From: Andrii Nakryiko
Date: Fri, 5 Apr 2024 10:50:30 -0700
Subject: Re: [syzbot] [mm?] BUG: unable to handle kernel paging request in copy_from_kernel_nofault (2)
To: Alexei Starovoitov
Cc: "Russell King (Oracle)", Puranjay Mohan, Mark Rutland, Andrew Morton, linux-arm-kernel, syzbot, LKML, linux-mm, syzkaller-bugs, bpf

On Fri, Apr 5, 2024 at 9:30 AM Alexei Starovoitov wrote:
>
> On Fri, Apr 5, 2024 at 4:36 AM Russell King (Oracle) wrote:
> >
> > On Fri, Apr 05, 2024 at 12:02:36PM +0100, Mark Rutland wrote:
> > > On Thu, Apr 04, 2024 at 03:57:04PM -0700, Alexei Starovoitov wrote:
> > > > On Wed, Apr 3, 2024 at 6:56 PM Andrew Morton wrote:
> > > > >
> > > > > On Mon, 01 Apr 2024 22:19:25 -0700 syzbot wrote:
> > > > >
> > > > > > Hello,
> > > > >
> > > > > Thanks. Cc: bpf@vger.kernel.org
> > > >
> > > > I suspect the issue is not on bpf side.
> > > > Looks like the bug is somewhere in arm32 bits.
> > > > copy_from_kernel_nofault() is called from lots of places.
> > > > bpf is just one user that is easy for syzbot to fuzz.
> > > > Interestingly arm defines copy_from_kernel_nofault_allowed()
> > > > that should have filtered out user addresses.
> > > > In this case ffffffe9 is probably a kernel address?
> > >
> > > It's at the end of the kernel range, and it's ERR_PTR(-EINVAL).
> > >
> > > 0xffffffe9 is -0x16, which is -22, which is -EINVAL.
> > >
> > > > But the kernel is doing a write?
> > > > Which makes no sense, since copy_from_kernel_nofault is probe reading.
> > >
> > > It makes perfect sense; the read from 'src' happened, then the kernel tries to
> > > write the result to 'dst', and that aligns with the disassembly in the report
> > > below, which I believe is:
> > >
> > >    8:   e4942000    ldr r2, [r4], #0    <-- Read of 'src', fault fixup is elsewhere
> > >    c:   e3530000    cmp r3, #0
> > > * 10:   e5852000    str r2, [r5]        <-- Write to 'dst'
> > >
> > > As above, it looks like 'dst' is ERR_PTR(-EINVAL).
> > >
> > > Are you certain that BPF is passing a sane value for 'dst'? Where does that
> > > come from in the first place?
> >
> > It looks to me like it gets passed in from the BPF program, and the
> > "type" for the argument is set to ARG_PTR_TO_UNINIT_MEM. What that
> > means for validation purposes, I've no idea, I'm not a BPF hacker.
> >
> > Obviously, if BPF is allowing copy_from_kernel_nofault() to be passed
> > an arbitrary destination address, that would be a huge security hole.
>
> If that's the case that's indeed a giant security hole,
> but I doubt it. We would be crashing other archs as well.
> I cannot really tell whether arm32 JIT is on.
> If it is, it's likely a bug there.
> Puranjay,
> could you please take a look.
>

I dumped the BPF program that repro.c is loading; it works on x86-64 and
there is nothing special there. We are probe-reading 5 bytes from
somewhere into the stack. Everything is unaligned here, but stays within
a well-defined memory slot.

Note the r3 = (s8)r1, that's a new-ish thing, maybe the bug is somewhere
there (but then it would be JIT, not verifier itself).

0: (7a) *(u64 *)(r10 -8) = 896542069
1: (bf) r1 = r10
2: (07) r1 += -7
3: (b7) r2 = 5
4: (bf) r3 = (s8)r1
5: (85) call bpf_probe_read_kernel#-72390
6: (b7) r0 = 0
7: (95) exit
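The thread's argument turns on how a 32-bit kernel encodes ERR_PTR() values and why a plain user/kernel address-range filter does not reject them. The program below is an added example for this editorial copy; it is not code from the thread, from the kernel tree, or from the BPF project. It models the 32-bit ERR_PTR()/IS_ERR()/PTR_ERR() arithmetic in user space, decodes the address quoted in the thread (0xffffffe9) alongside ERR_PTR(-EINVAL) itself, and contrasts two checks a caller could apply to 'dst': a hypothetical range filter that only rejects addresses below an assumed arm32 PAGE_OFFSET of 0xc0000000 (an assumption, not taken from the report), and an IS_ERR()-style check. The errno name table is a small constructed convenience for readable output.

```c
/*
 * Added example (not from the thread, the kernel tree or the BPF project):
 * a user-space model of the Linux 32-bit ERR_PTR() encoding.
 *
 * On a 32-bit kernel, ERR_PTR(err) is (void *)(long)err, so a small
 * negative errno lands in the last MAX_ERRNO bytes of the address space
 * (0xfffff001..0xffffffff). A user/kernel split check treats that window
 * as kernel memory, so an address-range filter such as the one the thread
 * describes for copy_from_kernel_nofault_allowed() lets it through, while
 * an IS_ERR()-style check rejects it.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ERRNO 4095                 /* as in include/linux/err.h */
#define PAGE_OFFSET32 0xc0000000u      /* assumption: a common arm32 3G/1G split */

typedef uint32_t kaddr32_t;            /* a 32-bit kernel pointer as an integer */

/* Mirrors IS_ERR_VALUE(): true for the top MAX_ERRNO addresses. */
static int is_err_value32(kaddr32_t p)
{
    return p >= (kaddr32_t)(-(int32_t)MAX_ERRNO);   /* i.e. p >= 0xfffff001 */
}

/* Mirrors PTR_ERR(): reinterpret the pointer bits as a signed errno. */
static int32_t ptr_err32(kaddr32_t p)
{
    return (int32_t)p;
}

/* Mirrors ERR_PTR(): encode a negative errno as a 32-bit pointer. */
static kaddr32_t err_ptr32(int32_t err)
{
    return (kaddr32_t)err;
}

/* Constructed name table for the few errnos that matter here. */
static const char *errno_name(int32_t err)
{
    switch (-err) {
    case EINVAL: return "EINVAL";
    case ENFILE: return "ENFILE";
    case EFAULT: return "EFAULT";
    case ENOMEM: return "ENOMEM";
    default:     return "E???";
    }
}

/*
 * Hypothetical range filter, modelled on the behaviour the thread attributes
 * to arm's copy_from_kernel_nofault_allowed(): only user addresses (below the
 * assumed PAGE_OFFSET) are rejected.
 */
static int range_filter_allows(kaddr32_t p)
{
    return p >= PAGE_OFFSET32;
}

/* The additional check a caller would need: refuse ERR_PTR() values. */
static int err_check_allows(kaddr32_t p)
{
    return !is_err_value32(p);
}

static void describe(kaddr32_t p)
{
    printf("0x%08x: IS_ERR=%d PTR_ERR=%d (%s) range_filter=%d err_check=%d\n",
           p, is_err_value32(p), ptr_err32(p), errno_name(ptr_err32(p)),
           range_filter_allows(p), err_check_allows(p));
}

int main(void)
{
    describe(0xffffffe9u);           /* the address quoted in the thread */
    describe(err_ptr32(-EINVAL));    /* ERR_PTR(-EINVAL) on a 32-bit kernel */
    describe(PAGE_OFFSET32);         /* an ordinary kernel address: both checks pass */
    describe(0x00001000u);           /* a user address: only the range filter rejects it */
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run; the output shows that every value in the top 4095 bytes of the 32-bit address space passes the range filter and fails the IS_ERR() check, which is the distinction the discussion of 'dst' above relies on.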
> > > > > > It makes perfect sense; the read from 'src' happened, then the kernel= tries to > > > write the result to 'dst', and that aligns with the disassembly in th= e report > > > below, which I beleive is: > > > > > > 8: e4942000 ldr r2, [r4], #0 <-- Read of 'src', faul= t fixup is elsewhere > > > c: e3530000 cmp r3, #0 > > > * 10: e5852000 str r2, [r5] <-- Write to 'dst' > > > > > > As above, it looks like 'dst' is ERR_PTR(-EINVAL). > > > > > > Are you certain that BPF is passing a sane value for 'dst'? Where doe= s that > > > come from in the first place? > > > > It looks to me like it gets passed in from the BPF program, and the > > "type" for the argument is set to ARG_PTR_TO_UNINIT_MEM. What that > > means for validation purposes, I've no idea, I'm not a BPF hacker. > > > > Obviously, if BPF is allowing copy_from_kernel_nofault() to be passed > > an arbitary destination address, that would be a huge security hole. > > If that's the case that's indeed a giant security hole, > but I doubt it. We would be crashing other archs as well. > I cannot really tell whether arm32 JIT is on. > If it is, it's likely a bug there. > Puranjay, > could you please take a look. > I dumped the BPF program that repro.c is loading, it works on x86-64 and there is nothing special there. We are probe-reading 5 bytes from somewhere into the stack. Everything is unaligned here, but stays within a well-defined memory slot. Note the r3 =3D (s8)r1, that's a new-ish thing, maybe bug is somewhere there (but then it would be JIT, not verifier itself) 0: (7a) *(u64 *)(r10 -8) =3D 896542069 1: (bf) r1 =3D r10 2: (07) r1 +=3D -7 3: (b7) r2 =3D 5 4: (bf) r3 =3D (s8)r1 5: (85) call bpf_probe_read_kernel#-72390 6: (b7) r0 =3D 0 7: (95) exit