lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <237f8f44-3ac7-4b61-bb04-e86730efbe10@intel.com>
Date:   Sun, 10 Sep 2023 19:53:33 +0800
From:   "Yin, Fengwei" <fengwei.yin@...el.com>
To:     "Kasireddy, Vivek" <vivek.kasireddy@...el.com>
CC:     Daniel Vetter <daniel@...ll.ch>,
        "dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>,
        syzbot <syzbot+17a207d226b8a5fb0fd9@...kaller.appspotmail.com>,
        "akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
        "hughd@...gle.com" <hughd@...gle.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-mm@...ck.org" <linux-mm@...ck.org>,
        "syzkaller-bugs@...glegroups.com" <syzkaller-bugs@...glegroups.com>,
        "kraxel@...hat.com" <kraxel@...hat.com>,
        "sumit.semwal@...aro.org" <sumit.semwal@...aro.org>,
        "christian.koenig@....com" <christian.koenig@....com>
Subject: Re: [syzbot] [mm?] kernel BUG in filemap_unaccount_folio



On 9/10/2023 3:02 PM, Kasireddy, Vivek wrote:
> Hi Fengwei,
> 
>>
>> Add udmabuf maintainers.
>>
>> On 9/7/2023 2:51 AM, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following issue on:
>>>
>>> HEAD commit:    db906f0ca6bb Merge tag 'phy-for-6.6' of git://git.kernel.o..
>>> git tree:       upstream
>>> console+strace: https://syzkaller.appspot.com/x/log.txt?x=16cbb32fa80000
>>> kernel config:
>> https://syzkaller.appspot.com/x/.config?x=3bd57a1ac08277b0
>>> dashboard link:
>> https://syzkaller.appspot.com/bug?extid=17a207d226b8a5fb0fd9
>>> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for
>> Debian) 2.40
>>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11609f38680000
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c1fc00680000
>>>
>>> Downloadable assets:
>>> disk image: https://storage.googleapis.com/syzbot-
>> assets/46394f3ca3eb/disk-db906f0c.raw.xz
>>> vmlinux: https://storage.googleapis.com/syzbot-
>> assets/eeaa594bfd1f/vmlinux-db906f0c.xz
>>> kernel image: https://storage.googleapis.com/syzbot-
>> assets/5c8df8de79ec/bzImage-db906f0c.xz
>>>
>>> IMPORTANT: if you fix the issue, please add the following tag to the
>> commit:
>>> Reported-by: syzbot+17a207d226b8a5fb0fd9@...kaller.appspotmail.com
>>
>> Operations from user space before kernel BUG hit:
>>
>> [pid  5043]
>> memfd_create("\x79\x10\x35\x25\xfa\x2c\x1f\x99\xa2\xc9\x8e\xcd\x5c\xfa
>> \xf6\x12\x95\x5e\xdf\x54\xe2\x3d\x0e\x7e\x46\xcd\x73\xa3\xff\x89\x3e\x
>> 84\xa9\x86\x86\xa2\x46\x90\x93\x98\x4e\x05\x65\x92\x4a\x77\xce\x63\xc
>> e\x9f\x32\xc8\x02\x66\x03\x07\x6d\x08\xb4\x48\x8f\x9e\xa5\x16\x8f\x61\
>> xff\xb2\x22\x8a\x15\x13\xa2\x17\x25\x21\x54\x8b\xa1\xb9\x2d\x13\xf9\x
>> 6f\x67\x95\x9d\x54\xef\xca\x68\x77\xf5\xff\x75\x7f\x75\xb8\x2a\xd3"...,
>> MFD_ALLOW_SEALING) = 3
>> [pid  5043] ftruncate(3, 65535)         = 0
>> [pid  5043] fcntl(3, F_ADD_SEALS,
>> F_SEAL_SEAL|F_SEAL_SHRINK|F_SEAL_GROW) = 0
>> [pid  5043] openat(AT_FDCWD, "/dev/udmabuf", O_RDWR) = 4
>> [pid  5043] ioctl(4, UDMABUF_CREATE, 0x20000000) = 5
>> [pid  5043] mmap(0x20667000, 16384,
>> PROT_WRITE|PROT_EXEC|PROT_SEM|PROT_GROWSDOWN,
>> MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 5, 0) = 0x20667000
>>
>> The crash happens when test app tried to close the memfd.
>>
>>
>> It's like test app created udmabuf above memfd. But didn't boost memfd
>> refcount.
>> And mmap with MAP_POPULATE make the underneath folios mapped.
