lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <IA0PR11MB71854F51212E1A3913951F44F8F3A@IA0PR11MB7185.namprd11.prod.outlook.com>
Date:   Sun, 10 Sep 2023 07:02:38 +0000
From:   "Kasireddy, Vivek" <vivek.kasireddy@...el.com>
To:     "Yin, Fengwei" <fengwei.yin@...el.com>
CC:     Daniel Vetter <daniel@...ll.ch>,
        "dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>,
        syzbot <syzbot+17a207d226b8a5fb0fd9@...kaller.appspotmail.com>,
        "akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
        "hughd@...gle.com" <hughd@...gle.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-mm@...ck.org" <linux-mm@...ck.org>,
        "syzkaller-bugs@...glegroups.com" <syzkaller-bugs@...glegroups.com>,
        "kraxel@...hat.com" <kraxel@...hat.com>,
        "sumit.semwal@...aro.org" <sumit.semwal@...aro.org>,
        "christian.koenig@....com" <christian.koenig@....com>
Subject: RE: [syzbot] [mm?] kernel BUG in filemap_unaccount_folio

Hi Fengwei,

> 
> Add udmabuf maintainers.
> 
> On 9/7/2023 2:51 AM, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    db906f0ca6bb Merge tag 'phy-for-6.6' of git://git.kernel.o..
> > git tree:       upstream
> > console+strace: https://syzkaller.appspot.com/x/log.txt?x=16cbb32fa80000
> > kernel config:
> https://syzkaller.appspot.com/x/.config?x=3bd57a1ac08277b0
> > dashboard link:
> https://syzkaller.appspot.com/bug?extid=17a207d226b8a5fb0fd9
> > compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for
> Debian) 2.40
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11609f38680000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c1fc00680000
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-
> assets/46394f3ca3eb/disk-db906f0c.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-
> assets/eeaa594bfd1f/vmlinux-db906f0c.xz
> > kernel image: https://storage.googleapis.com/syzbot-
> assets/5c8df8de79ec/bzImage-db906f0c.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the
> commit:
> > Reported-by: syzbot+17a207d226b8a5fb0fd9@...kaller.appspotmail.com
> 
> Operations from user space before kernel BUG hit:
> 
> [pid  5043]
> memfd_create("\x79\x10\x35\x25\xfa\x2c\x1f\x99\xa2\xc9\x8e\xcd\x5c\xfa
> \xf6\x12\x95\x5e\xdf\x54\xe2\x3d\x0e\x7e\x46\xcd\x73\xa3\xff\x89\x3e\x
> 84\xa9\x86\x86\xa2\x46\x90\x93\x98\x4e\x05\x65\x92\x4a\x77\xce\x63\xc
> e\x9f\x32\xc8\x02\x66\x03\x07\x6d\x08\xb4\x48\x8f\x9e\xa5\x16\x8f\x61\
> xff\xb2\x22\x8a\x15\x13\xa2\x17\x25\x21\x54\x8b\xa1\xb9\x2d\x13\xf9\x
> 6f\x67\x95\x9d\x54\xef\xca\x68\x77\xf5\xff\x75\x7f\x75\xb8\x2a\xd3"...,
> MFD_ALLOW_SEALING) = 3
> [pid  5043] ftruncate(3, 65535)         = 0
> [pid  5043] fcntl(3, F_ADD_SEALS,
> F_SEAL_SEAL|F_SEAL_SHRINK|F_SEAL_GROW) = 0
> [pid  5043] openat(AT_FDCWD, "/dev/udmabuf", O_RDWR) = 4
> [pid  5043] ioctl(4, UDMABUF_CREATE, 0x20000000) = 5
> [pid  5043] mmap(0x20667000, 16384,
> PROT_WRITE|PROT_EXEC|PROT_SEM|PROT_GROWSDOWN,
> MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 5, 0) = 0x20667000
> 
> The crash happens when test app tried to close the memfd.
> 
> 
> It's like test app created udmabuf above memfd. But didn't boost memfd
> refcount.
> And mmap with MAP_POPULATE make the underneath folios mapped.
> 
> When memfd is closed without munmap 0x20667000, the memfd refcount
> hit zero and
> trigger evict() and hit
> 	VM_BUG_ON_FOLIO(folio_mapped(folio), folio);
> 
> 
> Related test code:
> 
>   res = syscall(__NR_memfd_create, /*name=*/0x20000040ul, /*flags=*/2ul);
>   if (res != -1)
>     r[0] = res;
>   syscall(__NR_ftruncate, /*fd=*/r[0], /*len=*/0xfffful);
>   syscall(__NR_fcntl, /*fd=*/r[0], /*cmd=*/0x409ul, /*seals=*/7ul);
>   memcpy((void*)0x200001c0, "/dev/udmabuf\000", 13);
>   res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200001c0ul,
>                 /*flags=*/2ul, 0);
>   if (res != -1)
>     r[1] = res;
>   *(uint32_t*)0x20000000 = r[0];
>   *(uint32_t*)0x20000004 = 0;
>   *(uint64_t*)0x20000008 = 0;
>   *(uint64_t*)0x20000010 = 0x8000;
>   res = syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x40187542,
>                 /*arg=*/0x20000000ul);
>   if (res != -1)
>     r[2] = res;
>   syscall(__NR_mmap, /*addr=*/0x20667000ul, /*len=*/0x4000ul,
>           /*prot=*/0x100000eul, /*flags=*/0x28011ul, /*fd=*/r[2],
>           /*offset=*/0ul);
>   close_fds();
> 
> 
> Should memfd refcount increased when create udmabuf above it? Thanks.
I think the following patch should fix this crash:
https://lists.freedesktop.org/archives/dri-devel/2023-August/418952.html

Thanks,
Vivek
> 
> Regards
> Yin, Fengwei
> 
> >
> >  search_binary_handler fs/exec.c:1739 [inline]
> >  exec_binprm fs/exec.c:1781 [inline]
> >  bprm_execve fs/exec.c:1856 [inline]
> >  bprm_execve+0x80a/0x1a50 fs/exec.c:1812
> >  do_execveat_common.isra.0+0x5d3/0x740 fs/exec.c:1964
> >  do_execve fs/exec.c:2038 [inline]
> >  __do_sys_execve fs/exec.c:2114 [inline]
> >  __se_sys_execve fs/exec.c:2109 [inline]
> >  __x64_sys_execve+0x8c/0xb0 fs/exec.c:2109
> >  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> >  do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
> >  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> > ------------[ cut here ]------------
> > kernel BUG at mm/filemap.c:158!
> > invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> > CPU: 0 PID: 5043 Comm: syz-executor729 Not tainted 6.5.0-syzkaller-11275-
> gdb906f0ca6bb #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine,
> BIOS Google 07/26/2023
> > RIP: 0010:filemap_unaccount_folio+0x62e/0x870 mm/filemap.c:158
> > Code: 0f 85 68 01 00 00 8b 6b 5c 31 ff 89 ee e8 6a 3e d2 ff 85 ed 7e 16 e8 f1
> 42 d2 ff 48 c7 c6 c0 3b 97 8a 48 89 df e8 a2 58 10 00 <0f> 0b e8 db 42 d2 ff 48
> 8d 6b 58 be 04 00 00 00 48 89 ef e8 0a 0d
> > RSP: 0018:ffffc900039ef828 EFLAGS: 00010093
> > RAX: 0000000000000000 RBX: ffffea0001cfe400 RCX: 0000000000000000
> > RDX: ffff88807e171dc0 RSI: ffffffff81b559ae RDI: 0000000000000000
> > RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff1d9be7a
> > R10: ffffffff8ecdf3d7 R11: 0000000000000001 R12: ffff8880258003b8
> > R13: ffffea0001cfe400 R14: ffffea0001cfe418 R15: ffffea0001cfe420
> > FS:  0000555556b42380(0000) GS:ffff8880b9800000(0000)
> knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00000000005fdeb8 CR3: 000000007a443000 CR4: 00000000003506f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >  <TASK>
> >  __filemap_remove_folio+0x110/0x820 mm/filemap.c:227
> >  filemap_remove_folio+0xca/0x210 mm/filemap.c:260
> >  truncate_inode_folio+0x49/0x70 mm/truncate.c:195
> >  shmem_undo_range+0x365/0x1040 mm/shmem.c:1018
> >  shmem_truncate_range mm/shmem.c:1114 [inline]
> >  shmem_evict_inode+0x392/0xb50 mm/shmem.c:1243
> >  evict+0x2ed/0x6b0 fs/inode.c:664
> >  iput_final fs/inode.c:1775 [inline]
> >  iput.part.0+0x55e/0x7a0 fs/inode.c:1801
> >  iput+0x5c/0x80 fs/inode.c:1791
> >  dentry_unlink_inode+0x292/0x430 fs/dcache.c:401
> >  __dentry_kill+0x3b8/0x640 fs/dcache.c:607
> >  dentry_kill fs/dcache.c:733 [inline]
> >  dput+0x8dd/0xfd0 fs/dcache.c:913
> >  __fput+0x536/0xa70 fs/file_table.c:392
> >  __fput_sync+0x47/0x50 fs/file_table.c:465
> >  __do_sys_close fs/open.c:1572 [inline]
> >  __se_sys_close fs/open.c:1557 [inline]
> >  __x64_sys_close+0x87/0xf0 fs/open.c:1557
> >  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> >  do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
> >  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> > RIP: 0033:0x7f6700c6aa90
> > Code: ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66
> 90 80 3d f1 85 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3
> 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c
> > RSP: 002b:00007ffd27935ca8 EFLAGS: 00000202 ORIG_RAX:
> 0000000000000003
> > RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f6700c6aa90
> > RDX: 0000000000000000 RSI: 0000000000004000 RDI: 0000000000000003
> > RBP: 00007ffd27935cc0 R08: 0000000000000005 R09: 0000000000000000
> > R10: 0000000000028011 R11: 0000000000000202 R12: 00007f6700cde5f0
> > R13: 00007ffd27935ea8 R14: 0000000000000001 R15: 0000000000000001
> >  </TASK>
> > Modules linked in:
> > ---[ end trace 0000000000000000 ]---
> > RIP: 0010:filemap_unaccount_folio+0x62e/0x870 mm/filemap.c:158
> > Code: 0f 85 68 01 00 00 8b 6b 5c 31 ff 89 ee e8 6a 3e d2 ff 85 ed 7e 16 e8 f1
> 42 d2 ff 48 c7 c6 c0 3b 97 8a 48 89 df e8 a2 58 10 00 <0f> 0b e8 db 42 d2 ff 48
> 8d 6b 58 be 04 00 00 00 48 89 ef e8 0a 0d
> > RSP: 0018:ffffc900039ef828 EFLAGS: 00010093
> > RAX: 0000000000000000 RBX: ffffea0001cfe400 RCX: 0000000000000000
> > RDX: ffff88807e171dc0 RSI: ffffffff81b559ae RDI: 0000000000000000
> > RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff1d9be7a
> > R10: ffffffff8ecdf3d7 R11: 0000000000000001 R12: ffff8880258003b8
> > R13: ffffea0001cfe400 R14: ffffea0001cfe418 R15: ffffea0001cfe420
> > FS:  0000555556b42380(0000) GS:ffff8880b9800000(0000)
> knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00000000005fdeb8 CR3: 000000007a443000 CR4: 00000000003506f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> >
> >
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@...glegroups.com.
> >
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> >
> > If the bug is already fixed, let syzbot know by replying with:
> > #syz fix: exact-commit-title
> >
> > If you want syzbot to run the reproducer, reply with:
> > #syz test: git://repo/address.git branch-or-commit-hash
> > If you attach or paste a git patch, syzbot will apply it before testing.
> >
> > If you want to overwrite bug's subsystems, reply with:
> > #syz set subsystems: new-subsystem
> > (See the list of subsystem names on the web dashboard)
> >
> > If the bug is a duplicate of another bug, reply with:
> > #syz dup: exact-subject-of-another-report
> >
> > If you want to undo deduplication, reply with:
> > #syz undup
> >

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