Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp879499pxu; Mon, 23 Nov 2020 06:29:33 -0800 (PST) X-Google-Smtp-Source: ABdhPJziXTh1h6DsQCQInzbEd64pWj4sY7v0wEg4tDiyobWp5jqoSwL08HuxInAChte5ZwMM3gp+ X-Received: by 2002:a17:906:f14c:: with SMTP id gw12mr18437206ejb.261.1606141773285; Mon, 23 Nov 2020 06:29:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1606141773; cv=none; d=google.com; s=arc-20160816; b=DlPhrkZRqJsOFsNcbzmFHsy/8WKwb//ztU4KIM1tCgCLKUNfBd4THrOATWEYiFUvlb P2JfPcE7PhVjrx5ZIRZEyCwPoiC7fzHp3B83pUoxwmMLSMtwPWeJbKftpPJQA03I/U3x t3bKkQiiHMVKHikU4mQCzl9fWTIy1xjvgM5qctiCpCo5QeOFdMNm9itAi7WB1uinNOYn LI0Z62V6u5PY469aCRq83vLpjLeSWFA//U4XRtuilk4JUi6qL/IAfE3MzMTf49SEjySZ lDcUewDvaEs70XAa+oUGWByejoRL/KAViyTqfO33r5jse32h+1+cftgGmNDl4CvzVF0u nbOA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:message-id:in-reply-to :date:references:organization:subject:cc:to:from; bh=ThYwmx4ovxEZzwl26I10ZVdadxexFfbCZq+hK1XYdN8=; b=jOu7VFaz3mcPaAyloui+x0TyfzcTTyO6q+CVbnynoe5pt3nz4hDQMAOktQi/xKiawM cDxgsAy46OmNzE3emkuGu4ZjvDWGvOzVWR7jI66NLgZSF2S1JS6B7XRrwxrJaRwAJqcg HtljpVrH07nGvEDL6ElYZBszNEOraxzKvjNMFiuBRyeNnoiBUYeOoL27aaX1KOUTDFnX UC75h1KTX5z7bHv5NX20d7Xnf3uLXS/8K+i1c83+MuDcR3uZNRGTG7Mg/Y914fUl5jnd KSZdOMdnXoa+RZlc2QyHDfAnpkMGsMnfm/AvQ1r0MzNQGIAAjq30hBsjjtXgOK/y6ygS uHLA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=collabora.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l9si6577795eji.419.2020.11.23.06.29.08; Mon, 23 Nov 2020 06:29:33 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=collabora.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731435AbgKWO03 (ORCPT + 99 others); Mon, 23 Nov 2020 09:26:29 -0500 Received: from bhuna.collabora.co.uk ([46.235.227.227]:34654 "EHLO bhuna.collabora.co.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730282AbgKWO03 (ORCPT ); Mon, 23 Nov 2020 09:26:29 -0500 Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: krisman) with ESMTPSA id 7711D1F44CB9 From: Gabriel Krisman Bertazi To: Jann Horn Cc: Arnd Bergmann , Andy Lutomirski , Thomas Gleixner , Naresh Kamboju , open list , Netdev , bpf , lkft-triage@lists.linaro.org, Linux ARM , Daniel Borkmann , Kees Cook , Andrii Nakryiko , Song Liu , Yonghong Song , Andy Lutomirski , Sumit Semwal , Arnd Bergmann , YiFei Zhu Subject: Re: [arm64] kernel BUG at kernel/seccomp.c:1309! Organization: Collabora References: Date: Mon, 23 Nov 2020 09:26:20 -0500 In-Reply-To: (Jann Horn's message of "Mon, 23 Nov 2020 15:02:10 +0100") Message-ID: <87h7pgqhdf.fsf@collabora.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Jann Horn writes: > On Mon, Nov 23, 2020 at 2:45 PM Arnd Bergmann wrote: >> On Mon, Nov 23, 2020 at 12:15 PM Naresh Kamboju >> wrote: >> > >> > While booting arm64 kernel the following kernel BUG noticed on several arm64 >> > devices running linux next 20201123 tag kernel. >> > >> > >> > $ git log --oneline next-20201120..next-20201123 -- kernel/seccomp.c >> > 5c5c5fa055ea Merge remote-tracking branch 'seccomp/for-next/seccomp' >> > bce6a8cba7bf Merge branch 'linus' >> > 