[syzbot] [bpf?] BUG: unable to handle kernel paging request in bpf_prog_ADDR (2)
13 views
Skip to first unread message
syzbot
Apr 8, 2024, 11:53:28 PMApr 8
to and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, edd...@gmail.com, hao...@google.com, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, linux-...@vger.kernel.org, marti...@linux.dev, s...@google.com, so...@kernel.org, syzkall...@googlegroups.com, yongho...@linux.dev
Hello,
syzbot found the following issue on:
HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=12596223180000
kernel config: https://syzkaller.appspot.com/x/.config?x=4d90a36f0cab495a
dashboard link: https://syzkaller.appspot.com/bug?extid=838346b979830606c854
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=134ecbb5180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=141a8b3d180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f6c04726a2ae/disk-fe46a7dd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/09c26ce901ea/vmlinux-fe46a7dd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/134acf7f5322/bzImage-fe46a7dd.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+838346...@syzkaller.appspotmail.com
BUG: unable to handle page fault for address: 0000001000000112
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 800000002e7b1067 P4D 800000002e7b1067 PUD 0
Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 5060 Comm: syz-executor351 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:bpf_prog_a8e24a805b35c61b+0x19/0x1e
Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 31 c0 48 8b 7f 18 <8b> 7f 00 c9 c3 cc cc cc cc cc cc 40 03 00 00 cc cc cc cc cc cc cc
RSP: 0018:ffffc90003b07b30 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc90000ace048 RCX: ffff88802aa89e00
RDX: 0000000000000000 RSI: ffffc90000ace048 RDI: 0000001000000112
RBP: ffffc90003b07b30 R08: ffffffff81bf633c R09: 1ffffffff2595ca0
R10: dffffc0000000000 R11: ffffffffa000095c R12: ffffc90000ace030
R13: ffff88802ac3ae28 R14: dffffc0000000000 R15: ffff88802ac3ae28
FS: 000055558f759380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001000000112 CR3: 0000000077cfa000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
__bpf_prog_run include/linux/filter.h:657 [inline]
bpf_prog_run include/linux/filter.h:664 [inline]
bpf_prog_run_array_cg kernel/bpf/cgroup.c:51 [inline]
__cgroup_bpf_run_filter_setsockopt+0x6fa/0x1040 kernel/bpf/cgroup.c:1830
do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293
__sys_setsockopt+0x1ae/0x250 net/socket.c:2334
__do_sys_setsockopt net/socket.c:2343 [inline]
__se_sys_setsockopt net/socket.c:2340 [inline]
__x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7fb234535cc9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd33db0138 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb234535cc9
RDX: 0000000000000010 RSI: 0000000000000112 RDI: 0000000000000007
RBP: 0000000000000006 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000055558f759338
R13: 0000000000000010 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Modules linked in:
CR2: 0000001000000112
---[ end trace 0000000000000000 ]---
RIP: 0010:bpf_prog_a8e24a805b35c61b+0x19/0x1e
Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 31 c0 48 8b 7f 18 <8b> 7f 00 c9 c3 cc cc cc cc cc cc 40 03 00 00 cc cc cc cc cc cc cc
RSP: 0018:ffffc90003b07b30 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc90000ace048 RCX: ffff88802aa89e00
RDX: 0000000000000000 RSI: ffffc90000ace048 RDI: 0000001000000112
RBP: ffffc90003b07b30 R08: ffffffff81bf633c R09: 1ffffffff2595ca0
R10: dffffc0000000000 R11: ffffffffa000095c R12: ffffc90000ace030
R13: ffff88802ac3ae28 R14: dffffc0000000000 R15: ffff88802ac3ae28
FS: 000055558f759380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001000000112 CR3: 0000000077cfa000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: cc int3
1: cc int3
2: cc int3
3: cc int3
4: cc int3
5: cc int3
6: cc int3
7: cc int3
8: cc int3
9: cc int3
a: cc int3
b: cc int3
c: cc int3
d: cc int3
e: cc int3
f: cc int3
10: cc int3
11: f3 0f 1e fa endbr64
15: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
1a: 66 90 xchg %ax,%ax
1c: 55 push %rbp
1d: 48 89 e5 mov %rsp,%rbp
20: f3 0f 1e fa endbr64
24: 31 c0 xor %eax,%eax
26: 48 8b 7f 18 mov 0x18(%rdi),%rdi
* 2a: 8b 7f 00 mov 0x0(%rdi),%edi <-- trapping instruction
2d: c9 leave
2e: c3 ret
2f: cc int3
30: cc int3
31: cc int3
32: cc int3
33: cc int3
34: cc int3
35: 40 03 00 rex add (%rax),%eax
38: 00 cc add %cl,%ah
3a: cc int3
3b: cc int3
3c: cc int3
3d: cc int3
3e: cc int3
3f: cc int3
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=12596223180000
kernel config: https://syzkaller.appspot.com/x/.config?x=4d90a36f0cab495a
dashboard link: https://syzkaller.appspot.com/bug?extid=838346b979830606c854
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=134ecbb5180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=141a8b3d180000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f6c04726a2ae/disk-fe46a7dd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/09c26ce901ea/vmlinux-fe46a7dd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/134acf7f5322/bzImage-fe46a7dd.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+838346...@syzkaller.appspotmail.com
