Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp1327578pxf; Fri, 12 Mar 2021 07:14:03 -0800 (PST) X-Google-Smtp-Source: ABdhPJzgaezSq/nRLHo8kGU3BjVOCplc+zMJ9ch7Rc1pAStwcsrZw2znaOpCfNF0Vk1gUvqSprvk X-Received: by 2002:aa7:c496:: with SMTP id m22mr14516389edq.292.1615562043141; Fri, 12 Mar 2021 07:14:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615562043; cv=none; d=google.com; s=arc-20160816; b=FbJLNv7dEOT4harf1e6r2AkAnYjcf7LAvi3iuMNRA6RsYq9C2PdgPH0no8dG8O16qR ZMcR0DGrk2ursSYCPWXXLqp8iDWJDymG8jgksByYhMcl4Z2B/g2uaBnxmOE3KtsM8x79 ttNTQEUrgyp3ZA6X46T0Q64NL1lgKWDaQBUyfYRb5pvMSS7bPWG1HCfXvqLlByZijvE0 eU2/Z0U4Li2yC+89lIaw5XsgFws9O8EqLY62UTPG88IolU8Htg1a5mYKDzGAI4QLOlHD 7i+DVqkZy46KaZqGojABPF7GkGw5aYaTiPnUNb+W0ReOslkkSt2AirocVEt2oS9y6CIR BclQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=DyVA826gppINawo6JgubiSmdPww/CYUYD3ZLTreGL7w=; b=L0Wb63FutcFJF0QjTlLsRn5uCsYphKDgmlM8taPP+9m6pH7jDUmBI/3vL3fZ0YM6b/ 4xcY6gj23b8gCPB1WP0jpyjWMn+jlhSLToWwhWCoeSLRRYt0wmujZrmvKp3LP4NHoOxu a2L42v6UnzEnvV8Rabxw2dB/4QigfeCeYCcFzdc9QzDyhzBCvJJgFdNNaAcuej3ugnny sSfpEG12xt9vj6EsPOWiPouZXo65J0y6IGrR7SI+rH7PfkI+m08pPeSK6pJ7tNSs99Lz z0TjOq0sWYVt6eNXtIYCQWZFMbd8Ti7sasTaxNfDhn3KeRMqlQAm9/82IQoAx5j8QMBu KTHw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=tFIPJ65L; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v10si4231981ejq.299.2021.03.12.07.13.34; Fri, 12 Mar 2021 07:14:03 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=tFIPJ65L; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231786AbhCLPMh (ORCPT + 99 others); Fri, 12 Mar 2021 10:12:37 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40170 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232054AbhCLPMb (ORCPT ); Fri, 12 Mar 2021 10:12:31 -0500 Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A5997C061574 for ; Fri, 12 Mar 2021 07:12:29 -0800 (PST) Received: by mail-qt1-x82a.google.com with SMTP id c6so3945775qtc.1 for ; Fri, 12 Mar 2021 07:12:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DyVA826gppINawo6JgubiSmdPww/CYUYD3ZLTreGL7w=; b=tFIPJ65LRLgMpSVeSNRpM8lnfe4GIOvvKUmAS2ffAt4BqlpwZzmsUJp8II5/zBMwis cOPn6EbxtDmAJ+nF+0rYGQM0vB54z6nphsAeGTIwmou/7bS5LxrA5JOCKDWibqTGnrF+ +mnudZ5uLnoWP2U+klQHtE/ryW6mL+VSbSrEOoh5ojpJz8NGr6Eb6C2CJApFNKS10m4B qjPzjIur3t13eWO4cAZD8xNreEa0zHkKeKIY6jX9JzNxlvsh2yDV12rYBcVZu/QkavsK S+uArISOesJRuK945yajvP+42q31ll6jvo/fXOL8Zv5yra8KTUyS6bV7dPjv+lj/AByk LAwA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DyVA826gppINawo6JgubiSmdPww/CYUYD3ZLTreGL7w=; b=igrXLDsIfbJIuOqXNou2fXPw8TdkFABqimRPQ3H7wmjySkvhkZ/nEO2+ArudHO9VSU zg+1UluEHoQV7nPBt+MwaPtWcghRq0XqNSsieHMqt6KTHsI/50ovfEJnHMH7qNRkwdOP qvzFC+9JYpwZNfuHSOk3a0YVuFoR1rQP+tdVV+uuuYvijaWu0BjMVQZRrkNG7NQzxKpm AVz1GkBkth8AA3QPg6pzFL5RqPhlkv8PT0d5zMBItbXYY2yEj2EhIueE8Z/kYL6OV0TX LwVOroQlo+d8M3k2JprKwgOsT5fWWxXG1lurkjh9+X/XuMpHYzTE0U/Q12PrM4vEynbd TZyw== X-Gm-Message-State: AOAM531k3x2ARdRzH9tynJSQcR5ADDPeOqPXOcQ2QJaKHkmYF7FfDnQv jIjd99yBh42i1AYWWy78g08dzucF+4IgB5/urkAeJQ== X-Received: by 2002:ac8:4558:: with SMTP id z24mr1159749qtn.66.1615561948503; Fri, 