* [net/bpf] Re: WARNING in mark_lock
From: Eric Biggers @ 2019-06-25 7:29 UTC
To: bpf
Cc: syzbot, LKML, syzkaller-bugs, Thomas Gleixner, Peter Zijlstra

[+bpf list]

On Tue, Jun 25, 2019 at 08:20:56AM +0200, Thomas Gleixner wrote:
> On Mon, 24 Jun 2019, syzbot wrote:
>
> > Hello,
>
> CC++ Peterz
>
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: dc636f5d Add linux-next specific files for 20190620
> > git tree: linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=162b68b1a00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=99c104b0092a557b
> > dashboard link: https://syzkaller.appspot.com/bug?extid=a861f52659ae2596492b
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=110b24f6a00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+a861f52659ae2596492b@syzkaller.appspotmail.com

The syz repro looks bpf related, and essentially the same repro is in lots of
other open syzbot reports which I've assigned to the bpf subsystem...

https://lore.kernel.org/lkml/20190624050114.GA30702@sol.localdomain/

{"threaded":true,"repeat":true,"procs":6,"sandbox":"none","fault_call":-1,"tun":true,"netdev":true,"resetnet":true,"cgroups":true,"binfmt_misc":true,"close_fds":true,"tmpdir":true,"segv":true}
bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0xf, 0x4, 0x4, 0x400, 0x0, 0x1}, 0x3c)
socket$rxrpc(0x21, 0x2, 0x800000000a)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7f00000000c0)=0x100000001, 0x1d4)
connect$inet6(r0, &(0x7f0000000140), 0x1c)
bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x5}, 0xfffffffffffffdcb)
bpf$MAP_CREATE(0x2, &(0x7f0000003000)={0x3, 0x0, 0x77fffb, 0x0, 0x10020000000, 0x0}, 0x2c)
setsockopt$inet6_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f0000000040)='tls\x00', 0x4)
* RE: [net/bpf] Re: WARNING in mark_lock
From: John Fastabend @ 2019-07-01 5:32 UTC
To: Eric Biggers, bpf
Cc: syzbot, LKML, syzkaller-bugs, Thomas Gleixner, Peter Zijlstra

Eric Biggers wrote:
> [+bpf list]
>
> On Tue, Jun 25, 2019 at 08:20:56AM +0200, Thomas Gleixner wrote:
> > On Mon, 24 Jun 2019, syzbot wrote:
> >
> > > Hello,
> >
> > CC++ Peterz
> >
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit: dc636f5d Add linux-next specific files for 20190620
> > > git tree: linux-next
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=162b68b1a00000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=99c104b0092a557b
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=a861f52659ae2596492b
> > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=110b24f6a00000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+a861f52659ae2596492b@syzkaller.appspotmail.com
>
> The syz repro looks bpf related, and essentially the same repro is in lots of
> other open syzbot reports which I've assigned to the bpf subsystem...
>
> https://lore.kernel.org/lkml/20190624050114.GA30702@sol.localdomain/
>
> {"threaded":true,"repeat":true,"procs":6,"sandbox":"none","fault_call":-1,"tun":true,"netdev":true,"resetnet":true,"cgroups":true,"binfmt_misc":true,"close_fds":true,"tmpdir":true,"segv":true}
> bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0xf, 0x4, 0x4, 0x400, 0x0, 0x1}, 0x3c)
> socket$rxrpc(0x21, 0x2, 0x800000000a)
> r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
> setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7f00000000c0)=0x100000001, 0x1d4)
> connect$inet6(r0, &(0x7f0000000140), 0x1c)
> bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x5}, 0xfffffffffffffdcb)
> bpf$MAP_CREATE(0x2, &(0x7f0000003000)={0x3, 0x0, 0x77fffb, 0x0, 0x10020000000, 0x0}, 0x2c)
> setsockopt$inet6_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f0000000040)='tls\x00', 0x4)

#syz test: git://github.com/cilium/linux ktls-unhash
* Re: WARNING in mark_lock
From: syzbot @ 2019-07-01 5:51 UTC
To: bpf, ebiggers, john.fastabend, linux-kernel, peterz, syzkaller-bugs, tglx

Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in class_equal

==================================================================
BUG: KASAN: use-after-free in class_equal+0x40/0x50 kernel/locking/lockdep.c:1527
Read of size 8 at addr ffff88808a268ba0 by task syz-executor.1/9270

