[syzkaller] general protection fault in skb_release_data #104

cpaasch · 2020-10-28T15:44:47Z

TCP: request_sock_subflow: Possible SYN flooding on port 20000. Sending cookies.  Check SNMP counters.
general protection fault, probably for non-canonical address 0xdffffc0000044762: 0000 [#1] SMP KASAN
KASAN: probably user-memory-access in range [0x0000000000223b10-0x0000000000223b17]
CPU: 1 PID: 2183 Comm: kworker/1:3 Not tainted 5.10.0-rc6 #52
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: events mptcp_worker
RIP: 0010:compound_head include/linux/page-flags.h:185 [inline]
RIP: 0010:put_page include/linux/mm.h:1180 [inline]
RIP: 0010:__skb_frag_unref include/linux/skbuff.h:3024 [inline]
RIP: 0010:skb_release_data+0x217/0x7c0 net/core/skbuff.c:609
Code: 8e ec 00 00 00 e8 29 3f d9 fe 48 89 d8 48 c1 e8 03 42 80 3c 30 00 0f 85 bd 04 00 00 48 8b 2b 48 8d 7d 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 da 04 00 00 48 8b 45 08 31 ff 49 89 c4 48 89
RSP: 0018:ffffc90000140858 EFLAGS: 00010202
RAX: 0000000000044762 RBX: ffff88810431e8f0 RCX: ffffffff825be503
RDX: 0000000000000000 RSI: ffffffff825be577 RDI: 0000000000223b10
RBP: 0000000000223b08 R08: ffff888102074740 R09: ffffed1020863d1d
R10: ffff88810431e8e3 R11: ffffed1020863d1c R12: ffff88810431e8c0
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff888023118dc0
FS:  0000000000000000(0000) GS:ffff88811b500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b33422000 CR3: 000000010c873001 CR4: 0000000000170ee0
Call Trace:
 <IRQ>
 skb_release_all+0x46/0x60 net/core/skbuff.c:669
 __kfree_skb+0x11/0x20 net/core/skbuff.c:683
 tcp_data_queue+0x2505/0x4770 net/ipv4/tcp_input.c:4930
 tcp_rcv_established+0x851/0x1c80 net/ipv4/tcp_input.c:5870
 tcp_v4_do_rcv+0x602/0x8b0 net/ipv4/tcp_ipv4.c:1673
 tcp_v4_rcv+0x2533/0x2e60 net/ipv4/tcp_ipv4.c:2055
 ip_protocol_deliver_rcu+0x2b/0x200 net/ipv4/ip_input.c:204
 ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
 NF_HOOK include/linux/netfilter.h:409 [inline]
 ip_local_deliver+0x2da/0x390 net/ipv4/ip_input.c:252
 dst_input include/net/dst.h:447 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:428 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:414 [inline]
 NF_HOOK include/linux/netfilter.h:409 [inline]
 ip_rcv+0xef/0x140 net/ipv4/ip_input.c:539
 __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5305
 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5419
 process_backlog+0x1e5/0x6e0 net/core/dev.c:6309
 napi_poll net/core/dev.c:6787 [inline]
 net_rx_action+0x3fa/0xe30 net/core/dev.c:6870
 __do_softirq+0x187/0x585 kernel/softirq.c:298
 asm_call_irq_on_stack+0x12/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x32/0x40 arch/x86/kernel/irq_64.c:77
 do_softirq.part.0+0x26/0x30 kernel/softirq.c:343
 do_softirq arch/x86/include/asm/preempt.h:26 [inline]
 __local_bh_enable_ip+0x46/0x50 kernel/softirq.c:195
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:730 [inline]
 ip_finish_output2+0x71e/0x17e0 net/ipv4/ip_output.c:231
 __ip_finish_output+0x516/0x880 net/ipv4/ip_output.c:308
 dst_output include/net/dst.h:441 [inline]
 ip_local_out+0x18a/0x1f0 net/ipv4/ip_output.c:126
 __ip_queue_xmit+0x77c/0x1500 net/ipv4/ip_output.c:532
 __tcp_transmit_skb+0x2bed/0x36a0 net/ipv4/tcp_output.c:1405
 __tcp_send_ack.part.0+0x3f0/0x660 net/ipv4/tcp_output.c:3971
 __tcp_send_ack net/ipv4/tcp_output.c:3977 [inline]
 tcp_send_ack+0x7d/0xa0 net/ipv4/tcp_output.c:3977
 mptcp_pm_nl_add_addr_send_ack+0x19c/0x330 net/mptcp/pm_netlink.c:428
 mptcp_pm_create_subflow_or_signal_addr+0xd42/0x1090 net/mptcp/pm_netlink.c:330
 pm_work net/mptcp/protocol.c:2181 [inline]
 mptcp_worker+0x1003/0x1560 net/mptcp/protocol.c:2277
 process_one_work+0x8d3/0x1200 kernel/workqueue.c:2272
 worker_thread+0x9c/0x1090 kernel/workqueue.c:2418
 kthread+0x303/0x410 kernel/kthread.c:292
 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace 3ab598cf6b077bbe ]---
RIP: 0010:compound_head include/linux/page-flags.h:185 [inline]
RIP: 0010:put_page include/linux/mm.h:1180 [inline]
RIP: 0010:__skb_frag_unref include/linux/skbuff.h:3024 [inline]
RIP: 0010:skb_release_data+0x217/0x7c0 net/core/skbuff.c:609
Code: 8e ec 00 00 00 e8 29 3f d9 fe 48 89 d8 48 c1 e8 03 42 80 3c 30 00 0f 85 bd 04 00 00 48 8b 2b 48 8d 7d 08 48 89 f8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 da 04 00 00 48 8b 45 08 31 ff 49 89 c4 48 89
RSP: 0018:ffffc90000140858 EFLAGS: 00010202
RAX: 0000000000044762 RBX: ffff88810431e8f0 RCX: ffffffff825be503
RDX: 0000000000000000 RSI: ffffffff825be577 RDI: 0000000000223b10
RBP: 0000000000223b08 R08: ffff888102074740 R09: ffffed1020863d1d
R10: ffff88810431e8e3 R11: ffffed1020863d1c R12: ffff88810431e8c0
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff888023118dc0
FS:  0000000000000000(0000) GS:ffff88811b500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b33422000 CR3: 000000010c873001 CR4: 0000000000170ee0

