* [syzbot] [serial?] KASAN: stack-out-of-bounds Read in sched_show_task
@ 2023-09-20 16:36 syzbot
2023-09-26 10:59 ` [PATCH] riscv: fix out of bounds in walk_stackframe Edward AD
2023-09-26 11:43 ` Edward AD
0 siblings, 2 replies; 35+ messages in thread
From: syzbot @ 2023-09-20 16:36 UTC (permalink / raw)
To: gregkh, jirislaby, linux-kernel, linux-serial, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 8eb8fe67e2c8 riscv: errata: fix T-Head dcache.cva encoding
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=1206d6c4680000
kernel config: https://syzkaller.appspot.com/x/.config?x=89f0a88d4bc7f0f4
dashboard link: https://syzkaller.appspot.com/bug?extid=8d2757d62d403b2d9275
compiler: riscv64-linux-gnu-gcc (Debian 12.2.0-13) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: riscv64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=144d1154680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=122a2a3c680000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/a741b348759c/non_bootable_disk-8eb8fe67.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a41f94065e95/vmlinux-8eb8fe67.xz
kernel image: https://storage.googleapis.com/syzbot-assets/29db706d00c4/Image-8eb8fe67.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
[<ffffffff8360b8b4>] context_switch kernel/sched/core.c:5382 [inline]
[<ffffffff8360b8b4>] __schedule+0x794/0x1884 kernel/sched/core.c:6695
[<ffffffff8360ca1c>] schedule+0x78/0xfe kernel/sched/core.c:6771
[<ffffffff83617bb6>] do_nanosleep+0x18a/0x318 kernel/time/hrtimer.c:2047
==================================================================
BUG: KASAN: out-of-bounds in walk_stackframe+0x130/0x2f2 arch/riscv/kernel/stacktrace.c:59
Read of size 8 at addr ff20000006d37c38 by task swapper/1/0
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.0-rc1-syzkaller-g8eb8fe67e2c8 #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000b966>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:121
[<ffffffff835c3860>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:127
[<ffffffff836036ae>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff836036ae>] dump_stack_lvl+0xe8/0x154 lib/dump_stack.c:106
[<ffffffff835cbf28>] print_address_description mm/kasan/report.c:364 [inline]
[<ffffffff835cbf28>] print_report+0x1e4/0x4f4 mm/kasan/report.c:475
[<ffffffff8057aa66>] kasan_report+0xf0/0x1ba mm/kasan/report.c:588
[<ffffffff8057bd82>] check_region_inline mm/kasan/generic.c:181 [inline]
[<ffffffff8057bd82>] __asan_load8+0x80/0xa8 mm/kasan/generic.c:260
[<ffffffff8000b712>] walk_stackframe+0x130/0x2f2 arch/riscv/kernel/stacktrace.c:59
[<ffffffff8000b966>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:121
[<ffffffff835c3860>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:127
[<ffffffff800f624a>] sched_show_task kernel/sched/core.c:9182 [inline]
[<ffffffff800f624a>] sched_show_task+0x2ee/0x414 kernel/sched/core.c:9156
[<ffffffff80100e02>] show_state_filter+0xa0/0x1e0 kernel/sched/core.c:9227
[<ffffffff80fa0c7e>] show_state include/linux/sched/debug.h:21 [inline]
[<ffffffff80fa0c7e>] fn_show_state+0x1a/0x22 drivers/tty/vt/keyboard.c:614
[<ffffffff80fa1152>] k_spec drivers/tty/vt/keyboard.c:667 [inline]
[<ffffffff80fa1152>] k_spec+0xce/0x102 drivers/tty/vt/keyboard.c:656
[<ffffffff80fa306c>] kbd_keycode drivers/tty/vt/keyboard.c:1524 [inline]
[<ffffffff80fa306c>] kbd_event+0x5fa/0xa5e drivers/tty/vt/keyboard.c:1543
[<ffffffff821384ba>] input_to_handler+0x246/0x24c drivers/input/input.c:132
[<ffffffff8213d310>] input_pass_values+0x410/0x5fe drivers/input/input.c:161
[<ffffffff8213d6ec>] input_event_dispose+0x1ee/0x2c8 drivers/input/input.c:378
[<ffffffff8213f558>] input_handle_event+0xf0/0x972 drivers/input/input.c:406
[<ffffffff8213fe64>] input_event drivers/input/input.c:435 [inline]
[<ffffffff8213fe64>] input_event+0x8a/0xb2 drivers/input/input.c:427
[<ffffffff82678820>] input_sync include/linux/input.h:450 [inline]
[<ffffffff82678820>] hidinput_report_event+0x86/0xae drivers/hid/hid-input.c:1746
[<ffffffff8267261c>] hid_report_raw_event+0x1be/0xa5c drivers/hid/hid-core.c:2016
[<ffffffff82673108>] hid_input_report+0x24e/0x2f4 drivers/hid/hid-core.c:2083
[<ffffffff82738584>] hid_irq_in+0x244/0x412 drivers/hid/usbhid/hid-core.c:284
[<ffffffff81d6a49a>] __usb_hcd_giveback_urb+0x222/0x364 drivers/usb/core/hcd.c:1650
[<ffffffff81d6a856>] usb_hcd_giveback_urb+0x27a/0x290 drivers/usb/core/hcd.c:1733
[<ffffffff82027b14>] dummy_timer+0xfc2/0x204a drivers/usb/gadget/udc/dummy_hcd.c:1987
[<ffffffff801d42d2>] call_timer_fn+0x15a/0x4f2 kernel/time/timer.c:1700
[<ffffffff801d4be8>] expire_timers kernel/time/timer.c:1751 [inline]
[<ffffffff801d4be8>] __run_timers+0x57e/0x73c kernel/time/timer.c:2022
[<ffffffff801d4dec>] run_timer_softirq+0x46/0x80 kernel/time/timer.c:2035
[<ffffffff83619632>] __do_softirq+0x2ee/0x8a2 kernel/softirq.c:553
[<ffffffff8008af50>] invoke_softirq kernel/softirq.c:427 [inline]
[<ffffffff8008af50>] __irq_exit_rcu+0xfa/0x1b0 kernel/softirq.c:632
[<ffffffff8008b1e6>] irq_exit_rcu+0x10/0x72 kernel/softirq.c:644
[<ffffffff836044fa>] handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:349
[<ffffffff83604bae>] do_irq+0x5c/0x86 arch/riscv/kernel/traps.c:359
The buggy address belongs to the virtual mapping at
[ff20000006d30000, ff20000006d39000) created by:
kernel_clone+0x118/0x896 kernel/fork.c:2909
The buggy address belongs to the physical page:
page:ff1c00000250dbc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9436f
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 0ffe000000000000 0000000000000000 0000000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 32, tgid 32 (kworker/u6:1), ts 67487133600, free_ts 66877452400
__set_page_owner+0x32/0x18a mm/page_owner.c:192
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x8c/0xe2 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x84a/0x121e mm/page_alloc.c:3170
__alloc_pages+0x19c/0x142e mm/page_alloc.c:4426
alloc_pages+0x126/0x252 mm/mempolicy.c:2298
vm_area_alloc_pages mm/vmalloc.c:3063 [inline]
__vmalloc_area_node mm/vmalloc.c:3139 [inline]
__vmalloc_node_range+0x838/0xec2 mm/vmalloc.c:3320
alloc_thread_stack_node kernel/fork.c:309 [inline]
dup_task_struct kernel/fork.c:1118 [inline]
copy_process+0x225a/0x3f1e kernel/fork.c:2327
kernel_clone+0x118/0x896 kernel/fork.c:2909
user_mode_thread+0xea/0x11a kernel/fork.c:2987
call_usermodehelper_exec_work kernel/umh.c:172 [inline]
call_usermodehelper_exec_work+0xc8/0x122 kernel/umh.c:158
process_one_work+0x54c/0xd66 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x506/0x980 kernel/workqueue.c:2784
kthread+0x1bc/0x22c kernel/kthread.c:388
ret_from_fork+0xa/0x1c arch/riscv/kernel/entry.S:264
page last free stack trace:
__reset_page_owner+0x4c/0xf8 mm/page_owner.c:149
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x224/0x592 mm/page_alloc.c:2312
free_unref_page+0x5a/0x234 mm/page_alloc.c:2405
free_the_page mm/page_alloc.c:562 [inline]
__free_pages+0x104/0x126 mm/page_alloc.c:4516
vfree+0x14c/0x68e mm/vmalloc.c:2842
delayed_vfree_work+0x42/0x58 mm/vmalloc.c:2763
process_one_work+0x54c/0xd66 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x506/0x980 kernel/workqueue.c:2784
kthread+0x1bc/0x22c kernel/kthread.c:388
ret_from_fork+0xa/0x1c arch/riscv/kernel/entry.S:264
Memory state around the buggy address:
ff20000006d37b00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
ff20000006d37b80: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
>ff20000006d37c00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
^
ff20000006d37c80: f1 f1 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3
ff20000006d37d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH] riscv: fix out of bounds in walk_stackframe
2023-09-20 16:36 [syzbot] [serial?] KASAN: stack-out-of-bounds Read in sched_show_task syzbot
@ 2023-09-26 10:59 ` Edward AD
2023-09-26 11:12 ` Conor Dooley
2023-09-26 11:43 ` Edward AD
1 sibling, 1 reply; 35+ messages in thread
From: Edward AD @ 2023-09-26 10:59 UTC (permalink / raw)
To: syzbot+8d2757d62d403b2d9275
Cc: gregkh, jirislaby, linux-kernel, linux-serial, syzkaller-bugs
Increase the check on the frame after assigning its value. This is to prevent
frame access from crossing boundaries.
