* [net/bpf] Re: WARNING in mark_lock
From: Eric Biggers @ 2019-06-25  7:29 UTC (permalink / raw)
  To: bpf; +Cc: syzbot, LKML, syzkaller-bugs, Thomas Gleixner, Peter Zijlstra

[+bpf list]

On Tue, Jun 25, 2019 at 08:20:56AM +0200, Thomas Gleixner wrote:
> On Mon, 24 Jun 2019, syzbot wrote:
> 
> > Hello,
> 
> CC++ Peterz 
> 
> > 
> > syzbot found the following crash on:
> > 
> > HEAD commit:    dc636f5d Add linux-next specific files for 20190620
> > git tree:       linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=162b68b1a00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=99c104b0092a557b
> > dashboard link: https://syzkaller.appspot.com/bug?extid=a861f52659ae2596492b
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=110b24f6a00000
> > 
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+a861f52659ae2596492b@syzkaller.appspotmail.com

The syz repro looks bpf related, and essentially the same repro is in lots of
other open syzbot reports which I've assigned to the bpf subsystem...
https://lore.kernel.org/lkml/20190624050114.GA30702@sol.localdomain/

{"threaded":true,"repeat":true,"procs":6,"sandbox":"none","fault_call":-1,"tun":true,"netdev":true,"resetnet":true,"cgroups":true,"binfmt_misc":true,"close_fds":true,"tmpdir":true,"segv":true}
bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0xf, 0x4, 0x4, 0x400, 0x0, 0x1}, 0x3c)
socket$rxrpc(0x21, 0x2, 0x800000000a)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7f00000000c0)=0x100000001, 0x1d4)
connect$inet6(r0, &(0x7f0000000140), 0x1c)
bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x5}, 0xfffffffffffffdcb)
bpf$MAP_CREATE(0x2, &(0x7f0000003000)={0x3, 0x0, 0x77fffb, 0x0, 0x10020000000, 0x0}, 0x2c)
setsockopt$inet6_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f0000000040)='tls\x00', 0x4)


* Re: WARNING in mark_lock
From: syzbot @ 2019-06-27 22:03 UTC (permalink / raw)
  To: ast, bpf, daniel, dvyukov, ebiggers, john.fastabend,
	linux-kernel, netdev, peterz, syzkaller-bugs, tglx

syzbot has bisected this bug to:

commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
Author: John Fastabend <john.fastabend@gmail.com>
Date:   Sat Jun 30 13:17:47 2018 +0000

     bpf: sockhash fix omitted bucket lock in sock_close

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1436e7e9a00000
start commit:   dc636f5d Add linux-next specific files for 20190620
git tree:       linux-next
final crash:    https://syzkaller.appspot.com/x/report.txt?x=1636e7e9a00000
console output: https://syzkaller.appspot.com/x/log.txt?x=1236e7e9a00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=99c104b0092a557b
dashboard link: https://syzkaller.appspot.com/bug?extid=a861f52659ae2596492b
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=110b24f6a00000

Reported-by: syzbot+a861f52659ae2596492b@syzkaller.appspotmail.com
Fixes: e9db4ef6bf4c ("bpf: sockhash fix omitted bucket lock in sock_close")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


* RE: [net/bpf] Re: WARNING in mark_lock
From: John Fastabend @ 2019-07-01  5:32 UTC (permalink / raw)
  To: Eric Biggers, bpf
  Cc: syzbot, LKML, syzkaller-bugs, Thomas Gleixner, Peter Zijlstra

Eric Biggers wrote:
> [+bpf list]
> 
> On Tue, Jun 25, 2019 at 08:20:56AM +0200, Thomas Gleixner wrote:
> > On Mon, 24 Jun 2019, syzbot wrote:
> > 
> > > Hello,
> > 
> > CC++ Peterz 
> > 
> > > 
> > > syzbot found the following crash on:
> > > 
> > > HEAD commit:    dc636f5d Add linux-next specific files for 20190620
> > > git tree:       linux-next
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=162b68b1a00000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=99c104b0092a557b
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=a861f52659ae2596492b
> > > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=110b24f6a00000
> > > 
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+a861f52659ae2596492b@syzkaller.appspotmail.com
> 
> The syz repro looks bpf related, and essentially the same repro is in lots of
> other open syzbot reports which I've assigned to the bpf subsystem...
> https://lore.kernel.org/lkml/20190624050114.GA30702@sol.localdomain/
> 
> {"threaded":true,"repeat":true,"procs":6,"sandbox":"none","fault_call":-1,"tun":true,"netdev":true,"resetnet":true,"cgroups":true,"binfmt_misc":true,"close_fds":true,"tmpdir":true,"segv":true}
> bpf$MAP_CREATE(0x0, &(0x7f0000000280)={0xf, 0x4, 0x4, 0x400, 0x0, 0x1}, 0x3c)
> socket$rxrpc(0x21, 0x2, 0x800000000a)
> r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
> setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7f00000000c0)=0x100000001, 0x1d4)
> connect$inet6(r0, &(0x7f0000000140), 0x1c)
> bpf$MAP_CREATE(0x0, &(0x7f0000000000)={0x5}, 0xfffffffffffffdcb)
> bpf$MAP_CREATE(0x2, &(0x7f0000003000)={0x3, 0x0, 0x77fffb, 0x0, 0x10020000000, 0x0}, 0x2c)
> setsockopt$inet6_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f0000000040)='tls\x00', 0x4)

