From: Puranjay Mohan
To: "Russell King (Oracle)", Andrii Nakryiko
Cc: Alexei Starovoitov, Mark Rutland, Andrew Morton, linux-arm-kernel, syzbot, LKML, linux-mm, syzkaller-bugs, bpf
Subject: Re: [syzbot] [mm?] BUG: unable to handle kernel paging request in copy_from_kernel_nofault (2)
Date: Tue, 09 Apr 2024 07:45:54 +0000

"Russell King (Oracle)" writes:

> On Fri, Apr 05, 2024 at 10:50:30AM -0700, Andrii Nakryiko wrote:
>> On Fri, Apr 5, 2024 at 9:30 AM Alexei Starovoitov wrote:
>> >
>> > On Fri, Apr 5, 2024 at 4:36 AM Russell King (Oracle) wrote:
>> > >
>> > > On Fri, Apr 05, 2024 at 12:02:36PM +0100, Mark Rutland wrote:
>> > > > On Thu, Apr 04, 2024 at 03:57:04PM -0700, Alexei Starovoitov wrote:
>> > > > > On Wed, Apr 3, 2024 at 6:56 PM Andrew Morton wrote:
>> > > > > >
>> > > > > > On Mon, 01 Apr 2024 22:19:25 -0700 syzbot wrote:
>> > > > > >
>> > > > > > > Hello,
>> > > > > >
>> > > > > > Thanks. Cc: bpf@vger.kernel.org
>> > > > >
>> > > > > I suspect the issue is not on bpf side.
>> > > > > Looks like the bug is somewhere in arm32 bits.
>> > > > > copy_from_kernel_nofault() is called from lots of places.
>> > > > > bpf is just one user that is easy for syzbot to fuzz.
>> > > > > Interestingly arm defines copy_from_kernel_nofault_allowed()
>> > > > > that should have filtered out user addresses.
>> > > > > In this case ffffffe9 is probably a kernel address?
>> > > >
>> > > > It's at the end of the kernel range, and it's ERR_PTR(-EINVAL).
>> > > >
>> > > > 0xffffffe9 is -0x16, which is -22, which is -EINVAL.
>> > > >
>> > > > > But the kernel is doing a write?
>> > > > > Which makes no sense, since copy_from_kernel_nofault is probe reading.
>> > > >
>> > > > It makes perfect sense; the read from 'src' happened, then the kernel tries to
>> > > > write the result to 'dst', and that aligns with the disassembly in the report
>> > > > below, which I believe is:
>> > > >
>> > > >      8: e4942000    ldr  r2, [r4], #0    <-- Read of 'src', fault fixup is elsewhere
>> > > >      c: e3530000    cmp  r3, #0
>> > > > *   10: e5852000    str  r2, [r5]        <-- Write to 'dst'
>> > > >
>> > > > As above, it looks like 'dst' is ERR_PTR(-EINVAL).
>> > > >
>> > > > Are you certain that BPF is passing a sane value for 'dst'? Where does that
>> > > > come from in the first place?
>> > >
>> > > It looks to me like it gets passed in from the BPF program, and the
>> > > "type" for the argument is set to ARG_PTR_TO_UNINIT_MEM. What that
>> > > means for validation purposes, I've no idea, I'm not a BPF hacker.
>> > >
>> > > Obviously, if BPF is allowing copy_from_kernel_nofault() to be passed
>> > > an arbitrary destination address, that would be a huge security hole.
>> >
>> > If that's the case that's indeed a giant security hole,
>> > but I doubt it. We would be crashing other archs as well.
>> > I cannot really tell whether arm32 JIT is on.
>> > If it is, it's likely a bug there.
>> > Puranjay,
>> > could you please take a look.
>> >
>>
>> I dumped the BPF program that repro.c is loading, it works on x86-64
>> and there is nothing special there. We are probe-reading 5 bytes from
>> somewhere into the stack. Everything is unaligned here, but stays
>> within a well-defined memory slot.
>>
>> Note the r3 = (s8)r1, that's a new-ish thing, maybe bug is somewhere
>> there (but then it would be JIT, not verifier itself)
>>
>> 0: (7a) *(u64 *)(r10 -8) = 896542069
>> 1: (bf) r1 = r10
>> 2: (07) r1 += -7
>> 3: (b7) r2 = 5
>> 4: (bf) r3 = (s8)r1
>> 5: (85) call bpf_probe_read_kernel#-72390
>

I have started looking into this; the issue only reproduces when the JIT is enabled. With the interpreter, it works fine.

I used GDB to dump the JITed BPF program:

0xbf00012c: push {r4, r5, r6, r7, r8, r9, r11, lr}
0xbf000130: mov r11, sp
0xbf000134: mov r3, #0
0xbf000138: sub r2, sp, #80 @ 0x50
0xbf00013c: sub sp, sp, #88 @ 0x58
0xbf000140: strd r2, [r11, #-64] @ 0xffffffc0
0xbf000144: mov r2, #0
0xbf000148: strd r2, [r11, #-72] @ 0xffffffb8
0xbf00014c: mov r2, r0
0xbf000150: movw r8, #9589 @ 0x2575
0xbf000154: movt r8, #13680 @ 0x3570
0xbf000158: mov r9, #0
0xbf00015c: ldr r6, [r11, #-64] @ 0xffffffc0
0xbf000160: str r8, [r6, #-8]
0xbf000164: str r9, [r6, #-4]
0xbf000168: ldrd r2, [r11, #-64] @ 0xffffffc0
0xbf00016c: movw r8, #65529 @ 0xfff9
0xbf000170: movt r8, #65535 @ 0xffff
0xbf000174: movw r9, #65535 @ 0xffff
0xbf000178: movt r9, #65535 @ 0xffff
0xbf00017c: adds r2, r2, r8
0xbf000180: adc r3, r3, r9
0xbf000184: mov r6, #5
0xbf000188: mov r7, #0
0xbf00018c: strd r6, [r11, #-8]
0xbf000190: ldrd r6, [r11, #-16]
0xbf000194: lsl r2, r2, #24
0xbf000198: asr r2, r2, #24
0xbf00019c: str r2, [r11, #-16]
0xbf0001a0: asr r7, r6, #31
0xbf0001a4: mov r1, r3
0xbf0001a8: mov r0, r2
0xbf0001ac: ldrd r2, [r11, #-8]
0xbf0001b0: ldrd r8, [r11, #-32] @ 0xffffffe0
0xbf0001b4: push {r8, r9}
0xbf0001b8: ldrd r8, [r11, #-24] @ 0xffffffe8
0xbf0001bc: push {r8, r9}
0xbf0001c0: ldrd r8, [r11, #-16]
0xbf0001c4: push {r8, r9}
0xbf0001c8: movw r6, #40536 @ 0x9e58
0xbf0001cc: movt r6, #49223 @ 0xc047
0xbf0001d0: blx r6
0xbf0001d4: add sp, sp, #24
0xbf0001d8: mov r0, #0
0xbf0001dc: mov r1, #0
0xbf0001e0: mov sp, r11
0xbf0001e4: pop {r4, r5, r6, r7, r8, r9, r11, pc}

Thanks,
Puranjay
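The thread rests on two pieces of arithmetic: Mark's decoding of the faulting address 0xffffffe9 as an error pointer at the top of the 32-bit kernel range, and the BPF instruction r3 = (s8)r1 that Andrii singles out. The C below is an added example for readers of this thread, not code from the message or from the kernel tree; it reimplements the ERR_PTR/IS_ERR/PTR_ERR encoding for a 32-bit target (MAX_ERRNO = 4095 as in include/linux/err.h) and the BPF ISA semantics of the 8-bit sign-extending move, so a fault address or a JIT dump can be checked against exact values instead of mental arithmetic. The 0xbe8fe9e9 source register value is constructed; its only purpose is to have a low byte of 0xe9. The example also shows a general fact the message does not state: on a 32-bit target, every (s8) result with the sign bit set lands inside the ERR_PTR window, so an error-pointer check alone cannot tell a sign-extended byte from a genuine errno.

```c
#include <stdint.h>
#include <stdio.h>

/* Kernel constant from include/linux/err.h: the last 4095 bytes of the
 * address space are reserved for encoded errnos. */
#define MAX_ERRNO 4095

/* ERR_PTR(err) on a 32-bit target: the negative errno reinterpreted as
 * an address. */
static uint32_t err_ptr32(long err)
{
    return (uint32_t)(int32_t)err;
}

/* IS_ERR(): anything in the top MAX_ERRNO bytes is an errno, not memory. */
static int is_err32(uint32_t addr)
{
    return addr >= (uint32_t)-MAX_ERRNO;
}

/* PTR_ERR(): recover the signed errno from an error pointer. */
static long ptr_err32(uint32_t addr)
{
    return (long)(int32_t)addr;
}

/* Triage helper: positive errno when a fault address decodes as an
 * unchecked error pointer, 0 when it is an ordinary address. */
static long fault_addr_errno(uint32_t addr)
{
    return is_err32(addr) ? -ptr_err32(addr) : 0;
}

/* BPF ISA semantics of "rX = (s8)rY" (BPF_MOV | BPF_X, offset 8):
 * keep the low byte of the source and sign-extend it to 64 bits. */
static uint64_t bpf_movsx8(uint64_t src)
{
    int8_t b = (int8_t)(src & 0xff);
    return (uint64_t)(int64_t)b;
}

/* The two 32-bit halves a 32-bit JIT has to produce for that result;
 * handy when reading a dump such as the one in the message. */
static uint32_t movsx8_lo(uint64_t src)
{
    return (uint32_t)bpf_movsx8(src);
}

static uint32_t movsx8_hi(uint64_t src)
{
    return (uint32_t)(bpf_movsx8(src) >> 32);
}

/* On a 32-bit target a negative (s8) result is always >= 0xffffff80,
 * which is inside the ERR_PTR window [0xfffff001, 0xffffffff]. */
static int movsx8_in_err_window(uint64_t src)
{
    return is_err32(movsx8_lo(src));
}

int main(void)
{
    uint32_t fault = 0xffffffe9u;        /* address from the syzbot report */
    uint64_t r1 = 0xbe8fe9e9ull;         /* constructed: low byte 0xe9 */
    uint64_t r3 = bpf_movsx8(r1);

    printf("0x%08x: in ERR_PTR window=%d, errno=%ld\n",
           fault, is_err32(fault), fault_addr_errno(fault));
    printf("ERR_PTR(-22) on 32-bit = 0x%08x\n", err_ptr32(-22));
    printf("(s8)0x%08llx = 0x%016llx (lo 0x%08x, hi 0x%08x), err window=%d\n",
           (unsigned long long)r1, (unsigned long long)r3,
           movsx8_lo(r1), movsx8_hi(r1), movsx8_in_err_window(r1));
    return 0;
}
```

Run it against any fault address from an oops to see whether the value is a plausible unchecked error pointer; feed it the low word of a source register to see what the sign-extending move is required to produce, and compare that with what the JIT's lsl/asr pair and the stores around it actually leave in the destination register's two halves.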