* WARNING: kmalloc bug in bpf_uprobe_multi_link_attach
@ 2023-12-11 8:12 xingwei lee
2023-12-11 11:29 ` Hou Tao
0 siblings, 1 reply; 8+ messages in thread
From: xingwei lee @ 2023-12-11 8:12 UTC (permalink / raw)
To: ast
Cc: daniel, andrii, martin.lau, song, yonghong.song, john.fastabend,
kpsingh, sdf, haoluo, jolsa, rostedt, mhiramat, mathieu.desnoyers,
bpf, linux-kernel, linux-trace-kernel
Sorry for containing HTML part, repeat the mail
Hello I found a bug in net/bpf in the lastest upstream linux and
lastest net tree.
WARNING: kmalloc bug in bpf_uprobe_multi_link_attach
kernel: net 28a7cb045ab700de5554193a1642917602787784
Kernel config: https://github.com/google/syzkaller/commits/fc59b78e3174009510ed15f20665e7ab2435ebee
in the lastest net tree, the crash like:
[ 68.363836][ T8223] ------------[ cut here ]------------
[ 68.364967][ T8223] WARNING: CPU: 2 PID: 8223 at mm/util.c:632
kvmalloc_node+0x18a/0x1a0
[ 68.366527][ T8223] Modules linked in:
[ 68.367882][ T8223] CPU: 2 PID: 8223 Comm: 36d Not tainted
6.7.0-rc4-00146-g28a7cb045ab7 #2
[ 68.369260][ T8223] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.16.2-1.fc38 04/014
[ 68.370811][ T8223] RIP: 0010:kvmalloc_node+0x18a/0x1a0
[ 68.371689][ T8223] Code: dc 1c 00 eb aa e8 86 33 c6 ff 41 81 e4 00
20 00 00 31 ff 44 89 e6 e8 e5 20
[ 68.375001][ T8223] RSP: 0018:ffffc9001088fb68 EFLAGS: 00010293
[ 68.375989][ T8223] RAX: 0000000000000000 RBX: 00000037ffffcec8
RCX: ffffffff81c1a32b
[ 68.377154][ T8223] RDX: ffff88802cc00040 RSI: ffffffff81c1a339
RDI: 0000000000000005
[ 68.377950][ T8223] RBP: 0000000000000400 R08: 0000000000000005
R09: 0000000000000000
[ 68.378744][ T8223] R10: 0000000000000000 R11: 0000000000000000
R12: 0000000000000000
[ 68.379523][ T8223] R13: 00000000ffffffff R14: ffff888017eb4a28
R15: 0000000000000000
[ 68.380307][ T8223] FS: 0000000000827380(0000)
GS:ffff8880b9900000(0000) knlGS:0000000000000000
[ 68.381185][ T8223] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 68.381843][ T8223] CR2: 0000000020000140 CR3: 00000000204d2000
CR4: 0000000000750ef0
[ 68.382624][ T8223] PKRU: 55555554
[ 68.382978][ T8223] Call Trace:
[ 68.383312][ T8223] <TASK>
[ 68.383608][ T8223] ? show_regs+0x8f/0xa0
[ 68.384052][ T8223] ? __warn+0xe6/0x390
[ 68.384470][ T8223] ? kvmalloc_node+0x18a/0x1a0
[ 68.385111][ T8223] ? report_bug+0x3b9/0x580
[ 68.385585][ T8223] ? handle_bug+0x67/0x90
[ 68.386032][ T8223] ? exc_invalid_op+0x17/0x40
[ 68.386503][ T8223] ? asm_exc_invalid_op+0x1a/0x20
[ 68.387065][ T8223] ? kvmalloc_node+0x17b/0x1a0
[ 68.387551][ T8223] ? kvmalloc_node+0x189/0x1a0
[ 68.388051][ T8223] ? kvmalloc_node+0x18a/0x1a0
[ 68.388537][ T8223] ? kvmalloc_node+0x189/0x1a0
[ 68.389038][ T8223] bpf_uprobe_multi_link_attach+0x436/0xfb0
[ 68.389633][ T8223] ? __might_fault+0x13f/0x1a0
[ 68.390129][ T8223] ? bpf_kprobe_multi_link_attach+0x10/0x10
[ 68.390731][ T8223] ? __fget_light+0x1fc/0x260
[ 68.391206][ T8223] ? __sanitizer_cov_trace_switch+0x54/0x90
[ 68.391812][ T8223] __sys_bpf+0x3ea0/0x4840
[ 68.392267][ T8223] ? slab_free_freelist_hook+0x114/0x1e0
[ 68.393032][ T8223] ? bpf_perf_link_attach+0x540/0x540
[ 68.393580][ T8223] ? putname+0x12e/0x170
[ 68.394015][ T8223] ? kmem_cache_free+0xf8/0x350
[ 68.394509][ T8223] ? putname+0x12e/0x170
[ 68.394948][ T8223] ? do_sys_openat2+0xb1/0x1e0
[ 68.395442][ T8223] ? __x64_sys_creat+0xcd/0x120
[ 68.395945][ T8223] __x64_sys_bpf+0x78/0xc0
[ 68.396393][ T8223] ? syscall_enter_from_user_mode+0x7f/0x120
[ 68.397040][ T8223] do_syscall_64+0x41/0x110
[ 68.397502][ T8223] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 68.398098][ T8223] RIP: 0033:0x410ead
[ 68.398498][ T8223] Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3
0f 1e fa 48 89 f8 48 89 f7 48 88
[ 68.400432][ T8223] RSP: 002b:00007ffdbabd7098 EFLAGS: 00000246
ORIG_RAX: 0000000000000141
[ 68.401271][ T8223] RAX: ffffffffffffffda RBX: 00007ffdbabd7298
RCX: 0000000000410ead
[ 68.402063][ T8223] RDX: 0000000000000040 RSI: 0000000020000340
RDI: 000000000000001c
[ 68.402864][ T8223] RBP: 00007ffdbabd70b0 R08: 0000000000000000
R09: 0000000000000000
[ 68.403649][ T8223] R10: 0000000000000000 R11: 0000000000000246
R12: 000000000049be68
[ 68.404786][ T8223] R13: 0000000000000001 R14: 0000000000000001
R15: 0000000000000001
[ 68.405574][ T8223] </TASK>
[ 68.405890][ T8223] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 68.406611][ T8223] CPU: 2 PID: 8223 Comm: 36d Not tainted
6.7.0-rc4-00146-g28a7cb045ab7 #2
[ 68.407453][ T8223] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.16.2-1.fc38 04/014
[ 68.408386][ T8223] Call Trace:
[ 68.408723][ T8223] <TASK>
[ 68.409023][ T8223] dump_stack_lvl+0xd3/0x1b0
[ 68.409484][ T8223] panic+0x6dc/0x790
[ 68.409884][ T8223] ? panic_smp_self_stop+0xa0/0xa0
[ 68.410408][ T8223] ? show_trace_log_lvl+0x363/0x4f0
[ 68.410947][ T8223] ? check_panic_on_warn+0x1f/0xb0
[ 68.411458][ T8223] ? kvmalloc_node+0x18a/0x1a0
[ 68.411955][ T8223] check_panic_on_warn+0xab/0xb0
[ 68.412453][ T8223] __warn+0xf2/0x390
[ 68.412855][ T8223] ? kvmalloc_node+0x18a/0x1a0
[ 68.413334][ T8223] report_bug+0x3b9/0x580
[ 68.413778][ T8223] handle_bug+0x67/0x90
[ 68.414195][ T8223] exc_invalid_op+0x17/0x40
[ 68.414651][ T8223] asm_exc_invalid_op+0x1a/0x20
[ 68.415150][ T8223] RIP: 0010:kvmalloc_node+0x18a/0x1a0
[ 68.415693][ T8223] Code: dc 1c 00 eb aa e8 86 33 c6 ff 41 81 e4 00
20 00 00 31 ff 44 89 e6 e8 e5 20
[ 68.417651][ T8223] RSP: 0018:ffffc9001088fb68 EFLAGS: 00010293
[ 68.418279][ T8223] RAX: 0000000000000000 RBX: 00000037ffffcec8
RCX: ffffffff81c1a32b
[ 68.419090][ T8223] RDX: ffff88802cc00040 RSI: ffffffff81c1a339
RDI: 0000000000000005
[ 68.419884][ T8223] RBP: 0000000000000400 R08: 0000000000000005
R09: 0000000000000000
[ 68.420678][ T8223] R10: 0000000000000000 R11: 0000000000000000
R12: 0000000000000000
[ 68.421474][ T8223] R13: 00000000ffffffff R14: ffff888017eb4a28
R15: 0000000000000000
[ 68.422287][ T8223] ? kvmalloc_node+0x17b/0x1a0
[ 68.422780][ T8223] ? kvmalloc_node+0x189/0x1a0
[ 68.423270][ T8223] ? kvmalloc_node+0x189/0x1a0
[ 68.423769][ T8223] bpf_uprobe_multi_link_attach+0x436/0xfb0
[ 68.424372][ T8223] ? __might_fault+0x13f/0x1a0
[ 68.424860][ T8223] ? bpf_kprobe_multi_link_attach+0x10/0x10
[ 68.425462][ T8223] ? __fget_light+0x1fc/0x260
[ 68.425951][ T8223] ? __sanitizer_cov_trace_switch+0x54/0x90
[ 68.426545][ T8223] __sys_bpf+0x3ea0/0x4840
[ 68.427005][ T8223] ? slab_free_freelist_hook+0x114/0x1e0
[ 68.427583][ T8223] ? bpf_perf_link_attach+0x540/0x540
[ 68.428133][ T8223] ? putname+0x12e/0x170
[ 68.428564][ T8223] ? kmem_cache_free+0xf8/0x350
[ 68.429079][ T8223] ? putname+0x12e/0x170
[ 68.429519][ T8223] ? do_sys_openat2+0xb1/0x1e0
[ 68.430029][ T8223] ? __x64_sys_creat+0xcd/0x120
[ 68.430536][ T8223] __x64_sys_bpf+0x78/0xc0
[ 68.431000][ T8223] ? syscall_enter_from_user_mode+0x7f/0x120
[ 68.431623][ T8223] do_syscall_64+0x41/0x110
[ 68.432099][ T8223] entry_SYSCALL_64_after_hwframe+0x63/0x6b
[ 68.432708][ T8223] RIP: 0033:0x410ead
[ 68.433117][ T8223] Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3
0f 1e fa 48 89 f8 48 89 f7 48 88
[ 68.435240][ T8223] RSP: 002b:00007ffdbabd7098 EFLAGS: 00000246
ORIG_RAX: 0000000000000141
[ 68.436087][ T8223] RAX: ffffffffffffffda RBX: 00007ffdbabd7298
RCX: 0000000000410ead
[ 68.436898][ T8223] RDX: 0000000000000040 RSI: 0000000020000340
RDI: 000000000000001c
[ 68.437697][ T8223] RBP: 00007ffdbabd70b0 R08: 0000000000000000
R09: 0000000000000000
[ 68.438499][ T8223] R10: 0000000000000000 R11: 0000000000000246
R12: 000000000049be68
[ 68.439305][ T8223] R13: 0000000000000001 R14: 0000000000000001
R15: 0000000000000001
[ 68.440115][ T8223] </TASK>
[ 68.440773][ T8223] Kernel Offset: disabled
[ 68.441251][ T8223] Rebooting in 86400 seconds..
