From: Jiri Olsa <olsajiri@gmail.com>
To: Juri Lelli <juri.lelli@redhat.com>
Cc: bpf@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
asavkov@redhat.com
Subject: Re: NULL pointer deref when running BPF monitor program (6.11.0-rc1)
Date: Mon, 5 Aug 2024 18:49:54 +0200 [thread overview]
Message-ID: <ZrECsnSJWDS7jFUu@krava> (raw)
In-Reply-To: <ZrCZS6nisraEqehw@jlelli-thinkpadt14gen4.remote.csb>
On Mon, Aug 05, 2024 at 11:20:11AM +0200, Juri Lelli wrote:
SNIP
> [ 154.566882] BUG: kernel NULL pointer dereference, address: 000000000000040c
> [ 154.573844] #PF: supervisor read access in kernel mode
> [ 154.578982] #PF: error_code(0x0000) - not-present page
> [ 154.584122] PGD 146fff067 P4D 146fff067 PUD 10fc00067 PMD 0
> [ 154.589780] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
> [ 154.594659] CPU: 28 UID: 0 PID: 2234 Comm: thread0-13 Kdump: loaded Not tainted 6.11.0-rc1 #8
> [ 154.603179] Hardware name: Dell Inc. PowerEdge R740/04FC42, BIOS 2.10.2 02/24/2021
> [ 154.610744] RIP: 0010:bpf_prog_ec8173ca2868eb50_handle__sched_pi_setprio+0x22/0xd7
> [ 154.618310] Code: cc cc cc cc cc cc cc cc 0f 1f 44 00 00 66 90 55 48 89 e5 48 81 ec 30 00 00 00 53 41 55 41 56 48 89 fb 4c 8b 6b 00 4c 8b 73 08 <41> 8b be 0c 04 00 00 48 83 ff 06 0f 85 9b 00 00 00 41 8b be c0 09
> [ 154.637052] RSP: 0018:ffffabac60aebbc0 EFLAGS: 00010086
> [ 154.642278] RAX: ffffffffc03fba5c RBX: ffffabac60aebc28 RCX: 000000000000001f
> [ 154.649411] RDX: ffff95a90b4e4180 RSI: ffffabac4e639048 RDI: ffffabac60aebc28
> [ 154.656544] RBP: ffffabac60aebc08 R08: 00000023fce7674a R09: ffff95a91d85af38
> [ 154.663674] R10: ffff95a91d85a0c0 R11: 000000003357e518 R12: 0000000000000000
> [ 154.670807] R13: ffff95a90b4e4180 R14: 0000000000000000 R15: 0000000000000001
> [ 154.677939] FS: 00007ffa6d600640(0000) GS:ffff95c01bf00000(0000) knlGS:0000000000000000
> [ 154.686026] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 154.691769] CR2: 000000000000040c CR3: 000000014b9f2005 CR4: 00000000007706f0
> [ 154.698903] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 154.706035] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 154.713168] PKRU: 55555554
> [ 154.715879] Call Trace:
> [ 154.718332] <TASK>
> [ 154.720439] ? __die+0x20/0x70
> [ 154.723498] ? page_fault_oops+0x75/0x170
> [ 154.727508] ? sysvec_irq_work+0xb/0x90
> [ 154.731348] ? exc_page_fault+0x64/0x140
> [ 154.735275] ? asm_exc_page_fault+0x22/0x30
> [ 154.739461] ? 0xffffffffc03fba5c
> [ 154.742780] ? bpf_prog_ec8173ca2868eb50_handle__sched_pi_setprio+0x22/0xd7
hi,
reproduced.. AFAICS it looks like the bpf program somehow lost the booster != NULL
check and just loads the policy field without it, and crashes when booster is rubbish
int handle__sched_pi_setprio(u64 * ctx):
; int handle__sched_pi_setprio(u64 *ctx)
0: (bf) r6 = r1
; struct task_struct *boosted = (void *) ctx[0];
1: (79) r7 = *(u64 *)(r6 +0)
; struct task_struct *booster = (void *) ctx[1];
2: (79) r8 = *(u64 *)(r6 +8)
; if (booster->policy != SCHED_DEADLINE)
curious why the check disappeared, because the object file has it, so I guess the verifier
took it out for some reason, will check
jirka
> [ 154.749737] bpf_trace_run2+0x71/0xf0
> [ 154.753405] ? raw_spin_rq_lock_nested+0x19/0x80
> [ 154.758023] rt_mutex_setprio+0x1bf/0x3d0
> [ 154.762035] ? hrtimer_nanosleep+0xb1/0x190
> [ 154.766221] ? rseq_get_rseq_cs+0x1d/0x220
> [ 154.770320] mark_wakeup_next_waiter+0x85/0xd0
> [ 154.774765] __rt_mutex_futex_unlock+0x1c/0x40
> [ 154.779211] futex_unlock_pi+0x240/0x310
> [ 154.783137] do_futex+0x149/0x1d0
> [ 154.786457] __x64_sys_futex+0x73/0x1d0
> [ 154.790294] do_syscall_64+0x79/0x150
> [ 154.793962] ? update_process_times+0x8c/0xa0
> [ 154.798319] ? timerqueue_add+0x9b/0xc0
> [ 154.802158] ? enqueue_hrtimer+0x35/0x90
> [ 154.806085] ? __hrtimer_run_queues+0x141/0x2a0
> [ 154.810616] ? ktime_get+0x34/0xc0
> [ 154.814021] ? clockevents_program_event+0x92/0x100
> [ 154.818901] ? hrtimer_interrupt+0x129/0x240
> [ 154.823174] ? sched_clock+0xc/0x30
> [ 154.826666] ? sched_clock_cpu+0xb/0x190
> [ 154.830591] ? irqtime_account_irq+0x41/0xc0
> [ 154.834865] ? clear_bhb_loop+0x45/0xa0
> [ 154.838702] ? clear_bhb_loop+0x45/0xa0
> [ 154.842542] ? clear_bhb_loop+0x45/0xa0
> [ 154.846381] entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [ 154.851434] RIP: 0033:0x7ffa75a8e956
> [ 154.855011] Code: 0f 86 26 fe ff ff 83 c0 16 83 e0 f7 0f 85 2d ff ff ff e9 15 fe ff ff 40 80 f6 87 45 31 d2 31 d2 4c 89 c7 b8 ca 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 86 5b fd ff ff 83 f8 92 0f 84 52 fd ff ff 83
> [ 154.873757] RSP: 002b:00007ffa6d5ffb98 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> [ 154.881321] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffa75a8e956
> [ 154.888454] RDX: 0000000000000000 RSI: 0000000000000087 RDI: 000000003357e518
> [ 154.895587] RBP: 0000000000000002 R08: 000000003357e518 R09: 0000000000000000
> [ 154.902718] R10: 0000000000000000 R11: 0000000000000246 R12: 000000003357e518
> [ 154.909852] R13: 000000003357e510 R14: 0000000000000000 R15: 000000003357e8e8
> [ 154.916983] </TASK>
> [ 154.919176] Modules linked in: qrtr rfkill vfat fat intel_rapl_msr intel_rapl_common intel_uncore_frequency intel_uncore_frequency_common skx_edac skx_edac_common nfit libnvdimm x86_pkg_temp_thermal coretemp ipmi_ssif rapl iTCO_wdt iTCO_vendor_support dell_pc intel_cstate dell_smbios platform_profile mei_me i2c_i801 acpi_power_meter dcdbas intel_uncore dell_wmi_descriptor wmi_bmof pcspkr ipmi_si mei i2c_smbus lpc_ich acpi_ipmi intel_pch_thermal ipmi_devintf ipmi_msghandler xfs libcrc32c sr_mod sd_mod cdrom sg uas usb_storage mgag200 drm_shmem_helper drm_kms_helper ahci crct10dif_pclmul libahci crc32_pclmul i40e drm igb crc32c_intel libata dca megaraid_sas ghash_clmulni_intel i2c_algo_bit libie wmi dm_mirror dm_region_hash dm_log dm_mod fuse
> [ 154.984673] CR2: 000000000000040c
> --->8---
>
> Apologies for the rather long report, but I tried to provide hopefully
> enough information already for whoever might have time to take a look at
> this. Please let me know if I'm either wrong in what I'm trying to do or
> how to proceed (if you need more info, etc.).
>
> Thank you in advance!
>
> Best,
> Juri
>
>
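The following is an added example, not code from this thread or from the kernel: a small decoder for the x86-64 "mov reg, [base + disp]" instruction form, used to cross-check the oops above against the reading in the reply. The code bytes and register values are copied from the quoted "Code:" and register lines; the instruction-to-BPF-register annotations rely on the x86-64 BPF JIT's fixed mapping (r6 -> rbx, r7 -> r13, r8 -> r14, r1 -> rdi). It decodes the three loads after the "mov rbx, rdi" prologue copy and shows that the instruction at the <41> fault marker is mov edi, [r14 + 0x40c], that r14 was itself loaded from [rbx + 8], i.e. ctx[1] (the booster pointer in the listing), and that with R14 = 0 the effective address equals CR2 = 0x40c. In other words, the faulting instruction is the booster->policy read executed with a NULL booster, as the reply says.

```c
/*
 * Added example (not from the thread): decode the JITed loads from the oops
 * and confirm the fault is a NULL-base dereference.  Byte strings and register
 * values are from the quoted oops; everything else is constructed here.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    int ok;        /* 1 if the bytes decoded as mov reg,[base+disp] */
    int dst;       /* destination register, 0..15 */
    int base;      /* base register, 0..15 */
    int64_t disp;  /* sign-extended displacement */
    int wide;      /* REX.W set: 64-bit load, else 32-bit */
    size_t len;    /* instruction length in bytes */
} mov_load_t;

static const char *const reg_name[16] = {
    "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
    "r8",  "r9",  "r10", "r11", "r12", "r13", "r14", "r15",
};

/* Decode opcode 0x8b with ModRM mod=01 (disp8) or mod=10 (disp32), no SIB. */
mov_load_t decode_mov_load(const uint8_t *p, size_t n)
{
    mov_load_t r = {0};
    size_t i = 0;
    int rex_w = 0, rex_r = 0, rex_b = 0;

    if (i < n && (p[i] & 0xf0) == 0x40) {       /* optional REX prefix */
        rex_w = (p[i] >> 3) & 1;
        rex_r = (p[i] >> 2) & 1;
        rex_b = p[i] & 1;
        i++;
    }
    if (i + 2 > n || p[i] != 0x8b)               /* need opcode + ModRM */
        return r;
    uint8_t modrm = p[i + 1];
    i += 2;
    int mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;

    if (rm == 4)                                 /* SIB byte follows: not handled */
        return r;
    if (mod == 1) {                              /* [base + disp8] */
        if (i + 1 > n) return r;
        r.disp = (int8_t)p[i];
        i += 1;
    } else if (mod == 2) {                       /* [base + disp32] */
        if (i + 4 > n) return r;
        uint32_t d = (uint32_t)p[i] | (uint32_t)p[i + 1] << 8 |
                     (uint32_t)p[i + 2] << 16 | (uint32_t)p[i + 3] << 24;
        r.disp = (int32_t)d;
        i += 4;
    } else {                                     /* mod 00 (incl. RIP-rel) or 11 */
        return r;
    }
    r.dst  = reg | (rex_r << 3);
    r.base = rm  | (rex_b << 3);
    r.wide = rex_w;
    r.len  = i;
    r.ok   = 1;
    return r;
}

/* "Code:" bytes from the prologue copy of r1 up to the <41> fault marker. */
static const uint8_t jit_tail[] = {
    0x48, 0x89, 0xfb,                           /* mov rbx, rdi         (r6 = r1)     */
    0x4c, 0x8b, 0x6b, 0x00,                     /* mov r13, [rbx+0]     (r7 = ctx[0]) */
    0x4c, 0x8b, 0x73, 0x08,                     /* mov r14, [rbx+8]     (r8 = ctx[1]) */
    0x41, 0x8b, 0xbe, 0x0c, 0x04, 0x00, 0x00,   /* mov edi, [r14+0x40c]  <-- RIP     */
};
#define FAULT_OFF 11   /* offset of the faulting instruction inside jit_tail */

/* Register dump from the oops; only the registers this example uses. */
static const uint64_t oops_regs[16] = {
    [3]  = 0xffffabac60aebc28ULL,   /* RBX */
    [13] = 0xffff95a90b4e4180ULL,   /* R13 */
    [14] = 0x0000000000000000ULL,   /* R14 */
};
static const uint64_t oops_cr2 = 0x40cULL;

/* Effective address of the load at the fault marker; *ok = 0 if undecodable. */
uint64_t oops_fault_address(int *ok)
{
    mov_load_t m = decode_mov_load(jit_tail + FAULT_OFF, sizeof jit_tail - FAULT_OFF);
    *ok = m.ok;
    return m.ok ? oops_regs[m.base] + (uint64_t)m.disp : 0;
}

/* 1 if the load's base register is NULL and base + disp matches CR2. */
int oops_is_null_deref(void)
{
    int ok;
    mov_load_t m = decode_mov_load(jit_tail + FAULT_OFF, sizeof jit_tail - FAULT_OFF);
    return m.ok && oops_regs[m.base] == 0 && oops_fault_address(&ok) == oops_cr2;
}

int main(void)
{
    int ok;
    /* Walk the loads after the prologue: ctx[1] -> r14 -> [r14+0x40c]. */
    for (size_t off = 3; off < sizeof jit_tail; ) {
        mov_load_t m = decode_mov_load(jit_tail + off, sizeof jit_tail - off);
        if (!m.ok) break;
        printf("mov %s, [%s%+lld]%s\n", reg_name[m.dst], reg_name[m.base],
               (long long)m.disp, m.wide ? "" : "  (32-bit load)");
        off += m.len;
    }
    printf("fault address 0x%llx, CR2 0x%llx, NULL base: %s\n",
           (unsigned long long)oops_fault_address(&ok),
           (unsigned long long)oops_cr2, oops_is_null_deref() ? "yes" : "no");
    return 0;
}
```

The same check applies to any oops in a JITed BPF program: take the instruction at the RIP marker, decode its base register and displacement, and compare base + displacement with CR2; a zero base with a small displacement is a NULL dereference of a struct field at that offset, and walking back through the preceding loads tells you which program value the base register held.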
Thread overview: 27+ messages
2024-08-05 9:20 NULL pointer deref when running BPF monitor program (6.11.0-rc1) Juri Lelli
2024-08-05 16:49 ` Jiri Olsa [this message]
2024-08-05 17:00 ` Alexei Starovoitov
2024-08-06 7:08 ` Juri Lelli
2024-08-06 13:17 ` Jiri Olsa
2024-08-06 13:24 ` Jiri Olsa
2024-08-06 18:44 ` Alexei Starovoitov
2024-08-08 10:46 ` Jiri Olsa
2024-08-08 15:43 ` Alexei Starovoitov
2024-08-15 11:48 ` Jiri Olsa
2024-08-15 12:37 ` Alexei Starovoitov
2024-08-16 14:10 ` Steven Rostedt
2024-08-16 18:59 ` Jiri Olsa
2024-08-16 19:30 ` Steven Rostedt
2024-08-19 11:47 ` Jiri Olsa
2024-08-19 14:05 ` Jiri Olsa
2024-08-19 15:37 ` Steven Rostedt
2024-08-20 10:17 ` Jiri Olsa
2024-08-20 15:05 ` Steven Rostedt
2024-10-02 16:30 ` Jiri Olsa
2024-10-09 20:41 ` Jiri Olsa
2024-10-10 0:33 ` Josh Poimboeuf
2024-10-10 0:56 ` Steven Rostedt
2024-10-10 0:57 ` Steven Rostedt
2024-10-10 3:17 ` Josh Poimboeuf
2024-10-10 9:00 ` Jiri Olsa
2024-10-10 13:49 ` Steven Rostedt