* [syzbot] WARNING: ODEBUG bug in htab_map_alloc
From: syzbot @ 2022-09-09 22:48 UTC (permalink / raw)
To: andrii, ast, bpf, daniel, haoluo, john.fastabend, jolsa, kpsingh,
linux-kernel, martin.lau, netdev, sdf, song, syzkaller-bugs, yhs
Hello,
syzbot found the following issue on:
HEAD commit: 274052a2b0ab Merge branch 'bpf-allocator'
git tree: bpf-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11a26bcd080000
kernel config: https://syzkaller.appspot.com/x/.config?x=924833c12349a8c0
dashboard link: https://syzkaller.appspot.com/bug?extid=5d1da78b375c3b5e6c2b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=114109f5080000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11b3b56d080000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/be8eff3df48b/disk-274052a2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cd3150e84ddd/vmlinux-274052a2.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5d1da78b375c3b5e6c2b@syzkaller.appspotmail.com
------------[ cut here ]------------
ODEBUG: free active (active state 0) object type: percpu_counter hint: 0x0
WARNING: CPU: 0 PID: 3624 at lib/debugobjects.c:502 debug_print_object+0x16e/0x250 lib/debugobjects.c:502
Modules linked in:
CPU: 0 PID: 3624 Comm: syz-executor257 Not tainted 5.19.0-syzkaller-14117-g274052a2b0ab #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
RIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:502
Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 af 00 00 00 48 8b 14 dd 60 0c 49 8a 4c 89 ee 48 c7 c7 00 00 49 8a e8 df f1 38 05 <0f> 0b 83 05 65 86 dd 09 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffc90003edfa90 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: ffff8880773cbb00 RSI: ffffffff8161f148 RDI: fffff520007dbf44
RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: ffffffff8a4b90c0
R13: ffffffff8a490520 R14: 0000000000000000 R15: dffffc0000000000
FS: 00007f0136485700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200004c0 CR3: 0000000072b25000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__debug_check_no_obj_freed lib/debugobjects.c:989 [inline]
debug_check_no_obj_freed+0x301/0x420 lib/debugobjects.c:1020
slab_free_hook mm/slub.c:1729 [inline]
slab_free_freelist_hook+0xeb/0x1c0 mm/slub.c:1780
slab_free mm/slub.c:3534 [inline]
kfree+0xe2/0x580 mm/slub.c:4562
kvfree+0x42/0x50 mm/util.c:655
htab_map_alloc+0xc76/0x1620 kernel/bpf/hashtab.c:632
find_and_alloc_map kernel/bpf/syscall.c:131 [inline]
map_create kernel/bpf/syscall.c:1105 [inline]
__sys_bpf+0xa82/0x5f80 kernel/bpf/syscall.c:4938
__do_sys_bpf kernel/bpf/syscall.c:5060 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5058 [inline]
__x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:5058
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f01364d3919
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0136485318 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f013655b3e8 RCX: 00007f01364d3919
RDX: 0000000000000048 RSI: 00000000200004c0 RDI: 0000000000000000
RBP: 00007f013655b3e0 R08: 00007f0136485700 R09: 0000000000000000
R10: 00007f0136485700 R11: 0000000000000246 R12: 00007f013655b3ec
R13: 00007ffee9a220af R14: 00007f0136485400 R15: 0000000000022000
</TASK>
irq event stamp: 19441
hardirqs last enabled at (19445): [<ffffffff816188e8>] __down_trylock_console_sem+0x108/0x120 kernel/printk/printk.c:247
hardirqs last disabled at (19448): [<ffffffff816188ca>] __down_trylock_console_sem+0xea/0x120 kernel/printk/printk.c:245
softirqs last enabled at (19350): [<ffffffff814914c3>] invoke_softirq kernel/softirq.c:445 [inline]
softirqs last enabled at (19350): [<ffffffff814914c3>] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
softirqs last disabled at (19341): [<ffffffff814914c3>] invoke_softirq kernel/softirq.c:445 [inline]
softirqs last disabled at (19341): [<ffffffff814914c3>] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
* [PATCH] bpf: add missing percpu_counter_destroy() in htab_map_alloc()
From: Tetsuo Handa @ 2022-09-10 15:07 UTC (permalink / raw)
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Kumar Kartikeya Dwivedi
Cc: syzbot, syzkaller-bugs, bpf, netdev
syzbot is reporting ODEBUG bug in htab_map_alloc() [1], for
commit 86fe28f7692d96d2 ("bpf: Optimize element count in non-preallocated
hash map.") added percpu_counter_init() to htab_map_alloc() but forgot to
add percpu_counter_destroy() to the error path.
Link: https://syzkaller.appspot.com/bug?extid=5d1da78b375c3b5e6c2b [1]
Reported-by: syzbot <syzbot+5d1da78b375c3b5e6c2b@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Fixes: 86fe28f7692d96d2 ("bpf: Optimize element count in non-preallocated hash map.")
---
kernel/bpf/hashtab.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index 0fe3f136cbbe..86aec20c22d0 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -622,6 +622,8 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr)
free_prealloc:
prealloc_destroy(htab);
free_map_locked:
+ if (htab->use_percpu_counter)
+ percpu_counter_destroy(&htab->pcount);
for (i = 0; i < HASHTAB_MAP_LOCK_COUNT; i++)
free_percpu(htab->map_locked[i]);
bpf_map_area_free(htab->buckets);
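Review bot: at the free_map_locked label the new percpu_counter_destroy() call is reached by every goto to that label and by fall-through from free_prealloc, and it is guarded only by htab->use_percpu_counter. The hunk does not show where that flag is set relative to percpu_counter_init(), so the commit message should say which failing step leaves the counter initialised, and confirm that no path arrives here with the flag set but the counter not yet initialised.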
--
2.18.4
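A user-space model of why the missing percpu_counter_destroy() trips ODEBUG, added here as an illustration and not code from the kernel or from this thread. set_slot(), checked_free() and failing_alloc() are hypothetical stand-ins for the debugobjects table, kfree() with its free-time check (the debug_check_no_obj_freed frame in the trace), and the error path of htab_map_alloc().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_TRACKED 8
static const void *active[MAX_TRACKED];    /* toy table of still-active objects */
struct counter { long count; };                            /* models percpu_counter */
struct htab { bool use_counter; struct counter pcount; };  /* models bpf_htab */

/* Replace the first slot holding `from` with `to`. */
static void set_slot(const void *from, const void *to)
{
	for (int i = 0; i < MAX_TRACKED; i++)
		if (active[i] == from) { active[i] = to; return; }
}
static void counter_init(struct counter *c)    { c->count = 0; set_slot(NULL, c); }
static void counter_destroy(struct counter *c) { set_slot(c, NULL); }

/* free() plus the ODEBUG-style check: count and drop every object that is
 * still active inside the range being freed. */
static int checked_free(void *p, size_t len)
{
	int warnings = 0;
	for (int i = 0; i < MAX_TRACKED; i++) {
		uintptr_t a = (uintptr_t)active[i], lo = (uintptr_t)p;
		if (active[i] && a >= lo && a < lo + len) {
			warnings++;             /* "free active object" */
			active[i] = NULL;
		}
	}
	free(p);
	return warnings;
}

/* Runs only the error path; returns how many warnings the unwind raised. */
int failing_alloc(bool destroy_on_error)
{
	struct htab *h = calloc(1, sizeof(*h));
	if (!h)
		return -1;
	h->use_counter = true;
	counter_init(&h->pcount);
	/* a later allocation step fails here, so unwind */
	if (destroy_on_error && h->use_counter)     /* the two lines the patch adds */
		counter_destroy(&h->pcount);
	return checked_free(h, sizeof(*h));
}

int main(void)
{
	return failing_alloc(false) == 1 && failing_alloc(true) == 0 ? 0 : 1;
}
```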
* Re: [PATCH] bpf: add missing percpu_counter_destroy() in htab_map_alloc()
From: sdf @ 2022-09-10 20:16 UTC (permalink / raw)
To: Tetsuo Handa
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Kumar Kartikeya Dwivedi, syzbot, syzkaller-bugs, bpf, netdev
On 09/11, Tetsuo Handa wrote:
> syzbot is reporting ODEBUG bug in htab_map_alloc() [1], for
> commit 86fe28f7692d96d2 ("bpf: Optimize element count in non-preallocated
> hash map.") added percpu_counter_init() to htab_map_alloc() but forgot to
> add percpu_counter_destroy() to the error path.
> Link: https://syzkaller.appspot.com/bug?extid=5d1da78b375c3b5e6c2b [1]
> Reported-by: syzbot
> <syzbot+5d1da78b375c3b5e6c2b@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Thanks!
Reviewed-by: Stanislav Fomichev <sdf@google.com>
> Fixes: 86fe28f7692d96d2 ("bpf: Optimize element count in non-preallocated
> hash map.")
> ---
> kernel/bpf/hashtab.c | 2 ++
> 1 file changed, 2 insertions(+)
> diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
> index 0fe3f136cbbe..86aec20c22d0 100644
> --- a/kernel/bpf/hashtab.c
> +++ b/kernel/bpf/hashtab.c
> @@ -622,6 +622,8 @@ static struct bpf_map *htab_map_alloc(union bpf_attr
> *attr)
> free_prealloc:
> prealloc_destroy(htab);
> free_map_locked:
> + if (htab->use_percpu_counter)
> + percpu_counter_destroy(&htab->pcount);
> for (i = 0; i < HASHTAB_MAP_LOCK_COUNT; i++)
> free_percpu(htab->map_locked[i]);
> bpf_map_area_free(htab->buckets);
> --
> 2.18.4
* Re: [PATCH] kernel/bpf: htab_map_alloc() exit by free_map_locked logic issue
From: Stanislav Fomichev @ 2022-09-10 20:29 UTC (permalink / raw)
To: eadavis
Cc: syzbot+5d1da78b375c3b5e6c2b, andrii, ast, bpf, daniel, haoluo,
john.fastabend, jolsa, kpsingh, linux-kernel, martin.lau, netdev,
song, syzkaller-bugs, yhs, eadivs
On Fri, Sep 9, 2022 at 7:07 PM <eadavis@sina.com> wrote:
>
> From: eadivs <eadivs@sina.com>
>
> syzbot is reporting WARNING: ODEBUG bug in htab_map_alloc(), the
> loop exits without reaching length HASHTAB_MAP_LOCK_COUNT, and
> the loop continues HASHTAB_MAP_LOCK_COUNT times in label
> free_map_locked.
Please use [PATCH bpf] vs [PATCH bpf-next] in subject to indicate
which tree you're targeting.
Also, it seems your email hasn't reached the mailing list for some reason.
Are you sure that the issue is due to HASHTAB_MAP_LOCK_COUNT? The code
seems fine as is; unconditionally calling free on NULL shouldn't be an
issue.
htab_map_alloc+0xc76/0x1620 kernel/bpf/hashtab.c:632
Which, if I'm looking at the function is:
bpf_map_area_free(htab);
?
> Link: https://syzkaller.appspot.com/bug?extid=5d1da78b375c3b5e6c2b
> Reported-by: syzbot+5d1da78b375c3b5e6c2b@syzkaller.appspotmail.com
> Signed-off-by: eadivs <eadivs@sina.com>
> ---
> kernel/bpf/hashtab.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
> index 65877967f414..f5381e1c00a6 100644
> --- a/kernel/bpf/hashtab.c
> +++ b/kernel/bpf/hashtab.c
> @@ -473,7 +473,7 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr)
> bool percpu_lru = (attr->map_flags & BPF_F_NO_COMMON_LRU);
> bool prealloc = !(attr->map_flags & BPF_F_NO_PREALLOC);
> struct bpf_htab *htab;
> - int err, i;
> + int err, i, j = HASHTAB_MAP_LOCK_COUNT;
>
> htab = kzalloc(sizeof(*htab), GFP_USER | __GFP_ACCOUNT);
> if (!htab)
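Review bot: in the declaration `int err, i, j = HASHTAB_MAP_LOCK_COUNT;` the name j says nothing about its role as the number of map_locked[] entries to free, and the initialiser is easy to miss next to the uninitialised err and i. A separate line with a descriptive name (for example nr_locked, a suggested name) would make the cleanup loop's bound readable.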
> @@ -523,8 +523,10 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr)
> sizeof(int),
> sizeof(int),
> GFP_USER);
> - if (!htab->map_locked[i])
> + if (!htab->map_locked[i]) {
> + j = i;
> goto free_map_locked;
> + }
> }
>
> if (htab->map.map_flags & BPF_F_ZERO_SEED)
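Review bot: setting j = i on the failed-allocation branch only changes behaviour if the unfilled map_locked[] slots can be non-NULL, yet htab is obtained with kzalloc() in the first hunk, so those slots are NULL when the cleanup loop reaches them. The commit message should explain what the shorter loop fixes, given that the syzbot warning names a percpu_counter object rather than a map_locked[] entry.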
> @@ -554,7 +556,7 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr)
> free_prealloc:
> prealloc_destroy(htab);
> free_map_locked:
> - for (i = 0; i < HASHTAB_MAP_LOCK_COUNT; i++)
> + for (i = 0; i < j; i++)
> free_percpu(htab->map_locked[i]);
> bpf_map_area_free(htab->buckets);
> free_htab:
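Review bot: with the bound changed to `i < j`, the loop at free_map_locked is correct for fall-through from free_prealloc only because of j's initialiser far above in the declarations. A short comment at the label stating that j is HASHTAB_MAP_LOCK_COUNT unless the allocation loop stopped early would keep the two in step.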
> --
> 2.37.2
>
* Re: [PATCH] bpf: add missing percpu_counter_destroy() in htab_map_alloc()
From: Alexei Starovoitov @ 2022-09-10 23:11 UTC (permalink / raw)
To: Tetsuo Handa
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Kumar Kartikeya Dwivedi, syzbot, syzkaller-bugs, bpf,
Network Development
On Sat, Sep 10, 2022 at 8:08 AM Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
>
> syzbot is reporting ODEBUG bug in htab_map_alloc() [1], for
> commit 86fe28f7692d96d2 ("bpf: Optimize element count in non-preallocated
> hash map.") added percpu_counter_init() to htab_map_alloc() but forgot to
> add percpu_counter_destroy() to the error path.
>
> Link: https://syzkaller.appspot.com/bug?extid=5d1da78b375c3b5e6c2b [1]
> Reported-by: syzbot <syzbot+5d1da78b375c3b5e6c2b@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Fixes: 86fe28f7692d96d2 ("bpf: Optimize element count in non-preallocated hash map.")
> ---
> kernel/bpf/hashtab.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
> index 0fe3f136cbbe..86aec20c22d0 100644
> --- a/kernel/bpf/hashtab.c
> +++ b/kernel/bpf/hashtab.c
> @@ -622,6 +622,8 @@ static struct bpf_map *htab_map_alloc(union bpf_attr *attr)
> free_prealloc:
> prealloc_destroy(htab);
> free_map_locked:
> + if (htab->use_percpu_counter)
> + percpu_counter_destroy(&htab->pcount);
Thank you for the fix! Applied
* Re: [PATCH] bpf: add missing percpu_counter_destroy() in htab_map_alloc()
From: patchwork-bot+netdevbpf @ 2022-09-10 23:20 UTC (permalink / raw)
To: Tetsuo Handa
Cc: ast, daniel, andrii, memxor, syzbot+5d1da78b375c3b5e6c2b,
syzkaller-bugs, bpf, netdev
Hello:
This patch was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@kernel.org>:
On Sun, 11 Sep 2022 00:07:11 +0900 you wrote:
> syzbot is reporting ODEBUG bug in htab_map_alloc() [1], for
> commit 86fe28f7692d96d2 ("bpf: Optimize element count in non-preallocated
> hash map.") added percpu_counter_init() to htab_map_alloc() but forgot to
> add percpu_counter_destroy() to the error path.
>
> Link: https://syzkaller.appspot.com/bug?extid=5d1da78b375c3b5e6c2b [1]
> Reported-by: syzbot <syzbot+5d1da78b375c3b5e6c2b@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Fixes: 86fe28f7692d96d2 ("bpf: Optimize element count in non-preallocated hash map.")
>
> [...]
Here is the summary with links:
- bpf: add missing percpu_counter_destroy() in htab_map_alloc()
https://git.kernel.org/bpf/bpf-next/c/cf7de6a53600
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html