Re: [BUG] bpf:

From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
To: Jiri Olsa <jolsa@redhat.com>
Cc: Alexei Starovoitov <ast@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	Daniel Borkmann <daniel@iogearbox.net>, X86 ML <x86@kernel.org>,
	Network Development <netdev@vger.kernel.org>,
	bpf <bpf@vger.kernel.org>, Kernel Team <kernel-team@fb.com>
Subject: Re: [BUG] bpf:
Date: Wed, 30 Oct 2019 09:44:11 -0700	[thread overview]
Message-ID: <CAADnVQKNJ9H9yxxuHn72ikfjii4vciVi8S6ztJ4oJCGk5A3FrA@mail.gmail.com> (raw)
In-Reply-To: <20191030154323.GJ20826@krava>

On Wed, Oct 30, 2019 at 8:43 AM Jiri Olsa <jolsa@redhat.com> wrote:
>
>
> hi,
> I'm getting oops when running the kfree_skb test:
>
> dell-r440-01 login: [  758.049877] BUG: kernel NULL pointer dereference, address: 0000000000000000^M
> [  758.056834] #PF: supervisor read access in kernel mode^M
> [  758.061975] #PF: error_code(0x0000) - not-present page^M
> [  758.067112] PGD 8000000befba8067 P4D 8000000befba8067 PUD bffe11067 PMD 0 ^M
> [  758.073987] Oops: 0000 [#1] SMP PTI^M
> [  758.077478] CPU: 16 PID: 6854 Comm: test_progs Not tainted 5.4.0-rc3+ #96^M
> [  758.084263] Hardware name: Dell Inc. PowerEdge R440/08CYF7, BIOS 1.7.0 12/14/2018^M
> [  758.091745] RIP: 0010:0xffffffffc03b672c^M
> [  758.095669] Code: 4c 8b 6a 00 4c 89 6d c0 8b 77 00 89 75 cc 31 ff 89 75 fc 48 8b 71 00 48 01 fe bf 78 00 00 00 48 89 da 48 01 fa bf 08 00 00 00 <4c> 8b 76 00 4c 89 f6 48 01 fe 4c 8b 7e 00 48 89 ef 48 83 c7 f9 be^M
> [  758.114414] RSP: 0018:ffffaa3287583d20 EFLAGS: 00010286^M
> [  758.119640] RAX: ffffffffc03b66ac RBX: ffff9cef028c3900 RCX: ffff9cef0a652018^M
> [  758.126775] RDX: ffff9cef028c3978 RSI: 0000000000000000 RDI: 0000000000000008^M
> [  758.133906] RBP: ffffaa3287583d90 R08: 00000000000000b0 R09: 0000000000000000^M
> [  758.141040] R10: 98ff036c00000000 R11: 0000000000000040 R12: ffffffffba8b5c37^M
> [  758.148170] R13: ffff9cfb05daf440 R14: 0000000000000000 R15: 000000000000004a^M
> [  758.155303] FS:  00007f08a18d3740(0000) GS:ffff9cef10c00000(0000) knlGS:0000000000000000^M
> [  758.163392] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033^M
> [  758.169136] CR2: 0000000000000000 CR3: 0000000c08e50001 CR4: 00000000007606e0^M
> [  758.176268] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000^M
> [  758.183401] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400^M
> [  758.190534] PKRU: 55555554^M
> [  758.193248] Call Trace:^M
> [  758.195704]  ? bpf_test_run+0x13d/0x230^M
> [  758.199539]  ? _cond_resched+0x15/0x30^M
> [  758.203304]  bpf_trace_run2+0x37/0x90^M
> [  758.206967]  ? bpf_prog_test_run_skb+0x337/0x450^M
> [  758.211589]  kfree_skb+0x73/0xa0^M
> [  758.214820]  bpf_prog_test_run_skb+0x337/0x450^M
> [  758.219293]  __do_sys_bpf+0x82e/0x1730^M
> [  758.223043]  ? ep_show_fdinfo+0x80/0x80^M
> [  758.226885]  do_syscall_64+0x5b/0x180^M
> [  758.230550]  entry_SYSCALL_64_after_hwframe+0x44/0xa9^M
> [  758.235620] RIP: 0033:0x7f08a19e91fd^M
> [  758.239198] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b 8c 0c 00 f7 d8 64 89 01 48^M
>
>
> this seems to be the culprit:
>
> ; ptr = dev->ifalias->rcuhead.next;
>   80:   mov    0x0(%rsi),%r14

with rsi being zero. yes. that's the point of the test.

> I used the patch below to bypass the crash, but I guess
> verifier should not let this through

Could you please send me your .config and the way you
run test_progs ?
Is it with or without jit?

I thought I've tested all combinations. Something slipped through.

> also the net_device struct in the test seems outdated

It's not outdated. It's specifically done this way on purpose.