=* repro.c =*
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
*(type*)(addr) = \
htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
(((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
uint64_t r[1] = {0xffffffffffffffff};
int main(void) {
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
intptr_t res = 0;
*(uint32_t*)0x20000140 = 2;
*(uint32_t*)0x20000144 = 3;
*(uint64_t*)0x20000148 = 0x20000200;
*(uint8_t*)0x20000200 = 0x18;
STORE_BY_BITMASK(uint8_t, , 0x20000201, 0, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x20000201, 0, 4, 4);
*(uint16_t*)0x20000202 = 0;
*(uint32_t*)0x20000204 = 0;
*(uint8_t*)0x20000208 = 0;
*(uint8_t*)0x20000209 = 0;
*(uint16_t*)0x2000020a = 0;
*(uint32_t*)0x2000020c = 0;
*(uint8_t*)0x20000210 = 0x95;
*(uint8_t*)0x20000211 = 0;
*(uint16_t*)0x20000212 = 0;
*(uint32_t*)0x20000214 = 0;
*(uint64_t*)0x20000150 = 0x20000240;
memcpy((void*)0x20000240, "GPL\000", 4);
*(uint32_t*)0x20000158 = 0;
*(uint32_t*)0x2000015c = 0;
*(uint64_t*)0x20000160 = 0;
*(uint32_t*)0x20000168 = 0;
*(uint32_t*)0x2000016c = 0;
memset((void*)0x20000170, 0, 16);
*(uint32_t*)0x20000180 = 0;
*(uint32_t*)0x20000184 = 0x30;
*(uint32_t*)0x20000188 = 0;
*(uint32_t*)0x2000018c = 0;
*(uint64_t*)0x20000190 = 0;
*(uint32_t*)0x20000198 = 0;
*(uint32_t*)0x2000019c = 0;
*(uint64_t*)0x200001a0 = 0;
*(uint32_t*)0x200001a8 = 0;
*(uint32_t*)0x200001ac = 0;
*(uint32_t*)0x200001b0 = 0;
*(uint32_t*)0x200001b4 = 0;
*(uint64_t*)0x200001b8 = 0;
*(uint64_t*)0x200001c0 = 0;
*(uint32_t*)0x200001c8 = 0;
*(uint32_t*)0x200001cc = 0;
res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000140ul, /*size=*/0x90ul);
if (res != -1) r[0] = res;
memcpy((void*)0x20000000, "./file0\000", 8);
syscall(__NR_creat, /*file=*/0x20000000ul, /*mode=*/0ul);
*(uint32_t*)0x20000340 = r[0];
*(uint32_t*)0x20000344 = 0;
*(uint32_t*)0x20000348 = 0x30;
*(uint32_t*)0x2000034c = 0;
*(uint64_t*)0x20000350 = 0x20000080;
memcpy((void*)0x20000080, "./file0\000", 8);
*(uint64_t*)0x20000358 = 0x200000c0;
*(uint64_t*)0x200000c0 = 0;
*(uint64_t*)0x20000360 = 0;
*(uint64_t*)0x20000368 = 0;
*(uint32_t*)0x20000370 = 0xffffff1f;
*(uint32_t*)0x20000374 = 0;
*(uint32_t*)0x20000378 = 0;
syscall(__NR_bpf, /*cmd=*/0x1cul, /*arg=*/0x20000340ul, /*size=*/0x40ul);
return 0;
}
=* repro.txt =*
r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3,
&(0x7f0000000200)=@framed, &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0,
0x0, 0x0, '\x00', 0x0, 0x30, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
creat(&(0x7f0000000000)='./file0\x00', 0x0)
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000340)={r0, 0x0, 0x30, 0x0,
@val=@uprobe_multi={&(0x7f0000000080)='./file0\x00',
&(0x7f00000000c0)=[0x0], 0x0, 0x0, 0xffffff1f}}, 0x40)
See aslo https://gist.github.com/xrivendell7/15d43946c73aa13247b4b20b68798aaa
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: WARNING: kmalloc bug in bpf_uprobe_multi_link_attach
[not found] <CABOYnLz2e+_0P88RgoDy6epWz9xrM2zhfMQdVrcjNiPqrFcBeQ@mail.gmail.com>
@ 2023-12-11 11:22 ` Masami Hiramatsu
0 siblings, 0 replies; 8+ messages in thread
From: Masami Hiramatsu @ 2023-12-11 11:22 UTC (permalink / raw)
To: xingwei lee, Jiri Olsa
Cc: ast, daniel, andrii, martin.lau, song, yonghong.song,
john.fastabend, kpsingh, sdf, haoluo, jolsa, rostedt, mhiramat,
mathieu.desnoyers, bpf, linux-kernel, linux-trace-kernel
On Mon, 11 Dec 2023 16:10:32 +0800
xingwei lee <xrivendell7@gmail.com> wrote:
> Hello I found a bug in net/bpf in the lastest upstream linux and lastest
> net tree.
> WARNING: kmalloc bug in bpf_uprobe_multi_link_attach
Hmm, uprobe_multi is recently introduced and it seems a normal
uprobes unlike kprobe_multi (which uses fprobe instead of kprobe).
The warning warns that the required size is bigger than INT_MAX. Maybe
too many links or uprobes were going to be allocated?
Thanks,
>
> kernel: net 28a7cb045ab700de5554193a1642917602787784
> Kernel config:
> https://github.com/google/syzkaller/commits/fc59b78e3174009510ed15f20665e7ab2435ebee
>
> in the lastestcrash like:
>
> [ 68.363836][ T8223] ------------[ cut here ]------------
> [ 68.364967][ T8223] WARNING: CPU: 2 PID: 8223 at mm/util.c:632
> kvmalloc_node+0x18a/0x1a0
> [ 68.366527][ T8223] Modules linked in:
> [ 68.367882][ T8223] CPU: 2 PID: 8223 Comm: 36d Not tainted
> 6.7.0-rc4-00146-g28a7cb045ab7 #2
> [ 68.369260][ T8223] Hardware name: QEMU Standard PC (i440FX + PIIX,
> 1996), BIOS 1.16.2-1.fc38 04/014
> [ 68.370811][ T8223] RIP: 0010:kvmalloc_node+0x18a/0x1a0
> [ 68.371689][ T8223] Code: dc 1c 00 eb aa e8 86 33 c6 ff 41 81 e4 00 20
> 00 00 31 ff 44 89 e6 e8 e5 20
> [ 68.375001][ T8223] RSP: 0018:ffffc9001088fb68 EFLAGS: 00010293
> [ 68.375989][ T8223] RAX: 0000000000000000 RBX: 00000037ffffcec8 RCX:
> ffffffff81c1a32b
> [ 68.377154][ T8223] RDX: ffff88802cc00040 RSI: ffffffff81c1a339 RDI:
> 0000000000000005
> [ 68.377950][ T8223] RBP: 0000000000000400 R08: 0000000000000005 R09:
> 0000000000000000
> [ 68.378744][ T8223] R10: 0000000000000000 R11: 0000000000000000 R12:
> 0000000000000000
> [ 68.379523][ T8223] R13: 00000000ffffffff R14: ffff888017eb4a28 R15:
> 0000000000000000
> [ 68.380307][ T8223] FS: 0000000000827380(0000)
> GS:ffff8880b9900000(0000) knlGS:0000000000000000
> [ 68.381185][ T8223] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 68.381843][ T8223] CR2: 0000000020000140 CR3: 00000000204d2000 CR4:
> 0000000000750ef0
> [ 68.382624][ T8223] PKRU: 55555554
> [ 68.382978][ T8223] Call Trace:
> [ 68.383312][ T8223] <TASK>
> [ 68.383608][ T8223] ? show_regs+0x8f/0xa0
> [ 68.384052][ T8223] ? __warn+0xe6/0x390
> [ 68.384470][ T8223] ? kvmalloc_node+0x18a/0x1a0
> [ 68.385111][ T8223] ? report_bug+0x3b9/0x580
> [ 68.385585][ T8223] ? handle_bug+0x67/0x90
> [ 68.386032][ T8223] ? exc_invalid_op+0x17/0x40
> [ 68.386503][ T8223] ? asm_exc_invalid_op+0x1a/0x20
> [ 68.387065][ T8223] ? kvmalloc_node+0x17b/0x1a0
> [ 68.387551][ T8223] ? kvmalloc_node+0x189/0x1a0
> [ 68.388051][ T8223] ? kvmalloc_node+0x18a/0x1a0
> [ 68.388537][ T8223] ? kvmalloc_node+0x189/0x1a0
> [ 68.389038][ T8223] bpf_uprobe_multi_link_attach+0x436/0xfb0
> [ 68.389633][ T8223] ? __might_fault+0x13f/0x1a0
> [ 68.390129][ T8223] ? bpf_kprobe_multi_link_attach+0x10/0x10
> [ 68.390731][ T8223] ? __fget_light+0x1fc/0x260
> [ 68.391206][ T8223] ? __sanitizer_cov_trace_switch+0x54/0x90
> [ 68.391812][ T8223] __sys_bpf+0x3ea0/0x4840
> [ 68.392267][ T8223] ? slab_free_freelist_hook+0x114/0x1e0
> [ 68.393032][ T8223] ? bpf_perf_link_attach+0x540/0x540
> [ 68.393580][ T8223] ? putname+0x12e/0x170
> [ 68.394015][ T8223] ? kmem_cache_free+0xf8/0x350
> [ 68.394509][ T8223] ? putname+0x12e/0x170
> [ 68.394948][ T8223] ? do_sys_openat2+0xb1/0x1e0
> [ 68.395442][ T8223] ? __x64_sys_creat+0xcd/0x120
> [ 68.395945][ T8223] __x64_sys_bpf+0x78/0xc0
> [ 68.396393][ T8223] ? syscall_enter_from_user_mode+0x7f/0x120
> [ 68.397040][ T8223] do_syscall_64+0x41/0x110
> [ 68.397502][ T8223] entry_SYSCALL_64_after_hwframe+0x63/0x6b
> [ 68.398098][ T8223] RIP: 0033:0x410ead
> [ 68.398498][ T8223] Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f
> 1e fa 48 89 f8 48 89 f7 48 88
> [ 68.400432][ T8223] RSP: 002b:00007ffdbabd7098 EFLAGS: 00000246
> ORIG_RAX: 0000000000000141
> [ 68.401271][ T8223] RAX: ffffffffffffffda RBX: 00007ffdbabd7298 RCX:
> 0000000000410ead
> [ 68.402063][ T8223] RDX: 0000000000000040 RSI: 0000000020000340 RDI:
> 000000000000001c
> [ 68.402864][ T8223] RBP: 00007ffdbabd70b0 R08: 0000000000000000 R09:
> 0000000000000000
> [ 68.403649][ T8223] R10: 0000000000000000 R11: 0000000000000246 R12:
> 000000000049be68
> [ 68.404786][ T8223] R13: 0000000000000001 R14: 0000000000000001 R15:
> 0000000000000001
> [ 68.405574][ T8223] </TASK>
> [ 68.405890][ T8223] Kernel panic - not syncing: kernel: panic_on_warn
> set ...