#syz test: git://github.com/cilium/linux ktls-unhash


* Re: WARNING in mark_lock
From: syzbot @ 2019-07-01  5:51 UTC (permalink / raw)
  To: bpf, ebiggers, john.fastabend, linux-kernel, peterz,
	syzkaller-bugs, tglx

Hello,

syzbot has tested the proposed patch but the reproducer still triggered a crash:
KASAN: use-after-free Read in class_equal

==================================================================
BUG: KASAN: use-after-free in class_equal+0x40/0x50 kernel/locking/lockdep.c:1527
Read of size 8 at addr ffff88808a268ba0 by task syz-executor.1/9270

CPU: 0 PID: 9270 Comm: syz-executor.1 Not tainted 5.2.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:

Allocated by task 2647419968:
BUG: unable to handle page fault for address: ffffffff8c00b020
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 8a70067 P4D 8a70067 PUD 8a71063 PMD 0
Thread overran stack, or stack corrupted
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 9270 Comm: syz-executor.1 Not tainted 5.2.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:stack_depot_fetch+0x10/0x30 lib/stackdepot.c:203
Code: e9 7b fd ff ff 4c 89 ff e8 8d b4 62 fe e9 e6 fd ff ff 90 90 90 90 90 90 90 90 89 f8 c1 ef 11 25 ff ff 1f 00 81 e7 f0 3f 00 00 <48> 03 3c c5 20 6c 04 8b 48 8d 47 18 48 89 06 8b 47 0c c3 0f 1f 00
RSP: 0018:ffff88808a2688e8 EFLAGS: 00010006
RAX: 00000000001f8880 RBX: ffff88808a269304 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88808a2688f0 RDI: 0000000000003ff0
RBP: ffff88808a268908 R08: 0000000000000020 R09: ffffed1015d044fa
R10: ffffed1015d044f9 R11: ffff8880ae8227cf R12: ffffea0002289a00
R13: ffff88808a268ba0 R14: ffff8880aa58ec40 R15: ffff88808a269300
FS:  00005555570ba940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff8c00b020 CR3: 000000008dd00000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
Modules linked in:
CR2: ffffffff8c00b020
---[ end trace 4acfe4b59fbc9cdb ]---
RIP: 0010:stack_depot_fetch+0x10/0x30 lib/stackdepot.c:203
Code: e9 7b fd ff ff 4c 89 ff e8 8d b4 62 fe e9 e6 fd ff ff 90 90 90 90 90 90 90 90 89 f8 c1 ef 11 25 ff ff 1f 00 81 e7 f0 3f 00 00 <48> 03 3c c5 20 6c 04 8b 48 8d 47 18 48 89 06 8b 47 0c c3 0f 1f 00
RSP: 0018:ffff88808a2688e8 EFLAGS: 00010006
RAX: 00000000001f8880 RBX: ffff88808a269304 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88808a2688f0 RDI: 0000000000003ff0
RBP: ffff88808a268908 R08: 0000000000000020 R09: ffffed1015d044fa
R10: ffffed1015d044f9 R11: ffff8880ae8227cf R12: ffffea0002289a00
R13: ffff88808a268ba0 R14: ffff8880aa58ec40 R15: ffff88808a269300
FS:  00005555570ba940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff8c00b020 CR3: 000000008dd00000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit:         0b58d013 bpf: tls, implement unhash to avoid transition ou..
git tree:       git://github.com/cilium/linux ktls-unhash
console output: https://syzkaller.appspot.com/x/log.txt?x=153368a3a00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2cc918d28ebd06b4
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)



