[syzbot] [perf?] WARNING in perf_event_open

[syzbot] [perf?] WARNING in perf_event_open

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    441c725ed592 selftests/bpf: Close cgrp fd before calling c..
git tree:       bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1444d11ae80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
dashboard link: https://syzkaller.appspot.com/bug?extid=07144c543a5c002c7305
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8b0f45da11b1/disk-441c725e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2a5034980240/vmlinux-441c725e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2daadb549a4c/bzImage-441c725e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+07144c543a5c002c7305@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 5193 at kernel/events/core.c:1950 perf_event_validate_size kernel/events/core.c:1950 [inline]
WARNING: CPU: 1 PID: 5193 at kernel/events/core.c:1950 __do_sys_perf_event_open+0x2748/0x2c70 kernel/events/core.c:12655
Modules linked in:
CPU: 1 PID: 5193 Comm: syz-executor.5 Not tainted 6.7.0-rc5-syzkaller-01532-g441c725ed592 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:perf_event_validate_size kernel/events/core.c:1950 [inline]
RIP: 0010:__do_sys_perf_event_open+0x2748/0x2c70 kernel/events/core.c:12655
Code: ff 48 8d b8 a8 00 00 00 e8 85 0a cf 08 bf 01 00 00 00 89 c3 89 c6 e8 77 74 d5 ff 83 eb 01 0f 84 2d ed ff ff e8 f9 78 d5 ff 90 <0f> 0b 90 e9 1f ed ff ff e8 eb 78 d5 ff be 03 00 00 00 48 89 ef e8
RSP: 0018:ffffc90005187d90 EFLAGS: 00010246
RAX: 0000000000040000 RBX: 00000000ffffffff RCX: ffffc90003d11000
RDX: 0000000000040000 RSI: ffffffff81b224a7 RDI: 0000000000000005
RBP: ffff888077570000 R08: 0000000000000005 R09: 0000000000000001
R10: 0000000000000000 R11: ffffffff915e51d0 R12: ffff8880291ffb00
R13: 1ffff92000a30fbd R14: ffff88807a94d940 R15: ffff888077570000
FS:  00007fa10795c6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000002a097000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fa106c7cbe9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa10795c0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 00007fa106d9bf80 RCX: 00007fa106c7cbe9
RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 0000000020000000
RBP: 00007fa106cc847a R08: 0000000000000001 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fa106d9bf80 R15: 00007fff36da3b98
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [perf?] WARNING in perf_event_open

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    5abde6246522 bpf: Avoid unnecessary use of comma operator ..
git tree:       bpf-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=122f1609e80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
dashboard link: https://syzkaller.appspot.com/bug?extid=07144c543a5c002c7305
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14857e81e80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1126ac36e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a270020a37dc/disk-5abde624.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6b0eb142c0ea/vmlinux-5abde624.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d6ceb3e9bf6a/bzImage-5abde624.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+07144c543a5c002c7305@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 5061 at kernel/events/core.c:1950 perf_event_validate_size kernel/events/core.c:1950 [inline]
WARNING: CPU: 0 PID: 5061 at kernel/events/core.c:1950 __do_sys_perf_event_open+0x2748/0x2c70 kernel/events/core.c:12655
Modules linked in:
CPU: 0 PID: 5061 Comm: syz-executor128 Not tainted 6.7.0-rc5-syzkaller-01540-g5abde6246522 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:perf_event_validate_size kernel/events/core.c:1950 [inline]
RIP: 0010:__do_sys_perf_event_open+0x2748/0x2c70 kernel/events/core.c:12655
Code: ff 48 8d b8 a8 00 00 00 e8 55 07 cf 08 bf 01 00 00 00 89 c3 89 c6 e8 47 71 d5 ff 83 eb 01 0f 84 2d ed ff ff e8 c9 75 d5 ff 90 <0f> 0b 90 e9 1f ed ff ff e8 bb 75 d5 ff be 03 00 00 00 48 89 ef e8
RSP: 0018:ffffc9000398fd90 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffffffff81b227c9
RDX: ffff8880794c3b80 RSI: ffffffff81b227d7 RDI: 0000000000000005
RBP: ffff888017e68608 R08: 0000000000000005 R09: 0000000000000001
R10: 0000000000000000 R11: ffffffff915ec900 R12: ffff888024db5800
R13: 1ffff92000731fbd R14: ffff8880794c3b80 R15: ffff888017e68608
FS:  0000555555ca6380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000006c CR3: 0000000059a59000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fddcf7ef369
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc7c42b4a8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 00007ffc7c42b688 RCX: 00007fddcf7ef369
RDX: 00000000ffffffff RSI: 0000000000000000 RDI: 0000000020000000
RBP: 00007fddcf862610 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc7c42b678 R14: 0000000000000001 R15: 0000000000000001
 </TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Re: [syzbot] [perf?] WARNING in perf_event_open