> [ 68.406611][ T8223] CPU: 2 PID: 8223 Comm: 36d Not tainted
> 6.7.0-rc4-00146-g28a7cb045ab7 #2
> [ 68.407453][ T8223] Hardware name: QEMU Standard PC (i440FX + PIIX,
> 1996), BIOS 1.16.2-1.fc38 04/014
> [ 68.408386][ T8223] Call Trace:
> [ 68.408723][ T8223] <TASK>
> [ 68.409023][ T8223] dump_stack_lvl+0xd3/0x1b0
> [ 68.409484][ T8223] panic+0x6dc/0x790
> [ 68.409884][ T8223] ? panic_smp_self_stop+0xa0/0xa0
> [ 68.410408][ T8223] ? show_trace_log_lvl+0x363/0x4f0
> [ 68.410947][ T8223] ? check_panic_on_warn+0x1f/0xb0
> [ 68.411458][ T8223] ? kvmalloc_node+0x18a/0x1a0
> [ 68.411955][ T8223] check_panic_on_warn+0xab/0xb0
> [ 68.412453][ T8223] __warn+0xf2/0x390
> [ 68.412855][ T8223] ? kvmalloc_node+0x18a/0x1a0
> [ 68.413334][ T8223] report_bug+0x3b9/0x580
> [ 68.413778][ T8223] handle_bug+0x67/0x90
> [ 68.414195][ T8223] exc_invalid_op+0x17/0x40
> [ 68.414651][ T8223] asm_exc_invalid_op+0x1a/0x20
> [ 68.415150][ T8223] RIP: 0010:kvmalloc_node+0x18a/0x1a0
> [ 68.415693][ T8223] Code: dc 1c 00 eb aa e8 86 33 c6 ff 41 81 e4 00 20
> 00 00 31 ff 44 89 e6 e8 e5 20
> [ 68.417651][ T8223] RSP: 0018:ffffc9001088fb68 EFLAGS: 00010293
> [ 68.418279][ T8223] RAX: 0000000000000000 RBX: 00000037ffffcec8 RCX:
> ffffffff81c1a32b
> [ 68.419090][ T8223] RDX: ffff88802cc00040 RSI: ffffffff81c1a339 RDI:
> 0000000000000005
> [ 68.419884][ T8223] RBP: 0000000000000400 R08: 0000000000000005 R09:
> 0000000000000000
> [ 68.420678][ T8223] R10: 0000000000000000 R11: 0000000000000000 R12:
> 0000000000000000
> [ 68.421474][ T8223] R13: 00000000ffffffff R14: ffff888017eb4a28 R15:
> 0000000000000000
> [ 68.422287][ T8223] ? kvmalloc_node+0x17b/0x1a0
> [ 68.422780][ T8223] ? kvmalloc_node+0x189/0x1a0
> [ 68.423270][ T8223] ? kvmalloc_node+0x189/0x1a0
> [ 68.423769][ T8223] bpf_uprobe_multi_link_attach+0x436/0xfb0
> [ 68.424372][ T8223] ? __might_fault+0x13f/0x1a0
> [ 68.424860][ T8223] ? bpf_kprobe_multi_link_attach+0x10/0x10
> [ 68.425462][ T8223] ? __fget_light+0x1fc/0x260
> [ 68.425951][ T8223] ? __sanitizer_cov_trace_switch+0x54/0x90
> [ 68.426545][ T8223] __sys_bpf+0x3ea0/0x4840
> [ 68.427005][ T8223] ? slab_free_freelist_hook+0x114/0x1e0
> [ 68.427583][ T8223] ? bpf_perf_link_attach+0x540/0x540
> [ 68.428133][ T8223] ? putname+0x12e/0x170
> [ 68.428564][ T8223] ? kmem_cache_free+0xf8/0x350
> [ 68.429079][ T8223] ? putname+0x12e/0x170
> [ 68.429519][ T8223] ? do_sys_openat2+0xb1/0x1e0
> [ 68.430029][ T8223] ? __x64_sys_creat+0xcd/0x120
> [ 68.430536][ T8223] __x64_sys_bpf+0x78/0xc0
> [ 68.431000][ T8223] ? syscall_enter_from_user_mode+0x7f/0x120
> [ 68.431623][ T8223] do_syscall_64+0x41/0x110
> [ 68.432099][ T8223] entry_SYSCALL_64_after_hwframe+0x63/0x6b
> [ 68.432708][ T8223] RIP: 0033:0x410ead
> [ 68.433117][ T8223] Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f
> 1e fa 48 89 f8 48 89 f7 48 88
> [ 68.435240][ T8223] RSP: 002b:00007ffdbabd7098 EFLAGS: 00000246
> ORIG_RAX: 0000000000000141
> [ 68.436087][ T8223] RAX: ffffffffffffffda RBX: 00007ffdbabd7298 RCX:
> 0000000000410ead
> [ 68.436898][ T8223] RDX: 0000000000000040 RSI: 0000000020000340 RDI:
> 000000000000001c
> [ 68.437697][ T8223] RBP: 00007ffdbabd70b0 R08: 0000000000000000 R09:
> 0000000000000000
> [ 68.438499][ T8223] R10: 0000000000000000 R11: 0000000000000246 R12:
> 000000000049be68
> [ 68.439305][ T8223] R13: 0000000000000001 R14: 0000000000000001 R15:
> 0000000000000001
> [ 68.440115][ T8223] </TASK>
> [ 68.440773][ T8223] Kernel Offset: disabled
> [ 68.441251][ T8223] Rebooting in 86400 seconds..
