From: Tao Chen <chen.dylane@gmail.com>
To: syzbot <syzbot+45b0c89a0fc7ae8dbadc@syzkaller.appspotmail.com>,
	andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
	daniel@iogearbox.net, eddyz87@gmail.com, haoluo@google.com,
	john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org,
	linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org,
	martin.lau@linux.dev, mathieu.desnoyers@efficios.com,
	mattbobrowski@google.com, mhiramat@kernel.org,
	rostedt@goodmis.org, sdf@fomichev.me, song@kernel.org,
	syzkaller-bugs@googlegroups.com, yonghong.song@linux.dev
Subject: Re: [syzbot] [bpf?] [trace?] WARNING in get_bpf_raw_tp_regs
Date: Mon, 12 May 2025 21:13:02 +0800
Message-ID: <8bc2554d-1052-4922-8832-e0078a033e1d@gmail.com>
In-Reply-To: <6821716e.050a0220.f2294.004a.GAE@google.com>

On 2025/5/12 11:56, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    707df3375124 Merge tag 'media/v6.15-2' of git://git.kernel..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15010768580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=b39cb28b0a399ed3
> dashboard link: https://syzkaller.appspot.com/bug?extid=45b0c89a0fc7ae8dbadc
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10b28670580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=159698f4580000
> 
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-707df337.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/f71d162685b9/vmlinux-707df337.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/940cb473e515/bzImage-707df337.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+45b0c89a0fc7ae8dbadc@syzkaller.appspotmail.com
> 
> ------------[ cut here ]------------
> WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861
> Modules linked in:
> CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> RIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861
> Code: 48 83 fb 03 77 64 48 8d 04 9b 48 8d 04 83 48 8d 5c c5 00 e8 7e 76 f4 ff 48 89 d8 5b 5d 41 5c c3 cc cc cc cc e8 6d 76 f4 ff 90 <0f> 0b 90 65 ff 0d b2 5b de 11 e8 5d 76 f4 ff 48 c7 c3 f0 ff ff ff
> RSP: 0018:ffffc90003636fa8 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c
> RDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005
> RBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003
> R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004
> R13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900
> FS:  0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>   <TASK>
>   ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline]
>   bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931
>   bpf_prog_ec3b2eefa702d8d3+0x43/0x47
>   bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
>   __bpf_prog_run include/linux/filter.h:718 [inline]
>   bpf_prog_run include/linux/filter.h:725 [inline]
>   __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]
>   bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405
>   __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47
>   __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47
>   __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
>   trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
>   __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35
>   __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
>   mmap_read_trylock include/linux/mmap_lock.h:204 [inline]
>   stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157
>   __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483
>   ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]
>   bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496
>   ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]
>   bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931
>   bpf_prog_ec3b2eefa702d8d3+0x43/0x47
>   bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
>   __bpf_prog_run include/linux/filter.h:718 [inline]
>   bpf_prog_run include/linux/filter.h:725 [inline]
>   __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]
>   bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405
>   __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47
>   __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47
>   __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
>   trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
>   __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35
>   __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
>   mmap_read_trylock include/linux/mmap_lock.h:204 [inline]
>   stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157
>   __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483
>   ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]
>   bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496
>   ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]
>   bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931
>   bpf_prog_ec3b2eefa702d8d3+0x43/0x47
>   bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
>   __bpf_prog_run include/linux/filter.h:718 [inline]
>   bpf_prog_run include/linux/filter.h:725 [inline]
>   __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]
>   bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405
>   __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47
>   __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47
>   __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
>   trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
>   __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35
>   __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
>   mmap_read_trylock include/linux/mmap_lock.h:204 [inline]
>   stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157
>   __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483
>   ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]
>   bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496
>   ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]
>   bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931
>   bpf_prog_ec3b2eefa702d8d3+0x43/0x47
>   bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
>   __bpf_prog_run include/linux/filter.h:718 [inline]
>   bpf_prog_run include/linux/filter.h:725 [inline]
>   __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]
>   bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405
>   __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47
>   __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47
>   __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
>   trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
>   __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35
>   __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
>   mmap_read_lock include/linux/mmap_lock.h:185 [inline]
>   exit_mm kernel/exit.c:565 [inline]
>   do_exit+0xf72/0x2c30 kernel/exit.c:940
>   do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
>   __do_sys_exit_group kernel/exit.c:1113 [inline]
>   __se_sys_exit_group kernel/exit.c:1111 [inline]
>   __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1111
>   x64_sys_call+0x1530/0x1730 arch/x86/include/generated/asm/syscalls_64.h:232
>   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>   do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f7baed8cfb9
> Code: 90 49 c7 c0 b8 ff ff ff be e7 00 00 00 ba 3c 00 00 00 eb 12 0f 1f 44 00 00 89 d0 0f 05 48 3d 00 f0 ff ff 77 1c f4 89 f0 0f 05 <48> 3d 00 f0 ff ff 76 e7 f7 d8 64 41 89 00 eb df 0f 1f 80 00 00 00
> RSP: 002b:00007ffd9d933998 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7baed8cfb9
> RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
> RBP: 00007f7baee082b0 R08: ffffffffffffffb8 R09: 0000000000000000
> R10: 0000000000000012 R11: 0000000000000246 R12: 00007f7baee082b0
> R13: 0000000000000000 R14: 00007f7baee08d20 R15: 00007f7baed5e160
>   </TASK>
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> 
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
> 
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
> 
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
> 
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
> 
> If you want to undo deduplication, reply with:
> #syz undup
> 

Hi,

The issue seems to arise because a bpf_prog is used to trace the 
trace_mmap_lock_acquire_returned tracepoint. Within this BPF program, 
the bpf_get_stack function is called. If it collects user-space call 
stacks, it will go here:
       if (user_build_id)
                 stack_map_get_build_id_offset(buf, trace_nr, user, may_fault);

and in stack_map_get_build_id_offset, it will call mmap_read_trylock, 
which will call trace_mmap_lock_acquire_returned again.

So can we replace mmap_read_trylock with 
down_read_trylock(&mm->mmap_lock) to avoid calling 
__mmap_lock_trace_acquire_returned?

-- 
Best Regards
Tao Chen
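As an added illustration (not kernel code and not from this thread), a small user-space model of the recursion described above: the tracepoint runs the BPF program, the program's stack collection takes mmap_lock, and a traced trylock fires the same tracepoint again until the per-CPU nesting guard in get_bpf_raw_tp_regs trips. It assumes a three-slot register array as the nesting limit, and models the proposed untraced down_read_trylock as a lock that fires no tracepoint.

```c
#include <stdbool.h>

/* Constructed model of the depth guard in get_bpf_raw_tp_regs(): the kernel
 * keeps a small per-CPU array of saved register sets and WARNs when a raw
 * tracepoint helper nests deeper than that array allows (assumed 3 here). */
#define MAX_NEST 3

static int nest_level;  /* models the per-CPU bpf_raw_tp_nest_level */
static int max_depth;   /* deepest nesting level reached in one run */
static int warn_count;  /* number of times the depth check fired */

/* Returns false on the path where the kernel would WARN and bail out. */
static bool get_bpf_raw_tp_regs_model(void)
{
	if (++nest_level > MAX_NEST) {
		warn_count++;
		nest_level--;
		return false;
	}
	if (nest_level > max_depth)
		max_depth = nest_level;
	return true;
}
static void put_bpf_raw_tp_regs_model(void) { nest_level--; }

static void bpf_prog_run_model(bool traced_lock);

/* stack_map_get_build_id_offset() needs mm->mmap_lock.  With traced_lock the
 * trylock is mmap_read_trylock(), which fires mmap_lock_acquire_returned and
 * so runs the program again; without it the lock is taken silently, as the
 * proposed down_read_trylock(&mm->mmap_lock) would. */
static void stack_map_get_build_id_offset_model(bool traced_lock)
{
	if (traced_lock)
		bpf_prog_run_model(traced_lock);
}

/* The attached program calls bpf_get_stack() collecting user build IDs. */
static void bpf_prog_run_model(bool traced_lock)
{
	if (!get_bpf_raw_tp_regs_model())
		return;
	stack_map_get_build_id_offset_model(traced_lock);
	put_bpf_raw_tp_regs_model();
}

/* One mmap_read_lock() in exit_mm() firing the tracepoint; returns how many
 * times the depth guard tripped.  deepest_nesting() reports the max depth. */
int simulate_tracepoint(bool traced_lock)
{
	nest_level = max_depth = warn_count = 0;
	bpf_prog_run_model(traced_lock);
	return warn_count;
}
int deepest_nesting(void) { return max_depth; }
```

With the traced lock the guard trips on the fourth nested helper call, matching the four bpf_get_stack_raw_tp frames in the syzbot trace; with the untraced lock the program runs once and returns.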