12 Mar 2021 07:12:28 -0800 (PST) MIME-Version: 1.0 References: <000000000000b74f1b05bd316729@google.com> <84b0471d-42c1-175f-ae1d-a18c310c7f77@codethink.co.uk> In-Reply-To: <84b0471d-42c1-175f-ae1d-a18c310c7f77@codethink.co.uk> From: Dmitry Vyukov Date: Fri, 12 Mar 2021 16:12:16 +0100 Message-ID: Subject: Re: [syzbot] BUG: unable to handle kernel access to user memory in schedule_tail To: Ben Dooks Cc: syzbot , Paul Walmsley , Palmer Dabbelt , Albert Ou , linux-riscv , Daniel Bristot de Oliveira , Benjamin Segall , dietmar.eggemann@arm.com, Juri Lelli , LKML , Mel Gorman , Ingo Molnar , Peter Zijlstra , Steven Rostedt , syzkaller-bugs , Vincent Guittot Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Mar 12, 2021 at 2:50 PM Ben Dooks wrote: > > On 10/03/2021 17:16, Dmitry Vyukov wrote: > > On Wed, Mar 10, 2021 at 5:46 PM syzbot > > wrote: > >> > >> Hello, > >> > >> syzbot found the following issue on: > >> > >> HEAD commit: 0d7588ab riscv: process: Fix no prototype for arch_dup_tas.. > >> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes > >> console output: https://syzkaller.appspot.com/x/log.txt?x=1212c6e6d00000 > >> kernel config: https://syzkaller.appspot.com/x/.config?x=e3c595255fb2d136 > >> dashboard link: https://syzkaller.appspot.com/bug?extid=e74b94fe601ab9552d69 > >> userspace arch: riscv64 > >> > >> Unfortunately, I don't have any reproducer for this issue yet. > >> > >> IMPORTANT: if you fix the issue, please add the following tag to the commit: > >> Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com > > > > +riscv maintainers > > > > This is riscv64-specific. > > I've seen similar crashes in put_user in other places. It looks like > > put_user crashes in the user address is not mapped/protected (?). > > I've been having a look, and this seems to be down to access of the > tsk->set_child_tid variable. I assume the fuzzing here is to pass a > bad address to clone? > > From looking at the code, the put_user() code should have set the > relevant SR_SUM bit (the value for this, which is 1<<18 is in the > s2 register in the crash report) and from looking at the compiler > output from my gcc-10, the code looks to be dong the relevant csrs > and then csrc around the put_user > > So currently I do not understand how the above could have happened > over than something re-tried the code seqeunce and ended up retrying > the faulting instruction without the SR_SUM bit set. I would maybe blame qemu for randomly resetting SR_SUM, but it's strange that 99% of these crashes are in schedule_tail. If it would be qemu, then they would be more evenly distributed... Another observation: looking at a dozen of crash logs, in none of these cases fuzzer was actually trying to fuzz clone with some insane arguments. So it looks like completely normal clone's (e..g coming from pthread_create) result in this crash. I also wonder why there is ret_from_exception, is it normal? I see handle_exception disables SR_SUM: https://elixir.bootlin.com/linux/v5.12-rc2/source/arch/riscv/kernel/entry.S#L73