Re: BUG: unable to handle kernel paging request in bpf_check

From: Hao Sun
Date: Mon Apr 12 2021 - 03:11:27 EST


Besides, another similar bug occurred while fault injection was enabled.
====
BUG: unable to handle kernel paging request in bpf_prog_alloc_no_stats
========================================================
BUG: unable to handle page fault for address: ffff91f2077ed028
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 1810067 P4D 1810067 PUD 1915067 PMD 3b907067 PTE 0
Oops: 0002 [#1] SMP
CPU: 3 PID: 17344 Comm: executor Not tainted 5.12.0-rc6+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:bpf_prog_alloc_no_stats+0x251/0x6e0 kernel/bpf/core.c:94
Code: 45 b0 4c 8d 78 28 4d 8b a5 20 03 00 00 41 8b 85 a8 0f 00 00 89 45 c8 48 83 7d a8 00 0f 85 2e 03 00 00 4c 89 ff e8 4f 18 60 00 <4c> 89 20 4d 85 e4 0f 85 27 03 00 00 49 89 1f 4d 85 e4 74 0c 49 f7
RSP: 0018:ffff89f2077cfaa8 EFLAGS: 00010286
RAX: ffff91f2077ed028 RBX: 0000096680024de8 RCX: ffff91f2077ed028
RDX: ffff99f2077ed028 RSI: 0000000000000008 RDI: ffff89f2077ed028
RBP: ffff89f2077cfb28 R08: ffffd7eb8000000f R09: ffff888b7ffd3000
R10: 000000000000037a R11: 0000000000000000 R12: 0000000000000000
R13: ffff888b1465aad8 R14: 0000000004c30000 R15: ffff89f2077ed028
FS: 00007f7e3c390700(0000) GS:ffff888b7fd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff91f2077ed028 CR3: 0000000044802004 CR4: 0000000000770ee0
PKRU: 55555554
Call Trace:
bpf_prog_alloc+0x74/0x310 kernel/bpf/core.c:119
bpf_prog_load kernel/bpf/syscall.c:2162 [inline]
__do_sys_bpf+0x11af3/0x17290 kernel/bpf/syscall.c:4393
__se_sys_bpf+0x8e/0xa0 kernel/bpf/syscall.c:4351
__x64_sys_bpf+0x4a/0x70 kernel/bpf/syscall.c:4351
do_syscall_64+0xa2/0x120 arch/x86/entry/common.c:48
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x47338d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7e3c38fc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 000000000059c080 RCX: 000000000047338d
RDX: 0000000000000078 RSI: 0000000020000300 RDI: 0000000000000005
RBP: 00007f7e3c38fc90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
R13: 00007ffed3a1dd6f R14: 00007ffed3a1df10 R15: 00007f7e3c38fdc0
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
CR2: ffff91f2077ed028
---[ end trace bc1de9e0e1b51e8c ]---
RIP: 0010:bpf_prog_alloc_no_stats+0x251/0x6e0 kernel/bpf/core.c:94
Code: 45 b0 4c 8d 78 28 4d 8b a5 20 03 00 00 41 8b 85 a8 0f 00 00 89 45 c8 48 83 7d a8 00 0f 85 2e 03 00 00 4c 89 ff e8 4f 18 60 00 <4c> 89 20 4d 85 e4 0f 85 27 03 00 00 49 89 1f 4d 85 e4 74 0c 49 f7
RSP: 0018:ffff89f2077cfaa8 EFLAGS: 00010286
RAX: ffff91f2077ed028 RBX: 0000096680024de8 RCX: ffff91f2077ed028
RDX: ffff99f2077ed028 RSI: 0000000000000008 RDI: ffff89f2077ed028
RBP: ffff89f2077cfb28 R08: ffffd7eb8000000f R09: ffff888b7ffd3000
R10: 000000000000037a R11: 0000000000000000 R12: 0000000000000000
R13: ffff888b1465aad8 R14: 0000000004c30000 R15: ffff89f2077ed028
FS: 00007f7e3c390700(0000) GS:ffff888b7fd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff91f2077ed028 CR3: 0000000044802004 CR4: 0000000000770ee0
PKRU: 55555554

The following system call sequence (Syzlang format) can reproduce the crash:
# {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none Fault:true FaultCall:0 FaultNth:4 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:true USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true UseTmpDir:true HandleSegv:true Repro:false Trace:false}

bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000300)=@bpf_ext={0x1c,
0x8, &(0x7f00000001c0)=@raw=[@initr0={0x18, 0x0, 0x0, 0x0,
0x4953b92f0467cc49, 0x0, 0x0, 0x0, 0xdbd689758db6b4a7}, @func={0x85,
0x0, 0x1, 0x0, 0x1}, @exit, @generic={0xd3c15618b9efaeff, 0x0, 0x0,
0x0, 0xc0fc52df13f3fbec}, @map_val={0x18, 0x0, 0x2, 0x0, 0x0, 0x0,
0x0, 0x0, 0xf7a72204b1b46d92}, @jmp], &(0x7f0000000200)='GPL\x00',
0x0, 0x0, 0x0, 0x0, 0x9, [], 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0,
0x0, 0x0, 0x0}, 0x78)

syz-execprog can run this reproduction program directly:
./syz-execprog -repeat 0 -procs 1 -slowdown 1 -fault_call 0 -fault_nth 4 -enable tun -enable netdev -enable resetnet -enable cgroups -enable binfmt-misc -enable close_fds -enable devlinkpci -enable usb -enable vhci -enable wifi -enable ieee802154 -enable sysctl repro.prog

Attachment: log
Description: Binary data