lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 8 Sep 2023 08:50:56 +0800
From:   "Yin, Fengwei" <fengwei.yin@...el.com>
To:     syzbot <syzbot+17a207d226b8a5fb0fd9@...kaller.appspotmail.com>,
        <akpm@...ux-foundation.org>, <hughd@...gle.com>,
        <linux-kernel@...r.kernel.org>, <linux-mm@...ck.org>,
        <syzkaller-bugs@...glegroups.com>, <kraxel@...hat.com>,
        <sumit.semwal@...aro.org>, <christian.koenig@....com>
Subject: Re: [syzbot] [mm?] kernel BUG in filemap_unaccount_folio

Add udmabuf maintainers.

On 9/7/2023 2:51 AM, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    db906f0ca6bb Merge tag 'phy-for-6.6' of git://git.kernel.o..
> git tree:       upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=16cbb32fa80000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=3bd57a1ac08277b0
> dashboard link: https://syzkaller.appspot.com/bug?extid=17a207d226b8a5fb0fd9
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11609f38680000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c1fc00680000
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/46394f3ca3eb/disk-db906f0c.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/eeaa594bfd1f/vmlinux-db906f0c.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/5c8df8de79ec/bzImage-db906f0c.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+17a207d226b8a5fb0fd9@...kaller.appspotmail.com

Operations from user space before kernel BUG hit:

[pid  5043] memfd_create("\x79\x10\x35\x25\xfa\x2c\x1f\x99\xa2\xc9\x8e\xcd\x5c\xfa\xf6\x12\x95\x5e\xdf\x54\xe2\x3d\x0e\x7e\x46\xcd\x73\xa3\xff\x89\x3e\x84\xa9\x86\x86\xa2\x46\x90\x93\x98\x4e\x05\x65\x92\x4a\x77\xce\x63\xce\x9f\x32\xc8\x02\x66\x03\x07\x6d\x08\xb4\x48\x8f\x9e\xa5\x16\x8f\x61\xff\xb2\x22\x8a\x15\x13\xa2\x17\x25\x21\x54\x8b\xa1\xb9\x2d\x13\xf9\x6f\x67\x95\x9d\x54\xef\xca\x68\x77\xf5\xff\x75\x7f\x75\xb8\x2a\xd3"..., MFD_ALLOW_SEALING) = 3
[pid  5043] ftruncate(3, 65535)         = 0
[pid  5043] fcntl(3, F_ADD_SEALS, F_SEAL_SEAL|F_SEAL_SHRINK|F_SEAL_GROW) = 0
[pid  5043] openat(AT_FDCWD, "/dev/udmabuf", O_RDWR) = 4
[pid  5043] ioctl(4, UDMABUF_CREATE, 0x20000000) = 5
[pid  5043] mmap(0x20667000, 16384, PROT_WRITE|PROT_EXEC|PROT_SEM|PROT_GROWSDOWN, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 5, 0) = 0x20667000

The crash happens when test app tried to close the memfd.


It's like test app created udmabuf above memfd. But didn't boost memfd refcount.
And mmap with MAP_POPULATE make the underneath folios mapped.

When memfd is closed without munmap 0x20667000, the memfd refcount hit zero and
trigger evict() and hit
	VM_BUG_ON_FOLIO(folio_mapped(folio), folio);


Related test code:

  res = syscall(__NR_memfd_create, /*name=*/0x20000040ul, /*flags=*/2ul);
  if (res != -1)
    r[0] = res;
  syscall(__NR_ftruncate, /*fd=*/r[0], /*len=*/0xfffful);
  syscall(__NR_fcntl, /*fd=*/r[0], /*cmd=*/0x409ul, /*seals=*/7ul);
  memcpy((void*)0x200001c0, "/dev/udmabuf\000", 13);
  res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200001c0ul,
                /*flags=*/2ul, 0);
  if (res != -1)
    r[1] = res;
  *(uint32_t*)0x20000000 = r[0];
  *(uint32_t*)0x20000004 = 0;
  *(uint64_t*)0x20000008 = 0;
  *(uint64_t*)0x20000010 = 0x8000;
  res = syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x40187542,
                /*arg=*/0x20000000ul);
  if (res != -1)
    r[2] = res;
  syscall(__NR_mmap, /*addr=*/0x20667000ul, /*len=*/0x4000ul,
          /*prot=*/0x100000eul, /*flags=*/0x28011ul, /*fd=*/r[2],
          /*offset=*/0ul);
  close_fds();


Should memfd refcount increased when create udmabuf above it? Thanks. 

