2022-04-12 23:37:08

by kernel test robot

Subject: [bpf] eb7c103fbf: BUG:KASAN:slab-out-of-bounds_in_bpf_prog_array_copy



Greetings,

FYI, we noticed the following commit (built with gcc-11):

commit: eb7c103fbf74710403742010eea56798063c1f0e ("[RFC PATCH bpf-next 1/2] bpf: tracing: Introduce prio field for bpf_prog")
url: https://github.com/intel-lab-lkp/linux/commits/Dmitrii-Dolgov/Priorities-for-bpf-progs-attached-to-the-same-tracepoint/20220404-000954
base: https://git.kernel.org/cgit/linux/kernel/git/bpf/bpf-next.git master
patch link: https://lore.kernel.org/bpf/[email protected]

in testcase: perf-event-tests
version: perf-event-tests-x86_64-bed0747-1_20220324
with following parameters:

paranoid: disallow_raw_tracepoint
ucode: 0x28

test-description: The Perf Event Testsuite.
test-url: https://github.com/deater/perf_event_tests


on test machine: 8 threads 1 sockets Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz with 8G memory

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):



If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <[email protected]>


[ 69.992300][ T2174] BUG: KASAN: slab-out-of-bounds in bpf_prog_array_copy (kernel/bpf/core.c:2472)
[ 70.000150][ T2174] Write of size 8 at addr ffff88817807d3b8 by task ioctl_10_query_/2174
[ 70.008347][ T2174]
[ 70.010536][ T2174] CPU: 2 PID: 2174 Comm: ioctl_10_query_ Not tainted 5.17.0-13513-geb7c103fbf74 #1
[ 70.019691][ T2174] Hardware name: Dell Inc. OptiPlex 9020/0DNKMN, BIOS A05 12/05/2013
[ 70.027638][ T2174] Call Trace:
[ 70.030793][ T2174] <TASK>
[ 70.033603][ T2174] ? bpf_prog_array_copy (kernel/bpf/core.c:2472)
[ 70.038754][ T2174] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
[ 70.043124][ T2174] print_address_description+0x1f/0x200
[ 70.049583][ T2174] ? bpf_prog_array_copy (kernel/bpf/core.c:2472)
[ 70.054744][ T2174] print_report.cold (mm/kasan/report.c:430)
[ 70.059460][ T2174] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 70.064787][ T2174] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
[ 70.069069][ T2174] ? bpf_prog_array_copy (kernel/bpf/core.c:2472)
[ 70.074219][ T2174] bpf_prog_array_copy (kernel/bpf/core.c:2472)
[ 70.079195][ T2174] perf_event_attach_bpf_prog (kernel/trace/bpf_trace.c:1910)
[ 70.084785][ T2174] ? bpf_event_output (kernel/trace/bpf_trace.c:1881)
[ 70.089675][ T2174] ? __fget_light (arch/x86/include/asm/atomic.h:29 include/linux/atomic/atomic-instrumented.h:28 fs/file.c:1032)
[ 70.094129][ T2174] _perf_ioctl (kernel/events/core.c:5756)
[ 70.098408][ T2174] ? perf_event_set_bpf_prog (kernel/events/core.c:5690)
[ 70.103906][ T2174] ? mutex_lock (arch/x86/include/asm/atomic64_64.h:190 include/linux/atomic/atomic-long.h:443 include/linux/atomic/atomic-instrumented.h:1781 kernel/locking/mutex.c:168 kernel/locking/mutex.c:282)
[ 70.108187][ T2174] ? __mutex_lock_slowpath (kernel/locking/mutex.c:279)
[ 70.113337][ T2174] ? perf_event_ctx_lock_nested+0x12c/0x200
[ 70.120139][ T2174] ? put_ctx (kernel/events/core.c:1374)
[ 70.124249][ T2174] ? handle_mm_fault (mm/memory.c:4857)
[ 70.129050][ T2174] ? handle_mm_fault (mm/memory.c:4834)
[ 70.133676][ T2174] perf_ioctl (kernel/events/core.c:1406 kernel/events/core.c:5817)
[ 70.137696][ T2174] __x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:870 fs/ioctl.c:856 fs/ioctl.c:856)
[ 70.142327][ T2174] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[ 70.146607][ T2174] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115)
[ 70.152369][ T2174] RIP: 0033:0x7f844aea9427
[ 70.156653][ T2174] Code: 00 00 90 48 8b 05 69 aa 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 39 aa 0c 00 f7 d8 64 89 01 48
All code
========
0: 00 00 add %al,(%rax)
2: 90 nop
3: 48 8b 05 69 aa 0c 00 mov 0xcaa69(%rip),%rax # 0xcaa73
a: 64 c7 00 26 00 00 00 movl $0x26,%fs:(%rax)
11: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax
18: c3 retq
19: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
20: 00 00 00
23: b8 10 00 00 00 mov $0x10,%eax
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 retq
33: 48 8b 0d 39 aa 0c 00 mov 0xcaa39(%rip),%rcx # 0xcaa73
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W

Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 retq
9: 48 8b 0d 39 aa 0c 00 mov 0xcaa39(%rip),%rcx # 0xcaa49
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
[ 70.176164][ T2174] RSP: 002b:00007ffd5ed71ef8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[ 70.184450][ T2174] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f844aea9427
[ 70.192300][ T2174] RDX: 000000000000000d RSI: 0000000040042408 RDI: 000000000000000c
[ 70.200147][ T2174] RBP: 00007ffd5ed76220 R08: 0000000000000000 R09: 0000000000000000
[ 70.207994][ T2174] R10: 00007ffd5ed71891 R11: 0000000000000202 R12: 0000555a3a2b7230
[ 70.215842][ T2174] R13: 00007ffd5ed76300 R14: 0000000000000000 R15: 0000000000000000
[ 70.223691][ T2174] </TASK>
[ 70.226577][ T2174]
[ 70.228767][ T2174] Allocated by task 2174:
[ 70.232960][ T2174] kasan_save_stack (mm/kasan/common.c:39)
[ 70.237501][ T2174] __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515 mm/kasan/common.c:524)
[ 70.241953][ T2174] bpf_prog_array_copy (kernel/bpf/core.c:2450)
[ 70.246931][ T2174] perf_event_attach_bpf_prog (kernel/trace/bpf_trace.c:1910)
[ 70.252518][ T2174] _perf_ioctl (kernel/events/core.c:5756)
[ 70.256799][ T2174] perf_ioctl (kernel/events/core.c:1406 kernel/events/core.c:5817)
[ 70.260817][ T2174] __x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:870 fs/ioctl.c:856 fs/ioctl.c:856)
[ 70.265446][ T2174] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[ 70.269726][ T2174] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115)
[ 70.275488][ T2174]
[ 70.277677][ T2174] The buggy address belongs to the object at ffff88817807d300
[ 70.277677][ T2174] which belongs to the cache kmalloc-192 of size 192
[ 70.291618][ T2174] The buggy address is located 184 bytes inside of
[ 70.291618][ T2174] 192-byte region [ffff88817807d300, ffff88817807d3c0)
[ 70.304791][ T2174]
[ 70.306983][ T2174] The buggy address belongs to the physical page:
[ 70.313263][ T2174] page:000000004b26d25e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17807c
[ 70.323379][ T2174] head:000000004b26d25e order:1 compound_mapcount:0 compound_pincount:0
[ 70.331576][ T2174] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 70.339692][ T2174] raw: 0017ffffc0010200 0000000000000000 dead000000000122 ffff888100042a00
[ 70.348150][ T2174] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 70.356609][ T2174] page dumped because: kasan: bad access detected
[ 70.362891][ T2174]
[ 70.365080][ T2174] Memory state around the buggy address:
[ 70.370578][ T2174] ffff88817807d280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.378516][ T2174] ffff88817807d300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 70.386450][ T2174] >ffff88817807d380: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 70.394384][ T2174] ^
[ 70.400142][ T2174] ffff88817807d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 70.408078][ T2174] ffff88817807d480: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.416013][ T2174] ==================================================================
[ 70.423993][ T2174] Disabling lock debugging due to kernel taint
[ 70.431400][ T353] Unexpected error No space left on device
[ 70.431407][ T353]
[ 70.431947][ T351] Testing PERF_EVENT_IOC_QUERY_BPF ioctl... FAILED
[ 70.439300][ T351]
[ 70.459754][ T351] + tests/ioctl/ioctl_11_modify_attributes
[ 70.459760][ T351]
[ 70.469052][ T351] Testing ioctl(PERF_EVENT_IOC_MODIFY_ATTRIBUTES)... PASSED
[ 70.469058][ T351]
[ 70.479482][ T351]
[ 70.479486][ T351]
[ 70.484445][ T351] * Checking perf_event prctl calls
[ 70.484451][ T351]
[ 70.492071][ T351] + tests/prctl/prctl
[ 70.492076][ T351]
[ 70.499496][ T351] Testing prctl()... PASSED
[ 70.499502][ T351]
[ 70.510358][ T351] + tests/prctl/prctl_child
[ 70.510363][ T351]
[ 72.466761][ T351] Testing if prctl() affects attached events... PASSED
[ 72.466769][ T351]
[ 72.477708][ T351] + tests/prctl/prctl_parent
[ 72.477714][ T351]
[ 73.469301][ T351] Testing if prctl() affects remote attached events... PASSED
[ 73.469309][ T351]
[ 73.480226][ T351] + tests/prctl/prctl_inherit
[ 73.480231][ T351]
[ 75.471799][ T351] Testing if prctl() affects inherited events... PASSED
[ 75.471807][ T351]
[ 75.482753][ T351] + tests/prctl/prctl_attach
[ 75.482759][ T351]
[ 75.490845][ T351] Testing if prctl() affects attached events... PASSED
[ 75.490852][ T351]
[ 75.501288][ T351]
[ 75.501302][ T351]
[ 75.506142][ T351] * Checking error returns
[ 75.506148][ T351]
[ 75.513155][ T351] + tests/error_returns/e2big
[ 75.513160][ T351]
[ 75.605546][ T351] Testing E2BIG errors... PASSED
[ 75.605556][ T351]
[ 75.616488][ T351] + tests/error_returns/eacces
[ 75.616493][ T351]
[ 75.624768][ T351] Testing EACCES generation... PASSED
[ 75.624774][ T351]
[ 75.635721][ T351] + tests/error_returns/ebadf
[ 75.635727][ T351]
[ 75.644113][ T351] Testing EBADF generation... PASSED
[ 75.644119][ T351]


To reproduce:

git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
sudo bin/lkp install job.yaml # job file is attached in this email
bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
sudo bin/lkp run generated-yaml-file

# if you come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.



--
0-DAY CI Kernel Test Service
https://01.org/lkp
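Reading the report above: the write of size 8 lands at ffff88817807d3b8, which is offset 184 into a kmalloc-192 object allocated in bpf_prog_array_copy (core.c:2450). The shadow lines show the object's usable size is exactly 184 bytes (sixteen 00 granules on the d300 line, seven more on the d380 line, then fc, the kmalloc redzone marker), so the faulting store is the first 8 bytes past the allocation: the fill pass of the copy wrote one more item slot than the count pass sized. The patch itself is not on this page, so the exact cause is not shown here; the code below is an added userspace model of the invariant involved, not kernel code and not the RFC patch. It reimplements the two-pass shape of bpf_prog_array_copy (count survivors, allocate count+1, fill, store the NULL terminator) with a priority-ordered insert, using a hypothetical `prio` field in place of whatever the RFC adds and a bounds check on every store that plays the role KASAN played in the report. It omits the kernel's dummy-prog handling. `kasan_usable_bytes` decodes shadow bytes the way the "Memory state" section is read, and is applied to the shadow bytes quoted in the report.

```c
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Minimal stand-ins for the kernel structs. 'prio' is a hypothetical field
 * standing for the priority the RFC patch adds; real layouts differ. */
struct prog { int id; int prio; };
struct item { struct prog *prog; uint64_t cookie; };
struct prog_array {
	size_t alloc_cnt;          /* slots allocated, including the NULL terminator */
	struct item items[];
};

static struct prog_array *prog_array_alloc(size_t cnt)
{
	struct prog_array *a = calloc(1, sizeof(*a) + cnt * sizeof(struct item));
	if (a)
		a->alloc_cnt = cnt;
	return a;
}

/* Every store is bounds-checked here; the kernel has no such check, which is
 * why the stray store at core.c:2472 was only caught by KASAN. */
static void item_store(struct prog_array *a, size_t idx, struct prog *p, uint64_t cookie)
{
	assert(idx < a->alloc_cnt);
	a->items[idx].prog = p;
	a->items[idx].cookie = cookie;
}

size_t prog_array_len(const struct prog_array *a)
{
	size_t n = 0;
	while (a && a->items[n].prog)
		n++;
	return n;
}

/* Copy 'old' (NULL or NULL-terminated) into a fresh array, dropping 'exclude'
 * and inserting 'include' before the first carried entry with a larger prio. */
int prog_array_copy(struct prog_array *old, struct prog *exclude,
		    struct prog *include, uint64_t cookie, struct prog_array **out)
{
	size_t carry = 0, n, w = 0, i;
	bool found_exclude = false, inserted = false;
	struct prog_array *arr;

	/* Pass 1: count survivors; the allocation size is derived from this. */
	for (i = 0; old && old->items[i].prog; i++) {
		if (old->items[i].prog == exclude) {
			found_exclude = true;
			continue;
		}
		if (old->items[i].prog == include)
			return -EEXIST;
		carry++;
	}
	if (exclude && !found_exclude)
		return -ENOENT;

	n = carry + (include ? 1 : 0);
	if (n == 0) {
		*out = NULL;
		return 0;
	}
	arr = prog_array_alloc(n + 1);   /* +1 for the NULL terminator */
	if (!arr)
		return -ENOMEM;

	/* Pass 2: must emit exactly n entries, or the terminator store overflows. */
	for (i = 0; old && old->items[i].prog; i++) {
		struct item *it = &old->items[i];
		if (it->prog == exclude)
			continue;
		if (include && !inserted && it->prog->prio > include->prio) {
			item_store(arr, w++, include, cookie);
			inserted = true;
		}
		item_store(arr, w++, it->prog, it->cookie);
	}
	if (include && !inserted)
		item_store(arr, w++, include, cookie);
	assert(w == n);                  /* the invariant the report shows broken */
	item_store(arr, w, NULL, 0);
	*out = arr;
	return 0;
}

/* Decode KASAN shadow bytes for one object: 00 = 8 addressable bytes,
 * 01..07 = that many in a partial granule, anything else (fc redzone) ends it. */
size_t kasan_usable_bytes(const uint8_t *shadow, size_t n)
{
	size_t bytes = 0, i;
	for (i = 0; i < n; i++) {
		if (shadow[i] == 0x00) { bytes += 8; continue; }
		if (shadow[i] < 8) bytes += shadow[i];
		break;
	}
	return bytes;
}
```

Fed the 24 shadow bytes quoted for the object at ffff88817807d300, `kasan_usable_bytes` returns 184, matching "184 bytes inside of" in the report; the `assert(w == n)` before the terminator store is the cheapest place to catch a count/fill mismatch in a two-pass copy like this one before it reaches the allocator's redzone.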



Attachments:
(No filename) (10.94 kB)
config-5.17.0-13513-geb7c103fbf74 (169.84 kB)
job-script (5.87 kB)
dmesg.xz (32.41 kB)
perf-event-tests (60.82 kB)
job.yaml (4.82 kB)
reproduce (16.00 B)