Re: [arm64] kernel BUG at kernel/seccomp.c:1309!
Jann Horn writes: > On Mon, Nov 23, 2020 at 2:45 PM Arnd Bergmann wrote: >> On Mon, Nov 23, 2020 at 12:15 PM Naresh Kamboju >> wrote: >> > >> > While booting arm64 kernel the following kernel BUG noticed on several >> > arm64 >> > devices running linux next 20201123 tag kernel. >> > >> > >> > $ git log --oneline next-20201120..next-20201123 -- kernel/seccomp.c >> > 5c5c5fa055ea Merge remote-tracking branch 'seccomp/for-next/seccomp' >> > bce6a8cba7bf Merge branch 'linus' >> > 7ef95e3dbcee Merge branch 'for-linus/seccomp' into for-next/seccomp >> > fab686eb0307 seccomp: Remove bogus __user annotations >> > 0d831528 seccomp/cache: Report cache data through >> > /proc/pid/seccomp_cache >> > 8e01b51a31a1 seccomp/cache: Add "emulator" to check if filter is constant >> > allow >> > f9d480b6ffbe seccomp/cache: Lookup syscall allowlist bitmap for fast path >> > 23d67a54857a seccomp: Migrate to use SYSCALL_WORK flag >> > >> > >> > Please find these easy steps to reproduce the kernel build and boot. >> >> Adding Gabriel Krisman Bertazi to Cc, as the last patch (23d67a54857a) here >> seems suspicious: it changes >> >> diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h >> index 02aef2844c38..47763f3999f7 100644 >> --- a/include/linux/seccomp.h >> +++ b/include/linux/seccomp.h >> @@ -42,7 +42,7 @@ struct seccomp { >> extern int __secure_computing(const struct seccomp_data *sd); >> static inline int secure_computing(void) >> { >> - if (unlikely(test_thread_flag(TIF_SECCOMP))) >> + if (unlikely(test_syscall_work(SECCOMP))) >> return __secure_computing(NULL); >> return 0; >> } >> >> which is in the call chain directly before >> >> int __secure_computing(const struct seccomp_data *sd) >> { >>int mode = current->seccomp.mode; >> >> ... >> switch (mode) { >> case SECCOMP_MODE_STRICT: >> __secure_computing_strict(this_syscall); /* may call >> do_exit */ >> return 0; >> case SECCOMP_MODE_FILTER: >> return __seccomp_filter(this_syscall, sd, false); >> default: >> BUG(); >> } >> } >> >> Clearly, current->seccomp.mode is set to something other >> than SECCOMP_MODE_STRICT or SECCOMP_MODE_FILTER >> while the test_syscall_work(SECCOMP) returns true, and this >> must have not been the case earlier. > > Ah, I think the problem is actually in > 3136b93c3fb2b7c19e853e049203ff8f2b9dd2cd ("entry: Expose helpers to > migrate TIF to SYSCALL_WORK flag"). In the !GENERIC_ENTRY case, it > adds this code: > > +#define set_syscall_work(fl) \ > + set_ti_thread_flag(current_thread_info(), SYSCALL_WORK_##fl) > +#define test_syscall_work(fl) \ > + test_ti_thread_flag(current_thread_info(), SYSCALL_WORK_##fl) > +#define clear_syscall_work(fl) \ > + clear_ti_thread_flag(current_thread_info(), SYSCALL_WORK_##fl) > + > +#define set_task_syscall_work(t, fl) \ > + set_ti_thread_flag(task_thread_info(t), TIF_##fl) > +#define test_task_syscall_work(t, fl) \ > + test_ti_thread_flag(task_thread_info(t), TIF_##fl) > +#define clear_task_syscall_work(t, fl) \ > + clear_ti_thread_flag(task_thread_info(t), TIF_##fl) > > but the SYSCALL_WORK_FLAGS are not valid on !GENERIC_ENTRY, we'll mix > up (on arm64) SYSCALL_WORK_BIT_SECCOMP (==0) and TIF_SIGPENDING (==0). > > As part of fixing this, it might be a good idea to put "enum > syscall_work_bit" behind a "#ifdef CONFIG_GENERIC_ENTRY" to avoid > future accidents like this? Hi Jan, Arnd, That is correct. This is a copy pasta mistake. My apologies. I didn't have a !GENERIC_ENTRY device to test, but just the ifdef would have caught it. -- Gabriel Krisman Bertazi
Re: [arm64] kernel BUG at kernel/seccomp.c:1309!