[Edward Adam Davis]

please test WARNING in perf_event_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git 441c725ed592

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 9efd0d7775e7..e71e61b46416 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -1924,6 +1924,10 @@ static void perf_event__id_header_size(struct perf_event *event)
 	event->id_header_size = size;
 }
 
+#define read_for_each_sibling_event(sibling, event)		\
+	if ((event)->group_leader == (event))			\
+		list_for_each_entry((sibling), &(event)->sibling_list, sibling_list)
+
 /*
  * Check that adding an event to the group does not result in anybody
  * overflowing the 64k event limit imposed by the output buffer.
@@ -1957,7 +1961,7 @@ static bool perf_event_validate_size(struct perf_event *event)
 	if (event == group_leader)
 		return true;
 
-	for_each_sibling_event(sibling, group_leader) {
+	read_for_each_sibling_event(sibling, group_leader) {
 		if (__perf_event_read_size(sibling->attr.read_format,
 					   group_leader->nr_siblings + 1) > 16*1024)
 			return false;

Re: [syzbot] [perf?] WARNING in perf_event_open

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+07144c543a5c002c7305@syzkaller.appspotmail.com

Tested on:

commit:         441c725e selftests/bpf: Close cgrp fd before calling c..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=135a5231e80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
dashboard link: https://syzkaller.appspot.com/bug?extid=07144c543a5c002c7305
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13bd1bd6e80000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [perf?] WARNING in perf_event_open

[syzbot]

syzbot has bisected this issue to:

commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Wed Nov 29 14:24:52 2023 +0000

    perf: Fix perf_event_validate_size()

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=170e70cee80000
start commit:   5abde6246522 bpf: Avoid unnecessary use of comma operator ..
git tree:       bpf-next
final oops:     https://syzkaller.appspot.com/x/report.txt?x=148e70cee80000
console output: https://syzkaller.appspot.com/x/log.txt?x=108e70cee80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
dashboard link: https://syzkaller.appspot.com/bug?extid=07144c543a5c002c7305
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14857e81e80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1126ac36e80000

Reported-by: syzbot+07144c543a5c002c7305@syzkaller.appspotmail.com
Fixes: 382c27f4ed28 ("perf: Fix perf_event_validate_size()")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

[PATCH] perf: fix WARNING in perf_event_open

[Edward Adam Davis]

The new version of __perf_event_read_size() only has a read action and does not
require a mutex, so the mutex assertion in the original loop is removed.

Fixes: 382c27f4ed28 ("perf: Fix perf_event_validate_size()")
Reported-and-tested-by: syzbot+07144c543a5c002c7305@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 kernel/events/core.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 9efd0d7775e7..e71e61b46416 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -1924,6 +1924,10 @@ static void perf_event__id_header_size(struct perf_event *event)
 	event->id_header_size = size;
 }
 
+#define read_for_each_sibling_event(sibling, event)		\
+	if ((event)->group_leader == (event))			\
+		list_for_each_entry((sibling), &(event)->sibling_list, sibling_list)
+
 /*
  * Check that adding an event to the group does not result in anybody
  * overflowing the 64k event limit imposed by the output buffer.
@@ -1957,7 +1961,7 @@ static bool perf_event_validate_size(struct perf_event *event)
 	if (event == group_leader)
 		return true;
 
-	for_each_sibling_event(sibling, group_leader) {
+	read_for_each_sibling_event(sibling, group_leader) {
 		if (__perf_event_read_size(sibling->attr.read_format,
 					   group_leader->nr_siblings + 1) > 16*1024)
 			return false;
-- 
2.43.0

Re: [PATCH] perf: fix WARNING in perf_event_open

[Jiri Olsa]

On Tue, Dec 26, 2023 at 03:25:15PM +0800, Edward Adam Davis wrote:
> The new version of __perf_event_read_size() only has a read action and does not
> require a mutex, so the mutex assertion in the original loop is removed.
> 
> Fixes: 382c27f4ed28 ("perf: Fix perf_event_validate_size()")
> Reported-and-tested-by: syzbot+07144c543a5c002c7305@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>

hi,
Mark suggested another fix earlier [1], but I haven't seen the formal patch yet

jirka


[1] https://lore.kernel.org/linux-perf-users/ZXwubNIxKH9s7DWt@FVFF77S0Q05N/

> ---
>  kernel/events/core.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index 9efd0d7775e7..e71e61b46416 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -1924,6 +1924,10 @@ static void perf_event__id_header_size(struct perf_event *event)
>  	event->id_header_size = size;
>  }
>  
> +#define read_for_each_sibling_event(sibling, event)		\
> +	if ((event)->group_leader == (event))			\
> +		list_for_each_entry((sibling), &(event)->sibling_list, sibling_list)
> +
>  /*
>   * Check that adding an event to the group does not result in anybody
>   * overflowing the 64k event limit imposed by the output buffer.
> @@ -1957,7 +1961,7 @@ static bool perf_event_validate_size(struct perf_event *event)
>  	if (event == group_leader)
>  		return true;
>  
> -	for_each_sibling_event(sibling, group_leader) {
> +	read_for_each_sibling_event(sibling, group_leader) {
>  		if (__perf_event_read_size(sibling->attr.read_format,
>  					   group_leader->nr_siblings + 1) > 16*1024)
>  			return false;
> -- 
> 2.43.0
> 

Re: [PATCH] perf: fix WARNING in perf_event_open

[Mark Rutland]

On Wed, Dec 27, 2023 at 08:34:57AM +0100, Jiri Olsa wrote:
> On Tue, Dec 26, 2023 at 03:25:15PM +0800, Edward Adam Davis wrote:
> > The new version of __perf_event_read_size() only has a read action and does not
> > require a mutex, so the mutex assertion in the original loop is removed.
> > 
> > Fixes: 382c27f4ed28 ("perf: Fix perf_event_validate_size()")
> > Reported-and-tested-by: syzbot+07144c543a5c002c7305@syzkaller.appspotmail.com
> > Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> 
> hi,
> Mark suggested another fix earlier [1], but I haven't seen the formal patch yet
> 
> jirka
> 
> 
> [1] https://lore.kernel.org/linux-perf-users/ZXwubNIxKH9s7DWt@FVFF77S0Q05N/

For the sake of the archive, that went out as:

  https://lore.kernel.org/lkml/20231215112450.3972309-1-mark.rutland@arm.com/

... was picked up in the tip branch:

  https://lore.kernel.org/lkml/170264057897.398.420625380438569608.tip-bot2@tip-bot2/

... was sent to Linus:

  https://lore.kernel.org/lkml/20231217202613.GAZX9ZZWMM%2FytA74VC@fat_crate.local/

... was merged in v6.7-rc6:
  
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.7-rc6&id=177c2ffe69555dde28fad5ddb62a6d806982e53f

... and can be found at:

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.7-rc6&id=7e2c1e4b34f07d9aa8937fab88359d4a0fce468e

Mark.

> 
> > ---
> >  kernel/events/core.c | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> > 
> > diff --git a/kernel/events/core.c b/kernel/events/core.c
> > index 9efd0d7775e7..e71e61b46416 100644
> > --- a/kernel/events/core.c
> > +++ b/kernel/events/core.c
> > @@ -1924,6 +1924,10 @@ static void perf_event__id_header_size(struct perf_event *event)
> >  	event->id_header_size = size;
> >  }
> >  
> > +#define read_for_each_sibling_event(sibling, event)		\
> > +	if ((event)->group_leader == (event))			\
> > +		list_for_each_entry((sibling), &(event)->sibling_list, sibling_list)
> > +
> >  /*
> >   * Check that adding an event to the group does not result in anybody
> >   * overflowing the 64k event limit imposed by the output buffer.
> > @@ -1957,7 +1961,7 @@ static bool perf_event_validate_size(struct perf_event *event)
> >  	if (event == group_leader)
> >  		return true;
> >  
> > -	for_each_sibling_event(sibling, group_leader) {
> > +	read_for_each_sibling_event(sibling, group_leader) {
> >  		if (__perf_event_read_size(sibling->attr.read_format,
> >  					   group_leader->nr_siblings + 1) > 16*1024)
> >  			return false;
> > -- 
> > 2.43.0
> > 

Re: [PATCH] perf: fix WARNING in perf_event_open

[Mark Rutland]

On Tue, Dec 26, 2023 at 03:25:15PM +0800, Edward Adam Davis wrote:
> The new version of __perf_event_read_size() only has a read action and does not
> require a mutex, so the mutex assertion in the original loop is removed.
> 
> Fixes: 382c27f4ed28 ("perf: Fix perf_event_validate_size()")
> Reported-and-tested-by: syzbot+07144c543a5c002c7305@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>  kernel/events/core.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)

Thanks for the patch; this should be fixed by:

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.7-rc6&id=7e2c1e4b34f07d9aa8937fab88359d4a0fce468e

... which is in v6.7-rc6.

Mark.

> 
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index 9efd0d7775e7..e71e61b46416 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -1924,6 +1924,10 @@ static void perf_event__id_header_size(struct perf_event *event)
>  	event->id_header_size = size;
>  }
>  
> +#define read_for_each_sibling_event(sibling, event)		\
> +	if ((event)->group_leader == (event))			\
> +		list_for_each_entry((sibling), &(event)->sibling_list, sibling_list)
> +
>  /*
>   * Check that adding an event to the group does not result in anybody
>   * overflowing the 64k event limit imposed by the output buffer.
> @@ -1957,7 +1961,7 @@ static bool perf_event_validate_size(struct perf_event *event)
>  	if (event == group_leader)
>  		return true;
>  
> -	for_each_sibling_event(sibling, group_leader) {
> +	read_for_each_sibling_event(sibling, group_leader) {
>  		if (__perf_event_read_size(sibling->attr.read_format,
>  					   group_leader->nr_siblings + 1) > 16*1024)
>  			return false;
> -- 
> 2.43.0
> 

Re: [syzbot] [perf?] WARNING in perf_event_open

[syzbot]

syzbot suspects this issue was fixed by commit:

commit 7e2c1e4b34f07d9aa8937fab88359d4a0fce468e
Author: Mark Rutland <mark.rutland@arm.com>
Date:   Fri Dec 15 11:24:50 2023 +0000

    perf: Fix perf_event_validate_size() lockdep splat

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=157c509c180000
start commit:   5abde6246522 bpf: Avoid unnecessary use of comma operator ..
git tree:       bpf-next
kernel config:  https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
dashboard link: https://syzkaller.appspot.com/bug?extid=07144c543a5c002c7305
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ba8929e80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17be7265e80000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: perf: Fix perf_event_validate_size() lockdep splat

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Re: [syzbot] [perf?] WARNING in perf_event_open

[Mark Rutland]

On Thu, Feb 22, 2024 at 07:58:02PM -0800, syzbot wrote:
> syzbot suspects this issue was fixed by commit:
> 
> commit 7e2c1e4b34f07d9aa8937fab88359d4a0fce468e
> Author: Mark Rutland <mark.rutland@arm.com>
> Date:   Fri Dec 15 11:24:50 2023 +0000
> 
>     perf: Fix perf_event_validate_size() lockdep splat
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=157c509c180000
> start commit:   5abde6246522 bpf: Avoid unnecessary use of comma operator ..
> git tree:       bpf-next
> kernel config:  https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
> dashboard link: https://syzkaller.appspot.com/bug?extid=07144c543a5c002c7305
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16ba8929e80000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17be7265e80000
> 
> If the result looks correct, please mark the issue as fixed by replying with:
> 
> #syz fix: perf: Fix perf_event_validate_size() lockdep splat

I believe syzbot is correct; this is fixed by commit:

  7e2c1e4b34f07d9a ("perf: Fix perf_event_validate_size() lockdep splat")

... so:

#syz fix: perf: Fix perf_event_validate_size() lockdep splat

Mark.

Re: [syzbot] [perf?] WARNING in perf_event_open

[xingwei lee]

Hello, I reproduced this bug with repro.c and repro.txt with the same
configure in syzbot and comfiled this bug in the lastest
mainline/net/bpf

bpd-next kernel: 441c725ed592cb22f2a82f2827dccd045356cc81
kernel config: https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
and I also notice it maybe the same bug as
https://lore.kernel.org/all/ZXpm6gQ%2Fd59jGsuW@xpf.sh.intel.com/

Anyway

=* repro.c =*
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static void sleep_ms(uint64_t ms) { usleep(ms * 1000); }

static uint64_t current_time_ms(void) {
 struct timespec ts;
 if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1);
 return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len)     \
 *(type*)(addr) =                                                   \
     htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
           (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

static bool write_file(const char* file, const char* what, ...) {
 char buf[1024];
 va_list args;
 va_start(args, what);
 vsnprintf(buf, sizeof(buf), what, args);
 va_end(args);
 buf[sizeof(buf) - 1] = 0;
 int len = strlen(buf);
 int fd = open(file, O_WRONLY | O_CLOEXEC);
 if (fd == -1) return false;
 if (write(fd, buf, len) != len) {
   int err = errno;
   close(fd);
   errno = err;
   return false;
 }
 close(fd);
 return true;
}

static void kill_and_wait(int pid, int* status) {
 kill(-pid, SIGKILL);
 kill(pid, SIGKILL);
 for (int i = 0; i < 100; i++) {
   if (waitpid(-1, status, WNOHANG | __WALL) == pid) return;
   usleep(1000);
 }
 DIR* dir = opendir("/sys/fs/fuse/connections");
 if (dir) {
   for (;;) {
     struct dirent* ent = readdir(dir);
     if (!ent) break;
     if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
       continue;
     char abort[300];
     snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
              ent->d_name);
     int fd = open(abort, O_WRONLY);
     if (fd == -1) {
       continue;
     }
     if (write(fd, abort, 1) < 0) {
     }
     close(fd);
   }
   closedir(dir);
 } else {
 }
 while (waitpid(-1, status, __WALL) != pid) {
 }
}

static void setup_test() {
 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
 setpgrp();
 write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

static void loop(void) {
 int iter = 0;
 for (;; iter++) {
   int pid = fork();
   if (pid < 0) exit(1);
   if (pid == 0) {
     setup_test();
     execute_one();
     exit(0);
   }
   int status = 0;
   uint64_t start = current_time_ms();
   for (;;) {
     if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break;
     sleep_ms(1);
     if (current_time_ms() - start < 5000) continue;
     kill_and_wait(pid, &status);
     break;
   }
 }
}

void execute_one(void) {
 *(uint32_t*)0x2001d000 = 1;
 *(uint32_t*)0x2001d004 = 0x80;
 *(uint8_t*)0x2001d008 = 0;
 *(uint8_t*)0x2001d009 = 0;
 *(uint8_t*)0x2001d00a = 0;
 *(uint8_t*)0x2001d00b = 0;
 *(uint32_t*)0x2001d00c = 0;
 *(uint64_t*)0x2001d010 = 0x7f;
 *(uint64_t*)0x2001d018 = 0;
 *(uint64_t*)0x2001d020 = 0;
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 0, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 1, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 2, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 3, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 4, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 5, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 6, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 7, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 8, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 9, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 10, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 11, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 12, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 13, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 14, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 15, 2);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 17, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 18, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 19, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 20, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 21, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 22, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 23, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 24, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 25, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 26, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 27, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 28, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 29, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 30, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 31, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 32, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 33, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 34, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 35, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 36, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 37, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 38, 26);
 *(uint32_t*)0x2001d030 = 0;
 *(uint32_t*)0x2001d034 = 0;
 *(uint64_t*)0x2001d038 = 0;
 *(uint64_t*)0x2001d040 = 0;
 *(uint64_t*)0x2001d048 = 0;
 *(uint64_t*)0x2001d050 = 0;
 *(uint32_t*)0x2001d058 = 0;
 *(uint32_t*)0x2001d05c = 0;
 *(uint64_t*)0x2001d060 = 0;
 *(uint32_t*)0x2001d068 = 0;
 *(uint16_t*)0x2001d06c = 0;
 *(uint16_t*)0x2001d06e = 0;
 *(uint32_t*)0x2001d070 = 0;
 *(uint32_t*)0x2001d074 = 0;
 *(uint64_t*)0x2001d078 = 0;
 syscall(__NR_perf_event_open, /*attr=*/0x2001d000ul, /*pid=*/0, /*cpu=*/-1,
         /*group=*/-1, /*flags=*/0ul);
}
int main(void) {
 syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
         /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
 syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
         /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
 syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
         /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
 loop();
 return 0;
}

=* repro.txt =*
perf_event_open(&(0x7f000001d000)={0x1, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0,
0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff,
0x0)

and also https://gist.github.com/xrivendell7/128e198d8ff27d003998b4f0cc19bb74

I hope it helps.
Thanks!
Best regards.
xingwei Lee

[syzbot] [crypto?] general protection fault in scatterwalk_copychunks (5)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    39676dfe5233 Add linux-next specific files for 20231222
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=172080a1e80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f3761490b734dc96
dashboard link: https://syzkaller.appspot.com/bug?extid=3eff5e51bf1db122a16e
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=178f6e26e80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15c399e9e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/360542c2ca67/disk-39676dfe.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/900dfb21ca8a/vmlinux-39676dfe.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c94a2a3ea0e0/bzImage-39676dfe.xz

The issue was bisected to:

commit 7bc134496bbbaacb0d4423b819da4eca850a839d
Author: Chengming Zhou <zhouchengming@bytedance.com>
Date:   Mon Dec 18 11:50:31 2023 +0000

    mm/zswap: change dstmem size to one page

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15f60c36e80000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=17f60c36e80000
console output: https://syzkaller.appspot.com/x/log.txt?x=13f60c36e80000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3eff5e51bf1db122a16e@syzkaller.appspotmail.com
Fixes: 7bc134496bbb ("mm/zswap: change dstmem size to one page")

general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 5065 Comm: syz-executor140 Not tainted 6.7.0-rc6-next-20231222-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:scatterwalk_start include/crypto/scatterwalk.h:63 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:83 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:72 [inline]
RIP: 0010:scatterwalk_copychunks+0x3e0/0x560 crypto/scatterwalk.c:50
Code: f0 48 c1 e8 03 80 3c 08 00 0f 85 81 01 00 00 49 8d 44 24 08 4d 89 26 48 bf 00 00 00 00 00 fc ff df 48 89 44 24 10 48 c1 e8 03 <0f> b6 04 38 84 c0 74 08 3c 03 0f 8e 47 01 00 00 48 8b 44 24 08 41
RSP: 0018:ffffc90003a8ecf0 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: ffff88802785d940 RSI: ffffffff8465df74 RDI: dffffc0000000000
RBP: 0000000000001000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000002 R11: 82d8bd1b6060f805 R12: 0000000000000000
R13: 0000000000000014 R14: ffffc90003a8ed88 R15: 0000000000001000
FS:  00005555565c5380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000d5e538 CR3: 0000000079f3a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 scatterwalk_map_and_copy+0x151/0x1d0 crypto/scatterwalk.c:67
 scomp_acomp_comp_decomp+0x3a3/0x780 crypto/scompress.c:149
 crypto_acomp_compress include/crypto/acompress.h:302 [inline]
 zswap_store+0x98b/0x2430 mm/zswap.c:1666
 swap_writepage+0x8e/0x220 mm/page_io.c:198
 pageout+0x399/0x9e0 mm/vmscan.c:656
 shrink_folio_list+0x2f47/0x3ea0 mm/vmscan.c:1319
 reclaim_folio_list+0xe4/0x3a0 mm/vmscan.c:2104
 reclaim_pages+0x483/0x6a0 mm/vmscan.c:2140
 madvise_cold_or_pageout_pte_range+0x129e/0x1f70 mm/madvise.c:526
 walk_pmd_range mm/pagewalk.c:143 [inline]
 walk_pud_range mm/pagewalk.c:221 [inline]
 walk_p4d_range mm/pagewalk.c:256 [inline]
 walk_pgd_range+0xa48/0x1870 mm/pagewalk.c:293
 __walk_page_range+0x630/0x770 mm/pagewalk.c:395
 walk_page_range+0x626/0xa80 mm/pagewalk.c:521
 madvise_pageout_page_range mm/madvise.c:585 [inline]
 madvise_pageout+0x32c/0x820 mm/madvise.c:612
 madvise_vma_behavior+0x1cc/0x1b50 mm/madvise.c:1031
 madvise_walk_vmas+0x1cf/0x2c0 mm/madvise.c:1260
 do_madvise+0x333/0x660 mm/madvise.c:1440
 __do_sys_madvise mm/madvise.c:1453 [inline]
 __se_sys_madvise mm/madvise.c:1451 [inline]
 __x64_sys_madvise+0xa9/0x110 mm/madvise.c:1451
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x62/0x6a
RIP: 0033:0x7f15a5e14b69
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffde7b4a5c8 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f15a5e14b69
RDX: 0000000000000015 RSI: 0000000000c00304 RDI: 0000000020000000
RBP: 0000000000000000 R08: 00005555565c6610 R09: 00005555565c6610
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffde7b4a808 R14: 0000000000000001 R15: 0000000000000001
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:scatterwalk_start include/crypto/scatterwalk.h:63 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:83 [inline]
RIP: 0010:scatterwalk_pagedone include/crypto/scatterwalk.h:72 [inline]
RIP: 0010:scatterwalk_copychunks+0x3e0/0x560 crypto/scatterwalk.c:50
Code: f0 48 c1 e8 03 80 3c 08 00 0f 85 81 01 00 00 49 8d 44 24 08 4d 89 26 48 bf 00 00 00 00 00 fc ff df 48 89 44 24 10 48 c1 e8 03 <0f> b6 04 38 84 c0 74 08 3c 03 0f 8e 47 01 00 00 48 8b 44 24 08 41
RSP: 0018:ffffc90003a8ecf0 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: ffff88802785d940 RSI: ffffffff8465df74 RDI: dffffc0000000000
RBP: 0000000000001000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000002 R11: 82d8bd1b6060f805 R12: 0000000000000000
R13: 0000000000000014 R14: ffffc90003a8ed88 R15: 0000000000001000
FS:  00005555565c5380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000d5e538 CR3: 0000000079f3a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	f0 48 c1 e8 03       	lock shr $0x3,%rax
   5:	80 3c 08 00          	cmpb   $0x0,(%rax,%rcx,1)
   9:	0f 85 81 01 00 00    	jne    0x190
   f:	49 8d 44 24 08       	lea    0x8(%r12),%rax
  14:	4d 89 26             	mov    %r12,(%r14)
  17:	48 bf 00 00 00 00 00 	movabs $0xdffffc0000000000,%rdi
  1e:	fc ff df
  21:	48 89 44 24 10       	mov    %rax,0x10(%rsp)
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	0f b6 04 38          	movzbl (%rax,%rdi,1),%eax <-- trapping instruction
  2e:	84 c0                	test   %al,%al
  30:	74 08                	je     0x3a
  32:	3c 03                	cmp    $0x3,%al
  34:	0f 8e 47 01 00 00    	jle    0x181
  3a:	48 8b 44 24 08       	mov    0x8(%rsp),%rax
  3f:	41                   	rex.B


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [perf?] WARNING in perf_event_open

[Edward Adam Davis]

please test WARNING in perf_event_open

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 39676dfe5233

diff --git a/mm/madvise.c b/mm/madvise.c
index 912155a94ed5..8fd3e00af243 100644
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -1405,6 +1405,9 @@ int do_madvise(struct mm_struct *mm, unsigned long start, size_t len_in, int beh
 	if (!madvise_behavior_valid(behavior))
 		return -EINVAL;
 
+	if (!start)
+		return -EINVAL;
+
 	if (!PAGE_ALIGNED(start))
 		return -EINVAL;
 	len = PAGE_ALIGN(len_in);