Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp1256325pxf; Fri, 12 Mar 2021 05:53:39 -0800 (PST) X-Google-Smtp-Source: ABdhPJxZy9zkPJzzFpTAdcqIqFYr+g+wu09ms3+sPDrSF7d2jNzARh16YZ8jzHaoMyOQqYBvSC7T X-Received: by 2002:aa7:cd6a:: with SMTP id ca10mr14376138edb.7.1615557219098; Fri, 12 Mar 2021 05:53:39 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615557219; cv=none; d=google.com; s=arc-20160816; b=ov+Ek9zA+fjah6OT8yhR1upe21lSYyNKdxQMmfTB1AapikfKsHDlsYkXwgg8w0ck0v By6Y3CZFirAfNjXsJfkFW024ogM7Y2WpnHw0fwDgbGTPAbFso3ECAoMSB3rPST/Vsl3M hymyKHGAgSEfv/5R7dN18EqxOAmYhJHsUGOg730fJyhBKS8uhC1rzTDtRf1kT5YprAM5 SNTJqzgfchxyv0JGNa+UNxX7MoiPPQ8r7obD2N0f+zWy3mrGXE9A6Wd4irh9+2CFFn4w 91c4b3H0J9ohmpN+T/JiG0OkeYdouol/XPjXux1iFSsQLLtNioEGOD6k+yBCCmCtHO9k IUnw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:organization :from:references:cc:to:subject; bh=1xet/OcyLZsFnu/FpZDPADpu25wG26mtZt92OzG+8U0=; b=Ux/HC54HVjXvMOIT/GvaYoKpEKKHRevGGQNepNEsLc8TjNu5Y9mDpX+Q3QC0zMM4lz pFMAan+bQdYYgG3ydtf/n14RRlZot01DEAVtB/UsnzqY+4jJdUsqxTaYNrRGcJ4Bfr4x t9nts8ZybOih7l/YJOe3M7SCsi+YMJmUyvsMcbDKOOzvH9YBOoTs4SZmdI8LNyF/CxhE rmJHvnMh+6C1uyJByEUSoQvdzKKxxURelsy9KPQmK3rqb1KSBiYHmoxpUG4JdLkT3ihS 1ENza5EqWid6nradC0lbIU/zNuDllr8+Dq3t8CZJczX69sHWqJtWTjKwhKa2X6O7pXYv iGcw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=codethink.co.uk Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id gz5si4115619ejb.19.2021.03.12.05.53.16; Fri, 12 Mar 2021 05:53:39 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=codethink.co.uk Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229748AbhCLNuO (ORCPT + 99 others); Fri, 12 Mar 2021 08:50:14 -0500 Received: from imap3.hz.codethink.co.uk ([176.9.8.87]:44926 "EHLO imap3.hz.codethink.co.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229995AbhCLNuK (ORCPT ); Fri, 12 Mar 2021 08:50:10 -0500 Received: from cpc79921-stkp12-2-0-cust288.10-2.cable.virginm.net ([86.16.139.33] helo=[192.168.0.18]) by imap3.hz.codethink.co.uk with esmtpsa (Exim 4.92 #3 (Debian)) id 1lKiAt-0008V6-CR; Fri, 12 Mar 2021 13:49:55 +0000 Subject: Re: [syzbot] BUG: unable to handle kernel access to user memory in schedule_tail To: Dmitry Vyukov , syzbot , Paul Walmsley , Palmer Dabbelt , Albert Ou , linux-riscv Cc: Daniel Bristot de Oliveira , Benjamin Segall , dietmar.eggemann@arm.com, Juri Lelli , LKML , Mel Gorman , Ingo Molnar , Peter Zijlstra , Steven Rostedt , syzkaller-bugs , Vincent Guittot References: <000000000000b74f1b05bd316729@google.com> From: Ben Dooks Organization: Codethink Limited. Message-ID: <84b0471d-42c1-175f-ae1d-a18c310c7f77@codethink.co.uk> Date: Fri, 12 Mar 2021 13:49:53 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-GB Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 10/03/2021 17:16, Dmitry Vyukov wrote: > On Wed, Mar 10, 2021 at 5:46 PM syzbot > wrote: >> >> Hello, >> >> syzbot found the following issue on: >> >> HEAD commit: 0d7588ab riscv: process: Fix no prototype for arch_dup_tas.. >> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes >> console output: https://syzkaller.appspot.com/x/log.txt?x=1212c6e6d00000 >> kernel config: https://syzkaller.appspot.com/x/.config?x=e3c595255fb2d136 >> dashboard link: https://syzkaller.appspot.com/bug?extid=e74b94fe601ab9552d69 >> userspace arch: riscv64 >> >> Unfortunately, I don't have any reproducer for this issue yet. >> >> IMPORTANT: if you fix the issue, please add the following tag to the commit: >> Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com > > +riscv maintainers > > This is riscv64-specific. > I've seen similar crashes in put_user in other places. It looks like > put_user crashes in the user address is not mapped/protected (?). I've been having a look, and this seems to be down to access of the tsk->set_child_tid variable. I assume the fuzzing here is to pass a bad address to clone? From looking at the code, the put_user() code should have set the relevant SR_SUM bit (the value for this, which is 1<<18 is in the s2 register in the crash report) and from looking at the compiler output from my gcc-10, the code looks to be dong the relevant csrs and then csrc around the put_user So currently I do not understand how the above could have happened over than something re-tried the code seqeunce and ended up retrying the faulting instruction without the SR_SUM bit set. -- Ben Dooks http://www.codethink.co.uk/ Senior Engineer Codethink - Providing Genius https://www.codethink.co.uk/privacy.html