>
> =* repro.c =*
> // autogenerated by syzkaller (https://github.com/google/syzkaller)
>
> #define _GNU_SOURCE
>
> #include <endian.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <sys/types.h>
> #include <unistd.h>
>
> #ifndef __NR_bpf
> #define __NR_bpf 321
> #endif
>
> #define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
> #define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
> *(type*)(addr) = \
> htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
> (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
>
> uint64_t r[1] = {0xffffffffffffffff};
>
> int main(void) {
> syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
> /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
> syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
> /*prot=*/7ul,
> /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
> syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
> /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
> intptr_t res = 0;
> *(uint32_t*)0x20000140 = 2;
> *(uint32_t*)0x20000144 = 3;
> *(uint64_t*)0x20000148 = 0x20000200;
> *(uint8_t*)0x20000200 = 0x18;
> STORE_BY_BITMASK(uint8_t, , 0x20000201, 0, 0, 4);
> STORE_BY_BITMASK(uint8_t, , 0x20000201, 0, 4, 4);
> *(uint16_t*)0x20000202 = 0;
> *(uint32_t*)0x20000204 = 0;
> *(uint8_t*)0x20000208 = 0;
> *(uint8_t*)0x20000209 = 0;
> *(uint16_t*)0x2000020a = 0;
> *(uint32_t*)0x2000020c = 0;
> *(uint8_t*)0x20000210 = 0x95;
> *(uint8_t*)0x20000211 = 0;
> *(uint16_t*)0x20000212 = 0;
> *(uint32_t*)0x20000214 = 0;
> *(uint64_t*)0x20000150 = 0x20000240;
> memcpy((void*)0x20000240, "GPL\000", 4);
> *(uint32_t*)0x20000158 = 0;
> *(uint32_t*)0x2000015c = 0;
> *(uint64_t*)0x20000160 = 0;
> *(uint32_t*)0x20000168 = 0;
> *(uint32_t*)0x2000016c = 0;
> memset((void*)0x20000170, 0, 16);
> *(uint32_t*)0x20000180 = 0;
> *(uint32_t*)0x20000184 = 0x30;
> *(uint32_t*)0x20000188 = 0;
> *(uint32_t*)0x2000018c = 0;
> *(uint64_t*)0x20000190 = 0;
> *(uint32_t*)0x20000198 = 0;
> *(uint32_t*)0x2000019c = 0;
> *(uint64_t*)0x200001a0 = 0;
> *(uint32_t*)0x200001a8 = 0;
> *(uint32_t*)0x200001ac = 0;
> *(uint32_t*)0x200001b0 = 0;
> *(uint32_t*)0x200001b4 = 0;
> *(uint64_t*)0x200001b8 = 0;
> *(uint64_t*)0x200001c0 = 0;
> *(uint32_t*)0x200001c8 = 0;
> *(uint32_t*)0x200001cc = 0;
> res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000140ul,
> /*size=*/0x90ul);
> if (res != -1) r[0] = res;
> memcpy((void*)0x20000000, "./file0\000", 8);
> syscall(__NR_creat, /*file=*/0x20000000ul, /*mode=*/0ul);
> *(uint32_t*)0x20000340 = r[0];
> *(uint32_t*)0x20000344 = 0;
> *(uint32_t*)0x20000348 = 0x30;
> *(uint32_t*)0x2000034c = 0;
> *(uint64_t*)0x20000350 = 0x20000080;
> memcpy((void*)0x20000080, "./file0\000", 8);
> *(uint64_t*)0x20000358 = 0x200000c0;
> *(uint64_t*)0x200000c0 = 0;
> *(uint64_t*)0x20000360 = 0;
> *(uint64_t*)0x20000368 = 0;
> *(uint32_t*)0x20000370 = 0xffffff1f;
> *(uint32_t*)0x20000374 = 0;
> *(uint32_t*)0x20000378 = 0;
> syscall(__NR_bpf, /*cmd=*/0x1cul, /*arg=*/0x20000340ul, /*size=*/0x40ul);
> return 0;
> }
>
> =* repro.txt =*
> r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3,
> &(0x7f0000000200)=@framed, &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0,
> 0x0, '\x00', 0x0, 0x30, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
> 0x0, 0x0, 0x0}, 0x90)
> creat(&(0x7f0000000000)='./file0\x00', 0x0)
> bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000340)={r0, 0x0, 0x30, 0x0,
> @val=@uprobe_multi={&(0x7f0000000080)='./file0\x00',
> &(0x7f00000000c0)=[0x0], 0x0, 0x0, 0xffffff1f}}, 0x40)
>
>
> See aslo
> https://gist.github.com/xrivendell7/15d43946c73aa13247b4b20b68798aaa
--
Masami Hiramatsu (Google) <mhiramat@kernel.org>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: WARNING: kmalloc bug in bpf_uprobe_multi_link_attach
2023-12-11 8:12 WARNING: kmalloc bug in bpf_uprobe_multi_link_attach xingwei lee
@ 2023-12-11 11:29 ` Hou Tao
2023-12-11 13:01 ` Jiri Olsa
0 siblings, 1 reply; 8+ messages in thread
From: Hou Tao @ 2023-12-11 11:29 UTC (permalink / raw)
To: xingwei lee, ast
Cc: daniel, andrii, martin.lau, song, yonghong.song, john.fastabend,
kpsingh, sdf, haoluo, jolsa, rostedt, mhiramat, mathieu.desnoyers,
bpf, linux-kernel, linux-trace-kernel
Hi,
On 12/11/2023 4:12 PM, xingwei lee wrote:
> Sorry for containing HTML part, repeat the mail
> Hello I found a bug in net/bpf in the lastest upstream linux and
> lastest net tree.
> WARNING: kmalloc bug in bpf_uprobe_multi_link_attach
>
> kernel: net 28a7cb045ab700de5554193a1642917602787784
> Kernel config: https://github.com/google/syzkaller/commits/fc59b78e3174009510ed15f20665e7ab2435ebee
>
> in the lastest net tree, the crash like:
>
> [ 68.363836][ T8223] ------------[ cut here ]------------
> [ 68.364967][ T8223] WARNING: CPU: 2 PID: 8223 at mm/util.c:632
> kvmalloc_node+0x18a/0x1a0
> [ 68.366527][ T8223] Modules linked in:
> [ 68.367882][ T8223] CPU: 2 PID: 8223 Comm: 36d Not tainted
> 6.7.0-rc4-00146-g28a7cb045ab7 #2
> [ 68.369260][ T8223] Hardware name: QEMU Standard PC (i440FX + PIIX,
> 1996), BIOS 1.16.2-1.fc38 04/014
> [ 68.370811][ T8223] RIP: 0010:kvmalloc_node+0x18a/0x1a0
> [ 68.371689][ T8223] Code: dc 1c 00 eb aa e8 86 33 c6 ff 41 81 e4 00
> 20 00 00 31 ff 44 89 e6 e8 e5 20
> [ 68.375001][ T8223] RSP: 0018:ffffc9001088fb68 EFLAGS: 00010293
> [ 68.375989][ T8223] RAX: 0000000000000000 RBX: 00000037ffffcec8
> RCX: ffffffff81c1a32b
> [ 68.377154][ T8223] RDX: ffff88802cc00040 RSI: ffffffff81c1a339
> RDI: 0000000000000005
> [ 68.377950][ T8223] RBP: 0000000000000400 R08: 0000000000000005
> R09: 0000000000000000
> [ 68.378744][ T8223] R10: 0000000000000000 R11: 0000000000000000
> R12: 0000000000000000
> [ 68.379523][ T8223] R13: 00000000ffffffff R14: ffff888017eb4a28
> R15: 0000000000000000
> [ 68.380307][ T8223] FS: 0000000000827380(0000)
> GS:ffff8880b9900000(0000) knlGS:0000000000000000
> [ 68.381185][ T8223] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 68.381843][ T8223] CR2: 0000000020000140 CR3: 00000000204d2000
> CR4: 0000000000750ef0
> [ 68.382624][ T8223] PKRU: 55555554
> [ 68.382978][ T8223] Call Trace:
> [ 68.383312][ T8223] <TASK>
> [ 68.383608][ T8223] ? show_regs+0x8f/0xa0
> [ 68.384052][ T8223] ? __warn+0xe6/0x390
> [ 68.384470][ T8223] ? kvmalloc_node+0x18a/0x1a0
> [ 68.385111][ T8223] ? report_bug+0x3b9/0x580
> [ 68.385585][ T8223] ? handle_bug+0x67/0x90
> [ 68.386032][ T8223] ? exc_invalid_op+0x17/0x40
> [ 68.386503][ T8223] ? asm_exc_invalid_op+0x1a/0x20
> [ 68.387065][ T8223] ? kvmalloc_node+0x17b/0x1a0
> [ 68.387551][ T8223] ? kvmalloc_node+0x189/0x1a0
> [ 68.388051][ T8223] ? kvmalloc_node+0x18a/0x1a0
> [ 68.388537][ T8223] ? kvmalloc_node+0x189/0x1a0
> [ 68.389038][ T8223] bpf_uprobe_multi_link_attach+0x436/0xfb0
It seems a big attr->link_create.uprobe_multi.cnt is passed to
bpf_uprobe_multi_link_attach(). Could you please try the first patch in
the following patch set ?
https://lore.kernel.org/bpf/20231211112843.4147157-1-houtao@huaweicloud.com/T/#t
> [ 68.389633][ T8223] ? __might_fault+0x13f/0x1a0
> [ 68.390129][ T8223] ? bpf_kprobe_multi_link_attach+0x10/0x10
SNIP
> res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000140ul, /*size=*/0x90ul);
> if (res != -1) r[0] = res;
> memcpy((void*)0x20000000, "./file0\000", 8);
> syscall(__NR_creat, /*file=*/0x20000000ul, /*mode=*/0ul);
> *(uint32_t*)0x20000340 = r[0];
> *(uint32_t*)0x20000344 = 0;
> *(uint32_t*)0x20000348 = 0x30;
> *(uint32_t*)0x2000034c = 0;
> *(uint64_t*)0x20000350 = 0x20000080;
> memcpy((void*)0x20000080, "./file0\000", 8);
0x20000350 is the address of attr->link_create.uprobe_multi.path.
> *(uint64_t*)0x20000358 = 0x200000c0;
> *(uint64_t*)0x200000c0 = 0;
> *(uint64_t*)0x20000360 = 0;
> *(uint64_t*)0x20000368 = 0;
> *(uint32_t*)0x20000370 = 0xffffff1f;
The value of attr->link_create.uprobe_multi.cnt is 0xffffff1f, so
0xffffff1f * sizeof(bpf_uprobe) will be greater than INT_MAX, and
triggers the warning in mm/util.c:
/* Don't even allow crazy sizes */
if (unlikely(size > INT_MAX)) {
WARN_ON_ONCE(!(flags & __GFP_NOWARN));
return NULL;
}
Adding __GFP_NOWARN when doing kvcalloc() can fix the warning.
> *(uint32_t*)0x20000374 = 0;
> *(uint32_t*)0x20000378 = 0;
> syscall(__NR_bpf, /*cmd=*/0x1cul, /*arg=*/0x20000340ul, /*size=*/0x40ul);
> return 0;
> }
>
> =* repro.txt =*
> r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3,
> &(0x7f0000000200)=@framed, &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0,
> 0x0, 0x0, '\x00', 0x0, 0x30, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
> 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
> creat(&(0x7f0000000000)='./file0\x00', 0x0)
> bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000340)={r0, 0x0, 0x30, 0x0,
> @val=@uprobe_multi={&(0x7f0000000080)='./file0\x00',
> &(0x7f00000000c0)=[0x0], 0x0, 0x0, 0xffffff1f}}, 0x40
>
>
> See aslo https://gist.github.com/xrivendell7/15d43946c73aa13247b4b20b68798aaa
>
> .
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: WARNING: kmalloc bug in bpf_uprobe_multi_link_attach
2023-12-11 11:29 ` Hou Tao
@ 2023-12-11 13:01 ` Jiri Olsa
2023-12-11 14:34 ` Jiri Olsa
0 siblings, 1 reply; 8+ messages in thread
From: Jiri Olsa @ 2023-12-11 13:01 UTC (permalink / raw)
To: Hou Tao, mhiramat
Cc: xingwei lee, ast, daniel, andrii, martin.lau, song, yonghong.song,
john.fastabend, kpsingh, sdf, haoluo, rostedt, mathieu.desnoyers,
bpf, linux-kernel, linux-trace-kernel
On Mon, Dec 11, 2023 at 07:29:40PM +0800, Hou Tao wrote:
SNIP
>
> It seems a big attr->link_create.uprobe_multi.cnt is passed to
> bpf_uprobe_multi_link_attach(). Could you please try the first patch in
> the following patch set ?
>
> https://lore.kernel.org/bpf/20231211112843.4147157-1-houtao@huaweicloud.com/T/#t
> > [ 68.389633][ T8223] ? __might_fault+0x13f/0x1a0
> > [ 68.390129][ T8223] ? bpf_kprobe_multi_link_attach+0x10/0x10
>
> SNIP
> > res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000140ul, /*size=*/0x90ul);
> > if (res != -1) r[0] = res;
> > memcpy((void*)0x20000000, "./file0\000", 8);
> > syscall(__NR_creat, /*file=*/0x20000000ul, /*mode=*/0ul);
> > *(uint32_t*)0x20000340 = r[0];
> > *(uint32_t*)0x20000344 = 0;
> > *(uint32_t*)0x20000348 = 0x30;
> > *(uint32_t*)0x2000034c = 0;
> > *(uint64_t*)0x20000350 = 0x20000080;
> > memcpy((void*)0x20000080, "./file0\000", 8);
>
> 0x20000350 is the address of attr->link_create.uprobe_multi.path.
> > *(uint64_t*)0x20000358 = 0x200000c0;
> > *(uint64_t*)0x200000c0 = 0;
> > *(uint64_t*)0x20000360 = 0;
> > *(uint64_t*)0x20000368 = 0;
> > *(uint32_t*)0x20000370 = 0xffffff1f;
>
> The value of attr->link_create.uprobe_multi.cnt is 0xffffff1f, so
> 0xffffff1f * sizeof(bpf_uprobe) will be greater than INT_MAX, and
> triggers the warning in mm/util.c:
>
> /* Don't even allow crazy sizes */
> if (unlikely(size > INT_MAX)) {
> WARN_ON_ONCE(!(flags & __GFP_NOWARN));
> return NULL;
> }
>
> Adding __GFP_NOWARN when doing kvcalloc() can fix the warning.
hi,
looks like that's the case.. thanks for fixing that
btw while checking on that I found kprobe_multi bench attach test
takes forever on latest bpf-next/master
test_kprobe_multi_bench_attach:PASS:bpf_program__attach_kprobe_multi_opts 0 nsec
test_kprobe_multi_bench_attach: found 56140 functions
test_kprobe_multi_bench_attach: attached in 89.174s
test_kprobe_multi_bench_attach: detached in 13.245s
#113/1 kprobe_multi_bench_attach/kernel:OK
Masami,
any idea of any change on fprobe/ftrace side recently? I'm going to check ;-)
thanks,
jirka
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: WARNING: kmalloc bug in bpf_uprobe_multi_link_attach
2023-12-11 13:01 ` Jiri Olsa
@ 2023-12-11 14:34 ` Jiri Olsa
0 siblings, 0 replies; 8+ messages in thread
From: Jiri Olsa @ 2023-12-11 14:34 UTC (permalink / raw)
To: Jiri Olsa
Cc: Hou Tao, mhiramat, xingwei lee, ast, daniel, andrii, martin.lau,
song, yonghong.song, john.fastabend, kpsingh, sdf, haoluo,
rostedt, mathieu.desnoyers, bpf, linux-kernel, linux-trace-kernel
On Mon, Dec 11, 2023 at 02:01:43PM +0100, Jiri Olsa wrote:
> On Mon, Dec 11, 2023 at 07:29:40PM +0800, Hou Tao wrote:
>
> SNIP
>
> >
> > It seems a big attr->link_create.uprobe_multi.cnt is passed to
> > bpf_uprobe_multi_link_attach(). Could you please try the first patch in
> > the following patch set ?
> >
> > https://lore.kernel.org/bpf/20231211112843.4147157-1-houtao@huaweicloud.com/T/#t
> > > [ 68.389633][ T8223] ? __might_fault+0x13f/0x1a0
> > > [ 68.390129][ T8223] ? bpf_kprobe_multi_link_attach+0x10/0x10
> >
> > SNIP
> > > res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000140ul, /*size=*/0x90ul);
> > > if (res != -1) r[0] = res;
> > > memcpy((void*)0x20000000, "./file0\000", 8);
> > > syscall(__NR_creat, /*file=*/0x20000000ul, /*mode=*/0ul);
> > > *(uint32_t*)0x20000340 = r[0];
> > > *(uint32_t*)0x20000344 = 0;
> > > *(uint32_t*)0x20000348 = 0x30;
> > > *(uint32_t*)0x2000034c = 0;
> > > *(uint64_t*)0x20000350 = 0x20000080;
> > > memcpy((void*)0x20000080, "./file0\000", 8);
> >
> > 0x20000350 is the address of attr->link_create.uprobe_multi.path.
> > > *(uint64_t*)0x20000358 = 0x200000c0;
> > > *(uint64_t*)0x200000c0 = 0;
> > > *(uint64_t*)0x20000360 = 0;
> > > *(uint64_t*)0x20000368 = 0;
> > > *(uint32_t*)0x20000370 = 0xffffff1f;
> >
> > The value of attr->link_create.uprobe_multi.cnt is 0xffffff1f, so
> > 0xffffff1f * sizeof(bpf_uprobe) will be greater than INT_MAX, and
> > triggers the warning in mm/util.c:
> >
> > /* Don't even allow crazy sizes */
> > if (unlikely(size > INT_MAX)) {
> > WARN_ON_ONCE(!(flags & __GFP_NOWARN));
> > return NULL;
> > }
> >
> > Adding __GFP_NOWARN when doing kvcalloc() can fix the warning.
>
> hi,
> looks like that's the case.. thanks for fixing that
>
> btw while checking on that I found kprobe_multi bench attach test
> takes forever on latest bpf-next/master
>
> test_kprobe_multi_bench_attach:PASS:bpf_program__attach_kprobe_multi_opts 0 nsec
> test_kprobe_multi_bench_attach: found 56140 functions
> test_kprobe_multi_bench_attach: attached in 89.174s
> test_kprobe_multi_bench_attach: detached in 13.245s
> #113/1 kprobe_multi_bench_attach/kernel:OK
>
> Masami,
> any idea of any change on fprobe/ftrace side recently? I'm going to check ;-)
nah sry, I had IBT enabled.. forgot the reason, but it's slow ;-)
jirka
^ permalink raw reply [flat|nested] 8+ messages in thread
* WARNING: kmalloc bug in bpf_uprobe_multi_link_attach
@ 2024-05-14 7:27 Ubisectech Sirius
2024-05-15 21:30 ` Alexei Starovoitov
0 siblings, 1 reply; 8+ messages in thread
From: Ubisectech Sirius @ 2024-05-14 7:27 UTC (permalink / raw)
To: linux-trace-kernel, linux-kernel; +Cc: ast, daniel, andrii
[-- Attachment #1: Type: text/plain, Size: 2911 bytes --]
Hello.
We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.7. Attached to the email were a PoC file of the issue.
Stack dump:
loop3: detected capacity change from 0 to 8
MTD: Attempt to mount non-MTD device "/dev/loop3"
------------[ cut here ]------------
WARNING: CPU: 1 PID: 10075 at mm/util.c:632 kvmalloc_node+0x199/0x1b0 mm/util.c:632
Modules linked in:
CPU: 1 PID: 10075 Comm: syz-executor.3 Not tainted 6.7.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:kvmalloc_node+0x199/0x1b0 mm/util.c:632
Code: 02 1d 00 eb aa e8 a7 49 c6 ff 41 81 e5 00 20 00 00 31 ff 44 89 ee e8 36 45 c6 ff 45 85 ed 0f 85 1b ff ff ff e8 88 49 c6 ff 90 <0f> 0b 90 e9 dd fe ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40
RSP: 0018:ffffc90002007b60 EFLAGS: 00010212
RAX: 00000000000023e4 RBX: 0000000000000400 RCX: ffffc90003aaa000
RDX: 0000000000040000 RSI: ffffffff81c3acc8 RDI: 0000000000000005
RBP: 00000037ffffcec8 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 00000000ffffffff R15: ffff88805ff6e1b8
FS: 00007fc62205f640(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e026000 CR3: 000000005f338000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
kvmalloc include/linux/slab.h:738 [inline]
kvmalloc_array include/linux/slab.h:756 [inline]
kvcalloc include/linux/slab.h:761 [inline]
bpf_uprobe_multi_link_attach+0x3fe/0xf60 kernel/trace/bpf_trace.c:3239
link_create kernel/bpf/syscall.c:5012 [inline]
__sys_bpf+0x2e85/0x4e00 kernel/bpf/syscall.c:5453
__do_sys_bpf kernel/bpf/syscall.c:5487 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5485 [inline]
__x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5485
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7fc62128fd6d
Code: c3 e8 97 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc62205f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fc6213cbf80 RCX: 00007fc62128fd6d
RDX: 0000000000000040 RSI: 00000000200001c0 RDI: 000000000000001c
RBP: 00007fc6212f14cd R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fc6213cbf80 R15: 00007fc62203f000
</TASK>
Thank you for taking the time to read this email and we look forward to working with you further.
[-- Attachment #2: poc.c --]
[-- Type: application/octet-stream, Size: 18890 bytes --]
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <setjmp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/loop.h>
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif
static unsigned long long procid;
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
*(type*)(addr) = \
htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
(((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
//% This code is derived from puff.{c,h}, found in the zlib development. The
//% original files come with the following copyright notice:
//% Copyright (C) 2002-2013 Mark Adler, all rights reserved
//% version 2.3, 21 Jan 2013
//% This software is provided 'as-is', without any express or implied
//% warranty. In no event will the author be held liable for any damages
//% arising from the use of this software.
//% Permission is granted to anyone to use this software for any purpose,
//% including commercial applications, and to alter it and redistribute it
//% freely, subject to the following restrictions:
//% 1. The origin of this software must not be misrepresented; you must not
//% claim that you wrote the original software. If you use this software
//% in a product, an acknowledgment in the product documentation would be
//% appreciated but is not required.
//% 2. Altered source versions must be plainly marked as such, and must not be
//% misrepresented as being the original software.
//% 3. This notice may not be removed or altered from any source distribution.
//% Mark Adler madler@alumni.caltech.edu
//% BEGIN CODE DERIVED FROM puff.{c,h}
#define MAXBITS 15
#define MAXLCODES 286
#define MAXDCODES 30
#define MAXCODES (MAXLCODES + MAXDCODES)
#define FIXLCODES 288
struct puff_state {
unsigned char* out;
unsigned long outlen;
unsigned long outcnt;
const unsigned char* in;
unsigned long inlen;
unsigned long incnt;
int bitbuf;
int bitcnt;
jmp_buf env;
};
static int puff_bits(struct puff_state* s, int need)
{
long val = s->bitbuf;
while (s->bitcnt < need) {
if (s->incnt == s->inlen)
longjmp(s->env, 1);
val |= (long)(s->in[s->incnt++]) << s->bitcnt;
s->bitcnt += 8;
}
s->bitbuf = (int)(val >> need);
s->bitcnt -= need;
return (int)(val & ((1L << need) - 1));
}
static int puff_stored(struct puff_state* s)
{
s->bitbuf = 0;
s->bitcnt = 0;
if (s->incnt + 4 > s->inlen)
return 2;
unsigned len = s->in[s->incnt++];
len |= s->in[s->incnt++] << 8;
if (s->in[s->incnt++] != (~len & 0xff) ||
s->in[s->incnt++] != ((~len >> 8) & 0xff))
return -2;
if (s->incnt + len > s->inlen)
return 2;
if (s->outcnt + len > s->outlen)
return 1;
for (; len--; s->outcnt++, s->incnt++) {
if (s->in[s->incnt])
s->out[s->outcnt] = s->in[s->incnt];
}
return 0;
}
struct puff_huffman {
short* count;
short* symbol;
};
static int puff_decode(struct puff_state* s, const struct puff_huffman* h)
{
int first = 0;
int index = 0;
int bitbuf = s->bitbuf;
int left = s->bitcnt;
int code = first = index = 0;
int len = 1;
short* next = h->count + 1;
while (1) {
while (left--) {
code |= bitbuf & 1;
bitbuf >>= 1;
int count = *next++;
if (code - count < first) {
s->bitbuf = bitbuf;
s->bitcnt = (s->bitcnt - len) & 7;
return h->symbol[index + (code - first)];
}
index += count;
first += count;
first <<= 1;
code <<= 1;
len++;
}
left = (MAXBITS + 1) - len;
if (left == 0)
break;
if (s->incnt == s->inlen)
longjmp(s->env, 1);
bitbuf = s->in[s->incnt++];
if (left > 8)
left = 8;
}
return -10;
}
static int puff_construct(struct puff_huffman* h, const short* length, int n)
{
int len;
for (len = 0; len <= MAXBITS; len++)
h->count[len] = 0;
int symbol;
for (symbol = 0; symbol < n; symbol++)
(h->count[length[symbol]])++;
if (h->count[0] == n)
return 0;
int left = 1;
for (len = 1; len <= MAXBITS; len++) {
left <<= 1;
left -= h->count[len];
if (left < 0)
return left;
}
short offs[MAXBITS + 1];
offs[1] = 0;
for (len = 1; len < MAXBITS; len++)
offs[len + 1] = offs[len] + h->count[len];
for (symbol = 0; symbol < n; symbol++)
if (length[symbol] != 0)
h->symbol[offs[length[symbol]]++] = symbol;
return left;
}
static int puff_codes(struct puff_state* s, const struct puff_huffman* lencode,
const struct puff_huffman* distcode)
{
static const short lens[29] = {3, 4, 5, 6, 7, 8, 9, 10, 11, 13,
15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
67, 83, 99, 115, 131, 163, 195, 227, 258};
static const short lext[29] = {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2,
2, 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0};
static const short dists[30] = {
1, 2, 3, 4, 5, 7, 9, 13, 17, 25,
33, 49, 65, 97, 129, 193, 257, 385, 513, 769,
1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
static const short dext[30] = {0, 0, 0, 0, 1, 1, 2, 2, 3, 3,
4, 4, 5, 5, 6, 6, 7, 7, 8, 8,
9, 9, 10, 10, 11, 11, 12, 12, 13, 13};
int symbol;
do {
symbol = puff_decode(s, lencode);
if (symbol < 0)
return symbol;
if (symbol < 256) {
if (s->outcnt == s->outlen)
return 1;
if (symbol)
s->out[s->outcnt] = symbol;
s->outcnt++;
} else if (symbol > 256) {
symbol -= 257;
if (symbol >= 29)
return -10;
int len = lens[symbol] + puff_bits(s, lext[symbol]);
symbol = puff_decode(s, distcode);
if (symbol < 0)
return symbol;
unsigned dist = dists[symbol] + puff_bits(s, dext[symbol]);
if (dist > s->outcnt)
return -11;
if (s->outcnt + len > s->outlen)
return 1;
while (len--) {
if (dist <= s->outcnt && s->out[s->outcnt - dist])
s->out[s->outcnt] = s->out[s->outcnt - dist];
s->outcnt++;
}
}
} while (symbol != 256);
return 0;
}
static int puff_fixed(struct puff_state* s)
{
static int virgin = 1;
static short lencnt[MAXBITS + 1], lensym[FIXLCODES];
static short distcnt[MAXBITS + 1], distsym[MAXDCODES];
static struct puff_huffman lencode, distcode;
if (virgin) {
lencode.count = lencnt;
lencode.symbol = lensym;
distcode.count = distcnt;
distcode.symbol = distsym;
short lengths[FIXLCODES];
int symbol;
for (symbol = 0; symbol < 144; symbol++)
lengths[symbol] = 8;
for (; symbol < 256; symbol++)
lengths[symbol] = 9;
for (; symbol < 280; symbol++)
lengths[symbol] = 7;
for (; symbol < FIXLCODES; symbol++)
lengths[symbol] = 8;
puff_construct(&lencode, lengths, FIXLCODES);
for (symbol = 0; symbol < MAXDCODES; symbol++)
lengths[symbol] = 5;
puff_construct(&distcode, lengths, MAXDCODES);
virgin = 0;
}
return puff_codes(s, &lencode, &distcode);
}
static int puff_dynamic(struct puff_state* s)
{
static const short order[19] = {16, 17, 18, 0, 8, 7, 9, 6, 10, 5,
11, 4, 12, 3, 13, 2, 14, 1, 15};
int nlen = puff_bits(s, 5) + 257;
int ndist = puff_bits(s, 5) + 1;
int ncode = puff_bits(s, 4) + 4;
if (nlen > MAXLCODES || ndist > MAXDCODES)
return -3;
short lengths[MAXCODES];
int index;
for (index = 0; index < ncode; index++)
lengths[order[index]] = puff_bits(s, 3);
for (; index < 19; index++)
lengths[order[index]] = 0;
short lencnt[MAXBITS + 1], lensym[MAXLCODES];
struct puff_huffman lencode = {lencnt, lensym};
int err = puff_construct(&lencode, lengths, 19);
if (err != 0)
return -4;
index = 0;
while (index < nlen + ndist) {
int symbol;
int len;
symbol = puff_decode(s, &lencode);
if (symbol < 0)
return symbol;
if (symbol < 16)
lengths[index++] = symbol;
else {
len = 0;
if (symbol == 16) {
if (index == 0)
return -5;
len = lengths[index - 1];
symbol = 3 + puff_bits(s, 2);
} else if (symbol == 17)
symbol = 3 + puff_bits(s, 3);
else
symbol = 11 + puff_bits(s, 7);
if (index + symbol > nlen + ndist)
return -6;
while (symbol--)
lengths[index++] = len;
}
}
if (lengths[256] == 0)
return -9;
err = puff_construct(&lencode, lengths, nlen);
if (err && (err < 0 || nlen != lencode.count[0] + lencode.count[1]))
return -7;
short distcnt[MAXBITS + 1], distsym[MAXDCODES];
struct puff_huffman distcode = {distcnt, distsym};
err = puff_construct(&distcode, lengths + nlen, ndist);
if (err && (err < 0 || ndist != distcode.count[0] + distcode.count[1]))
return -8;
return puff_codes(s, &lencode, &distcode);
}
static int puff(unsigned char* dest, unsigned long* destlen,
const unsigned char* source, unsigned long sourcelen)
{
struct puff_state s = {
.out = dest,
.outlen = *destlen,
.outcnt = 0,
.in = source,
.inlen = sourcelen,
.incnt = 0,
.bitbuf = 0,
.bitcnt = 0,
};
int err;
if (setjmp(s.env) != 0)
err = 2;
else {
int last;
do {
last = puff_bits(&s, 1);
int type = puff_bits(&s, 2);
err = type == 0 ? puff_stored(&s)
: (type == 1 ? puff_fixed(&s)
: (type == 2 ? puff_dynamic(&s) : -1));
if (err != 0)
break;
} while (!last);
}
*destlen = s.outcnt;
return err;
}
//% END CODE DERIVED FROM puff.{c,h}
#define ZLIB_HEADER_WIDTH 2
static int puff_zlib_to_file(const unsigned char* source,
unsigned long sourcelen, int dest_fd)
{
if (sourcelen < ZLIB_HEADER_WIDTH)
return 0;
source += ZLIB_HEADER_WIDTH;
sourcelen -= ZLIB_HEADER_WIDTH;
const unsigned long max_destlen = 132 << 20;
void* ret = mmap(0, max_destlen, PROT_WRITE | PROT_READ,
MAP_PRIVATE | MAP_ANON, -1, 0);
if (ret == MAP_FAILED)
return -1;
unsigned char* dest = (unsigned char*)ret;
unsigned long destlen = max_destlen;
int err = puff(dest, &destlen, source, sourcelen);
if (err) {
munmap(dest, max_destlen);
errno = -err;
return -1;
}
if (write(dest_fd, dest, destlen) != (ssize_t)destlen) {
munmap(dest, max_destlen);
return -1;
}
return munmap(dest, max_destlen);
}
static int setup_loop_device(unsigned char* data, unsigned long size,
const char* loopname, int* loopfd_p)
{
int err = 0, loopfd = -1;
int memfd = syscall(__NR_memfd_create, "syzkaller", 0);
if (memfd == -1) {
err = errno;
goto error;
}
if (puff_zlib_to_file(data, size, memfd)) {
err = errno;
goto error_close_memfd;
}
loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
err = errno;
goto error_close_memfd;
}
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
if (errno != EBUSY) {
err = errno;
goto error_close_loop;
}
ioctl(loopfd, LOOP_CLR_FD, 0);
usleep(1000);
if (ioctl(loopfd, LOOP_SET_FD, memfd)) {
err = errno;
goto error_close_loop;
}
}
close(memfd);
*loopfd_p = loopfd;
return 0;
error_close_loop:
close(loopfd);
error_close_memfd:
close(memfd);
error:
errno = err;
return -1;
}
static void reset_loop_device(const char* loopname)
{
int loopfd = open(loopname, O_RDWR);
if (loopfd == -1) {
return;
}
if (ioctl(loopfd, LOOP_CLR_FD, 0)) {
}
close(loopfd);
}
static long syz_mount_image(volatile long fsarg, volatile long dir,
volatile long flags, volatile long optsarg,
volatile long change_dir,
volatile unsigned long size, volatile long image)
{
unsigned char* data = (unsigned char*)image;
int res = -1, err = 0, need_loop_device = !!size;
char* mount_opts = (char*)optsarg;
char* target = (char*)dir;
char* fs = (char*)fsarg;
char* source = NULL;
char loopname[64];
if (need_loop_device) {
int loopfd;
memset(loopname, 0, sizeof(loopname));
snprintf(loopname, sizeof(loopname), "/dev/loop%llu", procid);
if (setup_loop_device(data, size, loopname, &loopfd) == -1)
return -1;
close(loopfd);
source = loopname;
}
mkdir(target, 0777);
char opts[256];
memset(opts, 0, sizeof(opts));
if (strlen(mount_opts) > (sizeof(opts) - 32)) {
}
strncpy(opts, mount_opts, sizeof(opts) - 32);
if (strcmp(fs, "iso9660") == 0) {
flags |= MS_RDONLY;
} else if (strncmp(fs, "ext", 3) == 0) {
bool has_remount_ro = false;
char* remount_ro_start = strstr(opts, "errors=remount-ro");
if (remount_ro_start != NULL) {
char after = *(remount_ro_start + strlen("errors=remount-ro"));
char before = remount_ro_start == opts ? '\0' : *(remount_ro_start - 1);
has_remount_ro = ((before == '\0' || before == ',') &&
(after == '\0' || after == ','));
}
if (strstr(opts, "errors=panic") || !has_remount_ro)
strcat(opts, ",errors=continue");
} else if (strcmp(fs, "xfs") == 0) {
strcat(opts, ",nouuid");
}
res = mount(source, target, fs, flags, opts);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
res = open(target, O_RDONLY | O_DIRECTORY);
if (res == -1) {
err = errno;
goto error_clear_loop;
}
if (change_dir) {
res = chdir(target);
if (res == -1) {
err = errno;
}
}
error_clear_loop:
if (need_loop_device)
reset_loop_device(loopname);
errno = err;
return res;
}
uint64_t r[1] = {0xffffffffffffffff};
int main(void)
{
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/-1,
/*offset=*/0ul);
intptr_t res = 0;
memcpy((void*)0x20000140, "cramfs\000", 7);
memcpy((void*)0x20000180, "./file0\000", 8);
memcpy(
(void*)0x20000400,
"\x78\x9c\xec\xd0\xbf\x6b\x1a\x61\x1c\xc7\xf1\xf7\xa3\x56\xed\x4f\x2d\xb5"
"\xd0\x16\x5a\x0b\x1d\x7a\x28\xe2\x79\x62\xb7\x0e\x5a\x2a\x3d\xa8\x3d\x68"
"\xb7\x4e\x82\x5e\x69\xc1\x1f\x25\x42\xc8\x18\x03\xd9\x32\xe4\x0f\x70\x88"
"\x09\x64\x12\x87\x90\x31\x43\x62\x26\x13\x85\x60\xfe\x8d\x1c\x64\x0b\x64"
"\x31\x3c\x77\x47\xe2\x9c\xf9\x79\x2d\x77\xf7\xfd\x7c\xf9\x1c\xcf\xf3\xf5"
"\xf3\x54\x23\x0e\x41\x3c\x5f\xda\xcd\xff\x4b\x76\xa7\x63\xd7\xdf\xff\xb4"
"\x2a\xe5\x5f\x7b\xfb\x07\xcf\x48\x42\x04\x88\xfa\xf9\xf5\xdc\x23\xf7\x0f"
"\x8b\xf0\x57\x3e\x43\xe0\x74\xa1\x0e\x1c\x3f\xf4\xcb\x6a\xed\x86\xfc\x76"
"\x8a\xa0\x01\xa5\xc7\xf0\xe7\x5f\xc3\xd6\xf1\x76\x1f\xc9\x59\x82\x5b\x72"
"\xa6\x7d\x80\xd1\x4b\x6f\xcf\x80\x80\xd3\x25\xca\xc2\x2c\xef\xef\xbd\x09"
"\xcd\x29\xc5\xee\xfa\xe6\x7d\xf8\x28\xfb\x9e\x7b\xb3\x9c\xf0\x4b\x7b\xe9"
"\xe1\xe0\xe4\xc7\x24\x60\x66\x52\xbb\x6f\x83\xac\x9b\xe9\xe4\x0b\x01\x2b"
"\xfe\x7c\x6c\x66\x52\xef\xec\x0d\xa3\xfc\x5a\x2e\xb7\xfa\xb0\x4d\xc9\xcd"
"\xcf\xb3\xe3\xcc\x59\x76\x38\x98\x4d\x27\x95\xef\x56\xc5\x9a\xe6\x0d\xe3"
"\x53\x5e\xcf\xe9\x7a\x61\x66\x9d\x4e\xcc\xc2\xea\x26\xa1\x6f\x4f\x96\xe1"
"\xb7\xd7\x17\xf6\xff\x98\x0a\x73\xe1\xbe\xac\x09\xe8\x09\x18\xb8\xb9\x73"
"\x24\x9e\x02\xa3\xad\x2b\xab\x89\x90\xc7\xbe\x6c\xc5\x41\xb8\x89\xbc\x5b"
"\x37\x89\x45\x16\x93\x5a\xf5\xd5\x83\x9d\x6a\x22\x1e\x20\xa8\x21\x50\x14"
"\x45\x51\x14\x45\x51\x14\x45\x51\x94\x7b\xba\x09\x00\x00\xff\xff\x86\xf5"
"\x68\x06",
344);
syz_mount_image(/*fs=*/0x20000140, /*dir=*/0x20000180, /*flags=*/0,
/*opts=*/0x20000340, /*chdir=*/1, /*size=*/0x158,
/*img=*/0x20000400);
memcpy((void*)0x20000040, "./file0\000", 8);
syscall(__NR_chdir, /*dir=*/0x20000040ul);
*(uint32_t*)0x20000680 = 2;
*(uint32_t*)0x20000684 = 3;
*(uint64_t*)0x20000688 = 0x20000080;
*(uint8_t*)0x20000080 = 0x18;
STORE_BY_BITMASK(uint8_t, , 0x20000081, 0, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x20000081, 0, 4, 4);
*(uint16_t*)0x20000082 = 0;
*(uint32_t*)0x20000084 = 0;
*(uint8_t*)0x20000088 = 0;
*(uint8_t*)0x20000089 = 0;
*(uint16_t*)0x2000008a = 0;
*(uint32_t*)0x2000008c = 0;
*(uint8_t*)0x20000090 = 0x95;
*(uint8_t*)0x20000091 = 0;
*(uint16_t*)0x20000092 = 0;
*(uint32_t*)0x20000094 = 0;
*(uint64_t*)0x20000690 = 0x20000000;
memcpy((void*)0x20000000, "syzkaller\000", 10);
*(uint32_t*)0x20000698 = 0;
*(uint32_t*)0x2000069c = 0;
*(uint64_t*)0x200006a0 = 0;
*(uint32_t*)0x200006a8 = 0;
*(uint32_t*)0x200006ac = 0;
memset((void*)0x200006b0, 0, 16);
*(uint32_t*)0x200006c0 = 0;
*(uint32_t*)0x200006c4 = 0x30;
*(uint32_t*)0x200006c8 = 0;
*(uint32_t*)0x200006cc = 0;
*(uint64_t*)0x200006d0 = 0;
*(uint32_t*)0x200006d8 = 0;
*(uint32_t*)0x200006dc = 0;
*(uint64_t*)0x200006e0 = 0;
*(uint32_t*)0x200006e8 = 0;
*(uint32_t*)0x200006ec = 0;
*(uint32_t*)0x200006f0 = 0;
*(uint32_t*)0x200006f4 = 0;
*(uint64_t*)0x200006f8 = 0;
*(uint64_t*)0x20000700 = 0;
*(uint32_t*)0x20000708 = 0;
*(uint32_t*)0x2000070c = 0;
res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000680ul, /*size=*/0x90ul);
if (res != -1)
r[0] = res;
*(uint32_t*)0x200001c0 = r[0];
*(uint32_t*)0x200001c4 = 0;
*(uint32_t*)0x200001c8 = 0x30;
*(uint32_t*)0x200001cc = 0;
*(uint64_t*)0x200001d0 = 0x20000040;
memcpy((void*)0x20000040, "./file0\000", 8);
*(uint64_t*)0x200001d8 = 0x200000c0;
*(uint64_t*)0x200000c0 = 0;
*(uint64_t*)0x200001e0 = 0;
*(uint64_t*)0x200001e8 = 0;
*(uint32_t*)0x200001f0 = 0xffffff1f;
*(uint32_t*)0x200001f4 = 1;
*(uint32_t*)0x200001f8 = 0;
syscall(__NR_bpf, /*cmd=*/0x1cul, /*arg=*/0x200001c0ul, /*size=*/0x40ul);
return 0;
}
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: WARNING: kmalloc bug in bpf_uprobe_multi_link_attach
2024-05-14 7:27 Ubisectech Sirius
@ 2024-05-15 21:30 ` Alexei Starovoitov
2024-05-15 21:47 ` Jiri Olsa
0 siblings, 1 reply; 8+ messages in thread
From: Alexei Starovoitov @ 2024-05-15 21:30 UTC (permalink / raw)
To: Ubisectech Sirius, Jiri Olsa
Cc: linux-trace-kernel, linux-kernel, ast, daniel, andrii
On Tue, May 14, 2024 at 12:33 AM Ubisectech Sirius
<bugreport@ubisectech.com> wrote:
>
> Hello.
