lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <8bc2554d-1052-4922-8832-e0078a033e1d@gmail.com>
Date: Mon, 12 May 2025 21:13:02 +0800
From: Tao Chen <chen.dylane@...il.com>
To: syzbot <syzbot+45b0c89a0fc7ae8dbadc@...kaller.appspotmail.com>,
 andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org,
 daniel@...earbox.net, eddyz87@...il.com, haoluo@...gle.com,
 john.fastabend@...il.com, jolsa@...nel.org, kpsingh@...nel.org,
 linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org,
 martin.lau@...ux.dev, mathieu.desnoyers@...icios.com,
 mattbobrowski@...gle.com, mhiramat@...nel.org, rostedt@...dmis.org,
 sdf@...ichev.me, song@...nel.org, syzkaller-bugs@...glegroups.com,
 yonghong.song@...ux.dev
Subject: Re: [syzbot] [bpf?] [trace?] WARNING in get_bpf_raw_tp_regs

在 2025/5/12 11:56, syzbot 写道:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    707df3375124 Merge tag 'media/v6.15-2' of git://git.kernel..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15010768580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=b39cb28b0a399ed3
> dashboard link: https://syzkaller.appspot.com/bug?extid=45b0c89a0fc7ae8dbadc
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10b28670580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=159698f4580000
> 
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-707df337.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/f71d162685b9/vmlinux-707df337.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/940cb473e515/bzImage-707df337.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+45b0c89a0fc7ae8dbadc@...kaller.appspotmail.com
> 
> ------------[ cut here ]------------
> WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861
> Modules linked in:
> CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> RIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861
> Code: 48 83 fb 03 77 64 48 8d 04 9b 48 8d 04 83 48 8d 5c c5 00 e8 7e 76 f4 ff 48 89 d8 5b 5d 41 5c c3 cc cc cc cc e8 6d 76 f4 ff 90 <0f> 0b 90 65 ff 0d b2 5b de 11 e8 5d 76 f4 ff 48 c7 c3 f0 ff ff ff
> RSP: 0018:ffffc90003636fa8 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c
> RDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005
> RBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003
> R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004
> R13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900
> FS:  0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>   <TASK>
>   ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline]
>   bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931
>   bpf_prog_ec3b2eefa702d8d3+0x43/0x47
>   bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
>   __bpf_prog_run include/linux/filter.h:718 [inline]
>   bpf_prog_run include/linux/filter.h:725 [inline]
>   __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]
>   bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405
>   __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47
>   __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47
>   __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
>   trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
>   __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35
>   __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
>   mmap_read_trylock include/linux/mmap_lock.h:204 [inline]
>   stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157
>   __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483
>   ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]
>   bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496
>   ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]
>   bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931
>   bpf_prog_ec3b2eefa702d8d3+0x43/0x47
>   bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
>   __bpf_prog_run include/linux/filter.h:718 [inline]
>   bpf_prog_run include/linux/filter.h:725 [inline]
>   __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]
>   bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405
>   __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47
>   __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47
>   __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
>   trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
>   __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35
>   __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
>   mmap_read_trylock include/linux/mmap_lock.h:204 [inline]
>   stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157
>   __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483
>   ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]
>   bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496
>   ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]
>   bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931
>   bpf_prog_ec3b2eefa702d8d3+0x43/0x47
>   bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
>   __bpf_prog_run include/linux/filter.h:718 [inline]
>   bpf_prog_run include/linux/filter.h:725 [inline]
>   __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]
>   bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405
>   __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47
>   __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47
>   __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
>   trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
>   __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35
>   __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
>   mmap_read_trylock include/linux/mmap_lock.h:204 [inline]
>   stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157
>   __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483
>   ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]
>   bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496
>   ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]
>   bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931
>   bpf_prog_ec3b2eefa702d8d3+0x43/0x47
>   bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
>   __bpf_prog_run include/linux/filter.h:718 [inline]
>   bpf_prog_run include/linux/filter.h:725 [inline]
>   __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]
>   bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405
>   __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47
>   __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47
>   __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
>   trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
>   __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35
>   __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
>   mmap_read_lock include/linux/mmap_lock.h:185 [inline]
>   exit_mm kernel/exit.c:565 [inline]
>   do_exit+0xf72/0x2c30 kernel/exit.c:940
>   do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
>   __do_sys_exit_group kernel/exit.c:1113 [inline]
>   __se_sys_exit_group kernel/exit.c:1111 [inline]
>   __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1111
>   x64_sys_call+0x1530/0x1730 arch/x86/include/generated/asm/syscalls_64.h:232
>   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>   do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f7baed8cfb9
> Code: 90 49 c7 c0 b8 ff ff ff be e7 00 00 00 ba 3c 00 00 00 eb 12 0f 1f 44 00 00 89 d0 0f 05 48 3d 00 f0 ff ff 77 1c f4 89 f0 0f 05 <48> 3d 00 f0 ff ff 76 e7 f7 d8 64 41 89 00 eb df 0f 1f 80 00 00 00
> RSP: 002b:00007ffd9d933998 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7baed8cfb9
> RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
> RBP: 00007f7baee082b0 R08: ffffffffffffffb8 R09: 0000000000000000
> R10: 0000000000000012 R11: 0000000000000246 R12: 00007f7baee082b0
> R13: 0000000000000000 R14: 00007f7baee08d20 R15: 00007f7baed5e160
>   </TASK>
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> 
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
> 
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
> 
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
> 
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
> 
> If you want to undo deduplication, reply with:
> #syz undup
> 

Hi,

The issue seems to arise because a bpf_prog is used to trace the 
trace_mmap_lock_acquire_returned tracepoint. Within this BPF program, 
the bpf_get_stack function is called. If it collects user-space call 
stacks, it will go here:
       if (user_build_id)
                 stack_map_get_build_id_offset(buf, trace_nr, user, 
may_fault);

and in stack_map_get_build_id_offset, it will call mmap_read_trylock, 
which will call trace_mmap_lock_acquire_returned again.

So can we replace mmap_read_trylock with 
down_read_trylock(&mm->mmap_lock) to avoid calling 
__mmap_lock_trace_acquire_returned

-- 
Best Regards
Tao Chen

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