4: 00000000001726e0
```
This is due to a bad backport in the Ubuntu kernel:
https:/
As this can be triggered by an unprivileged user and causes a NULL pointer dereference, it may be exploitable to DoS the system, or even panic it in some cases.
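As an added example (not part of the bug report), here is a small Python parser for oops output in the shape quoted above; it flags NULL-pointer oopses whose call trace passes through io_uring, so collected dmesg output can be checked for hosts hitting this regression. The io_uring symbol prefixes and the second, non-io_uring sample oops are assumptions of this example.

```python
import re

# Added example (not from the bug report): parse dmesg/oops text in the shape quoted
# above and flag NULL-pointer oopses whose call trace passes through io_uring.
IO_URING_FRAMES = ("io_read", "io_write", "io_issue_", "io_submit_", "io_uring")  # assumed prefixes
TS_RE = re.compile(r"^\[\s*[\d.]+\]\s*")
BUG_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
CPU_RE = re.compile(r"CPU: \d+ PID: (\d+) Comm: (\S+) (?:Tainted: (.+?)|Not tainted) (\S+) #")
FRAME_RE = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")

# Constructed sample: the first oops mirrors the report's lines, the second is an
# invented non-io_uring oops that must NOT be flagged.
SAMPLE_DMESG = """\
[  123.226074] BUG: kernel NULL pointer dereference, address: 000000000000001d
[  123.226310] CPU: 2 PID: 4326 Comm: qemu-system-x86 Tainted: P           O 5.19.0-42-generic #43~22.04.1-Ubuntu
[  123.256899] Call Trace:
[  123.286065]  io_read+0xea/0x510
[  123.288080]  ? fget+0x83/0xc0
[  123.352644] ---[ end trace 0000000000000000 ]---
[  200.000001] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  200.000002] CPU: 0 PID: 17 Comm: kworker/0:1 Not tainted 5.19.0-42-generic #43~22.04.1-Ubuntu
[  200.000003]  example_worker_fn+0x10/0x20
[  200.000004] ---[ end trace 0000000000000000 ]---
"""

def parse_oopses(text):
    """Return one dict per oops: fault address, pid, comm, taint flags, kernel, frames."""
    oopses, cur = [], None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)
        if m := BUG_RE.search(line):
            cur = {"address": int(m.group(1), 16), "frames": []}
            oopses.append(cur)
        elif cur is None:
            continue
        elif m := CPU_RE.search(line):
            cur.update(pid=int(m.group(1)), comm=m.group(2),
                       tainted=m.group(3) or "", kernel=m.group(4))
        elif m := FRAME_RE.match(line):
            cur["frames"].append(m.group(2))   # '? ' marks an unreliable frame; keep the symbol
        elif line.startswith("---[ end trace"):
            cur = None                          # report complete; stop attributing lines to it
    return oopses

def io_uring_null_derefs(text):
    """(pid, comm, kernel) for each oops faulting in the first page (NULL + small offset) via io_uring."""
    return [(o["pid"], o["comm"], o["kernel"]) for o in parse_oopses(text)
            if o["address"] < 4096 and any(f.startswith(IO_URING_FRAMES) for f in o["frames"])]
```

Run it over `journalctl -k` or `dmesg` output instead of SAMPLE_DMESG to check real hosts; truncated frames like the ones in the report above simply do not match FRAME_RE and are skipped.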
- information type: Private Security → Public Security
- Changed in linux (Ubuntu Kinetic): status: New → In Progress
- Changed in linux (Ubuntu Kinetic): importance: Undecided → High; status: In Progress → Fix Committed
We first saw this hit maybe a month or 6 weeks ago in 5.15. As we didn't have time to debug it at the time, we just moved our CI to the 5.19 kernel and moved on, but now it's hitting 5.19 as well...