lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 8 Feb 2023 17:03:52 +0800
From:   Pengfei Xu <pengfei.xu@...el.com>
To:     <gregkh@...uxfoundation.org>, <linux-kernel@...r.kernel.org>
CC:     <gregkh@...uxfoundation.org>, <pengfei.xu@...el.com>,
        <heng.su@...el.com>
Subject: [Syzkaller & bisect] There is " __disarm_kprobe_ftrace" WARNING in
 v6.2-rc7 kernel

Hi Greg KH and kernel expert,

Greeting!

There is " __disarm_kprobe_ftrace" WARNING in v6.2-rc7 kernel in fault
injection test by syzkaller:
[   30.404796] FAULT_INJECTION: forcing a failure.
[   30.404796] name failslab, interval 1, probability 0, space 0, times 1
[   30.405595] CPU: 1 PID: 510 Comm: repro Not tainted 6.2.0-rc7-4ec5183ec486 #1
[   30.406044] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[   30.406724] Call Trace:
[   30.406890]  <TASK>
[   30.407032]  dump_stack_lvl+0xa7/0xdb
[   30.407310]  dump_stack+0x19/0x1f
[   30.407532]  should_fail_ex.cold.5+0x5/0xa
[   30.407820]  __should_failslab+0xca/0x120
[   30.408091]  should_failslab+0x12/0x30
[   30.408341]  __kmem_cache_alloc_node+0x62/0x280
[   30.408636]  ? alloc_ftrace_hash+0x4f/0x170
[   30.408916]  kmalloc_trace+0x2e/0x120
[   30.409161]  alloc_ftrace_hash+0x4f/0x170
[   30.409426]  alloc_and_copy_ftrace_hash.constprop.87+0x23/0x310
[   30.409804]  ? write_comp_data+0x2f/0x90
[   30.410078]  ftrace_set_hash+0x445/0x590
[   30.410350]  ? __sanitizer_cov_trace_pc+0x25/0x60
[   30.410671]  ftrace_set_filter_ip+0xcd/0x1a0
[   30.410967]  ? __pfx_ftrace_set_filter_ip+0x10/0x10
[   30.411295]  ? match_dev_by_uuid+0x4/0x100
[   30.411574]  ? unregister_ftrace_function+0x83/0x3c0
[   30.411906]  ? __this_cpu_preempt_check+0x20/0x30
[   30.412228]  ? write_comp_data+0x2f/0x90
[   30.412507]  __disarm_kprobe_ftrace.isra.24+0xe4/0x250
[   30.412851]  disarm_kprobe+0x24a/0x2d0
[   30.413112]  __disable_kprobe+0x2de/0x4b0
[   30.413390]  disable_kprobe+0x31/0x80
[   30.413643]  __disable_trace_kprobe+0xfb/0x1c0
[   30.413965]  disable_trace_kprobe+0x1f0/0x300
[   30.414266]  kprobe_register+0x4e/0xf0
[   30.414528]  perf_trace_event_unreg.isra.3+0xb6/0x1f0
[   30.414870]  perf_kprobe_destroy+0xcb/0x200
[   30.415156]  ? __pfx_perf_kprobe_destroy+0x10/0x10
[   30.415482]  _free_event+0x220/0x11c0
[   30.415754]  put_event+0x4d/0x60
[   30.415993]  perf_event_release_kernel+0x5d9/0x860
[   30.416330]  ? __pfx_perf_event_release_kernel+0x10/0x10
[   30.416680]  ? write_comp_data+0x2f/0x90
[   30.416950]  ? __sanitizer_cov_trace_pc+0x25/0x60
[   30.417292]  ? __pfx_perf_release+0x10/0x10
[   30.417579]  perf_release+0x40/0x50
[   30.417830]  __fput+0x26d/0xa40
[   30.418080]  ____fput+0x1e/0x30
[   30.418303]  task_work_run+0x1a4/0x2d0
[   30.418565]  ? write_comp_data+0x2f/0x90
[   30.418836]  ? __pfx_task_work_run+0x10/0x10
[   30.419138]  ? __this_cpu_preempt_check+0x20/0x30
[   30.419463]  ? lockdep_hardirqs_on+0x8a/0x110
[   30.419751]  ? exit_to_user_mode_prepare+0x100/0x210
[   30.420080]  exit_to_user_mode_prepare+0x200/0x210
[   30.420392]  syscall_exit_to_user_mode+0x2d/0x60
[   30.420698]  do_syscall_64+0x4a/0x90
[   30.420944]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
[   30.421282] RIP: 0033:0x7f3840f1059d
[   30.421537] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 8
[   30.422690] RSP: 002b:00007ffd19fb73a8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[   30.423179] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f3840f1059d
[   30.423630] RDX: 0000000000000010 RSI: 00007ffd19fb7370 RDI: 0000000000000003
[   30.424081] RBP: 00007ffd19fb73c0 R08: 0000000000000001 R09: 00007ffd19fb73c0
[   30.424531] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000401180
[   30.424984] R13: 00007ffd19fb74e0 R14: 0000000000000000 R15: 0000000000000000
[   30.425459]  </TASK>
[   30.425891] ------------[ cut here ]------------
[   30.426223] Failed to disarm kprobe-ftrace at match_dev_by_uuid+0x4/0x100 (error -12)
[   30.426785] WARNING: CPU: 1 PID: 510 at kernel/kprobes.c:1130 __disarm_kprobe_ftrace.isra.24+0x1ed/0x250
[   30.427381] Modules linked in:
[   30.427595] CPU: 1 PID: 510 Comm: repro Not tainted 6.2.0-rc7-4ec5183ec486 #1
[   30.428052] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[   30.428759] RIP: 0010:__disarm_kprobe_ftrace.isra.24+0x1ed/0x250
[   30.429156] Code: 37 f5 05 01 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 64 49 8b 75 00 89 da 48 c7 c7 80 67 6f 85 e8 12 72 bf 03 <0f> 0b e9 03 a
[   30.430300] RSP: 0018:ffff88800c387a90 EFLAGS: 00010282
[   30.430642] RAX: 0000000000000000 RBX: 00000000fffffff4 RCX: ffffffff813dde2e
[   30.431124] RDX: 0000000000000000 RSI: ffff8880125e0000 RDI: 0000000000000002
[   30.431575] RBP: ffff88800c387ab0 R08: ffffed1001870f0b R09: ffffed1001870f0b
[   30.432028] R10: ffff88800c387857 R11: ffffed1001870f0a R12: 0000000000000000
[   30.432483] R13: ffff88800a4a9040 R14: ffffffff875a0ea0 R15: ffff88800a4a9090
[   30.432940] FS:  00007f3840deb740(0000) GS:ffff88806cd00000(0000) knlGS:0000000000000000
[   30.433467] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   30.433847] CR2: 00007f3840e4d700 CR3: 0000000011a84001 CR4: 0000000000770ee0
[   30.434301] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   30.434782] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400
[   30.435234] PKRU: 55555554
[   30.435418] Call Trace:
[   30.435588]  <TASK>
[   30.435743]  disarm_kprobe+0x24a/0x2d0
[   30.436011]  __disable_kprobe+0x2de/0x4b0
[   30.436295]  disable_kprobe+0x31/0x80
[   30.436552]  __disable_trace_kprobe+0xfb/0x1c0
[   30.436862]  disable_trace_kprobe+0x1f0/0x300
[   30.437165]  kprobe_register+0x4e/0xf0
[   30.437429]  perf_trace_event_unreg.isra.3+0xb6/0x1f0
[   30.437778]  perf_kprobe_destroy+0xcb/0x200
[   30.438077]  ? __pfx_perf_kprobe_destroy+0x10/0x10
[   30.438407]  _free_event+0x220/0x11c0
[   30.438707]  put_event+0x4d/0x60
[   30.438938]  perf_event_release_kernel+0x5d9/0x860
[   30.439275]  ? __pfx_perf_event_release_kernel+0x10/0x10
[   30.439633]  ? write_comp_data+0x2f/0x90
[   30.439913]  ? __sanitizer_cov_trace_pc+0x25/0x60
[   30.440245]  ? __pfx_perf_release+0x10/0x10
[   30.440533]  perf_release+0x40/0x50
[   30.440780]  __fput+0x26d/0xa40
[   30.441020]  ____fput+0x1e/0x30
[   30.441246]  task_work_run+0x1a4/0x2d0
[   30.441509]  ? write_comp_data+0x2f/0x90
[   30.441794]  ? __pfx_task_work_run+0x10/0x10
[   30.442090]  ? __this_cpu_preempt_check+0x20/0x30
[   30.442389]  ? lockdep_hardirqs_on+0x8a/0x110
[   30.442705]  ? exit_to_user_mode_prepare+0x100/0x210
[   30.443042]  exit_to_user_mode_prepare+0x200/0x210
[   30.443366]  syscall_exit_to_user_mode+0x2d/0x60
[   30.443683]  do_syscall_64+0x4a/0x90
[   30.443937]  entry_SYSCALL_64_after_hwframe+0x72/0xdc
[   30.444281] RIP: 0033:0x7f3840f1059d
[   30.444530] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 8
[   30.445701] RSP: 002b:00007ffd19fb73a8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[   30.446211] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f3840f1059d
[   30.446716] RDX: 0000000000000010 RSI: 00007ffd19fb7370 RDI: 0000000000000003
[   30.447193] RBP: 00007ffd19fb73c0 R08: 0000000000000001 R09: 00007ffd19fb73c0
[   30.447661] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000401180
[   30.448128] R13: 00007ffd19fb74e0 R14: 0000000000000000 R15: 0000000000000000
[   30.448618]  </TASK>
[   30.448787] irq event stamp: 2017
[   30.449020] hardirqs last  enabled at (2025): [<ffffffff813dd0a1>] __up_console_sem+0x91/0xb0
[   30.449594] hardirqs last disabled at (2032): [<ffffffff813dd086>] __up_console_sem+0x76/0xb0
[   30.450803] softirqs last  enabled at (1974): [<ffffffff8536af3f>] __do_softirq+0x53f/0x836
[   30.452095] softirqs last disabled at (1965): [<ffffffff812498b0>] irq_exit_rcu+0x100/0x140
[   30.453375] ---[ end trace 0000000000000000 ]---

