[syzbot] [net?] [bpf?] BUG: unable to handle kernel NULL pointer dereference in dev_map_hash_update_elem


syzbot

Feb 18, 2024, 5:22:18 PM
to and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, hao...@google.com, ha...@kernel.org, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, marti...@linux.dev, net...@vger.kernel.org, s...@google.com, so...@kernel.org, syzkall...@googlegroups.com, yongho...@linux.dev
Hello,

syzbot found the following issue on:

HEAD commit: 7e90b5c295ec Merge tag 'trace-tools-v6.8-rc4' of git://git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1460a080180000
kernel config: https://syzkaller.appspot.com/x/.config?x=f8ee3942159acc92
dashboard link: https://syzkaller.appspot.com/bug?extid=8cd36f6b65f3cafd400a
compiler: arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/8ead8862021c/non_bootable_disk-7e90b5c2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/79d91883bc70/vmlinux-7e90b5c2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0dcf5ad6b94a/zImage-7e90b5c2.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8cd36f...@syzkaller.appspotmail.com

8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000014 when read
[00000014] *pgd=85006003, *pmd=fe2d5003
Internal error: Oops: 207 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 1 PID: 7433 Comm: syz-executor.1 Not tainted 6.8.0-rc4-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at __dev_map_hash_lookup_elem kernel/bpf/devmap.c:269 [inline]
PC is at __dev_map_hash_update_elem kernel/bpf/devmap.c:972 [inline]
PC is at dev_map_hash_update_elem+0x90/0x210 kernel/bpf/devmap.c:1010
LR is at get_lock_parent_ip include/linux/ftrace.h:977 [inline]
LR is at preempt_latency_start kernel/sched/core.c:5843 [inline]
LR is at preempt_count_add+0x12c/0x150 kernel/sched/core.c:5868
pc : [<803e5ed8>] lr : [<8027b2b4>] psr: 60000093
sp : dfaf1da8 ip : dfaf1d68 fp : dfaf1de4
r10: 00000001 r9 : 84658000 r8 : 84e58110
r7 : 00000001 r6 : a0000013 r5 : 84e58000 r4 : ffffffff
r3 : 00000001 r2 : 00000010 r1 : 00000000 r0 : a0000013
Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none
Control: 30c5387d Table: 83e1be00 DAC: 00000000
Register r0 information: non-slab/vmalloc memory
Register r1 information: NULL pointer
Register r2 information: zero-size pointer
Register r3 information: non-paged memory
Register r4 information: non-paged memory
Register r5 information: slab kmalloc-cg-512 start 84e58000 pointer offset 0 size 512
Register r6 information: non-slab/vmalloc memory
Register r7 information: non-paged memory
Register r8 information: slab kmalloc-cg-512 start 84e58000 pointer offset 272 size 512
Register r9 information: slab net_namespace start 84658000 pointer offset 0 size 3264
Register r10 information: non-paged memory
Register r11 information: 2-page vmalloc region starting at 0xdfaf0000 allocated at kernel_clone+0xac/0x3c8 kernel/fork.c:2902
Register r12 information: 2-page vmalloc region starting at 0xdfaf0000 allocated at kernel_clone+0xac/0x3c8 kernel/fork.c:2902
Process syz-executor.1 (pid: 7433, stack limit = 0xdfaf0000)
Stack: (0xdfaf1da8 to 0xdfaf2000)
1da0: dfaf1dc4 ffffffff 00000000 caa92d0f dfaf1de4 84e58000
1dc0: 824aeaf0 86a45440 86a45c80 84f14000 00000004 84e58000 dfaf1e14 dfaf1de8
1de0: 8038c070 803e5e54 00000001 00000000 80883e10 84e580b8 84f14001 84f14000
1e00: dfaf1ec8 86a45440 dfaf1e6c dfaf1e18 8038cff8 8038be80 00000001 00000000
1e20: 00000000 00000004 20000280 00000004 00000000 86a45c80 200002c0 00000000
1e40: dfaf1e6c 00000000 00000020 dfaf1ea0 00000002 200002c0 00000020 00000000
1e60: dfaf1f8c dfaf1e70 80392a58 8038cdb0 00000000 00000000 20000013 83f0d400
1e80: dfaf1ee0 dfaf1fb0 dfaf1ea4 dfaf1e98 80883e10 dfaf1ee0 dfaf1fb0 80200288
1ea0: 200002c0 00000000 00000008 00000000 00000008 8041ad38 00000000 00000000
1ec0: 00000000 00000000 00000003 00000000 20000240 00000000 20000280 00000000
1ee0: 00000001 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1f00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1f20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1f40: 00000000 00000000 00000000 00000000 00000000 00000000 80203134 caa92d0f
1f60: 8261c978 00000000 00000000 0014c2c8 00000182 80200288 83f0d400 00000182
1f80: dfaf1fa4 dfaf1f90 80394e5c 803927e8 200002c0 00000000 00000000 dfaf1fa8
1fa0: 80200060 80394e3c 00000000 00000000 00000002 200002c0 00000020 00000000
1fc0: 00000000 00000000 0014c2c8 00000182 7ec5132e 7ec5132f 003d0f00 76b440fc
1fe0: 76b43f08 76b43ef8 000167e8 00050bb0 60000010 00000002 00000000 00000000
Backtrace:
[<803e5e48>] (dev_map_hash_update_elem) from [<8038c070>] (bpf_map_update_value+0x1fc/0x2d4 kernel/bpf/syscall.c:202)
r10:84e58000 r9:00000004 r8:84f14000 r7:86a45c80 r6:86a45440 r5:824aeaf0
r4:84e58000
[<8038be74>] (bpf_map_update_value) from [<8038cff8>] (map_update_elem+0x254/0x460 kernel/bpf/syscall.c:1553)
r8:86a45440 r7:dfaf1ec8 r6:84f14000 r5:84f14001 r4:84e580b8
[<8038cda4>] (map_update_elem) from [<80392a58>] (__sys_bpf+0x27c/0x2104 kernel/bpf/syscall.c:5445)
r10:00000000 r9:00000020 r8:200002c0 r7:00000002 r6:dfaf1ea0 r5:00000020
r4:00000000
[<803927dc>] (__sys_bpf) from [<80394e5c>] (__do_sys_bpf kernel/bpf/syscall.c:5561 [inline])
[<803927dc>] (__sys_bpf) from [<80394e5c>] (sys_bpf+0x2c/0x48 kernel/bpf/syscall.c:5559)
r10:00000182 r9:83f0d400 r8:80200288 r7:00000182 r6:0014c2c8 r5:00000000
r4:00000000
[<80394e30>] (sys_bpf) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:66)
Exception stack(0xdfaf1fa8 to 0xdfaf1ff0)
1fa0: 00000000 00000000 00000002 200002c0 00000020 00000000
1fc0: 00000000 00000000 0014c2c8 00000182 7ec5132e 7ec5132f 003d0f00 76b440fc
1fe0: 76b43f08 76b43ef8 000167e8 00050bb0
Code: e595210c e1a06000 e2433001 e003300a (e7924103)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: e595210c ldr r2, [r5, #268] @ 0x10c
4: e1a06000 mov r6, r0
8: e2433001 sub r3, r3, #1
c: e003300a and r3, r3, sl
* 10: e7924103 ldr r4, [r2, r3, lsl #2] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Feb 25, 2024, 10:49:16 PM
to and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, hao...@google.com, ha...@kernel.org, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, marti...@linux.dev, net...@vger.kernel.org, s...@google.com, so...@kernel.org, syzkall...@googlegroups.com, yongho...@linux.dev
syzbot has found a reproducer for the following issue on:

HEAD commit: 70ff1fe626a1 Merge tag 'docs-6.8-fixes3' of git://git.lwn...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1762045c180000
kernel config: https://syzkaller.appspot.com/x/.config?x=4cf52b43f46d820d
dashboard link: https://syzkaller.appspot.com/bug?extid=8cd36f6b65f3cafd400a
compiler: arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=110cf122180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142f6d8c180000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/8ead8862021c/non_bootable_disk-70ff1fe6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bc398db9fd8c/vmlinux-70ff1fe6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6d3f8b72a671/zImage-70ff1fe6.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8cd36f...@syzkaller.appspotmail.com

8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000010 when read
[00000010] *pgd=8423f003, *pmd=fe0d5003
Internal error: Oops: 207 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 2983 Comm: syz-executor360 Not tainted 6.8.0-rc5-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at __dev_map_hash_lookup_elem kernel/bpf/devmap.c:269 [inline]
PC is at __dev_map_hash_update_elem kernel/bpf/devmap.c:972 [inline]
PC is at dev_map_hash_update_elem+0x90/0x210 kernel/bpf/devmap.c:1010
LR is at get_lock_parent_ip include/linux/ftrace.h:977 [inline]
LR is at preempt_latency_start kernel/sched/core.c:5843 [inline]
LR is at preempt_count_add+0x12c/0x150 kernel/sched/core.c:5868
pc : [<803e5f34>] lr : [<8027b29c>] psr: 60000093
sp : df96dda8 ip : df96dd68 fp : df96dde4
r10: 00000000 r9 : 828f71c0 r8 : 8417bb10
r7 : 00000000 r6 : 20000013 r5 : 8417ba00 r4 : ffffffff
r3 : 00000000 r2 : 00000010 r1 : 00000000 r0 : 20000013
Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
Control: 30c5387d Table: 84656480 DAC: fffffffd
Register r0 information: non-paged memory
Register r1 information: NULL pointer
Register r2 information: zero-size pointer
Register r3 information: NULL pointer
Register r4 information: non-paged memory
Register r5 information: slab kmalloc-512 start 8417ba00 pointer offset 0 size 512
Register r6 information: non-paged memory
Register r7 information: NULL pointer
Register r8 information: slab kmalloc-512 start 8417ba00 pointer offset 272 size 512
Register r9 information: non-slab/vmalloc memory
Register r10 information: NULL pointer
Register r11 information: 2-page vmalloc region starting at 0xdf96c000 allocated at kernel_clone+0xac/0x3c8 kernel/fork.c:2902
Register r12 information: 2-page vmalloc region starting at 0xdf96c000 allocated at kernel_clone+0xac/0x3c8 kernel/fork.c:2902
Process syz-executor360 (pid: 2983, stack limit = 0xdf96c000)
Stack: (0xdf96dda8 to 0xdf96e000)
dda0: df96ddc4 00000004 00000000 1b98af0a df96dde4 8417ba00
ddc0: 824aeaf0 843ef140 8442a040 8365a9c0 00000004 8417ba00 df96de14 df96dde8
dde0: 8038c0b8 803e5eb0 00000000 00000000 80884220 8417bab8 8365a9c0 8365a9c0
de00: df96dec8 843ef140 df96de6c df96de18 8038d040 8038bec8 00000000 00000000
de20: 8027b44c 00000004 20000140 00000004 00000000 8442a040 20000200 00000000
de40: df96de6c 00000000 00000020 df96dea0 00000002 20000200 00000020 00000000
de60: df96df8c df96de70 80392aa0 8038cdf8 8088300c 81856650 00000000 841ee000
de80: df96dee0 df96dfb0 df96dea4 df96de98 80884220 df96dee0 df96dfb0 80200288
dea0: 20000200 00000000 00000008 00000000 00000008 8041ad98 841ee000 ffffffff
dec0: df96df2c 80200b9c 00000003 00000000 200000c0 00000000 20000140 00000000
dee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
df00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
df20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
df40: 00000000 00000000 00000000 00000000 00000000 00000000 df96df94 1b98af0a
df60: 8134e0a0 ffffffff 00000000 0008e058 00000182 80200288 841ee000 00000182
df80: df96dfa4 df96df90 80394ea4 80392830 20000200 00000000 00000000 df96dfa8
dfa0: 80200060 80394e84 ffffffff 00000000 00000002 20000200 00000020 00000000
dfc0: ffffffff 00000000 0008e058 00000182 000f4240 00000000 00000001 00003a97
dfe0: 7e973c70 7e973c60 000106cc 0002e810 00000010 00000002 00000000 00000000
Backtrace:
[<803e5ea4>] (dev_map_hash_update_elem) from [<8038c0b8>] (bpf_map_update_value+0x1fc/0x2d4 kernel/bpf/syscall.c:202)
r10:8417ba00 r9:00000004 r8:8365a9c0 r7:8442a040 r6:843ef140 r5:824aeaf0
r4:8417ba00
[<8038bebc>] (bpf_map_update_value) from [<8038d040>] (map_update_elem+0x254/0x460 kernel/bpf/syscall.c:1553)
r8:843ef140 r7:df96dec8 r6:8365a9c0 r5:8365a9c0 r4:8417bab8
[<8038cdec>] (map_update_elem) from [<80392aa0>] (__sys_bpf+0x27c/0x2104 kernel/bpf/syscall.c:5445)
r10:00000000 r9:00000020 r8:20000200 r7:00000002 r6:df96dea0 r5:00000020
r4:00000000
[<80392824>] (__sys_bpf) from [<80394ea4>] (__do_sys_bpf kernel/bpf/syscall.c:5561 [inline])
[<80392824>] (__sys_bpf) from [<80394ea4>] (sys_bpf+0x2c/0x48 kernel/bpf/syscall.c:5559)
r10:00000182 r9:841ee000 r8:80200288 r7:00000182 r6:0008e058 r5:00000000
r4:ffffffff
[<80394e78>] (sys_bpf) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:66)
Exception stack(0xdf96dfa8 to 0xdf96dff0)
dfa0: ffffffff 00000000 00000002 20000200 00000020 00000000
dfc0: ffffffff 00000000 0008e058 00000182 000f4240 00000000 00000001 00003a97
dfe0: 7e973c70 7e973c60 000106cc 0002e810
Code: e595210c e1a06000 e2433001 e003300a (e7924103)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: e595210c ldr r2, [r5, #268] @ 0x10c
4: e1a06000 mov r6, r0
8: e2433001 sub r3, r3, #1
c: e003300a and r3, r3, sl
* 10: e7924103 ldr r4, [r2, r3, lsl #2] <-- trapping instruction


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

John Fastabend

Feb 26, 2024, 4:49:19 PM
to syzbot, and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, hao...@google.com, ha...@kernel.org, john.fa...@gmail.com, jo...@kernel.org, kps...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, marti...@linux.dev, net...@vger.kernel.org, s...@google.com, so...@kernel.org, syzkall...@googlegroups.com, yongho...@linux.dev
syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 70ff1fe626a1 Merge tag 'docs-6.8-fixes3' of git://git.lwn...
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1762045c180000
> kernel config: https://syzkaller.appspot.com/x/.config?x=4cf52b43f46d820d
> dashboard link: https://syzkaller.appspot.com/bug?extid=8cd36f6b65f3cafd400a
> compiler: arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> userspace arch: arm
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=110cf122180000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142f6d8c180000
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/8ead8862021c/non_bootable_disk-70ff1fe6.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/bc398db9fd8c/vmlinux-70ff1fe6.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/6d3f8b72a671/zImage-70ff1fe6.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+8cd36f...@syzkaller.appspotmail.com
>

I'll take a look this week if no one beats me to it. Looks like there is
a reproducer so should be able to sort it out.

syzbot

Feb 27, 2024, 8:52:26 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [bpf?] [net?] BUG: unable to handle kernel NULL pointer dereference in dev_map_hash_update_elem
Author: to...@kernel.org

#syz test

diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index a936c704d4e7..9b2286f9c6da 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -130,13 +130,11 @@ static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr)
bpf_map_init_from_attr(&dtab->map, attr);

if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) {
- dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries);
-
- if (!dtab->n_buckets) /* Overflow check */
+ if (dtab->map.max_entries > U32_MAX / 2)
return -EINVAL;
- }

- if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) {
+ dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries);
+
dtab->dev_index_head = dev_map_create_hash(dtab->n_buckets,
dtab->map.numa_node);
if (!dtab->dev_index_head)
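Review bot: the new bound `if (dtab->map.max_entries > U32_MAX / 2)` arrives without a comment while the `/* Overflow check */` it replaces is deleted; a one-liner such as `/* roundup_pow_of_two() shifts by the word width for larger values on 32-bit */` would tell a later reader why the limit is exactly half of U32_MAX (the largest value whose rounded bucket count, 2^31, still fits in a 32-bit n_buckets). Separately, dropping `if (!dtab->n_buckets)` means a zero max_entries is no longer caught at this point; that is only safe if it is rejected before dev_map_init_map() runs, since roundup_pow_of_two(0) computes fls_long(-1) and takes the same oversized shift, so it is worth confirming that the allocation path already has that check. Folding the two `BPF_MAP_TYPE_DEVMAP_HASH` blocks into one is a welcome tidy-up.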

Toke Høiland-Jørgensen

Feb 27, 2024, 8:55:02 AM
to John Fastabend, syzbot, and...@kernel.org, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, hao...@google.com, ha...@kernel.org, jo...@kernel.org, kps...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, marti...@linux.dev, net...@vger.kernel.org, s...@google.com, so...@kernel.org, syzkall...@googlegroups.com, yongho...@linux.dev
Took a look at the reproducer. Looks like it's creating the map with
max_entries=0x80000202, which means the rounding up of the number of
hash buckets overflows, and somehow the overflow check (for 0) is not
working on a 32-bit machine? I guess because the roundup_power_of_two()
ends up doing a (1UL << 32), which is undefined behaviour when an
unsigned long is four bytes.

I'll send a patch to check the value before the rounding up instead of
after.

-Toke
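The overflow described above, as an added example that is not part of the thread or of the kernel source: a userspace model of how the kernel evaluates `roundup_pow_of_two(n)` on a 32-bit build (`1UL << fls_long(n - 1)`), showing that the `max_entries` value from the reproducer, 0x80000202, produces a shift by 32 bits, which is undefined for a four-byte `unsigned long`, and that a bound applied before rounding (the approach the patch in this thread takes) avoids ever reaching that shift. The function names `fls32`, `roundup_shift32` and `devmap_hash_buckets` are invented for this example, and the rejection of `max_entries == 0` in `devmap_hash_buckets` is the example's own addition, not something the thread's patch shows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the kernel's fls_long() on a build where unsigned long is
 * 32 bits: 1-based index of the highest set bit, or 0 for x == 0. */
static unsigned int fls32(uint32_t x)
{
    unsigned int r = 0;
    while (x) {
        r++;
        x >>= 1;
    }
    return r;
}

/* Shift amount that roundup_pow_of_two(n) == 1UL << fls_long(n - 1)
 * would apply for n on a 32-bit kernel.  A result of 32 is a shift by
 * the full word width, which C leaves undefined, so a "did the result
 * come out as 0?" check after the fact is not something the compiler
 * is obliged to honour. */
static unsigned int roundup_shift32(uint32_t n)
{
    return fls32(n - 1);   /* n == 0 wraps to 0xFFFFFFFF: shift of 32 as well */
}

/* Bucket count for a DEVMAP_HASH map with the bound applied before
 * rounding: anything above U32_MAX / 2 would round to 2^32, which does
 * not fit in 32 bits, so it is rejected.  The zero check is this
 * example's own (hypothetical) addition, because rounding 0 takes the
 * same oversized shift.  Returns the bucket count, or 0 for -EINVAL. */
static uint32_t devmap_hash_buckets(uint32_t max_entries)
{
    if (max_entries == 0 || max_entries > UINT32_MAX / 2)
        return 0;
    return (uint32_t)1 << roundup_shift32(max_entries);
}

int main(void)
{
    /* Constructed inputs: the value from the reproducer, the two edges
     * of the accepted range, and two ordinary sizes. */
    uint32_t inputs[] = { 0x80000202u, 0x7FFFFFFFu, 0x80000000u, 1u, 6u };

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        uint32_t n = inputs[i];
        uint32_t buckets = devmap_hash_buckets(n);

        printf("max_entries=0x%08x shift=%2u buckets=0x%08x%s\n",
               n, roundup_shift32(n), buckets,
               buckets ? "" : " (rejected)");
    }
    return 0;
}
```

Note that the `> U32_MAX / 2` bound is conservative by one value: 0x80000000 is itself a power of two and would round to itself, but it is rejected along with everything larger. That is the right trade for a size that comes straight from userspace: the check costs nothing and keeps the arithmetic well inside the defined range.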

syzbot

Feb 27, 2024, 9:16:04 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com, to...@kernel.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+8cd36f...@syzkaller.appspotmail.com

Tested on:

commit: 45ec2f5f Merge tag 'mtd/fixes-for-6.8-rc7' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1561a106180000
kernel config: https://syzkaller.appspot.com/x/.config?x=732e53182a46d9d9
dashboard link: https://syzkaller.appspot.com/bug?extid=8cd36f6b65f3cafd400a
compiler: arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm
patch: https://syzkaller.appspot.com/x/patch.diff?x=1387f502180000

Note: testing is done by a robot and is best-effort only.