HEAD is at
05cb27b ("DO-NOT-MERGE: mptcp: enabled by default") (HEAD, tag: export/20201209T060936, mptcp_net-next/export) (12 hours ago)
525593c ("DO-NOT-MERGE: mptcp: add GitHub Actions") (12 hours ago)
6aa8731 ("DO-NOT-MERGE: mptcp: use kmalloc on kasan build") (12 hours ago)
2227bfd ("mptcp: let MPTCP create max size skbs") (12 hours ago)
908c632 ("mptcp: pm: simplify select_local_address()") (12 hours ago)
a771b76 ("mptcp: parse and act on incoming FASTCLOSE option") (12 hours ago)
7dbc6b7 ("tcp: parse mptcp options contained in reset packets") (12 hours ago)
4598a67 ("mptcp: hold mptcp socket before calling tcp_done") (12 hours ago)
3630500 ("mptcp: use MPTCPOPT_HMAC_LEN macro") (12 hours ago)
905c00c ("selftests: mptcp: add the flush addrs testcase") (12 hours ago)
2d0de9b ("mptcp: remove address when netlink flushes addrs") (12 hours ago)
389cb8d ("mptcp: use the variable sk instead of open-coding") (12 hours ago)
62ad6da ("mptcp: rename add_addr_signal and mptcp_add_addr_status") (12 hours ago)
56607a9 ("mptcp: drop rm_addr_signal flag") (12 hours ago)
f561498 ("mptcp: print out port and ahmac when receiving ADD_ADDR") (12 hours ago)
faec918 ("mptcp: add port parameter for mptcp_pm_announce_addr") (12 hours ago)
1bab32f ("mptcp: send out dedicated packet for ADD_ADDR using port") (12 hours ago)
a7429bb ("mptcp: add the outgoing ADD_ADDR port support") (12 hours ago)
a8787a8 ("mptcp: use adding up size to get ADD_ADDR length") (12 hours ago)
1690597 ("mptcp: add port support for ADD_ADDR suboption writing") (12 hours ago)
4021cd8 ("mptcp: unify ADD_ADDR and ADD_ADDR6 suboptions writing") (12 hours ago)
0b86309 ("mptcp: unify ADD_ADDR and echo suboptions writing") (12 hours ago)
c855f89 ("bpf:selftests: add bpf_mptcp_sock() verifier tests") (12 hours ago)
0eaea54 ("bpf:selftests: add MPTCP test base") (12 hours ago)
eed59ab ("bpf: add 'bpf_mptcp_sock' structure and helper") (12 hours ago)
6dd1da9 ("mptcp: attach subflow socket to parent cgroup") (12 hours ago)
58a4d0c ("bpf: expose is_mptcp flag to bpf_tcp_sock") (12 hours ago)
d188dfe ("mptcp: be careful on subflows shutdown") (12 hours ago)
9910201 ("mptcp: plug subflow context memory leak") (12 hours ago)
ae1cd5e ("mptcp: link MPC subflow into msk only after accept") (12 hours ago)
afae3cc ("net: atheros: simplify the return expression of atl2_phy_setup_autoneg_adv()") (mptcp_net-next/net-next) (18 hours ago)

