[syzbot] unexpected kernel reboot (5)


syzbot

May 26, 2021, 9:30:20 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 7ac3a1c1 Merge tag 'mtd/fixes-for-5.13-rc4' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15b43813d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=266cda122a0b56c
dashboard link: https://syzkaller.appspot.com/bug?extid=6fb8ff5211d3e821398f

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6fb8ff...@syzkaller.appspotmail.com

output_len: 0x000000000e7f5b68
kernel_total_size: 0x000000000fc26000
needed_size: 0x000000000fe00000
trampoline_32bit: 0x000000000009d000
Decompressing Linux... Parsing ELF... done.
Booting the kernel.


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

May 26, 2021, 10:08:20 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 7ac3a1c1 Merge tag 'mtd/fixes-for-5.13-rc4' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=174ba76fd00000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10772527d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1072f98dd00000

Dmitry Vyukov

May 27, 2021, 2:40:19 AM
to syzbot, Joey Jiao, Tetsuo Handa, LKML, syzkaller-bugs
The reproducer writes into /sys/power/state. I assume this is an
intentional way to reboot a machine and we can't let the fuzzer mess
with all sysfs files with:

openat$sysfs(fd const[AT_FDCWD], dir ptr[in, glob["/sys/**/*"]], flags
flags[open_flags], mode flags[open_mode]) fd

+Joey, how do you deal with this?

Tetsuo Handa

May 27, 2021, 2:59:23 AM
to Dmitry Vyukov, syzbot, Joey Jiao, LKML, syzkaller-bugs
On 2021/05/27 15:40, Dmitry Vyukov wrote:
> The reproducer writes into /sys/power/state. I assume this is an
> intentional way to reboot a machine and we can't let the fuzzer mess
> with all sysfs files with:
>
> openat$sysfs(fd const[AT_FDCWD], dir ptr[in, glob["/sys/**/*"]], flags
> flags[open_flags], mode flags[open_mode]) fd
>
> +Joey, how do you deal with this?
>

I have CaitSith LSM module ( https://caitsith.osdn.jp/#5.2 ).
Maybe we could invent a simple LSM module for excluding access to specific pseudo files?

syzbot

May 27, 2021, 8:12:11 AM
to dvy...@google.com, gre...@linuxfoundation.org, h...@lst.de, joey....@gmail.com, linux-...@vger.kernel.org, penguin...@i-love.sakura.ne.jp, sid...@codeaurora.org, syzkall...@googlegroups.com
syzbot has bisected this issue to:

commit f2d6c2708bd84ca953fa6b6ca5717e79eb0140c7
Author: Christoph Hellwig <h...@lst.de>
Date: Wed Jan 20 20:46:31 2021 +0000

kernfs: wire up ->splice_read and ->splice_write

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=144ee113d00000
start commit: 7ac3a1c1 Merge tag 'mtd/fixes-for-5.13-rc4' of git://git.k..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=164ee113d00000
console output: https://syzkaller.appspot.com/x/log.txt?x=124ee113d00000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=154e8703d00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171382d3d00000

Reported-by: syzbot+6fb8ff...@syzkaller.appspotmail.com
Fixes: f2d6c2708bd8 ("kernfs: wire up ->splice_read and ->splice_write")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

joey.jiaojg

May 27, 2021, 8:16:04 AM
to Dmitry Vyukov, syzbot, Tetsuo Handa, LKML, syzkaller-bugs
I tested on qemu and an Android device and did not see the reboot.
Is the kernel version different?

And my previous implementation has a blacklist to exclude any situation I don't want.

joey.jiaojg

May 27, 2021, 8:19:14 AM
to Dmitry Vyukov, syzbot, Tetsuo Handa, LKML, syzkaller-bugs
Or we can add glob code like

Tetsuo Handa

May 27, 2021, 9:17:09 AM
to joey.jiaojg, Dmitry Vyukov, syzbot, LKML, syzkaller-bugs
On 2021/05/27 21:15, joey.jiaojg wrote:
> I tested on qemu and Android device, not found the reboot.
> Any kernel version different?

Kernel version needs to be v5.11-rc5+ because this reproducer
depends on commit f2d6c2708bd8 ("kernfs: wire up ->splice_read
and ->splice_write"). Also, this reproducer depends on contents
of /sys/power/state file.

----------
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/sendfile.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
	/* /sys/power/state is writable only by root, so run this as root. */
	const int fd = open("/sys/power/state", O_RDWR);
	off_t offset = 7;

	if (fd < 0)
		return 1;
	/*
	 * Assumes that 3 bytes from offset 7 in /sys/power/state are "mem".
	 * Using the same fd as both source and destination makes sendfile()
	 * splice those bytes back into the file, i.e. the kernel writes
	 * "mem" to /sys/power/state on our behalf and suspends the machine.
	 */
	sendfile(fd, fd, &offset, 3);
	close(fd);
	return 0;
}
----------

On 2021/05/27 21:19, joey.jiaojg wrote:
> Or we can add glob code like
> /sys/**/*:-/sys/power/state to exclude.

Well, since /sys/ includes mount points for other filesystems such as
securityfs ( /sys/kernel/security/ ), debugfs ( /sys/kernel/debug/ )
and cgroup ( /sys/fs/cgroup/ ), just excluding this specific file is not
sufficient. I think we have to start from removing glob["/sys/**/*"] .

Dmitry Vyukov

May 31, 2021, 4:50:31 AM
to Tetsuo Handa, joey.jiaojg, syzbot, LKML, syzkaller-bugs
FTR, Joey is working on support for excluding specific patterns from globs:
https://github.com/google/syzkaller/pull/2602

I agree /sys/**/* may be too broad. On my machine /sys contains 82501
files. But it's also hard for me to tell what exactly should be
included/excluded. Do we know any definitely bad files/dirs?
Or alternatively, we can just wait for more reports from syzbot when
it opens something we don't want it to open. The benefit of working on
testing :)

Tetsuo Handa

Jun 23, 2021, 9:53:11 AM
to Dmitry Vyukov, joey.jiaojg, syzbot, syzkaller-bugs
On 2021/05/31 17:50, Dmitry Vyukov wrote:
>> On 2021/05/27 21:19, joey.jiaojg wrote:
>>> Or we can add glob code like
>>> /sys/**/*:-/sys/power/state to exclude.
>>
>> Well, since /sys/ includes mount points for other filesystems such as
>> securityfs ( /sys/kernel/security/ ), debugfs ( /sys/kernel/debug/ )
>> and cgroup ( /sys/fs/cgroup/ ), just excluding this specific file is not
>> sufficient. I think we have to start from removing glob["/sys/**/*"] .
>
> FTR, Joey is working on support for excluding specific patterns from globs:
> https://github.com/google/syzkaller/pull/2602
>
> I agree /sys/**/* may be too broad. On my machine /sys contains 82501
> files. But it's also hard for me to tell what exactly should be
> included/excluded. Do we know any definitely bad files/dirs?
> Or alternatively, we can just wait for more reports from syzbot when
> it opens something we don't want it to open. The benefit of working on
> testing :)

Although commit 0740de696b19a870 ("all: support exclude globs in descriptor") has
already been merged, this problem is still happening and has now become the 8th top crasher.

(From https://syzkaller.appspot.com/text?tag=CrashLog&x=16335400300000 on 2021/06/23 12:33)

12:33:16 executing program 4:
r0 = openat$sysfs(0xffffff9c, &(0x7f0000000080)='/sys/power/state', 0x2, 0x0)
socket$inet_tcp(0x2, 0x1, 0x0)
r1 = openat$uinput(0xffffffffffffff9c, &(0x7f00000000c0), 0x805, 0x0)
write$uinput_user_dev(0xffffffffffffffff, &(0x7f0000000d00)={'syz0\x00'}, 0x45c)
ioctl$UI_DEV_SETUP(r1, 0x5501, 0x0)
ioctl$DRM_IOCTL_MODE_CREATE_LEASE(r0, 0xc01864c6, &(0x7f0000000140)={0x0, 0x0, 0x80000})
sendfile(r0, r0, &(0x7f0000000000)=0x7, 0xe)

12:33:17 executing program 3:
r0 = openat(0xffffffffffffff9c, &(0x7f0000000000)='/proc/self/exe\x00', 0x0, 0x0)
mmap(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x1800003, 0x12, r0, 0x0)
preadv(r0, &(0x7f0000000280), 0x18, 0xd9f, 0x0)
openat(0xffffffffffffff9c, 0x0, 0x0, 0x0)
r1 = openat$sysfs(0xffffff9c, &(0x7f0000000080)='/sys/power/state', 0x2, 0x0)
sendfile(r1, r1, &(0x7f0000000000)=0x7, 0x3)

[ 567.403517][T24642] Freezing user space processes ... (elapsed 0.005 seconds) done.
[ 567.417787][T24642] OOM killer disabled.
[ 567.421866][T24642] Freezing remaining freezable tasks ... (elapsed 0.003 seconds) done.
[ 567.435178][T24642] printk: Suspending console(s) (use no_console_suspend to debug)

Why is openat$sysfs still opening /sys/power/state ? I think we are missing something...

Joey Jiao

Jun 24, 2021, 8:30:48 PM
to Tetsuo Handa, Dmitry Vyukov, syzbot, syzkaller-bugs
Hi Tetsuo,
I use the code in pkg/host/machine_info_linux.go and add a main
function in test_glob.go to test.

Verified on an arm64 device which has /sys/power/state.

$ ./test_glob "/sys/**/*:-/sys/power/state" > out.log

There is no /sys/power/state in the output log.

And I verified that both go version 1.16.2 and 1.14.2 work.

Tetsuo Handa <penguin...@i-love.sakura.ne.jp> wrote on Wed, Jun 23, 2021 at 9:53 PM:
--
-Joey Jiao
test_glob.go

Tetsuo Handa

Jun 25, 2021, 9:54:38 AM
to Dmitry Vyukov, syzbot, syzkaller-bugs, Joey Jiao
Dmitry, can we try (I mean, temporarily apply to syzkaller git tree)

----------
diff --git a/sys/linux/sys.txt b/sys/linux/sys.txt
index 5a8732085..84cbdf0ab 100644
--- a/sys/linux/sys.txt
+++ b/sys/linux/sys.txt
@@ -79,7 +79,7 @@ type signalnoptr intptr[0:65]
syz_execute_func(text ptr[in, text[target]])

# Exclude /sys/power/state as reported in https://lkml.org/lkml/2021/5/27/653
-openat$sysfs(fd const[AT_FDCWD], dir ptr[in, glob["/sys/**/*:-/sys/power/state"]], flags flags[open_flags], mode flags[open_mode]) fd
+openat$sysfs(fd const[AT_FDCWD], dir ptr[in, glob["/sys/kernel/*"]], flags flags[open_flags], mode flags[open_mode]) fd

open(file ptr[in, filename], flags flags[open_flags], mode flags[open_mode]) fd
# Just so that we have something that creates fd_dir resources.
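Review bot: the comment kept above the descriptor still reads "Exclude /sys/power/state", but the replacement glob `/sys/kernel/*` never mentions that path; it avoids it only because /sys/power/ lies outside /sys/kernel/, so the comment should say the glob is narrowed to /sys/kernel/ rather than that a file is excluded. Note also that /sys/kernel/ is exactly where the securityfs (/sys/kernel/security/) and debugfs (/sys/kernel/debug/) mount points named earlier in this thread live, so the comment should state whether descending into those is intended, or whether a single `*` is relied on to stop at the direct entries of /sys/kernel/.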
----------

xor

----------
diff --git a/sys/linux/sys.txt b/sys/linux/sys.txt
index 5a8732085..8cf6bec01 100644
--- a/sys/linux/sys.txt
+++ b/sys/linux/sys.txt
@@ -79,7 +79,7 @@ type signalnoptr intptr[0:65]
syz_execute_func(text ptr[in, text[target]])

# Exclude /sys/power/state as reported in https://lkml.org/lkml/2021/5/27/653
-openat$sysfs(fd const[AT_FDCWD], dir ptr[in, glob["/sys/**/*:-/sys/power/state"]], flags flags[open_flags], mode flags[open_mode]) fd
+openat$sysfs(fd const[AT_FDCWD], dir ptr[in, glob["/sys/kernel/*:-/sys/power/state"]], flags flags[open_flags], mode flags[open_mode]) fd

open(file ptr[in, filename], flags flags[open_flags], mode flags[open_mode]) fd
# Just so that we have something that creates fd_dir resources.
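Review bot: the `:-/sys/power/state` exclusion added to `/sys/kernel/*` can never match anything that include pattern produces, because /sys/power/state is not under /sys/kernel/, so this variant exercises the `:-` syntax parsing but not the removal of a path the glob actually generated; the two patches are therefore expected to behave identically, and if the goal is to tell whether exclusion itself works, the exclude should target something the include covers (for example keep `/sys/**/*` and exclude `/sys/power/*`). The stale "Exclude /sys/power/state" comment line applies to this hunk as well.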
----------

respectively for a few days in order to verify that neither patch causes openat$sysfs to access /sys/power/state ?

Dmitry Vyukov

Jun 25, 2021, 10:13:05 AM
to Tetsuo Handa, syzbot, syzkaller-bugs, Joey Jiao, syzkaller
I think the problem is that syzbot has already accumulated programs
with /sys/power/state in the corpus.
So while the new glob["/sys/kernel/*:-/sys/power/state"] does not list
/sys/power/state, the old programs are not filtered against this new
filter.

The first thing that comes to mind is to filter all existing programs
against the new set of values returned by the glob. Any other ideas?
I will look into how easy it is to implement and where/when exactly it
should happen.
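
The two mechanisms this message and the earlier exclude-glob discussion turn on, a glob spec with `:-` exclusions and re-filtering an already-accumulated corpus against the freshly expanded glob, as an added example in Go. This is not syzkaller's own code: the file listing, the matcher semantics (`*` matches within one path segment, `**` matches zero or more whole segments), the corpus programs and the `openat$sysfs` path extraction are all constructed here for illustration, and the real expansion in pkg/host runs against the target machine's sysfs.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// Constructed sysfs listing for this example; a real /sys has tens of
// thousands of entries and the set depends on kernel config and hardware.
var sampleFiles = []string{
	"/sys/power/state",
	"/sys/power/mem_sleep",
	"/sys/kernel/kexec_loaded",
	"/sys/kernel/mm/transparent_hugepage/enabled",
	"/sys/kernel/debug/sched/features",
	"/sys/class/net/lo/mtu",
}

// Match reports whether p matches pattern segment by segment. "**" matches
// zero or more whole segments; anything else is matched by path.Match against
// a single segment. These are this example's semantics, not syzkaller's.
func Match(pattern, p string) bool {
	return matchSegs(strings.Split(strings.Trim(pattern, "/"), "/"),
		strings.Split(strings.Trim(p, "/"), "/"))
}

func matchSegs(pat, segs []string) bool {
	if len(pat) == 0 {
		return len(segs) == 0
	}
	if pat[0] == "**" {
		for i := 0; i <= len(segs); i++ { // consume 0..len(segs) segments
			if matchSegs(pat[1:], segs[i:]) {
				return true
			}
		}
		return false
	}
	if len(segs) == 0 {
		return false
	}
	if ok, err := path.Match(pat[0], segs[0]); err != nil || !ok {
		return false
	}
	return matchSegs(pat[1:], segs[1:])
}

// Expand applies a spec of the form "include:-exclude1:-exclude2" (the ":-"
// separator quoted in the thread) to files and returns the sorted survivors.
func Expand(spec string, files []string) []string {
	parts := strings.Split(spec, ":-") // parts[0] includes, the rest exclude
	var out []string
	for _, f := range files {
		if !Match(parts[0], f) {
			continue
		}
		keep := true
		for _, e := range parts[1:] {
			if Match(e, f) {
				keep = false
			}
		}
		if keep {
			out = append(out, f)
		}
	}
	sort.Strings(out)
	return out
}

// sysfsPath pulls the quoted path out of an openat$sysfs line of a syz
// program, or returns "" if the line is not such a call (hypothetical format).
func sysfsPath(line string) string {
	if !strings.Contains(line, "openat$sysfs(") {
		return ""
	}
	start, end := strings.Index(line, "'"), strings.LastIndex(line, "'")
	if start < 0 || end <= start {
		return ""
	}
	return strings.TrimSuffix(line[start+1:end], `\x00`)
}

// FilterCorpus drops every program that opens a sysfs path the current glob no
// longer produces, which is what stale corpus entries need after the
// descriptor changes.
func FilterCorpus(programs, allowed []string) []string {
	ok := make(map[string]bool, len(allowed))
	for _, a := range allowed {
		ok[a] = true
	}
	var kept []string
	for _, prog := range programs {
		keep := true
		for _, line := range strings.Split(prog, "\n") {
			if p := sysfsPath(line); p != "" && !ok[p] {
				keep = false
				break
			}
		}
		if keep {
			kept = append(kept, prog)
		}
	}
	return kept
}

// Constructed corpus; the first program mirrors the crash log in the thread.
var sampleCorpus = []string{
	"r0 = openat$sysfs(0xffffff9c, &(0x7f0000000080)='/sys/power/state', 0x2, 0x0)\nsendfile(r0, r0, &(0x7f0000000000)=0x7, 0x3)",
	"r0 = openat$sysfs(0xffffff9c, &(0x7f0000000080)='/sys/class/net/lo/mtu', 0x0, 0x0)",
	"socket$inet_tcp(0x2, 0x1, 0x0)",
}

func main() {
	allowed := Expand("/sys/**/*:-/sys/power/state", sampleFiles)
	fmt.Println("allowed:", allowed)
	fmt.Println("kept:", len(FilterCorpus(sampleCorpus, allowed)), "of", len(sampleCorpus))
}
```

Running it shows the stale first program being dropped once the corpus is checked against the new expansion, which is the step a descriptor-only change skips; it also shows that `/sys/kernel/*:-/sys/power/state` expands to the same set as plain `/sys/kernel/*`, since the exclusion never overlaps the include.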

Tetsuo Handa

Jun 25, 2021, 10:54:57 AM
to Dmitry Vyukov, syzbot, syzkaller-bugs, Joey Jiao, syzkaller
On 2021/06/25 23:12, Dmitry Vyukov wrote:
> I think the problem is that syzbot has already accumulated programs
> with /sys/power/state in the corpus.
> So while the new glob["/sys/kernel/*:-/sys/power/state"] does not list
> /sys/power/state, the old programs are not filtered against this new
> filter.

Oh, that's a pitfall.

>
> The first thing that comes to mind is to filter all existing programs
> against the new set of values returned by the glob. Any other ideas?

No idea, except discarding existing programs.

> I will look into how easy it is to implement and where/when exactly it
> should happen.

Since the result of glob extraction would depend on kernel version/config
and hardware, it might be difficult to apply some filter.

Dmitry Vyukov

Jun 26, 2021, 1:13:29 AM
to Tetsuo Handa, syzbot, syzkaller-bugs, Joey Jiao, syzkaller
I've merged a change that should filter out old stale file names:
https://github.com/google/syzkaller/commit/9d2ab5dfe7727dfea4b9b279f4edf731acb386ef
It should be deployed soon.

Tetsuo Handa

Jun 26, 2021, 8:39:12 AM
to Dmitry Vyukov, syzbot, syzkaller-bugs, Joey Jiao, syzkaller
On 2021/06/26 14:13, Dmitry Vyukov wrote:
> I've merged a change that should filter out old stale file names:
> https://github.com/google/syzkaller/commit/9d2ab5dfe7727dfea4b9b279f4edf731acb386ef
> It should be deployed soon.
>

Working for 7 hours without problems. Thank you.

#syz invalid