Reported-and-tested-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
Signed-off-by: Edward AD <twuufnxlz@gmail.com>
---
arch/riscv/kernel/stacktrace.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
index 64a9c093aef9..53bd18672329 100644
--- a/arch/riscv/kernel/stacktrace.c
+++ b/arch/riscv/kernel/stacktrace.c
@@ -54,6 +54,8 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
break;
/* Unwind stack frame */
frame = (struct stackframe *)fp - 1;
+ if (!virt_addr_valid(frame))
+ break;
sp = fp;
if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
fp = frame->ra;
--
2.25.1
^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [PATCH] riscv: fix out of bounds in walk_stackframe
2023-09-26 10:59 ` [PATCH] riscv: fix out of bounds in walk_stackframe Edward AD
@ 2023-09-26 11:12 ` Conor Dooley
0 siblings, 0 replies; 35+ messages in thread
From: Conor Dooley @ 2023-09-26 11:12 UTC (permalink / raw)
To: Edward AD
Cc: syzbot+8d2757d62d403b2d9275, gregkh, jirislaby, linux-kernel,
linux-serial, syzkaller-bugs
[-- Attachment #1: Type: text/plain, Size: 1277 bytes --]
Hey Edward,
Where did you come up with the CC list for this patch from? Please run
get_maintainer.pl on your patches and CC the output. You've not CCed any
relevant developers on this mail :(
On Tue, Sep 26, 2023 at 06:59:50PM +0800, Edward AD wrote:
> Increase the check on the frame after assigning its value. This is to prevent
> frame access from crossing boundaries.
>
> Reported-and-tested-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
Please also add a Fixes: tag & a Closes: tag with a link to the report
when you do so.
Thanks,
Conor.
> Signed-off-by: Edward AD <twuufnxlz@gmail.com>
> ---
> arch/riscv/kernel/stacktrace.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
> index 64a9c093aef9..53bd18672329 100644
> --- a/arch/riscv/kernel/stacktrace.c
> +++ b/arch/riscv/kernel/stacktrace.c
> @@ -54,6 +54,8 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
> break;
> /* Unwind stack frame */
> frame = (struct stackframe *)fp - 1;
> + if (!virt_addr_valid(frame))
> + break;
> sp = fp;
> if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
> fp = frame->ra;
> --
> 2.25.1
>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH] riscv: fix out of bounds in walk_stackframe
2023-09-20 16:36 [syzbot] [serial?] KASAN: stack-out-of-bounds Read in sched_show_task syzbot
@ 2023-09-26 11:43 ` Edward AD
2023-09-26 11:43 ` Edward AD
1 sibling, 0 replies; 35+ messages in thread
From: Edward AD @ 2023-09-26 11:43 UTC (permalink / raw)
To: conor
Cc: syzbot+8d2757d62d403b2d9275, gregkh, jirislaby, linux-kernel,
linux-serial, syzkaller-bugs, paul.walmsley, palmer, aou, guoren,
alexghiti, liushixin2, linux-riscv
Increase the check on the frame after assigning its value. This is to prevent
frame access from crossing boundaries.
Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
Reported-and-tested-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
Signed-off-by: Edward AD <twuufnxlz@gmail.com>
---
arch/riscv/kernel/stacktrace.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
index 64a9c093aef9..53bd18672329 100644
--- a/arch/riscv/kernel/stacktrace.c
+++ b/arch/riscv/kernel/stacktrace.c
@@ -54,6 +54,8 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
break;
/* Unwind stack frame */
frame = (struct stackframe *)fp - 1;
+ if (!virt_addr_valid(frame))
+ break;
sp = fp;
if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
fp = frame->ra;
--
2.25.1
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH] riscv: fix out of bounds in walk_stackframe
@ 2023-09-26 11:43 ` Edward AD
0 siblings, 0 replies; 35+ messages in thread
From: Edward AD @ 2023-09-26 11:43 UTC (permalink / raw)
To: conor
Cc: syzbot+8d2757d62d403b2d9275, gregkh, jirislaby, linux-kernel,
linux-serial, syzkaller-bugs, paul.walmsley, palmer, aou, guoren,
alexghiti, liushixin2, linux-riscv
Increase the check on the frame after assigning its value. This is to prevent
frame access from crossing boundaries.
Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
Reported-and-tested-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
Signed-off-by: Edward AD <twuufnxlz@gmail.com>
---
arch/riscv/kernel/stacktrace.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
index 64a9c093aef9..53bd18672329 100644
--- a/arch/riscv/kernel/stacktrace.c
+++ b/arch/riscv/kernel/stacktrace.c
@@ -54,6 +54,8 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
break;
/* Unwind stack frame */
frame = (struct stackframe *)fp - 1;
+ if (!virt_addr_valid(frame))
+ break;
sp = fp;
if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
fp = frame->ra;
--
2.25.1
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [PATCH] riscv: fix out of bounds in walk_stackframe
2023-09-26 11:43 ` Edward AD
@ 2023-09-26 11:49 ` Greg KH
-1 siblings, 0 replies; 35+ messages in thread
From: Greg KH @ 2023-09-26 11:49 UTC (permalink / raw)
To: Edward AD
Cc: conor, syzbot+8d2757d62d403b2d9275, jirislaby, linux-kernel,
linux-serial, syzkaller-bugs, paul.walmsley, palmer, aou, guoren,
alexghiti, liushixin2, linux-riscv
On Tue, Sep 26, 2023 at 07:43:44PM +0800, Edward AD wrote:
> Increase the check on the frame after assigning its value. This is to prevent
> frame access from crossing boundaries.
>
> Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> Reported-and-tested-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
> Signed-off-by: Edward AD <twuufnxlz@gmail.com>
> ---
> arch/riscv/kernel/stacktrace.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
> index 64a9c093aef9..53bd18672329 100644
> --- a/arch/riscv/kernel/stacktrace.c
> +++ b/arch/riscv/kernel/stacktrace.c
> @@ -54,6 +54,8 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
> break;
> /* Unwind stack frame */
> frame = (struct stackframe *)fp - 1;
> + if (!virt_addr_valid(frame))
> + break;
> sp = fp;
> if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
> fp = frame->ra;
> --
> 2.25.1
>
Hi,
This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
a patch that has triggered this response. He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created. Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.
You are receiving this message because of the following common error(s)
as indicated below:
- You have marked a patch with a "Fixes:" tag for a commit that is in an
older released kernel, yet you do not have a cc: stable line in the
signed-off-by area at all, which means that the patch will not be
applied to any older kernel releases. To properly fix this, please
follow the documented rules in the
Documetnation/process/stable-kernel-rules.rst file for how to resolve
this.
If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.
thanks,
greg k-h's patch email bot
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] riscv: fix out of bounds in walk_stackframe
@ 2023-09-26 11:49 ` Greg KH
0 siblings, 0 replies; 35+ messages in thread
From: Greg KH @ 2023-09-26 11:49 UTC (permalink / raw)
To: Edward AD
Cc: conor, syzbot+8d2757d62d403b2d9275, jirislaby, linux-kernel,
linux-serial, syzkaller-bugs, paul.walmsley, palmer, aou, guoren,
alexghiti, liushixin2, linux-riscv
On Tue, Sep 26, 2023 at 07:43:44PM +0800, Edward AD wrote:
> Increase the check on the frame after assigning its value. This is to prevent
> frame access from crossing boundaries.
>
> Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> Reported-and-tested-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
> Signed-off-by: Edward AD <twuufnxlz@gmail.com>
> ---
> arch/riscv/kernel/stacktrace.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
> index 64a9c093aef9..53bd18672329 100644
> --- a/arch/riscv/kernel/stacktrace.c
> +++ b/arch/riscv/kernel/stacktrace.c
> @@ -54,6 +54,8 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
> break;
> /* Unwind stack frame */
> frame = (struct stackframe *)fp - 1;
> + if (!virt_addr_valid(frame))
> + break;
> sp = fp;
> if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
> fp = frame->ra;
> --
> 2.25.1
>
Hi,
This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
a patch that has triggered this response. He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created. Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.
