BUG: assuming atomic context at kernel/seccomp.c:LINE
29 views
Skip to first unread message
syzbot
Feb 20, 2019, 4:32:04 AM2/20/19
to a...@kernel.org, dan...@iogearbox.net, ka...@fb.com, kees...@chromium.org, linux-...@vger.kernel.org, lu...@amacapital.net, net...@vger.kernel.org, songliu...@fb.com, syzkall...@googlegroups.com, w...@chromium.org, y...@fb.com
Hello,
syzbot found the following crash on:
HEAD commit: abf446c90405 Add linux-next specific files for 20190220
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17f250d8c00000
kernel config: https://syzkaller.appspot.com/x/.config?x=463cb576ac40e350
dashboard link: https://syzkaller.appspot.com/bug?extid=8bf19ee2aa580de7a2a7
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8bf19e...@syzkaller.appspotmail.com
BUG: assuming atomic context at kernel/seccomp.c:271
in_atomic(): 0, irqs_disabled(): 0, pid: 12803, name: syz-executor.5
no locks held by syz-executor.5/12803.
CPU: 1 PID: 12803 Comm: syz-executor.5 Not tainted 5.0.0-rc7-next-20190220
#39
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
__cant_sleep kernel/sched/core.c:6218 [inline]
__cant_sleep.cold+0xa3/0xbb kernel/sched/core.c:6195
seccomp_run_filters kernel/seccomp.c:271 [inline]
__seccomp_filter+0x12b/0x12b0 kernel/seccomp.c:801
__secure_computing+0x101/0x360 kernel/seccomp.c:932
syscall_trace_enter+0x5bf/0xe10 arch/x86/entry/common.c:120
do_syscall_64+0x479/0x610 arch/x86/entry/common.c:280
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45ac8a
Code: 25 18 00 00 00 00 74 01 f0 48 0f b1 3d df ba 5f 00 48 39 c2 75 da f3
c3 0f 1f 84 00 00 00 00 00 48 63 ff b8 e4 00 00 00 0f 05 <48> 3d 00 f0 ff
ff 77 06 f3 c3 0f 1f 40 00 48 c7 c2 d4 ff ff ff f7
RSP: 002b:00007f92ed7b2c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000e4
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ac8a
RDX: 0000000000017230 RSI: 00007f92ed7b2c60 RDI: 0000000000000001
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000004c4cd5 R14: 00000000004d8890 R15: 00000000ffffffff
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot found the following crash on:
HEAD commit: abf446c90405 Add linux-next specific files for 20190220
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17f250d8c00000
kernel config: https://syzkaller.appspot.com/x/.config?x=463cb576ac40e350
dashboard link: https://syzkaller.appspot.com/bug?extid=8bf19ee2aa580de7a2a7
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8bf19e...@syzkaller.appspotmail.com
BUG: assuming atomic context at kernel/seccomp.c:271
in_atomic(): 0, irqs_disabled(): 0, pid: 12803, name: syz-executor.5
no locks held by syz-executor.5/12803.
CPU: 1 PID: 12803 Comm: syz-executor.5 Not tainted 5.0.0-rc7-next-20190220
#39
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
__cant_sleep kernel/sched/core.c:6218 [inline]
__cant_sleep.cold+0xa3/0xbb kernel/sched/core.c:6195
seccomp_run_filters kernel/seccomp.c:271 [inline]
__seccomp_filter+0x12b/0x12b0 kernel/seccomp.c:801
__secure_computing+0x101/0x360 kernel/seccomp.c:932
syscall_trace_enter+0x5bf/0xe10 arch/x86/entry/common.c:120
do_syscall_64+0x479/0x610 arch/x86/entry/common.c:280
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45ac8a
Code: 25 18 00 00 00 00 74 01 f0 48 0f b1 3d df ba 5f 00 48 39 c2 75 da f3
c3 0f 1f 84 00 00 00 00 00 48 63 ff b8 e4 00 00 00 0f 05 <48> 3d 00 f0 ff
ff 77 06 f3 c3 0f 1f 40 00 48 c7 c2 d4 ff ff ff f7
RSP: 002b:00007f92ed7b2c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000e4
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ac8a
RDX: 0000000000017230 RSI: 00007f92ed7b2c60 RDI: 0000000000000001
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000004c4cd5 R14: 00000000004d8890 R15: 00000000ffffffff
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
Daniel Borkmann
Feb 20, 2019, 5:00:29 AM2/20/19
to syzbot, a...@kernel.org, ka...@fb.com, kees...@chromium.org, linux-...@vger.kernel.org, lu...@amacapital.net, net...@vger.kernel.org, songliu...@fb.com, syzkall...@googlegroups.com, w...@chromium.org, y...@fb.com
From d56547070162a105ff666f3324e558fa6492aedd Mon Sep 17 00:00:00 2001
From: Daniel Borkmann <dan...@iogearbox.net>
Date: Wed, 20 Feb 2019 10:51:17 +0100
Subject: [PATCH bpf-next] bpf, seccomp: fix false positive preemption splat for
cbpf->ebpf progs
In 568f196756ad ("bpf: check that BPF programs run with preemption disabled")
a check was added for BPF_PROG_RUN() that for every invocation preemption is
disabled to not break eBPF assumptions (e.g. per-cpu map). Of course this does
not count for seccomp because only cBPF -> eBPF is loaded here and it does not
make use of any functionality that would require this assertion. Fix this false
positive by adding and using __BPF_PROG_RUN() variant that does not have the
cant_sleep(); check.
