* Potential Linux Crash: WARNING in release_bp_slot  in linux6.12.24(longterm maintenance)
@ 2025-04-24  7:50 ffhgfv
From: ffhgfv @ 2025-04-24  7:50 UTC
  To: stable
  Cc: peterz, mingo,
	acme, namhyung,
	mark.rutland,
	alexander.shishkin, jolsa,
	irogers, adrian.hunter,
	kan.liang,
	linux-perf-users,
	linux-kernel


Hello, I found a potential bug titled "WARNING in release_bp_slot" with a modified syzkaller in Linux 6.12.24 (longterm maintenance, last updated on April 20, 2025).
If you fix this issue, please add the following tag to the commit: Reported-by: Jianzhou Zhao <xnxc22xnxc22@qq.com>, xingwei lee <xrivendell7@gmail.com>, Penglei Jiang <superman.xpt@gmail.com>
The commit of the kernel is: b6efa8ce222e58cfe2bbaa4e3329818c2b4bd74e
kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=55f8591b98dd132
compiler: gcc version 11.4.0
The reproduction program, written in C, is at the end.
------------[ cut here ]-----------------------------------------
 TITLE: WARNING in release_bp_slot
------------[ cut here ]------------
loop2: detected capacity change from 0 to 64
------------[ cut here ]------------
WARNING: CPU: 1 PID: 38650 at kernel/events/hw_breakpoint.c:614 __release_bp_slot kernel/events/hw_breakpoint.c:614 [inline]
WARNING: CPU: 1 PID: 38650 at kernel/events/hw_breakpoint.c:614 __release_bp_slot kernel/events/hw_breakpoint.c:607 [inline]
WARNING: CPU: 1 PID: 38650 at kernel/events/hw_breakpoint.c:614 release_bp_slot+0x6b/0x90 kernel/events/hw_breakpoint.c:621
Modules linked in:
CPU: 1 UID: 0 PID: 38650 Comm: syz.2.3497 Not tainted 6.12.24 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__release_bp_slot kernel/events/hw_breakpoint.c:614 [inline]
RIP: 0010:__release_bp_slot kernel/events/hw_breakpoint.c:607 [inline]
RIP: 0010:release_bp_slot+0x6b/0x90 kernel/events/hw_breakpoint.c:621
Code: e8 8a c1 ff ff 31 ff 89 c5 89 c6 e8 7f 95 ce ff 85 ed 75 10 e8 86 9a ce ff 4c 89 e7 5d 41 5c e9 7b b7 ff ff e8 76 9a ce ff 90 <0f> 0b 90 e8 6d 9a ce ff 4c 89 e7 5d 41 5c e9 62 b7 ff ff e8 3d c3
RSP: 0018:ffffc90006effc58 EFLAGS: 00010206
RAX: 0000000000000300 RBX: ffff888027788620 RCX: ffffc90010ce2000
RDX: 0000000000080000 RSI: ffffffff81bd948a RDI: 0000000000000005
RBP: 00000000fffffffe R08: 0000000000000001 R09: ffff88804cc82fd8
R10: 00000000fffffffe R11: 0000000000000000 R12: ffff88804cc83928
R13: ffff8880277886b8 R14: ffff888027788b98 R15: 00000000ffffffa1
FS:  00007ff310df6640(0000) GS:ffff88807ee00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2000b85150 CR3: 000000007ce38000 CR4: 0000000000752ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 80000000
Call Trace:
 <task>
 __free_event+0x1d9/0x870 kernel/events/core.c:5330
 perf_event_alloc.part.0+0x1225/0x3620 kernel/events/core.c:12437
 perf_event_alloc kernel/events/core.c:12749 [inline]
 __do_sys_perf_event_open+0x4c9/0x2c40 kernel/events/core.c:12847
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff312fad5ad
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff310df5f98 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 00007ff3131e5fa0 RCX: 00007ff312fad5ad
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00002000000004c0
RBP: 00007ff313046d56 R08: 000000000000000a R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007ff3131e5fa0 R15: 00007ff310dd6000
 </task>
==================================================================
The following is the PoC:
--------------------------------------------------------------------------------------
#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len)               \
  *(type*)(addr) =                                                             \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) |           \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

int main(void)
{
  syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  const char* reason;
  (void)reason;
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  /* struct perf_event_attr at 0x2000000004c0: type = 5 (PERF_TYPE_BREAKPOINT), size = 0x80 */
  *(uint32_t*)0x2000000004c0 = 5;
  *(uint32_t*)0x2000000004c4 = 0x80;
  *(uint8_t*)0x2000000004c8 = 8;
  *(uint8_t*)0x2000000004c9 = 0xaf;
  *(uint8_t*)0x2000000004ca = 0;
  *(uint8_t*)0x2000000004cb = 8;
  *(uint32_t*)0x2000000004cc = 0;
  *(uint64_t*)0x2000000004d0 = 4;
  *(uint64_t*)0x2000000004d8 = 0x402;
  *(uint64_t*)0x2000000004e0 = 0xc;
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 0, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 1, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 2, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 3, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 4, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 5, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 6, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 7, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 8, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 9, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 10, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 11, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 12, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 13, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 14, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 15, 2);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 17, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 18, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 19, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 20, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 21, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 22, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 23, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 24, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 25, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 26, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 27, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 28, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 29, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 30, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 31, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 32, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 33, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 34, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 35, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 1, 36, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 37, 1);
  STORE_BY_BITMASK(uint64_t, , 0x2000000004e8, 0, 38, 26);
  *(uint32_t*)0x2000000004f0 = 2;      /* wakeup_events */
  *(uint32_t*)0x2000000004f4 = 2;      /* bp_type = HW_BREAKPOINT_W */
  *(uint64_t*)0x2000000004f8 = 0x8000; /* bp_addr */
  *(uint64_t*)0x200000000500 = 2;      /* bp_len = HW_BREAKPOINT_LEN_2 */
  *(uint64_t*)0x200000000508 = 0x100001;
  *(uint64_t*)0x200000000510 = 0x839;
  *(uint32_t*)0x200000000518 = 8;
  *(uint32_t*)0x20000000051c = 7;
  *(uint64_t*)0x200000000520 = 0x8000000000000000;
  *(uint32_t*)0x200000000528 = 0x5e4;
  *(uint16_t*)0x20000000052c = 0xfefd;
  *(uint16_t*)0x20000000052e = 0;
  *(uint32_t*)0x200000000530 = 0x10000004;
  *(uint32_t*)0x200000000534 = 0;
  *(uint64_t*)0x200000000538 = 0x40000000000002;
  syscall(__NR_perf_event_open, /*attr=*/0x2000000004c0ul, /*pid=*/0,
          /*cpu=*/0ul, /*group=*/(intptr_t)-1,
          /*flags=PERF_FLAG_FD_CLOEXEC|PERF_FLAG_FD_OUTPUT*/ 0xaul);
  return 0;
}



I hope it helps.
Best regards
Jianzhou Zhao
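Added here as a worked example, not part of the report above or of the kernel tree: a small Python triage helper that turns a kernel WARNING block like the one in this report into a structured record (the faulting file:line, the task, the kernel version, the symbolized call trace and the syscall that reached the warning), plus a dedup key for grouping repeated reports. The sample input is the report's own WARNING and call-trace lines, embedded as a constructed string with registers and Code: bytes omitted. The title rule used here (first WARNING frame not marked [inline]) is this parser's own convention; it reproduces the title the report uses, but it is not claimed to be syzkaller's algorithm.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the WARNING block and call trace from the report above,
# reduced to the lines this parser consumes.
SAMPLE_OOPS = """\
loop2: detected capacity change from 0 to 64
------------[ cut here ]------------
WARNING: CPU: 1 PID: 38650 at kernel/events/hw_breakpoint.c:614 __release_bp_slot kernel/events/hw_breakpoint.c:614 [inline]
WARNING: CPU: 1 PID: 38650 at kernel/events/hw_breakpoint.c:614 __release_bp_slot kernel/events/hw_breakpoint.c:607 [inline]
WARNING: CPU: 1 PID: 38650 at kernel/events/hw_breakpoint.c:614 release_bp_slot+0x6b/0x90 kernel/events/hw_breakpoint.c:621
Modules linked in:
CPU: 1 UID: 0 PID: 38650 Comm: syz.2.3497 Not tainted 6.12.24 #3
Call Trace:
 <task>
 __free_event+0x1d9/0x870 kernel/events/core.c:5330
 perf_event_alloc.part.0+0x1225/0x3620 kernel/events/core.c:12437
 perf_event_alloc kernel/events/core.c:12749 [inline]
 __do_sys_perf_event_open+0x4c9/0x2c40 kernel/events/core.c:12847
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </task>
"""

# "WARNING: CPU: n PID: m at file:line func[+off/size] [file:line] [[inline]]"
WARN_RE = re.compile(
    r"^WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at (?P<file>\S+?):(?P<line>\d+) "
    r"(?P<func>[^\s+]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?: \S+:\d+)?(?P<inline> \[inline\])?$"
)
# "CPU: n [UID: u] PID: m Comm: name Not tainted|Tainted: ... version #build"
TASK_RE = re.compile(
    r"^CPU: \d+ (?:UID: \d+ )?PID: \d+ Comm: (?P<comm>\S+) "
    r"(?P<taint>Not tainted|Tainted: .+?) (?P<version>\S+) #\d+$"
)
# One symbolized stack frame: " func[+off/size] [file:line] [[inline]]"
FRAME_RE = re.compile(
    r"^\s+(?P<func>[^\s+]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?: (?P<loc>\S+:\d+))?(?P<inline> \[inline\])?$"
)
# Kernel syscall wrapper prefixes (e.g. __do_sys_perf_event_open -> perf_event_open)
SYSCALL_RE = re.compile(r"^(?:__do_sys_|__se_sys_|__x64_sys_|__ia32_sys_|__arm64_sys_)(\w+)$")


@dataclass
class Frame:
    func: str
    loc: Optional[str]
    inline: bool


@dataclass
class Report:
    title: Optional[str] = None
    cpu: Optional[int] = None
    pid: Optional[int] = None
    warn_file: Optional[str] = None
    warn_line: Optional[int] = None
    comm: Optional[str] = None
    taint: Optional[str] = None
    version: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)

    @property
    def syscall(self) -> Optional[str]:
        """Name of the first syscall wrapper found in the call trace, if any."""
        for f in self.frames:
            m = SYSCALL_RE.match(f.func)
            if m:
                return m.group(1)
        return None

    @property
    def dedup_key(self) -> str:
        """Grouping key: title plus the file:line of the WARN_ON that fired."""
        return f"{self.title}@{self.warn_file}:{self.warn_line}"


def parse_oops(text: str) -> Report:
    """Parse one WARNING block (header lines plus the <task> call trace)."""
    report = Report()
    in_trace = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not in_trace:
            m = WARN_RE.match(line)
            if m:
                if report.warn_file is None:  # location comes from the first WARNING line
                    report.cpu, report.pid = int(m["cpu"]), int(m["pid"])
                    report.warn_file, report.warn_line = m["file"], int(m["line"])
                if report.title is None and not m["inline"]:  # first non-inlined frame names the title
                    report.title = f"WARNING in {m['func']}"
                continue
            m = TASK_RE.match(line)
            if m:
                report.comm, report.taint, report.version = m["comm"], m["taint"], m["version"]
                continue
            if line.strip() == "Call Trace:":
                in_trace = True
            continue
        stripped = line.strip()
        if stripped == "</task>":
            break
        if stripped == "<task>":
            continue
        m = FRAME_RE.match(line)
        if m:
            report.frames.append(Frame(m["func"], m["loc"], bool(m["inline"])))
    return report


if __name__ == "__main__":
    r = parse_oops(SAMPLE_OOPS)
    print(r.dedup_key, r.comm, r.version, "via", r.syscall)
    for f in r.frames:
        print(" ", f.func, f.loc or "", "[inline]" if f.inline else "")
```

Run on the sample, the record identifies the warning as `WARNING in release_bp_slot` at `kernel/events/hw_breakpoint.c:614`, reached from the `perf_event_open` syscall by task `syz.2.3497` on an untainted 6.12.24 kernel; the same `dedup_key` across several reports is the signal that they are one bug rather than several.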


* Re: Potential Linux Crash: WARNING in release_bp_slot  in linux6.12.24(longterm maintenance)
@ 2025-04-24  9:32 ` Greg KH
From: Greg KH @ 2025-04-24  9:32 UTC
  To: ffhgfv
  Cc: stable, peterz, mingo, acme, namhyung, mark.rutland,
	alexander.shishkin, jolsa, irogers, adrian.hunter, kan.liang,
	linux-perf-users, linux-kernel

On Thu, Apr 24, 2025 at 03:50:53AM -0400, ffhgfv wrote:
> Hello, I found a potential bug titled "WARNING in release_bp_slot" with a modified syzkaller in Linux 6.12.24 (longterm maintenance, last updated on April 20, 2025).
> If you fix this issue, please add the following tag to the commit: Reported-by: Jianzhou Zhao <xnxc22xnxc22@qq.com>, xingwei lee <xrivendell7@gmail.com>, Penglei Jiang <superman.xpt@gmail.com>

As you have a reproducer, you are in the best position to create a fix
for this as you can test it.  Please do so, such that you can get credit
for resolving the issue.

thanks,

greg k-h
