BUG: unable to handle kernel paging request in bpf_int_jit_compile


syzbot

Jun 24, 2018, 12:09:03 AM
to a...@kernel.org, dan...@iogearbox.net, da...@davemloft.net, h...@zytor.com, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, mi...@redhat.com, net...@vger.kernel.org, syzkall...@googlegroups.com, tg...@linutronix.de, x...@kernel.org, yosh...@linux-ipv6.org
Hello,

syzbot found the following crash on:

HEAD commit: 5e2204832b20 Merge tag 'powerpc-4.18-2' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=148b5a90400000
kernel config: https://syzkaller.appspot.com/x/.config?x=befbcd7305e41bb0
dashboard link: https://syzkaller.appspot.com/bug?extid=a4eb8c7766952a1ca872
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=10ee22d4400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a4eb8c...@syzkaller.appspotmail.com

BUG: unable to handle kernel paging request at ffffffffa0008002
PGD 8e6d067 P4D 8e6d067 PUD 8e6e063 PMD 1b4528067 PTE 1d433d161
Oops: 0003 [#1] SMP KASAN
CPU: 1 PID: 4811 Comm: syz-executor0 Not tainted 4.18.0-rc1+ #114
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_jit_binary_lock_ro include/linux/filter.h:703 [inline]
RIP: 0010:bpf_int_jit_compile+0xc36/0xf30 arch/x86/net/bpf_jit_comp.c:1168
Call Trace:
bpf_prog_select_runtime+0x7db/0xa60 kernel/bpf/core.c:1505
bpf_prog_load+0x1194/0x1c60 kernel/bpf/syscall.c:1356
__do_sys_bpf kernel/bpf/syscall.c:2360 [inline]
__se_sys_bpf kernel/bpf/syscall.c:2322 [inline]
__x64_sys_bpf+0x36c/0x510 kernel/bpf/syscall.c:2322
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
CR2: ffffffffa0008002
---[ end trace fa548fc30dca8c15 ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

Thomas Gleixner

Jun 24, 2018, 3:09:37 AM
to syzbot, a...@kernel.org, dan...@iogearbox.net, David Miller, H. Peter Anvin, kuz...@ms2.inr.ac.ru, LKML, mi...@redhat.com, net...@vger.kernel.org, syzkall...@googlegroups.com, x...@kernel.org, yosh...@linux-ipv6.org, Peter Zijlstra
On Sat, 23 Jun 2018, syzbot wrote:
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a4eb8c...@syzkaller.appspotmail.com
>
> RAX: ffffffffffffffda RBX: 0000000001429914 RCX: 0000000000455a99
> RDX: 0000000000000048 RSI: 0000000020000240 RDI: 0000000000000005
> RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005
> R13: 00000000004bb7d5 R14: 00000000004c8508 R15: 0000000000000023
> BUG: unable to handle kernel paging request at ffffffffa0008002
> PGD 8e6d067 P4D 8e6d067 PUD 8e6e063 PMD 1b4528067 PTE 1d433d161
> Oops: 0003 [#1] SMP KASAN
> CPU: 1 PID: 4811 Comm: syz-executor0 Not tainted 4.18.0-rc1+ #114
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
> 01/01/2011
> RIP: 0010:bpf_jit_binary_lock_ro include/linux/filter.h:703 [inline]
> RIP: 0010:bpf_int_jit_compile+0xc36/0xf30 arch/x86/net/bpf_jit_comp.c:1168

static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr)
{
        WARN_ON_ONCE(set_memory_ro((unsigned long)hdr, hdr->pages));
}

Qualitee. set_memory_ro() has legitimate reasons to fail, but sure it does
not most of the time.

So instead of implementing proper error handling, this adds complete bogus
wrappers. Hell, set_memory_*() have stub functions which return 0 for the
CONFIG_ARCH_HAS_SET_MEMORY=n case.

The unlock function is even more hilarious:

static inline void bpf_prog_unlock_ro(struct bpf_prog *fp)
{
        if (fp->locked) {
                WARN_ON_ONCE(set_memory_rw((unsigned long)fp, fp->pages));
                /* In case set_memory_rw() fails, we want to be the first
                 * to crash here instead of some random place later on.
                 */
                fp->locked = 0;
        }
}

Great approach for a facility, which deals with untrusted user space
stuff. Yeah. I know. The BPF mantra is: "Performance first"

I'm really tempted to make the BPF config switch depend on BROKEN.

Thanks,

tglx
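
As an added illustration of the point Thomas makes above (this is not code from the thread or from the kernel): a user-space model of the JIT image lock, where mprotect() stands in for set_memory_ro(), a flag stands in for the failslab fault injection visible in the later syzbot reports, and the names jit_header, jit_alloc, jit_load and image_is_writable are assumptions for illustration. It contrasts the void wrapper that discards the error with a load path that rejects the program when the lock fails, and probes from a forked child whether the image really ended up read-only.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Header and image share one mapping, like the kernel's bpf_binary_header. */
struct jit_header {
	size_t len;               /* whole mapping, page-aligned */
	unsigned char image[];
};

/* Stand-in for the failslab fault injection in the syzbot reports: when set,
 * the next set_ro() fails with -ENOMEM without touching the mapping. */
static int inject_set_ro_failure;

/* mprotect() stands in for set_memory_ro(); like it, the call can fail. */
static int set_ro(struct jit_header *hdr)
{
	if (inject_set_ro_failure) {
		inject_set_ro_failure = 0;
		return -ENOMEM;
	}
	return mprotect(hdr, hdr->len, PROT_READ) ? -errno : 0;
}

static struct jit_header *jit_alloc(size_t image_len)
{
	size_t ps = (size_t)sysconf(_SC_PAGESIZE);
	size_t len = (sizeof(struct jit_header) + image_len + ps - 1) / ps * ps;
	struct jit_header *hdr = mmap(NULL, len, PROT_READ | PROT_WRITE,
				      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (hdr == MAP_FAILED)
		return NULL;
	hdr->len = len;
	return hdr;
}

/* The pattern criticised in the thread: the wrapper discards the error, so
 * the caller proceeds with an image that may still be writable. */
static void lock_ro_ignoring_error(struct jit_header *hdr)
{
	(void)set_ro(hdr);   /* kernel version: WARN_ON_ONCE(set_memory_ro(...)) */
}

/* Fail-closed version: a program whose image cannot be locked is unmapped
 * (munmap() works whatever protection the range ended up with) and the error
 * is returned, so the caller rejects the program instead of running it. */
static int jit_load(const unsigned char *code, size_t len, struct jit_header **out)
{
	struct jit_header *hdr = jit_alloc(len);
	if (!hdr)
		return -ENOMEM;
	memcpy(hdr->image, code, len);
	int ret = set_ro(hdr);
	if (ret) {
		munmap(hdr, hdr->len);
		return ret;
	}
	*out = hdr;
	return 0;
}

/* Probe from a forked child: 1 if a write to the image succeeds, 0 if the
 * child dies with SIGSEGV (the mapping is read-only), -1 on fork/wait error. */
static int image_is_writable(struct jit_header *hdr)
{
	int status = 0;
	pid_t pid = fork();
	if (pid == 0) {
		*(volatile unsigned char *)hdr->image = 0xff;
		_exit(0);
	}
	if (pid < 0 || waitpid(pid, &status, 0) < 0)
		return -1;
	return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Fail-closed path: returns the load error (-ENOMEM under injection), 1 if a
 * successfully locked image is still writable, or 0 when all is well. */
static int demo_fail_closed(int inject_failure)
{
	static const unsigned char code[] = { 0x31, 0xc0, 0xc3 }; /* constructed */
	struct jit_header *hdr = NULL;
	inject_set_ro_failure = inject_failure;
	int ret = jit_load(code, sizeof code, &hdr);
	if (ret)
		return ret;
	ret = image_is_writable(hdr) ? 1 : 0;
	munmap(hdr, hdr->len);
	return ret;
}

/* Legacy path under injected failure: returns 1 when the "locked" image is in
 * fact still writable, which the caller has no way to learn. */
static int demo_legacy_still_writable(void)
{
	struct jit_header *hdr = jit_alloc(16);
	if (!hdr)
		return -1;
	inject_set_ro_failure = 1;
	lock_ro_ignoring_error(hdr);
	int writable = image_is_writable(hdr);
	munmap(hdr, hdr->len);
	return writable;
}
```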

David Miller

Jun 24, 2018, 3:17:28 AM
to tg...@linutronix.de, syzbot+a4eb8c...@syzkaller.appspotmail.com, a...@kernel.org, dan...@iogearbox.net, h...@zytor.com, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, mi...@redhat.com, net...@vger.kernel.org, syzkall...@googlegroups.com, x...@kernel.org, yosh...@linux-ipv6.org, pet...@infradead.org
From: Thomas Gleixner <tg...@linutronix.de>
Date: Sun, 24 Jun 2018 09:09:09 +0200 (CEST)

> I'm really tempted to make the BPF config switch depend on BROKEN.

This really isn't necessary, Thomas.

Whoever wrote the code didn't understand that set ro can legitimately
fail.

So let's correct that instead of flaming a feature.

Thank you.

Ingo Molnar

Jun 24, 2018, 6:02:54 AM
to David Miller, tg...@linutronix.de, syzbot+a4eb8c...@syzkaller.appspotmail.com, a...@kernel.org, dan...@iogearbox.net, h...@zytor.com, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, mi...@redhat.com, net...@vger.kernel.org, syzkall...@googlegroups.com, x...@kernel.org, yosh...@linux-ipv6.org, pet...@infradead.org

* David Miller <da...@davemloft.net> wrote:

> From: Thomas Gleixner <tg...@linutronix.de>
> Date: Sun, 24 Jun 2018 09:09:09 +0200 (CEST)
>
> > I'm really tempted to make the BPF config switch depend on BROKEN.
>
> This really isn't necessary Thomas.
>
> Whoever wrote the code didn't understand that set ro can legitimately
> fail.

No, that's *NOT* the only thing that happened, according to the Git history.

The first use of set_memory_ro() in include/linux/filter.h was added by
this commit almost four years ago:

# 2014/09
60a3b2253c41 ("net: bpf: make eBPF interpreter images read-only")

... and yes, that commit didn't anticipate the (in hindsight) obvious property of
a function that changes global kernel mappings that if it is used after bootup
without locking it 'may fail'. So that commit slipping through is 'shit happens'
and I don't think we ever complained about such things slipping through.

But what happened after that is not so good:

A bit over two years later a crash was found:

    Eric and Willem reported that they recently saw random crashes when
    JIT was in use and bisected this to 74451e66d516 ("bpf: make jited
    programs visible in traces"). Issue was that the consolidation part
    added bpf_jit_binary_unlock_ro() that would unlock previously made
    read-only memory back to read-write.

... but instead of fixing it for real, it was only tinkered with:

# 2017/02
9d876e79df6a ("bpf: fix unlocking of jited image when module ronx not set")

... but the problems persisted:

    Improve bpf_{prog,jit_binary}_{un,}lock_ro() by throwing a
    one-time warning in case of an error when the image couldn't
    be set read-only, and also mark struct bpf_prog as locked when
    bpf_prog_lock_ro() was called.

... so the warnings Thomas complained about here were then added a month later:

# 2017/03
65869a47f348 ("bpf: improve read-only handling")

It 'improved' nothing of the sort, and the warnings and 'debug code' show that
the author was aware that these functions could actually fail. To quote the fine
code, introduced a year ago:

        WARN_ON_ONCE(set_memory_rw((unsigned long)fp, fp->pages));
        /* In case set_memory_rw() fails, we want to be the first
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
         * to crash here instead of some random place later on.
         */
        fp->locked = 0;

... and then, this month, it was tweaked *YET ANOTHER TIME*:

    bpf: reject any prog that failed read-only lock

    We currently lock any JITed image as read-only via bpf_jit_binary_lock_ro()
    as well as the BPF image as read-only through bpf_prog_lock_ro(). In
    the case any of these would fail we throw a WARN_ON_ONCE() in order to
    yell loudly to the log. Perhaps, to some extend, this may be comparable
    to an allocation where __GFP_NOWARN is explicitly not set.

# 2018/06
9facc336876f ("bpf: reject any prog that failed read-only lock")

The tone of uncertainty of the changelog, combined with the unfixed typo in it,
suggests that this commit too was just waved through to upstream without any real
review and without much design thinking behind it.

And yes, this was still not the right fix, as the fuzzer crash reported in this
thread outlines - we'll probably need a 5th commit?

> So let's correct that instead of flaming a feature.

So accusing Thomas of 'flaming a feature' is a really unfair attack in light of
all the details above.

Thanks,

Ingo

syzbot

Jun 25, 2018, 6:05:03 AM
to dan...@iogearbox.net, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
BUG: unable to handle kernel paging request in bpf_int_jit_compile

BUG: unable to handle kernel paging request at ffffffffa0028002
PGD 8e6d067 P4D 8e6d067 PUD 8e6e063 PMD 1c56b7067 PTE 1bb75c161
Oops: 0003 [#1] SMP KASAN
CPU: 1 PID: 6947 Comm: syz-executor6 Not tainted 4.18.0-rc2+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_jit_binary_lock_ro include/linux/filter.h:705 [inline]
RIP: 0010:bpf_int_jit_compile+0xc36/0xf30 arch/x86/net/bpf_jit_comp.c:1168
Call Trace:
bpf_prog_select_runtime+0x7db/0xa60 kernel/bpf/core.c:1505
bpf_prog_load+0x11b3/0x1c90 kernel/bpf/syscall.c:1356
__do_sys_bpf kernel/bpf/syscall.c:2360 [inline]
__se_sys_bpf kernel/bpf/syscall.c:2322 [inline]
__x64_sys_bpf+0x36c/0x510 kernel/bpf/syscall.c:2322
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
CR2: ffffffffa0028002
---[ end trace 42da1956259c1fcc ]---


Tested on:

commit: 6f0d349d922b Merge git://git.kernel.org/pub/scm/linux/kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13a16c88400000
kernel config: https://syzkaller.appspot.com/x/.config?x=a63be0c83e84d370

syzbot

Jun 25, 2018, 7:32:03 AM
to dan...@iogearbox.net, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
WARNING in bpf_int_jit_compile

WARNING: CPU: 1 PID: 6876 at include/linux/filter.h:695
bpf_jit_binary_lock_ro include/linux/filter.h:695 [inline]
WARNING: CPU: 1 PID: 6876 at include/linux/filter.h:695
bpf_int_jit_compile+0xbd4/0xeb2 arch/x86/net/bpf_jit_comp.c:1168
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 6876 Comm: syz-executor2 Not tainted 4.18.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
panic+0x238/0x4e7 kernel/panic.c:184
__warn.cold.8+0x163/0x1ba kernel/panic.c:536
report_bug+0x252/0x2d0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
do_error_trap+0x1fc/0x4d0 arch/x86/kernel/traps.c:296
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:bpf_jit_binary_lock_ro include/linux/filter.h:695 [inline]
RIP: 0010:bpf_int_jit_compile+0xbd4/0xeb2 arch/x86/net/bpf_jit_comp.c:1168
bpf_prog_select_runtime+0x131/0x640 kernel/bpf/core.c:1476
bpf_prog_load+0x1685/0x1ca0 kernel/bpf/syscall.c:1358
__do_sys_bpf kernel/bpf/syscall.c:2362 [inline]
__se_sys_bpf kernel/bpf/syscall.c:2324 [inline]
__x64_sys_bpf+0x36c/0x510 kernel/bpf/syscall.c:2324
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
CPU: 0 PID: 6905 Comm: syz-executor7 Not tainted 4.18.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold.4+0xa/0x1a lib/fault-inject.c:149
__should_failslab+0x124/0x180 mm/failslab.c:32
should_failslab+0x9/0x14 mm/slab_common.c:1553
slab_pre_alloc_hook mm/slab.h:423 [inline]
slab_alloc_node mm/slab.c:3299 [inline]
kmem_cache_alloc_node_trace+0x26f/0x770 mm/slab.c:3661
__do_kmalloc_node mm/slab.c:3681 [inline]
__kmalloc_node+0x33/0x70 mm/slab.c:3689
kmalloc_node include/linux/slab.h:555 [inline]
__vmalloc_area_node mm/vmalloc.c:1673 [inline]
__vmalloc_node_range+0x1ed/0x760 mm/vmalloc.c:1746
kasan_module_alloc+0x65/0xa0 mm/kasan/kasan.c:632
module_alloc+0x8d/0xb0 arch/x86/kernel/module.c:92
bpf_jit_binary_alloc+0x3a/0x100 kernel/bpf/core.c:593
bpf_int_jit_compile+0x488/0xeb2 arch/x86/net/bpf_jit_comp.c:1152
bpf_prog_select_runtime+0x131/0x640 kernel/bpf/core.c:1476
bpf_prog_load+0x1685/0x1ca0 kernel/bpf/syscall.c:1358
__do_sys_bpf kernel/bpf/syscall.c:2362 [inline]
__se_sys_bpf kernel/bpf/syscall.c:2324 [inline]
__x64_sys_bpf+0x36c/0x510 kernel/bpf/syscall.c:2324
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: 2cc8af0103b4 Revert "bpf: reject any prog that failed read..
git tree:
git://git.kernel.org/pub/scm/linux/kernel/git/dborkman/bpf.git/bpf-test
console output: https://syzkaller.appspot.com/x/log.txt?x=14ad771f800000
kernel config: https://syzkaller.appspot.com/x/.config?x=befbcd7305e41bb0

syzbot

Jun 25, 2018, 8:22:03 AM
to dan...@iogearbox.net, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+a4eb8c...@syzkaller.appspotmail.com

Tested on:

commit: e61b016605ba bpf: remove warn
git tree:
git://git.kernel.org/pub/scm/linux/kernel/git/dborkman/bpf.git/bpf-test
kernel config: https://syzkaller.appspot.com/x/.config?x=befbcd7305e41bb0
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

Note: testing is done by a robot and is best-effort only.

syzbot

Jun 25, 2018, 10:44:02 AM
to dan...@iogearbox.net, syzkall...@googlegroups.com

syzbot

Jun 26, 2018, 10:39:03 AM
to dan...@iogearbox.net, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

received bad handshake from VM: ""


Tested on:

commit: 3241c05fab10 debug

syzbot

Jun 26, 2018, 11:09:02 AM
to dan...@iogearbox.net, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
WARNING in bpf_int_jit_compile

BPF area was not writeable!!!!
WARNING: CPU: 1 PID: 6958 at include/linux/filter.h:719
bpf_jit_binary_lock_ro include/linux/filter.h:718 [inline]
WARNING: CPU: 1 PID: 6958 at include/linux/filter.h:719
bpf_int_jit_compile.cold.6+0x131/0x30a arch/x86/net/bpf_jit_comp.c:1168
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 6958 Comm: syz-executor2 Not tainted 4.18.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
panic+0x238/0x4e7 kernel/panic.c:184
__warn.cold.8+0x163/0x1ba kernel/panic.c:536
report_bug+0x252/0x2d0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
do_error_trap+0x1fc/0x4d0 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:bpf_jit_binary_lock_ro include/linux/filter.h:718 [inline]
RIP: 0010:bpf_int_jit_compile.cold.6+0x131/0x30a arch/x86/net/bpf_jit_comp.c:1168
bpf_prog_select_runtime+0x8d6/0xbf0 kernel/bpf/core.c:1505
bpf_prog_load+0x119e/0x1cc0 kernel/bpf/syscall.c:1356
__do_sys_bpf kernel/bpf/syscall.c:2360 [inline]
__se_sys_bpf kernel/bpf/syscall.c:2322 [inline]
__x64_sys_bpf+0x36c/0x510 kernel/bpf/syscall.c:2322
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: 3241c05fab10 debug
git tree:
git://git.kernel.org/pub/scm/linux/kernel/git/dborkman/bpf.git/bpf-test
console output: https://syzkaller.appspot.com/x/log.txt?x=10a8fed4400000

syzbot

Jun 26, 2018, 11:45:02 AM
to dan...@iogearbox.net, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+a4eb8c...@syzkaller.appspotmail.com

Tested on:

commit: d044b1a95d8d debug2
git tree:
git://git.kernel.org/pub/scm/linux/kernel/git/dborkman/bpf.git/bpf-test
kernel config: https://syzkaller.appspot.com/x/.config?x=befbcd7305e41bb0
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

syzbot

Jun 26, 2018, 12:05:03 PM
to dan...@iogearbox.net, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
kernel BUG at include/linux/filter.h:LINE!

BPF area was writeable after setting rw ret:0
BPF ... purposely crashing now.
------------[ cut here ]------------
kernel BUG at include/linux/filter.h:742!
invalid opcode: 0000 [#1] SMP KASAN
CPU: 0 PID: 6928 Comm: syz-executor7 Not tainted 4.18.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:bpf_jit_binary_lock_ro include/linux/filter.h:741 [inline]
RIP: 0010:bpf_int_jit_compile.cold.6+0x1fe/0x37c arch/x86/net/bpf_jit_comp.c:1168
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 6950 Comm: syz-executor6 Not tainted 4.18.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold.4+0xa/0x1a lib/fault-inject.c:149
should_fail_alloc_page mm/page_alloc.c:3057 [inline]
prepare_alloc_pages mm/page_alloc.c:4325 [inline]
__alloc_pages_nodemask+0x36e/0xdb0 mm/page_alloc.c:4363
alloc_pages_current+0x10c/0x210 mm/mempolicy.c:2093
alloc_pages include/linux/gfp.h:492 [inline]
__vmalloc_area_node mm/vmalloc.c:1686 [inline]
__vmalloc_node_range+0x498/0x760 mm/vmalloc.c:1746
kasan_module_alloc+0x65/0xa0 mm/kasan/kasan.c:632
module_alloc+0x8d/0xb0 arch/x86/kernel/module.c:92
bpf_jit_binary_alloc+0x3b/0x140 kernel/bpf/core.c:593
bpf_int_jit_compile+0x49e/0x1030 arch/x86/net/bpf_jit_comp.c:1152
bpf_prog_select_runtime+0x8d9/0xbf0 kernel/bpf/core.c:1505
bpf_prog_load+0x119e/0x1cc0 kernel/bpf/syscall.c:1356
__do_sys_bpf kernel/bpf/syscall.c:2360 [inline]
__se_sys_bpf kernel/bpf/syscall.c:2322 [inline]
__x64_sys_bpf+0x36c/0x510 kernel/bpf/syscall.c:2322
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Call Trace:
bpf_prog_select_runtime+0x8d9/0xbf0 kernel/bpf/core.c:1505
bpf_prog_load+0x119e/0x1cc0 kernel/bpf/syscall.c:1356
__do_sys_bpf kernel/bpf/syscall.c:2360 [inline]
__se_sys_bpf kernel/bpf/syscall.c:2322 [inline]
__x64_sys_bpf+0x36c/0x510 kernel/bpf/syscall.c:2322
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
syz-executor6: vmalloc: allocation failure, allocated 0 of 4096 bytes,
mode:0x6080c0(GFP_KERNEL|__GFP_ZERO), nodemask=(null)
syz-executor6 cpuset=syz6 mems_allowed=0
CPU: 1 PID: 6950 Comm: syz-executor6 Not tainted 4.18.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
warn_alloc.cold.117+0xb7/0x1bd mm/page_alloc.c:3426
__vmalloc_area_node mm/vmalloc.c:1705 [inline]
__vmalloc_node_range+0x527/0x760 mm/vmalloc.c:1746
kasan_module_alloc+0x65/0xa0 mm/kasan/kasan.c:632
module_alloc+0x8d/0xb0 arch/x86/kernel/module.c:92
bpf_jit_binary_alloc+0x3b/0x140 kernel/bpf/core.c:593
bpf_int_jit_compile+0x49e/0x1030 arch/x86/net/bpf_jit_comp.c:1152
bpf_prog_select_runtime+0x8d9/0xbf0 kernel/bpf/core.c:1505
bpf_prog_load+0x119e/0x1cc0 kernel/bpf/syscall.c:1356
__do_sys_bpf kernel/bpf/syscall.c:2360 [inline]
__se_sys_bpf kernel/bpf/syscall.c:2322 [inline]
__x64_sys_bpf+0x36c/0x510 kernel/bpf/syscall.c:2322
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace 8cd718223df1dec3 ]---
mapped:8193 shmem:345 pagetables:465 bounce:0
free:1454075 free_pcp:441 free_cma:0
c0 01
Node 0 active_anon:31740kB inactive_anon:1336kB active_file:24832kB
inactive_file:66696kB unevictable:0kB isolated(anon):0kB isolated(file):0kB
mapped:32772kB dirty:25656kB writeback:0kB shmem:1380kB shmem_thp: 0kB
shmem_pmdmapped: 0kB anon_thp: 16384kB writeback_tmp:0kB unstable:0kB
all_unreclaimable? no
38 d0
Node 0
7c 08
DMA free:15908kB min:164kB low:204kB high:244kB active_anon:0kB
inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB
writepending:0kB present:15992kB managed:15908kB mlocked:0kB
kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB
free_cma:0kB
84 d2
lowmem_reserve[]:
0f 85
0
58 01
2827
00 00
6331
48 8b
6331
85 c0
fe ff
Node 0
ff 48 c7
DMA32 free:2898232kB min:30100kB low:37624kB high:45148kB active_anon:0kB
inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB
writepending:0kB present:3129292kB managed:2898916kB mlocked:0kB
kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:684kB local_pcp:620kB
free_cma:0kB
c7 60
lowmem_reserve[]:
9b e8
0
87 66
0 3504 3504
Node 0
c7 40
Normal free:2902160kB min:37316kB low:46644kB high:55972kB
active_anon:31740kB inactive_anon:1336kB active_file:24832kB
inactive_file:66696kB unevictable:0kB writepending:25656kB
present:4718592kB managed:3589008kB mlocked:0kB kernel_stack:5280kB
pagetables:1860kB bounce:0kB free_pcp:1080kB local_pcp:464kB free_cma:0kB
02 00
lowmem_reserve[]:
00 e8
0
c2 f0
0
1c
0
00 <0f>
0
0b 4c
Node 0
89 95
DMA:
a0 fe
1*4kB
ff ff
(U)
41 83
0*8kB
c7 01
0*16kB
e8 0c
1*32kB
fc 35
(U)
00 48
2*64kB
8b 85
(U)
f0
1*128kB
RSP: 0018:ffff8801aff578e8 EFLAGS: 00010282
(U)
RAX: 000000000000001f RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81631ae1 RDI: 0000000000000001
1*256kB
RBP: ffff8801aff57a50 R08: ffff8801d8ca60c0 R09: ffffed003b5c3ec2
R10: ffffed003b5c3ec2 R11: ffff8801dae1f617 R12: ffffc900019a4004
(U)
R13: ffff8801aff57a28 R14: ffffffffa0008002 R15: ffff8801aff57968
FS: 00007f5012f8e700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
0*512kB
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f50675a0000 CR3: 00000001d3d70000 CR4: 00000000001406f0
1*1024kB
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
(U)
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 5d1a22263c89 debug2
git tree:
git://git.kernel.org/pub/scm/linux/kernel/git/dborkman/bpf.git/bpf-test
console output: https://syzkaller.appspot.com/x/log.txt?x=11e20cb0400000

syzbot

Jun 26, 2018, 3:16:03 PM
to dan...@iogearbox.net, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
kernel BUG at include/linux/filter.h:LINE!

BPF area was writeable after setting rw ret:0
BPF ... purposely crashing now.
------------[ cut here ]------------
kernel BUG at include/linux/filter.h:751!
invalid opcode: 0000 [#1] SMP KASAN
CPU: 0 PID: 6910 Comm: syz-executor4 Not tainted 4.18.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:bpf_jit_binary_lock_ro include/linux/filter.h:750 [inline]
RIP: 0010:bpf_int_jit_compile.cold.6+0xda/0x36e arch/x86/net/bpf_jit_comp.c:1168
Code: 4c 89 f0 83 e0 07 83 c0 01 38 d0 7c 04 84 d2 75 5b 48 8b 85 c0 fe ff ff 48 c7 c7 20 9c e8 87 66 c7 40 02 00 00 e8 d8 f1 1c 00 <0f> 0b e8 2d fd 35 00 44 89 e2 89 de 48 c7 c7 40 99 e8 87 e8 c0 f1
RSP: 0018:ffff8801af0d78e0 EFLAGS: 00010286
RAX: 000000000000001f RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81631c21 RDI: ffff8801af0d75d8
RBP: ffff8801af0d7a50 R08: ffff8801d74ac0c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90001964004
R13: ffff8801af0d7a28 R14: ffffffffa0010002 R15: ffff8801af0d7968
FS: 00007f06f1545700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c029 CR3: 00000001d8b76000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 bpf_prog_select_runtime+0x8d4/0xc30 kernel/bpf/core.c:1505
 bpf_prog_load+0x119e/0x1cc0 kernel/bpf/syscall.c:1356
 __do_sys_bpf kernel/bpf/syscall.c:2360 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2322 [inline]
 __x64_sys_bpf+0x36c/0x510 kernel/bpf/syscall.c:2322
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a99
Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f06f1544c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f06f15456d4 RCX: 0000000000455a99
RDX: 0000000000000048 RSI: 0000000020000240 RDI: 0000000000000005
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005
R13: 00000000004bb7d5 R14: 00000000004c8508 R15: 0000000000000023
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace d6510978548e0c8d ]---
RIP: 0010:bpf_jit_binary_lock_ro include/linux/filter.h:750 [inline]
RIP: 0010:bpf_int_jit_compile.cold.6+0xda/0x36e arch/x86/net/bpf_jit_comp.c:1168
Code: 4c 89 f0 83 e0 07 83 c0 01 38 d0 7c 04 84 d2 75 5b 48 8b 85 c0 fe ff ff 48 c7 c7 20 9c e8 87 66 c7 40 02 00 00 e8 d8 f1 1c 00 <0f> 0b e8 2d fd 35 00 44 89 e2 89 de 48 c7 c7 40 99 e8 87 e8 c0 f1
RSP: 0018:ffff8801af0d78e0 EFLAGS: 00010286
RAX: 000000000000001f RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81631c21 RDI: ffff8801af0d75d8
RBP: ffff8801af0d7a50 R08: ffff8801d74ac0c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90001964004
R13: ffff8801af0d7a28 R14: ffffffffa0010002 R15: ffff8801af0d7968
FS: 00007f06f1545700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c029 CR3: 00000001d8b76000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Node 0 DMA32 free:2898228kB min:30100kB low:37624kB high:45148kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129292kB managed:2898912kB mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:684kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 0 3504 3504
Node 0 Normal free:2908760kB min:37316kB low:46644kB high:55972kB active_anon:19580kB inactive_anon:1336kB active_file:24820kB inactive_file:66616kB unevictable:0kB writepending:25528kB present:4718592kB managed:3589008kB mlocked:0kB kernel_stack:4992kB pagetables:1580kB bounce:0kB free_pcp:1028kB local_pcp:332kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
Node 0 DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB
Node 0 DMA32: 3*4kB (M) 5*8kB (M) 4*16kB (M) 4*32kB (M) 1*64kB (M) 2*128kB (M) 1*256kB (M) 3*512kB (M) 4*1024kB (M) 2*2048kB (M) 705*4096kB (M) = 2898228kB
Node 0 Normal: 1174*4kB (UME) 1275*8kB (UME) 3094*16kB (UME) 1629*32kB (UME) 58*64kB (UME) 11*128kB (UME) 13*256kB (UME) 117*512kB (UM) 54*1024kB (UME) 5*2048kB (UME) 649*4096kB (M) = 2908720kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB


Tested on:

commit: dc6a0209f099 debug2
git tree:
git://git.kernel.org/pub/scm/linux/kernel/git/dborkman/bpf.git/bpf-test
console output: https://syzkaller.appspot.com/x/log.txt?x=14ec85d4400000

syzbot

Jun 26, 2018, 3:52:02 PM
to dan...@iogearbox.net, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
kernel BUG at include/linux/filter.h:LINE!

BPF area was writeable after setting rw ret:0
BPF ... purposely crashing now.
------------[ cut here ]------------
kernel BUG at include/linux/filter.h:751!
invalid opcode: 0000 [#1] SMP KASAN
CPU: 0 PID: 6994 Comm: syz-executor4 Not tainted 4.18.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:bpf_jit_binary_lock_ro include/linux/filter.h:750 [inline]
RIP: 0010:bpf_int_jit_compile.cold.6+0xda/0x36e arch/x86/net/bpf_jit_comp.c:1168
Code: 4c 89 f0 83 e0 07 83 c0 01 38 d0 7c 04 84 d2 75 5b 48 8b 85 c0 fe ff ff 48 c7 c7 a0 9e e8 87 66 c7 40 02 00 00 e8 d8 f1 1c 00 <0f> 0b e8 2d fd 35 00 44 89 e2 89 de 48 c7 c7 c0 9b e8 87 e8 c0 f1
RSP: 0018:ffff8801d8a378e0 EFLAGS: 00010286
RAX: 000000000000001f RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81631d61 RDI: ffff8801d8a375d8
RBP: ffff8801d8a37a50 R08: ffff8801d7da6040 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffc9000193a004
R13: ffff8801d8a37a28 R14: ffffffffa0018002 R15: ffff8801d8a37968
FS: 00007f68ef7e3700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffa0018002 CR3: 00000001d9bb0000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 bpf_prog_select_runtime+0x8d4/0xc30 kernel/bpf/core.c:1505
 bpf_prog_load+0x119e/0x1cc0 kernel/bpf/syscall.c:1356
 __do_sys_bpf kernel/bpf/syscall.c:2360 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2322 [inline]
 __x64_sys_bpf+0x36c/0x510 kernel/bpf/syscall.c:2322
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a99
Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f68ef7e2c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f68ef7e36d4 RCX: 0000000000455a99
RDX: 0000000000000048 RSI: 0000000020000240 RDI: 0000000000000005
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005
R13: 00000000004bb7d5 R14: 00000000004c8508 R15: 0000000000000023
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace df6b2ca3619d10b3 ]---
RIP: 0010:bpf_jit_binary_lock_ro include/linux/filter.h:750 [inline]
RIP: 0010:bpf_int_jit_compile.cold.6+0xda/0x36e arch/x86/net/bpf_jit_comp.c:1168
Code: 4c 89 f0 83 e0 07 83 c0 01 38 d0 7c 04 84 d2 75 5b 48 8b 85 c0 fe ff ff 48 c7 c7 a0 9e e8 87 66 c7 40 02 00 00 e8 d8 f1 1c 00 <0f> 0b e8 2d fd 35 00 44 89 e2 89 de 48 c7 c7 c0 9b e8 87 e8 c0 f1
RSP: 0018:ffff8801d8a378e0 EFLAGS: 00010286
RAX: 000000000000001f RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81631d61 RDI: ffff8801d8a375d8
RBP: ffff8801d8a37a50 R08: ffff8801d7da6040 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffc9000193a004
R13: ffff8801d8a37a28 R14: ffffffffa0018002 R15: ffff8801d8a37968
FS: 00007f68ef7e3700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffa0018002 CR3: 00000001d9bb0000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
2*128kB (M) 1*256kB (M) 3*512kB (M) 4*1024kB (M) 2*2048kB (M) 705*4096kB (M) = 2898228kB
Node 0 Normal: 802*4kB (UME) 920*8kB (UME) 3088*16kB (UME) 1686*32kB (UME) 84*64kB (UME) 11*128kB (UME) 2*256kB (UE) 115*512kB (ME) 55*1024kB (UME) 11*2048kB (ME) 646*4096kB (M) = 2904968kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
23269 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap = 0kB
Total swap = 0kB
1965969 pages RAM
0 pages HighMem/MovableOnly
340012 pages reserved
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 7012 Comm: syz-executor7 Tainted: G D 4.18.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold.4+0xa/0x1a lib/fault-inject.c:149
 should_fail_alloc_page mm/page_alloc.c:3057 [inline]
 prepare_alloc_pages mm/page_alloc.c:4325 [inline]
 __alloc_pages_nodemask+0x36e/0xdb0 mm/page_alloc.c:4363
 alloc_pages_current+0x10c/0x210 mm/mempolicy.c:2093
 alloc_pages include/linux/gfp.h:492 [inline]
 __vmalloc_area_node mm/vmalloc.c:1686 [inline]
 __vmalloc_node_range+0x498/0x760 mm/vmalloc.c:1746
 kasan_module_alloc+0x65/0xa0 mm/kasan/kasan.c:632
 module_alloc+0x8d/0xb0 arch/x86/kernel/module.c:92
 bpf_jit_binary_alloc+0x3b/0x140 kernel/bpf/core.c:593
 bpf_int_jit_compile+0x49e/0x117e arch/x86/net/bpf_jit_comp.c:1152
 bpf_prog_select_runtime+0x8d4/0xc30 kernel/bpf/core.c:1505
 bpf_prog_load+0x119e/0x1cc0 kernel/bpf/syscall.c:1356
 __do_sys_bpf kernel/bpf/syscall.c:2360 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2322 [inline]
 __x64_sys_bpf+0x36c/0x510 kernel/bpf/syscall.c:2322
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a99
Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fdf2b2e8c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fdf2b2e96d4 RCX: 0000000000455a99
RDX: 0000000000000048 RSI: 0000000020000240 RDI: 0000000000000005
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005
R13: 00000000004bb7d5 R14: 00000000004c8508 R15: 0000000000000023
syz-executor7: vmalloc: allocation failure, allocated 0 of 4096 bytes, mode:0x6080c0(GFP_KERNEL|__GFP_ZERO), nodemask=(null)
syz-executor7 cpuset=syz7 mems_allowed=0
CPU: 1 PID: 7012 Comm: syz-executor7 Tainted: G D 4.18.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 warn_alloc.cold.117+0xb7/0x1bd mm/page_alloc.c:3426
 __vmalloc_area_node mm/vmalloc.c:1705 [inline]
 __vmalloc_node_range+0x527/0x760 mm/vmalloc.c:1746
 kasan_module_alloc+0x65/0xa0 mm/kasan/kasan.c:632
 module_alloc+0x8d/0xb0 arch/x86/kernel/module.c:92
 bpf_jit_binary_alloc+0x3b/0x140 kernel/bpf/core.c:593
 bpf_int_jit_compile+0x49e/0x117e arch/x86/net/bpf_jit_comp.c:1152
 bpf_prog_select_runtime+0x8d4/0xc30 kernel/bpf/core.c:1505
 bpf_prog_load+0x119e/0x1cc0 kernel/bpf/syscall.c:1356
 __do_sys_bpf kernel/bpf/syscall.c:2360 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2322 [inline]
 __x64_sys_bpf+0x36c/0x510 kernel/bpf/syscall.c:2322
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a99
Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d


Tested on:

commit: 6420b646e604 debug2
git tree:
git://git.kernel.org/pub/scm/linux/kernel/git/dborkman/bpf.git/bpf-test
console output: https://syzkaller.appspot.com/x/log.txt?x=158d30df800000

syzbot

Jun 26, 2018, 5:30:02 PM
to dan...@iogearbox.net, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
kernel BUG at include/linux/filter.h:LINE!

BPF area was writeable after setting rw ret:0
BPF ... purposely crashing now.
------------[ cut here ]------------
kernel BUG at include/linux/filter.h:751!
invalid opcode: 0000 [#1] SMP KASAN
CPU: 0 PID: 6940 Comm: syz-executor1 Not tainted 4.18.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:bpf_jit_binary_lock_ro include/linux/filter.h:750 [inline]
RIP: 0010:bpf_int_jit_compile.cold.6+0xda/0x36e arch/x86/net/bpf_jit_comp.c:1168
Code: 4c 89 f0 83 e0 07 83 c0 01 38 d0 7c 04 84 d2 75 5b 48 8b 85 c0 fe ff ff 48 c7 c7 20 a0 e8 87 66 c7 40 02 00 00 e8 d8 f1 1c 00 <0f> 0b e8 2d fd 35 00 44 89 e2 89 de 48 c7 c7 40 9d e8 87 e8 c0 f1
RSP: 0018:ffff8801abc778e0 EFLAGS: 00010286
RAX: 000000000000001f RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81631ee1 RDI: 0000000000000001
RBP: ffff8801abc77a50 R08: ffff8801d863c0c0 R09: ffffed003b5c3ec2
R10: ffffed003b5c3ec2 R11: ffff8801dae1f617 R12: ffffc90001958004
R13: ffff8801abc77a28 R14: ffffffffa0010002 R15: ffff8801abc77968
FS: 00007fbbc6084700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c029 CR3: 00000001d7f0b000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 bpf_prog_select_runtime+0x8d4/0xc30 kernel/bpf/core.c:1505
 bpf_prog_load+0x119e/0x1cc0 kernel/bpf/syscall.c:1356
 __do_sys_bpf kernel/bpf/syscall.c:2360 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2322 [inline]
 __x64_sys_bpf+0x36c/0x510 kernel/bpf/syscall.c:2322
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a99
Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fbbc6083c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fbbc60846d4 RCX: 0000000000455a99
RDX: 0000000000000048 RSI: 0000000020000240 RDI: 0000000000000005
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005
R13: 00000000004bb7d5 R14: 00000000004c8508 R15: 0000000000000023
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace d0f0d7bf1e573878 ]---
RIP: 0010:bpf_jit_binary_lock_ro include/linux/filter.h:750 [inline]
RIP: 0010:bpf_int_jit_compile.cold.6+0xda/0x36e arch/x86/net/bpf_jit_comp.c:1168
Code: 4c 89 f0 83 e0 07 83 c0 01 38 d0 7c 04 84 d2 75 5b 48 8b 85 c0 fe ff ff 48 c7 c7 20 a0 e8 87 66 c7 40 02 00 00 e8 d8 f1 1c 00 <0f> 0b e8 2d fd 35 00 44 89 e2 89 de 48 c7 c7 40 9d e8 87 e8 c0 f1
RSP: 0018:ffff8801abc778e0 EFLAGS: 00010286
RAX: 000000000000001f RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81631ee1 RDI: 0000000000000001
RBP: ffff8801abc77a50 R08: ffff8801d863c0c0 R09: ffffed003b5c3ec2
R10: ffffed003b5c3ec2 R11: ffff8801dae1f617 R12: ffffc90001958004
R13: ffff8801abc77a28 R14: ffffffffa0010002 R15: ffff8801abc77968
FS: 00007fbbc6084700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000072c029 CR3: 00000001d7f0b000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
XXX __change_page_attr return with -12 numpages 1
XXX cpa_process_alias:1355 return with -12
XXX cpa_process_alias return with -12 numpages 1
XXX error __change_page_attr_set_clr ret:-12 flush:1
XXX probing area (# pages: 1): 18446744072099037184 - 18446744072099041280
XXX probing sub-area: 18446744072099037184 - 18446744072099041280: ret:-14
BPF area was not writeable!!!! ret:-14
BPF area was writeable after setting rw ret:0
BPF ... purposely crashing now.
------------[ cut here ]------------
kernel BUG at include/linux/filter.h:751!
invalid opcode: 0000 [#2] SMP KASAN
CPU: 1 PID: 6951 Comm: syz-executor7 Tainted: G D 4.18.0-rc1+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:bpf_jit_binary_lock_ro include/linux/filter.h:750 [inline]
RIP: 0010:bpf_int_jit_compile.cold.6+0xda/0x36e arch/x86/net/bpf_jit_comp.c:1168
Code: 4c 89 f0 83 e0 07 83 c0 01 38 d0 7c 04 84 d2 75


Tested on:

commit: 7d4e940d07bc debug2
git tree:
git://git.kernel.org/pub/scm/linux/kernel/git/dborkman/bpf.git/bpf-test
console output: https://syzkaller.appspot.com/x/log.txt?x=124bca88400000

Daniel Borkmann

Jun 26, 2018, 6:54:41 PM
to Ingo Molnar, David Miller, tg...@linutronix.de, syzbot+a4eb8c...@syzkaller.appspotmail.com, a...@kernel.org, h...@zytor.com, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, mi...@redhat.com, net...@vger.kernel.org, syzkall...@googlegroups.com, x...@kernel.org, yosh...@linux-ipv6.org, pet...@infradead.org, lab...@redhat.com, kees...@chromium.org, torv...@linux-foundation.org, edum...@google.com
On 06/24/2018 12:02 PM, Ingo Molnar wrote:
> * David Miller <da...@davemloft.net> wrote:
>> From: Thomas Gleixner <tg...@linutronix.de>
>> Date: Sun, 24 Jun 2018 09:09:09 +0200 (CEST)
>>
>>> I'm really tempted to make the BPF config switch depend on BROKEN.
>>
>> This really isn't necessary Thomas.
>>
>> Whoever wrote the code didn't understand that set ro can legitimately
>> fail.
>
> No, that's *NOT* the only thing that happened, according to the Git history.
>
> The first use of set_memory_ro() in include/linux/filter.h was added by
> this commit almost four years ago:
>
> # 2014/09
> 60a3b2253c41 ("net: bpf: make eBPF interpreter images read-only")
>
> ... and yes, that commit didn't anticipate the (in hindsight) obvious property of
> a function that changes global kernel mappings that if it is used after bootup
> without locking it 'may fail'. So that commit slipping through is 'shit happens'
> and I don't think we ever complained about such things slipping through.

Hmm, back then I adapted the code similar from 314beb9bcabf ("x86: bpf_jit_comp:
secure bpf jit against spraying attacks") for interpreter images as well, and
from grepping through the kernel code none of the callers of set_memory_{ro,rw}()
at that time (& now except bpf) did check for the return code (e.g. module_enable_ro()
and module_disable_ro() as one example which could happen late after bootup has
finished when pulling in modules on the fly).

I did make the mistake in 9facc336876f ("bpf: reject any prog that failed read-only
lock") assuming that after the set_memory_ro() call it would either succeed or
it would not, but not leaving us in a state in the middle. That was a silly assumption
and I'll fix this up in bpf, very sorry about that! I've been debugging the syzkaller
BUG at [1] and noticed that even though set_memory_ro() failed with an error, doing
a probe_kernel_write() on it afterwards failed with EFAULT, meaning the module_alloc()
memory was however set to read-only at that point triggering later the BUG when
attempting to change its memory (at least on the virtual mem). From debugging output,
it was a single 4k page and on x86_64 in the __change_page_attr_set_clr() we failed
in the cpa_process_alias() where the syzkaller fault injection happened. So latter
failure from cpa_process_alias() came from call to __change_page_attr_set_clr() with
primary to 0, where it tried to split a large page in __change_page_attr() but failed
in alloc_pages() thus returning the -ENOMEM from there. Testing subsequent undoing
via set_memory_rw() made it writable again, though.

In any case, for pairs like set_memory_ro() + set_memory_rw() that are also used
outside of bpf e.g. STRICT_MODULE_RWX and friends which are mostly default these
days for some archs, is the choice to not check errors from there by design or from
historical context that it originated from 'debugging code' in that sense (DEBUG_RODATA /
DEBUG_SET_MODULE_RONX) earlier? Also if no-one checks for errors (and if that would
in fact be the recommendation it is agreed upon) should the API be changed to void,
or generally should actual error checking occur on these + potential rollback; but
then question is what about restoring part from prior set_memory_ro() via set_memory_rw()?
Kees/others, do you happen to have some more context on recommended use around this
by any chance? (Would probably also help if we add some doc around assumptions into
include/linux/set_memory.h for future users.)

Thanks a lot,
Daniel

[1] https://syzkaller.appspot.com/bug?extid=a4eb8c7766952a1ca872

Kees Cook

Jun 26, 2018, 8:26:02 PM
to Daniel Borkmann, Ingo Molnar, David Miller, Thomas Gleixner, syzbot+a4eb8c...@syzkaller.appspotmail.com, Alexei Starovoitov, H. Peter Anvin, Alexey Kuznetsov, LKML, Ingo Molnar, Network Development, syzkall...@googlegroups.com, X86 ML, Hideaki YOSHIFUJI, Peter Zijlstra, Laura Abbott, Linus Torvalds, Eric Dumazet, Rik van Riel, Ard Biesheuvel
On Tue, Jun 26, 2018 at 3:53 PM, Daniel Borkmann <dan...@iogearbox.net> wrote:
> In any case, for pairs like set_memory_ro() + set_memory_rw() that are also used
> outside of bpf e.g. STRICT_MODULE_RWX and friends which are mostly default these
> days for some archs, is the choice to not check errors from there by design or from
> historical context that it originated from 'debugging code' in that sense (DEBUG_RODATA /
> DEBUG_SET_MODULE_RONX) earlier? Also if no-one checks for errors (and if that would
> infact be the recommendation it is agreed upon) should the API be changed to void,
> or generally should actual error checking occur on these + potential rollback; but
> then question is what about restoring part from prior set_memory_ro() via set_memory_rw()?
> Kees/others, do you happen to have some more context on recommended use around this
> by any chance? (Would probably also help if we add some doc around assumptions into
> include/linux/set_memory.h for future users.)

If set_memory_* can fail, I think it needs to be __must_check, and all
the callers need to deal with it gracefully. Those markings aren't
"advisory": they're expected to actually do what they say.

-Kees

--
Kees Cook
Pixel Security

syzbot

Jun 27, 2018, 9:25:03 PM
to dan...@iogearbox.net, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+a4eb8c...@syzkaller.appspotmail.com

Tested on:

commit: 66b2a7e1c7aa bpf: undo prog rejection on read-only lock fa..
git tree:
git://git.kernel.org/pub/scm/linux/kernel/git/dborkman/bpf.git/bpf-jit-ro-fixes
kernel config: https://syzkaller.appspot.com/x/.config?x=befbcd7305e41bb0
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

syzbot

Jun 28, 2018, 6:29:02 AM
to dan...@iogearbox.net, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+a4eb8c...@syzkaller.appspotmail.com

Tested on:

commit: 8f8addab3679 bpf: undo prog rejection on read-only lock fa..
git tree:
git://git.kernel.org/pub/scm/linux/kernel/git/dborkman/bpf.git/bpf-jit-ro-fixes2

syzbot

Jun 29, 2018, 2:43:03 PM
to dan...@iogearbox.net, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger
crash:

Reported-and-tested-by:
syzbot+a4eb8c...@syzkaller.appspotmail.com

Tested on:

commit: ca09cb04af90 Merge branch 'bpf-fixes'
git tree:
git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/master

Daniel Borkmann

Jul 2, 2018, 2:57:36 AM
to syzbot, syzkall...@googlegroups.com
On 06/24/2018 06:09 AM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    5e2204832b20 Merge tag 'powerpc-4.18-2' of git://git.kerne..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=148b5a90400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=befbcd7305e41bb0
> dashboard link: https://syzkaller.appspot.com/bug?extid=a4eb8c7766952a1ca872
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=10ee22d4400000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a4eb8c...@syzkaller.appspotmail.com

#syz fix: bpf: undo prog rejection on read-only lock failure

Ingo Molnar

Jul 5, 2018, 3:21:34 AM
to Kees Cook, Daniel Borkmann, David Miller, Thomas Gleixner, syzbot+a4eb8c...@syzkaller.appspotmail.com, Alexei Starovoitov, H. Peter Anvin, Alexey Kuznetsov, LKML, Ingo Molnar, Network Development, syzkall...@googlegroups.com, X86 ML, Hideaki YOSHIFUJI, Peter Zijlstra, Laura Abbott, Linus Torvalds, Eric Dumazet, Rik van Riel, Ard Biesheuvel
Yes - but there's probably a few exceptions like early init code where the calls
not succeeding are signs of bugs - so any error return should probably be
WARN_ON()ed about.

Thanks,

Ingo