You are receiving this message because of the following common error(s)
as indicated below:
- You have marked a patch with a "Fixes:" tag for a commit that is in an
older released kernel, yet you do not have a cc: stable line in the
signed-off-by area at all, which means that the patch will not be
applied to any older kernel releases. To properly fix this, please
follow the documented rules in the
Documetnation/process/stable-kernel-rules.rst file for how to resolve
this.
If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.
thanks,
greg k-h's patch email bot
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] riscv: fix out of bounds in walk_stackframe
2023-09-26 11:43 ` Edward AD
@ 2023-09-28 8:02 ` Alexandre Ghiti
-1 siblings, 0 replies; 35+ messages in thread
From: Alexandre Ghiti @ 2023-09-28 8:02 UTC (permalink / raw)
To: Edward AD, conor
Cc: syzbot+8d2757d62d403b2d9275, gregkh, jirislaby, linux-kernel,
linux-serial, syzkaller-bugs, paul.walmsley, palmer, aou, guoren,
alexghiti, liushixin2, linux-riscv
Hi Edward,
On 26/09/2023 13:43, Edward AD wrote:
> Increase the check on the frame after assigning its value. This is to prevent
> frame access from crossing boundaries.
>
> Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> Reported-and-tested-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
> Signed-off-by: Edward AD <twuufnxlz@gmail.com>
> ---
> arch/riscv/kernel/stacktrace.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
> index 64a9c093aef9..53bd18672329 100644
> --- a/arch/riscv/kernel/stacktrace.c
> +++ b/arch/riscv/kernel/stacktrace.c
> @@ -54,6 +54,8 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
> break;
> /* Unwind stack frame */
> frame = (struct stackframe *)fp - 1;
> + if (!virt_addr_valid(frame))
> + break;
> sp = fp;
> if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
> fp = frame->ra;
virt_addr_valid() works on kernel linear addresses, not on vmalloc
addresses, which is the case here (0xff20000006d37c38 belongs to the
vmalloc region: see
https://elixir.bootlin.com/linux/latest/source/Documentation/riscv/vm-layout.rst#L125).
So this fix can't work.
I'm a bit surprised though of this out-of-bounds access since
CONFIG_FRAME_POINTER is enabled, so there may be a real issue here (the
console output is horrible, lots of backtraces, which is weird), so it
may be worth digging into that.
Thanks,
Alex
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] riscv: fix out of bounds in walk_stackframe
@ 2023-09-28 8:02 ` Alexandre Ghiti
0 siblings, 0 replies; 35+ messages in thread
From: Alexandre Ghiti @ 2023-09-28 8:02 UTC (permalink / raw)
To: Edward AD, conor
Cc: syzbot+8d2757d62d403b2d9275, gregkh, jirislaby, linux-kernel,
linux-serial, syzkaller-bugs, paul.walmsley, palmer, aou, guoren,
alexghiti, liushixin2, linux-riscv
Hi Edward,
On 26/09/2023 13:43, Edward AD wrote:
> Increase the check on the frame after assigning its value. This is to prevent
> frame access from crossing boundaries.
>
> Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> Reported-and-tested-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
> Signed-off-by: Edward AD <twuufnxlz@gmail.com>
> ---
> arch/riscv/kernel/stacktrace.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
> index 64a9c093aef9..53bd18672329 100644
> --- a/arch/riscv/kernel/stacktrace.c
> +++ b/arch/riscv/kernel/stacktrace.c
> @@ -54,6 +54,8 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
> break;
> /* Unwind stack frame */
> frame = (struct stackframe *)fp - 1;
> + if (!virt_addr_valid(frame))
> + break;
> sp = fp;
> if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
> fp = frame->ra;
virt_addr_valid() works on kernel linear addresses, not on vmalloc
addresses, which is the case here (0xff20000006d37c38 belongs to the
vmalloc region: see
https://elixir.bootlin.com/linux/latest/source/Documentation/riscv/vm-layout.rst#L125).
So this fix can't work.
I'm a bit surprised though of this out-of-bounds access since
CONFIG_FRAME_POINTER is enabled, so there may be a real issue here (the
console output is horrible, lots of backtraces, which is weird), so it
may be worth digging into that.
Thanks,
Alex
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] riscv: fix out of bounds in walk_stackframe
2023-09-28 8:02 ` Alexandre Ghiti
@ 2023-09-28 8:15 ` Alexandre Ghiti
-1 siblings, 0 replies; 35+ messages in thread
From: Alexandre Ghiti @ 2023-09-28 8:15 UTC (permalink / raw)
To: Edward AD, conor
Cc: syzbot+8d2757d62d403b2d9275, gregkh, jirislaby, linux-kernel,
linux-serial, syzkaller-bugs, paul.walmsley, palmer, aou, guoren,
alexghiti, liushixin2, linux-riscv
Oh and BTW, any idea why linux-riscv was not in CC for the initial report?
On 28/09/2023 10:02, Alexandre Ghiti wrote:
> Hi Edward,
>
> On 26/09/2023 13:43, Edward AD wrote:
>> Increase the check on the frame after assigning its value. This is to
>> prevent
>> frame access from crossing boundaries.
>>
>> Closes:
>> https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
>> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
>> Reported-and-tested-by:
>> syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
>> Link:
>> https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
>> Signed-off-by: Edward AD <twuufnxlz@gmail.com>
>> ---
>> arch/riscv/kernel/stacktrace.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/arch/riscv/kernel/stacktrace.c
>> b/arch/riscv/kernel/stacktrace.c
>> index 64a9c093aef9..53bd18672329 100644
>> --- a/arch/riscv/kernel/stacktrace.c
>> +++ b/arch/riscv/kernel/stacktrace.c
>> @@ -54,6 +54,8 @@ void notrace walk_stackframe(struct task_struct
>> *task, struct pt_regs *regs,
>> break;
>> /* Unwind stack frame */
>> frame = (struct stackframe *)fp - 1;
>> + if (!virt_addr_valid(frame))
>> + break;
>> sp = fp;
>> if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
>> fp = frame->ra;
>
>
> virt_addr_valid() works on kernel linear addresses, not on vmalloc
> addresses, which is the case here (0xff20000006d37c38 belongs to the
> vmalloc region: see
> https://elixir.bootlin.com/linux/latest/source/Documentation/riscv/vm-layout.rst#L125).
> So this fix can't work.
>
> I'm a bit surprised though of this out-of-bounds access since
> CONFIG_FRAME_POINTER is enabled, so there may be a real issue here
> (the console output is horrible, lots of backtraces, which is weird),
> so it may be worth digging into that.
>
> Thanks,
>
> Alex
>
>
>
> _______________________________________________
> linux-riscv mailing list
> linux-riscv@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] riscv: fix out of bounds in walk_stackframe
@ 2023-09-28 8:15 ` Alexandre Ghiti
0 siblings, 0 replies; 35+ messages in thread
From: Alexandre Ghiti @ 2023-09-28 8:15 UTC (permalink / raw)
To: Edward AD, conor
Cc: syzbot+8d2757d62d403b2d9275, gregkh, jirislaby, linux-kernel,
linux-serial, syzkaller-bugs, paul.walmsley, palmer, aou, guoren,
alexghiti, liushixin2, linux-riscv
Oh and BTW, any idea why linux-riscv was not in CC for the initial report?
On 28/09/2023 10:02, Alexandre Ghiti wrote:
> Hi Edward,
>
> On 26/09/2023 13:43, Edward AD wrote:
>> Increase the check on the frame after assigning its value. This is to
>> prevent
>> frame access from crossing boundaries.
>>
>> Closes:
>> https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
>> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
>> Reported-and-tested-by:
>> syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
>> Link:
>> https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
>> Signed-off-by: Edward AD <twuufnxlz@gmail.com>
>> ---
>> arch/riscv/kernel/stacktrace.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/arch/riscv/kernel/stacktrace.c
>> b/arch/riscv/kernel/stacktrace.c
>> index 64a9c093aef9..53bd18672329 100644
>> --- a/arch/riscv/kernel/stacktrace.c
>> +++ b/arch/riscv/kernel/stacktrace.c
>> @@ -54,6 +54,8 @@ void notrace walk_stackframe(struct task_struct
>> *task, struct pt_regs *regs,
>> break;
>> /* Unwind stack frame */
>> frame = (struct stackframe *)fp - 1;
>> + if (!virt_addr_valid(frame))
>> + break;
>> sp = fp;
>> if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
>> fp = frame->ra;
>
>
> virt_addr_valid() works on kernel linear addresses, not on vmalloc
> addresses, which is the case here (0xff20000006d37c38 belongs to the
> vmalloc region: see
> https://elixir.bootlin.com/linux/latest/source/Documentation/riscv/vm-layout.rst#L125).