Fixes: 568f196756ad ("bpf: check that BPF programs run with preemption disabled")
Reported-by: syzbot+8bf19e...@syzkaller.appspotmail.com
Signed-off-by: Daniel Borkmann <dan...@iogearbox.net>
---
include/linux/filter.h | 9 ++++++++-
kernel/seccomp.c | 2 +-
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/include/linux/filter.h b/include/linux/filter.h
index f32b3ec..2f3e29a 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -533,7 +533,14 @@ struct sk_filter {
struct bpf_prog *prog;
};
-#define BPF_PROG_RUN(filter, ctx) ({ cant_sleep(); (*(filter)->bpf_func)(ctx, (filter)->insnsi); })
+#define bpf_prog_run__non_preempt(prog, ctx) \
+ ({ cant_sleep(); __BPF_PROG_RUN(prog, ctx); })
+/* Native eBPF or cBPF -> eBPF transitions. Preemption must be disabled. */
+#define BPF_PROG_RUN(prog, ctx) \
+ bpf_prog_run__non_preempt(prog, ctx)
+/* cBPF -> eBPF only, but not for native eBPF. */
+#define __BPF_PROG_RUN(prog, ctx) \
+ (*(prog)->bpf_func)(ctx, (prog)->insnsi)
#define BPF_SKB_CB_LEN QDISC_CB_PRIV_LEN
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index e815781..826d4e4 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -268,7 +268,7 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd,
* value always takes priority (ignoring the DATA).
*/
for (; f; f = f->prev) {
- u32 cur_ret = BPF_PROG_RUN(f->prog, sd);
+ u32 cur_ret = __BPF_PROG_RUN(f->prog, sd);
if (ACTION_ONLY(cur_ret) < ACTION_ONLY(ret)) {
ret = cur_ret;
--
2.9.5
syzbot
Feb 20, 2019, 7:33:04 AM2/20/19
to a...@kernel.org, dan...@iogearbox.net, ka...@fb.com, kees...@chromium.org, linux-...@vger.kernel.org, lu...@amacapital.net, net...@vger.kernel.org, songliu...@fb.com, syzkall...@googlegroups.com, w...@chromium.org, y...@fb.com
syzbot has found a reproducer for the following crash on:
HEAD commit: abf446c90405 Add linux-next specific files for 20190220
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=101e7fb0c00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12a1007cc00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8bf19e...@syzkaller.appspotmail.com
BUG: assuming atomic context at kernel/seccomp.c:271
in_atomic(): 0, irqs_disabled(): 0, pid: 7853, name: syz-executor140
no locks held by syz-executor140/7853.
CPU: 1 PID: 7853 Comm: syz-executor140 Not tainted 5.0.0-rc7-next-20190220
Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0
0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff
ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
RSP: 002b:00007ffc2d0b2f48 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ec58
RDX: 0000000000000000 RSI: 0000000
HEAD commit: abf446c90405 Add linux-next specific files for 20190220
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=463cb576ac40e350
dashboard link: https://syzkaller.appspot.com/bug?extid=8bf19ee2aa580de7a2a7
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11a52778c00000
dashboard link: https://syzkaller.appspot.com/bug?extid=8bf19ee2aa580de7a2a7
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12a1007cc00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8bf19e...@syzkaller.appspotmail.com
BUG: assuming atomic context at kernel/seccomp.c:271
no locks held by syz-executor140/7853.
CPU: 1 PID: 7853 Comm: syz-executor140 Not tainted 5.0.0-rc7-next-20190220
#39
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
__cant_sleep kernel/sched/core.c:6218 [inline]
__cant_sleep.cold+0xa3/0xbb kernel/sched/core.c:6195
seccomp_run_filters kernel/seccomp.c:271 [inline]
__seccomp_filter+0x12b/0x12b0 kernel/seccomp.c:801
__secure_computing+0x101/0x360 kernel/seccomp.c:932
syscall_trace_enter+0x5bf/0xe10 arch/x86/entry/common.c:120
do_syscall_64+0x479/0x610 arch/x86/entry/common.c:280
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43ec58
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
__cant_sleep kernel/sched/core.c:6218 [inline]
__cant_sleep.cold+0xa3/0xbb kernel/sched/core.c:6195
seccomp_run_filters kernel/seccomp.c:271 [inline]
__seccomp_filter+0x12b/0x12b0 kernel/seccomp.c:801
__secure_computing+0x101/0x360 kernel/seccomp.c:932
syscall_trace_enter+0x5bf/0xe10 arch/x86/entry/common.c:120
do_syscall_64+0x479/0x610 arch/x86/entry/common.c:280
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0
0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff
ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
RSP: 002b:00007ffc2d0b2f48 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ec58
RDX: 0000000000000000 RSI: 0000000
Kees Cook
Feb 20, 2019, 1:23:24 PM2/20/19
to Daniel Borkmann, syzbot, Alexei Starovoitov, ka...@fb.com, LKML, Andy Lutomirski, Network Development, Song Liu, syzkaller-bugs, Will Drewry, Yonghong Song
Reply all
Reply to author
Forward
0 new messages