syzkaller reproducer:

# {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:1 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false}
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$mptcp(&(0x7f00000000c0)='mptcp_pm\x00')
sendmsg$MPTCP_PM_CMD_ADD_ADDR(r0, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f00000002c0)={0x3c, r1, 0x1, 0x0, 0x0, {}, [@MPTCP_PM_ATTR_ADDR={0x28, 0x1, 0x0, 0x1, [@MPTCP_PM_ADDR_ATTR_ADDR6={0x14, 0x4, @private0={0xfc, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4]}}, @MPTCP_PM_ADDR_ATTR_FLAGS={0x8, 0x6, 0x5}, @MPTCP_PM_ADDR_ATTR_FAMILY={0x6, 0x1, 0xa}]}]}, 0x3c}}, 0x0)
r2 = socket$inet_mptcp(0x2, 0x1, 0x106)
bind$inet(r2, &(0x7f00000013c0)={0x2, 0x4e20}, 0x10)
listen(r2, 0x0)
r3 = socket$inet_mptcp(0x2, 0x1, 0x106)
connect$inet(r3, &(0x7f00000000c0)={0x2, 0x4e20, @local}, 0x10)

CONFIG-file attached.
CONFIG.txt

[UPDATE 12/11: Updated HEAD and CONFIG file]
[UPDATE 11/19: Updated HEAD and CONFIG file]
[UPDATE 11/02: Added syzkaller reproducer]
[UPDATE 11/02: Updated HEAD]

The text was updated successfully, but these errors were encountered:

geliangtang · 2020-12-04T04:18:03Z

@cpaasch @matttbe @pabeni Bugfix for this issue has been sent to ML, named "mptcp: avoid using the main socket to send ack"

geliangtang · 2020-12-15T05:50:52Z

@pabeni @cpaasch @matttbe New patch has been sent out.

This patch cleared use_ack and use_map when dropping other suboptions to fix the following syzkaller BUG: [ 15.223006] BUG: unable to handle page fault for address: 0000000000223b10 [ 15.223700] #PF: supervisor read access in kernel mode [ 15.224209] #PF: error_code(0x0000) - not-present page [ 15.224724] PGD b8d5067 P4D b8d5067 PUD c0a5067 PMD 0 [ 15.225237] Oops: 0000 [#1] SMP [ 15.225556] CPU: 0 PID: 7747 Comm: syz-executor Not tainted 5.10.0-rc6+ #24 [ 15.226281] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 [ 15.227292] RIP: 0010:skb_release_data+0x89/0x1e0 [ 15.227816] Code: 5b 5d 41 5c 41 5d 41 5e 41 5f e9 02 06 8a ff e8 fd 05 8a ff 45 31 ed 80 7d 02 00 4c 8d 65 30 74 55 e8 eb 05 8a ff 49 8b 1c 24 <4c> 8b 7b 08 41 f6 c7 01 0f 85 18 01 00 00 e8 d4 05 8a ff 8b 43 34 [ 15.229669] RSP: 0018:ffffc900019c7c08 EFLAGS: 00010293 [ 15.230188] RAX: ffff88800daad900 RBX: 0000000000223b08 RCX: 0000000000000006 [ 15.230895] RDX: 0000000000000000 RSI: ffffffff818e06c5 RDI: ffff88807f6dc700 [ 15.231593] RBP: ffff88807f71a4c0 R08: 0000000000000001 R09: 0000000000000001 [ 15.232299] R10: ffffc900019c7c18 R11: 0000000000000000 R12: ffff88807f71a4f0 [ 15.233007] R13: 0000000000000000 R14: ffff88807f6dc700 R15: 0000000000000002 [ 15.233714] FS: 00007f65d9b5f700(0000) GS:ffff88807c400000(0000) knlGS:0000000000000000 [ 15.234509] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 15.235081] CR2: 0000000000223b10 CR3: 000000000b883000 CR4: 00000000000006f0 [ 15.235788] Call Trace: [ 15.236042] skb_release_all+0x28/0x30 [ 15.236419] __kfree_skb+0x11/0x20 [ 15.236768] tcp_data_queue+0x270/0x1240 [ 15.237161] ? tcp_urg+0x50/0x2a0 [ 15.237496] tcp_rcv_established+0x39a/0x890 [ 15.237997] ? mark_held_locks+0x49/0x70 [ 15.238467] tcp_v4_do_rcv+0xb9/0x270 [ 15.238915] __release_sock+0x8a/0x160 [ 15.239365] release_sock+0x32/0xd0 [ 15.239793] __inet_stream_connect+0x1d2/0x400 [ 15.240313] ? do_wait_intr_irq+0x80/0x80 [ 15.240791] inet_stream_connect+0x36/0x50 [ 15.241275] mptcp_stream_connect+0x69/0x1b0 [ 15.241787] __sys_connect+0x122/0x140 [ 15.242236] ? syscall_enter_from_user_mode+0x17/0x50 [ 15.242836] ? lockdep_hardirqs_on_prepare+0xd4/0x170 [ 15.243436] __x64_sys_connect+0x1a/0x20 [ 15.243924] do_syscall_64+0x33/0x40 [ 15.244313] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 15.244821] RIP: 0033:0x7f65d946e469 [ 15.245183] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48 [ 15.247019] RSP: 002b:00007f65d9b5eda8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 15.247770] RAX: ffffffffffffffda RBX: 000000000049bf00 RCX: 00007f65d946e469 [ 15.248471] RDX: 0000000000000010 RSI: 00000000200000c0 RDI: 0000000000000005 [ 15.249205] RBP: 000000000049bf00 R08: 0000000000000000 R09: 0000000000000000 [ 15.249908] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000049bf0c [ 15.250603] R13: 00007fffe8a25cef R14: 00007f65d9b3f000 R15: 0000000000000003 [ 15.251312] Modules linked in: [ 15.251626] CR2: 0000000000223b10 [ 15.251965] BUG: kernel NULL pointer dereference, address: 0000000000000048 [ 15.252005] ---[ end trace f5c51fe19123c773 ]--- [ 15.252822] #PF: supervisor read access in kernel mode [ 15.252823] #PF: error_code(0x0000) - not-present page [ 15.252825] PGD c6c6067 P4D c6c6067 PUD c0d8067 [ 15.253294] RIP: 0010:skb_release_data+0x89/0x1e0 [ 15.253910] PMD 0 [ 15.253914] Oops: 0000 [#2] SMP [ 15.253917] CPU: 1 PID: 7746 Comm: syz-executor Tainted: G D 5.10.0-rc6+ #24 [ 15.253920] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 [ 15.254435] Code: 5b 5d 41 5c 41 5d 41 5e 41 5f e9 02 06 8a ff e8 fd 05 8a ff 45 31 ed 80 7d 02 00 4c 8d 65 30 74 55 