On Mon, Nov 23, 2020 at 2:45 PM Arnd Bergmann wrote: > On Mon, Nov 23, 2020 at 12:15 PM Naresh Kamboju > wrote: > > > > While booting arm64 kernel the following kernel BUG noticed on several arm64 > > devices running linux next 20201123 tag kernel. > > > > > > $ git log --oneline next-20201120..next-20201123 -- kernel/seccomp.c > > 5c5c5fa055ea Merge remote-tracking branch 'seccomp/for-next/seccomp' > > bce6a8cba7bf Merge branch 'linus' > > 7ef95e3dbcee Merge branch 'for-linus/seccomp' into for-next/seccomp > > fab686eb0307 seccomp: Remove bogus __user annotations > > 0d831528 seccomp/cache: Report cache data through > > /proc/pid/seccomp_cache > > 8e01b51a31a1 seccomp/cache: Add "emulator" to check if filter is constant > > allow > > f9d480b6ffbe seccomp/cache: Lookup syscall allowlist bitmap for fast path > > 23d67a54857a seccomp: Migrate to use SYSCALL_WORK flag > > > > > > Please find these easy steps to reproduce the kernel build and boot. > > Adding Gabriel Krisman Bertazi to Cc, as the last patch (23d67a54857a) here > seems suspicious: it changes > > diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h > index 02aef2844c38..47763f3999f7 100644 > --- a/include/linux/seccomp.h > +++ b/include/linux/seccomp.h > @@ -42,7 +42,7 @@ struct seccomp { > extern int __secure_computing(const struct seccomp_data *sd); > static inline int secure_computing(void) > { > - if (unlikely(test_thread_flag(TIF_SECCOMP))) > + if (unlikely(test_syscall_work(SECCOMP))) > return __secure_computing(NULL); > return 0; > } > > which is in the call chain directly before > > int __secure_computing(const struct seccomp_data *sd) > { >int mode = current->seccomp.mode; > > ... > switch (mode) { > case SECCOMP_MODE_STRICT: > __secure_computing_strict(this_syscall); /* may call do_exit > */ > return 0; > case SECCOMP_MODE_FILTER: > return __seccomp_filter(this_syscall, sd, false); > default: > BUG(); > } > } > > Clearly, current->seccomp.mode is set to something other > than SECCOMP_MODE_STRICT or SECCOMP_MODE_FILTER > while the test_syscall_work(SECCOMP) returns true, and this > must have not been the case earlier. Ah, I think the problem is actually in 3136b93c3fb2b7c19e853e049203ff8f2b9dd2cd ("entry: Expose helpers to migrate TIF to SYSCALL_WORK flag"). In the !GENERIC_ENTRY case, it adds this code: +#define set_syscall_work(fl) \ + set_ti_thread_flag(current_thread_info(), SYSCALL_WORK_##fl) +#define test_syscall_work(fl) \ + test_ti_thread_flag(current_thread_info(), SYSCALL_WORK_##fl) +#define clear_syscall_work(fl) \ + clear_ti_thread_flag(current_thread_info(), SYSCALL_WORK_##fl) + +#define set_task_syscall_work(t, fl) \ + set_ti_thread_flag(task_thread_info(t), TIF_##fl) +#define test_task_syscall_work(t, fl) \ + test_ti_thread_flag(task_thread_info(t), TIF_##fl) +#define clear_task_syscall_work(t, fl) \ + clear_ti_thread_flag(task_thread_info(t), TIF_##fl) but the SYSCALL_WORK_FLAGS are not valid on !GENERIC_ENTRY, we'll mix up (on arm64) SYSCALL_WORK_BIT_SECCOMP (==0) and TIF_SIGPENDING (==0). As part of fixing this, it might be a good idea to put "enum syscall_work_bit" behind a "#ifdef CONFIG_GENERIC_ENTRY" to avoid future accidents like this?
Re: [arm64] kernel BUG at kernel/seccomp.c:1309!