> So this fix can't work.
>
> I'm a bit surprised though of this out-of-bounds access since
> CONFIG_FRAME_POINTER is enabled, so there may be a real issue here
> (the console output is horrible, lots of backtraces, which is weird),
> so it may be worth digging into that.
>
> Thanks,
>
> Alex
>
>
>
> _______________________________________________
> linux-riscv mailing list
> linux-riscv@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-riscv
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH] riscv: fix out of bounds in walk_stackframe
2023-09-28 8:15 ` Alexandre Ghiti
@ 2023-09-28 23:12 ` Edward AD
-1 siblings, 0 replies; 35+ messages in thread
From: Edward AD @ 2023-09-28 23:12 UTC (permalink / raw)
To: alex
Cc: alexghiti, aou, conor, gregkh, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs, twuufnxlz
Add vmalloc and kernel addresses check to prevent invalid access.
Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
Reported-and-test-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
Signed-off-by: Edward AD <twuufnxlz@gmail.com>
---
arch/riscv/kernel/stacktrace.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
index 64a9c093aef9..031a4a35c1d0 100644
--- a/arch/riscv/kernel/stacktrace.c
+++ b/arch/riscv/kernel/stacktrace.c
@@ -54,6 +54,9 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
break;
/* Unwind stack frame */
frame = (struct stackframe *)fp - 1;
+ if ((is_vmalloc_addr(frame) && !pfn_valid(page_to_pfn(vmalloc_to_page(frame)))) ||
+ !virt_addr_valid(frame))
+ break;
sp = fp;
if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
fp = frame->ra;
--
2.25.1
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH] riscv: fix out of bounds in walk_stackframe
@ 2023-09-28 23:12 ` Edward AD
0 siblings, 0 replies; 35+ messages in thread
From: Edward AD @ 2023-09-28 23:12 UTC (permalink / raw)
To: alex
Cc: alexghiti, aou, conor, gregkh, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs, twuufnxlz
Add vmalloc and kernel addresses check to prevent invalid access.
Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
Reported-and-test-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
Signed-off-by: Edward AD <twuufnxlz@gmail.com>
---
arch/riscv/kernel/stacktrace.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
index 64a9c093aef9..031a4a35c1d0 100644
--- a/arch/riscv/kernel/stacktrace.c
+++ b/arch/riscv/kernel/stacktrace.c
@@ -54,6 +54,9 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
break;
/* Unwind stack frame */
frame = (struct stackframe *)fp - 1;
+ if ((is_vmalloc_addr(frame) && !pfn_valid(page_to_pfn(vmalloc_to_page(frame)))) ||
+ !virt_addr_valid(frame))
+ break;
sp = fp;
if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
fp = frame->ra;
--
2.25.1
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [PATCH] riscv: fix out of bounds in walk_stackframe
2023-09-28 23:12 ` Edward AD
@ 2023-09-29 6:04 ` Greg KH
-1 siblings, 0 replies; 35+ messages in thread
From: Greg KH @ 2023-09-29 6:04 UTC (permalink / raw)
To: Edward AD
Cc: alex, alexghiti, aou, conor, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs
On Fri, Sep 29, 2023 at 07:12:40AM +0800, Edward AD wrote:
> Add vmalloc and kernel addresses check to prevent invalid access.
>
> Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> Reported-and-test-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
> Signed-off-by: Edward AD <twuufnxlz@gmail.com>
> ---
> arch/riscv/kernel/stacktrace.c | 3 +++
Where are you getting your odd cc: list from? This has nothing to do
with serial drivers...
greg k-h
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] riscv: fix out of bounds in walk_stackframe
@ 2023-09-29 6:04 ` Greg KH
0 siblings, 0 replies; 35+ messages in thread
From: Greg KH @ 2023-09-29 6:04 UTC (permalink / raw)
To: Edward AD
Cc: alex, alexghiti, aou, conor, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs
On Fri, Sep 29, 2023 at 07:12:40AM +0800, Edward AD wrote:
> Add vmalloc and kernel addresses check to prevent invalid access.
>
> Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> Reported-and-test-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
> Signed-off-by: Edward AD <twuufnxlz@gmail.com>
> ---
> arch/riscv/kernel/stacktrace.c | 3 +++
Where are you getting your odd cc: list from? This has nothing to do
with serial drivers...
greg k-h
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] riscv: fix out of bounds in walk_stackframe
2023-09-28 23:12 ` Edward AD
@ 2023-09-29 6:05 ` Greg KH
-1 siblings, 0 replies; 35+ messages in thread
From: Greg KH @ 2023-09-29 6:05 UTC (permalink / raw)
To: Edward AD
Cc: alex, alexghiti, aou, conor, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs
On Fri, Sep 29, 2023 at 07:12:40AM +0800, Edward AD wrote:
> Add vmalloc and kernel addresses check to prevent invalid access.
>
> Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> Reported-and-test-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
> Signed-off-by: Edward AD <twuufnxlz@gmail.com>
> ---
> arch/riscv/kernel/stacktrace.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
> index 64a9c093aef9..031a4a35c1d0 100644
> --- a/arch/riscv/kernel/stacktrace.c
> +++ b/arch/riscv/kernel/stacktrace.c
> @@ -54,6 +54,9 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
> break;
> /* Unwind stack frame */
> frame = (struct stackframe *)fp - 1;
> + if ((is_vmalloc_addr(frame) && !pfn_valid(page_to_pfn(vmalloc_to_page(frame)))) ||
> + !virt_addr_valid(frame))
> + break;
> sp = fp;
> if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
> fp = frame->ra;
> --
> 2.25.1
>
Hi,
This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
a patch that has triggered this response. He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created. Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.
You are receiving this message because of the following common error(s)
as indicated below:
- Your patch contains warnings and/or errors noticed by the
scripts/checkpatch.pl tool.
- You have marked a patch with a "Fixes:" tag for a commit that is in an
older released kernel, yet you do not have a cc: stable line in the
signed-off-by area at all, which means that the patch will not be
applied to any older kernel releases. To properly fix this, please
follow the documented rules in the
Documetnation/process/stable-kernel-rules.rst file for how to resolve
this.
If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.
thanks,
greg k-h's patch email bot
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] riscv: fix out of bounds in walk_stackframe
@ 2023-09-29 6:05 ` Greg KH
0 siblings, 0 replies; 35+ messages in thread
From: Greg KH @ 2023-09-29 6:05 UTC (permalink / raw)
To: Edward AD
Cc: alex, alexghiti, aou, conor, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs
On Fri, Sep 29, 2023 at 07:12:40AM +0800, Edward AD wrote:
> Add vmalloc and kernel addresses check to prevent invalid access.
>
> Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> Reported-and-test-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
> Signed-off-by: Edward AD <twuufnxlz@gmail.com>
> ---
> arch/riscv/kernel/stacktrace.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
> index 64a9c093aef9..031a4a35c1d0 100644
> --- a/arch/riscv/kernel/stacktrace.c
> +++ b/arch/riscv/kernel/stacktrace.c
> @@ -54,6 +54,9 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
> break;
> /* Unwind stack frame */
> frame = (struct stackframe *)fp - 1;
> + if ((is_vmalloc_addr(frame) && !pfn_valid(page_to_pfn(vmalloc_to_page(frame)))) ||
> + !virt_addr_valid(frame))
> + break;
> sp = fp;
> if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
> fp = frame->ra;
> --
> 2.25.1
>
Hi,
This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
a patch that has triggered this response. He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created. Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.
You are receiving this message because of the following common error(s)
as indicated below:
- Your patch contains warnings and/or errors noticed by the
scripts/checkpatch.pl tool.
- You have marked a patch with a "Fixes:" tag for a commit that is in an
older released kernel, yet you do not have a cc: stable line in the
signed-off-by area at all, which means that the patch will not be
applied to any older kernel releases. To properly fix this, please
follow the documented rules in the
Documetnation/process/stable-kernel-rules.rst file for how to resolve
this.
If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.
thanks,
greg k-h's patch email bot
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] riscv: fix out of bounds in walk_stackframe
2023-09-28 23:12 ` Edward AD
@ 2023-09-29 8:25 ` Alexandre Ghiti
-1 siblings, 0 replies; 35+ messages in thread
From: Alexandre Ghiti @ 2023-09-29 8:25 UTC (permalink / raw)
To: Edward AD
Cc: alex, aou, conor, gregkh, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs
Hi Edward,
On Fri, Sep 29, 2023 at 1:12 AM Edward AD <twuufnxlz@gmail.com> wrote:
>
> Add vmalloc and kernel addresses check to prevent invalid access.