e8 eb 05 8a ff 49 8b 1c 24 <4c> 8b 7b 08 41 f6 c7 01 0f 85 18 01 00 00 e8 d4 05 8a ff 8b 43 34 [ 15.254899] RIP: 0010:skb_release_data+0x89/0x1e0 [ 15.254902] Code: 5b 5d 41 5c 41 5d 41 5e 41 5f e9 02 06 8a ff e8 fd 05 8a ff 45 31 ed 80 7d 02 00 4c 8d 65 30 74 55 e8 eb 05 8a ff 49 8b 1c 24 <4c> 8b 7b 08 41 f6 c7 01 0f 85 18 01 00 00 e8 d4 05 8a ff 8b 43 34 [ 15.254905] RSP: 0018:ffffc900019bfc08 EFLAGS: 00010293 [ 15.255376] RSP: 0018:ffffc900019c7c08 EFLAGS: 00010293 [ 15.255580] [ 15.255583] RAX: ffff888004a7ac80 RBX: 0000000000000040 RCX: 0000000000000000 [ 15.255912] [ 15.256724] RDX: 0000000000000000 RSI: ffffffff818e06c5 RDI: ffff88807f6ddd00 [ 15.257620] RAX: ffff88800daad900 RBX: 0000000000223b08 RCX: 0000000000000006 [ 15.259817] RBP: ffff88800e9006c0 R08: 0000000000000000 R09: 0000000000000000 [ 15.259818] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88800e9006f0 [ 15.259820] R13: 0000000000000000 R14: ffff88807f6ddd00 R15: 0000000000000002 [ 15.259822] FS: 00007fae4a60a700(0000) GS:ffff88807c500000(0000) knlGS:0000000000000000 [ 15.259826] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 15.260296] RDX: 0000000000000000 RSI: ffffffff818e06c5 RDI: ffff88807f6dc700 [ 15.262514] CR2: 0000000000000048 CR3: 000000000b89c000 CR4: 00000000000006e0 [ 15.262515] Call Trace: [ 15.262519] skb_release_all+0x28/0x30 [ 15.262523] __kfree_skb+0x11/0x20 [ 15.263054] RBP: ffff88807f71a4c0 R08: 0000000000000001 R09: 0000000000000001 [ 15.263680] tcp_data_queue+0x270/0x1240 [ 15.263843] R10: ffffc900019c7c18 R11: 0000000000000000 R12: ffff88807f71a4f0 [ 15.264693] ? tcp_urg+0x50/0x2a0 [ 15.264856] R13: 0000000000000000 R14: ffff88807f6dc700 R15: 0000000000000002 [ 15.265720] tcp_rcv_established+0x39a/0x890 [ 15.266438] FS: 00007f65d9b5f700(0000) GS:ffff88807c400000(0000) knlGS:0000000000000000 [ 15.267283] ? __schedule+0x3fa/0x880 [ 15.267287] tcp_v4_do_rcv+0xb9/0x270 [ 15.267290] __release_sock+0x8a/0x160 [ 15.268049] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 15.268788] release_sock+0x32/0xd0 [ 15.268791] __inet_stream_connect+0x1d2/0x400 [ 15.268795] ? do_wait_intr_irq+0x80/0x80 [ 15.269593] CR2: 0000000000223b10 CR3: 000000000b883000 CR4: 00000000000006f0 [ 15.270246] inet_stream_connect+0x36/0x50 [ 15.270250] mptcp_stream_connect+0x69/0x1b0 [ 15.270253] __sys_connect+0x122/0x140 [ 15.271097] Kernel panic - not syncing: Fatal exception [ 15.271820] ? syscall_enter_from_user_mode+0x17/0x50 [ 15.283542] ? lockdep_hardirqs_on_prepare+0xd4/0x170 [ 15.284275] __x64_sys_connect+0x1a/0x20 [ 15.284853] do_syscall_64+0x33/0x40 [ 15.285369] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 15.286105] RIP: 0033:0x7fae49f19469 [ 15.286638] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48 [ 15.289295] RSP: 002b:00007fae4a609da8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 15.290375] RAX: ffffffffffffffda RBX: 000000000049bf00 RCX: 00007fae49f19469 [ 15.291403] RDX: 0000000000000010 RSI: 00000000200000c0 RDI: 0000000000000005 [ 15.292437] RBP: 000000000049bf00 R08: 0000000000000000 R09: 0000000000000000 [ 15.293456] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000049bf0c [ 15.294473] R13: 00007fff0004b6bf R14: 00007fae4a5ea000 R15: 0000000000000003 [ 15.295492] Modules linked in: [ 15.295944] CR2: 0000000000000048 [ 15.296567] Kernel Offset: disabled [ 15.296941] ---[ end Kernel panic - not syncing: Fatal exception ]--- Reported-by: Christoph Paasch <[email protected]> Closes: #104 Fixes: 84dfe36 (mptcp: send out dedicated ADD_ADDR packet) Acked-by: Paolo Abeni <[email protected]> Signed-off-by: Geliang Tang <[email protected]>

