From: sdf@google.com
To: Bruno Goncalves <bgoncalv@redhat.com>
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
	CKI Project <cki-project@redhat.com>, bpf <bpf@vger.kernel.org>
Subject: Re: [6.1.0][bpf] BUG: KASAN: slab-out-of-bounds in copy_array (kernel/bpf/verifier.c:1074)
Date: Mon, 19 Dec 2022 11:25:58 -0800	[thread overview]
Message-ID: <Y6C6xhAJ5w+j4NyU@google.com> (raw)
In-Reply-To: <CA+QYu4q_FhdnkdzTrzS9jhw-7CjEirWBtTKuB-cNozD1z2f8qg@mail.gmail.com>

On 12/19, Bruno Goncalves wrote:
> We recently started to hit the following issue on the mainline kernel
> [1], the call trace is from commit [2]. The first commit we noticed
> the problem is [3], although we don't know exactly when it was
> introduced.

Seems similar to https://lore.kernel.org/bpf/Y6C1SFEj9MOOnAnb@google.com/T/#t ?

> ==================================================================
> [   46.073262] BUG: KASAN: slab-out-of-bounds in copy_array (kernel/bpf/verifier.c:1074)
> [   46.074131] Write of size 40 at addr ffff8880079cf840 by task systemd/1
> [   46.075043]
> [   46.076104] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
> [   46.076926] Call Trace:
> [   46.077331]  <TASK>
> [   46.077670] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
> [   46.078240] print_report (mm/kasan/report.c:307 mm/kasan/report.c:417)
> [   46.078769] ? __virt_addr_valid (./include/linux/mmzone.h:1783 ./include/linux/mmzone.h:1879 arch/x86/mm/physaddr.c:65)
> [   46.079389] ? copy_array (kernel/bpf/verifier.c:1074)
> [   46.079885] kasan_report (mm/kasan/report.c:184 mm/kasan/report.c:519)
> [   46.080430] ? copy_array (kernel/bpf/verifier.c:1074)
> [   46.080929] ? kasan_check_range (mm/kasan/generic.c:190)
> [   46.081556] ? memcpy (mm/kasan/shadow.c:65 (discriminator 1))
> [   46.082006] ? copy_array (kernel/bpf/verifier.c:1074)
> [   46.082571] ? copy_verifier_state (kernel/bpf/verifier.c:1250)
> [   46.083231] ? pop_stack (kernel/bpf/verifier.c:1315)
> [   46.083718] ? do_check_common (kernel/bpf/verifier.c:14031 kernel/bpf/verifier.c:16289)
> [   46.084364] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4383)
> [   46.084979] ? __pfx_do_check_common (kernel/bpf/verifier.c:16225)
> [   46.085644] ? __kmem_cache_free (mm/slub.c:3787 mm/slub.c:3800)
> [   46.086244] ? check_cfg (kernel/bpf/verifier.c:12511)
> [   46.086766] ? bpf_check (kernel/bpf/verifier.c:16352 kernel/bpf/verifier.c:16936)
> [   46.087313] ? __pfx_bpf_check (kernel/bpf/verifier.c:16819)
> [   46.087878] ? __pfx___lock_acquire (kernel/locking/lockdep.c:4913)
> [   46.088548] ? lock_is_held_type (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5712)
> [   46.089122] ? find_held_lock (kernel/locking/lockdep.c:5179)
> [   46.089697] ? lock_release (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5690)
> [   46.090261] ? ktime_get_with_offset (./include/linux/seqlock.h:274 kernel/time/timekeeping.c:889)
> [   46.090921] ? __pfx_lock_release (kernel/locking/lockdep.c:5676)
> [   46.091521] ? __might_fault (mm/memory.c:5647 mm/memory.c:5640)
> [   46.092048] ? __might_resched (kernel/sched/core.c:9950)
> [   46.092650] ? memset (mm/kasan/shadow.c:44)
> [   46.093109] ? bpf_prog_load (kernel/bpf/syscall.c:2619)
> [   46.093722] ? __pfx_bpf_prog_load (kernel/bpf/syscall.c:2478)
> [   46.094357] ? lock_is_held_type (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5712)
> [   46.094963] ? __sys_bpf (kernel/bpf/syscall.c:4979)
> [   46.095496] ? __pfx___sys_bpf (kernel/bpf/syscall.c:4926)
> [   46.096073] ? mark_held_locks (kernel/locking/lockdep.c:4224)
> [   46.096658] ? __x64_sys_bpf (kernel/bpf/syscall.c:5081)
> [   46.097187] ? do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
> [   46.097753] ? entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
> [   46.098510]  </TASK>
> [   46.098830]
> [   46.099066] Allocated by task 1:
> [   46.099597] kasan_save_stack (mm/kasan/common.c:46)
> [   46.100146] kasan_set_track (mm/kasan/common.c:52)
> [   46.100705] __kasan_krealloc (mm/kasan/common.c:371 mm/kasan/common.c:439)
> [   46.101295] krealloc (./include/linux/kasan.h:231 mm/slab_common.c:1361 mm/slab_common.c:1398)
> [   46.101754] push_jmp_history (kernel/bpf/verifier.c:2593)
> [   46.102334] do_check_common (kernel/bpf/verifier.c:13552 kernel/bpf/verifier.c:13752 kernel/bpf/verifier.c:16289)
> [   46.102908] bpf_check (kernel/bpf/verifier.c:16352 kernel/bpf/verifier.c:16936)
> [   46.103439] bpf_prog_load (kernel/bpf/syscall.c:2619)
> [   46.103986] __sys_bpf (kernel/bpf/syscall.c:4979)
> [   46.104512] __x64_sys_bpf (kernel/bpf/syscall.c:5081)
> [   46.105012] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
> [   46.105613] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
> [   46.106377]
> [   46.106641] The buggy address belongs to the object at ffff8880079cf840
> [   46.106641]  which belongs to the cache kmalloc-64 of size 64
> [   46.108316] The buggy address is located 0 bytes inside of
> [   46.108316]  64-byte region [ffff8880079cf840, ffff8880079cf880)
> [   46.109904]
> [   46.110167] The buggy address belongs to the physical page:
> [   46.110981] page:ffffea00001e73c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880079cf040 pfn:0x79cf
> [   46.112490] flags: 0xfffffc0000200(slab|node=0|zone=1|lastcpupid=0x1fffff)
> [   46.113456] raw: 000fffffc0000200 ffff888100042900 ffffea00040605d0 ffff8881000406c8
> [   46.114534] raw: ffff8880079cf040 000000000010000a 00000001ffffffff 0000000000000000
> [   46.115617] page dumped because: kasan: bad access detected
> [   46.116394]
> [   46.116632] Memory state around the buggy address:
> [   46.117339]  ffff8880079cf700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [   46.118303]  ffff8880079cf780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [   46.119305] >ffff8880079cf800: fc fc fc fc fc fc fc fc 00 00 00 00 fc fc fc fc
> [   46.120328]                                                        ^
> [   46.121235]  ffff8880079cf880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [   46.122299]  ffff8880079cf900: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
> [   46.123316]
> ==================================================================

> kernel tarball:
> https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/725608072/publish%20x86_64%20debug/3491129543/artifacts/kernel-mainline.kernel.org-redhat_725608072_x86_64_debug.tar.gz

> kernel config:  
> https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/725608072/build%20x86_64%20debug/3491129500/artifacts/kernel-mainline.kernel.org-redhat_725608072_x86_64_debug.config

> test logs: https://datawarehouse.cki-project.org/kcidb/tests/6444438
> cki issue tracker: https://datawarehouse.cki-project.org/issue/1770

> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
> [2] f9ff5644bcc04221bae56f922122f2b7f5d24d62
> [3] 93761c93e9da28d8a020777cee2a84133082b477

> Thank you,
> Bruno Goncalves

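Added example, not part of this thread and not kernel code: a small Python helper for reading the shadow dump in a report like the one quoted above. Generic KASAN keeps one shadow byte per 8-byte granule, so the run of 00 bytes starting at the faulting granule tells you how many bytes KASAN currently treats as allocated, independently of the slab object size the report prints. On the report above it finds 32 addressable bytes at ffff8880079cf840 against a 40-byte write, inside a 64-byte kmalloc-64 object: the write stays within the slab object but runs 8 bytes past the size KASAN recorded for the allocation, which is the thing to confirm before assuming the copy reached a neighbouring object. The REPORT constant holds a subset of the quoted report's lines, deliberately kept with the '> ' quoting and the mail client's line wrapping so the parser has to re-join continuation lines.

```python
"""Decode the 'Memory state' shadow dump of a generic KASAN report.
One shadow byte covers an 8-byte granule: 00 = all 8 bytes addressable,
01..07 = only the first N bytes addressable, fc = slab redzone,
fa/fb = freed object, anything else = some other poison value."""
import re

GRANULE = 8
POISON = {0xfc: "slab redzone", 0xfa: "freed object (left)", 0xfb: "freed object"}

_ADDR = re.compile(r"^>?([0-9a-f]{16}):\s*((?:[0-9a-f]{2}\s*)+)$")
_HEX = re.compile(r"^((?:[0-9a-f]{2}\s*)+)$")
_ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")
_REGION = re.compile(r"(\d+)-byte region \[([0-9a-f]{16}), ([0-9a-f]{16})\)")

# Constructed input: a subset of the report quoted in this thread, kept with
# the '> ' quoting and the line wrapping added by the mail client.
REPORT = """\
> [   46.074131] Write of size 40 at addr ffff8880079cf840 by task systemd/1
> [   46.108316]  64-byte region [ffff8880079cf840, ffff8880079cf880)
> [   46.116632] Memory state around the buggy address:
> [   46.118303]  ffff8880079cf780: fc fc fc fc fc fc fc fc fc fc fc fc
> fc fc fc fc
> [   46.119305] >ffff8880079cf800: fc fc fc fc fc fc fc fc 00 00 00 00
> fc fc fc fc
> [   46.120328]                                                        ^
> [   46.121235]  ffff8880079cf880: fc fc fc fc fc fc fc fc fc fc fc fc
> fc fc fc fc
> [   46.122299]  ffff8880079cf900: fc fc fc fc fc fc fc fc fa fb fb fb
> fb fb fb fb
> ==================================================================
"""


def _clean(line):
    """Strip mail quote markers and the printk timestamp from one line."""
    line = re.sub(r"^[>\s]+", "", line)
    line = re.sub(r"^\[\s*[\d.]+\]\s*", "", line)
    return line.strip()


def parse_shadow(report):
    """Map every granule address in the shadow dump to its shadow byte.
    A line holding only hex bytes is a wrapped continuation of the previous
    address line and is appended at the running cursor."""
    shadow, cursor, in_block = {}, None, False
    for raw in report.splitlines():
        line = _clean(raw)
        if line.startswith("Memory state around"):
            in_block = True
            continue
        if not in_block:
            continue
        m = _ADDR.match(line)
        if m:
            cursor = int(m.group(1), 16)
            vals = bytes.fromhex(m.group(2).replace(" ", ""))
        elif cursor is not None and _HEX.match(line):
            vals = bytes.fromhex(line.replace(" ", ""))
        else:
            continue
        for v in vals:
            shadow[cursor] = v
            cursor += GRANULE
    return shadow


def accessible_bytes(shadow, addr):
    """Contiguous bytes addressable from addr according to the shadow."""
    total = 0
    granule = addr & ~(GRANULE - 1)
    offset = addr - granule
    while granule in shadow:
        v = shadow[granule]
        if v == 0:
            total += GRANULE - offset
        else:
            if 1 <= v < GRANULE:  # partial granule: tail of the object
                total += max(0, v - offset)
            return total
        granule, offset = granule + GRANULE, 0
    return total


def _describe(v):
    if v is None:
        return "outside dumped window"
    if 1 <= v < GRANULE:
        return "end of object inside granule"
    return POISON.get(v, f"poison {v:#04x}")


def triage(report):
    """Compare the faulting access with what the shadow says is allocated."""
    kind, size, addr = _ACCESS.search(report).groups()
    size, addr = int(size), int(addr, 16)
    shadow = parse_shadow(report)
    valid = accessible_bytes(shadow, addr)
    out = {"kind": kind, "access_size": size, "addr": addr,
           "accessible": valid, "overflow": max(0, size - valid),
           "first_bad": _describe(shadow.get((addr + valid) & ~(GRANULE - 1)))}
    region = _REGION.search(report)
    if region:
        rsize, rstart = int(region.group(1)), int(region.group(2), 16)
        out["region_size"] = rsize
        # slab object bytes beyond what KASAN currently treats as allocated
        out["slab_slack"] = rsize - (addr - rstart) - valid
    return out


if __name__ == "__main__":
    print(triage(REPORT))
```

Run it directly to print the summary for the embedded lines; feed triage() the full text of another report (quoted or not, wrapped or not) to check the same numbers there. A non-zero slab_slack with an overflow that still fits in region_size is the signature to look for when the allocation stack, as here, goes through krealloc.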

Thread overview: 2+ messages
2022-12-19 10:49 [6.1.0][bpf] BUG: KASAN: slab-out-of-bounds in copy_array (kernel/bpf/verifier.c:1074) Bruno Goncalves
2022-12-19 19:25 ` sdf [this message]