>
> Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> Reported-and-test-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
> Signed-off-by: Edward AD <twuufnxlz@gmail.com>
> ---
> arch/riscv/kernel/stacktrace.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
> index 64a9c093aef9..031a4a35c1d0 100644
> --- a/arch/riscv/kernel/stacktrace.c
> +++ b/arch/riscv/kernel/stacktrace.c
> @@ -54,6 +54,9 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
> break;
> /* Unwind stack frame */
> frame = (struct stackframe *)fp - 1;
> + if ((is_vmalloc_addr(frame) && !pfn_valid(page_to_pfn(vmalloc_to_page(frame)))) ||
> + !virt_addr_valid(frame))
> + break;
> sp = fp;
> if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
> fp = frame->ra;
> --
> 2.25.1
>
I'm still not convinced this will fix the kasan out-of-bounds
accesses, the page can be valid but the read can happen at an offset
not initialized and trigger such errors right? I still think there is
something weird about the stack frame, as to me this should not happen
(but admittedly I don't know much about that).
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] riscv: fix out of bounds in walk_stackframe
@ 2023-09-29 8:25 ` Alexandre Ghiti
0 siblings, 0 replies; 35+ messages in thread
From: Alexandre Ghiti @ 2023-09-29 8:25 UTC (permalink / raw)
To: Edward AD
Cc: alex, aou, conor, gregkh, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs
Hi Edward,
On Fri, Sep 29, 2023 at 1:12 AM Edward AD <twuufnxlz@gmail.com> wrote:
>
> Add vmalloc and kernel addresses check to prevent invalid access.
>
> Closes: https://lore.kernel.org/all/20230926105949.1025995-2-twuufnxlz@gmail.com/
> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> Reported-and-test-by: syzbot+8d2757d62d403b2d9275@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/T/
> Signed-off-by: Edward AD <twuufnxlz@gmail.com>
> ---
> arch/riscv/kernel/stacktrace.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
> index 64a9c093aef9..031a4a35c1d0 100644
> --- a/arch/riscv/kernel/stacktrace.c
> +++ b/arch/riscv/kernel/stacktrace.c
> @@ -54,6 +54,9 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
> break;
> /* Unwind stack frame */
> frame = (struct stackframe *)fp - 1;
> + if ((is_vmalloc_addr(frame) && !pfn_valid(page_to_pfn(vmalloc_to_page(frame)))) ||
> + !virt_addr_valid(frame))
> + break;
> sp = fp;
> if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
> fp = frame->ra;
> --
> 2.25.1
>
I'm still not convinced this will fix the kasan out-of-bounds
accesses, the page can be valid but the read can happen at an offset
not initialized and trigger such errors right? I still think there is
something weird about the stack frame, as to me this should not happen
(but admittedly I don't know much about that).
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH] Test for riscv fixes
2023-09-29 6:04 ` Greg KH
@ 2023-09-29 23:05 ` Edward AD
-1 siblings, 0 replies; 35+ messages in thread
From: Edward AD @ 2023-09-29 23:05 UTC (permalink / raw)
To: gregkh
Cc: alex, alexghiti, aou, conor, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs, twuufnxlz
On Fri, 29 Sep 2023 08:04:57 +0200 Greg KH wrote:
> Where are you getting your odd cc: list from? This has nothing to do
> with serial drivers...
https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/raw
Thanks,
edward
^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH] Test for riscv fixes
@ 2023-09-29 23:05 ` Edward AD
0 siblings, 0 replies; 35+ messages in thread
From: Edward AD @ 2023-09-29 23:05 UTC (permalink / raw)
To: gregkh
Cc: alex, alexghiti, aou, conor, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs, twuufnxlz
On Fri, 29 Sep 2023 08:04:57 +0200 Greg KH wrote:
> Where are you getting your odd cc: list from? This has nothing to do
> with serial drivers...
https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/raw
Thanks,
edward
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH] Test for riscv fixes
2023-09-29 8:25 ` Alexandre Ghiti
@ 2023-09-29 23:05 ` Edward AD
-1 siblings, 0 replies; 35+ messages in thread
From: Edward AD @ 2023-09-29 23:05 UTC (permalink / raw)
To: alexghiti
Cc: alex, aou, conor, gregkh, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs, twuufnxlz
Hi Alexandre,
On Fri, 29 Sep 2023 10:25:59 +0200 Alexandre Ghiti <alexghiti@rivosinc.com> wrote:
> I'm still not convinced this will fix the kasan out-of-bounds
> accesses, the page can be valid but the read can happen at an offset
> not initialized and trigger such errors right? I still think there is
> something weird about the stack frame, as to me this should not happen
> (but admittedly I don't know much about that).
The added check can confirm that the physical page is invalid (whether it is a
vmalloc allocated page or a slab allocated page), and exit the for loop when it is invalid.
Perhaps we can trust the test results of syzbot.
Thanks,
edward
^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH] Test for riscv fixes
@ 2023-09-29 23:05 ` Edward AD
0 siblings, 0 replies; 35+ messages in thread
From: Edward AD @ 2023-09-29 23:05 UTC (permalink / raw)
To: alexghiti
Cc: alex, aou, conor, gregkh, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs, twuufnxlz
Hi Alexandre,
On Fri, 29 Sep 2023 10:25:59 +0200 Alexandre Ghiti <alexghiti@rivosinc.com> wrote:
> I'm still not convinced this will fix the kasan out-of-bounds
> accesses, the page can be valid but the read can happen at an offset
> not initialized and trigger such errors right? I still think there is
> something weird about the stack frame, as to me this should not happen
> (but admittedly I don't know much about that).
The added check can confirm that the physical page is invalid (whether it is a
vmalloc allocated page or a slab allocated page), and exit the for loop when it is invalid.
Perhaps we can trust the test results of syzbot.
Thanks,
edward
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] Test for riscv fixes
2023-09-29 23:05 ` Edward AD
@ 2023-09-30 6:13 ` Greg KH
-1 siblings, 0 replies; 35+ messages in thread
From: Greg KH @ 2023-09-30 6:13 UTC (permalink / raw)
To: Edward AD
Cc: alex, alexghiti, aou, conor, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs
On Sat, Sep 30, 2023 at 07:05:35AM +0800, Edward AD wrote:
> On Fri, 29 Sep 2023 08:04:57 +0200 Greg KH wrote:
> > Where are you getting your odd cc: list from? This has nothing to do
> > with serial drivers...
> https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/raw
I do not understand this answer.
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] Test for riscv fixes
@ 2023-09-30 6:13 ` Greg KH
0 siblings, 0 replies; 35+ messages in thread
From: Greg KH @ 2023-09-30 6:13 UTC (permalink / raw)
To: Edward AD
Cc: alex, alexghiti, aou, conor, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs
On Sat, Sep 30, 2023 at 07:05:35AM +0800, Edward AD wrote:
> On Fri, 29 Sep 2023 08:04:57 +0200 Greg KH wrote:
> > Where are you getting your odd cc: list from? This has nothing to do
> > with serial drivers...
> https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/raw
I do not understand this answer.
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] Test for riscv fixes
2023-09-30 6:13 ` Greg KH
@ 2023-09-30 8:24 ` Conor Dooley
-1 siblings, 0 replies; 35+ messages in thread
From: Conor Dooley @ 2023-09-30 8:24 UTC (permalink / raw)
To: Greg KH
Cc: Edward AD, alex, alexghiti, aou, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs
[-- Attachment #1: Type: text/plain, Size: 538 bytes --]
On Sat, Sep 30, 2023 at 08:13:56AM +0200, Greg KH wrote:
> On Sat, Sep 30, 2023 at 07:05:35AM +0800, Edward AD wrote:
> > On Fri, 29 Sep 2023 08:04:57 +0200 Greg KH wrote:
> > > Where are you getting your odd cc: list from? This has nothing to do
> > > with serial drivers...
> > https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/raw
>
> I do not understand this answer.
AIUI, the original report from syzbot "blamed" the serial maintainers.
Not too sure how it determined that though, given the contents.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] Test for riscv fixes
@ 2023-09-30 8:24 ` Conor Dooley
0 siblings, 0 replies; 35+ messages in thread
From: Conor Dooley @ 2023-09-30 8:24 UTC (permalink / raw)
To: Greg KH
Cc: Edward AD, alex, alexghiti, aou, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs
[-- Attachment #1.1: Type: text/plain, Size: 538 bytes --]
On Sat, Sep 30, 2023 at 08:13:56AM +0200, Greg KH wrote:
> On Sat, Sep 30, 2023 at 07:05:35AM +0800, Edward AD wrote:
> > On Fri, 29 Sep 2023 08:04:57 +0200 Greg KH wrote:
> > > Where are you getting your odd cc: list from? This has nothing to do
> > > with serial drivers...
> > https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/raw
>
> I do not understand this answer.
AIUI, the original report from syzbot "blamed" the serial maintainers.
Not too sure how it determined that though, given the contents.
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
[-- Attachment #2: Type: text/plain, Size: 161 bytes --]
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] Test for riscv fixes
2023-09-29 23:05 ` Edward AD
@ 2023-10-02 7:13 ` Alexandre Ghiti
-1 siblings, 0 replies; 35+ messages in thread
From: Alexandre Ghiti @ 2023-10-02 7:13 UTC (permalink / raw)
To: Edward AD
Cc: alex, aou, conor, gregkh, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs
Hi Edward,
On Sat, Sep 30, 2023 at 1:06 AM Edward AD <twuufnxlz@gmail.com> wrote:
>
> Hi Alexandre,
>
> On Fri, 29 Sep 2023 10:25:59 +0200 Alexandre Ghiti <alexghiti@rivosinc.com> wrote:
> > I'm still not convinced this will fix the kasan out-of-bounds
> > accesses, the page can be valid but the read can happen at an offset
> > not initialized and trigger such errors right? I still think there is
> > something weird about the stack frame, as to me this should not happen
> > (but admittedly I don't know much about that).
> The added check can confirm that the physical page is invalid (whether it is a
> vmalloc allocated page or a slab allocated page), and exit the for loop when it is invalid.
Yes, but to me this is not what happens in the bug report you link:
| BUG: KASAN: out-of-bounds in walk_stackframe+0x130/0x2f2
arch/riscv/kernel/stacktrace.c:59
| Read of size 8 at addr ff20000006d37c38 by task swapper/1/0
So the read at address ff20000006d37c38 is not "normal" according to
KASAN (you can see there is no trap, meaning the physical mapping
exists).
| The buggy address belongs to the virtual mapping at
| [ff20000006d30000, ff20000006d39000) created by:
| kernel_clone+0x118/0x896 kernel/fork.c:2909
The virtual address is legitimate since the vma exists ^
| The buggy address belongs to the physical page:
| page:ff1c00000250dbc0 refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x9436f
And the physical page also exists ^
So I insist, checking that a physical mapping exists to exit the loop
is not enough, to me, the error here is that the backtrace goes "too
far" at an address where nothing was written before and then KASAN
complains about that, again, we don't take any page fault here so it's
not a problem of existing physical mapping.
>
> Perhaps we can trust the test results of syzbot.
>
> Thanks,
> edward
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] Test for riscv fixes
@ 2023-10-02 7:13 ` Alexandre Ghiti
0 siblings, 0 replies; 35+ messages in thread
From: Alexandre Ghiti @ 2023-10-02 7:13 UTC (permalink / raw)
To: Edward AD
Cc: alex, aou, conor, gregkh, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs
Hi Edward,
On Sat, Sep 30, 2023 at 1:06 AM Edward AD <twuufnxlz@gmail.com> wrote:
>
> Hi Alexandre,
>
> On Fri, 29 Sep 2023 10:25:59 +0200 Alexandre Ghiti <alexghiti@rivosinc.com> wrote:
> > I'm still not convinced this will fix the kasan out-of-bounds
> > accesses, the page can be valid but the read can happen at an offset
> > not initialized and trigger such errors right? I still think there is
> > something weird about the stack frame, as to me this should not happen
> > (but admittedly I don't know much about that).
> The added check can confirm that the physical page is invalid (whether it is a
> vmalloc allocated page or a slab allocated page), and exit the for loop when it is invalid.
Yes, but to me this is not what happens in the bug report you link:
| BUG: KASAN: out-of-bounds in walk_stackframe+0x130/0x2f2
arch/riscv/kernel/stacktrace.c:59
| Read of size 8 at addr ff20000006d37c38 by task swapper/1/0
So the read at address ff20000006d37c38 is not "normal" according to
KASAN (you can see there is no trap, meaning the physical mapping
exists).
| The buggy address belongs to the virtual mapping at
| [ff20000006d30000, ff20000006d39000) created by:
| kernel_clone+0x118/0x896 kernel/fork.c:2909
The virtual address is legitimate since the vma exists ^
| The buggy address belongs to the physical page:
| page:ff1c00000250dbc0 refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x9436f
And the physical page also exists ^
So I insist, checking that a physical mapping exists to exit the loop
is not enough, to me, the error here is that the backtrace goes "too
far" at an address where nothing was written before and then KASAN
complains about that, again, we don't take any page fault here so it's
not a problem of existing physical mapping.
>
> Perhaps we can trust the test results of syzbot.
>
> Thanks,
> edward
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] Test for riscv fixes
2023-09-30 8:24 ` Conor Dooley
@ 2023-10-02 10:20 ` Aleksandr Nogikh
-1 siblings, 0 replies; 35+ messages in thread
From: Aleksandr Nogikh @ 2023-10-02 10:20 UTC (permalink / raw)
To: Conor Dooley
Cc: Greg KH, Edward AD, alex, alexghiti, aou, guoren, jirislaby,
linux-kernel, linux-riscv, linux-serial, liushixin2, palmer,
paul.walmsley, syzbot+8d2757d62d403b2d9275, syzkaller-bugs
On Sat, Sep 30, 2023 at 10:24 AM Conor Dooley <conor@kernel.org> wrote:
>
> On Sat, Sep 30, 2023 at 08:13:56AM +0200, Greg KH wrote:
> > On Sat, Sep 30, 2023 at 07:05:35AM +0800, Edward AD wrote:
> > > On Fri, 29 Sep 2023 08:04:57 +0200 Greg KH wrote:
> > > > Where are you getting your odd cc: list from? This has nothing to do
> > > > with serial drivers...
> > > https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/raw
> >
> > I do not understand this answer.
>
> AIUI, the original report from syzbot "blamed" the serial maintainers.
> Not too sure how it determined that though, given the contents.
>
blame is too strong a word for that auto-inferred hint :)
Yes, the actual problem was in a totally different place, but FWIW
here's how it happened:
Statistically, stacktrace.c and a number of other generic locations
are rather unlikely to actually contain the bug (they can, but the
chances are that it's deeper in the call stack), so syzbot, while
traversing the stack trace, skipped all frames until
[<ffffffff80fa0c7e>] fn_show_state+0x1a/0x22 drivers/tty/vt/keyboard.c:614
[<ffffffff80fa1152>] k_spec drivers/tty/vt/keyboard.c:667 [inline]
[<ffffffff80fa1152>] k_spec+0xce/0x102 drivers/tty/vt/keyboard.c:656
[<ffffffff80fa306c>] kbd_keycode drivers/tty/vt/keyboard.c:1524 [inline]
[<ffffffff80fa306c>] kbd_event+0x5fa/0xa5e drivers/tty/vt/keyboard.c:1543
Per MAINTAINERS, these locations belonged to "TTY LAYER AND SERIAL
DRIVERS". Therefore serial in Cc.
The automation actually attributes a lot of reports correctly, but,
unfortunately, there are also tricky cases like this.
--
Aleksandr
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] Test for riscv fixes
@ 2023-10-02 10:20 ` Aleksandr Nogikh
0 siblings, 0 replies; 35+ messages in thread
From: Aleksandr Nogikh @ 2023-10-02 10:20 UTC (permalink / raw)
To: Conor Dooley
Cc: Greg KH, Edward AD, alex, alexghiti, aou, guoren, jirislaby,
linux-kernel, linux-riscv, linux-serial, liushixin2, palmer,
paul.walmsley, syzbot+8d2757d62d403b2d9275, syzkaller-bugs
On Sat, Sep 30, 2023 at 10:24 AM Conor Dooley <conor@kernel.org> wrote:
>
> On Sat, Sep 30, 2023 at 08:13:56AM +0200, Greg KH wrote:
> > On Sat, Sep 30, 2023 at 07:05:35AM +0800, Edward AD wrote:
> > > On Fri, 29 Sep 2023 08:04:57 +0200 Greg KH wrote:
> > > > Where are you getting your odd cc: list from? This has nothing to do
> > > > with serial drivers...
> > > https://lore.kernel.org/all/0000000000000170df0605ccf91a@google.com/raw
> >
> > I do not understand this answer.
>
> AIUI, the original report from syzbot "blamed" the serial maintainers.
> Not too sure how it determined that though, given the contents.
>
blame is too strong a word for that auto-inferred hint :)
Yes, the actual problem was in a totally different place, but FWIW
here's how it happened:
Statistically, stacktrace.c and a number of other generic locations
are rather unlikely to actually contain the bug (they can, but the
chances are that it's deeper in the call stack), so syzbot, while
traversing the stack trace, skipped all frames until
[<ffffffff80fa0c7e>] fn_show_state+0x1a/0x22 drivers/tty/vt/keyboard.c:614
[<ffffffff80fa1152>] k_spec drivers/tty/vt/keyboard.c:667 [inline]
[<ffffffff80fa1152>] k_spec+0xce/0x102 drivers/tty/vt/keyboard.c:656
[<ffffffff80fa306c>] kbd_keycode drivers/tty/vt/keyboard.c:1524 [inline]
[<ffffffff80fa306c>] kbd_event+0x5fa/0xa5e drivers/tty/vt/keyboard.c:1543
Per MAINTAINERS, these locations belonged to "TTY LAYER AND SERIAL
DRIVERS". Therefore serial in Cc.
