Created attachment 297707: Recvmsg with provide_buffers bug

Hi,

I found a kernel NULL pointer dereference bug when running recvmsg() on io_uring using provide buffers. I am attaching a C program (based on https://github.com/axboe/liburing/blob/master/test/send_recvmsg.c) as a reference.

To reproduce the issue, compile the attached code, link to liburing, execute and then run:

    nc -u 127.0.0.1 10200 < /dev/random

It might run a few times without triggering the bug, even though the provide buffers call to return the buffers fails after a while.

Below is the error report:

    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.374691] BUG: kernel NULL pointer dereference, address: 0000000000000008
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.375728] #PF: supervisor read access in kernel mode
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.376531] #PF: error_code(0x0000) - not-present page
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.377225] PGD 0 P4D 0
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.377675] Oops: 0000 [#1] SMP PTI
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.378432] CPU: 2 PID: 7197 Comm: stalwart Tainted: G OE 5.11.0-051100-generic #202102142330
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.380422] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.381566] RIP: 0010:_copy_to_iter+0x5e/0x300
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.382176] Code: f4 48 85 d2 0f 84 a2 00 00 00 49 8b 5d 08 a8 10 0f 85 0e 01 00 00 a8 08 0f 85 ea 01 00 00 a8 40 0f 85 73 02 00 00 4d 8b 75 18 <4d> 8b 7e 08 49 29 df 49 39 f7 4c 0f 47 fe 4d 85 ff 0f 84 60 02 00
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.385441] RSP: 0018:ffffa26d45ff7878 EFLAGS: 00010246
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.386395] RAX: 0000000000000004 RBX: 0000000000000000 RCX: ffff91db80000000
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.387838] RDX: 000000000000ffff RSI: 0000000000004000 RDI: ffff91dc8413002c
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.388759] RBP: ffffa26d45ff78c8 R08: ffff91dc8413002c R09: ffffa26d45ff7b60
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.389690] R10: 0000000000004000 R11: 0000000000004000 R12: 0000000000004000
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.390640] R13: ffffa26d45ff7b60 R14: 0000000000000000 R15: 0000000000004000
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.391606] FS: 00007f96699c1b80(0000) GS:ffff91dd97d00000(0000) knlGS:0000000000000000
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.393485] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.394279] CR2: 0000000000000008 CR3: 0000000108e5c006 CR4: 00000000000706e0
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.395486] Call Trace:
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.396074] ? __check_object_size.part.0+0x4a/0x150
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.397154] udp_recvmsg+0x34f/0x5a0
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.397679] ? udp_recvmsg+0x1ef/0x5a0
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.398172] inet_recvmsg+0xfd/0x120
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.398642] ? security_socket_recvmsg+0x3d/0x60
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.399714] sock_recvmsg+0x69/0x80
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.400396] ____sys_recvmsg+0x98/0x1b0
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.400971] ? __copy_msghdr_from_user+0x3d/0x150
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.401672] ? radix_tree_lookup+0xd/0x10
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.402227] __sys_recvmsg_sock+0x39/0x50
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.402760] io_recvmsg+0xba/0x2c0
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.403284] ? x2apic_send_IPI+0x4d/0x60
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.404252] ? native_send_call_func_single_ipi+0x1e/0x20
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.405308] ? send_call_function_single_ipi+0x58/0x90
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.406307] ? __smp_call_single_queue+0x3a/0x40
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.407233] ? ttwu_queue_wakelist+0xd1/0xf0
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.408145] ? kmem_cache_alloc_trace+0xf6/0x200
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.409077] ? io_provide_buffers+0xa3/0x230
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.409981] ? io_provide_buffers+0x10b/0x230
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.410885] io_issue_sqe+0x864/0xaa0
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.411734] __io_queue_sqe+0xcb/0x2f0
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.412732] io_queue_sqe+0x12f/0x180
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.413677] io_submit_sqe+0x1c2/0x250
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.414476] io_submit_sqes+0x1a2/0x5b0
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.415248] ? tty_ldisc_deref+0x16/0x20
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.416095] ? file_tty_write.constprop.0+0x9e/0xc0
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.417016] ? tty_write+0x11/0x20
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.417805] ? new_sync_write+0x114/0x1a0
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.418643] __do_sys_io_uring_enter+0x294/0x400
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.419605] ? ksys_write+0x67/0xe0
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.420342] __x64_sys_io_uring_enter+0x29/0x30
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.421281] do_syscall_64+0x38/0x90
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.422010] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.422987] RIP: 0033:0x7f9669ae489d
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.423826] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c3 f5 0c 00 f7 d8 64 89 01 48
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.427143] RSP: 002b:00007ffd0342a9a8 EFLAGS: 00000216 ORIG_RAX: 00000000000001aa
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.428529] RAX: ffffffffffffffda RBX: 000056090c49a480 RCX: 00007f9669ae489d
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.429879] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000004
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.431149] RBP: 00007ffd03a6ab10 R08: 0000000000000000 R09: 0000000000000008
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.432510] R10: 0000000000000000 R11: 0000000000000216 R12: 000056090c446420
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.433833] R13: 00007ffd03a6ac00 R14: 0000000000000000 R15: 0000000000000000
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.435078] Modules linked in: vboxsf(OE) nls_utf8 isofs binfmt_misc dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua intel_rapl_msr intel_rapl_common rapl snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_timer snd input_leds soundcore mac_hid serio_raw vboxguest(OE) sch_fq_codel ip_tables x_tables autofs4 btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear vboxvideo(OE) drm_ttm_helper ttm drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect crc32_pclmul sysimgblt ghash_clmulni_intel fb_sys_fops cec mptspi rc_core mptscsih video mptbase drm psmouse aesni_intel scsi_transport_spi crypto_simd e1000 cryptd glue_helper i2c_piix4 pata_acpi
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.446904] CR2: 0000000000000008
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.447790] ---[ end trace cf84cbb0d4f9835b ]---
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.448918] RIP: 0010:_copy_to_iter+0x5e/0x300
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.450002] Code: f4 48 85 d2 0f 84 a2 00 00 00 49 8b 5d 08 a8 10 0f 85 0e 01 00 00 a8 08 0f 85 ea 01 00 00 a8 40 0f 85 73 02 00 00 4d 8b 75 18 <4d> 8b 7e 08 49 29 df 49 39 f7 4c 0f 47 fe 4d 85 ff 0f 84 60 02 00
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.454280] RSP: 0018:ffffa26d45ff7878 EFLAGS: 00010246
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.455505] RAX: 0000000000000004 RBX: 0000000000000000 RCX: ffff91db80000000
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.456820] RDX: 000000000000ffff RSI: 0000000000004000 RDI: ffff91dc8413002c
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.458069] RBP: ffffa26d45ff78c8 R08: ffff91dc8413002c R09: ffffa26d45ff7b60
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.459495] R10: 0000000000004000 R11: 0000000000004000 R12: 0000000000004000
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.460771] R13: ffffa26d45ff7b60 R14: 0000000000000000 R15: 0000000000004000
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.462019] FS: 00007f96699c1b80(0000) GS:ffff91dd97d00000(0000) knlGS:0000000000000000
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.463483] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.464701] CR2: 0000000000000008 CR3: 0000000108e5c006 CR4: 00000000000706e0

Once this error occurs, the process cannot be SIGKILLed as superuser and netstat shows the port as having no program attached to it:

    $ sudo netstat -unlf --program
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    udp   231168      0 0.0.0.0:10200           0.0.0.0:*                           -

Thank you in advance.
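Reading an oops like the one above by hand is error-prone once it has been flattened by syslog, so here is a small parser that turns the syslog-prefixed lines into structured fields: the fault address, the tainted state and kernel version, the faulting RIP symbol, the call trace with "? " frames marked as unreliable (stale stack slots the unwinder could not confirm), and which out-of-tree modules tainted the kernel. This is an added example for triage and incident-response notes, not code from the bug report, from liburing or from the kernel; the regular expressions are assumptions about the common x86-64 oops layout rather than a complete grammar, and the embedded sample is an excerpt of the report above with a shortened module list.

```python
"""Parse an x86-64 kernel oops out of syslog-prefixed dmesg lines (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Optional syslog prefix ("Jul 4 09:09:29 host kernel: "), then the printk
# timestamp "[ 1421.374691]" and the message body. Layout is an assumption.
_LINE_RE = re.compile(
    r"^(?:[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ kernel: )?"
    r"\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$"
)
_BUG_RE = re.compile(r"^BUG: (?P<what>.+?), address: (?P<addr>[0-9a-f]+)$")
_CPU_RE = re.compile(
    r"^CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) Comm: (?P<comm>\S+) "
    r"(?:Not tainted|Tainted: (?P<taint>[A-Z ]+?)) (?P<version>\d+\.\d+\.\S+)"
)
_RIP_RE = re.compile(r"^RIP: (?P<cs>[0-9a-f]{4}):(?P<loc>\S+)$")
_FRAME_RE = re.compile(
    r"^(?P<unreliable>\? )?(?P<name>[^\s+]+)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)$"
)
_CR2_RE = re.compile(r"^CR2: (?P<cr2>[0-9a-f]+)")
_MODULES_RE = re.compile(r"^Modules linked in: (?P<mods>.*)$")
_MODULE_RE = re.compile(r"^(?P<name>[\w-]+)(?:\((?P<flags>[A-Z]+)\))?$")


@dataclass
class Frame:
    symbol: str
    offset: int
    size: int
    reliable: bool  # False for "? " frames: the unwinder could not confirm them


@dataclass
class Oops:
    what: str = ""
    address: Optional[int] = None
    oops_line: str = ""
    cpu: Optional[int] = None
    pid: Optional[int] = None
    comm: str = ""
    taint: str = ""
    version: str = ""
    rip: Optional[Frame] = None
    cr2: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)
    modules: List[str] = field(default_factory=list)
    tainting_modules: List[str] = field(default_factory=list)  # e.g. "(OE)" modules


def _parse_frame(text: str) -> Optional[Frame]:
    m = _FRAME_RE.match(text)
    if not m:
        return None
    return Frame(m["name"], int(m["off"], 16), int(m["size"], 16), m["unreliable"] is None)


def parse_oops(log: str) -> Oops:
    """Parse the first oops in `log`; stops at the '---[ end trace' marker."""
    o = Oops()
    in_trace = False
    for raw in log.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"].strip()
        if msg.startswith("---[ end trace"):
            break  # what follows is a repeat of the register dump already parsed
        if in_trace:
            fr = _parse_frame(msg)
            if fr:
                o.frames.append(fr)
                continue
            in_trace = False  # first non-frame line ends the trace
        if msg == "Call Trace:":
            in_trace = True
        elif (b := _BUG_RE.match(msg)):
            o.what, o.address = b["what"], int(b["addr"], 16)
        elif msg.startswith("Oops:"):
            o.oops_line = msg
        elif (c := _CPU_RE.match(msg)):
            o.cpu, o.pid, o.comm = int(c["cpu"]), int(c["pid"]), c["comm"]
            o.taint, o.version = (c["taint"] or "").strip(), c["version"]
        elif (r := _RIP_RE.match(msg)) and o.rip is None:
            o.rip = _parse_frame(r["loc"]) or Frame(r["loc"], 0, 0, True)  # keep the kernel RIP, not the later user-space one
        elif (cr := _CR2_RE.match(msg)) and o.cr2 is None:
            o.cr2 = int(cr["cr2"], 16)
        elif (mm := _MODULES_RE.match(msg)):
            for tok in mm["mods"].split():
                mod = _MODULE_RE.match(tok)
                if mod:
                    o.modules.append(mod["name"])
                    if mod["flags"]:
                        o.tainting_modules.append(mod["name"])
    return o


def reliable_frames(o: Oops) -> List[str]:
    return [f.symbol for f in o.frames if f.reliable]


def null_deref_field_offset(o: Oops, page_size: int = 4096) -> Optional[int]:
    """A fault address inside the first page is almost always a field read through
    a NULL struct pointer; return that field offset, or None if it is not one."""
    if o.address is None or o.address >= page_size:
        return None
    return o.address


def frames_with_prefix(o: Oops, prefix: str) -> List[str]:
    """Reliable frames from one subsystem (e.g. prefix "io_"), to see who drove the fault."""
    return [s for s in reliable_frames(o) if s.startswith(prefix)]


# Constructed sample: an excerpt of the report above with a shortened module list.
SAMPLE_LOG = """
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.374691] BUG: kernel NULL pointer dereference, address: 0000000000000008
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.375728] #PF: supervisor read access in kernel mode
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.377675] Oops: 0000 [#1] SMP PTI
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.378432] CPU: 2 PID: 7197 Comm: stalwart Tainted: G OE 5.11.0-051100-generic #202102142330
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.381566] RIP: 0010:_copy_to_iter+0x5e/0x300
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.394279] CR2: 0000000000000008 CR3: 0000000108e5c006 CR4: 00000000000706e0
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.395486] Call Trace:
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.396074] ? __check_object_size.part.0+0x4a/0x150
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.397154] udp_recvmsg+0x34f/0x5a0
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.397679] ? udp_recvmsg+0x1ef/0x5a0
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.398172] inet_recvmsg+0xfd/0x120
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.399714] sock_recvmsg+0x69/0x80
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.400396] ____sys_recvmsg+0x98/0x1b0
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.402227] __sys_recvmsg_sock+0x39/0x50
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.402760] io_recvmsg+0xba/0x2c0
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.409077] ? io_provide_buffers+0xa3/0x230
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.410885] io_issue_sqe+0x864/0xaa0
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.418643] __do_sys_io_uring_enter+0x294/0x400
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.422010] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.422987] RIP: 0033:0x7f9669ae489d
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.435078] Modules linked in: vboxsf(OE) nls_utf8 isofs vboxguest(OE) e1000
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.447790] ---[ end trace cf84cbb0d4f9835b ]---
Jul 4 09:09:29 ubuntu-focal kernel: [ 1421.448918] RIP: 0010:_copy_to_iter+0x5e/0x300
"""

if __name__ == "__main__":
    oops = parse_oops(SAMPLE_LOG)
    print(f"{oops.what} at {oops.address:#x} in {oops.rip.symbol} (pid {oops.pid}, comm {oops.comm})")
    print("kernel", oops.version, "taint", oops.taint or "none", "tainting modules", oops.tainting_modules)
    print("reliable trace:", " <- ".join(reliable_frames(oops)))
    print("io_uring frames:", frames_with_prefix(oops, "io_"))
```

The reliable frames alone already tell the triage story: the fault is in _copy_to_iter reached from udp_recvmsg through io_recvmsg and io_issue_sqe, i.e. the recvmsg path driven by io_uring_enter, while the io_provide_buffers frames are "? " entries and so only hint at what was on the stack earlier. The fault address 0x8 is a field at offset 8 of a NULL pointer, which is why the helper reports it as a NULL-struct dereference rather than a wild pointer. The "Tainted: G OE" flags and the (OE) module list matter when deciding whether the crash can be reported upstream as-is, since out-of-tree, unsigned modules are loaded on this host.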