Re: WARNING in bpf_int_jit_compile

From: Daniel Borkmann
Date: Sun May 27 2018 - 19:17:50 EST


On 05/26/2018 11:29 AM, syzbot wrote:
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit:    62d18ecfa641 Merge tag 'arm64-fixes' of git://git.kernel.o..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14c6bf57800000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=982e2df1b9e60b02
> dashboard link: https://syzkaller.appspot.com/bug?extid=9e762b52dd17e616a7a5
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=130e42b7800000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+9e762b52dd17e616a7a5@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> RAX: ffffffffffffffda RBX: 0000000002542914 RCX: 0000000000455a09
> RDX: 0000000000000048 RSI: 0000000020000240 RDI: 0000000000000005
> RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
> R13: 0000000000000046 R14: 00000000006f4730 R15: 0000000000000023
> WARNING: CPU: 0 PID: 4752 at include/linux/filter.h:667 bpf_jit_binary_lock_ro include/linux/filter.h:667 [inline]
> WARNING: CPU: 0 PID: 4752 at include/linux/filter.h:667 bpf_int_jit_compile+0xbf7/0xef7 arch/x86/net/bpf_jit_comp.c:1271
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 0 PID: 4752 Comm: syz-executor0 Not tainted 4.17.0-rc6+ #67
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x1b9/0x294 lib/dump_stack.c:113
>  panic+0x22f/0x4de kernel/panic.c:184
>  __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
>  report_bug+0x252/0x2d0 lib/bug.c:186
>  fixup_bug arch/x86/kernel/traps.c:178 [inline]
>  do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
>  invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
> RIP: 0010:bpf_jit_binary_lock_ro include/linux/filter.h:667 [inline]

Been looking into this last Friday already. What seems to happen here is that
there's fault injection from inside set_memory_ro(), meaning it will eventually
return an error there, and we throw a WARN_ON_ONCE() to bark that making the
memory read-only didn't work out. I'd be in preference to notify the user on
such an issue rather than keeping completely silent about it so that there's
awareness that read-only protections are not in place / guaranteed.

> RIP: 0010:bpf_int_jit_compile+0xbf7/0xef7 arch/x86/net/bpf_jit_comp.c:1271
> RSP: 0018:ffff8801d85ff920 EFLAGS: 00010293
> RAX: ffff8801d78c40c0 RBX: 0000000000000046 RCX: ffffffff81445d89
> RDX: 0000000000000000 RSI: ffffffff81445d97 RDI: 0000000000000005
> RBP: ffff8801d85ffa40 R08: ffff8801d78c40c0 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: ffffc9000194e002
> R13: ffff8801d85ffa18 R14: 00000000fffffff4 R15: 0000000000000003
>  bpf_prog_select_runtime+0x131/0x640 kernel/bpf/core.c:1541
>  bpf_prog_load+0x16c2/0x2070 kernel/bpf/syscall.c:1333
>  __do_sys_bpf kernel/bpf/syscall.c:2073 [inline]
>  __se_sys_bpf kernel/bpf/syscall.c:2035 [inline]
>  __x64_sys_bpf+0x389/0x4c0 kernel/bpf/syscall.c:2035
>  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x455a09
> RSP: 002b:00007ffec3da2868 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
> RAX: ffffffffffffffda RBX: 0000000002542914 RCX: 0000000000455a09
> RDX: 0000000000000048 RSI: 0000000020000240 RDI: 0000000000000005
> RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
> R13: 0000000000000046 R14: 00000000006f4730 R15: 0000000000000023
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
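The mechanism Daniel describes above, as an added user-space model that is not kernel code and not part of this thread: a JIT image is allocated writable, handed to a lock-down step that is supposed to make it read-only, and the `set_memory_ro()` call is stood in for by a swappable hook (`set_memory_ro_hook`, `set_ro_inject_fault`, all hypothetical names) so the fault injection seen in the syzbot run can be reproduced deterministically. The `WARN_ON_ONCE()` is modelled by a once-only report that still hands the error back to the caller, which is the behaviour the reply argues for: a failed read-only lock-down is reported rather than silently swallowed. The `-ENOMEM` returned by the injected fault is an assumed value; the report does not show which error `set_memory_ro()` returned.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed example: user-space analogue of the kernel's JIT lock-down path. */

typedef int (*set_ro_fn)(void *addr, size_t len);

/* Real backend: drop write permission on the image, like set_memory_ro(). */
static int set_ro_mprotect(void *addr, size_t len)
{
    return mprotect(addr, len, PROT_READ) == 0 ? 0 : -errno;
}

/* Fault-injection backend: always fails, mirroring the injected error.
 * -ENOMEM is an assumed value; the report does not show the real one. */
static int set_ro_inject_fault(void *addr, size_t len)
{
    (void)addr;
    (void)len;
    return -ENOMEM;
}

static set_ro_fn set_memory_ro_hook = set_ro_mprotect;   /* hypothetical hook */
static int warn_count;                                   /* times the warning fired */

/* WARN_ON_ONCE() analogue: report the first failure only, but always return
 * the condition so the caller never loses the error. */
static int warn_on_once(int cond, const char *what)
{
    static int warned;

    if (cond && !warned) {
        warned = 1;
        warn_count++;
        fprintf(stderr, "WARNING: %s failed (%d); JIT image left writable\n",
                what, cond);
    }
    return cond;
}

struct jit_image {
    unsigned char *start;
    size_t len;
};

/* Allocate a writable image and emit one placeholder byte into it. */
static int jit_image_alloc(struct jit_image *img, size_t pages)
{
    long ps = sysconf(_SC_PAGESIZE);

    img->len = pages * (size_t)ps;
    img->start = mmap(NULL, img->len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (img->start == MAP_FAILED)
        return -errno;
    img->start[0] = 0xc3;   /* placeholder byte standing in for emitted code */
    return 0;
}

/* Analogue of bpf_jit_binary_lock_ro(); unlike the void kernel helper it also
 * returns the error so a caller can refuse to run an unprotected image. */
static int jit_image_lock_ro(struct jit_image *img)
{
    int err = set_memory_ro_hook(img->start, img->len);

    return warn_on_once(err, "set_memory_ro");
}

static void jit_image_free(struct jit_image *img)
{
    munmap(img->start, img->len);
}

struct scenario_result {
    int normal_rc;      /* lock-down with the real mprotect() backend */
    int injected_rc1;   /* first lock-down under fault injection */
    int injected_rc2;   /* second one: still fails, but warns no more */
    int warnings;       /* how often the once-only warning fired */
};

/* Run both backends once. Call a single time per process, since
 * warn_on_once() keeps its "already warned" state. */
static struct scenario_result run_scenario(void)
{
    struct scenario_result r = { -1, -1, -1, -1 };
    struct jit_image img;

    if (jit_image_alloc(&img, 1) == 0) {
        set_memory_ro_hook = set_ro_mprotect;
        r.normal_rc = jit_image_lock_ro(&img);
        jit_image_free(&img);
    }
    if (jit_image_alloc(&img, 1) == 0) {
        set_memory_ro_hook = set_ro_inject_fault;
        r.injected_rc1 = jit_image_lock_ro(&img);
        r.injected_rc2 = jit_image_lock_ro(&img);
        jit_image_free(&img);
    }
    r.warnings = warn_count;
    return r;
}

int main(void)
{
    struct scenario_result r = run_scenario();

    printf("normal=%d injected=%d/%d warnings=%d\n",
           r.normal_rc, r.injected_rc1, r.injected_rc2, r.warnings);
    return 0;
}
```

The second injected call returns the same error but produces no second warning, which is exactly the once-only semantics of `WARN_ON_ONCE()`; the return value is what a caller should act on, since the log line alone cannot be relied upon to stop an unprotected image from being used.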