On Mon, Nov 23, 2020 at 12:15 PM Naresh Kamboju wrote: > > While booting arm64 kernel the following kernel BUG noticed on several arm64 > devices running linux next 20201123 tag kernel. > > > $ git log --oneline next-20201120..next-20201123 -- kernel/seccomp.c > 5c5c5fa055ea Merge remote-tracking branch 'seccomp/for-next/seccomp' > bce6a8cba7bf Merge branch 'linus' > 7ef95e3dbcee Merge branch 'for-linus/seccomp' into for-next/seccomp > fab686eb0307 seccomp: Remove bogus __user annotations > 0d831528 seccomp/cache: Report cache data through /proc/pid/seccomp_cache > 8e01b51a31a1 seccomp/cache: Add "emulator" to check if filter is constant > allow > f9d480b6ffbe seccomp/cache: Lookup syscall allowlist bitmap for fast path > 23d67a54857a seccomp: Migrate to use SYSCALL_WORK flag > > > Please find these easy steps to reproduce the kernel build and boot. Adding Gabriel Krisman Bertazi to Cc, as the last patch (23d67a54857a) here seems suspicious: it changes diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index 02aef2844c38..47763f3999f7 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h @@ -42,7 +42,7 @@ struct seccomp { extern int __secure_computing(const struct seccomp_data *sd); static inline int secure_computing(void) { - if (unlikely(test_thread_flag(TIF_SECCOMP))) + if (unlikely(test_syscall_work(SECCOMP))) return __secure_computing(NULL); return 0; } which is in the call chain directly before int __secure_computing(const struct seccomp_data *sd) { int mode = current->seccomp.mode; ... switch (mode) { case SECCOMP_MODE_STRICT: __secure_computing_strict(this_syscall); /* may call do_exit */ return 0; case SECCOMP_MODE_FILTER: return __seccomp_filter(this_syscall, sd, false); default: BUG(); } } Clearly, current->seccomp.mode is set to something other than SECCOMP_MODE_STRICT or SECCOMP_MODE_FILTER while the test_syscall_work(SECCOMP) returns true, and this must have not been the case earlier. Arnd > > step to reproduce: > # please install tuxmake > # sudo pip3 install -U tuxmake > # cd linux-next > # tuxmake --runtime docker --target-arch arm --toolchain gcc-9 > --kconfig defconfig --kconfig-add > https://builds.tuxbuild.com/1kgWN61pS5M35vjnVfDSvOOPd38/config > > # Boot the arm64 on any arm64 devices. > # you will notice the below BUG > > crash log details: > --- > [6.941012] [ cut here ] > Found device /dev/ttyAMA3. > [6.947587] lima f408.gpu: mod rate = 5 > [6.955422] kernel BUG at kernel/seccomp.c:1309! > [6.955430] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP > [6.955437] Modules linked in: cec rfkill wlcore_sdio(+) kirin_drm > dw_drm_dsi lima(+) drm_kms_helper gpu_sched drm fuse > [6.955481] CPU: 2 PID: 291 Comm: systemd-udevd Not tainted > 5.10.0-rc4-next-20201123 #2 > [6.955485] Hardware name: HiKey Development Board (DT) > [6.955493] pstate: 8005 (Nzcv daif -PAN -UAO -TCO BTYPE=--) > [6.955510] pc : __secure_computing+0xe0/0xe8 > [6.958171] mmc_host mmc2: Bus speed (slot 0) = 2480Hz (slot > req 40Hz, actual 40HZ div = 31) > [6.965975] [drm] Initialized lima 1.1.0 20191231 for f408.gpu on > minor 0 > [6.970176] lr : syscall_trace_enter+0x1cc/0x218 > [6.970181] sp : 800012d8be10 > [6.970185] x29: 800012d8be10 x28: 0092cb00 > [6.970195] x27: x26: > [6.970203] x25: x24: > [6.970210] x23: 6000 x22: 0202 > [7.011614] mmc_host mmc2: Bus speed (slot 0) = 2480Hz (slot > req 2500Hz, actual 2480HZ div = 0) > [7.016457] > [7.016461] x21: 0200 x20: 0092cb00 > [7.016470] x19: 800012d8bec0 x18: > [7.016478] x17: x16: > [7.016485] x15: x14: > [7.054116] mmc_host mmc2: Bus speed (slot 0) = 2480Hz (slot > req 40Hz, actual 40HZ div = 31) > [7.056715] > [7.103444] mmc_host mmc2: Bus speed (slot 0) = 2480Hz (slot > req 2500Hz, actual 2480HZ div = 0) > [7.105105] x13: x12: > [7.125849] x11: x10: > [7.125858] x9 : 80001001bcbc x8 : > [7.125865] x7 : x6 : > [7.125871] x5 : x4 : > [7.125879] x3 : x2 : 0092cb00 > [7.125886] x1 : x0 : 0116 > [7.125896] Call trace: > ] Found device /dev/ttyAMA2. > [7.125908] __secure_computing+0xe0/0xe8 > [7.125918] syscall_trace_enter+0x1cc/0x218 > [7.125927] el0_svc_common.constprop.0+0x19c/0x1b8 > [
[arm64] kernel BUG at kernel/seccomp.c:1309!