* Re: WARNING in mark_lock
From: John Fastabend @ 2019-07-08 16:21 UTC (permalink / raw)
  To: syzbot, bpf, ebiggers, john.fastabend, linux-kernel, peterz,
	syzkaller-bugs, tglx

syzbot wrote:
> Hello,
> 
> syzbot has tested the proposed patch but the reproducer still triggered a crash:
> KASAN: use-after-free Read in class_equal
> 
> ==================================================================
> BUG: KASAN: use-after-free in class_equal+0x40/0x50 kernel/locking/lockdep.c:1527
> Read of size 8 at addr ffff88808a268ba0 by task syz-executor.1/9270
> 
> CPU: 0 PID: 9270 Comm: syz-executor.1 Not tainted 5.2.0-rc3+ #1
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> 
> Allocated by task 2647419968:
> BUG: unable to handle page fault for address: ffffffff8c00b020
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 8a70067 P4D 8a70067 PUD 8a71063 PMD 0
> Thread overran stack, or stack corrupted
> Oops: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 9270 Comm: syz-executor.1 Not tainted 5.2.0-rc3+ #1
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:stack_depot_fetch+0x10/0x30 lib/stackdepot.c:203
> Code: e9 7b fd ff ff 4c 89 ff e8 8d b4 62 fe e9 e6 fd ff ff 90 90 90 90 90 90 90 90 89 f8 c1 ef 11 25 ff ff 1f 00 81 e7 f0 3f 00 00 <48> 03 3c c5 20 6c 04 8b 48 8d 47 18 48 89 06 8b 47 0c c3 0f 1f 00
> RSP: 0018:ffff88808a2688e8 EFLAGS: 00010006
> RAX: 00000000001f8880 RBX: ffff88808a269304 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: ffff88808a2688f0 RDI: 0000000000003ff0
> RBP: ffff88808a268908 R08: 0000000000000020 R09: ffffed1015d044fa
> R10: ffffed1015d044f9 R11: ffff8880ae8227cf R12: ffffea0002289a00
> R13: ffff88808a268ba0 R14: ffff8880aa58ec40 R15: ffff88808a269300
> FS:  00005555570ba940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffffff8c00b020 CR3: 000000008dd00000 CR4: 00000000001406f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> Modules linked in:
> CR2: ffffffff8c00b020
> ---[ end trace 4acfe4b59fbc9cdb ]---
> RIP: 0010:stack_depot_fetch+0x10/0x30 lib/stackdepot.c:203
> Code: e9 7b fd ff ff 4c 89 ff e8 8d b4 62 fe e9 e6 fd ff ff 90 90 90 90 90 90 90 90 89 f8 c1 ef 11 25 ff ff 1f 00 81 e7 f0 3f 00 00 <48> 03 3c c5 20 6c 04 8b 48 8d 47 18 48 89 06 8b 47 0c c3 0f 1f 00
> RSP: 0018:ffff88808a2688e8 EFLAGS: 00010006
> RAX: 00000000001f8880 RBX: ffff88808a269304 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: ffff88808a2688f0 RDI: 0000000000003ff0
> RBP: ffff88808a268908 R08: 0000000000000020 R09: ffffed1015d044fa
> R10: ffffed1015d044f9 R11: ffff8880ae8227cf R12: ffffea0002289a00
> R13: ffff88808a268ba0 R14: ffff8880aa58ec40 R15: ffff88808a269300
> FS:  00005555570ba940(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffffff8c00b020 CR3: 000000008dd00000 CR4: 00000000001406f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> 
> 
> Tested on:
> 
> commit:         0b58d013 bpf: tls, implement unhash to avoid transition ou..
> git tree:       git://github.com/cilium/linux ktls-unhash
> console output: https://syzkaller.appspot.com/x/log.txt?x=153368a3a00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2cc918d28ebd06b4
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> 

#syz test: git://github.com/cilium/linux fix-unhash


* Re: WARNING in mark_lock
From: syzbot @ 2019-07-08 22:03 UTC (permalink / raw)
  To: bpf, ebiggers, john.fastabend, linux-kernel, peterz,
	syzkaller-bugs, tglx

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger a crash:

Reported-and-tested-by: syzbot+a861f52659ae2596492b@syzkaller.appspotmail.com

Tested on:

commit:         17b3f125 tls: working code
git tree:       git://github.com/cilium/linux fix-unhash
kernel config:  https://syzkaller.appspot.com/x/.config?x=dd16b8dc9d0d210c
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Note: testing is done by a robot and is best-effort only.