CPU: 0 PID: 9270 Comm: syz-executor.1 Not tainted 5.2.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:

Allocated by task 2647419968:
BUG: unable to handle page fault for address: ffffffff8c00b020
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 8a70067 P4D 8a70067 PUD 8a71063 PMD 0
Thread overran stack, or stack corrupted
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 9270 Comm: syz-executor.1 Not tainted 5.2.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:stack_depot_fetch+0x10/0x30 lib/stackdepot.c:203
Call Trace:
Modules linked in:
CR2: ffffffff8c00b020
---[ end trace 4acfe4b59fbc9cdb ]---
RIP: 0010:stack_depot_fetch+0x10/0x30 lib/stackdepot.c:203

Tested on:

commit: 0b58d013 bpf: tls, implement unhash to avoid transition ou..
git tree: git://github.com/cilium/linux ktls-unhash
console output: https://syzkaller.appspot.com/x/log.txt?x=153368a3a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2cc918d28ebd06b4
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
* Re: WARNING in mark_lock
From: John Fastabend @ 2019-07-08 16:21 UTC
To: syzbot, bpf, ebiggers, john.fastabend, linux-kernel, peterz, syzkaller-bugs, tglx

syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered
> crash:
> KASAN: use-after-free Read in class_equal
>
> ==================================================================
> BUG: KASAN: use-after-free in class_equal+0x40/0x50
> kernel/locking/lockdep.c:1527
> Read of size 8 at addr ffff88808a268ba0 by task syz-executor.1/9270
>
> CPU: 0 PID: 9270 Comm: syz-executor.1 Not tainted 5.2.0-rc3+ #1
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>
> Allocated by task 2647419968:
> BUG: unable to handle page fault for address: ffffffff8c00b020
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 8a70067 P4D 8a70067 PUD 8a71063 PMD 0
> Thread overran stack, or stack corrupted
> Oops: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 9270 Comm: syz-executor.1 Not tainted 5.2.0-rc3+ #1
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:stack_depot_fetch+0x10/0x30 lib/stackdepot.c:203
> Call Trace:
> Modules linked in:
> CR2: ffffffff8c00b020
> ---[ end trace 4acfe4b59fbc9cdb ]---
> RIP: 0010:stack_depot_fetch+0x10/0x30 lib/stackdepot.c:203
>
>
> Tested on:
>
> commit: 0b58d013 bpf: tls, implement unhash to avoid transition ou..
> git tree: git://github.com/cilium/linux ktls-unhash
> console output: https://syzkaller.appspot.com/x/log.txt?x=153368a3a00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2cc918d28ebd06b4
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>

#syz test: git://github.com/cilium/linux fix-unhash
* Re: WARNING in mark_lock
From: syzbot @ 2019-07-08 22:03 UTC
To: bpf, ebiggers, john.fastabend, linux-kernel, peterz, syzkaller-bugs, tglx

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+a861f52659ae2596492b@syzkaller.appspotmail.com

Tested on:

commit: 17b3f125 tls: working code
git tree: git://github.com/cilium/linux fix-unhash
kernel config: https://syzkaller.appspot.com/x/.config?x=dd16b8dc9d0d210c
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Note: testing is done by a robot and is best-effort only.
* Re: WARNING in mark_lock
From: syzbot @ 2019-06-27 22:03 UTC
To: ast, bpf, daniel, dvyukov, ebiggers, john.fastabend, linux-kernel, netdev, peterz, syzkaller-bugs, tglx

syzbot has bisected this bug to:

commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
Author: John Fastabend <john.fastabend@gmail.com>
Date:   Sat Jun 30 13:17:47 2018 +0000

    bpf: sockhash fix omitted bucket lock in sock_close

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1436e7e9a00000
start commit:   dc636f5d Add linux-next specific files for 20190620
git tree:       linux-next
final crash:    https://syzkaller.appspot.com/x/report.txt?x=1636e7e9a00000
console output: https://syzkaller.appspot.com/x/log.txt?x=1236e7e9a00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=99c104b0092a557b
dashboard link: https://syzkaller.appspot.com/bug?extid=a861f52659ae2596492b
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=110b24f6a00000

Reported-by: syzbot+a861f52659ae2596492b@syzkaller.appspotmail.com
Fixes: e9db4ef6bf4c ("bpf: sockhash fix omitted bucket lock in sock_close")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection