Re: BUG: unable to handle kernel paging request in bpf_check

2021-04-12 Thread Alexei Starovoitov
On Mon, Apr 12, 2021 at 12:11 AM Hao Sun wrote:
>
> Besides, another similar bug occurred while fault injection was enabled.
> 
> BUG: unable to handle kernel paging request in bpf_prog_alloc_no_stats
> 
> RAX: ffda RBX: 0059c080 RCX: 0047338d
> RDX: 0078 RSI: 2300 RDI: 0005
> RBP: 7f7e3c38fc90 R08:  R09: 
> R10:  R11: 0246 R12: 0004
> R13: 7ffed3a1dd6f R14: 7ffed3a1df10 R15: 7f7e3c38fdc0
> BUG: unable to handle page fault for address: 91f2077ed028
> #PF: supervisor write access in kernel mode
> #PF: error_code(0x0002) - not-present page
> PGD 1810067 P4D 1810067 PUD 1915067 PMD 3b907067 PTE 0
> Oops: 0002 [#1] SMP
> CPU: 3 PID: 17344 Comm: executor Not tainted 5.12.0-rc6+ #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.13.0-1ubuntu1.1 04/01/2014
> RIP: 0010:bpf_prog_alloc_no_stats+0x251/0x6e0 kernel/bpf/core.c:94

Both crashes don't make much sense.
There are !null checks in both cases.
I suspect it's a kmsan bug.
Most likely kmsan_map_kernel_range_noflush is doing something wrong.
No idea where that function lives. I don't see it in the kernel sources.


Re: BUG: unable to handle kernel paging request in bpf_check

2021-04-12 Thread Hao Sun
Besides, another similar bug occurred while fault injection was enabled.

BUG: unable to handle kernel paging request in bpf_prog_alloc_no_stats

RAX: ffda RBX: 0059c080 RCX: 0047338d
RDX: 0078 RSI: 2300 RDI: 0005
RBP: 7f7e3c38fc90 R08:  R09: 
R10:  R11: 0246 R12: 0004
R13: 7ffed3a1dd6f R14: 7ffed3a1df10 R15: 7f7e3c38fdc0
BUG: unable to handle page fault for address: 91f2077ed028
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 1810067 P4D 1810067 PUD 1915067 PMD 3b907067 PTE 0
Oops: 0002 [#1] SMP
CPU: 3 PID: 17344 Comm: executor Not tainted 5.12.0-rc6+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:bpf_prog_alloc_no_stats+0x251/0x6e0 kernel/bpf/core.c:94
Code: 45 b0 4c 8d 78 28 4d 8b a5 20 03 00 00 41 8b 85 a8 0f 00 00 89
45 c8 48 83 7d a8 00 0f 85 2e 03 00 00 4c 89 ff e8 4f 18 60 00 <4c> 89
20 4d 85 e4 0f 85 27 03 00 00 49 89 1f 4d 85 e4 74 0c 49 f7
RSP: 0018:89f2077cfaa8 EFLAGS: 00010286
RAX: 91f2077ed028 RBX: 096680024de8 RCX: 91f2077ed028
RDX: 99f2077ed028 RSI: 0008 RDI: 89f2077ed028
RBP: 89f2077cfb28 R08: d7eb800f R09: 888b7ffd3000
R10: 037a R11:  R12: 
R13: 888b1465aad8 R14: 04c3 R15: 89f2077ed028
FS:  7f7e3c390700() GS:888b7fd0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 91f2077ed028 CR3: 44802004 CR4: 00770ee0
PKRU: 5554
Call Trace:
 bpf_prog_alloc+0x74/0x310 kernel/bpf/core.c:119
 bpf_prog_load kernel/bpf/syscall.c:2162 [inline]
 __do_sys_bpf+0x11af3/0x17290 kernel/bpf/syscall.c:4393
 __se_sys_bpf+0x8e/0xa0 kernel/bpf/syscall.c:4351
 __x64_sys_bpf+0x4a/0x70 kernel/bpf/syscall.c:4351
 do_syscall_64+0xa2/0x120 arch/x86/entry/common.c:48
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x47338d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:7f7e3c38fc58 EFLAGS: 0246 ORIG_RAX: 0141
RAX: ffda RBX: 0059c080 RCX: 0047338d
RDX: 0078 RSI: 2300 RDI: 0005
RBP: 7f7e3c38fc90 R08:  R09: 
R10:  R11: 0246 R12: 0004
R13: 7ffed3a1dd6f R14: 7ffed3a1df10 R15: 7f7e3c38fdc0
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
CR2: 91f2077ed028
---[ end trace bc1de9e0e1b51e8c ]---
RIP: 0010:bpf_prog_alloc_no_stats+0x251/0x6e0 kernel/bpf/core.c:94
Code: 45 b0 4c 8d 78 28 4d 8b a5 20 03 00 00 41 8b 85 a8 0f 00 00 89
45 c8 48 83 7d a8 00 0f 85 2e 03 00 00 4c 89 ff e8 4f 18 60 00 <4c> 89
20 4d 85 e4 0f 85 27 03 00 00 49 89 1f 4d 85 e4 74 0c 49 f7
RSP: 0018:89f2077cfaa8 EFLAGS: 00010286
RAX: 91f2077ed028 RBX: 096680024de8 RCX: 91f2077ed028
RDX: 99f2077ed028 RSI: 0008 RDI: 89f2077ed028
RBP: 89f2077cfb28 R08: d7eb800f R09: 888b7ffd3000
R10: 037a R11:  R12: 
R13: 888b1465aad8 R14: 04c3 R15: 89f2077ed028
FS:  7f7e3c390700() GS:888b7fd0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 91f2077ed028 CR3: 44802004 CR4: 00770ee0
PKRU: 5554

The following system call sequence (Syzlang format) can reproduce the crash:
# {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none Fault:true FaultCall:0 FaultNth:4 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:true USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true UseTmpDir:true HandleSegv:true Repro:false Trace:false}

bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f000300)=@bpf_ext={0x1c, 0x8, &(0x7f0001c0)=@raw=[@initr0={0x18, 0x0, 0x0, 0x0, 0x4953b92f0467cc49, 0x0, 0x0, 0x0, 0xdbd689758db6b4a7}, @func={0x85, 0x0, 0x1, 0x0, 0x1}, @exit, @generic={0xd3c15618b9efaeff, 0x0, 0x0, 0x0, 0xc0fc52df13f3fbec}, @map_val={0x18, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf7a72204b1b46d92}, @jmp], &(0x7f000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, [], 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0}, 0x78)

This reproduction program can be run directly with syz-execprog:
 ./syz-execprog -repeat 0 -procs 1 -slowdown 1 -fault_call 0 -fault_nth 4 -enable tun -enable netdev -enable resetnet -enable cgroups -enable binfmt-misc -enable close_fds -enable devlinkpci -enable usb -enable vhci -enable wifi -enable ieee802154 -enable sysctl
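A small parser for the Oops format quoted in this report, added here as an example; it is not code from the thread or from the kernel tree. It pulls out the faulting address, decodes the x86 #PF error code bits, and turns the kernel-mode RIP and the Call Trace into symbol/offset/file:line frames, which is what a triage pipeline keys on when it groups syzkaller reports by crash site. The sample text is copied from the report above (register values exactly as the archive rendered them); the dataclass and function names are my own choices.

```python
"""Parse an x86-64 kernel Oops into structured triage fields.
Added example; not code from this thread or from the kernel tree."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the report quoted in the thread, as the archive rendered them.
SAMPLE_OOPS = """\
BUG: unable to handle kernel paging request in bpf_prog_alloc_no_stats
BUG: unable to handle page fault for address: 91f2077ed028
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
Oops: 0002 [#1] SMP
CPU: 3 PID: 17344 Comm: executor Not tainted 5.12.0-rc6+ #1
RIP: 0010:bpf_prog_alloc_no_stats+0x251/0x6e0 kernel/bpf/core.c:94
Call Trace:
 bpf_prog_alloc+0x74/0x310 kernel/bpf/core.c:119
 bpf_prog_load kernel/bpf/syscall.c:2162 [inline]
 __do_sys_bpf+0x11af3/0x17290 kernel/bpf/syscall.c:4393
 __se_sys_bpf+0x8e/0xa0 kernel/bpf/syscall.c:4351
 __x64_sys_bpf+0x4a/0x70 kernel/bpf/syscall.c:4351
 do_syscall_64+0xa2/0x120 arch/x86/entry/common.c:48
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x47338d
"""

FAULT_RE = re.compile(r"^BUG: unable to handle page fault for address: (?P<addr>[0-9a-f]+)$")
TITLE_RE = re.compile(r"^BUG: (?P<title>.+)$")
PF_CODE_RE = re.compile(r"^#PF: error_code\(0x(?P<code>[0-9a-f]+)\)")
CPU_RE = re.compile(r"^CPU: \d+ PID: (?P<pid>\d+) Comm: (?P<comm>\S+) "
                    r"(?:Not tainted|Tainted: .*?) (?P<version>\S+) #\d+")
RIP_RE = re.compile(r"^RIP: (?P<cs>[0-9a-f]{4}):(?P<loc>.+)$")
# "sym+0xoff/0xsize file:line [inline]", every part after sym optional
FRAME_RE = re.compile(r"^(?P<sym>[\w.$]+)(?:\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+))?"
                      r"(?:\s+(?P<file>[\w./-]+):(?P<line>\d+))?(?P<inline>\s+\[inline\])?$")


@dataclass
class Frame:
    symbol: str
    offset: Optional[int] = None
    size: Optional[int] = None
    file: Optional[str] = None
    line: Optional[int] = None
    inline: bool = False
    unreliable: bool = False  # the kernel printed the frame with a leading "? "


@dataclass
class OopsReport:
    title: Optional[str] = None
    fault_address: Optional[str] = None
    pf_error_code: Optional[int] = None
    kernel_version: Optional[str] = None
    comm: Optional[str] = None
    pid: Optional[int] = None
    rip: Optional[Frame] = None
    trace: List[Frame] = field(default_factory=list)


def decode_pf_error_code(code: int) -> dict:
    """x86 #PF error code bits: bit 0 = protection violation (else not-present page)."""
    return {"present": bool(code & 1), "write": bool(code & 2), "user": bool(code & 4),
            "reserved_bit": bool(code & 8), "instruction_fetch": bool(code & 16)}


def parse_frame(text: str) -> Optional[Frame]:
    unreliable = text.startswith("? ")
    text = text[2:] if unreliable else text
    if text.startswith("0x"):  # unresolved raw address, e.g. the user-space RIP
        return None
    m = FRAME_RE.match(text)
    if not m:
        return None
    hexint = lambda s: int(s, 16) if s else None
    return Frame(m["sym"], hexint(m["off"]), hexint(m["size"]), m["file"],
                 int(m["line"]) if m["line"] else None, bool(m["inline"]), unreliable)


def parse_oops(text: str) -> OopsReport:
    rep, in_trace = OopsReport(), False
    for line in text.splitlines():
        line = line.rstrip()
        if in_trace:
            fr = parse_frame(line.strip()) if line.startswith((" ", "\t")) else None
            if fr is not None:
                rep.trace.append(fr)
                continue
            in_trace = False  # the first non-frame line ends the trace
        if line.startswith("Call Trace:"):
            in_trace = True
        elif (m := FAULT_RE.match(line)):
            rep.fault_address = m["addr"]
        elif (m := TITLE_RE.match(line)) and rep.title is None:
            rep.title = m["title"]
        elif (m := PF_CODE_RE.match(line)):
            rep.pf_error_code = int(m["code"], 16)
        elif (m := CPU_RE.match(line)):
            rep.pid, rep.comm, rep.kernel_version = int(m["pid"]), m["comm"], m["version"]
        elif (m := RIP_RE.match(line)) and m["cs"] == "0010" and rep.rip is None:
            rep.rip = parse_frame(m["loc"])  # kernel-mode RIP only, not the user-space one
    return rep


def summarize(rep: OopsReport) -> str:
    """One-line triage key: access kind, faulting address, kernel source location."""
    bits = decode_pf_error_code(rep.pf_error_code or 0)
    kind = "fetch" if bits["instruction_fetch"] else "write" if bits["write"] else "read"
    page = "present" if bits["present"] else "not-present"
    where = (f"{rep.rip.symbol}+0x{rep.rip.offset:x} ({rep.rip.file}:{rep.rip.line})"
             if rep.rip and rep.rip.offset is not None else "unknown")
    return f"{kind} to {page} page at {rep.fault_address} in {where}, {len(rep.trace)} frames"


if __name__ == "__main__":
    print(summarize(parse_oops(SAMPLE_OOPS)))
```

For the report above this yields a write to a not-present page in bpf_prog_alloc_no_stats+0x251 (kernel/bpf/core.c:94), reached through the bpf() syscall entry. Two details a triager reads off that line: the error code says not-present rather than protection violation, and the faulting address (even as truncated by the archive) is nowhere near zero, so a plain NULL dereference does not fit, which is consistent with the thread's observation that the site has a NULL check and the suspicion that the instrumentation, not the BPF code, produced the bad mapping.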