The automation actually attributes a lot of reports correctly, but,
unfortunately, there are also tricky cases like this.
--
Aleksandr
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] Test for riscv fixes
2023-10-02 7:13 ` Alexandre Ghiti
@ 2023-10-02 13:41 ` Mark Rutland
-1 siblings, 0 replies; 35+ messages in thread
From: Mark Rutland @ 2023-10-02 13:41 UTC (permalink / raw)
To: Alexandre Ghiti
Cc: Edward AD, alex, aou, conor, gregkh, guoren, jirislaby,
linux-kernel, linux-riscv, linux-serial, liushixin2, palmer,
paul.walmsley, syzbot+8d2757d62d403b2d9275, syzkaller-bugs
On Mon, Oct 02, 2023 at 09:13:52AM +0200, Alexandre Ghiti wrote:
> Hi Edward,
>
> On Sat, Sep 30, 2023 at 1:06 AM Edward AD <twuufnxlz@gmail.com> wrote:
> >
> > Hi Alexandre,
> >
> > On Fri, 29 Sep 2023 10:25:59 +0200 Alexandre Ghiti <alexghiti@rivosinc.com> wrote:
> > > I'm still not convinced this will fix the kasan out-of-bounds
> > > accesses, the page can be valid but the read can happen at an offset
> > > not initialized and trigger such errors right? I still think there is
> > > something weird about the stack frame, as to me this should not happen
> > > (but admittedly I don't know much about that).
> > The added check can confirm that the physical page is invalid (whether it is a
> > vmalloc allocated page or a slab allocated page), and exit the for loop when it is invalid.
>
> Yes, but to me this is not what happens in the bug report you link:
>
> | BUG: KASAN: out-of-bounds in walk_stackframe+0x130/0x2f2
> arch/riscv/kernel/stacktrace.c:59
> | Read of size 8 at addr ff20000006d37c38 by task swapper/1/0
>
> So the read at address ff20000006d37c38 is not "normal" according to
> KASAN (you can see there is no trap, meaning the physical mapping
> exists).
>
> | The buggy address belongs to the virtual mapping at
> | [ff20000006d30000, ff20000006d39000) created by:
> | kernel_clone+0x118/0x896 kernel/fork.c:2909
>
> The virtual address is legitimate since the vma exists ^
>
> | The buggy address belongs to the physical page:
> | page:ff1c00000250dbc0 refcount:1 mapcount:0 mapping:0000000000000000
> index:0x0 pfn:0x9436f
>
> And the physical page also exists ^
>
> So I insist, checking that a physical mapping exists to exit the loop
> is not enough, to me, the error here is that the backtrace goes "too
> far" at an address where nothing was written before and then KASAN
> complains about that, again, we don't take any page fault here so it's
> not a problem of existing physical mapping.
Yep!
I believe what's happening here is one task unwinding another (starting from
whatever gets saved in switch_to()), and there's nothing that prevents that
other task from running concurrently and modifying/poisoning its stack. In
general trying to unwind a remote stack is racy and broken, but we're stuck
with a few bits of the kernel tryingto do that occasionally and so the arch
code needs to handle that without blowing up.
For KASAN specifically you'll need to access the stack with unchecked accesses
(e.g. using READ_ONCE_NOCHECK() to read the struct stackframe), and you'll
probably want to add some explicit checks that pointers are within stack bounds
since concurrent modification (or corruption) could result in entirely bogus
pointers.
I *think* that we do the right thing on arm64, so you might want to take a look
at arm64's unwinder in arch/arm64/kernel/stacktrace.c,
arch/arm64/include/asm/stacktrace.h, and
arch/arm64/include/asm/stacktrace/common.h.
Mark.
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] Test for riscv fixes
@ 2023-10-02 13:41 ` Mark Rutland
0 siblings, 0 replies; 35+ messages in thread
From: Mark Rutland @ 2023-10-02 13:41 UTC (permalink / raw)
To: Alexandre Ghiti
Cc: Edward AD, alex, aou, conor, gregkh, guoren, jirislaby,
linux-kernel, linux-riscv, linux-serial, liushixin2, palmer,
paul.walmsley, syzbot+8d2757d62d403b2d9275, syzkaller-bugs
On Mon, Oct 02, 2023 at 09:13:52AM +0200, Alexandre Ghiti wrote:
> Hi Edward,
>
> On Sat, Sep 30, 2023 at 1:06 AM Edward AD <twuufnxlz@gmail.com> wrote:
> >
> > Hi Alexandre,
> >
> > On Fri, 29 Sep 2023 10:25:59 +0200 Alexandre Ghiti <alexghiti@rivosinc.com> wrote:
> > > I'm still not convinced this will fix the kasan out-of-bounds
> > > accesses, the page can be valid but the read can happen at an offset
> > > not initialized and trigger such errors right? I still think there is
> > > something weird about the stack frame, as to me this should not happen
> > > (but admittedly I don't know much about that).
> > The added check can confirm that the physical page is invalid (whether it is a
> > vmalloc allocated page or a slab allocated page), and exit the for loop when it is invalid.
>
> Yes, but to me this is not what happens in the bug report you link:
>
> | BUG: KASAN: out-of-bounds in walk_stackframe+0x130/0x2f2
> arch/riscv/kernel/stacktrace.c:59
> | Read of size 8 at addr ff20000006d37c38 by task swapper/1/0
>
> So the read at address ff20000006d37c38 is not "normal" according to
> KASAN (you can see there is no trap, meaning the physical mapping
> exists).
>
> | The buggy address belongs to the virtual mapping at
> | [ff20000006d30000, ff20000006d39000) created by:
> | kernel_clone+0x118/0x896 kernel/fork.c:2909
>
> The virtual address is legitimate since the vma exists ^
>
> | The buggy address belongs to the physical page:
> | page:ff1c00000250dbc0 refcount:1 mapcount:0 mapping:0000000000000000
> index:0x0 pfn:0x9436f
>
> And the physical page also exists ^
>
> So I insist, checking that a physical mapping exists to exit the loop
> is not enough, to me, the error here is that the backtrace goes "too
> far" at an address where nothing was written before and then KASAN
> complains about that, again, we don't take any page fault here so it's
> not a problem of existing physical mapping.
Yep!
I believe what's happening here is one task unwinding another (starting from
whatever gets saved in switch_to()), and there's nothing that prevents that
other task from running concurrently and modifying/poisoning its stack. In
general trying to unwind a remote stack is racy and broken, but we're stuck
with a few bits of the kernel tryingto do that occasionally and so the arch
code needs to handle that without blowing up.
For KASAN specifically you'll need to access the stack with unchecked accesses
(e.g. using READ_ONCE_NOCHECK() to read the struct stackframe), and you'll
probably want to add some explicit checks that pointers are within stack bounds
since concurrent modification (or corruption) could result in entirely bogus
pointers.
I *think* that we do the right thing on arm64, so you might want to take a look
at arm64's unwinder in arch/arm64/kernel/stacktrace.c,
arch/arm64/include/asm/stacktrace.h, and
arch/arm64/include/asm/stacktrace/common.h.
Mark.
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] Test for riscv fixes
2023-10-02 13:41 ` Mark Rutland
@ 2023-10-06 11:38 ` Alexandre Ghiti
-1 siblings, 0 replies; 35+ messages in thread
From: Alexandre Ghiti @ 2023-10-06 11:38 UTC (permalink / raw)
To: Mark Rutland, Alexandre Ghiti
Cc: Edward AD, aou, conor, gregkh, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs
Hi Mark,
On 02/10/2023 15:41, Mark Rutland wrote:
> On Mon, Oct 02, 2023 at 09:13:52AM +0200, Alexandre Ghiti wrote:
>> Hi Edward,
>>
>> On Sat, Sep 30, 2023 at 1:06 AM Edward AD<twuufnxlz@gmail.com> wrote:
>>> Hi Alexandre,
>>>
>>> On Fri, 29 Sep 2023 10:25:59 +0200 Alexandre Ghiti<alexghiti@rivosinc.com> wrote:
>>>> I'm still not convinced this will fix the kasan out-of-bounds
>>>> accesses, the page can be valid but the read can happen at an offset
>>>> not initialized and trigger such errors right? I still think there is
>>>> something weird about the stack frame, as to me this should not happen
>>>> (but admittedly I don't know much about that).
