Hello,
syzbot found the following issue on:
HEAD commit: 317c7bc0ef03 Merge tag 'mmc-v6.9-rc1' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1060bd41180000
kernel config: https://syzkaller.appspot.com/x/.config?x=43f1e0cbdb852271
dashboard link: https://syzkaller.appspot.com/bug?extid=186522670e6722692d86
compiler: arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15751129180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10136341180000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/8ead8862021c/non_bootable_disk-317c7bc0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/49458dc4ddf2/vmlinux-317c7bc0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/031f516e5544/zImage-317c7bc0.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
8<--- cut here ---
Unable to handle kernel paging request at virtual address ffffffe9 when write
[ffffffe9] *pgd=80000080007003, *pmd=deffd003, *pte=00000000
Internal error: Oops: a07 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 1 PID: 3001 Comm: syz-executor291 Not tainted 6.9.0-rc1-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at copy_from_kernel_nofault mm/maccess.c:38 [inline]
PC is at copy_from_kernel_nofault+0xb8/0x12c mm/maccess.c:24
LR is at copy_from_kernel_nofault+0x24/0x12c mm/maccess.c:31
pc : [<804361f0>] lr : [<8043615c>] psr: a0000013
sp : df96dc90 ip : df96dc90 fp : df96dcac
r10: 00000000 r9 : df96dd40 r8 : ffffffe9
r7 : 83d33c00 r6 : 00000005 r5 : ffffffe9 r4 : ffffffe9
r3 : fffffff2 r2 : 00000000 r1 : 00000005 r0 : 00000001
Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 30c5387d Table: 8434d080 DAC: 00000000
Register r0 information: non-paged memory
Register r1 information: non-paged memory
Register r2 information: NULL pointer
Register r3 information: non-paged memory
Register r4 information: non-paged memory
Register r5 information: non-paged memory
Register r6 information: non-paged memory
Register r7 information: slab task_struct start 83d33c00 pointer offset 0 size 3072
Register r8 information: non-paged memory
Register r9 information: 2-page vmalloc region starting at 0xdf96c000 allocated at kernel_clone+0xac/0x3cc kernel/fork.c:2796
Register r10 information: NULL pointer
Register r11 information: 2-page vmalloc region starting at 0xdf96c000 allocated at kernel_clone+0xac/0x3cc kernel/fork.c:2796
Register r12 information: 2-page vmalloc region starting at 0xdf96c000 allocated at kernel_clone+0xac/0x3cc kernel/fork.c:2796
Process syz-executor291 (pid: 3001, stack limit = 0xdf96c000)
Stack: (0xdf96dc90 to 0xdf96e000)
dc80: df96ddb8 ffffffe9 00000005 ffffffff
dca0: df96dccc df96dcb0 8037c428 80436144 df96ddb8 00000000 8037c40c ffffffff
dcc0: df96dd64 df96dcd0 7f011aa0 8037c418 ffffffe9 df96dd40 802ff648 81182b54
dce0: df96dd64 df96dd30 35702575 00000000 828c0a94 40000013 00000000 00000000
dd00: df96dcf0 00000000 df96dd74 df96dd18 df96dd2c df96dd20 81182b64 81898a78
dd20: df96dd64 df96dd30 802ff648 81182b54 ffffffe9 df96dd40 00000005 00000000
dd40: df96ddb8 00000000 df969000 842879c0 df969030 df96de30 df96ddfc df96dd68
dd60: 8149c734 7f011a00 804d0184 8089c164 00000000 83d33c00 804b4cdc 804d0124
dd80: 8260ca3c df96de30 00000001 df96de2c 80468494 00000000 df96ddb8 00000000
dda0: 00000001 00000000 19df2b20 00000014 00000000 00000000 df969000 00000000
ddc0: 00000000 00000000 84497800 f655f23e df96ddfc 842879c0 00000000 df96dec0
dde0: 83f79c00 84497800 00000000 0000000e df96de64 df96de00 8149d6a0 8149c5d0
de00: df96de30 00000000 00000000 df96de98 20000080 00000000 df969000 00000000
de20: 828ffe80 82fe0000 8051cdd4 00000000 00000000 f655f23e 80395130 df969000
de40: 00000028 df96de98 0000000a 20000080 00000028 00000000 df96df8c df96de68
de60: 8039c858 8149d388 81c66394 84342c0c fcd9275f 00a00000 20000000 83d33c00
de80: df96dee0 df96dfb0 df96dea4 df96de98 8089c348 df96dee0 20000080 00000000
dea0: 83d33c00 df96ded0 00000008 00000000 00000008 80426e10 df96deec df96dec8
dec0: 00000003 02000000 0000000e 00000055 20000140 00000000 20000380 00000000
dee0: 00000000 04000000 00000000 00000000 00000000 00000000 00000000 00000000
df00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
df20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
df40: 00000000 00000000 00000000 00000000 00000000 00000000 20000000 f655f23e
df60: 80216078 ffffffff 00000000 0008e050 00000182 80200288 83d33c00 00000182
df80: df96dfa4 df96df90 8039dd98 8039b934 20000080 00000000 00000000 df96dfa8
dfa0: 80200060 8039dd78 ffffffff 00000000 0000000a 20000080 00000028 00000000
dfc0: ffffffff 00000000 0008e050 00000182 20000100 00000000 00000001 00003a97
dfe0: 7ec66c70 7ec66c60 00010748 0002e890 00000010 0000000a 00000000 00000000
Call trace:
[<80436138>] (copy_from_kernel_nofault) from [<8037c428>] (bpf_probe_read_kernel_common include/linux/bpf.h:2909 [inline])
[<80436138>] (copy_from_kernel_nofault) from [<8037c428>] (____bpf_probe_read_kernel kernel/trace/bpf_trace.c:240 [inline])
[<80436138>] (copy_from_kernel_nofault) from [<8037c428>] (bpf_probe_read_kernel+0x1c/0x44 kernel/trace/bpf_trace.c:237)
r7:ffffffff r6:00000005 r5:ffffffe9 r4:df96ddb8
[<8037c40c>] (bpf_probe_read_kernel) from [<7f011aa0>] (bpf_prog_244768d4818575ac+0xac/0xc0)
r7:ffffffff r6:8037c40c r5:00000000 r4:df96ddb8
[<7f0119f4>] (bpf_prog_244768d4818575ac) from [<8149c734>] (bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline])
[<7f0119f4>] (bpf_prog_244768d4818575ac) from [<8149c734>] (__bpf_prog_run include/linux/filter.h:657 [inline])
[<7f0119f4>] (bpf_prog_244768d4818575ac) from [<8149c734>] (bpf_prog_run include/linux/filter.h:664 [inline])
[<7f0119f4>] (bpf_prog_244768d4818575ac) from [<8149c734>] (bpf_test_run+0x170/0x388 net/bpf/test_run.c:425)
r9:df96de30 r8:df969030 r7:842879c0 r6:df969000 r5:00000000 r4:df96ddb8
[<8149c5c4>] (bpf_test_run) from [<8149d6a0>] (bpf_prog_test_run_skb+0x324/0x6cc net/bpf/test_run.c:1058)
r10:0000000e r9:00000000 r8:84497800 r7:83f79c00 r6:df96dec0 r5:00000000
r4:842879c0
[<8149d37c>] (bpf_prog_test_run_skb) from [<8039c858>] (bpf_prog_test_run kernel/bpf/syscall.c:4240 [inline])
[<8149d37c>] (bpf_prog_test_run_skb) from [<8039c858>] (__sys_bpf+0xf30/0x1ef0 kernel/bpf/syscall.c:5649)
r10:00000000 r9:00000028 r8:20000080 r7:0000000a r6:df96de98 r5:00000028
r4:df969000
[<8039b928>] (__sys_bpf) from [<8039dd98>] (__do_sys_bpf kernel/bpf/syscall.c:5738 [inline])
[<8039b928>] (__sys_bpf) from [<8039dd98>] (sys_bpf+0x2c/0x48 kernel/bpf/syscall.c:5736)
r10:00000182 r9:83d33c00 r8:80200288 r7:00000182 r6:0008e050 r5:00000000
r4:ffffffff
[<8039dd6c>] (sys_bpf) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:66)
Exception stack(0xdf96dfa8 to 0xdf96dff0)
dfa0: ffffffff 00000000 0000000a 20000080 00000028 00000000
dfc0: ffffffff 00000000 0008e050 00000182 20000100 00000000 00000001 00003a97
dfe0: 7ec66c70 7ec66c60 00010748 0002e890
Code: 9a000007 e3a03000 e4942000 e3530000 (e5852000)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 9a000007 bls 0x24
4: e3a03000 mov r3, #0
8: e4942000 ldr r2, [r4], #0
c: e3530000 cmp r3, #0
* 10: e5852000 str r2, [r5] <-- trapping instruction
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
On Mon, 01 Apr 2024 22:19:25 -0700 syzbot <[email protected]> wrote:
> Hello,
Thanks. Cc: [email protected]
On Wed, Apr 3, 2024 at 6:56 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>
> On Mon, 01 Apr 2024 22:19:25 -0700 syzbot <[email protected]> wrote:
>
> > Hello,
>
> Thanks. Cc: [email protected]
I suspect the issue is not on bpf side.
Looks like the bug is somewhere in arm32 bits.
copy_from_kernel_nofault() is called from lots of places.
bpf is just one user that is easy for syzbot to fuzz.
Interestingly arm defines copy_from_kernel_nofault_allowed()
that should have filtered out user addresses.
In this case ffffffe9 is probably a kernel address?
But the kernel is doing a write?
Which makes no sense, since copy_from_kernel_nofault is probe reading.
arm folks,
pls take a look.
On Thu, Apr 04, 2024 at 03:57:04PM -0700, Alexei Starovoitov wrote:
> On Wed, Apr 3, 2024 at 6:56 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> >
> > On Mon, 01 Apr 2024 22:19:25 -0700 syzbot <[email protected]> wrote:
> >
> > > Hello,
> >
> > Thanks. Cc: [email protected]
>
> I suspect the issue is not on bpf side.
> Looks like the bug is somewhere in arm32 bits.
> copy_from_kernel_nofault() is called from lots of places.
> bpf is just one user that is easy for syzbot to fuzz.
> Interestingly arm defines copy_from_kernel_nofault_allowed()
> that should have filtered out user addresses.
> In this case ffffffe9 is probably a kernel address?
It's at the end of the kernel range, and it's ERR_PTR(-EINVAL).
0xffffffe9 is -0x16, which is -22, which is -EINVAL.
> But the kernel is doing a write?
> Which makes no sense, since copy_from_kernel_nofault is probe reading.
It makes perfect sense; the read from 'src' happened, then the kernel tries to
write the result to 'dst', and that aligns with the disassembly in the report
below, which I believe is:
8: e4942000 ldr r2, [r4], #0 <-- Read of 'src', fault fixup is elsewhere
c: e3530000 cmp r3, #0
* 10: e5852000 str r2, [r5] <-- Write to 'dst'
As above, it looks like 'dst' is ERR_PTR(-EINVAL).
Are you certain that BPF is passing a sane value for 'dst'? Where does that
come from in the first place?
Mark.
> arm folks,
> pls take a look.
>
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: 317c7bc0ef03 Merge tag 'mmc-v6.9-rc1' of git://git.kernel...
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=1060bd41180000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=43f1e0cbdb852271
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=186522670e6722692d86
> > > compiler: arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > > userspace arch: arm
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15751129180000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10136341180000
> > >
> > > Downloadable assets:
> > > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/8ead8862021c/non_bootable_disk-317c7bc0.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/49458dc4ddf2/vmlinux-317c7bc0.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/031f516e5544/zImage-317c7bc0.xz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: [email protected]
> > >
> > > 8<--- cut here ---
> > > Unable to handle kernel paging request at virtual address ffffffe9 when write
> > > [ffffffe9] *pgd=80000080007003, *pmd=deffd003, *pte=00000000
> > > Internal error: Oops: a07 [#1] PREEMPT SMP ARM
> > > Modules linked in:
> > > CPU: 1 PID: 3001 Comm: syz-executor291 Not tainted 6.9.0-rc1-syzkaller #0
> > > Hardware name: ARM-Versatile Express
> > > PC is at copy_from_kernel_nofault mm/maccess.c:38 [inline]
> > > PC is at copy_from_kernel_nofault+0xb8/0x12c mm/maccess.c:24
> > > LR is at copy_from_kernel_nofault+0x24/0x12c mm/maccess.c:31
> > > pc : [<804361f0>] lr : [<8043615c>] psr: a0000013
> > > sp : df96dc90 ip : df96dc90 fp : df96dcac
> > > r10: 00000000 r9 : df96dd40 r8 : ffffffe9
> > > r7 : 83d33c00 r6 : 00000005 r5 : ffffffe9 r4 : ffffffe9
> > > r3 : fffffff2 r2 : 00000000 r1 : 00000005 r0 : 00000001
> > > Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
> > > Control: 30c5387d Table: 8434d080 DAC: 00000000
> > > Register r0 information: non-paged memory
> > > Register r1 information: non-paged memory
> > > Register r2 information: NULL pointer
> > > Register r3 information: non-paged memory
> > > Register r4 information: non-paged memory
> > > Register r5 information: non-paged memory
> > > Register r6 information: non-paged memory
> > > Register r7 information: slab task_struct start 83d33c00 pointer offset 0 size 3072
> > > Register r8 information: non-paged memory
> > > Register r9 information: 2-page vmalloc region starting at 0xdf96c000 allocated at kernel_clone+0xac/0x3cc kernel/fork.c:2796
> > > Register r10 information: NULL pointer
> > > Register r11 information: 2-page vmalloc region starting at 0xdf96c000 allocated at kernel_clone+0xac/0x3cc kernel/fork.c:2796
> > > Register r12 information: 2-page vmalloc region starting at 0xdf96c000 allocated at kernel_clone+0xac/0x3cc kernel/fork.c:2796
> > > Process syz-executor291 (pid: 3001, stack limit = 0xdf96c000)
> > > Stack: (0xdf96dc90 to 0xdf96e000)
> > > Call trace:
> > > [<80436138>] (copy_from_kernel_nofault) from [<8037c428>] (bpf_probe_read_kernel_common include/linux/bpf.h:2909 [inline])
> > > [<80436138>] (copy_from_kernel_nofault) from [<8037c428>] (____bpf_probe_read_kernel kernel/trace/bpf_trace.c:240 [inline])
> > > [<80436138>] (copy_from_kernel_nofault) from [<8037c428>] (bpf_probe_read_kernel+0x1c/0x44 kernel/trace/bpf_trace.c:237)
> > > r7:ffffffff r6:00000005 r5:ffffffe9 r4:df96ddb8
> > > [<8037c40c>] (bpf_probe_read_kernel) from [<7f011aa0>] (bpf_prog_244768d4818575ac+0xac/0xc0)
> > > r7:ffffffff r6:8037c40c r5:00000000 r4:df96ddb8
> > > [<7f0119f4>] (bpf_prog_244768d4818575ac) from [<8149c734>] (bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline])
> > > [<7f0119f4>] (bpf_prog_244768d4818575ac) from [<8149c734>] (__bpf_prog_run include/linux/filter.h:657 [inline])
> > > [<7f0119f4>] (bpf_prog_244768d4818575ac) from [<8149c734>] (bpf_prog_run include/linux/filter.h:664 [inline])
> > > [<7f0119f4>] (bpf_prog_244768d4818575ac) from [<8149c734>] (bpf_test_run+0x170/0x388 net/bpf/test_run.c:425)
> > > r9:df96de30 r8:df969030 r7:842879c0 r6:df969000 r5:00000000 r4:df96ddb8
> > > [<8149c5c4>] (bpf_test_run) from [<8149d6a0>] (bpf_prog_test_run_skb+0x324/0x6cc net/bpf/test_run.c:1058)
> > > r10:0000000e r9:00000000 r8:84497800 r7:83f79c00 r6:df96dec0 r5:00000000
> > > r4:842879c0
> > > [<8149d37c>] (bpf_prog_test_run_skb) from [<8039c858>] (bpf_prog_test_run kernel/bpf/syscall.c:4240 [inline])
> > > [<8149d37c>] (bpf_prog_test_run_skb) from [<8039c858>] (__sys_bpf+0xf30/0x1ef0 kernel/bpf/syscall.c:5649)
> > > r10:00000000 r9:00000028 r8:20000080 r7:0000000a r6:df96de98 r5:00000028
> > > r4:df969000
> > > [<8039b928>] (__sys_bpf) from [<8039dd98>] (__do_sys_bpf kernel/bpf/syscall.c:5738 [inline])
> > > [<8039b928>] (__sys_bpf) from [<8039dd98>] (sys_bpf+0x2c/0x48 kernel/bpf/syscall.c:5736)
> > > r10:00000182 r9:83d33c00 r8:80200288 r7:00000182 r6:0008e050 r5:00000000
> > > r4:ffffffff
> > > [<8039dd6c>] (sys_bpf) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:66)
> > > Exception stack(0xdf96dfa8 to 0xdf96dff0)
> > > dfa0: ffffffff 00000000 0000000a 20000080 00000028 00000000
> > > dfc0: ffffffff 00000000 0008e050 00000182 20000100 00000000 00000001 00003a97
> > > dfe0: 7ec66c70 7ec66c60 00010748 0002e890
> > > Code: 9a000007 e3a03000 e4942000 e3530000 (e5852000)
> > > ---[ end trace 0000000000000000 ]---
> > > ----------------
> > > Code disassembly (best guess):
> > > 0: 9a000007 bls 0x24
> > > 4: e3a03000 mov r3, #0
> > > 8: e4942000 ldr r2, [r4], #0
> > > c: e3530000 cmp r3, #0
> > > * 10: e5852000 str r2, [r5] <-- trapping instruction
> > >
> > >
> > > ---
> > > This report is generated by a bot. It may contain errors.
> > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > syzbot engineers can be reached at [email protected].
> > >
> > > syzbot will keep track of this issue. See:
> > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > >
> > > If the report is already addressed, let syzbot know by replying with:
> > > #syz fix: exact-commit-title
> > >
> > > If you want syzbot to run the reproducer, reply with:
> > > #syz test: git://repo/address.git branch-or-commit-hash
> > > If you attach or paste a git patch, syzbot will apply it before testing.
> > >
> > > If you want to overwrite report's subsystems, reply with:
> > > #syz set subsystems: new-subsystem
> > > (See the list of subsystem names on the web dashboard)
> > >
> > > If the report is a duplicate of another one, reply with:
> > > #syz dup: exact-subject-of-another-report
> > >
> > > If you want to undo deduplication, reply with:
> > > #syz undup
> >
>
On Fri, Apr 05, 2024 at 12:02:36PM +0100, Mark Rutland wrote:
> On Thu, Apr 04, 2024 at 03:57:04PM -0700, Alexei Starovoitov wrote:
> > > On Wed, Apr 3, 2024 at 6:56 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> > >
> > > On Mon, 01 Apr 2024 22:19:25 -0700 syzbot <[email protected]> wrote:
> > >
> > > > Hello,
> > >
> > > Thanks. Cc: [email protected]
> >
> > I suspect the issue is not on bpf side.
> > Looks like the bug is somewhere in arm32 bits.
> > copy_from_kernel_nofault() is called from lots of places.
> > bpf is just one user that is easy for syzbot to fuzz.
> > Interestingly arm defines copy_from_kernel_nofault_allowed()
> > that should have filtered out user addresses.
> > In this case ffffffe9 is probably a kernel address?
>
> It's at the end of the kernel range, and it's ERR_PTR(-EINVAL).
>
> 0xffffffe9 is -0x16, which is -22, which is -EINVAL.
>
> > But the kernel is doing a write?
> > Which makes no sense, since copy_from_kernel_nofault is probe reading.
>
> It makes perfect sense; the read from 'src' happened, then the kernel tries to
> write the result to 'dst', and that aligns with the disassembly in the report
> below, which I believe is:
>
> 8: e4942000 ldr r2, [r4], #0 <-- Read of 'src', fault fixup is elsewhere
> c: e3530000 cmp r3, #0
> * 10: e5852000 str r2, [r5] <-- Write to 'dst'
>
> As above, it looks like 'dst' is ERR_PTR(-EINVAL).
>
> Are you certain that BPF is passing a sane value for 'dst'? Where does that
> come from in the first place?
It looks to me like it gets passed in from the BPF program, and the
"type" for the argument is set to ARG_PTR_TO_UNINIT_MEM. What that
means for validation purposes, I've no idea, I'm not a BPF hacker.
Obviously, if BPF is allowing copy_from_kernel_nofault() to be passed
an arbitrary destination address, that would be a huge security hole.
So I think BPF folk need to urgently state what checks are done on
the destination value for _any_ function that BPF can call which
writes to memory.
--
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
On Fri, Apr 5, 2024 at 4:36 AM Russell King (Oracle)
<[email protected]> wrote:
>
> On Fri, Apr 05, 2024 at 12:02:36PM +0100, Mark Rutland wrote:
> > On Thu, Apr 04, 2024 at 03:57:04PM -0700, Alexei Starovoitov wrote:
> > > > On Wed, Apr 3, 2024 at 6:56 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> > > >
> > > > On Mon, 01 Apr 2024 22:19:25 -0700 syzbot <[email protected]> wrote:
> > > >
> > > > > Hello,
> > > >
> > > > Thanks. Cc: [email protected]
> > >
> > > I suspect the issue is not on bpf side.
> > > Looks like the bug is somewhere in arm32 bits.
> > > copy_from_kernel_nofault() is called from lots of places.
> > > bpf is just one user that is easy for syzbot to fuzz.
> > > Interestingly arm defines copy_from_kernel_nofault_allowed()
> > > that should have filtered out user addresses.
> > > In this case ffffffe9 is probably a kernel address?
> >
> > It's at the end of the kernel range, and it's ERR_PTR(-EINVAL).
> >
> > 0xffffffe9 is -0x16, which is -22, which is -EINVAL.
> >
> > > But the kernel is doing a write?
> > > Which makes no sense, since copy_from_kernel_nofault is probe reading.
> >
> > It makes perfect sense; the read from 'src' happened, then the kernel tries to
> > write the result to 'dst', and that aligns with the disassembly in the report
> > below, which I believe is:
> >
> > 8: e4942000 ldr r2, [r4], #0 <-- Read of 'src', fault fixup is elsewhere
> > c: e3530000 cmp r3, #0
> > * 10: e5852000 str r2, [r5] <-- Write to 'dst'
> >
> > As above, it looks like 'dst' is ERR_PTR(-EINVAL).
> >
> > Are you certain that BPF is passing a sane value for 'dst'? Where does that
> > come from in the first place?
>
> It looks to me like it gets passed in from the BPF program, and the
> "type" for the argument is set to ARG_PTR_TO_UNINIT_MEM. What that
> means for validation purposes, I've no idea, I'm not a BPF hacker.
>
> Obviously, if BPF is allowing copy_from_kernel_nofault() to be passed
> an arbitrary destination address, that would be a huge security hole.
If that's the case that's indeed a giant security hole,
but I doubt it. We would be crashing other archs as well.
I cannot really tell whether arm32 JIT is on.
If it is, it's likely a bug there.
Puranjay,
could you please take a look.
On Fri, Apr 5, 2024 at 9:30 AM Alexei Starovoitov
<[email protected]> wrote:
>
> On Fri, Apr 5, 2024 at 4:36 AM Russell King (Oracle)
> <[email protected]> wrote:
> >
> > On Fri, Apr 05, 2024 at 12:02:36PM +0100, Mark Rutland wrote:
> > > On Thu, Apr 04, 2024 at 03:57:04PM -0700, Alexei Starovoitov wrote:
> > > > > On Wed, Apr 3, 2024 at 6:56 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> > > > >
> > > > > On Mon, 01 Apr 2024 22:19:25 -0700 syzbot <[email protected]> wrote:
> > > > >
> > > > > > Hello,
> > > > >
> > > > > Thanks. Cc: [email protected]
> > > >
> > > > I suspect the issue is not on bpf side.
> > > > Looks like the bug is somewhere in arm32 bits.
> > > > copy_from_kernel_nofault() is called from lots of places.
> > > > bpf is just one user that is easy for syzbot to fuzz.
> > > > Interestingly arm defines copy_from_kernel_nofault_allowed()
> > > > that should have filtered out user addresses.
> > > > In this case ffffffe9 is probably a kernel address?
> > >
> > > It's at the end of the kernel range, and it's ERR_PTR(-EINVAL).
> > >
> > > 0xffffffe9 is -0x16, which is -22, which is -EINVAL.
> > >
> > > > But the kernel is doing a write?
> > > > Which makes no sense, since copy_from_kernel_nofault is probe reading.
> > >
> > > It makes perfect sense; the read from 'src' happened, then the kernel tries to
> > > write the result to 'dst', and that aligns with the disassembly in the report
> > > below, which I believe is:
> > >
> > > 8: e4942000 ldr r2, [r4], #0 <-- Read of 'src', fault fixup is elsewhere
> > > c: e3530000 cmp r3, #0
> > > * 10: e5852000 str r2, [r5] <-- Write to 'dst'
> > >
> > > As above, it looks like 'dst' is ERR_PTR(-EINVAL).
> > >
> > > Are you certain that BPF is passing a sane value for 'dst'? Where does that
> > > come from in the first place?
> >
> > It looks to me like it gets passed in from the BPF program, and the
> > "type" for the argument is set to ARG_PTR_TO_UNINIT_MEM. What that
> > means for validation purposes, I've no idea, I'm not a BPF hacker.
> >
> > Obviously, if BPF is allowing copy_from_kernel_nofault() to be passed
> > an arbitrary destination address, that would be a huge security hole.
>
> If that's the case that's indeed a giant security hole,
> but I doubt it. We would be crashing other archs as well.
> I cannot really tell whether arm32 JIT is on.
> If it is, it's likely a bug there.
> Puranjay,
> could you please take a look.
>
I dumped the BPF program that repro.c is loading, it works on x86-64
and there is nothing special there. We are probe-reading 5 bytes from
somewhere into the stack. Everything is unaligned here, but stays
within a well-defined memory slot.
Note the r3 = (s8)r1, that's a new-ish thing, maybe bug is somewhere
there (but then it would be JIT, not verifier itself)
0: (7a) *(u64 *)(r10 -8) = 896542069
1: (bf) r1 = r10
2: (07) r1 += -7
3: (b7) r2 = 5
4: (bf) r3 = (s8)r1
5: (85) call bpf_probe_read_kernel#-72390
6: (b7) r0 = 0
7: (95) exit
On Fri, Apr 05, 2024 at 10:50:30AM -0700, Andrii Nakryiko wrote:
> On Fri, Apr 5, 2024 at 9:30 AM Alexei Starovoitov
> <[email protected]> wrote:
> >
> > On Fri, Apr 5, 2024 at 4:36 AM Russell King (Oracle)
> > <[email protected]> wrote:
> > >
> > > On Fri, Apr 05, 2024 at 12:02:36PM +0100, Mark Rutland wrote:
> > > > On Thu, Apr 04, 2024 at 03:57:04PM -0700, Alexei Starovoitov wrote:
> > > > > > On Wed, Apr 3, 2024 at 6:56 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> > > > > >
> > > > > > On Mon, 01 Apr 2024 22:19:25 -0700 syzbot <[email protected]> wrote:
> > > > > >
> > > > > > > Hello,
> > > > > >
> > > > > > Thanks. Cc: [email protected]
> > > > >
> > > > > I suspect the issue is not on bpf side.
> > > > > Looks like the bug is somewhere in arm32 bits.
> > > > > copy_from_kernel_nofault() is called from lots of places.
> > > > > bpf is just one user that is easy for syzbot to fuzz.
> > > > > Interestingly arm defines copy_from_kernel_nofault_allowed()
> > > > > that should have filtered out user addresses.
> > > > > In this case ffffffe9 is probably a kernel address?
> > > >
> > > > It's at the end of the kernel range, and it's ERR_PTR(-EINVAL).
> > > >
> > > > 0xffffffe9 is -0x16, which is -22, which is -EINVAL.
> > > >
> > > > > But the kernel is doing a write?
> > > > > Which makes no sense, since copy_from_kernel_nofault is probe reading.
> > > >
> > > > It makes perfect sense; the read from 'src' happened, then the kernel tries to
> > > > write the result to 'dst', and that aligns with the disassembly in the report
> > > > below, which I believe is:
> > > >
> > > > 8: e4942000 ldr r2, [r4], #0 <-- Read of 'src', fault fixup is elsewhere
> > > > c: e3530000 cmp r3, #0
> > > > * 10: e5852000 str r2, [r5] <-- Write to 'dst'
> > > >
> > > > As above, it looks like 'dst' is ERR_PTR(-EINVAL).
> > > >
> > > > Are you certain that BPF is passing a sane value for 'dst'? Where does that
> > > > come from in the first place?
> > >
> > > It looks to me like it gets passed in from the BPF program, and the
> > > "type" for the argument is set to ARG_PTR_TO_UNINIT_MEM. What that
> > > means for validation purposes, I've no idea, I'm not a BPF hacker.
> > >
> > > Obviously, if BPF is allowing copy_from_kernel_nofault() to be passed
> > > an arbitrary destination address, that would be a huge security hole.
> >
> > If that's the case that's indeed a giant security hole,
> > but I doubt it. We would be crashing other archs as well.
> > I cannot really tell whether arm32 JIT is on.
> > If it is, it's likely a bug there.
> > Puranjay,
> > could you please take a look.
> >
>
> I dumped the BPF program that repro.c is loading, it works on x86-64
> and there is nothing special there. We are probe-reading 5 bytes from
> somewhere into the stack. Everything is unaligned here, but stays
> within a well-defined memory slot.
>
> Note the r3 = (s8)r1, that's a new-ish thing, maybe bug is somewhere
> there (but then it would be JIT, not verifier itself)
>
> 0: (7a) *(u64 *)(r10 -8) = 896542069
> 1: (bf) r1 = r10
> 2: (07) r1 += -7
> 3: (b7) r2 = 5
> 4: (bf) r3 = (s8)r1
> 5: (85) call bpf_probe_read_kernel#-72390
Before jumping to conclusions, let's try to unravel what's going on
here.
We're calling bpf_probe_read_kernel(), and the arguments to this are:
void *dst ; r1
u32 size ; r2
const void *unsafe_ptr ; r3
The problem that has been reported is the _store_ in
copy_from_kernel_nofault(). Thus it's the destination pointer that's
the problem, and thus that is the value that ends up in r1.
What we can also see in the dump is that the address being read from
is the same as the address being written, and these are both
0xffffffe9 or -22. This would mean that both r3 and r1 contain the
same value.
Unwinding the code further, r1 comes from r10 - 7. So r10 probably
was -15.
Neither of these are valid stack addresses on 32-bit ARM.
Now, to repeat the same question. Is the BPF JIT on for this test?
This is a crucial piece of information, because it tells us whether
we need to look at the JIT or whether there's a problem with the
BPF interpreter. Please answer this question.
The next question to BPF people is... what is r10? Is that supposed
to be the read-only frame pointer? If so, why is it called r10 and
not something more readable? I'm guessing that the definition is
BPF_REG_FP, but I'm grasping at straws here (BPF people, fix your
debug so people who don't know BPF inside out can understand it!)
If the BPF JIT is being used, I think the next thing which needs to
happen is that the BPF JIT debug needs to be enabled. If
/proc/sys/net/core/bpf_jit_enable contains a value greater than 1,
then the ARM assembly will be hexdumped. One of the annoying things
is going to be piecing the hexdump together, converting it into a
form that can then be turned into a binary file, to then be
disassembled by objdump.
"Russell King (Oracle)" <[email protected]> writes:
> On Fri, Apr 05, 2024 at 10:50:30AM -0700, Andrii Nakryiko wrote:
>> On Fri, Apr 5, 2024 at 9:30 AM Alexei Starovoitov
>> <[email protected]> wrote:
>> >
>> > On Fri, Apr 5, 2024 at 4:36 AM Russell King (Oracle)
>> > <[email protected]> wrote:
>> > >
>> > > On Fri, Apr 05, 2024 at 12:02:36PM +0100, Mark Rutland wrote:
>> > > > On Thu, Apr 04, 2024 at 03:57:04PM -0700, Alexei Starovoitov wrote:
>> > > > > > On Wed, Apr 3, 2024 at 6:56 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>> > > > > >
>> > > > > > On Mon, 01 Apr 2024 22:19:25 -0700 syzbot <[email protected]> wrote:
>> > > > > >
>> > > > > > > Hello,
>> > > > > >
>> > > > > > Thanks. Cc: [email protected]
>> > > > >
>> > > > > I suspect the issue is not on bpf side.
>> > > > > Looks like the bug is somewhere in arm32 bits.
>> > > > > copy_from_kernel_nofault() is called from lots of places.
>> > > > > bpf is just one user that is easy for syzbot to fuzz.
>> > > > > Interestingly arm defines copy_from_kernel_nofault_allowed()
>> > > > > that should have filtered out user addresses.
>> > > > > In this case ffffffe9 is probably a kernel address?
>> > > >
>> > > > It's at the end of the kernel range, and it's ERR_PTR(-EINVAL).
>> > > >
>> > > > 0xffffffe9 is -0x16, which is -22, which is -EINVAL.
>> > > >
>> > > > > But the kernel is doing a write?
>> > > > > Which makes no sense, since copy_from_kernel_nofault is probe reading.
>> > > >
>> > > > It makes perfect sense; the read from 'src' happened, then the kernel tries to
>> > > > write the result to 'dst', and that aligns with the disassembly in the report
>> > > > below, which I believe is:
>> > > >
>> > > > 8: e4942000 ldr r2, [r4], #0 <-- Read of 'src', fault fixup is elsewhere
>> > > > c: e3530000 cmp r3, #0
>> > > > * 10: e5852000 str r2, [r5] <-- Write to 'dst'
>> > > >
>> > > > As above, it looks like 'dst' is ERR_PTR(-EINVAL).
>> > > >
>> > > > Are you certain that BPF is passing a sane value for 'dst'? Where does that
>> > > > come from in the first place?
>> > >
>> > > It looks to me like it gets passed in from the BPF program, and the
>> > > "type" for the argument is set to ARG_PTR_TO_UNINIT_MEM. What that
>> > > means for validation purposes, I've no idea, I'm not a BPF hacker.
>> > >
>> > > Obviously, if BPF is allowing copy_from_kernel_nofault() to be passed
>> > > an arbitrary destination address, that would be a huge security hole.
>> >
>> > If that's the case that's indeed a giant security hole,
>> > but I doubt it. We would be crashing other archs as well.
>> > I cannot really tell whether arm32 JIT is on.
>> > If it is, it's likely a bug there.
>> > Puranjay,
>> > could you please take a look.
>> >
>>
>> I dumped the BPF program that repro.c is loading, it works on x86-64
>> and there is nothing special there. We are probe-reading 5 bytes from
>> somewhere into the stack. Everything is unaligned here, but stays
>> within a well-defined memory slot.
>>
>> Note the r3 = (s8)r1, that's a new-ish thing, maybe bug is somewhere
>> there (but then it would be JIT, not verifier itself)
>>
>> 0: (7a) *(u64 *)(r10 -8) = 896542069
>> 1: (bf) r1 = r10
>> 2: (07) r1 += -7
>> 3: (b7) r2 = 5
>> 4: (bf) r3 = (s8)r1
>> 5: (85) call bpf_probe_read_kernel#-72390
>
I have started looking into this, the issue only reproduces when the JIT
is enabled. With the interpreter, it works fine.
I used GDB to dump the JITed BPF program:
0xbf00012c: push {r4, r5, r6, r7, r8, r9, r11, lr}
0xbf000130: mov r11, sp
0xbf000134: mov r3, #0
0xbf000138: sub r2, sp, #80 @ 0x50
0xbf00013c: sub sp, sp, #88 @ 0x58
0xbf000140: strd r2, [r11, #-64] @ 0xffffffc0
0xbf000144: mov r2, #0
0xbf000148: strd r2, [r11, #-72] @ 0xffffffb8
0xbf00014c: mov r2, r0
0xbf000150: movw r8, #9589 @ 0x2575
0xbf000154: movt r8, #13680 @ 0x3570
0xbf000158: mov r9, #0
0xbf00015c: ldr r6, [r11, #-64] @ 0xffffffc0
0xbf000160: str r8, [r6, #-8]
0xbf000164: str r9, [r6, #-4]
0xbf000168: ldrd r2, [r11, #-64] @ 0xffffffc0
0xbf00016c: movw r8, #65529 @ 0xfff9
0xbf000170: movt r8, #65535 @ 0xffff
0xbf000174: movw r9, #65535 @ 0xffff
0xbf000178: movt r9, #65535 @ 0xffff
0xbf00017c: adds r2, r2, r8
0xbf000180: adc r3, r3, r9
0xbf000184: mov r6, #5
0xbf000188: mov r7, #0
0xbf00018c: strd r6, [r11, #-8]
0xbf000190: ldrd r6, [r11, #-16]
0xbf000194: lsl r2, r2, #24
0xbf000198: asr r2, r2, #24
0xbf00019c: str r2, [r11, #-16]
0xbf0001a0: asr r7, r6, #31
0xbf0001a4: mov r1, r3
0xbf0001a8: mov r0, r2
0xbf0001ac: ldrd r2, [r11, #-8]
0xbf0001b0: ldrd r8, [r11, #-32] @ 0xffffffe0
0xbf0001b4: push {r8, r9}
0xbf0001b8: ldrd r8, [r11, #-24] @ 0xffffffe8
0xbf0001bc: push {r8, r9}
0xbf0001c0: ldrd r8, [r11, #-16]
0xbf0001c4: push {r8, r9}
0xbf0001c8: movw r6, #40536 @ 0x9e58
0xbf0001cc: movt r6, #49223 @ 0xc047
0xbf0001d0: blx r6
0xbf0001d4: add sp, sp, #24
0xbf0001d8: mov r0, #0
0xbf0001dc: mov r1, #0
0xbf0001e0: mov sp, r11
0xbf0001e4: pop {r4, r5, r6, r7, r8, r9, r11, pc}
Thanks,
Puranjay
On Tue, Apr 09, 2024 at 07:45:54AM +0000, Puranjay Mohan wrote:
> "Russell King (Oracle)" <[email protected]> writes:
>
> > On Fri, Apr 05, 2024 at 10:50:30AM -0700, Andrii Nakryiko wrote:
> >> On Fri, Apr 5, 2024 at 9:30 AM Alexei Starovoitov
> >> <[email protected]> wrote:
> >> >
> >> > On Fri, Apr 5, 2024 at 4:36 AM Russell King (Oracle)
> >> > <[email protected]> wrote:
> >> > >
> >> > > On Fri, Apr 05, 2024 at 12:02:36PM +0100, Mark Rutland wrote:
> >> > > > On Thu, Apr 04, 2024 at 03:57:04PM -0700, Alexei Starovoitov wrote:
> >> > > > > > On Wed, Apr 3, 2024 at 6:56 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> >> > > > > >
> >> > > > > > On Mon, 01 Apr 2024 22:19:25 -0700 syzbot <[email protected]> wrote:
> >> > > > > >
> >> > > > > > > Hello,
> >> > > > > >
> >> > > > > > Thanks. Cc: [email protected]
> >> > > > >
> >> > > > > I suspect the issue is not on bpf side.
> >> > > > > Looks like the bug is somewhere in arm32 bits.
> >> > > > > copy_from_kernel_nofault() is called from lots of places.
> >> > > > > bpf is just one user that is easy for syzbot to fuzz.
> >> > > > > Interestingly arm defines copy_from_kernel_nofault_allowed()
> >> > > > > that should have filtered out user addresses.
> >> > > > > In this case ffffffe9 is probably a kernel address?
> >> > > >
> >> > > > It's at the end of the kernel range, and it's ERR_PTR(-EINVAL).
> >> > > >
> >> > > > 0xffffffe9 is -0x16, which is -22, which is -EINVAL.
> >> > > >
> >> > > > > But the kernel is doing a write?
> >> > > > > Which makes no sense, since copy_from_kernel_nofault is probe reading.
> >> > > >
> >> > > > It makes perfect sense; the read from 'src' happened, then the kernel tries to
> >> > > > write the result to 'dst', and that aligns with the disassembly in the report
> >> > > > below, which I believe is:
> >> > > >
> >> > > > 8: e4942000 ldr r2, [r4], #0 <-- Read of 'src', fault fixup is elsewhere
> >> > > > c: e3530000 cmp r3, #0
> >> > > > * 10: e5852000 str r2, [r5] <-- Write to 'dst'
> >> > > >
> >> > > > As above, it looks like 'dst' is ERR_PTR(-EINVAL).
> >> > > >
> >> > > > Are you certain that BPF is passing a sane value for 'dst'? Where does that
> >> > > > come from in the first place?
> >> > >
> >> > > It looks to me like it gets passed in from the BPF program, and the
> >> > > "type" for the argument is set to ARG_PTR_TO_UNINIT_MEM. What that
> >> > > means for validation purposes, I've no idea, I'm not a BPF hacker.
> >> > >
> >> > > Obviously, if BPF is allowing copy_from_kernel_nofault() to be passed
> >> > > an arbitrary destination address, that would be a huge security hole.
> >> >
> >> > If that's the case that's indeed a giant security hole,
> >> > but I doubt it. We would be crashing other archs as well.
> >> > I cannot really tell whether arm32 JIT is on.
> >> > If it is, it's likely a bug there.
> >> > Puranjay,
> >> > could you please take a look.
> >> >
> >>
> >> I dumped the BPF program that repro.c is loading, it works on x86-64
> >> and there is nothing special there. We are probe-reading 5 bytes from
> >> somewhere into the stack. Everything is unaligned here, but stays
> >> within a well-defined memory slot.
> >>
> >> Note the r3 = (s8)r1, that's a new-ish thing, maybe bug is somewhere
> >> there (but then it would be JIT, not verifier itself)
> >>
> >> 0: (7a) *(u64 *)(r10 -8) = 896542069
> >> 1: (bf) r1 = r10
> >> 2: (07) r1 += -7
> >> 3: (b7) r2 = 5
> >> 4: (bf) r3 = (s8)r1
> >> 5: (85) call bpf_probe_read_kernel#-72390
> >
>
> I have started looking into this, the issue only reproduces when the JIT
> is enabled. With the interpreter, it works fine.
>
> I used GDB to dump the JITed BPF program:
>
> 0xbf00012c: push {r4, r5, r6, r7, r8, r9, r11, lr}
> 0xbf000130: mov r11, sp
> 0xbf000134: mov r3, #0
> 0xbf000138: sub r2, sp, #80 @ 0x50
> 0xbf00013c: sub sp, sp, #88 @ 0x58
> 0xbf000140: strd r2, [r11, #-64] @ 0xffffffc0
> 0xbf000144: mov r2, #0
> 0xbf000148: strd r2, [r11, #-72] @ 0xffffffb8
> 0xbf00014c: mov r2, r0
> 0xbf000150: movw r8, #9589 @ 0x2575
> 0xbf000154: movt r8, #13680 @ 0x3570
> 0xbf000158: mov r9, #0
> 0xbf00015c: ldr r6, [r11, #-64] @ 0xffffffc0
> 0xbf000160: str r8, [r6, #-8]
> 0xbf000164: str r9, [r6, #-4]
> 0xbf000168: ldrd r2, [r11, #-64] @ 0xffffffc0
> 0xbf00016c: movw r8, #65529 @ 0xfff9
> 0xbf000170: movt r8, #65535 @ 0xffff
> 0xbf000174: movw r9, #65535 @ 0xffff
> 0xbf000178: movt r9, #65535 @ 0xffff
> 0xbf00017c: adds r2, r2, r8
> 0xbf000180: adc r3, r3, r9
> 0xbf000184: mov r6, #5
> 0xbf000188: mov r7, #0
> 0xbf00018c: strd r6, [r11, #-8]
> 0xbf000190: ldrd r6, [r11, #-16]
Up to this point, it looks correct. r2/r3 contain the stack pointer
which corresponds to the instruction at "2:"
> 0xbf000194: lsl r2, r2, #24
> 0xbf000198: asr r2, r2, #24
> 0xbf00019c: str r2, [r11, #-16]
This then narrows the 64-bit pointer down to just 8!!! bits, but this
is what the instruction at "4:" is asking for. However, it looks like
it's happening to BPF's "r1" rather than "r3" and this is probably
where the problem lies.
I haven't got time to analyse this further this morning - I'm only
around sporadically today. I'll try to look deeper at this later on.
"Russell King (Oracle)" <[email protected]> writes:
> On Tue, Apr 09, 2024 at 07:45:54AM +0000, Puranjay Mohan wrote:
>> "Russell King (Oracle)" <[email protected]> writes:
>>
>> > On Fri, Apr 05, 2024 at 10:50:30AM -0700, Andrii Nakryiko wrote:
>> >> On Fri, Apr 5, 2024 at 9:30 AM Alexei Starovoitov
>> >> <[email protected]> wrote:
>> >> >
>> >> > On Fri, Apr 5, 2024 at 4:36 AM Russell King (Oracle)
>> >> > <[email protected]> wrote:
>> >> > >
>> >> > > On Fri, Apr 05, 2024 at 12:02:36PM +0100, Mark Rutland wrote:
>> >> > > > On Thu, Apr 04, 2024 at 03:57:04PM -0700, Alexei Starovoitov wrote:
>> >> > > > > > On Wed, Apr 3, 2024 at 6:56 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>> >> > > > > >
>> >> > > > > > On Mon, 01 Apr 2024 22:19:25 -0700 syzbot <[email protected]> wrote:
>> >> > > > > >
>> >> > > > > > > Hello,
>> >> > > > > >
>> >> > > > > > Thanks. Cc: [email protected]
>> >> > > > >
>> >> > > > > I suspect the issue is not on bpf side.
>> >> > > > > Looks like the bug is somewhere in arm32 bits.
>> >> > > > > copy_from_kernel_nofault() is called from lots of places.
>> >> > > > > bpf is just one user that is easy for syzbot to fuzz.
>> >> > > > > Interestingly arm defines copy_from_kernel_nofault_allowed()
>> >> > > > > that should have filtered out user addresses.
>> >> > > > > In this case ffffffe9 is probably a kernel address?
>> >> > > >
>> >> > > > It's at the end of the kernel range, and it's ERR_PTR(-EINVAL).
>> >> > > >
>> >> > > > 0xffffffe9 is -0x16, which is -22, which is -EINVAL.
>> >> > > >
>> >> > > > > But the kernel is doing a write?
>> >> > > > > Which makes no sense, since copy_from_kernel_nofault is probe reading.
>> >> > > >
>> >> > > > It makes perfect sense; the read from 'src' happened, then the kernel tries to
>> >> > > > write the result to 'dst', and that aligns with the disassembly in the report
>> >> > > > below, which I believe is:
>> >> > > >
>> >> > > > 8: e4942000 ldr r2, [r4], #0 <-- Read of 'src', fault fixup is elsewhere
>> >> > > > c: e3530000 cmp r3, #0
>> >> > > > * 10: e5852000 str r2, [r5] <-- Write to 'dst'
>> >> > > >
>> >> > > > As above, it looks like 'dst' is ERR_PTR(-EINVAL).
>> >> > > >
>> >> > > > Are you certain that BPF is passing a sane value for 'dst'? Where does that
>> >> > > > come from in the first place?
>> >> > >
>> >> > > It looks to me like it gets passed in from the BPF program, and the
>> >> > > "type" for the argument is set to ARG_PTR_TO_UNINIT_MEM. What that
>> >> > > means for validation purposes, I've no idea, I'm not a BPF hacker.
>> >> > >
>> >> > > Obviously, if BPF is allowing copy_from_kernel_nofault() to be passed
>> >> > > an arbitrary destination address, that would be a huge security hole.
>> >> >
>> >> > If that's the case that's indeed a giant security hole,
>> >> > but I doubt it. We would be crashing other archs as well.
>> >> > I cannot really tell whether arm32 JIT is on.
>> >> > If it is, it's likely a bug there.
>> >> > Puranjay,
>> >> > could you please take a look.
>> >> >
>> >>
>> >> I dumped the BPF program that repro.c is loading, it works on x86-64
>> >> and there is nothing special there. We are probe-reading 5 bytes from
>> >> somewhere into the stack. Everything is unaligned here, but stays
>> >> within a well-defined memory slot.
>> >>
>> >> Note the r3 = (s8)r1, that's a new-ish thing, maybe bug is somewhere
>> >> there (but then it would be JIT, not verifier itself)
>> >>
>> >> 0: (7a) *(u64 *)(r10 -8) = 896542069
>> >> 1: (bf) r1 = r10
>> >> 2: (07) r1 += -7
>> >> 3: (b7) r2 = 5
>> >> 4: (bf) r3 = (s8)r1
>> >> 5: (85) call bpf_probe_read_kernel#-72390
>> >
>>
>> I have started looking into this, the issue only reproduces when the JIT
>> is enabled. With the interpreter, it works fine.
>>
>> I used GDB to dump the JITed BPF program:
>>
>> 0xbf00012c: push {r4, r5, r6, r7, r8, r9, r11, lr}
>> 0xbf000130: mov r11, sp
>> 0xbf000134: mov r3, #0
>> 0xbf000138: sub r2, sp, #80 @ 0x50
>> 0xbf00013c: sub sp, sp, #88 @ 0x58
>> 0xbf000140: strd r2, [r11, #-64] @ 0xffffffc0
>> 0xbf000144: mov r2, #0
>> 0xbf000148: strd r2, [r11, #-72] @ 0xffffffb8
>> 0xbf00014c: mov r2, r0
>> 0xbf000150: movw r8, #9589 @ 0x2575
>> 0xbf000154: movt r8, #13680 @ 0x3570
>> 0xbf000158: mov r9, #0
>> 0xbf00015c: ldr r6, [r11, #-64] @ 0xffffffc0
>> 0xbf000160: str r8, [r6, #-8]
>> 0xbf000164: str r9, [r6, #-4]
>> 0xbf000168: ldrd r2, [r11, #-64] @ 0xffffffc0
>> 0xbf00016c: movw r8, #65529 @ 0xfff9
>> 0xbf000170: movt r8, #65535 @ 0xffff
>> 0xbf000174: movw r9, #65535 @ 0xffff
>> 0xbf000178: movt r9, #65535 @ 0xffff
>> 0xbf00017c: adds r2, r2, r8
>> 0xbf000180: adc r3, r3, r9
>> 0xbf000184: mov r6, #5
>> 0xbf000188: mov r7, #0
>> 0xbf00018c: strd r6, [r11, #-8]
>> 0xbf000190: ldrd r6, [r11, #-16]
>
> Up to this point, it looks correct. r2/r3 contain the stack pointer
> which corresponds to the instruction at "2:"
>
>> 0xbf000194: lsl r2, r2, #24
>> 0xbf000198: asr r2, r2, #24
>> 0xbf00019c: str r2, [r11, #-16]
>
> This then narrows the 64-bit pointer down to just 8!!! bits, but this
> is what the instruction at "4:" is asking for. However, it looks like
> it's happening to BPF's "r1" rather than "r3" and this is probably
> where the problem lies.
>
> I haven't got time to analyse this further this morning - I'm only
> around sporadically today. I'll try to look deeper at this later on.
>
> --
> RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
> FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
I found the problem. The implementation of sign-extended move is broken,
it clobbers the source register. I have sent a patch to fix it and also
fixed another issue that I saw:
https://lore.kernel.org/bpf/[email protected]/
I have manually tested with the reproducer but let's try to rerun the
reproducer through syzbot:
#syz test: https://github.com/puranjaymohan/linux.git arm32_movsx_fix
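The failure the thread pins down, as an added example that is not part of this thread or of the kernel's arm32 JIT: a small C model of the 64-bit MOVSX instruction "r3 = (s8)r1" on a 32-bit target that keeps each BPF register as a lo/hi pair of 32-bit words and sign-extends with a shift-left/shift-right pair. Two emission strategies are modelled: one that narrows the source register in place and then copies it (the clobbering behaviour described above), and one that moves first and narrows only the destination. The register file, the frame address 0xdf96dcf0 and the helper names are all constructed here; the five instructions replayed are the ones from the dumped program, and the value returned is what the helper call would receive as its destination pointer in r1.

```c
/*
 * Constructed model (not the arm32 JIT's code) of eBPF "dst = (s8)src" on a
 * 32-bit target that splits every 64-bit BPF register into lo/hi words and
 * sign-extends a word with an lsl/asr pair.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { BPF_R0, BPF_R1, BPF_R2, BPF_R3, BPF_R10 = 10, BPF_NREGS };

struct pair { uint32_t lo, hi; };
struct regfile { struct pair r[BPF_NREGS]; };

static uint64_t get64(const struct regfile *rf, int r)
{
	return ((uint64_t)rf->r[r].hi << 32) | rf->r[r].lo;
}

static void set64(struct regfile *rf, int r, uint64_t v)
{
	rf->r[r].lo = (uint32_t)v;
	rf->r[r].hi = (uint32_t)(v >> 32);
}

/* "lsl rX, rX, #(32-bits); asr rX, rX, #(32-bits)": keep the low `bits` bits, sign-extended */
static uint32_t sext_word(uint32_t w, int bits)
{
	int sh = 32 - bits;
	return (uint32_t)(((int32_t)(w << sh)) >> sh);
}

/* Correct MOVSX: compute into dst only; src keeps its value. */
static void movsx64(struct regfile *rf, int dst, int src, int bits)
{
	uint32_t lo = sext_word(rf->r[src].lo, bits);

	rf->r[dst].lo = lo;
	rf->r[dst].hi = ((int32_t)lo < 0) ? 0xffffffffu : 0;
}

/* Clobbering MOVSX: the lsl/asr pair is applied to the word that still belongs
 * to src, and only then copied to dst, so src is narrowed as a side effect. */
static void movsx64_clobber(struct regfile *rf, int dst, int src, int bits)
{
	rf->r[src].lo = sext_word(rf->r[src].lo, bits);
	rf->r[dst].lo = rf->r[src].lo;
	rf->r[dst].hi = ((int32_t)rf->r[dst].lo < 0) ? 0xffffffffu : 0;
}

/*
 * Replays the five-instruction program from the thread against a constructed
 * frame address. Returns the value of r1 at the helper call (the destination
 * buffer pointer the helper would write to); *out_r3 receives r3 (the
 * narrowed source value).
 */
static uint64_t run_program(bool clobbering, uint64_t *out_r3)
{
	struct regfile rf = { { { 0, 0 } } };
	const uint64_t frame = 0xdf96dcf0u;   /* constructed 32-bit kernel stack address */

	set64(&rf, BPF_R10, frame);
	set64(&rf, BPF_R1, get64(&rf, BPF_R10) - 7);   /* 1-2: r1 = r10; r1 += -7 */
	set64(&rf, BPF_R2, 5);                         /* 3:   r2 = 5            */
	if (clobbering)                                /* 4:   r3 = (s8)r1       */
		movsx64_clobber(&rf, BPF_R3, BPF_R1, 8);
	else
		movsx64(&rf, BPF_R3, BPF_R1, 8);
	if (out_r3)
		*out_r3 = get64(&rf, BPF_R3);
	return get64(&rf, BPF_R1);                     /* 5:   call helper(r1, r2, r3) */
}

int main(void)
{
	uint64_t r3;
	uint64_t good = run_program(false, &r3);
	uint64_t bad = run_program(true, NULL);

	printf("correct MOVSX:    r1 = 0x%016llx r3 = 0x%016llx\n",
	       (unsigned long long)good, (unsigned long long)r3);
	printf("clobbering MOVSX: r1 = 0x%016llx (helper dst is now the narrowed value)\n",
	       (unsigned long long)bad);
	return 0;
}
```

With the constructed frame, r1 is 0xdf96dce9 before instruction 4 and r3 correctly becomes 0xffffffffffffffe9 in both variants; the difference is that the clobbering emission leaves r1's low word at 0xffffffe9, which on a 32-bit target is exactly the pointer the helper then tries to write through.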
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in _vm_unmap_aliases
INFO: task kworker/0:1:8 blocked for more than 430 seconds.
Not tainted 6.9.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:1 state:D stack:0 pid:8 tgid:8 ppid:2 flags:0x00000000
Workqueue: events bpf_prog_free_deferred
Call trace:
[<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
[<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
r10:82c16005 r9:00000000 r8:82714be8 r7:00000002 r6:df839d94 r5:82e2d400
r4:82e2d400
[<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
r5:82e2d400 r4:82714be4
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
[<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
r10:82c16005 r9:df839e20 r8:00000000 r7:ffffffff r6:00000000 r5:84eb4f80
r4:00000000
[<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
[<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
r10:82c16005 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84eb4f80
r4:00000000
[<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
r9:82e2d400 r8:00000080 r7:00000000 r6:82c16000 r5:00001000 r4:7f02d000
[<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
r5:00001000 r4:dfb13000
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
[<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
r5:84eebf54 r4:84eebc00
[<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
r7:dddd00c0 r6:82c16000 r5:84eebf54 r4:82c0bf00
[<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
[<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
r10:82e2d400 r9:82c0bf2c r8:61c88647 r7:dddd00e0 r6:82604d40 r5:dddd00c0
r4:82c0bf00
[<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
r10:00000000 r9:df835e90 r8:82cad880 r7:82c0bf00 r6:802672c4 r5:82e2d400
r4:82cad140
[<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xdf839fb0 to 0xdf839ff8)
9fa0: 00000000 00000000 00000000 00000000
9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:82cad140
INFO: task kworker/1:6:3904 blocked for more than 430 seconds.
Not tainted 6.9.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:6 state:D stack:0 pid:3904 tgid:3904 ppid:2 flags:0x00000000
Workqueue: events bpf_prog_free_deferred
Call trace:
[<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
[<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
r10:82c16205 r9:00000000 r8:82714be8 r7:00000002 r6:e0741d94 r5:83efd400
r4:83efd400
[<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
r5:83efd400 r4:82714be4
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
[<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
r10:82c16205 r9:e0741e20 r8:00000000 r7:ffffffff r6:00000000 r5:84eb4300
r4:00000000
[<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
[<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
r10:82c16205 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84eb4300
r4:00000000
[<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
r9:83efd400 r8:00000180 r7:00000000 r6:82c16200 r5:00001000 r4:7f00b000
[<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
r5:00001000 r4:df98f000
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
[<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
r5:84ee9754 r4:84ee9400
[<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
r7:ddde40c0 r6:82c16200 r5:84ee9754 r4:84603500
[<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
[<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
r10:83efd400 r9:8460352c r8:61c88647 r7:ddde40e0 r6:82604d40 r5:ddde40c0
r4:84603500
[<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
r10:00000000 r9:df879e90 r8:84e34440 r7:84603500 r6:802672c4 r5:83efd400
r4:84cc58c0
[<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xe0741fb0 to 0xe0741ff8)
1fa0: 00000000 00000000 00000000 00000000
1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84cc58c0
INFO: task kworker/0:55:4238 blocked for more than 430 seconds.
Not tainted 6.9.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:55 state:D stack:0 pid:4238 tgid:4238 ppid:2 flags:0x00000000
Workqueue: events bpf_prog_free_deferred
Call trace:
[<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
[<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
r10:82c16005 r9:00000000 r8:82714be8 r7:00000002 r6:dfb09d94 r5:84e8c800
r4:84e8c800
[<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
r5:84e8c800 r4:82714be4
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
[<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
r10:82c16005 r9:dfb09e20 r8:00000000 r7:ffffffff r6:00000000 r5:84eb8640
r4:00000000
[<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
[<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
r10:82c16005 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84eb8640
r4:00000000
[<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
r9:84e8c800 r8:00000080 r7:00000000 r6:82c16000 r5:00001000 r4:7f057000
[<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
r5:00001000 r4:dffb3000
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
[<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
r5:84e08b54 r4:84e08800
[<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
r7:dddd00c0 r6:82c16000 r5:84e08b54 r4:84e60000
[<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
[<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
r10:84e8c800 r9:84e6002c r8:61c88647 r7:dddd00e0 r6:82604d40 r5:dddd00c0
r4:84e60000
[<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
r10:00000000 r9:df9bde90 r8:84616fc0 r7:84e60000 r6:802672c4 r5:84e8c800
r4:84e5b940
[<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xdfb09fb0 to 0xdfb09ff8)
9fa0: 00000000 00000000 00000000 00000000
9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84e5b940
INFO: task kworker/0:57:4264 blocked for more than 430 seconds.
Not tainted 6.9.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:57 state:D stack:0 pid:4264 tgid:4264 ppid:2 flags:0x00000000
Workqueue: events bpf_prog_free_deferred
Call trace:
[<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
[<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
r10:82c16005 r9:00000000 r8:82714be8 r7:00000002 r6:dfd11d94 r5:844e5400
r4:844e5400
[<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
r5:844e5400 r4:82714be4
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
[<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
r10:82c16005 r9:dfd11e20 r8:00000000 r7:ffffffff r6:00000000 r5:84eb4d80
r4:00000000
[<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
[<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
r10:82c16005 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84eb4d80
r4:00000000
[<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
r9:844e5400 r8:00000080 r7:00000000 r6:82c16000 r5:00001000 r4:7f02f000
[<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
r5:00001000 r4:dfb49000
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
[<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
r5:84eeaf54 r4:84eeac00
[<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
r7:dddd00c0 r6:82c16000 r5:84eeaf54 r4:84e60100
[<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
[<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
r10:844e5400 r9:84e6012c r8:61c88647 r7:dddd00e0 r6:82604d40 r5:dddd00c0
r4:84e60100
[<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
r10:00000000 r9:dfb09e90 r8:84ea8b80 r7:84e60100 r6:802672c4 r5:844e5400
r4:84ea8b00
[<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xdfd11fb0 to 0xdfd11ff8)
1fa0: 00000000 00000000 00000000 00000000
1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84ea8b00
INFO: task kworker/1:59:4286 blocked for more than 430 seconds.
Not tainted 6.9.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:59 state:D stack:0 pid:4286 tgid:4286 ppid:2 flags:0x00000000
Workqueue: events bpf_prog_free_deferred
Call trace:
[<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
[<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
r10:82c16205 r9:00000000 r8:82714be8 r7:00000002 r6:dfe89d94 r5:84e96000
r4:84e96000
[<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
r5:84e96000 r4:82714be4
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
[<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
r10:82c16205 r9:dfe89e20 r8:00000000 r7:ffffffff r6:00000000 r5:84eb8040
r4:00000000
[<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
[<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
r10:82c16205 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84eb8040
r4:00000000
[<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
r9:84e96000 r8:00000180 r7:00000000 r6:82c16200 r5:00001000 r4:7f055000
[<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
r5:00001000 r4:dff77000
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
[<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
r5:82ceb354 r4:82ceb000
[<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
r7:ddde40c0 r6:82c16200 r5:82ceb354 r4:84e69480
[<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
[<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
r10:84e96000 r9:84e694ac r8:61c88647 r7:ddde40e0 r6:82604d40 r5:ddde40c0
r4:84e69480
[<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
r10:00000000 r9:dfdcde90 r8:84ea8840 r7:84e69480 r6:802672c4 r5:84e96000
r4:84ea8e40
[<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xdfe89fb0 to 0xdfe89ff8)
9fa0: 00000000 00000000 00000000 00000000
9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84ea8e40
INFO: task kworker/1:63:4298 blocked for more than 430 seconds.
Not tainted 6.9.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:63 state:D stack:0 pid:4298 tgid:4298 ppid:2 flags:0x00000000
Workqueue: events bpf_prog_free_deferred
Call trace:
[<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
[<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
r10:82c16205 r9:00000000 r8:82714be8 r7:00000002 r6:dfee5d94 r5:84e91800
r4:84e91800
[<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
r5:84e91800 r4:82714be4
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
[<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
r10:82c16205 r9:dfee5e20 r8:00000000 r7:ffffffff r6:00000000 r5:84eba380
r4:00000000
[<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
[<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
r10:82c16205 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84eba380
r4:00000000
[<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
r9:84e91800 r8:00000180 r7:00000000 r6:82c16200 r5:00001000 r4:7f00d000
[<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
r5:00001000 r4:df9d3000
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
[<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
r5:84e18b54 r4:84e18800
[<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
r7:ddde40c0 r6:82c16200 r5:84e18b54 r4:84e69680
[<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
[<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
r10:84e91800 r9:84e696ac r8:61c88647 r7:ddde40e0 r6:82604d40 r5:ddde40c0
r4:84e69680
[<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
r10:00000000 r9:dfe89e90 r8:84e53340 r7:84e69680 r6:802672c4 r5:84e91800
r4:84e532c0
[<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xdfee5fb0 to 0xdfee5ff8)
5fa0: 00000000 00000000 00000000 00000000
5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84e532c0
INFO: task kworker/1:64:4299 blocked for more than 430 seconds.
Not tainted 6.9.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:64 state:D stack:0 pid:4299 tgid:4299 ppid:2 flags:0x00000000
Workqueue: events bpf_prog_free_deferred
Call trace:
[<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
[<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
r10:82c16205 r9:00000000 r8:82714be8 r7:00000002 r6:dff41d94 r5:84e74800
r4:84e74800
[<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
r5:84e74800 r4:82714be4
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
[<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
r10:82c16205 r9:dff41e20 r8:00000000 r7:ffffffff r6:00000000 r5:84e53640
r4:00000000
[<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
[<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
r10:82c16205 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84e53640
r4:00000000
[<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
r9:84e74800 r8:00000180 r7:00000000 r6:82c16200 r5:00001000 r4:7f033000
[<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
r5:00001000 r4:dfbd7000
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
[<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
r5:84ee8f54 r4:84ee8c00
[<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
r7:ddde40c0 r6:82c16200 r5:84ee8f54 r4:84e69780
[<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
[<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
r10:84e74800 r9:84e697ac r8:61c88647 r7:ddde40e0 r6:82604d40 r5:ddde40c0
r4:84e69780
[<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
r10:00000000 r9:dfe89e90 r8:84eb4000 r7:84e69780 r6:802672c4 r5:84e74800
r4:84e53900
[<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xdff41fb0 to 0xdff41ff8)
1fa0: 00000000 00000000 00000000 00000000
1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84e53900
INFO: task kworker/0:58:4308 blocked for more than 430 seconds.
Not tainted 6.9.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:58 state:D stack:0 pid:4308 tgid:4308 ppid:2 flags:0x00000000
Workqueue: events bpf_prog_free_deferred
Call trace:
[<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
[<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
r10:82c16005 r9:00000000 r8:82714be8 r7:00000002 r6:dff71d94 r5:84e76c00
r4:84e76c00
[<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
r5:84e76c00 r4:82714be4
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
[<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
r10:82c16005 r9:dff71e20 r8:00000000 r7:ffffffff r6:00000000 r5:84eb8d00
r4:00000000
[<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
[<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
r10:82c16005 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84eb8d00
r4:00000000
[<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
r9:84e76c00 r8:00000080 r7:00000000 r6:82c16000 r5:00001000 r4:7f031000
[<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
r5:00001000 r4:dfb8f000
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
[<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
r5:84c30b54 r4:84c30800
[<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
r7:dddd00c0 r6:82c16000 r5:84c30b54 r4:84e60180
[<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
[<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
r10:84e76c00 r9:84e601ac r8:61c88647 r7:dddd00e0 r6:82604d40 r5:dddd00c0
r4:84e60180
[<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
r10:00000000 r9:dfd11e90 r8:84eb4a40 r7:84e60180 r6:802672c4 r5:84e76c00
r4:84eb4e00
[<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xdff71fb0 to 0xdff71ff8)
1fa0: 00000000 00000000 00000000 00000000
1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84eb4e00
INFO: task kworker/0:59:4311 blocked for more than 430 seconds.
Not tainted 6.9.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:59 state:D stack:0 pid:4311 tgid:4311 ppid:2 flags:0x00000000
Workqueue: events bpf_prog_free_deferred
Call trace:
[<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
[<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
r10:82c16005 r9:00000000 r8:82714be8 r7:00000002 r6:dfb8dd94 r5:84e75400
r4:84e75400
[<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
r5:84e75400 r4:82714be4
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
[<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
r10:82c16005 r9:dfb8de20 r8:00000000 r7:ffffffff r6:00000000 r5:84e5b5c0
r4:00000000
[<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
[<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
r10:82c16005 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84e5b5c0
r4:00000000
[<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
r9:84e75400 r8:00000080 r7:00000000 r6:82c16000 r5:00001000 r4:7f03b000
[<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
r5:00001000 r4:dfcc9000
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
[<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
r5:84e19b54 r4:84e19800
[<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
r7:dddd00c0 r6:82c16000 r5:84e19b54 r4:84e60280
[<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
[<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
r10:84e75400 r9:84e602ac r8:61c88647 r7:dddd00e0 r6:82604d40 r5:dddd00c0
r4:84e60280
[<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
r10:00000000 r9:dff71e90 r8:84eb8c00 r7:84e60280 r6:802672c4 r5:84e75400
r4:84eb4380
[<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xdfb8dfb0 to 0xdfb8dff8)
dfa0: 00000000 00000000 00000000 00000000
dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84eb4380
INFO: task kworker/0:60:4312 blocked for more than 430 seconds.
Not tainted 6.9.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:60 state:D stack:0 pid:4312 tgid:4312 ppid:2 flags:0x00000000
Workqueue: events bpf_prog_free_deferred
Call trace:
[<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
[<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
r10:82c16005 r9:00000000 r8:82714be8 r7:00000002 r6:dffb1d94 r5:84e90c00
r4:84e90c00
[<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
r5:84e90c00 r4:82714be4
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
[<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
[<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
r10:82c16005 r9:dffb1e20 r8:00000000 r7:ffffffff r6:00000000 r5:84e5b640
r4:00000000
[<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
[<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
[<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
r10:82c16005 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84e5b640
r4:00000000
[<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
r9:84e90c00 r8:00000080 r7:00000000 r6:82c16000 r5:00001000 r4:7f03f000
[<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
r5:00001000 r4:dfd63000
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
[<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
[<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
r5:84ef0754 r4:84ef0400
[<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
r7:dddd00c0 r6:82c16000 r5:84ef0754 r4:84e60300
[<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
[<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
r10:84e90c00 r9:84e6032c r8:61c88647 r7:dddd00e0 r6:82604d40 r5:dddd00c0
r4:84e60300
[<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
r10:00000000 r9:dfb8de90 r8:84eb8f40 r7:84e60300 r6:802672c4 r5:84e90c00
r4:84eb4300
[<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xdffb1fb0 to 0xdffb1ff8)
1fa0: 00000000 00000000 00000000 00000000
1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84eb4300
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
NMI backtrace for cpu 0
CPU: 0 PID: 31 Comm: khungtaskd Not tainted 6.9.0-rc2-syzkaller #0
Hardware name: ARM-Versatile Express
Call trace:
[<8187a69c>] (dump_backtrace) from [<8187a798>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:256)
r7:00000000 r6:00000013 r5:60000093 r4:81fc48fc
[<8187a780>] (show_stack) from [<81897f54>] (__dump_stack lib/dump_stack.c:88 [inline])
[<8187a780>] (show_stack) from [<81897f54>] (dump_stack_lvl+0x70/0x7c lib/dump_stack.c:114)
[<81897ee4>] (dump_stack_lvl) from [<81897f78>] (dump_stack+0x18/0x1c lib/dump_stack.c:123)
r5:00000000 r4:00000001
[<81897f60>] (dump_stack) from [<81867a74>] (nmi_cpu_backtrace+0x160/0x17c lib/nmi_backtrace.c:113)
[<81867914>] (nmi_cpu_backtrace) from [<81867bc0>] (nmi_trigger_cpumask_backtrace+0x130/0x1d8 lib/nmi_backtrace.c:62)
r7:00000000 r6:8260c590 r5:8261a88c r4:ffffffff
[<81867a90>] (nmi_trigger_cpumask_backtrace) from [<802105b4>] (arch_trigger_cpumask_backtrace+0x18/0x1c arch/arm/kernel/smp.c:851)
r9:8260c6f4 r8:000076c2 r7:8289dfe0 r6:00007d59 r5:8514be04 r4:850f5d24
[<8021059c>] (arch_trigger_cpumask_backtrace) from [<8034ec78>] (trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline])
[<8021059c>] (arch_trigger_cpumask_backtrace) from [<8034ec78>] (check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline])
[<8021059c>] (arch_trigger_cpumask_backtrace) from [<8034ec78>] (watchdog+0x480/0x594 kernel/hung_task.c:380)
[<8034e7f8>] (watchdog) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
r10:00000000 r9:df819e58 r8:82e98340 r7:00000000 r6:8034e7f8 r5:82ee8c00
r4:82f41200
[<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xdf8ddfb0 to 0xdf8ddff8)
dfa0: 00000000 00000000 00000000 00000000
dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:82f41200
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 6890 Comm: syz-executor.0 Not tainted 6.9.0-rc2-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at kmap_local_sched_in kernel/sched/core.c:5189 [inline]
PC is at finish_task_switch+0x8c/0x298 kernel/sched/core.c:5291
LR is at __raw_spin_unlock include/linux/spinlock_api_smp.h:143 [inline]
LR is at _raw_spin_unlock+0x2c/0x50 kernel/locking/spinlock.c:186
pc : [<8027cd4c>] lr : [<818a4f88>] psr: 20000113
sp : eb539ab8 ip : eb539aa8 fp : eb539afc
r10: 00000402 r9 : 8514bc00 r8 : 82e33000
r7 : a3e9c050 r6 : 8189c228 r5 : ddde4440 r4 : 00000000
r3 : 8514bc00 r2 : 00000001 r1 : 81fc48fc r0 : 00000001
Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 30c5387d Table: 851ca6c0 DAC: 00000000
Call trace:
[<8027ccc0>] (finish_task_switch) from [<8189c228>] (context_switch kernel/sched/core.c:5412 [inline])
[<8027ccc0>] (finish_task_switch) from [<8189c228>] (__schedule+0x408/0xc10 kernel/sched/core.c:6746)
r10:00000000 r9:84df6400 r8:a69b624b r7:a3e9c050 r6:8514bc00 r5:ddde4440
r4:82e33000
[<8189be20>] (__schedule) from [<8189d0b8>] (preempt_schedule_irq+0x40/0xa8 kernel/sched/core.c:7068)
r10:eb539db0 r9:8514bc00 r8:80200b9c r7:eb539bbc r6:ffffffff r5:8514bc00
r4:00000000
[<8189d078>] (preempt_schedule_irq) from [<80200bb4>] (svc_preempt+0x8/0x18)
Exception stack(0xeb539b88 to 0xeb539bd0)
9b80: 000f1b1e 003ff40e 0000071f 00000000 00000000 8514bc00
9ba0: 00000598 0000071f 000f1b1e 00000000 eb539db0 eb539bf4 eb539bf8 eb539bd8
9bc0: 80479eb8 8027f380 60000113 ffffffff
r5:60000113 r4:8027f380
[<8027f354>] (migrate_disable) from [<80479eb8>] (__kmap_local_pfn_prot+0x20/0x1ac mm/highmem.c:548)
r7:0000071f r6:00c00000 r5:dedf605c r4:00000000
[<80479e98>] (__kmap_local_pfn_prot) from [<8047a0b4>] (__kmap_local_page_prot mm/highmem.c:581 [inline])
[<80479e98>] (__kmap_local_pfn_prot) from [<8047a0b4>] (__kmap_local_page_prot+0x70/0x74 mm/highmem.c:564)
r8:00000001 r7:828584e8 r6:00000001 r5:dedf605c r4:00000000
[<8047a044>] (__kmap_local_page_prot) from [<804a23ec>] (kmap_local_page include/linux/highmem-internal.h:73 [inline])
[<8047a044>] (__kmap_local_page_prot) from [<804a23ec>] (clear_highpage_kasan_tagged include/linux/highmem.h:246 [inline])
[<8047a044>] (__kmap_local_page_prot) from [<804a23ec>] (kernel_init_pages+0x3c/0x60 mm/page_alloc.c:1080)
[<804a23b0>] (kernel_init_pages) from [<804a52d4>] (post_alloc_hook+0x88/0xc0 mm/page_alloc.c:1532)
r9:00000000 r8:827e21bc r7:00000001 r6:00000001 r5:dedf6038 r4:00000000
[<804a524c>] (post_alloc_hook) from [<804a7968>] (prep_new_page mm/page_alloc.c:1541 [inline])
[<804a524c>] (post_alloc_hook) from [<804a7968>] (get_page_from_freelist+0x28c/0x13d8 mm/page_alloc.c:3317)
r7:8514bc00 r6:827e1f00 r5:00000000 r4:00540dc2
[<804a76dc>] (get_page_from_freelist) from [<804a8fe4>] (__alloc_pages+0xe0/0x1168 mm/page_alloc.c:4575)
r10:00000000 r9:84df6400 r8:20000000 r7:8514bc00 r6:00440dc2 r5:00540dc2
r4:00000000
[<804a8f04>] (__alloc_pages) from [<8047b688>] (__alloc_pages_node include/linux/gfp.h:238 [inline])
[<804a8f04>] (__alloc_pages) from [<8047b688>] (alloc_pages_node include/linux/gfp.h:261 [inline])
[<804a8f04>] (__alloc_pages) from [<8047b688>] (alloc_pages include/linux/gfp.h:274 [inline])
[<804a8f04>] (__alloc_pages) from [<8047b688>] (pagetable_alloc include/linux/mm.h:2862 [inline])
[<804a8f04>] (__alloc_pages) from [<8047b688>] (__pte_alloc_one include/asm-generic/pgalloc.h:68 [inline])
[<804a8f04>] (__alloc_pages) from [<8047b688>] (pte_alloc_one+0x24/0xf8 arch/arm/include/asm/pgalloc.h:99)
r10:00000040 r9:84df6400 r8:20000000 r7:84db6000 r6:20000000 r5:85268800
r4:84df6400
[<8047b664>] (pte_alloc_one) from [<8047cc70>] (__pte_alloc+0x2c/0x108 mm/memory.c:440)
r5:85268800 r4:84df6400
[<8047cc44>] (__pte_alloc) from [<80481b10>] (do_anonymous_page mm/memory.c:4402 [inline])
[<8047cc44>] (__pte_alloc) from [<80481b10>] (do_pte_missing mm/memory.c:3878 [inline])
[<8047cc44>] (__pte_alloc) from [<80481b10>] (handle_pte_fault mm/memory.c:5300 [inline])
[<8047cc44>] (__pte_alloc) from [<80481b10>] (__handle_mm_fault mm/memory.c:5441 [inline])
[<8047cc44>] (__pte_alloc) from [<80481b10>] (handle_mm_fault+0xfac/0x12b8 mm/memory.c:5606)
r5:8514bc00 r4:00000255
[<80480b64>] (handle_mm_fault) from [<80215d94>] (do_page_fault+0x148/0x3a8 arch/arm/mm/fault.c:333)
r10:00000002 r9:84df6400 r8:20000000 r7:00000a06 r6:00000255 r5:20000000
r4:eb539fb0
[<80215c4c>] (do_page_fault) from [<80216174>] (do_translation_fault+0xfc/0x12c arch/arm/mm/fault.c:444)
r10:7ee33670 r9:7ee33670 r8:80216078 r7:eb539fb0 r6:20000000 r5:00000a06
r4:8261d0d0
[<80216078>] (do_translation_fault) from [<802161dc>] (do_DataAbort+0x38/0xa8 arch/arm/mm/fault.c:565)
r9:7ee33670 r8:80216078 r7:eb539fb0 r6:20000000 r5:00000a06 r4:8261d0d0
[<802161a4>] (do_DataAbort) from [<80200e3c>] (__dabt_usr+0x5c/0x60 arch/arm/kernel/entry-armv.S:427)
Exception stack(0xeb539fb0 to 0xeb539ff8)
9fa0: 00000000 00000000 00000001 20000000
9fc0: 00000004 00000000 00000000 00000000 fffffffe 7ee33670 7ee33670 7ee33630
9fe0: 01068590 7ee333a8 0001d150 0001d4ac 40000010 ffffffff
r8:824a9044 r7:8514bc00 r6:ffffffff r5:40000010 r4:0001d4ac
Tested on:
commit: 2929be95 arm32, bpf: Fix sign-extension mov instruction
git tree: https://github.com/puranjaymohan/linux.git arm32_movsx_fix
console output: https://syzkaller.appspot.com/x/log.txt?x=11362cf3180000
kernel config: https://syzkaller.appspot.com/x/.config?x=10acd270ef193b93
dashboard link: https://syzkaller.appspot.com/bug?extid=186522670e6722692d86
compiler: arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm
Note: no patches were applied.
syzbot <[email protected]> writes:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> INFO: task hung in _vm_unmap_aliases
>
> INFO: task kworker/0:1:8 blocked for more than 430 seconds.
> Not tainted 6.9.0-rc2-syzkaller #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/0:1 state:D stack:0 pid:8 tgid:8 ppid:2 flags:0x00000000
> Workqueue: events bpf_prog_free_deferred
> Call trace:
> [<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
> [<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
> r10:82c16005 r9:00000000 r8:82714be8 r7:00000002 r6:df839d94 r5:82e2d400
> r4:82e2d400
> [<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
> r5:82e2d400 r4:82714be4
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
> [<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
> r10:82c16005 r9:df839e20 r8:00000000 r7:ffffffff r6:00000000 r5:84eb4f80
> r4:00000000
> [<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
> [<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
> r10:82c16005 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84eb4f80
> r4:00000000
> [<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
> r9:82e2d400 r8:00000080 r7:00000000 r6:82c16000 r5:00001000 r4:7f02d000
> [<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
> r5:00001000 r4:dfb13000
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
> [<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
> r5:84eebf54 r4:84eebc00
> [<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
> r7:dddd00c0 r6:82c16000 r5:84eebf54 r4:82c0bf00
> [<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
> [<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
> r10:82e2d400 r9:82c0bf2c r8:61c88647 r7:dddd00e0 r6:82604d40 r5:dddd00c0
> r4:82c0bf00
> [<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
> r10:00000000 r9:df835e90 r8:82cad880 r7:82c0bf00 r6:802672c4 r5:82e2d400
> r4:82cad140
> [<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
> Exception stack(0xdf839fb0 to 0xdf839ff8)
> 9fa0: 00000000 00000000 00000000 00000000
> 9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
> r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:82cad140
> INFO: task kworker/1:6:3904 blocked for more than 430 seconds.
> Not tainted 6.9.0-rc2-syzkaller #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/1:6 state:D stack:0 pid:3904 tgid:3904 ppid:2 flags:0x00000000
> Workqueue: events bpf_prog_free_deferred
> Call trace:
> [<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
> [<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
> r10:82c16205 r9:00000000 r8:82714be8 r7:00000002 r6:e0741d94 r5:83efd400
> r4:83efd400
> [<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
> r5:83efd400 r4:82714be4
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
> [<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
> r10:82c16205 r9:e0741e20 r8:00000000 r7:ffffffff r6:00000000 r5:84eb4300
> r4:00000000
> [<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
> [<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
> r10:82c16205 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84eb4300
> r4:00000000
> [<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
> r9:83efd400 r8:00000180 r7:00000000 r6:82c16200 r5:00001000 r4:7f00b000
> [<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
> r5:00001000 r4:df98f000
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
> [<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
> r5:84ee9754 r4:84ee9400
> [<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
> r7:ddde40c0 r6:82c16200 r5:84ee9754 r4:84603500
> [<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
> [<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
> r10:83efd400 r9:8460352c r8:61c88647 r7:ddde40e0 r6:82604d40 r5:ddde40c0
> r4:84603500
> [<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
> r10:00000000 r9:df879e90 r8:84e34440 r7:84603500 r6:802672c4 r5:83efd400
> r4:84cc58c0
> [<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
> Exception stack(0xe0741fb0 to 0xe0741ff8)
> 1fa0: 00000000 00000000 00000000 00000000
> 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
> r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84cc58c0
> INFO: task kworker/0:55:4238 blocked for more than 430 seconds.
> Not tainted 6.9.0-rc2-syzkaller #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/0:55 state:D stack:0 pid:4238 tgid:4238 ppid:2 flags:0x00000000
> Workqueue: events bpf_prog_free_deferred
> Call trace:
> [<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
> [<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
> r10:82c16005 r9:00000000 r8:82714be8 r7:00000002 r6:dfb09d94 r5:84e8c800
> r4:84e8c800
> [<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
> r5:84e8c800 r4:82714be4
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
> [<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
> r10:82c16005 r9:dfb09e20 r8:00000000 r7:ffffffff r6:00000000 r5:84eb8640
> r4:00000000
> [<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
> [<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
> r10:82c16005 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84eb8640
> r4:00000000
> [<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
> r9:84e8c800 r8:00000080 r7:00000000 r6:82c16000 r5:00001000 r4:7f057000
> [<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
> r5:00001000 r4:dffb3000
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
> [<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
> r5:84e08b54 r4:84e08800
> [<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
> r7:dddd00c0 r6:82c16000 r5:84e08b54 r4:84e60000
> [<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
> [<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
> r10:84e8c800 r9:84e6002c r8:61c88647 r7:dddd00e0 r6:82604d40 r5:dddd00c0
> r4:84e60000
> [<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
> r10:00000000 r9:df9bde90 r8:84616fc0 r7:84e60000 r6:802672c4 r5:84e8c800
> r4:84e5b940
> [<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
> Exception stack(0xdfb09fb0 to 0xdfb09ff8)
> 9fa0: 00000000 00000000 00000000 00000000
> 9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
> r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84e5b940
> INFO: task kworker/0:57:4264 blocked for more than 430 seconds.
> Not tainted 6.9.0-rc2-syzkaller #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/0:57 state:D stack:0 pid:4264 tgid:4264 ppid:2 flags:0x00000000
> Workqueue: events bpf_prog_free_deferred
> Call trace:
> [<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
> [<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
> r10:82c16005 r9:00000000 r8:82714be8 r7:00000002 r6:dfd11d94 r5:844e5400
> r4:844e5400
> [<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
> r5:844e5400 r4:82714be4
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
> [<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
> r10:82c16005 r9:dfd11e20 r8:00000000 r7:ffffffff r6:00000000 r5:84eb4d80
> r4:00000000
> [<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
> [<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
> r10:82c16005 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84eb4d80
> r4:00000000
> [<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
> r9:844e5400 r8:00000080 r7:00000000 r6:82c16000 r5:00001000 r4:7f02f000
> [<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
> r5:00001000 r4:dfb49000
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
> [<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
> r5:84eeaf54 r4:84eeac00
> [<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
> r7:dddd00c0 r6:82c16000 r5:84eeaf54 r4:84e60100
> [<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
> [<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
> r10:844e5400 r9:84e6012c r8:61c88647 r7:dddd00e0 r6:82604d40 r5:dddd00c0
> r4:84e60100
> [<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
> r10:00000000 r9:dfb09e90 r8:84ea8b80 r7:84e60100 r6:802672c4 r5:844e5400
> r4:84ea8b00
> [<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
> Exception stack(0xdfd11fb0 to 0xdfd11ff8)
> 1fa0: 00000000 00000000 00000000 00000000
> 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
> r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84ea8b00
> INFO: task kworker/1:59:4286 blocked for more than 430 seconds.
> Not tainted 6.9.0-rc2-syzkaller #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/1:59 state:D stack:0 pid:4286 tgid:4286 ppid:2 flags:0x00000000
> Workqueue: events bpf_prog_free_deferred
> Call trace:
> [<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
> [<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
> r10:82c16205 r9:00000000 r8:82714be8 r7:00000002 r6:dfe89d94 r5:84e96000
> r4:84e96000
> [<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
> r5:84e96000 r4:82714be4
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
> [<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
> r10:82c16205 r9:dfe89e20 r8:00000000 r7:ffffffff r6:00000000 r5:84eb8040
> r4:00000000
> [<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
> [<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
> r10:82c16205 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84eb8040
> r4:00000000
> [<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
> r9:84e96000 r8:00000180 r7:00000000 r6:82c16200 r5:00001000 r4:7f055000
> [<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
> r5:00001000 r4:dff77000
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
> [<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
> r5:82ceb354 r4:82ceb000
> [<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
> r7:ddde40c0 r6:82c16200 r5:82ceb354 r4:84e69480
> [<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
> [<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
> r10:84e96000 r9:84e694ac r8:61c88647 r7:ddde40e0 r6:82604d40 r5:ddde40c0
> r4:84e69480
> [<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
> r10:00000000 r9:dfdcde90 r8:84ea8840 r7:84e69480 r6:802672c4 r5:84e96000
> r4:84ea8e40
> [<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
> Exception stack(0xdfe89fb0 to 0xdfe89ff8)
> 9fa0: 00000000 00000000 00000000 00000000
> 9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
> r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84ea8e40
> INFO: task kworker/1:63:4298 blocked for more than 430 seconds.
> Not tainted 6.9.0-rc2-syzkaller #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/1:63 state:D stack:0 pid:4298 tgid:4298 ppid:2 flags:0x00000000
> Workqueue: events bpf_prog_free_deferred
> Call trace:
> [<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
> [<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
> r10:82c16205 r9:00000000 r8:82714be8 r7:00000002 r6:dfee5d94 r5:84e91800
> r4:84e91800
> [<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
> r5:84e91800 r4:82714be4
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
> [<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
> r10:82c16205 r9:dfee5e20 r8:00000000 r7:ffffffff r6:00000000 r5:84eba380
> r4:00000000
> [<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
> [<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
> r10:82c16205 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84eba380
> r4:00000000
> [<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
> r9:84e91800 r8:00000180 r7:00000000 r6:82c16200 r5:00001000 r4:7f00d000
> [<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
> r5:00001000 r4:df9d3000
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
> [<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
> r5:84e18b54 r4:84e18800
> [<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
> r7:ddde40c0 r6:82c16200 r5:84e18b54 r4:84e69680
> [<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
> [<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
> r10:84e91800 r9:84e696ac r8:61c88647 r7:ddde40e0 r6:82604d40 r5:ddde40c0
> r4:84e69680
> [<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
> r10:00000000 r9:dfe89e90 r8:84e53340 r7:84e69680 r6:802672c4 r5:84e91800
> r4:84e532c0
> [<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
> Exception stack(0xdfee5fb0 to 0xdfee5ff8)
> 5fa0: 00000000 00000000 00000000 00000000
> 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
> r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84e532c0
> INFO: task kworker/1:64:4299 blocked for more than 430 seconds.
> Not tainted 6.9.0-rc2-syzkaller #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/1:64 state:D stack:0 pid:4299 tgid:4299 ppid:2 flags:0x00000000
> Workqueue: events bpf_prog_free_deferred
> Call trace:
> [<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
> [<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
> r10:82c16205 r9:00000000 r8:82714be8 r7:00000002 r6:dff41d94 r5:84e74800
> r4:84e74800
> [<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
> r5:84e74800 r4:82714be4
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
> [<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
> r10:82c16205 r9:dff41e20 r8:00000000 r7:ffffffff r6:00000000 r5:84e53640
> r4:00000000
> [<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
> [<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
> r10:82c16205 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84e53640
> r4:00000000
> [<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
> r9:84e74800 r8:00000180 r7:00000000 r6:82c16200 r5:00001000 r4:7f033000
> [<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
> r5:00001000 r4:dfbd7000
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
> [<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
> r5:84ee8f54 r4:84ee8c00
> [<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
> r7:ddde40c0 r6:82c16200 r5:84ee8f54 r4:84e69780
> [<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
> [<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
> r10:84e74800 r9:84e697ac r8:61c88647 r7:ddde40e0 r6:82604d40 r5:ddde40c0
> r4:84e69780
> [<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
> r10:00000000 r9:dfe89e90 r8:84eb4000 r7:84e69780 r6:802672c4 r5:84e74800
> r4:84e53900
> [<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
> Exception stack(0xdff41fb0 to 0xdff41ff8)
> 1fa0: 00000000 00000000 00000000 00000000
> 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
> r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84e53900
> INFO: task kworker/0:58:4308 blocked for more than 430 seconds.
> Not tainted 6.9.0-rc2-syzkaller #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/0:58 state:D stack:0 pid:4308 tgid:4308 ppid:2 flags:0x00000000
> Workqueue: events bpf_prog_free_deferred
> Call trace:
> [<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
> [<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
> r10:82c16005 r9:00000000 r8:82714be8 r7:00000002 r6:dff71d94 r5:84e76c00
> r4:84e76c00
> [<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
> r5:84e76c00 r4:82714be4
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
> [<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
> r10:82c16005 r9:dff71e20 r8:00000000 r7:ffffffff r6:00000000 r5:84eb8d00
> r4:00000000
> [<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
> [<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
> r10:82c16005 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84eb8d00
> r4:00000000
> [<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
> r9:84e76c00 r8:00000080 r7:00000000 r6:82c16000 r5:00001000 r4:7f031000
> [<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
> r5:00001000 r4:dfb8f000
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
> [<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
> r5:84c30b54 r4:84c30800
> [<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
> r7:dddd00c0 r6:82c16000 r5:84c30b54 r4:84e60180
> [<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
> [<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
> r10:84e76c00 r9:84e601ac r8:61c88647 r7:dddd00e0 r6:82604d40 r5:dddd00c0
> r4:84e60180
> [<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
> r10:00000000 r9:dfd11e90 r8:84eb4a40 r7:84e60180 r6:802672c4 r5:84e76c00
> r4:84eb4e00
> [<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
> Exception stack(0xdff71fb0 to 0xdff71ff8)
> 1fa0: 00000000 00000000 00000000 00000000
> 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
> r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84eb4e00
> INFO: task kworker/0:59:4311 blocked for more than 430 seconds.
> Not tainted 6.9.0-rc2-syzkaller #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/0:59 state:D stack:0 pid:4311 tgid:4311 ppid:2 flags:0x00000000
> Workqueue: events bpf_prog_free_deferred
> Call trace:
> [<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
> [<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
> r10:82c16005 r9:00000000 r8:82714be8 r7:00000002 r6:dfb8dd94 r5:84e75400
> r4:84e75400
> [<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
> r5:84e75400 r4:82714be4
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
> [<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
> r10:82c16005 r9:dfb8de20 r8:00000000 r7:ffffffff r6:00000000 r5:84e5b5c0
> r4:00000000
> [<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
> [<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
> r10:82c16005 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84e5b5c0
> r4:00000000
> [<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
> r9:84e75400 r8:00000080 r7:00000000 r6:82c16000 r5:00001000 r4:7f03b000
> [<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
> r5:00001000 r4:dfcc9000
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
> [<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
> r5:84e19b54 r4:84e19800
> [<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
> r7:dddd00c0 r6:82c16000 r5:84e19b54 r4:84e60280
> [<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
> [<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
> r10:84e75400 r9:84e602ac r8:61c88647 r7:dddd00e0 r6:82604d40 r5:dddd00c0
> r4:84e60280
> [<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
> r10:00000000 r9:dff71e90 r8:84eb8c00 r7:84e60280 r6:802672c4 r5:84e75400
> r4:84eb4380
> [<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
> Exception stack(0xdfb8dfb0 to 0xdfb8dff8)
> dfa0: 00000000 00000000 00000000 00000000
> dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
> r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84eb4380
> INFO: task kworker/0:60:4312 blocked for more than 430 seconds.
> Not tainted 6.9.0-rc2-syzkaller #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/0:60 state:D stack:0 pid:4312 tgid:4312 ppid:2 flags:0x00000000
> Workqueue: events bpf_prog_free_deferred
> Call trace:
> [<8189be20>] (__schedule) from [<8189ca5c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
> [<8189be20>] (__schedule) from [<8189ca5c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
> r10:82c16005 r9:00000000 r8:82714be8 r7:00000002 r6:dffb1d94 r5:84e90c00
> r4:84e90c00
> [<8189ca30>] (schedule) from [<8189d06c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
> r5:84e90c00 r4:82714be4
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
> [<8189d054>] (schedule_preempt_disabled) from [<8189f94c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
> [<8189f664>] (__mutex_lock.constprop.0) from [<818a0218>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
> r10:82c16005 r9:dffb1e20 r8:00000000 r7:ffffffff r6:00000000 r5:84e5b640
> r4:00000000
> [<818a0204>] (__mutex_lock_slowpath) from [<818a0258>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
> [<818a021c>] (mutex_lock) from [<8049c734>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
> [<8049c6d4>] (_vm_unmap_aliases) from [<804a05b8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
> r10:82c16005 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84e5b640
> r4:00000000
> [<804a0448>] (vfree) from [<802edb3c>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
> r9:84e90c00 r8:00000080 r7:00000000 r6:82c16000 r5:00001000 r4:7f03f000
> [<802edb0c>] (module_memfree) from [<803916e0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
> r5:00001000 r4:dfd63000
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
> [<803916d0>] (bpf_jit_free_exec) from [<803918a0>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
> [<80391838>] (bpf_jit_free) from [<80392988>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
> r5:84ef0754 r4:84ef0400
> [<8039283c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
> r7:dddd00c0 r6:82c16000 r5:84ef0754 r4:84e60300
> [<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
> [<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
> r10:84e90c00 r9:84e6032c r8:61c88647 r7:dddd00e0 r6:82604d40 r5:dddd00c0
> r4:84e60300
> [<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
> r10:00000000 r9:dfb8de90 r8:84eb8f40 r7:84e60300 r6:802672c4 r5:84e90c00
> r4:84eb4300
> [<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
> Exception stack(0xdffb1fb0 to 0xdffb1ff8)
> 1fa0: 00000000 00000000 00000000 00000000
> 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
> r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84eb4300
> Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
> NMI backtrace for cpu 0
> CPU: 0 PID: 31 Comm: khungtaskd Not tainted 6.9.0-rc2-syzkaller #0
> Hardware name: ARM-Versatile Express
> Call trace:
> [<8187a69c>] (dump_backtrace) from [<8187a798>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:256)
> r7:00000000 r6:00000013 r5:60000093 r4:81fc48fc
> [<8187a780>] (show_stack) from [<81897f54>] (__dump_stack lib/dump_stack.c:88 [inline])
> [<8187a780>] (show_stack) from [<81897f54>] (dump_stack_lvl+0x70/0x7c lib/dump_stack.c:114)
> [<81897ee4>] (dump_stack_lvl) from [<81897f78>] (dump_stack+0x18/0x1c lib/dump_stack.c:123)
> r5:00000000 r4:00000001
> [<81897f60>] (dump_stack) from [<81867a74>] (nmi_cpu_backtrace+0x160/0x17c lib/nmi_backtrace.c:113)
> [<81867914>] (nmi_cpu_backtrace) from [<81867bc0>] (nmi_trigger_cpumask_backtrace+0x130/0x1d8 lib/nmi_backtrace.c:62)
> r7:00000000 r6:8260c590 r5:8261a88c r4:ffffffff
> [<81867a90>] (nmi_trigger_cpumask_backtrace) from [<802105b4>] (arch_trigger_cpumask_backtrace+0x18/0x1c arch/arm/kernel/smp.c:851)
> r9:8260c6f4 r8:000076c2 r7:8289dfe0 r6:00007d59 r5:8514be04 r4:850f5d24
> [<8021059c>] (arch_trigger_cpumask_backtrace) from [<8034ec78>] (trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline])
> [<8021059c>] (arch_trigger_cpumask_backtrace) from [<8034ec78>] (check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline])
> [<8021059c>] (arch_trigger_cpumask_backtrace) from [<8034ec78>] (watchdog+0x480/0x594 kernel/hung_task.c:380)
> [<8034e7f8>] (watchdog) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
> r10:00000000 r9:df819e58 r8:82e98340 r7:00000000 r6:8034e7f8 r5:82ee8c00
> r4:82f41200
> [<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
> Exception stack(0xdf8ddfb0 to 0xdf8ddff8)
> dfa0: 00000000 00000000 00000000 00000000
> dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
> r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:82f41200
> Sending NMI from CPU 0 to CPUs 1:
> NMI backtrace for cpu 1
> CPU: 1 PID: 6890 Comm: syz-executor.0 Not tainted 6.9.0-rc2-syzkaller #0
> Hardware name: ARM-Versatile Express
> PC is at kmap_local_sched_in kernel/sched/core.c:5189 [inline]
> PC is at finish_task_switch+0x8c/0x298 kernel/sched/core.c:5291
> LR is at __raw_spin_unlock include/linux/spinlock_api_smp.h:143 [inline]
> LR is at _raw_spin_unlock+0x2c/0x50 kernel/locking/spinlock.c:186
> pc : [<8027cd4c>] lr : [<818a4f88>] psr: 20000113
> sp : eb539ab8 ip : eb539aa8 fp : eb539afc
> r10: 00000402 r9 : 8514bc00 r8 : 82e33000
> r7 : a3e9c050 r6 : 8189c228 r5 : ddde4440 r4 : 00000000
> r3 : 8514bc00 r2 : 00000001 r1 : 81fc48fc r0 : 00000001
> Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
> Control: 30c5387d Table: 851ca6c0 DAC: 00000000
> Call trace:
> [<8027ccc0>] (finish_task_switch) from [<8189c228>] (context_switch kernel/sched/core.c:5412 [inline])
> [<8027ccc0>] (finish_task_switch) from [<8189c228>] (__schedule+0x408/0xc10 kernel/sched/core.c:6746)
> r10:00000000 r9:84df6400 r8:a69b624b r7:a3e9c050 r6:8514bc00 r5:ddde4440
> r4:82e33000
> [<8189be20>] (__schedule) from [<8189d0b8>] (preempt_schedule_irq+0x40/0xa8 kernel/sched/core.c:7068)
> r10:eb539db0 r9:8514bc00 r8:80200b9c r7:eb539bbc r6:ffffffff r5:8514bc00
> r4:00000000
> [<8189d078>] (preempt_schedule_irq) from [<80200bb4>] (svc_preempt+0x8/0x18)
> Exception stack(0xeb539b88 to 0xeb539bd0)
> 9b80: 000f1b1e 003ff40e 0000071f 00000000 00000000 8514bc00
> 9ba0: 00000598 0000071f 000f1b1e 00000000 eb539db0 eb539bf4 eb539bf8 eb539bd8
> 9bc0: 80479eb8 8027f380 60000113 ffffffff
> r5:60000113 r4:8027f380
> [<8027f354>] (migrate_disable) from [<80479eb8>] (__kmap_local_pfn_prot+0x20/0x1ac mm/highmem.c:548)
> r7:0000071f r6:00c00000 r5:dedf605c r4:00000000
> [<80479e98>] (__kmap_local_pfn_prot) from [<8047a0b4>] (__kmap_local_page_prot mm/highmem.c:581 [inline])
> [<80479e98>] (__kmap_local_pfn_prot) from [<8047a0b4>] (__kmap_local_page_prot+0x70/0x74 mm/highmem.c:564)
> r8:00000001 r7:828584e8 r6:00000001 r5:dedf605c r4:00000000
> [<8047a044>] (__kmap_local_page_prot) from [<804a23ec>] (kmap_local_page include/linux/highmem-internal.h:73 [inline])
> [<8047a044>] (__kmap_local_page_prot) from [<804a23ec>] (clear_highpage_kasan_tagged include/linux/highmem.h:246 [inline])
> [<8047a044>] (__kmap_local_page_prot) from [<804a23ec>] (kernel_init_pages+0x3c/0x60 mm/page_alloc.c:1080)
> [<804a23b0>] (kernel_init_pages) from [<804a52d4>] (post_alloc_hook+0x88/0xc0 mm/page_alloc.c:1532)
> r9:00000000 r8:827e21bc r7:00000001 r6:00000001 r5:dedf6038 r4:00000000
> [<804a524c>] (post_alloc_hook) from [<804a7968>] (prep_new_page mm/page_alloc.c:1541 [inline])
> [<804a524c>] (post_alloc_hook) from [<804a7968>] (get_page_from_freelist+0x28c/0x13d8 mm/page_alloc.c:3317)
> r7:8514bc00 r6:827e1f00 r5:00000000 r4:00540dc2
> [<804a76dc>] (get_page_from_freelist) from [<804a8fe4>] (__alloc_pages+0xe0/0x1168 mm/page_alloc.c:4575)
> r10:00000000 r9:84df6400 r8:20000000 r7:8514bc00 r6:00440dc2 r5:00540dc2
> r4:00000000
> [<804a8f04>] (__alloc_pages) from [<8047b688>] (__alloc_pages_node include/linux/gfp.h:238 [inline])
> [<804a8f04>] (__alloc_pages) from [<8047b688>] (alloc_pages_node include/linux/gfp.h:261 [inline])
> [<804a8f04>] (__alloc_pages) from [<8047b688>] (alloc_pages include/linux/gfp.h:274 [inline])
> [<804a8f04>] (__alloc_pages) from [<8047b688>] (pagetable_alloc include/linux/mm.h:2862 [inline])
> [<804a8f04>] (__alloc_pages) from [<8047b688>] (__pte_alloc_one include/asm-generic/pgalloc.h:68 [inline])
> [<804a8f04>] (__alloc_pages) from [<8047b688>] (pte_alloc_one+0x24/0xf8 arch/arm/include/asm/pgalloc.h:99)
> r10:00000040 r9:84df6400 r8:20000000 r7:84db6000 r6:20000000 r5:85268800
> r4:84df6400
> [<8047b664>] (pte_alloc_one) from [<8047cc70>] (__pte_alloc+0x2c/0x108 mm/memory.c:440)
> r5:85268800 r4:84df6400
> [<8047cc44>] (__pte_alloc) from [<80481b10>] (do_anonymous_page mm/memory.c:4402 [inline])
> [<8047cc44>] (__pte_alloc) from [<80481b10>] (do_pte_missing mm/memory.c:3878 [inline])
> [<8047cc44>] (__pte_alloc) from [<80481b10>] (handle_pte_fault mm/memory.c:5300 [inline])
> [<8047cc44>] (__pte_alloc) from [<80481b10>] (__handle_mm_fault mm/memory.c:5441 [inline])
> [<8047cc44>] (__pte_alloc) from [<80481b10>] (handle_mm_fault+0xfac/0x12b8 mm/memory.c:5606)
> r5:8514bc00 r4:00000255
> [<80480b64>] (handle_mm_fault) from [<80215d94>] (do_page_fault+0x148/0x3a8 arch/arm/mm/fault.c:333)
> r10:00000002 r9:84df6400 r8:20000000 r7:00000a06 r6:00000255 r5:20000000
> r4:eb539fb0
> [<80215c4c>] (do_page_fault) from [<80216174>] (do_translation_fault+0xfc/0x12c arch/arm/mm/fault.c:444)
> r10:7ee33670 r9:7ee33670 r8:80216078 r7:eb539fb0 r6:20000000 r5:00000a06
> r4:8261d0d0
> [<80216078>] (do_translation_fault) from [<802161dc>] (do_DataAbort+0x38/0xa8 arch/arm/mm/fault.c:565)
> r9:7ee33670 r8:80216078 r7:eb539fb0 r6:20000000 r5:00000a06 r4:8261d0d0
> [<802161a4>] (do_DataAbort) from [<80200e3c>] (__dabt_usr+0x5c/0x60 arch/arm/kernel/entry-armv.S:427)
> Exception stack(0xeb539fb0 to 0xeb539ff8)
> 9fa0: 00000000 00000000 00000001 20000000
> 9fc0: 00000004 00000000 00000000 00000000 fffffffe 7ee33670 7ee33670 7ee33630
> 9fe0: 01068590 7ee333a8 0001d150 0001d4ac 40000010 ffffffff
> r8:824a9044 r7:8514bc00 r6:ffffffff r5:40000010 r4:0001d4ac
>
>
> Tested on:
>
> commit: 2929be95 arm32, bpf: Fix sign-extension mov instruction
> git tree: https://github.com/puranjaymohan/linux.git arm32_movsx_fix
> console output: https://syzkaller.appspot.com/x/log.txt?x=11362cf3180000
> kernel config: https://syzkaller.appspot.com/x/.config?x=10acd270ef193b93
> dashboard link: https://syzkaller.appspot.com/bug?extid=186522670e6722692d86
> compiler: arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> userspace arch: arm
>
> Note: no patches were applied.
I gave it the bpf.git tree; maybe that is the reason for the above?
I should have given the upstream tree with the exact commit where it was
reproduced earlier.
Let's try again; I pushed the correct tree now:
#syz test: https://github.com/puranjaymohan/linux.git arm32_movsx_fix
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in _vm_unmap_aliases
INFO: task kworker/0:41:4201 blocked for more than 430 seconds.
Not tainted 6.9.0-rc1-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:41 state:D stack:0 pid:4201 tgid:4201 ppid:2 flags:0x00000000
Workqueue: events bpf_prog_free_deferred
Call trace:
[<8189ad40>] (__schedule) from [<8189b97c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
[<8189ad40>] (__schedule) from [<8189b97c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
r10:82c16005 r9:00000000 r8:82714be8 r7:00000002 r6:dfd0dd94 r5:84dd1800
r4:84dd1800
[<8189b950>] (schedule) from [<8189bf8c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
r5:84dd1800 r4:82714be4
[<8189bf74>] (schedule_preempt_disabled) from [<8189e86c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
[<8189bf74>] (schedule_preempt_disabled) from [<8189e86c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
[<8189e584>] (__mutex_lock.constprop.0) from [<8189f138>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
r10:82c16005 r9:dfd0de20 r8:00000000 r7:ffffffff r6:00000000 r5:84c7a680
r4:00000000
[<8189f124>] (__mutex_lock_slowpath) from [<8189f178>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
[<8189f13c>] (mutex_lock) from [<8049c624>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
[<8049c5c4>] (_vm_unmap_aliases) from [<804a04a8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
[<8049c5c4>] (_vm_unmap_aliases) from [<804a04a8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
r10:82c16005 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84c7a680
r4:00000000
[<804a0338>] (vfree) from [<802edb08>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
r9:84dd1800 r8:00000080 r7:00000000 r6:82c16000 r5:00001000 r4:7f055000
[<802edad8>] (module_memfree) from [<803916b0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
r5:00001000 r4:dfe91000
[<803916a0>] (bpf_jit_free_exec) from [<80391870>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
[<803916a0>] (bpf_jit_free_exec) from [<80391870>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
[<80391808>] (bpf_jit_free) from [<80392958>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
r5:845b0754 r4:845b0400
[<8039280c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
r7:dddd00c0 r6:82c16000 r5:845b0754 r4:84d7cb00
[<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
[<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
r10:84dd1800 r9:84d7cb2c r8:61c88647 r7:dddd00e0 r6:82604d40 r5:dddd00c0
r4:84d7cb00
[<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
r10:00000000 r9:dfa55e90 r8:845d8e80 r7:84d7cb00 r6:802672c4 r5:84dd1800
r4:84c66500
[<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xdfd0dfb0 to 0xdfd0dff8)
dfa0: 00000000 00000000 00000000 00000000
dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84c66500
INFO: task kworker/1:55:4229 blocked for more than 430 seconds.
Not tainted 6.9.0-rc1-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:55 state:D stack:0 pid:4229 tgid:4229 ppid:2 flags:0x00000000
Workqueue: events bpf_prog_free_deferred
Call trace:
[<8189ad40>] (__schedule) from [<8189b97c>] (__schedule_loop kernel/sched/core.c:6823 [inline])
[<8189ad40>] (__schedule) from [<8189b97c>] (schedule+0x2c/0xfc kernel/sched/core.c:6838)
r10:82c16205 r9:00000000 r8:82714be8 r7:00000002 r6:dfe39d94 r5:84e83c00
r4:84e83c00
[<8189b950>] (schedule) from [<8189bf8c>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6895)
r5:84e83c00 r4:82714be4
[<8189bf74>] (schedule_preempt_disabled) from [<8189e86c>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline])
[<8189bf74>] (schedule_preempt_disabled) from [<8189e86c>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752)
[<8189e584>] (__mutex_lock.constprop.0) from [<8189f138>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040)
r10:82c16205 r9:dfe39e20 r8:00000000 r7:ffffffff r6:00000000 r5:84c7a240
r4:00000000
[<8189f124>] (__mutex_lock_slowpath) from [<8189f178>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286)
[<8189f13c>] (mutex_lock) from [<8049c624>] (_vm_unmap_aliases+0x60/0x2e8 mm/vmalloc.c:2788)
[<8049c5c4>] (_vm_unmap_aliases) from [<804a04a8>] (vm_reset_perms mm/vmalloc.c:3235 [inline])
[<8049c5c4>] (_vm_unmap_aliases) from [<804a04a8>] (vfree+0x170/0x1e4 mm/vmalloc.c:3314)
r10:82c16205 r9:00000001 r8:00000000 r7:ffffffff r6:00000000 r5:84c7a240
r4:00000000
[<804a0338>] (vfree) from [<802edb08>] (module_memfree+0x30/0x50 kernel/module/main.c:1189)
r9:84e83c00 r8:00000180 r7:00000000 r6:82c16200 r5:00001000 r4:7f053000
[<802edad8>] (module_memfree) from [<803916b0>] (bpf_jit_free_exec+0x10/0x14 kernel/bpf/core.c:1058)
r5:00001000 r4:dfe73000
[<803916a0>] (bpf_jit_free_exec) from [<80391870>] (bpf_jit_binary_free kernel/bpf/core.c:1104 [inline])
[<803916a0>] (bpf_jit_free_exec) from [<80391870>] (bpf_jit_free+0x68/0xe4 kernel/bpf/core.c:1228)
[<80391808>] (bpf_jit_free) from [<80392958>] (bpf_prog_free_deferred+0x14c/0x164 kernel/bpf/core.c:2783)
r5:845b2b54 r4:845b2800
[<8039280c>] (bpf_prog_free_deferred) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
r7:ddde40c0 r6:82c16200 r5:845b2b54 r4:845d9f80
[<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
[<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
r10:84e83c00 r9:845d9fac r8:61c88647 r7:ddde40e0 r6:82604d40 r5:ddde40c0
r4:845d9f80
[<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
r10:00000000 r9:dfde5e90 r8:84640600 r7:845d9f80 r6:802672c4 r5:84e83c00
r4:84c66300
[<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xdfe39fb0 to 0xdfe39ff8)
9fa0: 00000000 00000000 00000000 00000000
9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:84c66300
NMI backtrace for cpu 0
CPU: 0 PID: 31 Comm: khungtaskd Not tainted 6.9.0-rc1-syzkaller #0
Hardware name: ARM-Versatile Express
Call trace:
[<818795bc>] (dump_backtrace) from [<818796b8>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:256)
r7:00000000 r6:00000113 r5:60000193 r4:81fc4768
[<818796a0>] (show_stack) from [<81896e70>] (__dump_stack lib/dump_stack.c:88 [inline])
[<818796a0>] (show_stack) from [<81896e70>] (dump_stack_lvl+0x70/0x7c lib/dump_stack.c:114)
[<81896e00>] (dump_stack_lvl) from [<81896e94>] (dump_stack+0x18/0x1c lib/dump_stack.c:123)
r5:00000000 r4:00000001
[<81896e7c>] (dump_stack) from [<81866994>] (nmi_cpu_backtrace+0x160/0x17c lib/nmi_backtrace.c:113)
[<81866834>] (nmi_cpu_backtrace) from [<81866ae0>] (nmi_trigger_cpumask_backtrace+0x130/0x1d8 lib/nmi_backtrace.c:62)
r7:00000000 r6:8260c590 r5:8261a88c r4:ffffffff
[<818669b0>] (nmi_trigger_cpumask_backtrace) from [<802105b4>] (arch_trigger_cpumask_backtrace+0x18/0x1c arch/arm/kernel/smp.c:851)
r9:8260c6f4 r8:00007b4d r7:8289dfe0 r6:00007d59 r5:8500ee04 r4:850d4b24
[<8021059c>] (arch_trigger_cpumask_backtrace) from [<8034ec48>] (trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline])
[<8021059c>] (arch_trigger_cpumask_backtrace) from [<8034ec48>] (check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline])
[<8021059c>] (arch_trigger_cpumask_backtrace) from [<8034ec48>] (watchdog+0x480/0x594 kernel/hung_task.c:380)
[<8034e7c8>] (watchdog) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
r10:00000000 r9:df819e58 r8:82e98440 r7:00000000 r6:8034e7c8 r5:82ee8c00
r4:82f42100
[<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xdf8ddfb0 to 0xdf8ddff8)
dfa0: 00000000 00000000 00000000 00000000
dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:82f42100
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 5655 Comm: kworker/1:259 Not tainted 6.9.0-rc1-syzkaller #0
Hardware name: ARM-Versatile Express
Workqueue: wg-crypt-wg0 wg_packet_encrypt_worker
PC is at poly1305_final_arch+0x0/0x80 arch/arm/crypto/poly1305-glue.c:189
LR is at poly1305_final include/crypto/poly1305.h:94 [inline]
LR is at chacha20poly1305_crypt_sg_inplace+0x43c/0x4b4 lib/crypto/chacha20poly1305.c:320
pc : [<80232f80>] lr : [<807fa0e4>] psr: 60000113
sp : eafa1990 ip : eafa1990 fp : eafa1bb4
r10: 00000000 r9 : 00000000 r8 : 00000000
r7 : eafa19e0 r6 : 00000000 r5 : 00000000 r4 : eafa19f0
r3 : 00000000 r2 : 00000000 r1 : eafa19f0 r0 : eafa1a68
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 30c5387d Table: 8461dec0 DAC: 00000000
Call trace:
[<807f9ca8>] (chacha20poly1305_crypt_sg_inplace) from [<807fa188>] (chacha20poly1305_encrypt_sg_inplace+0x2c/0x34 lib/crypto/chacha20poly1305.c:338)
r10:00000000 r9:00000000 r8:00000074 r7:00000001 r6:84dca018 r5:00000000
r4:00000074
[<807fa15c>] (chacha20poly1305_encrypt_sg_inplace) from [<80bfb0f8>] (encrypt_packet+0x194/0x230 drivers/net/wireguard/send.c:216)
r5:00000000 r4:00000074
[<80bfaf64>] (encrypt_packet) from [<80bfb8d0>] (wg_packet_encrypt_worker+0xbc/0x270 drivers/net/wireguard/send.c:297)
r10:846c86e8 r9:82f2a540 r8:00000000 r7:846c86a0 r6:8260eea8 r5:00000000
r4:82f2a540
[<80bfb814>] (wg_packet_encrypt_worker) from [<8026678c>] (process_one_work+0x1b8/0x508 kernel/workqueue.c:3254)
r10:84032e05 r9:85156000 r8:00000180 r7:ddde40c0 r6:84032e00 r5:ff7ffcf4
r4:8505ff00
[<802665d4>] (process_one_work) from [<802674b0>] (process_scheduled_works kernel/workqueue.c:3335 [inline])
[<802665d4>] (process_one_work) from [<802674b0>] (worker_thread+0x1ec/0x418 kernel/workqueue.c:3416)
r10:85156000 r9:8505ff2c r8:61c88647 r7:ddde40e0 r6:82604d40 r5:ddde40c0
r4:8505ff00
[<802672c4>] (worker_thread) from [<802701c4>] (kthread+0x104/0x134 kernel/kthread.c:388)
r10:00000000 r9:eaeb1e90 r8:84ed1a40 r7:8505ff00 r6:802672c4 r5:85156000
r4:847e7040
[<802700c0>] (kthread) from [<80200104>] (ret_from_fork+0x14/0x30 arch/arm/kernel/entry-common.S:134)
Exception stack(0xeafa1fb0 to 0xeafa1ff8)
1fa0: 00000000 00000000 00000000 00000000
1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:802700c0 r4:847e7040
Tested on:
commit: 7deb8d88 arm32, bpf: Fix sign-extension mov instruction
git tree: https://github.com/puranjaymohan/linux.git arm32_movsx_fix
console output: https://syzkaller.appspot.com/x/log.txt?x=175200cb180000
kernel config: https://syzkaller.appspot.com/x/.config?x=43f1e0cbdb852271
dashboard link: https://syzkaller.appspot.com/bug?extid=186522670e6722692d86
compiler: arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm
Note: no patches were applied.
syzbot <[email protected]> writes:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> INFO: task hung in _vm_unmap_aliases
>
> Tested on:
>
> commit: 7deb8d88 arm32, bpf: Fix sign-extension mov instruction
> git tree: https://github.com/puranjaymohan/linux.git arm32_movsx_fix
> console output: https://syzkaller.appspot.com/x/log.txt?x=175200cb180000
> kernel config: https://syzkaller.appspot.com/x/.config?x=43f1e0cbdb852271
> dashboard link: https://syzkaller.appspot.com/bug?extid=186522670e6722692d86
> compiler: arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> userspace arch: arm
>
> Note: no patches were applied.
I am not able to reproduce the above locally. I don't think it is
related to the change.
Thanks,
Puranjay