From: Alexei Starovoitov
Date: Fri, 5 Apr 2024 09:12:31 -0700
Subject: Re: [syzbot] [mm?] BUG: unable to handle kernel paging request in copy_from_kernel_nofault (2)
To: "Russell King (Oracle)", Puranjay Mohan
Cc: Mark Rutland, Andrew Morton, linux-arm-kernel, syzbot, LKML, linux-mm, syzkaller-bugs, bpf
References: <000000000000e9a8d80615163f2a@google.com> <20240403184149.0847a9d614f11b249529fd02@linux-foundation.org>

On Fri, Apr 5, 2024 at 4:36 AM Russell King (Oracle) wrote:
>
> On Fri, Apr 05, 2024 at 12:02:36PM +0100, Mark Rutland wrote:
> > On Thu, Apr 04, 2024 at 03:57:04PM -0700, Alexei Starovoitov wrote:
> > > On Wed, Apr 3, 2024 at 6:56 PM Andrew Morton wrote:
> > > >
> > > > On Mon, 01 Apr 2024 22:19:25 -0700 syzbot wrote:
> > > >
> > > > > Hello,
> > > >
> > > > Thanks. Cc: bpf@vger.kernel.org
> > >
> > > I suspect the issue is not on bpf side.
> > > Looks like the bug is somewhere in arm32 bits.
> > > copy_from_kernel_nofault() is called from lots of places.
> > > bpf is just one user that is easy for syzbot to fuzz.
> > > Interestingly arm defines copy_from_kernel_nofault_allowed()
> > > that should have filtered out user addresses.
> > > In this case ffffffe9 is probably a kernel address?
> >
> > It's at the end of the kernel range, and it's ERR_PTR(-EINVAL).
> >
> > 0xffffffe9 is -0x16, which is -22, which is -EINVAL.
> >
> > > But the kernel is doing a write?
> > > Which makes no sense, since copy_from_kernel_nofault is probe reading.
> >
> > It makes perfect sense; the read from 'src' happened, then the kernel tries to
> > write the result to 'dst', and that aligns with the disassembly in the report
> > below, which I believe is:
> >
> >    8: e4942000    ldr r2, [r4], #0    <-- Read of 'src', fault fixup is elsewhere
> >    c: e3530000    cmp r3, #0
> > * 10: e5852000    str r2, [r5]        <-- Write to 'dst'
> >
> > As above, it looks like 'dst' is ERR_PTR(-EINVAL).
> >
> > Are you certain that BPF is passing a sane value for 'dst'? Where does that
> > come from in the first place?
>
> It looks to me like it gets passed in from the BPF program, and the
> "type" for the argument is set to ARG_PTR_TO_UNINIT_MEM. What that
> means for validation purposes, I've no idea, I'm not a BPF hacker.
>
> Obviously, if BPF is allowing copy_from_kernel_nofault() to be passed
> an arbitrary destination address, that would be a huge security hole.

If that's the case that's indeed a giant security hole, but I doubt it.
We would be crashing other archs as well.
I cannot really tell whether arm32 JIT is on.
If it is, it's likely a bug there.
Puranjay, could you please take a look.
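An added triage helper, not code from this thread or from the kernel tree: it classifies a 32-bit faulting address the way the analysis above does (NULL page, user, kernel, or an ERR_PTR dereferenced as a pointer) and decodes the errno by exact two's-complement arithmetic rather than by eye, using the kernel's MAX_ERRNO convention from include/linux/err.h. The 0xc0000000 user/kernel split is passed in as an assumption, and the sample addresses are constructed around the value quoted in the report.

```c
#include <stdint.h>
#include <stdio.h>

/* Kernel convention (include/linux/err.h): the top MAX_ERRNO bytes of the
 * address space are reserved so IS_ERR() can tell ERR_PTR(-errno) from a
 * real pointer. A fault in that window means an ERR_PTR was dereferenced. */
#define MAX_ERRNO 4095u

enum fault_class { FAULT_NULL_PAGE, FAULT_USER, FAULT_KERNEL, FAULT_ERR_PTR };

/* Exact decode of a 32-bit (arm32) ERR_PTR value. Returns the positive
 * errno, or 0 when the address is below the ERR_PTR window (0xfffff001). */
unsigned int errptr_errno32(uint32_t addr)
{
    if (addr < (uint32_t)0 - MAX_ERRNO)
        return 0;
    /* Two's-complement negation: 0xffffffea -> 22 (EINVAL), while the
     * 0xffffffe9 quoted in the report negates to 23 (ENFILE). */
    return (uint32_t)0 - addr;
}

/* Coarse bucket for a faulting address on a 32-bit kernel. page_offset is
 * the user/kernel split; arm32 builds commonly use 0xc0000000, but it is a
 * Kconfig choice, so it is a parameter here rather than hard-coded. */
enum fault_class classify_fault_addr32(uint32_t addr, uint32_t page_offset)
{
    if (errptr_errno32(addr))
        return FAULT_ERR_PTR;   /* dst/src was an error code, not a buffer */
    if (addr < 4096u)
        return FAULT_NULL_PAGE; /* NULL pointer plus a small field offset */
    if (addr < page_offset)
        return FAULT_USER;      /* copy_from_kernel_nofault_allowed() rejects these */
    return FAULT_KERNEL;
}

/* Names for the errnos most often seen behind an ERR_PTR fault. */
const char *errno_name(unsigned int e)
{
    switch (e) {
    case 12: return "ENOMEM";
    case 14: return "EFAULT";
    case 22: return "EINVAL";
    case 23: return "ENFILE";
    default: return "?";
    }
}

int main(void)
{
    /* Constructed samples: the report's address and a few neighbours. */
    uint32_t samples[] = { 0xffffffe9u, 0xffffffeau, 0x10u, 0x0804abcdu, 0xc12345ffu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned int e = errptr_errno32(samples[i]);
        printf("%08x class=%d errno=%u (%s)\n", samples[i],
               classify_fault_addr32(samples[i], 0xc0000000u), e, errno_name(e));
    }
    return 0;
}
```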