Bisected and found the first bad commit is:
71a7507afbc3f27c346898f13ab9bfd918613c34
Merge tag 'driver-core-6.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core

It's just a clue for this issue, because reverted above commit on top
of v6.2-rc7 kernel failed.

I didn't find this kind of info in syzbot:
https://syzkaller.appspot.com/upstream

Reproduced code from syzkaller, kconfig, bisect info and v6.2-rc7 failed log
are in attached.

More info like bzimage for v6.2-rc7, each time bisect dmesg detailes are in
link: https://github.com/xupengfe/syzkaller_logs/tree/main/230207_221438___disarm_kprobe_ftrace


If you need the reproduced virtual machine environment:
git clone https://gitlab.com/xupengfe/repro_vm_env.git
cd repro_vm_env
tar -xvf repro_vm_env.tar.gz
cd repro_vm_env; ./start3.sh  // it needs qemu-system-x86_64 and I used v7.1.0
   // start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
   // You could change the bzImage_xxx as you want
In vm and login with root,  there is no password for root.

After login vm successfully, you could transfer reproduced binary to the VM by below way, and reproduce the problem:
scp -P 10023 reproduced_binary root@...alhost:/root/

Get the bzImage for target kernel:
Please use the provided kconfig and copy it to kernel_src/.config
make olddefconfig
make -jx bzImage           //x should equal or less than cpu num your pc has

Fill the bzImage file into above start3.sh to load the target kernel vm.


Tips:
If you already have qemu-system-x86_64, please ignore below info.
If you want to install qemu v7.1.0 version:
git clone https://github.com/qemu/qemu.git
cd qemu
git checkout -f v7.1.0
mkdir build
cd build
yum install -y ninja-build.x86_64
../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl
make
make install

I hope it's helpful.

Thanks!
BR.

View attachment "repro.c" of type "text/plain" (7295 bytes)

View attachment "bisect_info.log" of type "text/plain" (3993 bytes)

View attachment "kconfig" of type "text/plain" (287948 bytes)

View attachment "4ec5183ec48656cec489c49f989c508b68b518e3_dmesg.log" of type "text/plain" (477419 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