BUG: unable to handle page fault for address: 0000001000000112
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 800000002e7b1067 P4D 800000002e7b1067 PUD 0
Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 5060 Comm: syz-executor351 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:bpf_prog_a8e24a805b35c61b+0x19/0x1e
Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 31 c0 48 8b 7f 18 <8b> 7f 00 c9 c3 cc cc cc cc cc cc 40 03 00 00 cc cc cc cc cc cc cc
RSP: 0018:ffffc90003b07b30 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc90000ace048 RCX: ffff88802aa89e00
RDX: 0000000000000000 RSI: ffffc90000ace048 RDI: 0000001000000112
RBP: ffffc90003b07b30 R08: ffffffff81bf633c R09: 1ffffffff2595ca0
R10: dffffc0000000000 R11: ffffffffa000095c R12: ffffc90000ace030
R13: ffff88802ac3ae28 R14: dffffc0000000000 R15: ffff88802ac3ae28
FS: 000055558f759380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001000000112 CR3: 0000000077cfa000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
__bpf_prog_run include/linux/filter.h:657 [inline]
bpf_prog_run include/linux/filter.h:664 [inline]
bpf_prog_run_array_cg kernel/bpf/cgroup.c:51 [inline]
__cgroup_bpf_run_filter_setsockopt+0x6fa/0x1040 kernel/bpf/cgroup.c:1830
do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293
__sys_setsockopt+0x1ae/0x250 net/socket.c:2334
__do_sys_setsockopt net/socket.c:2343 [inline]
__se_sys_setsockopt net/socket.c:2340 [inline]
__x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340
do_syscall_64+0xfb/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7fb234535cc9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd33db0138 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb234535cc9
RDX: 0000000000000010 RSI: 0000000000000112 RDI: 0000000000000007
RBP: 0000000000000006 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000055558f759338
R13: 0000000000000010 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Modules linked in:
CR2: 0000001000000112
---[ end trace 0000000000000000 ]---
RIP: 0010:bpf_prog_a8e24a805b35c61b+0x19/0x1e
Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 31 c0 48 8b 7f 18 <8b> 7f 00 c9 c3 cc cc cc cc cc cc 40 03 00 00 cc cc cc cc cc cc cc
RSP: 0018:ffffc90003b07b30 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc90000ace048 RCX: ffff88802aa89e00
RDX: 0000000000000000 RSI: ffffc90000ace048 RDI: 0000001000000112
RBP: ffffc90003b07b30 R08: ffffffff81bf633c R09: 1ffffffff2595ca0
R10: dffffc0000000000 R11: ffffffffa000095c R12: ffffc90000ace030
R13: ffff88802ac3ae28 R14: dffffc0000000000 R15: ffff88802ac3ae28
FS: 000055558f759380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001000000112 CR3: 0000000077cfa000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: cc int3
1: cc int3
2: cc int3
3: cc int3
4: cc int3
5: cc int3
6: cc int3
7: cc int3
8: cc int3
9: cc int3
a: cc int3
b: cc int3
c: cc int3
d: cc int3
e: cc int3
f: cc int3
10: cc int3
11: f3 0f 1e fa endbr64
15: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
1a: 66 90 xchg %ax,%ax
1c: 55 push %rbp
1d: 48 89 e5 mov %rsp,%rbp
20: f3 0f 1e fa endbr64
24: 31 c0 xor %eax,%eax
26: 48 8b 7f 18 mov 0x18(%rdi),%rdi
* 2a: 8b 7f 00 mov 0x0(%rdi),%edi <-- trapping instruction
2d: c9 leave
2e: c3 ret
2f: cc int3
30: cc int3
31: cc int3
32: cc int3
33: cc int3
34: cc int3
35: 40 03 00 rex add (%rax),%eax
38: 00 cc add %cl,%ah
3a: cc int3
3b: cc int3
3c: cc int3
3d: cc int3
3e: cc int3
3f: cc int3
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Alexei Starovoitov
Apr 19, 2024, 3:44:19 PM (11 days ago) Apr 19
to syzbot, Björn Töpel, Stanislav Fomichev, Andrii Nakryiko, Alexei Starovoitov, bpf, Daniel Borkmann, Eddy Z, Hao Luo, John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau, Song Liu, syzkaller-bugs, Yonghong Song
But I cannot reproduce it.
Bjorn or Stan,
Could you take a look?
Probably a race in xdp dispatcher setup or the way cgroup-lsm
logic is doing it.
Stanislav Fomichev
Apr 19, 2024, 6:42:31 PM (11 days ago) Apr 19
to Alexei Starovoitov, syzbot, Björn Töpel, Andrii Nakryiko, Alexei Starovoitov, bpf, Daniel Borkmann, Eddy Z, Hao Luo, John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau, Song Liu, syzkaller-bugs, Yonghong Song
to /sys/fs/cgroup instead of syzkallers custom path. Will try to
poke it a bit more..
Björn Töpel
Apr 22, 2024, 6:37:07 AM (8 days ago) Apr 22
to Stanislav Fomichev, Alexei Starovoitov, syzbot, Andrii Nakryiko, Alexei Starovoitov, bpf, Daniel Borkmann, Eddy Z, Hao Luo, John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau, Song Liu, syzkaller-bugs, Yonghong Song
to reproduce the issue.
Cheers,
Björn
Stanislav Fomichev
Apr 22, 2024, 12:03:42 PM (8 days ago) Apr 22
to Björn Töpel, Alexei Starovoitov, syzbot, Andrii Nakryiko, Alexei Starovoitov, bpf, Daniel Borkmann, Eddy Z, Hao Luo, John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau, Song Liu, syzkaller-bugs, Yonghong Song
cgroup_skb program to a cgroup_sockopt hook :-/. I'll try to send a
patch this week
to fix it (need to write a proper selftest as well).
> Cheers,
> Björn
Reply all
Reply to author
Forward
0 new messages