7ef95e3dbcee Merge branch 'for-linus/seccomp' into for-next/seccomp >> > fab686eb0307 seccomp: Remove bogus __user annotations >> > 0d8315dddd28 seccomp/cache: Report cache data through /proc/pid/seccomp_cache >> > 8e01b51a31a1 seccomp/cache: Add "emulator" to check if filter is constant allow >> > f9d480b6ffbe seccomp/cache: Lookup syscall allowlist bitmap for fast path >> > 23d67a54857a seccomp: Migrate to use SYSCALL_WORK flag >> > >> > >> > Please find these easy steps to reproduce the kernel build and boot. >> >> Adding Gabriel Krisman Bertazi to Cc, as the last patch (23d67a54857a) here >> seems suspicious: it changes >> >> diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h >> index 02aef2844c38..47763f3999f7 100644 >> --- a/include/linux/seccomp.h >> +++ b/include/linux/seccomp.h >> @@ -42,7 +42,7 @@ struct seccomp { >> extern int __secure_computing(const struct seccomp_data *sd); >> static inline int secure_computing(void) >> { >> - if (unlikely(test_thread_flag(TIF_SECCOMP))) >> + if (unlikely(test_syscall_work(SECCOMP))) >> return __secure_computing(NULL); >> return 0; >> } >> >> which is in the call chain directly before >> >> int __secure_computing(const struct seccomp_data *sd) >> { >> int mode = current->seccomp.mode; >> >> ... >> switch (mode) { >> case SECCOMP_MODE_STRICT: >> __secure_computing_strict(this_syscall); /* may call do_exit */ >> return 0; >> case SECCOMP_MODE_FILTER: >> return __seccomp_filter(this_syscall, sd, false); >> default: >> BUG(); >> } >> } >> >> Clearly, current->seccomp.mode is set to something other >> than SECCOMP_MODE_STRICT or SECCOMP_MODE_FILTER >> while the test_syscall_work(SECCOMP) returns true, and this >> must have not been the case earlier. > > Ah, I think the problem is actually in > 3136b93c3fb2b7c19e853e049203ff8f2b9dd2cd ("entry: Expose helpers to > migrate TIF to SYSCALL_WORK flag"). In the !GENERIC_ENTRY case, it > adds this code: > > +#define set_syscall_work(fl) \ > + set_ti_thread_flag(current_thread_info(), SYSCALL_WORK_##fl) > +#define test_syscall_work(fl) \ > + test_ti_thread_flag(current_thread_info(), SYSCALL_WORK_##fl) > +#define clear_syscall_work(fl) \ > + clear_ti_thread_flag(current_thread_info(), SYSCALL_WORK_##fl) > + > +#define set_task_syscall_work(t, fl) \ > + set_ti_thread_flag(task_thread_info(t), TIF_##fl) > +#define test_task_syscall_work(t, fl) \ > + test_ti_thread_flag(task_thread_info(t), TIF_##fl) > +#define clear_task_syscall_work(t, fl) \ > + clear_ti_thread_flag(task_thread_info(t), TIF_##fl) > > but the SYSCALL_WORK_FLAGS are not valid on !GENERIC_ENTRY, we'll mix > up (on arm64) SYSCALL_WORK_BIT_SECCOMP (==0) and TIF_SIGPENDING (==0). > > As part of fixing this, it might be a good idea to put "enum > syscall_work_bit" behind a "#ifdef CONFIG_GENERIC_ENTRY" to avoid > future accidents like this? Hi Jan, Arnd, That is correct. This is a copy pasta mistake. My apologies. I didn't have a !GENERIC_ENTRY device to test, but just the ifdef would have caught it. -- Gabriel Krisman Bertazi