>>
>> When memfd is closed without munmap 0x20667000, the memfd refcount
>> hit zero and
>> trigger evict() and hit
>> 	VM_BUG_ON_FOLIO(folio_mapped(folio), folio);
>>
>>
>> Related test code:
>>
>>   res = syscall(__NR_memfd_create, /*name=*/0x20000040ul, /*flags=*/2ul);
>>   if (res != -1)
>>     r[0] = res;
>>   syscall(__NR_ftruncate, /*fd=*/r[0], /*len=*/0xfffful);
>>   syscall(__NR_fcntl, /*fd=*/r[0], /*cmd=*/0x409ul, /*seals=*/7ul);
>>   memcpy((void*)0x200001c0, "/dev/udmabuf\000", 13);
>>   res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200001c0ul,
>>                 /*flags=*/2ul, 0);
>>   if (res != -1)
>>     r[1] = res;
>>   *(uint32_t*)0x20000000 = r[0];
>>   *(uint32_t*)0x20000004 = 0;
>>   *(uint64_t*)0x20000008 = 0;
>>   *(uint64_t*)0x20000010 = 0x8000;
>>   res = syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x40187542,
>>                 /*arg=*/0x20000000ul);
>>   if (res != -1)
>>     r[2] = res;
>>   syscall(__NR_mmap, /*addr=*/0x20667000ul, /*len=*/0x4000ul,
>>           /*prot=*/0x100000eul, /*flags=*/0x28011ul, /*fd=*/r[2],
>>           /*offset=*/0ul);
>>   close_fds();
>>
>>
>> Should memfd refcount increased when create udmabuf above it? Thanks.
> I think the following patch should fix this crash:
> https://lists.freedesktop.org/archives/dri-devel/2023-August/418952.html
Yes. This patch avoid playing with struct page when mmap memory to user
space. And avoid make pages marked as mapped.


Regards
Yin, Fengwei

> 
> Thanks,
> Vivek
>>
>> Regards
>> Yin, Fengwei
>>
>>>
>>>  search_binary_handler fs/exec.c:1739 [inline]
>>>  exec_binprm fs/exec.c:1781 [inline]
>>>  bprm_execve fs/exec.c:1856 [inline]
>>>  bprm_execve+0x80a/0x1a50 fs/exec.c:1812
>>>  do_execveat_common.isra.0+0x5d3/0x740 fs/exec.c:1964
>>>  do_execve fs/exec.c:2038 [inline]
>>>  __do_sys_execve fs/exec.c:2114 [inline]
>>>  __se_sys_execve fs/exec.c:2109 [inline]
>>>  __x64_sys_execve+0x8c/0xb0 fs/exec.c:2109
>>>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>>>  do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
>>>  entry_SYSCALL_64_after_hwframe+0x63/0xcd
>>> ------------[ cut here ]------------
>>> kernel BUG at mm/filemap.c:158!
>>> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
>>> CPU: 0 PID: 5043 Comm: syz-executor729 Not tainted 6.5.0-syzkaller-11275-
>> gdb906f0ca6bb #0
>>> Hardware name: Google Google Compute Engine/Google Compute Engine,
>> BIOS Google 07/26/2023
>>> RIP: 0010:filemap_unaccount_folio+0x62e/0x870 mm/filemap.c:158
>>> Code: 0f 85 68 01 00 00 8b 6b 5c 31 ff 89 ee e8 6a 3e d2 ff 85 ed 7e 16 e8 f1
>> 42 d2 ff 48 c7 c6 c0 3b 97 8a 48 89 df e8 a2 58 10 00 <0f> 0b e8 db 42 d2 ff 48
>> 8d 6b 58 be 04 00 00 00 48 89 ef e8 0a 0d
>>> RSP: 0018:ffffc900039ef828 EFLAGS: 00010093
>>> RAX: 0000000000000000 RBX: ffffea0001cfe400 RCX: 0000000000000000
>>> RDX: ffff88807e171dc0 RSI: ffffffff81b559ae RDI: 0000000000000000
>>> RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff1d9be7a
>>> R10: ffffffff8ecdf3d7 R11: 0000000000000001 R12: ffff8880258003b8
>>> R13: ffffea0001cfe400 R14: ffffea0001cfe418 R15: ffffea0001cfe420
>>> FS:  0000555556b42380(0000) GS:ffff8880b9800000(0000)
>> knlGS:0000000000000000
>>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> CR2: 00000000005fdeb8 CR3: 000000007a443000 CR4: 00000000003506f0
>>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>>> Call Trace:
>>>  <TASK>
>>>  __filemap_remove_folio+0x110/0x820 mm/filemap.c:227
>>>  filemap_remove_folio+0xca/0x210 mm/filemap.c:260
>>>  truncate_inode_folio+0x49/0x70 mm/truncate.c:195
>>>  shmem_undo_range+0x365/0x1040 mm/shmem.c:1018
>>>  shmem_truncate_range mm/shmem.c:1114 [inline]
>>>  shmem_evict_inode+0x392/0xb50 mm/shmem.c:1243
>>>  evict+0x2ed/0x6b0 fs/inode.c:664
>>>  iput_final fs/inode.c:1775 [inline]
>>>  iput.part.0+0x55e/0x7a0 fs/inode.c:1801
>>>  iput+0x5c/0x80 fs/inode.c:1791
>>>  dentry_unlink_inode+0x292/0x430 fs/dcache.c:401
>>>  __dentry_kill+0x3b8/0x640 fs/dcache.c:607
>>>  dentry_kill fs/dcache.c:733 [inline]
>>>  dput+0x8dd/0xfd0 fs/dcache.c:913
>>>  __fput+0x536/0xa70 fs/file_table.c:392
>>>  __fput_sync+0x47/0x50 fs/file_table.c:465
>>>  __do_sys_close fs/open.c:1572 [inline]
>>>  __se_sys_close fs/open.c:1557 [inline]
>>>  __x64_sys_close+0x87/0xf0 fs/open.c:1557
>>>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>>>  do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
>>>  entry_SYSCALL_64_after_hwframe+0x63/0xcd
>>> RIP: 0033:0x7f6700c6aa90
>>> Code: ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66
>> 90 80 3d f1 85 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3
>> 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c
>>> RSP: 002b:00007ffd27935ca8 EFLAGS: 00000202 ORIG_RAX:
>> 0000000000000003
>>> RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f6700c6aa90
>>> RDX: 0000000000000000 RSI: 0000000000004000 RDI: 0000000000000003
>>> RBP: 00007ffd27935cc0 R08: 0000000000000005 R09: 0000000000000000
>>> R10: 0000000000028011 R11: 0000000000000202 R12: 00007f6700cde5f0
>>> R13: 00007ffd27935ea8 R14: 0000000000000001 R15: 0000000000000001
>>>  </TASK>
>>> Modules linked in:
>>> ---[ end trace 0000000000000000 ]---
>>> RIP: 0010:filemap_unaccount_folio+0x62e/0x870 mm/filemap.c:158
>>> Code: 0f 85 68 01 00 00 8b 6b 5c 31 ff 89 ee e8 6a 3e d2 ff 85 ed 7e 16 e8 f1
>> 42 d2 ff 48 c7 c6 c0 3b 97 8a 48 89 df e8 a2 58 10 00 <0f> 0b e8 db 42 d2 ff 48
>> 8d 6b 58 be 04 00 00 00 48 89 ef e8 0a 0d
>>> RSP: 0018:ffffc900039ef828 EFLAGS: 00010093
>>> RAX: 0000000000000000 RBX: ffffea0001cfe400 RCX: 0000000000000000
>>> RDX: ffff88807e171dc0 RSI: ffffffff81b559ae RDI: 0000000000000000
>>> RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff1d9be7a
>>> R10: ffffffff8ecdf3d7 R11: 0000000000000001 R12: ffff8880258003b8
>>> R13: ffffea0001cfe400 R14: ffffea0001cfe418 R15: ffffea0001cfe420
>>> FS:  0000555556b42380(0000) GS:ffff8880b9800000(0000)
>> knlGS:0000000000000000
>>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> CR2: 00000000005fdeb8 CR3: 000000007a443000 CR4: 00000000003506f0
>>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>>>
>>>
>>> ---
>>> This report is generated by a bot. It may contain errors.
>>> See https://goo.gl/tpsmEJ for more information about syzbot.
>>> syzbot engineers can be reached at syzkaller@...glegroups.com.
>>>
>>> syzbot will keep track of this issue. See:
>>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>>>
>>> If the bug is already fixed, let syzbot know by replying with:
>>> #syz fix: exact-commit-title
>>>
>>> If you want syzbot to run the reproducer, reply with:
>>> #syz test: git://repo/address.git branch-or-commit-hash
>>> If you attach or paste a git patch, syzbot will apply it before testing.
>>>
>>> If you want to overwrite bug's subsystems, reply with:
>>> #syz set subsystems: new-subsystem
>>> (See the list of subsystem names on the web dashboard)
>>>
>>> If the bug is a duplicate of another bug, reply with:
>>> #syz dup: exact-subject-of-another-report
>>>
>>> If you want to undo deduplication, reply with:
>>> #syz undup
>>>
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