From: Song Liu
Date: Mon, 14 Feb 2022 22:41:19 -0800
Subject: Re: [syzbot] KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
To: Daniel Borkmann
Cc: syzbot, Andrii Nakryiko, Alexei Starovoitov, bpf, "David S . Miller", Jesper Dangaard Brouer, John Fastabend, Martin KaFai Lau, KP Singh, Jakub Kicinski, open list, Networking, Song Liu, syzkaller-bugs@googlegroups.com, Yonghong Song
References: <00000000000073b3e805d7fed17e@google.com> <462fa505-25a8-fd3f-cc36-5860c6539664@iogearbox.net>
In-Reply-To: <462fa505-25a8-fd3f-cc36-5860c6539664@iogearbox.net>
List-ID: linux-kernel@vger.kernel.org

On Mon, Feb 14, 2022 at 3:52 PM Daniel Borkmann wrote:
>
> Song, ptal.
>
> On 2/14/22 7:45 PM, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: e5313968c41b Merge branch 'Split bpf_sk_lookup remote_port..
> > git tree: bpf-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10baced8700000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=c40b67275bfe2a58
> > dashboard link: https://syzkaller.appspot.com/bug?extid=2f649ec6d2eea1495a8f
> > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+2f649ec6d2eea1495a8f@syzkaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KASAN: vmalloc-out-of-bounds in bpf_jit_binary_pack_free kernel/bpf/core.c:1120 [inline]
> > BUG: KASAN: vmalloc-out-of-bounds in bpf_jit_free+0x2b5/0x2e0 kernel/bpf/core.c:1151
> > Read of size 4 at addr ffffffffa0001a80 by task kworker/0:18/13642
> >
> > CPU: 0 PID: 13642 Comm: kworker/0:18 Not tainted 5.16.0-syzkaller-11655-ge5313968c41b #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Workqueue: events bpf_prog_free_deferred
> > Call Trace:
> >
> > __dump_stack lib/dump_stack.c:88 [inline]
> > dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
> > print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255
> > __kasan_report mm/kasan/report.c:442 [inline]
> > kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
> > bpf_jit_binary_pack_free kernel/bpf/core.c:1120 [inline]
> > bpf_jit_free+0x2b5/0x2e0 kernel/bpf/core.c:1151
> > bpf_prog_free_deferred+0x5c1/0x790 kernel/bpf/core.c:2524
> > process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
> > worker_thread+0x657/0x1110 kernel/workqueue.c:2454
> > kthread+0x2e9/0x3a0 kernel/kthread.c:377
> > ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

I think this is the same issue as [1], that the 2MB page somehow got freed
while still in use. I couldn't spot any bug with bpf_prog_pack allocate/free
logic. I haven't had any luck reproducing it either. Will continue tomorrow.

[1] https://lore.kernel.org/netdev/0000000000007646bd05d7f81943@google.com/t/

> >
> >
> > Memory state around the buggy address:
> >  ffffffffa0001980: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
> >  ffffffffa0001a00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
> >> ffffffffa0001a80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
> >                    ^
> >  ffffffffa0001b00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
> >  ffffffffa0001b80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
> > ==================================================================
> >
> >
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> >
>
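The "Memory state around the buggy address" rows in a KASAN report can be decoded mechanically, which is a quick way to confirm what kind of poison the faulting address sits on before reading the call trace. The following is an added example written for this page, not code from the thread, from syzbot, or from the kernel tree: it parses those rows (mail quoting and the `>` row marker included), finds the shadow byte covering the faulting address ffffffffa0001a80 quoted above, and maps it to the bug-type string KASAN prints. The poison values and their names follow mm/kasan/kasan.h for generic KASAN as of this kernel generation; the second, slab-style row in the sample and the `kasan_*` function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Generic KASAN: one shadow byte covers an 8-byte granule; a printed row is
 * 16 shadow bytes (128 bytes of memory) labelled with the memory address. */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_ROW_SHADOW_BYTES   16
#define KASAN_ROW_MEM_BYTES      (KASAN_ROW_SHADOW_BYTES << KASAN_SHADOW_SCALE_SHIFT)

/* Poison markers from mm/kasan/kasan.h (generic mode). 0x00 = all 8 bytes
 * accessible, 0x01..0x07 = only the first N bytes accessible. */
#define KASAN_FREE_PAGE        0xFF
#define KASAN_PAGE_REDZONE     0xFE
#define KASAN_KMALLOC_REDZONE  0xFC
#define KASAN_KMALLOC_FREE     0xFB
#define KASAN_GLOBAL_REDZONE   0xF9
#define KASAN_VMALLOC_INVALID  0xF8

/* Bug-type string KASAN prints for a shadow byte: a subset of
 * get_shadow_bug_type() in mm/kasan/report_generic.c (stack/alloca redzones
 * and the kernel's peek at the next granule for 0x01..0x07 are omitted). */
const char *kasan_bug_type(uint8_t shadow)
{
    if (shadow <= 7)
        return "slab-out-of-bounds";
    switch (shadow) {
    case KASAN_PAGE_REDZONE:
    case KASAN_KMALLOC_REDZONE: return "slab-out-of-bounds";
    case KASAN_FREE_PAGE:
    case KASAN_KMALLOC_FREE:    return "use-after-free";
    case KASAN_GLOBAL_REDZONE:  return "global-out-of-bounds";
    case KASAN_VMALLOC_INVALID: return "vmalloc-out-of-bounds";
    default:                    return "unknown-crash";
    }
}

/* Parse one row such as "> >> ffffffffa0001a80: f8 f8 ... f8". Leading mail
 * quoting and the '>' marking the bad row are skipped. Returns 1 on success. */
int kasan_parse_row(const char *line, uint64_t *row_addr, uint8_t bytes[KASAN_ROW_SHADOW_BYTES])
{
    const char *p = line;
    char *end;

    while (*p == ' ' || *p == '>')
        p++;
    unsigned long long addr = strtoull(p, &end, 16);
    if (end == p || *end != ':')          /* not "<hex address>:" */
        return 0;
    p = end + 1;
    for (int i = 0; i < KASAN_ROW_SHADOW_BYTES; i++) {
        unsigned long v = strtoul(p, &end, 16);
        if (end == p || v > 0xFF)         /* short row or non-hex token */
            return 0;
        bytes[i] = (uint8_t)v;
        p = end;
    }
    *row_addr = (uint64_t)addr;
    return 1;
}

/* Shadow byte covering @addr in the rows found in @report, or -1 if none. */
int kasan_shadow_for_addr(const char *report, uint64_t addr)
{
    const char *p = report;
    char line[256];

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        uint64_t row;
        uint8_t bytes[KASAN_ROW_SHADOW_BYTES];
        if (kasan_parse_row(line, &row, bytes) &&
            addr >= row && addr - row < KASAN_ROW_MEM_BYTES)
            return bytes[(addr - row) >> KASAN_SHADOW_SCALE_SHIFT];
        if (!nl)
            break;
        p = nl + 1;
    }
    return -1;
}

/* Rows as quoted in the report above, plus one constructed slab-style row
 * (28-byte object, kmalloc redzone, then a freed neighbour). */
static const char SAMPLE_REPORT[] =
    "> > Memory state around the buggy address:\n"
    "> >  ffffffffa0001a00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n"
    "> >> ffffffffa0001a80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n"
    "> >                    ^\n"
    "> >  ffffffffa0001b00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n"
    " ffff888012345600: 00 00 00 04 fc fc fc fc fb fb fb fb fb fb fb fb\n";

int main(void)
{
    uint64_t fault = 0xffffffffa0001a80ULL;   /* "Read of size 4 at addr ..." */
    int s = kasan_shadow_for_addr(SAMPLE_REPORT, fault);
    if (s < 0)
        return 1;
    printf("shadow 0x%02x at %#llx -> %s\n", s, (unsigned long long)fault,
           kasan_bug_type((uint8_t)s));
    return 0;
}
```

For the quoted report every row is 0xF8 (KASAN_VMALLOC_INVALID), i.e. the whole 128-byte window around the read is vmalloc space that KASAN currently considers unallocated, which is consistent with the suspicion that the pack page was released while a JIT image still referenced it; the constructed slab row shows the same decoder distinguishing an in-object partial granule, a redzone and a freed object.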