* [syzbot] unexpected kernel reboot (5)
From: syzbot @ 2021-05-27 1:30 UTC
To: linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    7ac3a1c1 Merge tag 'mtd/fixes-for-5.13-rc4' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15b43813d00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=266cda122a0b56c
dashboard link: https://syzkaller.appspot.com/bug?extid=6fb8ff5211d3e821398f

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6fb8ff5211d3e821398f@syzkaller.appspotmail.com

output_len: 0x000000000e7f5b68
kernel_total_size: 0x000000000fc26000
needed_size: 0x000000000fe00000
trampoline_32bit: 0x000000000009d000
Decompressing Linux... Parsing ELF... done.
Booting the kernel.

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

* Re: [syzbot] unexpected kernel reboot (5)
From: syzbot @ 2021-05-27 2:08 UTC
To: linux-kernel, syzkaller-bugs

syzbot has found a reproducer for the following issue on:

HEAD commit:    7ac3a1c1 Merge tag 'mtd/fixes-for-5.13-rc4' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=174ba76fd00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=266cda122a0b56c
dashboard link: https://syzkaller.appspot.com/bug?extid=6fb8ff5211d3e821398f
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10772527d00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1072f98dd00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6fb8ff5211d3e821398f@syzkaller.appspotmail.com

output_len: 0x000000000e7f5b68
kernel_total_size: 0x000000000fc26000
needed_size: 0x000000000fe00000
trampoline_32bit: 0x000000000009d000
Decompressing Linux... Parsing ELF... done.
Booting the kernel.

* Re: [syzbot] unexpected kernel reboot (5)
From: Dmitry Vyukov @ 2021-05-27 6:40 UTC
To: syzbot, Joey Jiao, Tetsuo Handa; +Cc: LKML, syzkaller-bugs

On Thu, May 27, 2021 at 4:08 AM syzbot
<syzbot+6fb8ff5211d3e821398f@syzkaller.appspotmail.com> wrote:
>
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit:    7ac3a1c1 Merge tag 'mtd/fixes-for-5.13-rc4' of git://git.k..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=174ba76fd00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=266cda122a0b56c
> dashboard link: https://syzkaller.appspot.com/bug?extid=6fb8ff5211d3e821398f
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10772527d00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1072f98dd00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+6fb8ff5211d3e821398f@syzkaller.appspotmail.com
>
> output_len: 0x000000000e7f5b68
> kernel_total_size: 0x000000000fc26000
> needed_size: 0x000000000fe00000
> trampoline_32bit: 0x000000000009d000
> Decompressing Linux... Parsing ELF... done.
> Booting the kernel.

The reproducer writes into /sys/power/state. I assume this is an
intentional way to reboot a machine and we can't let the fuzzer mess
with all sysfs files with:

openat$sysfs(fd const[AT_FDCWD], dir ptr[in, glob["/sys/**/*"]], flags
flags[open_flags], mode flags[open_mode]) fd

+Joey, how do you deal with this?

* Re: [syzbot] unexpected kernel reboot (5)
From: Tetsuo Handa @ 2021-05-27 6:59 UTC
To: Dmitry Vyukov, syzbot, Joey Jiao; +Cc: LKML, syzkaller-bugs

On 2021/05/27 15:40, Dmitry Vyukov wrote:
> The reproducer writes into /sys/power/state. I assume this is an
> intentional way to reboot a machine and we can't let the fuzzer mess
> with all sysfs files with:
>
> openat$sysfs(fd const[AT_FDCWD], dir ptr[in, glob["/sys/**/*"]], flags
> flags[open_flags], mode flags[open_mode]) fd
>
> +Joey, how do you deal with this?
>

I have CaitSith LSM module ( https://caitsith.osdn.jp/#5.2 ).
Maybe we could invent a simple LSM module for excluding access to
specific pseudo files?

* Re: [syzbot] unexpected kernel reboot (5)
From: Tetsuo Handa @ 2021-05-27 13:16 UTC
To: joey.jiaojg, Dmitry Vyukov; +Cc: syzbot, LKML, syzkaller-bugs

On 2021/05/27 21:15, joey.jiaojg wrote:
> I tested on qemu and Android device, not found the reboot.
> Any kernel version different?

Kernel version needs to be v5.11-rc5+ because this reproducer
depends on commit f2d6c2708bd8 ("kernfs: wire up ->splice_read
and ->splice_write"). Also, this reproducer depends on contents
of /sys/power/state file.

----------
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/sendfile.h>

int main(int argc, char *argv[])
{
        const int fd = open("/sys/power/state", O_RDWR);
        off_t offset = 7;

        /* Assumes that 3 bytes from offset 7 in /sys/power/state are "mem". */
        sendfile(fd, fd, &offset, 3);
        return 0;
}
----------

On 2021/05/27 21:19, joey.jiaojg wrote:
> Or we can add glob code like
> /sys/**/*:-/sys/power/state to exclude.

Well, since /sys/ includes mount points for other filesystems such as
securityfs ( /sys/kernel/security/ ), debugfs ( /sys/kernel/debug/ )
and cgroup ( /sys/fs/cgroup/ ), just excluding this specific file is not
sufficient. I think we have to start from removing glob["/sys/**/*"] .

* Re: [syzbot] unexpected kernel reboot (5)
From: Dmitry Vyukov @ 2021-05-31 8:50 UTC
To: Tetsuo Handa; +Cc: joey.jiaojg, syzbot, LKML, syzkaller-bugs

On Thu, May 27, 2021 at 3:17 PM Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
>
> On 2021/05/27 21:15, joey.jiaojg wrote:
> > I tested on qemu and Android device, not found the reboot.
> > Any kernel version different?
>
> Kernel version needs to be v5.11-rc5+ because this reproducer
> depends on commit f2d6c2708bd8 ("kernfs: wire up ->splice_read
> and ->splice_write"). Also, this reproducer depends on contents
> of /sys/power/state file.
>
> ----------
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <fcntl.h>
> #include <sys/sendfile.h>
>
> int main(int argc, char *argv[])
> {
>         const int fd = open("/sys/power/state", O_RDWR);
>         off_t offset = 7;
>
>         /* Assumes that 3 bytes from offset 7 in /sys/power/state are "mem". */
>         sendfile(fd, fd, &offset, 3);
>         return 0;
> }
> ----------
>
> On 2021/05/27 21:19, joey.jiaojg wrote:
> > Or we can add glob code like
> > /sys/**/*:-/sys/power/state to exclude.
>
> Well, since /sys/ includes mount points for other filesystems such as
> securityfs ( /sys/kernel/security/ ), debugfs ( /sys/kernel/debug/ )
> and cgroup ( /sys/fs/cgroup/ ), just excluding this specific file is not
> sufficient. I think we have to start from removing glob["/sys/**/*"] .

FTR, Joey is working on support for excluding specific patterns from globs:
https://github.com/google/syzkaller/pull/2602

I agree /sys/**/* may be too broad. On my machine /sys contains 82501 files.
But it's also hard for me to tell what exactly should be included/excluded.
Do we know any definitely bad files/dirs?
Or alternatively, we can just wait for more reports from syzbot when
it opens something we don't want it to open.
The benefit of working on testing :)

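Added example, not part of the thread and not syzkaller's implementation: a matcher for the include:-exclude spec form joey.jiaojg proposes above, showing why Tetsuo Handa's point matters (the single-file exclusion still lets paths under the debugfs, securityfs and cgroup mounts through unless they are excluded as whole subtrees). The function names, the exact star semantics and the sample spec are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not syzkaller code: '*' stays in one path component, a doubled star crosses '/'. */
static int glob_match(const char *p, const char *s)
{
        if (*p == '\0')
                return *s == '\0';
        if (*p == '*') {
                int deep = (p[1] == '*');
                const char *rest = p + 1 + deep;
                /* a doubled star followed by '/' may also match zero directories */
                if (deep && *rest == '/' && glob_match(rest + 1, s))
                        return 1;
                for (;; s++) {
                        if (glob_match(rest, s))
                                return 1;
                        if (*s == '\0' || (!deep && *s == '/'))
                                return 0;
                }
        }
        return *p == *s && glob_match(p + 1, s + 1);
}

/* spec is "include:-exclude:-exclude..."; 1 only if path matches the first pattern and no later one. */
int spec_allows(const char *spec, const char *path)
{
        char buf[512], *pat, *next;

        if (snprintf(buf, sizeof(buf), "%s", spec) >= (int)sizeof(buf))
                return 0;       /* fail closed on an over-long spec */
        for (pat = buf; pat; pat = next) {
                if ((next = strstr(pat, ":-")) != NULL) {
                        *next = '\0';
                        next += 2;
                }
                if (glob_match(pat, path) != (pat == buf))
                        return 0;
        }
        return 1;
}

int main(int argc, char **argv)
{
        /* Constructed spec: the thread's exclusion plus the mounts it names. */
        const char *spec = "/sys/**/*:-/sys/power/state:-/sys/kernel/security/**"
                           ":-/sys/kernel/debug/**:-/sys/fs/cgroup/**";

        for (int i = 1; i < argc; i++)
                printf("%-5s %s\n", spec_allows(spec, argv[i]) ? "allow" : "deny", argv[i]);
        return 0;
}
```

Feeding it paths with find /sys -type f | xargs ./filter shows what survives the spec. A path-based list like this only covers the mount points it names, so it has to be kept in step with whatever else is mounted under /sys.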
* Re: [syzbot] unexpected kernel reboot (5)
From: syzbot @ 2021-05-27 12:12 UTC
To: dvyukov, gregkh, hch, joey.jiaojg, linux-kernel, penguin-kernel, sidgup, syzkaller-bugs

syzbot has bisected this issue to:

commit f2d6c2708bd84ca953fa6b6ca5717e79eb0140c7
Author: Christoph Hellwig <hch@lst.de>
Date:   Wed Jan 20 20:46:31 2021 +0000

    kernfs: wire up ->splice_read and ->splice_write

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=144ee113d00000
start commit:   7ac3a1c1 Merge tag 'mtd/fixes-for-5.13-rc4' of git://git.k..
git tree:       upstream
final oops:     https://syzkaller.appspot.com/x/report.txt?x=164ee113d00000
console output: https://syzkaller.appspot.com/x/log.txt?x=124ee113d00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=266cda122a0b56c
dashboard link: https://syzkaller.appspot.com/bug?extid=6fb8ff5211d3e821398f
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=154e8703d00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=171382d3d00000

Reported-by: syzbot+6fb8ff5211d3e821398f@syzkaller.appspotmail.com
Fixes: f2d6c2708bd8 ("kernfs: wire up ->splice_read and ->splice_write")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection