[Syzkaller & bisect] There is "_copy_from_iter" WARNING in v6.2 kernel in guest
From: Pengfei Xu
Date: Tue Feb 21 2023 - 03:39:01 EST
Hi Al Viro,
Greeting!
It's a soft remind, there is "_copy_from_iter" WARNING in v6.2 guest as follow.
Reproduced code: https://github.com/xupengfe/syzkaller_logs/blob/main/230220_162054__copy_from_iter/repro.c
Kconfig: https://github.com/xupengfe/syzkaller_logs/blob/main/230220_162054__copy_from_iter/kconfig_origin
v6.2 problem dmesg: https://github.com/xupengfe/syzkaller_logs/blob/main/230220_162054__copy_from_iter/c9c3395d5e3dcc6daee66c6908354d47bf98cb0c_dmesg.log
Bisect info: https://github.com/xupengfe/syzkaller_logs/blob/main/230220_162054__copy_from_iter/bisect_info.log
All detailed info: https://github.com/xupengfe/syzkaller_logs/tree/main/230220_162054__copy_from_iter
[ 28.628154] ------------[ cut here ]------------
[ 28.628394] WARNING: CPU: 0 PID: 550 at lib/iov_iter.c:629 _copy_from_iter+0x130/0xa60
[ 28.628778] Modules linked in:
[ 28.628940] CPU: 0 PID: 550 Comm: repro Not tainted 6.2.0-c9c3395d5e3d #1
[ 28.629300] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 28.629849] RIP: 0010:_copy_from_iter+0x130/0xa60
[ 28.630090] Code: 41 5e 41 5f 5d c3 cc cc cc cc e8 2b e6 57 ff be 79 02 00 00 48 c7 c7 4d f3 92 83 e8 ca ec 79 ff e9 3f ff ff ff e8 10 e6 57 ff <0f> 0b 31 db 5
[ 28.630968] RSP: 0018:ffffc900010079a8 EFLAGS: 00010246
[ 28.631234] RAX: 0000000000000000 RBX: 00000000000000c3 RCX: ffffffff81d43a43
[ 28.631584] RDX: 0000000000000000 RSI: ffff88800c4f8000 RDI: 0000000000000002
[ 28.631932] RBP: ffffc90001007a38 R08: 0000000000000000 R09: 000000000000ffff
[ 28.632278] R10: ffffc90001007c28 R11: 0000000000000000 R12: ffffc90001007af0
[ 28.632623] R13: 0000000000000000 R14: ffffea0000314200 R15: 0000000000000000
[ 28.632971] FS: 00007f264dd6b740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
[ 28.633377] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 28.633662] CR2: 0000000020000041 CR3: 000000000a360004 CR4: 0000000000770ef0
[ 28.634030] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 28.634377] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400
[ 28.634725] PKRU: 55555554
[ 28.634868] Call Trace:
[ 28.634996] <TASK>
[ 28.635113] ? __sanitizer_cov_trace_pc+0x25/0x60
[ 28.635356] ? bio_add_hw_page+0x234/0x2e0
[ 28.635576] ? write_comp_data+0x2f/0x90
[ 28.635782] copy_page_from_iter+0x1aa/0x370
[ 28.636001] ? write_comp_data+0x2f/0x90
[ 28.636211] blk_rq_map_user_iov+0x531/0xa70
[ 28.636446] blk_rq_map_user+0x86/0xc0
[ 28.636645] blk_rq_map_user_io+0xbe/0xd0
[ 28.636855] sg_common_write.isra.22+0x5fd/0xb10
[ 28.637113] sg_new_write.isra.23+0x24d/0x460
[ 28.637342] ? __this_cpu_preempt_check+0x20/0x30
[ 28.637589] ? lock_is_held_type+0xe6/0x140
[ 28.637815] ? write_comp_data+0x2f/0x90
[ 28.638017] ? __sanitizer_cov_trace_pc+0x25/0x60
[ 28.638258] ? scsi_block_when_processing_errors+0x152/0x190
[ 28.638547] ? write_comp_data+0x2f/0x90
[ 28.638752] sg_ioctl+0xc2f/0x1340
[ 28.638934] ? __sanitizer_cov_trace_pc+0x25/0x60
[ 28.639175] ? __sanitizer_cov_trace_pc+0x25/0x60
[ 28.639414] ? write_comp_data+0x2f/0x90
[ 28.639620] __x64_sys_ioctl+0x10e/0x160
[ 28.639824] ? __pfx_sg_ioctl+0x10/0x10
[ 28.640025] do_syscall_64+0x3b/0x90
[ 28.640321] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 28.640839] RIP: 0033:0x7f264de9059d
[ 28.641073] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 8
[ 28.641990] RSP: 002b:00007fff4573c498 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[ 28.642432] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f264de9059d
[ 28.642843] RDX: 0000000020000240 RSI: 0000000000002285 RDI: 0000000000000003
[ 28.643217] RBP: 00007fff4573c4b0 R08: 002367732f766564 R09: 00007fff4573c590
[ 28.643607] R10: 000000000000001f R11: 0000000000000202 R12: 00000000004010a0
[ 28.644018] R13: 00007fff4573c590 R14: 0000000000000000 R15: 0000000000000000
[ 28.644372] </TASK>
[ 28.644489] irq event stamp: 4933
[ 28.644660] hardirqs last enabled at (4941): [<ffffffff811d4a61>] __up_console_sem+0x91/0xb0
[ 28.645094] hardirqs last disabled at (4950): [<ffffffff811d4a46>] __up_console_sem+0x76/0xb0
[ 28.645514] softirqs last enabled at (4850): [<ffffffff82f9c233>] __do_softirq+0x323/0x48a
[ 28.645924] softirqs last disabled at (4845): [<ffffffff81123152>] irq_exit_rcu+0xd2/0x100
[ 28.646327] ---[ end trace 0000000000000000 ]---
Bisected and found the first bad commit is:
a41dad905e5a388f88435a517de102e9b2c8e43d
iov_iter: saner checks for attempt to copy to/from iterator
After reverted above commit on top of v6.2, this issue was gone.
I didn't saw "_copy_from_iter" problem recored in
https://syzkaller.appspot.com/upstream
And I hope it's useful.
---
If you don't need an environment to reproduce the problem or if you already
have one, please ignore the following information.
How to reproduce:
git clone https://gitlab.com/xupengfe/repro_vm_env.git
cd repro_vm_env
tar -xvf repro_vm_env.tar.gz
cd repro_vm_env; ./start3.sh // it needs qemu-system-x86_64 and I used v7.1.0
// start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
// You could change the bzImage_xxx as you want
In vm and login with root, there is no password for root.
After login vm successfully, you could transfer reproduced binary to the VM by below way, and reproduce the problem:
gcc -pthread -o repro repro.c
scp -P 10023 repro root@localhost:/root/
Get the bzImage for target kernel:
Please use the target kconfig and copy it to kernel_src/.config
make olddefconfig
make -jx bzImage //x should equal or less than cpu num your pc has
Fill the bzImage file into above start3.sh to load the target kernel vm.
Tips:
If you already have qemu-system-x86_64, please ignore below info.
If you want to install qemu v7.1.0 version:
git clone https://github.com/qemu/qemu.git
cd qemu
git checkout -f v7.1.0
mkdir build
cd build
yum install -y ninja-build.x86_64
../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl
make
make install
Thanks!
BR.