* BUG: assuming atomic context at kernel/seccomp.c:LINE

From: syzbot @ 2019-02-20 9:32 UTC
To: ast, daniel, kafai, keescook, linux-kernel, luto, netdev, songliubraving, syzkaller-bugs, wad, yhs

Hello,

syzbot found the following crash on:

HEAD commit:    abf446c90405 Add linux-next specific files for 20190220
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17f250d8c00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=463cb576ac40e350
dashboard link: https://syzkaller.appspot.com/bug?extid=8bf19ee2aa580de7a2a7
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8bf19ee2aa580de7a2a7@syzkaller.appspotmail.com

BUG: assuming atomic context at kernel/seccomp.c:271
in_atomic(): 0, irqs_disabled(): 0, pid: 12803, name: syz-executor.5
no locks held by syz-executor.5/12803.
CPU: 1 PID: 12803 Comm: syz-executor.5 Not tainted 5.0.0-rc7-next-20190220 #39
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 __cant_sleep kernel/sched/core.c:6218 [inline]
 __cant_sleep.cold+0xa3/0xbb kernel/sched/core.c:6195
 seccomp_run_filters kernel/seccomp.c:271 [inline]
 __seccomp_filter+0x12b/0x12b0 kernel/seccomp.c:801
 __secure_computing+0x101/0x360 kernel/seccomp.c:932
 syscall_trace_enter+0x5bf/0xe10 arch/x86/entry/common.c:120
 do_syscall_64+0x479/0x610 arch/x86/entry/common.c:280
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45ac8a
Code: 25 18 00 00 00 00 74 01 f0 48 0f b1 3d df ba 5f 00 48 39 c2 75 da f3 c3 0f 1f 84 00 00 00 00 00 48 63 ff b8 e4 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 f3 c3 0f 1f 40 00 48 c7 c2 d4 ff ff ff f7
RSP: 002b:00007f92ed7b2c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000e4
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ac8a
RDX: 0000000000017230 RSI: 00007f92ed7b2c60 RDI: 0000000000000001
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000004c4cd5 R14: 00000000004d8890 R15: 00000000ffffffff

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
* Re: BUG: assuming atomic context at kernel/seccomp.c:LINE
From: Daniel Borkmann @ 2019-02-20 10:00 UTC
To: syzbot, ast, kafai, keescook, linux-kernel, luto, netdev, songliubraving, syzkaller-bugs, wad, yhs

On 02/20/2019 10:32 AM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    abf446c90405 Add linux-next specific files for 20190220
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=17f250d8c00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=463cb576ac40e350
> dashboard link: https://syzkaller.appspot.com/bug?extid=8bf19ee2aa580de7a2a7
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+8bf19ee2aa580de7a2a7@syzkaller.appspotmail.com
>
> BUG: assuming atomic context at kernel/seccomp.c:271
> in_atomic(): 0, irqs_disabled(): 0, pid: 12803, name: syz-executor.5
> no locks held by syz-executor.5/12803.
> CPU: 1 PID: 12803 Comm: syz-executor.5 Not tainted 5.0.0-rc7-next-20190220 #39
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x172/0x1f0 lib/dump_stack.c:113
>  __cant_sleep kernel/sched/core.c:6218 [inline]
>  __cant_sleep.cold+0xa3/0xbb kernel/sched/core.c:6195
>  seccomp_run_filters kernel/seccomp.c:271 [inline]
>  __seccomp_filter+0x12b/0x12b0 kernel/seccomp.c:801
>  __secure_computing+0x101/0x360 kernel/seccomp.c:932
>  syscall_trace_enter+0x5bf/0xe10 arch/x86/entry/common.c:120
>  do_syscall_64+0x479/0x610 arch/x86/entry/common.c:280
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe

False positive; bpf-next only. Pushing this out in a bit:

From d56547070162a105ff666f3324e558fa6492aedd Mon Sep 17 00:00:00 2001
From: Daniel Borkmann <daniel@iogearbox.net>
Date: Wed, 20 Feb 2019 10:51:17 +0100
Subject: [PATCH bpf-next] bpf, seccomp: fix false positive preemption splat for cbpf->ebpf progs

In 568f196756ad ("bpf: check that BPF programs run with preemption disabled")
a check was added for BPF_PROG_RUN() that for every invocation preemption is
disabled to not break eBPF assumptions (e.g. per-cpu map). Of course this does
not count for seccomp because only cBPF -> eBPF is loaded here and it does not
make use of any functionality that would require this assertion. Fix this false
positive by adding and using __BPF_PROG_RUN() variant that does not have the
cant_sleep(); check.

Fixes: 568f196756ad ("bpf: check that BPF programs run with preemption disabled")
Reported-by: syzbot+8bf19ee2aa580de7a2a7@syzkaller.appspotmail.com
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
 include/linux/filter.h | 9 ++++++++-
 kernel/seccomp.c       | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/include/linux/filter.h b/include/linux/filter.h index f32b3ec..2f3e29a 100644 --- a/include/linux/filter.h +++ b/include/linux/filter.h @@ -533,7 +533,14 @@ struct sk_filter { struct bpf_prog *prog; }; -#define BPF_PROG_RUN(filter, ctx) ({ cant_sleep(); (*(filter)->bpf_func)(ctx, (filter)->insnsi); }) +#define bpf_prog_run__non_preempt(prog, ctx) \ + ({ cant_sleep(); __BPF_PROG_RUN(prog, ctx); }) +/* Native eBPF or cBPF -> eBPF transitions. Preemption must be disabled. */ +#define BPF_PROG_RUN(prog, ctx) \ + bpf_prog_run__non_preempt(prog, ctx) +/* cBPF -> eBPF only, but not for native eBPF. */ +#define __BPF_PROG_RUN(prog, ctx) \ + (*(prog)->bpf_func)(ctx, (prog)->insnsi) #define BPF_SKB_CB_LEN QDISC_CB_PRIV_LEN diff --git a/kernel/seccomp.c b/kernel/seccomp.c index e815781..826d4e4 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c
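Review bot: in the include/linux/filter.h hunk, `__BPF_PROG_RUN()` is the variant that skips the `cant_sleep()` check, yet neither its name nor its comment ("cBPF -> eBPF only, but not for native eBPF.") says what it omits; the comment describes who is expected to call it, and nothing enforces that restriction once the macro is exposed in a shared header. Suggest a name that carries the property (e.g. `bpf_prog_run__no_preempt_check()`) and a comment stating that the caller takes responsibility for not relying on preemption being disabled (no per-cpu map access, as the commit message explains). Minor: `bpf_prog_run__non_preempt()` references `__BPF_PROG_RUN()` before it is defined; the preprocessor resolves this at the expansion site so it compiles, but defining `__BPF_PROG_RUN` first and building the checked variant on top of it reads more naturally.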
@@ -268,7 +268,7 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd, * value always takes priority (ignoring the DATA). */ for (; f; f = f->prev) { - u32 cur_ret = BPF_PROG_RUN(f->prog, sd); + u32 cur_ret = __BPF_PROG_RUN(f->prog, sd); if (ACTION_ONLY(cur_ret) < ACTION_ONLY(ret)) { ret = cur_ret; -- 2.9.5
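Review bot: the kernel/seccomp.c hunk switches the call site to the unchecked `__BPF_PROG_RUN()` without a comment at the loop saying why seccomp is exempt from the preemption assertion; a reader of `seccomp_run_filters()` cannot tell from the code that the filters here are cBPF-derived and so never touch per-cpu state. Suggest a one-line comment above `for (; f; f = f->prev)` carrying that reasoning, or alternatively keeping the checked `BPF_PROG_RUN()` and bracketing the loop with `preempt_disable()`/`preempt_enable()`, which keeps seccomp under the same invariant as every other caller rather than carving out a special case that future changes to the filter path could silently invalidate.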
* Re: BUG: assuming atomic context at kernel/seccomp.c:LINE
From: Kees Cook @ 2019-02-20 18:23 UTC
To: Daniel Borkmann
Cc: syzbot, Alexei Starovoitov, kafai, LKML, Andy Lutomirski, Network Development, Song Liu, syzkaller-bugs, Will Drewry, Yonghong Song

On Wed, Feb 20, 2019 at 2:00 AM Daniel Borkmann <daniel@iogearbox.net> wrote:
>
> On 02/20/2019 10:32 AM, syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    abf446c90405 Add linux-next specific files for 20190220
> > git tree:       linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=17f250d8c00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=463cb576ac40e350
> > dashboard link: https://syzkaller.appspot.com/bug?extid=8bf19ee2aa580de7a2a7
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> >
> > Unfortunately, I don't have any reproducer for this crash yet.
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+8bf19ee2aa580de7a2a7@syzkaller.appspotmail.com
> >
> > BUG: assuming atomic context at kernel/seccomp.c:271
> > in_atomic(): 0, irqs_disabled(): 0, pid: 12803, name: syz-executor.5
> > no locks held by syz-executor.5/12803.
> > CPU: 1 PID: 12803 Comm: syz-executor.5 Not tainted 5.0.0-rc7-next-20190220 #39
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:77 [inline]
> >  dump_stack+0x172/0x1f0 lib/dump_stack.c:113
> >  __cant_sleep kernel/sched/core.c:6218 [inline]
> >  __cant_sleep.cold+0xa3/0xbb kernel/sched/core.c:6195
> >  seccomp_run_filters kernel/seccomp.c:271 [inline]
> >  __seccomp_filter+0x12b/0x12b0 kernel/seccomp.c:801
> >  __secure_computing+0x101/0x360 kernel/seccomp.c:932
> >  syscall_trace_enter+0x5bf/0xe10 arch/x86/entry/common.c:120
> >  do_syscall_64+0x479/0x610 arch/x86/entry/common.c:280
> >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> False positive; bpf-next only. Pushing this out in a bit:
>
> From d56547070162a105ff666f3324e558fa6492aedd Mon Sep 17 00:00:00 2001
> From: Daniel Borkmann <daniel@iogearbox.net>
> Date: Wed, 20 Feb 2019 10:51:17 +0100
> Subject: [PATCH bpf-next] bpf, seccomp: fix false positive preemption splat for
>  cbpf->ebpf progs
>
> In 568f196756ad ("bpf: check that BPF programs run with preemption disabled")
> a check was added for BPF_PROG_RUN() that for every invocation preemption is
> disabled to not break eBPF assumptions (e.g. per-cpu map). Of course this does
> not count for seccomp because only cBPF -> eBPF is loaded here and it does not
> make use of any functionality that would require this assertion. Fix this false
> positive by adding and using __BPF_PROG_RUN() variant that does not have the
> cant_sleep(); check.
>
> Fixes: 568f196756ad ("bpf: check that BPF programs run with preemption disabled")
> Reported-by: syzbot+8bf19ee2aa580de7a2a7@syzkaller.appspotmail.com
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

Acked-by: Kees Cook <keescook@chromium.org>

-Kees

> ---
>  include/linux/filter.h | 9 ++++++++-
>  kernel/seccomp.c       | 2 +-
>  2 files changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/filter.h b/include/linux/filter.h > index f32b3ec..2f3e29a 100644 > --- a/include/linux/filter.h > +++ b/include/linux/filter.h > @@ -533,7 +533,14 @@ struct sk_filter { > struct bpf_prog *prog; > }; > > -#define BPF_PROG_RUN(filter, ctx) ({ cant_sleep(); (*(filter)->bpf_func)(ctx, (filter)->insnsi); }) > +#define bpf_prog_run__non_preempt(prog, ctx) \ > + ({ cant_sleep(); __BPF_PROG_RUN(prog, ctx); }) > +/* Native eBPF or cBPF -> eBPF transitions. Preemption must be disabled. */ > +#define BPF_PROG_RUN(prog, ctx) \ > + bpf_prog_run__non_preempt(prog, ctx) > +/* cBPF -> eBPF only, but not for native eBPF. */ > +#define __BPF_PROG_RUN(prog, ctx) \ > + (*(prog)->bpf_func)(ctx, (prog)->insnsi) > > #define BPF_SKB_CB_LEN QDISC_CB_PRIV_LEN
> > diff --git a/kernel/seccomp.c b/kernel/seccomp.c > index e815781..826d4e4 100644 > --- a/kernel/seccomp.c > +++ b/kernel/seccomp.c > @@ -268,7 +268,7 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd, > * value always takes priority (ignoring the DATA). > */ > for (; f; f = f->prev) { > - u32 cur_ret = BPF_PROG_RUN(f->prog, sd); > + u32 cur_ret = __BPF_PROG_RUN(f->prog, sd); > > if (ACTION_ONLY(cur_ret) < ACTION_ONLY(ret)) { > ret = cur_ret; > -- > 2.9.5

--
Kees Cook
* Re: BUG: assuming atomic context at kernel/seccomp.c:LINE

From: syzbot @ 2019-02-20 12:33 UTC
To: ast, daniel, kafai, keescook, linux-kernel, luto, netdev, songliubraving, syzkaller-bugs, wad, yhs

syzbot has found a reproducer for the following crash on:

HEAD commit:    abf446c90405 Add linux-next specific files for 20190220
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=101e7fb0c00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=463cb576ac40e350
dashboard link: https://syzkaller.appspot.com/bug?extid=8bf19ee2aa580de7a2a7
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11a52778c00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12a1007cc00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8bf19ee2aa580de7a2a7@syzkaller.appspotmail.com

BUG: assuming atomic context at kernel/seccomp.c:271
in_atomic(): 0, irqs_disabled(): 0, pid: 7853, name: syz-executor140
no locks held by syz-executor140/7853.
CPU: 1 PID: 7853 Comm: syz-executor140 Not tainted 5.0.0-rc7-next-20190220 #39
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 __cant_sleep kernel/sched/core.c:6218 [inline]
 __cant_sleep.cold+0xa3/0xbb kernel/sched/core.c:6195
 seccomp_run_filters kernel/seccomp.c:271 [inline]
 __seccomp_filter+0x12b/0x12b0 kernel/seccomp.c:801
 __secure_computing+0x101/0x360 kernel/seccomp.c:932
 syscall_trace_enter+0x5bf/0xe10 arch/x86/entry/common.c:120
 do_syscall_64+0x479/0x610 arch/x86/entry/common.c:280
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43ec58
Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
RSP: 002b:00007ffc2d0b2f48 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ec58
RDX: 0000000000000000 RSI: 0000000