>>> The added check can confirm that the physical page is invalid (whether it is a
>>> vmalloc allocated page or a slab allocated page), and exit the for loop when it is invalid.
>> Yes, but to me this is not what happens in the bug report you link:
>>
>> | BUG: KASAN: out-of-bounds in walk_stackframe+0x130/0x2f2
>> arch/riscv/kernel/stacktrace.c:59
>> | Read of size 8 at addr ff20000006d37c38 by task swapper/1/0
>>
>> So the read at address ff20000006d37c38 is not "normal" according to
>> KASAN (you can see there is no trap, meaning the physical mapping
>> exists).
>>
>> | The buggy address belongs to the virtual mapping at
>> | [ff20000006d30000, ff20000006d39000) created by:
>> | kernel_clone+0x118/0x896 kernel/fork.c:2909
>>
>> The virtual address is legitimate since the vma exists ^
>>
>> | The buggy address belongs to the physical page:
>> | page:ff1c00000250dbc0 refcount:1 mapcount:0 mapping:0000000000000000
>> index:0x0 pfn:0x9436f
>>
>> And the physical page also exists ^
>>
>> So I insist, checking that a physical mapping exists to exit the loop
>> is not enough, to me, the error here is that the backtrace goes "too
>> far" at an address where nothing was written before and then KASAN
>> complains about that, again, we don't take any page fault here so it's
>> not a problem of existing physical mapping.
> Yep!
>
> I believe what's happening here is one task unwinding another (starting from
> whatever gets saved in switch_to()), and there's nothing that prevents that
> other task from running concurrently and modifying/poisoning its stack. In
> general trying to unwind a remote stack is racy and broken, but we're stuck
> with a few bits of the kernel tryingto do that occasionally and so the arch
> code needs to handle that without blowing up.
Thanks for that, I had already fixed the "imprecise" unwinder (when we
don't have a frame pointer) using READ_ONCE_NOCHECK() but I had not this
use case in mind, so I'll fix that too.
> For KASAN specifically you'll need to access the stack with unchecked accesses
> (e.g. using READ_ONCE_NOCHECK() to read the struct stackframe), and you'll
> probably want to add some explicit checks that pointers are within stack bounds
> since concurrent modification (or corruption) could result in entirely bogus
> pointers.
>
> I *think* that we do the right thing on arm64, so you might want to take a look
> at arm64's unwinder in arch/arm64/kernel/stacktrace.c,
> arch/arm64/include/asm/stacktrace.h, and
> arch/arm64/include/asm/stacktrace/common.h.
And I'll check that for the stack bounds check.
Thanks again,
Alex
>
> Mark.
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH] Test for riscv fixes
@ 2023-10-06 11:38 ` Alexandre Ghiti
0 siblings, 0 replies; 35+ messages in thread
From: Alexandre Ghiti @ 2023-10-06 11:38 UTC (permalink / raw)
To: Mark Rutland, Alexandre Ghiti
Cc: Edward AD, aou, conor, gregkh, guoren, jirislaby, linux-kernel,
linux-riscv, linux-serial, liushixin2, palmer, paul.walmsley,
syzbot+8d2757d62d403b2d9275, syzkaller-bugs
Hi Mark,
On 02/10/2023 15:41, Mark Rutland wrote:
> On Mon, Oct 02, 2023 at 09:13:52AM +0200, Alexandre Ghiti wrote:
>> Hi Edward,
>>
>> On Sat, Sep 30, 2023 at 1:06 AM Edward AD<twuufnxlz@gmail.com> wrote:
>>> Hi Alexandre,
>>>
>>> On Fri, 29 Sep 2023 10:25:59 +0200 Alexandre Ghiti<alexghiti@rivosinc.com> wrote:
>>>> I'm still not convinced this will fix the kasan out-of-bounds
>>>> accesses, the page can be valid but the read can happen at an offset
>>>> not initialized and trigger such errors right? I still think there is
>>>> something weird about the stack frame, as to me this should not happen
>>>> (but admittedly I don't know much about that).
>>> The added check can confirm that the physical page is invalid (whether it is a
>>> vmalloc allocated page or a slab allocated page), and exit the for loop when it is invalid.
>> Yes, but to me this is not what happens in the bug report you link:
>>
>> | BUG: KASAN: out-of-bounds in walk_stackframe+0x130/0x2f2
>> arch/riscv/kernel/stacktrace.c:59
>> | Read of size 8 at addr ff20000006d37c38 by task swapper/1/0
>>
>> So the read at address ff20000006d37c38 is not "normal" according to
>> KASAN (you can see there is no trap, meaning the physical mapping
>> exists).
>>
>> | The buggy address belongs to the virtual mapping at
>> | [ff20000006d30000, ff20000006d39000) created by:
>> | kernel_clone+0x118/0x896 kernel/fork.c:2909
>>
>> The virtual address is legitimate since the vma exists ^
>>
>> | The buggy address belongs to the physical page:
>> | page:ff1c00000250dbc0 refcount:1 mapcount:0 mapping:0000000000000000
>> index:0x0 pfn:0x9436f
>>
>> And the physical page also exists ^
>>
>> So I insist, checking that a physical mapping exists to exit the loop
>> is not enough, to me, the error here is that the backtrace goes "too
>> far" at an address where nothing was written before and then KASAN
>> complains about that, again, we don't take any page fault here so it's
>> not a problem of existing physical mapping.
> Yep!
>
> I believe what's happening here is one task unwinding another (starting from
> whatever gets saved in switch_to()), and there's nothing that prevents that
> other task from running concurrently and modifying/poisoning its stack. In
> general trying to unwind a remote stack is racy and broken, but we're stuck
> with a few bits of the kernel tryingto do that occasionally and so the arch
> code needs to handle that without blowing up.
Thanks for that, I had already fixed the "imprecise" unwinder (when we
don't have a frame pointer) using READ_ONCE_NOCHECK() but I had not this
use case in mind, so I'll fix that too.
> For KASAN specifically you'll need to access the stack with unchecked accesses
> (e.g. using READ_ONCE_NOCHECK() to read the struct stackframe), and you'll
> probably want to add some explicit checks that pointers are within stack bounds
> since concurrent modification (or corruption) could result in entirely bogus
> pointers.
>
> I *think* that we do the right thing on arm64, so you might want to take a look
> at arm64's unwinder in arch/arm64/kernel/stacktrace.c,
> arch/arm64/include/asm/stacktrace.h, and
> arch/arm64/include/asm/stacktrace/common.h.
And I'll check that for the stack bounds check.
Thanks again,
Alex
>
> Mark.
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 35+ messages in thread
end of thread, other threads:[~2023-10-06 11:38 UTC | newest]
Thread overview: 35+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-09-20 16:36 [syzbot] [serial?] KASAN: stack-out-of-bounds Read in sched_show_task syzbot
2023-09-26 10:59 ` [PATCH] riscv: fix out of bounds in walk_stackframe Edward AD
2023-09-26 11:12 ` Conor Dooley
2023-09-26 11:43 ` Edward AD
2023-09-26 11:43 ` Edward AD
2023-09-26 11:49 ` Greg KH
2023-09-26 11:49 ` Greg KH
2023-09-28 8:02 ` Alexandre Ghiti
2023-09-28 8:02 ` Alexandre Ghiti
2023-09-28 8:15 ` Alexandre Ghiti
2023-09-28 8:15 ` Alexandre Ghiti
2023-09-28 23:12 ` Edward AD
2023-09-28 23:12 ` Edward AD
2023-09-29 6:04 ` Greg KH
2023-09-29 6:04 ` Greg KH
2023-09-29 23:05 ` [PATCH] Test for riscv fixes Edward AD
2023-09-29 23:05 ` Edward AD
2023-09-30 6:13 ` Greg KH
2023-09-30 6:13 ` Greg KH
2023-09-30 8:24 ` Conor Dooley
2023-09-30 8:24 ` Conor Dooley
2023-10-02 10:20 ` Aleksandr Nogikh
2023-10-02 10:20 ` Aleksandr Nogikh
2023-09-29 6:05 ` [PATCH] riscv: fix out of bounds in walk_stackframe Greg KH
2023-09-29 6:05 ` Greg KH
2023-09-29 8:25 ` Alexandre Ghiti
2023-09-29 8:25 ` Alexandre Ghiti
2023-09-29 23:05 ` [PATCH] Test for riscv fixes Edward AD
2023-09-29 23:05 ` Edward AD
2023-10-02 7:13 ` Alexandre Ghiti
2023-10-02 7:13 ` Alexandre Ghiti
2023-10-02 13:41 ` Mark Rutland
2023-10-02 13:41 ` Mark Rutland
2023-10-06 11:38 ` Alexandre Ghiti
2023-10-06 11:38 ` Alexandre Ghiti
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.