[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <26ba9ac3-28a8-43ee-98b1-285ec180583f@linux.dev>
Date: Mon, 15 Jul 2024 09:45:33 -0700
From: Yonghong Song <yonghong.song@...ux.dev>
To: syzbot <syzbot+ad9ec60c8eaf69e6f99c@...kaller.appspotmail.com>,
andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org,
daniel@...earbox.net, davem@...emloft.net, eddyz87@...il.com,
edumazet@...gle.com, haoluo@...gle.com, hawk@...nel.org,
john.fastabend@...il.com, jolsa@...nel.org, kpsingh@...nel.org,
kuba@...nel.org, linux-kernel@...r.kernel.org, martin.lau@...ux.dev,
netdev@...r.kernel.org, pabeni@...hat.com, sdf@...ichev.me, sdf@...gle.com,
song@...nel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [bpf?] [net?] BUG: unable to handle kernel paging
request in bpf_prog_ADDR (3)
On 7/13/24 9:24 AM, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 8b9b59e27aa8 i40e: fix: remove needless retries of NVM upd..
> git tree: bpf
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=135ee4f6980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=b63b35269462a0e0
> dashboard link: https://syzkaller.appspot.com/bug?extid=ad9ec60c8eaf69e6f99c
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=171399dd980000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e4054e980000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/535b0bcd3e1f/disk-8b9b59e2.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/127f5ddff150/vmlinux-8b9b59e2.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/a3ac9910529c/bzImage-8b9b59e2.xz
>
> The issue was bisected to:
>
> commit 1f1e864b65554e33fe74e3377e58b12f4302f2eb
> Author: Yonghong Song <yonghong.song@...ux.dev>
> Date: Fri Jul 28 01:12:07 2023 +0000
>
> bpf: Handle sign-extenstin ctx member accesses
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=121c054e980000
> final oops: https://syzkaller.appspot.com/x/report.txt?x=111c054e980000
> console output: https://syzkaller.appspot.com/x/log.txt?x=161c054e980000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+ad9ec60c8eaf69e6f99c@...kaller.appspotmail.com
> Fixes: 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses")
>
> BUG: unable to handle page fault for address: 000000002aebd040
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 80000000226b6067 P4D 80000000226b6067 PUD 226b7067 PMD 0
> Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
> CPU: 0 PID: 5096 Comm: syz-executor365 Not tainted 6.10.0-rc7-syzkaller-00133-g8b9b59e27aa8 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
> RIP: 0010:bpf_prog_82ec301e76077160+0x5c/0xa0
> Code: 0a b8 02 00 00 00 41 5d 5b c9 c3 48 89 df 48 8b b7 d8 00 00 00 48 63 f6 48 8b 57 50 48 89 f0 48 83 c0 08 48 39 c2 77 02 eb dc <48> 0f b7 5e 00 4c 0f bf eb 48 81 fb 0f ff 07 00 74 00 48 c1 e3 20
> RSP: 0018:ffffc900031f7980 EFLAGS: 00010292
> RAX: 000000002aebd048 RBX: 0000000000000000 RCX: ffff888076a99e00
> RDX: ffff88802aebd050 RSI: 000000002aebd040 RDI: ffff8880226b4b40
> RBP: ffffc900031f7990 R08: ffffffff8183cf51 R09: 1ffffffff1f5b295
> R10: dffffc0000000000 R11: ffffffffa0001f9c R12: ffffffff8998404e
> R13: dffffc0000000000 R14: ffffc90000ace030 R15: ffffc90000ace020
> FS: 0000555562a39380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000002aebd040 CR3: 0000000021bc0000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
> __bpf_prog_run include/linux/filter.h:691 [inline]
> bpf_prog_run include/linux/filter.h:698 [inline]
> bpf_test_run+0x409/0x910 net/bpf/test_run.c:425
> bpf_prog_test_run_skb+0xafa/0x13a0 net/bpf/test_run.c:1072
> bpf_prog_test_run+0x33a/0x3b0 kernel/bpf/syscall.c:4292
> __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5706
> __do_sys_bpf kernel/bpf/syscall.c:5795 [inline]
> __se_sys_bpf kernel/bpf/syscall.c:5793 [inline]
> __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5793
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fcd7dc9bbb9
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffc1893ff98 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcd7dc9bbb9
> RDX: 000000000000004c RSI: 0000000020000240 RDI: 000000000000000a
> RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000006
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
> </TASK>
> Modules linked in:
> CR2: 000000002aebd040
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:bpf_prog_82ec301e76077160+0x5c/0xa0
> Code: 0a b8 02 00 00 00 41 5d 5b c9 c3 48 89 df 48 8b b7 d8 00 00 00 48 63 f6 48 8b 57 50 48 89 f0 48 83 c0 08 48 39 c2 77 02 eb dc <48> 0f b7 5e 00 4c 0f bf eb 48 81 fb 0f ff 07 00 74 00 48 c1 e3 20
> RSP: 0018:ffffc900031f7980 EFLAGS: 00010292
> RAX: 000000002aebd048 RBX: 0000000000000000 RCX: ffff888076a99e00
> RDX: ffff88802aebd050 RSI: 000000002aebd040 RDI: ffff8880226b4b40
> RBP: ffffc900031f7990 R08: ffffffff8183cf51 R09: 1ffffffff1f5b295
> R10: dffffc0000000000 R11: ffffffffa0001f9c R12: ffffffff8998404e
> R13: dffffc0000000000 R14: ffffc90000ace030 R15: ffffc90000ace020
> FS: 0000555562a39380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000002aebd040 CR3: 0000000021bc0000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> ----------------
> Code disassembly (best guess):
> 0: 0a b8 02 00 00 00 or 0x2(%rax),%bh
> 6: 41 5d pop %r13
> 8: 5b pop %rbx
> 9: c9 leave
> a: c3 ret
> b: 48 89 df mov %rbx,%rdi
> e: 48 8b b7 d8 00 00 00 mov 0xd8(%rdi),%rsi
> 15: 48 63 f6 movslq %esi,%rsi
> 18: 48 8b 57 50 mov 0x50(%rdi),%rdx
> 1c: 48 89 f0 mov %rsi,%rax
> 1f: 48 83 c0 08 add $0x8,%rax
> 23: 48 39 c2 cmp %rax,%rdx
> 26: 77 02 ja 0x2a
> 28: eb dc jmp 0x6
> * 2a: 48 0f b7 5e 00 movzwq 0x0(%rsi),%rbx <-- trapping instruction
> 2f: 4c 0f bf eb movswq %bx,%r13
> 33: 48 81 fb 0f ff 07 00 cmp $0x7ff0f,%rbx
> 3a: 74 00 je 0x3c
> 3c: 48 c1 e3 20 shl $0x20,%rbx
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
The failure is due to the following bpf code:
r2 = *(s32 *)(r1 + 76) /* __sk_buff->data */
r3 = *(u32 *)(r1 + 80) /* __sk_buff->data_end */
r0 = r2
r0 += 8
if r3 > r0 goto +1
After verification:
r2 = *(u64 *)(r1 +208)
r2 = (s32)r2 /* added in convert_ctx_accesses() */
r3 = *(u64 *)(r1 +80)
r0 = r2
r0 += 8
if r3 > r0 goto pc+1
The 'r2 = (s32)r2' will cause incorrect __sk_buff->data.
I will send a patch shortly.
Powered by blists - more mailing lists