Regards
Yin, Fengwei

> 
>  search_binary_handler fs/exec.c:1739 [inline]
>  exec_binprm fs/exec.c:1781 [inline]
>  bprm_execve fs/exec.c:1856 [inline]
>  bprm_execve+0x80a/0x1a50 fs/exec.c:1812
>  do_execveat_common.isra.0+0x5d3/0x740 fs/exec.c:1964
>  do_execve fs/exec.c:2038 [inline]
>  __do_sys_execve fs/exec.c:2114 [inline]
>  __se_sys_execve fs/exec.c:2109 [inline]
>  __x64_sys_execve+0x8c/0xb0 fs/exec.c:2109
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> ------------[ cut here ]------------
> kernel BUG at mm/filemap.c:158!
> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 5043 Comm: syz-executor729 Not tainted 6.5.0-syzkaller-11275-gdb906f0ca6bb #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
> RIP: 0010:filemap_unaccount_folio+0x62e/0x870 mm/filemap.c:158
> Code: 0f 85 68 01 00 00 8b 6b 5c 31 ff 89 ee e8 6a 3e d2 ff 85 ed 7e 16 e8 f1 42 d2 ff 48 c7 c6 c0 3b 97 8a 48 89 df e8 a2 58 10 00 <0f> 0b e8 db 42 d2 ff 48 8d 6b 58 be 04 00 00 00 48 89 ef e8 0a 0d
> RSP: 0018:ffffc900039ef828 EFLAGS: 00010093
> RAX: 0000000000000000 RBX: ffffea0001cfe400 RCX: 0000000000000000
> RDX: ffff88807e171dc0 RSI: ffffffff81b559ae RDI: 0000000000000000
> RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff1d9be7a
> R10: ffffffff8ecdf3d7 R11: 0000000000000001 R12: ffff8880258003b8
> R13: ffffea0001cfe400 R14: ffffea0001cfe418 R15: ffffea0001cfe420
> FS:  0000555556b42380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000005fdeb8 CR3: 000000007a443000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  __filemap_remove_folio+0x110/0x820 mm/filemap.c:227
>  filemap_remove_folio+0xca/0x210 mm/filemap.c:260
>  truncate_inode_folio+0x49/0x70 mm/truncate.c:195
>  shmem_undo_range+0x365/0x1040 mm/shmem.c:1018
>  shmem_truncate_range mm/shmem.c:1114 [inline]
>  shmem_evict_inode+0x392/0xb50 mm/shmem.c:1243
>  evict+0x2ed/0x6b0 fs/inode.c:664
>  iput_final fs/inode.c:1775 [inline]
>  iput.part.0+0x55e/0x7a0 fs/inode.c:1801
>  iput+0x5c/0x80 fs/inode.c:1791
>  dentry_unlink_inode+0x292/0x430 fs/dcache.c:401
>  __dentry_kill+0x3b8/0x640 fs/dcache.c:607
>  dentry_kill fs/dcache.c:733 [inline]
>  dput+0x8dd/0xfd0 fs/dcache.c:913
>  __fput+0x536/0xa70 fs/file_table.c:392
>  __fput_sync+0x47/0x50 fs/file_table.c:465
>  __do_sys_close fs/open.c:1572 [inline]
>  __se_sys_close fs/open.c:1557 [inline]
>  __x64_sys_close+0x87/0xf0 fs/open.c:1557
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7f6700c6aa90
> Code: ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 80 3d f1 85 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c
> RSP: 002b:00007ffd27935ca8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
> RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f6700c6aa90
> RDX: 0000000000000000 RSI: 0000000000004000 RDI: 0000000000000003
> RBP: 00007ffd27935cc0 R08: 0000000000000005 R09: 0000000000000000
> R10: 0000000000028011 R11: 0000000000000202 R12: 00007f6700cde5f0
> R13: 00007ffd27935ea8 R14: 0000000000000001 R15: 0000000000000001
>  </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:filemap_unaccount_folio+0x62e/0x870 mm/filemap.c:158
> Code: 0f 85 68 01 00 00 8b 6b 5c 31 ff 89 ee e8 6a 3e d2 ff 85 ed 7e 16 e8 f1 42 d2 ff 48 c7 c6 c0 3b 97 8a 48 89 df e8 a2 58 10 00 <0f> 0b e8 db 42 d2 ff 48 8d 6b 58 be 04 00 00 00 48 89 ef e8 0a 0d
> RSP: 0018:ffffc900039ef828 EFLAGS: 00010093
> RAX: 0000000000000000 RBX: ffffea0001cfe400 RCX: 0000000000000000
> RDX: ffff88807e171dc0 RSI: ffffffff81b559ae RDI: 0000000000000000
> RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff1d9be7a
> R10: ffffffff8ecdf3d7 R11: 0000000000000001 R12: ffff8880258003b8
> R13: ffffea0001cfe400 R14: ffffea0001cfe418 R15: ffffea0001cfe420
> FS:  0000555556b42380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000005fdeb8 CR3: 000000007a443000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> 
> If the bug is already fixed, let syzbot know by replying with:
> #syz fix: exact-commit-title
> 
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
> 
> If you want to overwrite bug's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
> 
> If the bug is a duplicate of another bug, reply with:
> #syz dup: exact-subject-of-another-report
> 
> If you want to undo deduplication, reply with:
> #syz undup
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