Performing the following: ># echo 'wakeup_lat s32 pid; u64 delta; char wake_comm[]' > synthetic_events ># echo 'hist:keys=pid:__arg__1=common_timestamp.usecs' > events/sched/sched_waking/trigger ># echo 'hist:keys=next_pid:pid=next_pid,delta=common_timestamp.usecs-$__arg__1:onmatch(sched.sched_waking).trace(wakeup_lat,$pid,$delta,prev_comm)'\ > events/sched/sched_switch/trigger ># echo 1 > events/synthetic/enable Crashed the kernel: BUG: kernel NULL pointer dereference, address: 000000000000001b #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP CPU: 7 PID: 0 Comm: swapper/7 Not tainted 5.13.0-rc5-test+ #104 Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v03.03 07/14/2016 RIP: 0010:strlen+0x0/0x20 Code: f6 82 80 2b 0b bc 20 74 11 0f b6 50 01 48 83 c0 01 f6 82 80 2b 0b bc 20 75 ef c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 <80> 3f 00 74 10 48 89 f8 48 83 c0 01 80 38 9 f8 c3 31 RSP: 0018:ffffaa75000d79d0 EFLAGS: 00010046 RAX: 0000000000000002 RBX: ffff9cdb55575270 RCX: 0000000000000000 RDX: ffff9cdb58c7a320 RSI: ffffaa75000d7b40 RDI: 000000000000001b RBP: ffffaa75000d7b40 R08: ffff9cdb40a4f010 R09: ffffaa75000d7ab8 R10: ffff9cdb4398c700 R11: 0000000000000008 R12: ffff9cdb58c7a320 R13: ffff9cdb55575270 R14: ffff9cdb58c7a000 R15: 0000000000000018 FS: 0000000000000000(0000) GS:ffff9cdb5aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000001b CR3: 00000000c0612006 CR4: 00000000001706e0 Call Trace: trace_event_raw_event_synth+0x90/0x1d0 action_trace+0x5b/0x70 event_hist_trigger+0x4bd/0x4e0 ? cpumask_next_and+0x20/0x30 ? update_sd_lb_stats.constprop.0+0xf6/0x840 ? __lock_acquire.constprop.0+0x125/0x550 ? find_held_lock+0x32/0x90 ? sched_clock_cpu+0xe/0xd0 ? lock_release+0x155/0x440 ? update_load_avg+0x8c/0x6f0 ? enqueue_entity+0x18a/0x920 ? __rb_reserve_next+0xe5/0x460 ? ring_buffer_lock_reserve+0x12a/0x3f0 event_triggers_call+0x52/0xe0 trace_event_buffer_commit+0x1ae/0x240 trace_event_raw_event_sched_switch+0x114/0x170 __traceiter_sched_switch+0x39/0x50 __schedule+0x431/0xb00 schedule_idle+0x28/0x40 do_idle+0x198/0x2e0 cpu_startup_entry+0x19/0x20 secondary_startup_64_no_verify+0xc2/0xcb The reason is that the dynamic events array keeps track of the field position of the fields array, via the field_pos variable in the synth_field structure. Unfortunately, that field is a boolean for some reason, which means any field_pos greater than 1 will be a bug (in this case it was 2). Link: https://lkml.kernel.org/r/[email protected] Cc: Masami Hiramatsu <[email protected]> Cc: Namhyung Kim <[email protected]> Cc: Ingo Molnar <[email protected]> Cc: Andrew Morton <[email protected]> Cc: [email protected] Fixes: bd82631 ("tracing: Add support for dynamic strings to synthetic events") Reviewed-by: Tom Zanussi <[email protected]> Signed-off-by: Steven Rostedt (VMware) <[email protected]>

Commit 6e44bd6 ("memblock: exclude NOMAP regions from kmemleak") breaks boot on EFI systems with kmemleak and VM_DEBUG enabled: efi: Processing EFI memory map: efi: 0x000090000000-0x000091ffffff [Conventional| | | | | | | | | | |WB|WT|WC|UC] efi: 0x000092000000-0x0000928fffff [Runtime Data|RUN| | | | | | | | | |WB|WT|WC|UC] ------------[ cut here ]------------ kernel BUG at mm/kmemleak.c:1140! Internal error: Oops - BUG: 0 [#1] SMP Modules linked in: CPU: 0 PID: 0 Comm: swapper Not tainted 5.15.0-rc6-next-20211019+ #104 pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : kmemleak_free_part_phys+0x64/0x8c lr : kmemleak_free_part_phys+0x38/0x8c sp : ffff800011eafbc0 x29: ffff800011eafbc0 x28: 1fffff7fffb41c0d x27: fffffbfffda0e068 x26: 0000000092000000 x25: 1ffff000023d5f94 x24: ffff800011ed84d0 x23: ffff800011ed84c0 x22: ffff800011ed83d8 x21: 0000000000900000 x20: ffff800011782000 x19: 0000000092000000 x18: ffff800011ee0730 x17: 0000000000000000 x16: 0000000000000000 x15: 1ffff0000233252c x14: ffff800019a905a0 x13: 0000000000000001 x12: ffff7000023d5ed7 x11: 1ffff000023d5ed6 x10: ffff7000023d5ed6 x9 : dfff800000000000 x8 : ffff800011eaf6b7 x7 : 0000000000000001 x6 : ffff800011eaf6b0 x5 : 00008ffffdc2a12a x4 : ffff7000023d5ed7 x3 : 1ffff000023dbf99 x2 : 1ffff000022f0463 x1 : 0000000000000000 x0 : ffffffffffffffff Call trace: kmemleak_free_part_phys+0x64/0x8c memblock_mark_nomap+0x5c/0x78 reserve_regions+0x294/0x33c efi_init+0x2d0/0x490 setup_arch+0x80/0x138 start_kernel+0xa0/0x3ec __primary_switched+0xc0/0xc8 Code: 34000041 97d526e7 f9418e80 36000040 (d4210000) random: get_random_bytes called from print_oops_end_marker+0x34/0x80 with crng_init=0 ---[ end trace 0000000000000000 ]--- The crash happens because kmemleak_free_part_phys() tries to use __va() before memstart_addr is initialized and this triggers a VM_BUG_ON() in arch/arm64/include/asm/memory.h: Revert 6e44bd6 ("memblock: exclude NOMAP regions from kmemleak"), the issue it is fixing will be fixed differently. Reported-by: Qian Cai <[email protected]> Signed-off-by: Mike Rapoport <[email protected]> Acked-by: Catalin Marinas <[email protected]> Signed-off-by: Linus Torvalds <[email protected]>

The BPF STX/LDX instruction uses offset relative to the FP to address stack space. Since the BPF_FP locates at the top of the frame, the offset is usually a negative number. However, arm64 str/ldr immediate instruction requires that offset be a positive number. Therefore, this patch tries to convert the offsets. The method is to find the negative offset furthest from the FP firstly. Then add it to the FP, calculate a bottom position, called FPB, and then adjust the offsets in other STR/LDX instructions relative to FPB. FPB is saved using the callee-saved register x27 of arm64 which is not used yet. Before adjusting the offset, the patch checks every instruction to ensure that the FP does not change in run-time. If the FP may change, no offset is adjusted. For example, for the following bpftrace command: bpftrace -e 'kprobe:do_sys_open { printf("opening: %s\n", str(arg1)); }' Without this patch, jited code(fragment): 0: bti c 4: stp x29, x30, [sp, #-16]! 8: mov x29, sp c: stp x19, x20, [sp, #-16]! 10: stp x21, x22, [sp, #-16]! 14: stp x25, x26, [sp, #-16]! 18: mov x25, sp 1c: mov x26, #0x0 // #0 20: bti j 24: sub sp, sp, #0x90 28: add x19, x0, #0x0 2c: mov x0, #0x0 // #0 30: mov x10, #0xffffffffffffff78 // #-136 34: str x0, [x25, x10] 38: mov x10, #0xffffffffffffff80 // #-128 3c: str x0, [x25, x10] 40: mov x10, #0xffffffffffffff88 // #-120 44: str x0, [x25, x10] 48: mov x10, #0xffffffffffffff90 // #-112 4c: str x0, [x25, x10] 50: mov x10, #0xffffffffffffff98 // #-104 54: str x0, [x25, x10] 58: mov x10, #0xffffffffffffffa0 // #-96 5c: str x0, [x25, x10] 60: mov x10, #0xffffffffffffffa8 // #-88 64: str x0, [x25, x10] 68: mov x10, #0xffffffffffffffb0 // #-80 6c: str x0, [x25, x10] 70: mov x10, #0xffffffffffffffb8 // #-72 74: str x0, [x25, x10] 78: mov x10, #0xffffffffffffffc0 // #-64 7c: str x0, [x25, x10] 80: mov x10, #0xffffffffffffffc8 // #-56 84: str x0, [x25, x10] 88: mov x10, #0xffffffffffffffd0 // #-48 8c: str x0, [x25, x10] 90: mov x10, #0xffffffffffffffd8 // #-40 94: str x0, [x25, x10] 98: mov x10, #0xffffffffffffffe0 // #-32 9c: str x0, [x25, x10] a0: mov x10, #0xffffffffffffffe8 // #-24 a4: str x0, [x25, x10] a8: mov x10, #0xfffffffffffffff0 // #-16 ac: str x0, [x25, x10] b0: mov x10, #0xfffffffffffffff8 // #-8 b4: str x0, [x25, x10] b8: mov x10, #0x8 // #8 bc: ldr x2, [x19, x10] [...] With this patch, jited code(fragment): 0: bti c 4: stp x29, x30, [sp, #-16]! 8: mov x29, sp c: stp x19, x20, [sp, #-16]! 10: stp x21, x22, [sp, #-16]! 14: stp x25, x26, [sp, #-16]! 18: stp x27, x28, [sp, #-16]! 1c: mov x25, sp 20: sub x27, x25, #0x88 24: mov x26, #0x0 // #0 28: bti j 2c: sub sp, sp, #0x90 30: add x19, x0, #0x0 34: mov x0, #0x0 // #0 38: str x0, [x27] 3c: str x0, [x27, #8] 40: str x0, [x27, #16] 44: str x0, [x27, #24] 48: str x0, [x27, #32] 4c: str x0, [x27, #40] 50: str x0, [x27, #48] 54: str x0, [x27, #56] 58: str x0, [x27, #64] 5c: str x0, [x27, #72] 60: str x0, [x27, #80] 64: str x0, [x27, #88] 68: str x0, [x27, #96] 6c: str x0, [x27, #104] 70: str x0, [x27, #112] 74: str x0, [x27, #120] 78: str x0, [x27, #128] 7c: ldr x2, [x19, #8] [...] Signed-off-by: Xu Kuohai <[email protected]> Signed-off-by: Daniel Borkmann <[email protected]> Link: https://lore.kernel.org/bpf/[email protected]

matttbe added bug syzkaller labels Oct 28, 2020

cpaasch mentioned this issue Nov 2, 2020

[syzkaller] BUG: Bad page state #106

Closed

geliangtang self-assigned this Dec 3, 2020

jenkins-tessares closed this as completed in 4e84da8 Dec 15, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[syzkaller] general protection fault in skb_release_data #104

[syzkaller] general protection fault in skb_release_data #104

cpaasch commented Oct 28, 2020 •

edited

Loading

geliangtang commented Dec 4, 2020

geliangtang commented Dec 15, 2020

[syzkaller] general protection fault in skb_release_data #104

[syzkaller] general protection fault in skb_release_data #104

Comments

cpaasch commented Oct 28, 2020 • edited Loading

geliangtang commented Dec 4, 2020

geliangtang commented Dec 15, 2020

cpaasch commented Oct 28, 2020 •

edited

Loading