> We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.7. Attached to the email were a PoC file of the issue.
Jiri,
please take a look.
> Stack dump:
>
> loop3: detected capacity change from 0 to 8
> MTD: Attempt to mount non-MTD device "/dev/loop3"
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 10075 at mm/util.c:632 kvmalloc_node+0x199/0x1b0 mm/util.c:632
> Modules linked in:
> CPU: 1 PID: 10075 Comm: syz-executor.3 Not tainted 6.7.0 #2
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> RIP: 0010:kvmalloc_node+0x199/0x1b0 mm/util.c:632
> Code: 02 1d 00 eb aa e8 a7 49 c6 ff 41 81 e5 00 20 00 00 31 ff 44 89 ee e8 36 45 c6 ff 45 85 ed 0f 85 1b ff ff ff e8 88 49 c6 ff 90 <0f> 0b 90 e9 dd fe ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40
> RSP: 0018:ffffc90002007b60 EFLAGS: 00010212
> RAX: 00000000000023e4 RBX: 0000000000000400 RCX: ffffc90003aaa000
> RDX: 0000000000040000 RSI: ffffffff81c3acc8 RDI: 0000000000000005
> RBP: 00000037ffffcec8 R08: 0000000000000005 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: 00000000ffffffff R15: ffff88805ff6e1b8
> FS: 00007fc62205f640(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000001b2e026000 CR3: 000000005f338000 CR4: 0000000000750ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> Call Trace:
> <TASK>
> kvmalloc include/linux/slab.h:738 [inline]
> kvmalloc_array include/linux/slab.h:756 [inline]
> kvcalloc include/linux/slab.h:761 [inline]
> bpf_uprobe_multi_link_attach+0x3fe/0xf60 kernel/trace/bpf_trace.c:3239
> link_create kernel/bpf/syscall.c:5012 [inline]
> __sys_bpf+0x2e85/0x4e00 kernel/bpf/syscall.c:5453
> __do_sys_bpf kernel/bpf/syscall.c:5487 [inline]
> __se_sys_bpf kernel/bpf/syscall.c:5485 [inline]
> __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5485
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x6f/0x77
> RIP: 0033:0x7fc62128fd6d
> Code: c3 e8 97 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fc62205f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
> RAX: ffffffffffffffda RBX: 00007fc6213cbf80 RCX: 00007fc62128fd6d
> RDX: 0000000000000040 RSI: 00000000200001c0 RDI: 000000000000001c
> RBP: 00007fc6212f14cd R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 000000000000000b R14: 00007fc6213cbf80 R15: 00007fc62203f000
> </TASK>
>
> Thank you for taking the time to read this email and we look forward to working with you further.
>
>
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: WARNING: kmalloc bug in bpf_uprobe_multi_link_attach
2024-05-15 21:30 ` Alexei Starovoitov
@ 2024-05-15 21:47 ` Jiri Olsa
0 siblings, 0 replies; 8+ messages in thread
From: Jiri Olsa @ 2024-05-15 21:47 UTC (permalink / raw)
To: Alexei Starovoitov
Cc: Ubisectech Sirius, linux-trace-kernel, linux-kernel, ast, daniel,
andrii
On Wed, May 15, 2024 at 02:30:37PM -0700, Alexei Starovoitov wrote:
> On Tue, May 14, 2024 at 12:33 AM Ubisectech Sirius
> <bugreport@ubisectech.com> wrote:
> >
> > Hello.
> > We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.7. Attached to the email were a PoC file of the issue.
>
> Jiri,
>
> please take a look.
>
> > Stack dump:
> >
> > loop3: detected capacity change from 0 to 8
> > MTD: Attempt to mount non-MTD device "/dev/loop3"
> > ------------[ cut here ]------------
> > WARNING: CPU: 1 PID: 10075 at mm/util.c:632 kvmalloc_node+0x199/0x1b0 mm/util.c:632
hi,
this should be already fixed via:
https://lore.kernel.org/bpf/20231215100708.2265609-2-houtao@huaweicloud.com/
original report was in here:
https://lore.kernel.org/bpf/CABOYnLwwJY=yFAGie59LFsUsBAgHfroVqbzZ5edAXbFE3YiNVA@mail.gmail.com/
the fix should be in v6.7, can you check if your kernel has:
8b2efe51ba85 bpf: Limit the number of uprobes when attaching program to multiple uprobes
thanks,
jirka
> > Modules linked in:
> > CPU: 1 PID: 10075 Comm: syz-executor.3 Not tainted 6.7.0 #2
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> > RIP: 0010:kvmalloc_node+0x199/0x1b0 mm/util.c:632
> > Code: 02 1d 00 eb aa e8 a7 49 c6 ff 41 81 e5 00 20 00 00 31 ff 44 89 ee e8 36 45 c6 ff 45 85 ed 0f 85 1b ff ff ff e8 88 49 c6 ff 90 <0f> 0b 90 e9 dd fe ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40
> > RSP: 0018:ffffc90002007b60 EFLAGS: 00010212
> > RAX: 00000000000023e4 RBX: 0000000000000400 RCX: ffffc90003aaa000
> > RDX: 0000000000040000 RSI: ffffffff81c3acc8 RDI: 0000000000000005
> > RBP: 00000037ffffcec8 R08: 0000000000000005 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> > R13: 0000000000000000 R14: 00000000ffffffff R15: ffff88805ff6e1b8
> > FS: 00007fc62205f640(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000001b2e026000 CR3: 000000005f338000 CR4: 0000000000750ef0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > PKRU: 55555554
> > Call Trace:
> > <TASK>
> > kvmalloc include/linux/slab.h:738 [inline]
> > kvmalloc_array include/linux/slab.h:756 [inline]
> > kvcalloc include/linux/slab.h:761 [inline]
> > bpf_uprobe_multi_link_attach+0x3fe/0xf60 kernel/trace/bpf_trace.c:3239
> > link_create kernel/bpf/syscall.c:5012 [inline]
> > __sys_bpf+0x2e85/0x4e00 kernel/bpf/syscall.c:5453
> > __do_sys_bpf kernel/bpf/syscall.c:5487 [inline]
> > __se_sys_bpf kernel/bpf/syscall.c:5485 [inline]
> > __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5485
> > do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> > do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83
> > entry_SYSCALL_64_after_hwframe+0x6f/0x77
> > RIP: 0033:0x7fc62128fd6d
> > Code: c3 e8 97 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
> > RSP: 002b:00007fc62205f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
> > RAX: ffffffffffffffda RBX: 00007fc6213cbf80 RCX: 00007fc62128fd6d
> > RDX: 0000000000000040 RSI: 00000000200001c0 RDI: 000000000000001c
> > RBP: 00007fc6212f14cd R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> > R13: 000000000000000b R14: 00007fc6213cbf80 R15: 00007fc62203f000
> > </TASK>
> >
> > Thank you for taking the time to read this email and we look forward to working with you further.
> >
> >
> >
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2024-05-15 21:47 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-12-11 8:12 WARNING: kmalloc bug in bpf_uprobe_multi_link_attach xingwei lee
2023-12-11 11:29 ` Hou Tao
2023-12-11 13:01 ` Jiri Olsa
2023-12-11 14:34 ` Jiri Olsa
[not found] <CABOYnLz2e+_0P88RgoDy6epWz9xrM2zhfMQdVrcjNiPqrFcBeQ@mail.gmail.com>
2023-12-11 11:22 ` Masami Hiramatsu
-- strict thread matches above, loose matches on Subject: below --
2024-05-14 7:27 Ubisectech Sirius
2024-05-15 21:30 ` Alexei Starovoitov
2024-05-15 21:47 ` Jiri Olsa
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).