While booting arm64 kernel the following kernel BUG noticed on several arm64 devices running linux next 20201123 tag kernel. $ git log --oneline next-20201120..next-20201123 -- kernel/seccomp.c 5c5c5fa055ea Merge remote-tracking branch 'seccomp/for-next/seccomp' bce6a8cba7bf Merge branch 'linus' 7ef95e3dbcee Merge branch 'for-linus/seccomp' into for-next/seccomp fab686eb0307 seccomp: Remove bogus __user annotations 0d831528 seccomp/cache: Report cache data through /proc/pid/seccomp_cache 8e01b51a31a1 seccomp/cache: Add "emulator" to check if filter is constant allow f9d480b6ffbe seccomp/cache: Lookup syscall allowlist bitmap for fast path 23d67a54857a seccomp: Migrate to use SYSCALL_WORK flag Please find these easy steps to reproduce the kernel build and boot. step to reproduce: # please install tuxmake # sudo pip3 install -U tuxmake # cd linux-next # tuxmake --runtime docker --target-arch arm --toolchain gcc-9 --kconfig defconfig --kconfig-add https://builds.tuxbuild.com/1kgWN61pS5M35vjnVfDSvOOPd38/config # Boot the arm64 on any arm64 devices. # you will notice the below BUG crash log details: --- [6.941012] [ cut here ] Found device /dev/ttyAMA3. [6.947587] lima f408.gpu: mod rate = 5 [6.955422] kernel BUG at kernel/seccomp.c:1309! [6.955430] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP [6.955437] Modules linked in: cec rfkill wlcore_sdio(+) kirin_drm dw_drm_dsi lima(+) drm_kms_helper gpu_sched drm fuse [6.955481] CPU: 2 PID: 291 Comm: systemd-udevd Not tainted 5.10.0-rc4-next-20201123 #2 [6.955485] Hardware name: HiKey Development Board (DT) [6.955493] pstate: 8005 (Nzcv daif -PAN -UAO -TCO BTYPE=--) [6.955510] pc : __secure_computing+0xe0/0xe8 [6.958171] mmc_host mmc2: Bus speed (slot 0) = 2480Hz (slot req 40Hz, actual 40HZ div = 31) [6.965975] [drm] Initialized lima 1.1.0 20191231 for f408.gpu on minor 0 [6.970176] lr : syscall_trace_enter+0x1cc/0x218 [6.970181] sp : 800012d8be10 [6.970185] x29: 800012d8be10 x28: 0092cb00 [6.970195] x27: x26: [6.970203] x25: x24: [6.970210] x23: 6000 x22: 0202 [7.011614] mmc_host mmc2: Bus speed (slot 0) = 2480Hz (slot req 2500Hz, actual 2480HZ div = 0) [7.016457] [7.016461] x21: 0200 x20: 0092cb00 [7.016470] x19: 800012d8bec0 x18: [7.016478] x17: x16: [7.016485] x15: x14: [7.054116] mmc_host mmc2: Bus speed (slot 0) = 2480Hz (slot req 40Hz, actual 40HZ div = 31) [7.056715] [7.103444] mmc_host mmc2: Bus speed (slot 0) = 2480Hz (slot req 2500Hz, actual 2480HZ div = 0) [7.105105] x13: x12: [7.125849] x11: x10: [7.125858] x9 : 80001001bcbc x8 : [7.125865] x7 : x6 : [7.125871] x5 : x4 : [7.125879] x3 : x2 : 0092cb00 [7.125886] x1 : x0 : 0116 [7.125896] Call trace: ] Found device /dev/ttyAMA2. [7.125908] __secure_computing+0xe0/0xe8 [7.125918] syscall_trace_enter+0x1cc/0x218 [7.125927] el0_svc_common.constprop.0+0x19c/0x1b8 [7.125933] do_el0_svc+0x2c/0x98 [7.125940] el0_sync_handler+0x180/0x188 [7.125946] el0_sync+0x174/0x180 [7.125958] Code: d2800121 97ffd9a9 d2800120 97fbf1a9 (d421) [7.199584] ---[ end trace 463debbc21f0c7b5 ]--- [7.204205] note: systemd-udevd[291] exited with preempt_count 1 [7.210733] [ cut here ] [7.215451] WARNING: CPU: 2 PID: # 0 at kernel/rcu/tree.c:632 rcu_eqs_enter.isra.0+0x134/0x140 [7.223927] Modules linked in: cec rfkill wlcore_sdio kirin_drm dw_drm_dsi lima drm_kms_helper gpu_sched drm fuse [7.234295] CPU: 2 PID: 0 Comm: swapper/2 Tainted: G D 5.10.0-rc4-next-20201123 #2 [7.243252] Hardware name: HiKey Development Board (DT) [7.248561] pstate: 23c5 (nzCv DAIF -PAN -UAO -TCO BTYPE=--) [7.254638] pc : rcu_eqs_enter.isra.0+0x134/0x140 [7.259350] lr : rcu_idle_enter+0x18/0x28 [7.263362] sp : 8000128e3e80 [7.266678] x29: 8000128e3e80 x28: [7.272001] x27: x26: 01b79080 [7.277321] x25: x24: 0001adc9b310 [7.282641] x23: x22: 01b79080 [7.287970] x21: 77b24b00 x20: 01b79098 [7.287979] x19: 800011c7ab40 x18: 0010 [7.287986] x17: x16: [7.287993] x15: 0092cf98 x14: 0720072007200720 [7.288001] x13: 0720072007200720 x12: 03c6 [7.288008] x11: