* [PATCH 5.10.y 0/1] bpf: fix warning ftrace_verify_code
@ 2024-01-29 9:17 kovalev
2024-01-29 9:17 ` [PATCH 5.10.y 1/1] bpf: Convert BPF_DISPATCHER to use static_call() (not ftrace) kovalev
2024-01-29 16:20 ` [PATCH 5.10.y 0/1] bpf: fix warning ftrace_verify_code Greg KH
0 siblings, 2 replies; 4+ messages in thread
From: kovalev @ 2024-01-29 9:17 UTC (permalink / raw)
To: stable
Cc: linux-kernel, bpf, netdev, kpsingh, john.fastabend, yhs,
songliubraving, kafai, andrii, daniel, ast, kovalev, nickel,
oficerovas, dutyrok
Syzkaller hit 'WARNING in ftrace_verify_code' bug.
This bug is not a vulnerability and is reproduced only when running
with root privileges on stable 5.10 kernel.
journalctl -k (v5.10.206):
...
bpfilter: Loaded bpfilter_umh pid 2732
Started bpfilter
------------[ cut here ]------------
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4107 at arch/x86/kernel/ftrace.c:97 ftrace_verify_code+0x3e/0x80
WARNING: CPU: 1 PID: 4107 at arch/x86/kernel/ftrace.c:97 ftrace_verify_code+0x3e/0x80
Modules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter bridge stp llc qrtr bnep hid_generic usbhid uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common btusb btrtl btbcm btintel videodev bluetooth mc ecdh_generic ecc nls_utf8 nls_cp866 vfat fat coretemp hwmon x86_pkg_temp_thermal intel_powerclamp mei_hdcp kvm_intel kvm rtsx_pci_sdmmc mmc_core irqbypass crct10dif_pclmul wmi_bmof crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel crypto_simd xhci_pci mei_me ucsi_acpi ideapad_laptop cryptd xhci_pci_renesas glue_helper pcspkr typec_ucsi tiny_power_button rtsx_pci sparse_keymap xhci_hcd mei thermal typec wmi i2c_hid button fan rfkill hid acpi_pad intel_pmc_core battery video ac sch_fq_codel vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) vboxvideo
Modules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter bridge stp llc qrtr bnep hid_generic usbhid uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common btusb btrtl btbcm btintel videodev bluetooth mc ecdh_generic ecc nls_utf8 nls_cp866 vfat fat coretemp hwmon x86_pkg_temp_thermal intel_powerclamp mei_hdcp kvm_intel kvm rtsx_pci_sdmmc mmc_core irqbypass crct10dif_pclmul wmi_bmof crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel crypto_simd xhci_pci mei_me ucsi_acpi ideapad_laptop cryptd xhci_pci_renesas glue_helper pcspkr typec_ucsi tiny_power_button rtsx_pci sparse_keymap xhci_hcd mei thermal typec wmi i2c_hid button fan rfkill hid acpi_pad intel_pmc_core battery video ac sch_fq_codel vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) vboxvideo
drm_vram_helper drm_ttm_helper ttm drm_kms_helper cec rc_core vboxsf vboxguest snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore drm msr fuse dm_mod efi_pstore efivarfs ip_tables x_tables autofs4 evdev input_leds serio_raw
drm_vram_helper drm_ttm_helper ttm drm_kms_helper cec rc_core vboxsf vboxguest snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore drm msr fuse dm_mod efi_pstore efivarfs ip_tables x_tables autofs4 evdev input_leds serio_raw
CPU: 1 PID: 4107 Comm: repro5 Tainted: G OE 5.10.206-std-def-alt1 #1
CPU: 1 PID: 4107 Comm: repro5 Tainted: G OE 5.10.206-std-def-alt1 #1
Hardware name: LENOVO 82X8/LNVNB161216, BIOS LTCN30WW 11/08/2023
Hardware name: LENOVO 82X8/LNVNB161216, BIOS LTCN30WW 11/08/2023
RIP: 0010:ftrace_verify_code+0x3e/0x80
RIP: 0010:ftrace_verify_code+0x3e/0x80
Code: 25 28 00 00 00 48 89 44 24 08 31 c0 48 8d 7c 24 03 e8 56 f9 1b 00 48 85 c0 75 3e 8b 03 39 44 24 03 74 28 48 89 1d e2 1d 05 03 <0f> 0b b8 ea ff ff ff 48 8b 4c 24 08 65 48 2b 0c 25 28 00 00 00 75
Code: 25 28 00 00 00 48 89 44 24 08 31 c0 48 8d 7c 24 03 e8 56 f9 1b 00 48 85 c0 75 3e 8b 03 39 44 24 03 74 28 48 89 1d e2 1d 05 03 <0f> 0b b8 ea ff ff ff 48 8b 4c 24 08 65 48 2b 0c 25 28 00 00 00 75
RSP: 0018:ffffc90003aa7c88 EFLAGS: 00010212
RSP: 0018:ffffc90003aa7c88 EFLAGS: 00010212
RAX: 0000000000441f0f RBX: ffffffff82005684 RCX: 0000000000000010
RAX: 0000000000441f0f RBX: ffffffff82005684 RCX: 0000000000000010
RDX: 000000000f9dbb1f RSI: 0000000000000005 RDI: ffffffff8183d240
RDX: 000000000f9dbb1f RSI: 0000000000000005 RDI: ffffffff8183d240
RBP: ffff8881000607a0 R08: 0000000000000001 R09: 0000000000000000
RBP: ffff8881000607a0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R13: ffffffff840b9f40 R14: ffffffff82005684 R15: ffffffff82a6a760
R13: ffffffff840b9f40 R14: ffffffff82005684 R15: ffffffff82a6a760
FS: 00007f671d1c2640(0000) GS:ffff8882a7840000(0000) knlGS:0000000000000000
FS: 00007f671d1c2640(0000) GS:ffff8882a7840000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efd44003490 CR3: 000000013e3f2000 CR4: 0000000000750ee0
CR2: 00007efd44003490 CR3: 000000013e3f2000 CR4: 0000000000750ee0
PKRU: 55555554
PKRU: 55555554
Call Trace:
Call Trace:
? __warn+0x80/0x100
? __warn+0x80/0x100
? ftrace_verify_code+0x3e/0x80
? ftrace_verify_code+0x3e/0x80
? report_bug+0x9e/0xc0
? report_bug+0x9e/0xc0
? handle_bug+0x32/0xa0
? handle_bug+0x32/0xa0
? exc_invalid_op+0x14/0x70
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x12/0x20
? asm_exc_invalid_op+0x12/0x20
? sk_lookup_convert_ctx_access+0x280/0x280
? sk_lookup_convert_ctx_access+0x280/0x280
? ftrace_verify_code+0x3e/0x80
? ftrace_verify_code+0x3e/0x80
? ftrace_verify_code+0x2a/0x80
? ftrace_verify_code+0x2a/0x80
ftrace_replace_code+0xa6/0x190
ftrace_replace_code+0xa6/0x190
ftrace_modify_all_code+0xd8/0x170
ftrace_modify_all_code+0xd8/0x170
ftrace_run_update_code+0x13/0x70
ftrace_run_update_code+0x13/0x70
ftrace_startup.part.0+0xe9/0x160
ftrace_startup.part.0+0xe9/0x160
register_ftrace_function+0x52/0x90
register_ftrace_function+0x52/0x90
perf_trace_event_init+0x60/0x2b0
perf_trace_event_init+0x60/0x2b0
perf_trace_init+0x69/0xa0
perf_trace_init+0x69/0xa0
perf_tp_event_init+0x1b/0x50
perf_tp_event_init+0x1b/0x50
perf_try_init_event+0x42/0x130
perf_try_init_event+0x42/0x130
perf_event_alloc+0x5e3/0xdf0
perf_event_alloc+0x5e3/0xdf0
? __alloc_fd+0x44/0x170
? __alloc_fd+0x44/0x170
__do_sys_perf_event_open+0x1cd/0xec0
__do_sys_perf_event_open+0x1cd/0xec0
do_syscall_64+0x30/0x40
do_syscall_64+0x30/0x40
entry_SYSCALL_64_after_hwframe+0x62/0xc7
entry_SYSCALL_64_after_hwframe+0x62/0xc7
RIP: 0033:0x7f671d2c0d49
RIP: 0033:0x7f671d2c0d49
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 d8 64 89 01 48
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007f671d1c1df8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RSP: 002b:00007f671d1c1df8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f671d2c0d49
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f671d2c0d49
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
RBP: 00007f671d1c1e20 R08: 0000000000000000 R09: 0000000000000000
RBP: 00007f671d1c1e20 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd562f62de
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd562f62de
R13: 00007ffd562f62df R14: 0000000000000000 R15: 00007f671d1c2640
R13: 00007ffd562f62df R14: 0000000000000000 R15: 00007f671d1c2640
---[ end trace 74a81e537b634ec5 ]---
---[ end trace 74a81e537b634ec5 ]---
------------[ ftrace bug ]------------
------------[ ftrace bug ]------------
ftrace failed to modify
ftrace failed to modify
[<ffffffff8183d240>] bpf_dispatcher_xdp_func+0x0/0x10
[<ffffffff8183d240>] bpf_dispatcher_xdp_func+0x0/0x10
actual: ffffffe9:ffffffbb:ffffff9d:0f:1f
actual: ffffffe9:ffffffbb:ffffff9d:0f:1f
expected: 0f:1f:44:00:00
expected: 0f:1f:44:00:00
Setting ftrace call site to call ftrace function
Setting ftrace call site to call ftrace function
ftrace record flags: 10000001
ftrace record flags: 10000001
(1)
(1)
expected tramp: ffffffff81068ac0
------------[ cut here ]------------
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4107 at kernel/trace/ftrace.c:2075 ftrace_bug+0x22c/0x256
WARNING: CPU: 1 PID: 4107 at kernel/trace/ftrace.c:2075 ftrace_bug+0x22c/0x256
Modules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter bridge stp llc qrtr bnep hid_generic usbhid uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common btusb btrtl btbcm btintel videodev bluetooth mc ecdh_generic ecc nls_utf8 nls_cp866 vfat fat coretemp hwmon x86_pkg_temp_thermal intel_powerclamp mei_hdcp kvm_intel kvm rtsx_pci_sdmmc mmc_core irqbypass crct10dif_pclmul wmi_bmof crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel crypto_simd xhci_pci mei_me ucsi_acpi ideapad_laptop cryptd xhci_pci_renesas glue_helper pcspkr typec_ucsi tiny_power_button rtsx_pci sparse_keymap xhci_hcd mei thermal typec wmi i2c_hid button fan rfkill hid acpi_pad intel_pmc_core battery video ac sch_fq_codel vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) vboxvideo
Modules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter bridge stp llc qrtr bnep hid_generic usbhid uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common btusb btrtl btbcm btintel videodev bluetooth mc ecdh_generic ecc nls_utf8 nls_cp866 vfat fat coretemp hwmon x86_pkg_temp_thermal intel_powerclamp mei_hdcp kvm_intel kvm rtsx_pci_sdmmc mmc_core irqbypass crct10dif_pclmul wmi_bmof crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel crypto_simd xhci_pci mei_me ucsi_acpi ideapad_laptop cryptd xhci_pci_renesas glue_helper pcspkr typec_ucsi tiny_power_button rtsx_pci sparse_keymap xhci_hcd mei thermal typec wmi i2c_hid button fan rfkill hid acpi_pad intel_pmc_core battery video ac sch_fq_codel vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) vboxvideo
drm_vram_helper drm_ttm_helper ttm drm_kms_helper cec rc_core vboxsf vboxguest snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore drm msr fuse dm_mod efi_pstore efivarfs ip_tables x_tables autofs4 evdev input_leds serio_raw
drm_vram_helper drm_ttm_helper ttm drm_kms_helper cec rc_core vboxsf vboxguest snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore drm msr fuse dm_mod efi_pstore efivarfs ip_tables x_tables autofs4 evdev input_leds serio_raw
CPU: 1 PID: 4107 Comm: repro5 Tainted: G W OE 5.10.206-std-def-alt1 #1
CPU: 1 PID: 4107 Comm: repro5 Tainted: G W OE 5.10.206-std-def-alt1 #1
Hardware name: LENOVO 82X8/LNVNB161216, BIOS LTCN30WW 11/08/2023
Hardware name: LENOVO 82X8/LNVNB161216, BIOS LTCN30WW 11/08/2023
RIP: 0010:ftrace_bug+0x22c/0x256
RIP: 0010:ftrace_bug+0x22c/0x256
Code: ff 84 c0 74 d0 eb b4 48 c7 c7 36 4b 30 82 e8 0b c5 ff ff 48 89 ef e8 2a df 7a ff 48 c7 c7 47 4b 30 82 48 89 c6 e8 f4 c4 ff ff <0f> 0b c7 05 0f a5 2c 01 01 00 00 00 5b c7 05 14 a5 2c 01 00 00 00
Code: ff 84 c0 74 d0 eb b4 48 c7 c7 36 4b 30 82 e8 0b c5 ff ff 48 89 ef e8 2a df 7a ff 48 c7 c7 47 4b 30 82 48 89 c6 e8 f4 c4 ff ff <0f> 0b c7 05 0f a5 2c 01 01 00 00 00 5b c7 05 14 a5 2c 01 00 00 00
RSP: 0018:ffffc90003aa7c88 EFLAGS: 00010246
RSP: 0018:ffffc90003aa7c88 EFLAGS: 00010246
RAX: 0000000000000022 RBX: 00000000ffffffea RCX: ffff8882a7860808
RAX: 0000000000000022 RBX: 00000000ffffffea RCX: ffff8882a7860808
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8882a7860800
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8882a7860800
RBP: ffff8881000607a0 R08: 0000000000000000 R09: ffffc90003aa7ac8
RBP: ffff8881000607a0 R08: 0000000000000000 R09: ffffc90003aa7ac8
R10: ffffc90003aa7ac0 R11: ffffffff82ae22e8 R12: ffffffff8183d240
R10: ffffc90003aa7ac0 R11: ffffffff82ae22e8 R12: ffffffff8183d240
R13: ffffffff840b9f40 R14: ffffffff82005684 R15: ffffffff82a6a760
R13: ffffffff840b9f40 R14: ffffffff82005684 R15: ffffffff82a6a760
FS: 00007f671d1c2640(0000) GS:ffff8882a7840000(0000) knlGS:0000000000000000
FS: 00007f671d1c2640(0000) GS:ffff8882a7840000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efd44003490 CR3: 000000013e3f2000 CR4: 0000000000750ee0
CR2: 00007efd44003490 CR3: 000000013e3f2000 CR4: 0000000000750ee0
PKRU: 55555554
PKRU: 55555554
Call Trace:
Call Trace:
? __warn+0x80/0x100
? __warn+0x80/0x100
? ftrace_bug+0x22c/0x256
? ftrace_bug+0x22c/0x256
? report_bug+0x9e/0xc0
? report_bug+0x9e/0xc0
? handle_bug+0x32/0xa0
? handle_bug+0x32/0xa0
? exc_invalid_op+0x14/0x70
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x12/0x20
? asm_exc_invalid_op+0x12/0x20
? sk_lookup_convert_ctx_access+0x280/0x280
? sk_lookup_convert_ctx_access+0x280/0x280
? ftrace_bug+0x22c/0x256
? ftrace_bug+0x22c/0x256
? ftrace_bug+0x22c/0x256
? ftrace_bug+0x22c/0x256
ftrace_replace_code+0xbb/0x190
ftrace_replace_code+0xbb/0x190
ftrace_modify_all_code+0xd8/0x170
ftrace_modify_all_code+0xd8/0x170
ftrace_run_update_code+0x13/0x70
ftrace_run_update_code+0x13/0x70
ftrace_startup.part.0+0xe9/0x160
ftrace_startup.part.0+0xe9/0x160
register_ftrace_function+0x52/0x90
register_ftrace_function+0x52/0x90
perf_trace_event_init+0x60/0x2b0
perf_trace_event_init+0x60/0x2b0
perf_trace_init+0x69/0xa0
perf_trace_init+0x69/0xa0
perf_tp_event_init+0x1b/0x50
perf_tp_event_init+0x1b/0x50
perf_try_init_event+0x42/0x130
perf_try_init_event+0x42/0x130
perf_event_alloc+0x5e3/0xdf0
perf_event_alloc+0x5e3/0xdf0
? __alloc_fd+0x44/0x170
? __alloc_fd+0x44/0x170
__do_sys_perf_event_open+0x1cd/0xec0
__do_sys_perf_event_open+0x1cd/0xec0
do_syscall_64+0x30/0x40
do_syscall_64+0x30/0x40
entry_SYSCALL_64_after_hwframe+0x62/0xc7
entry_SYSCALL_64_after_hwframe+0x62/0xc7
RIP: 0033:0x7f671d2c0d49
RIP: 0033:0x7f671d2c0d49
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 d8 64 89 01 48
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007f671d1c1df8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RSP: 002b:00007f671d1c1df8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f671d2c0d49
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f671d2c0d49
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
RBP: 00007f671d1c1e20 R08: 0000000000000000 R09: 0000000000000000
RBP: 00007f671d1c1e20 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd562f62de
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd562f62de
R13: 00007ffd562f62df R14: 0000000000000000 R15: 00007f671d1c2640
R13: 00007ffd562f62df R14: 0000000000000000 R15: 00007f671d1c2640
---[ end trace 74a81e537b634ec6 ]---
---[ end trace 74a81e537b634ec6 ]---
C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>
#include <linux/futex.h>
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void thread_start(void* (*fn)(void*), void* arg)
{
pthread_t th;
pthread_attr_t attr;
pthread_attr_init(&attr);
pthread_attr_setstacksize(&attr, 128 << 10);
int i = 0;
for (; i < 100; i++) {
if (pthread_create(&th, &attr, fn, arg) == 0) {
pthread_attr_destroy(&attr);
return;
}
if (errno == EAGAIN) {
usleep(50);
continue;
}
break;
}
exit(1);
}
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
typedef struct {
int state;
} event_t;
static void event_init(event_t* ev)
{
ev->state = 0;
}
static void event_reset(event_t* ev)
{
ev->state = 0;
}
static void event_set(event_t* ev)
{
if (ev->state)
exit(1);
__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}
static void event_wait(event_t* ev)
{
while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}
static int event_isset(event_t* ev)
{
return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}
static int event_timedwait(event_t* ev, uint64_t timeout)
{
uint64_t start = current_time_ms();
uint64_t now = start;
for (;;) {
uint64_t remain = timeout - (now - start);
struct timespec ts;
ts.tv_sec = remain / 1000;
ts.tv_nsec = (remain % 1000) * 1000 * 1000;
syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
return 1;
now = current_time_ms();
if (now - start > timeout)
return 0;
}
}
struct thread_t {
int created, call;
event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
static int running;
static void* thr(void* arg)
{
struct thread_t* th = (struct thread_t*)arg;
for (;;) {
event_wait(&th->ready);
event_reset(&th->ready);
execute_call(th->call);
__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
event_set(&th->done);
}
return 0;
}
static void loop(void)
{
int i, call, thread;
for (call = 0; call < 3; call++) {
for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
struct thread_t* th = &threads[thread];
if (!th->created) {
th->created = 1;
event_init(&th->ready);
event_init(&th->done);
event_set(&th->done);
thread_start(thr, th);
}
if (!event_isset(&th->done))
continue;
event_reset(&th->done);
th->call = call;
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
event_set(&th->ready);
event_timedwait(&th->done, 50 + (call == 0 ? 500 : 0));
break;
}
}
for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
sleep_ms(1);
}
uint64_t r[1] = {0xffffffffffffffff};
void execute_call(int call)
{
intptr_t res = 0;
switch (call) {
case 0:
*(uint32_t*)0x20000000 = 6;
*(uint32_t*)0x20000004 = 3;
*(uint64_t*)0x20000008 = 0x200000c0;
*(uint8_t*)0x200000c0 = 0x18;
STORE_BY_BITMASK(uint8_t, , 0x200000c1, 0, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x200000c1, 0, 4, 4);
*(uint16_t*)0x200000c2 = 0;
*(uint32_t*)0x200000c4 = 0;
*(uint8_t*)0x200000c8 = 0;
*(uint8_t*)0x200000c9 = 0;
*(uint16_t*)0x200000ca = 0;
*(uint32_t*)0x200000cc = 0;
*(uint8_t*)0x200000d0 = 0x95;
*(uint8_t*)0x200000d1 = 0;
*(uint16_t*)0x200000d2 = 0;
*(uint32_t*)0x200000d4 = 0;
*(uint64_t*)0x20000010 = 0x20000100;
memcpy((void*)0x20000100, "syzkaller\000", 10);
*(uint32_t*)0x20000018 = 0;
*(uint32_t*)0x2000001c = 0;
*(uint64_t*)0x20000020 = 0;
*(uint32_t*)0x20000028 = 0;
*(uint32_t*)0x2000002c = 0;
memset((void*)0x20000030, 0, 16);
*(uint32_t*)0x20000040 = 0;
*(uint32_t*)0x20000044 = 0x1b;
*(uint32_t*)0x20000048 = -1;
*(uint32_t*)0x2000004c = 8;
*(uint64_t*)0x20000050 = 0;
*(uint32_t*)0x20000058 = 0;
*(uint32_t*)0x2000005c = 0x10;
*(uint64_t*)0x20000060 = 0;
*(uint32_t*)0x20000068 = 0;
*(uint32_t*)0x2000006c = 0;
*(uint32_t*)0x20000070 = 0;
*(uint32_t*)0x20000074 = 0;
*(uint64_t*)0x20000078 = 0;
res = syscall(__NR_bpf, 5ul, 0x20000000ul, 0x80ul);
if (res != -1)
r[0] = res;
break;
case 1:
*(uint32_t*)0x20000280 = r[0];
*(uint32_t*)0x20000284 = 0;
*(uint32_t*)0x20000288 = 0;
*(uint32_t*)0x2000028c = 0;
*(uint64_t*)0x20000290 = 0;
*(uint64_t*)0x20000298 = 0;
*(uint32_t*)0x200002a0 = 0xffffff7f;
*(uint32_t*)0x200002a4 = 0;
*(uint32_t*)0x200002a8 = 0;
*(uint32_t*)0x200002ac = 0;
*(uint64_t*)0x200002b0 = 0;
*(uint64_t*)0x200002b8 = 0;
*(uint32_t*)0x200002c0 = 0;
*(uint32_t*)0x200002c4 = 0;
syscall(__NR_bpf, 0xaul, 0x20000280ul, 0x48ul);
break;
case 2:
*(uint32_t*)0x200000c0 = 2;
*(uint32_t*)0x200000c4 = 0x80;
*(uint8_t*)0x200000c8 = 1;
*(uint8_t*)0x200000c9 = 0;
*(uint8_t*)0x200000ca = 0;
*(uint8_t*)0x200000cb = 0;
*(uint32_t*)0x200000cc = 0;
*(uint64_t*)0x200000d0 = 0;
*(uint64_t*)0x200000d8 = 0;
*(uint64_t*)0x200000e0 = 0;
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 0, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 1, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 2, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 3, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 4, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 5, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 6, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 7, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 8, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 9, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 10, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 11, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 12, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 13, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 14, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 15, 2);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 17, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 18, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 19, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 20, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 21, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 22, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 23, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 24, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 25, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 26, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 27, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 28, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 29, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 30, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 31, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 32, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 33, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 34, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 35, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 36, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 37, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 38, 26);
*(uint32_t*)0x200000f0 = 0;
*(uint32_t*)0x200000f4 = 2;
*(uint64_t*)0x200000f8 = 0;
*(uint64_t*)0x20000100 = 0;
*(uint64_t*)0x20000108 = 0;
*(uint64_t*)0x20000110 = 4;
*(uint32_t*)0x20000118 = 0;
*(uint32_t*)0x2000011c = 0;
*(uint64_t*)0x20000120 = 0;
*(uint32_t*)0x20000128 = 0;
*(uint16_t*)0x2000012c = 0;
*(uint16_t*)0x2000012e = 0;
*(uint32_t*)0x20000130 = 0;
*(uint32_t*)0x20000134 = 0;
*(uint64_t*)0x20000138 = 0;
syscall(__NR_perf_event_open, 0x200000c0ul, 0, 0ul, -1, 0ul);
break;
}
}
int main(void)
{
syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
loop();
return 0;
}
The following adapted patch is proposed to fix the bug on the 5.10.y kernel:
[PATCH 5.10.y 1/1] bpf: Convert BPF_DISPATCHER to use static_call() (not ftrace)
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 5.10.y 1/1] bpf: Convert BPF_DISPATCHER to use static_call() (not ftrace)
2024-01-29 9:17 [PATCH 5.10.y 0/1] bpf: fix warning ftrace_verify_code kovalev
@ 2024-01-29 9:17 ` kovalev
2024-01-29 16:20 ` [PATCH 5.10.y 0/1] bpf: fix warning ftrace_verify_code Greg KH
1 sibling, 0 replies; 4+ messages in thread
From: kovalev @ 2024-01-29 9:17 UTC (permalink / raw)
To: stable
Cc: linux-kernel, bpf, netdev, kpsingh, john.fastabend, yhs,
songliubraving, kafai, andrii, daniel, ast, kovalev, nickel,
oficerovas, dutyrok
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit c86df29d11dfba27c0a1f5039cd6fe387fbf4239 ]
The dispatcher function is currently abusing the ftrace __fentry__
call location for its own purposes -- this obviously gives trouble
when the dispatcher and ftrace are both in use.
A previous solution tried using __attribute__((patchable_function_entry()))
which works, except it is GCC-8+ only, breaking the build on the
earlier still supported compilers. Instead use static_call() -- which
has its own annotations and does not conflict with ftrace -- to
rewrite the dispatch function.
By using: return static_call()(ctx, insni, bpf_func) you get a perfect
forwarding tail call as function body (iow a single jmp instruction).
By having the default static_call() target be bpf_dispatcher_nop_func()
it retains the default behaviour (an indirect call to the argument
function). Only once a dispatcher program is attached is the target
rewritten to directly call the JIT'ed image.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Tested-by: Björn Töpel <bjorn@kernel.org>
Tested-by: Jiri Olsa <jolsa@kernel.org>
Acked-by: Björn Töpel <bjorn@kernel.org>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Link: https://lkml.kernel.org/r/Y1/oBlK0yFk5c/Im@hirez.programming.kicks-ass.net
Link: https://lore.kernel.org/bpf/20221103120647.796772565@infradead.org
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
---
include/linux/bpf.h | 39 ++++++++++++++++++++++++++++++++++++++-
kernel/bpf/dispatcher.c | 22 ++++++++--------------
2 files changed, 46 insertions(+), 15 deletions(-)
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 8f4379e93ad49b..2c8c7515609a07 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -21,6 +21,7 @@
#include <linux/kallsyms.h>
#include <linux/capability.h>
#include <linux/percpu-refcount.h>
+#include <linux/static_call.h>
struct bpf_verifier_env;
struct bpf_verifier_log;
@@ -650,6 +651,10 @@ struct bpf_dispatcher {
void *image;
u32 image_off;
struct bpf_ksym ksym;
+#ifdef CONFIG_HAVE_STATIC_CALL
+ struct static_call_key *sc_key;
+ void *sc_tramp;
+#endif
};
static __always_inline unsigned int bpf_dispatcher_nop_func(
@@ -667,6 +672,34 @@ struct bpf_trampoline *bpf_trampoline_get(u64 key,
struct bpf_attach_target_info *tgt_info);
void bpf_trampoline_put(struct bpf_trampoline *tr);
int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs);
+
+/*
+ * When the architecture supports STATIC_CALL replace the bpf_dispatcher_fn
+ * indirection with a direct call to the bpf program. If the architecture does
+ * not have STATIC_CALL, avoid a double-indirection.
+ */
+#ifdef CONFIG_HAVE_STATIC_CALL
+
+#define __BPF_DISPATCHER_SC_INIT(_name) \
+ .sc_key = &STATIC_CALL_KEY(_name), \
+ .sc_tramp = STATIC_CALL_TRAMP_ADDR(_name),
+
+#define __BPF_DISPATCHER_SC(name) \
+ DEFINE_STATIC_CALL(bpf_dispatcher_##name##_call, bpf_dispatcher_nop_func)
+
+#define __BPF_DISPATCHER_CALL(name) \
+ static_call(bpf_dispatcher_##name##_call)(ctx, insnsi, bpf_func)
+
+#define __BPF_DISPATCHER_UPDATE(_d, _new) \
+ __static_call_update((_d)->sc_key, (_d)->sc_tramp, (_new))
+
+#else
+#define __BPF_DISPATCHER_SC_INIT(name)
+#define __BPF_DISPATCHER_SC(name)
+#define __BPF_DISPATCHER_CALL(name) bpf_func(ctx, insnsi)
+#define __BPF_DISPATCHER_UPDATE(_d, _new)
+#endif
+
#define BPF_DISPATCHER_INIT(_name) { \
.mutex = __MUTEX_INITIALIZER(_name.mutex), \
.func = &_name##_func, \
@@ -678,20 +711,23 @@ int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs);
.name = #_name, \
.lnode = LIST_HEAD_INIT(_name.ksym.lnode), \
}, \
+ __BPF_DISPATCHER_SC_INIT(_name##_call) \
}
#define DEFINE_BPF_DISPATCHER(name) \
+ __BPF_DISPATCHER_SC(name); \
noinline unsigned int bpf_dispatcher_##name##_func( \
const void *ctx, \
const struct bpf_insn *insnsi, \
unsigned int (*bpf_func)(const void *, \
const struct bpf_insn *)) \
{ \
- return bpf_func(ctx, insnsi); \
+ return __BPF_DISPATCHER_CALL(name); \
} \
EXPORT_SYMBOL(bpf_dispatcher_##name##_func); \
struct bpf_dispatcher bpf_dispatcher_##name = \
BPF_DISPATCHER_INIT(bpf_dispatcher_##name);
+
#define DECLARE_BPF_DISPATCHER(name) \
unsigned int bpf_dispatcher_##name##_func( \
const void *ctx, \
@@ -699,6 +735,7 @@ int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs);
unsigned int (*bpf_func)(const void *, \
const struct bpf_insn *)); \
extern struct bpf_dispatcher bpf_dispatcher_##name;
+
#define BPF_DISPATCHER_FUNC(name) bpf_dispatcher_##name##_func
#define BPF_DISPATCHER_PTR(name) (&bpf_dispatcher_##name)
void bpf_dispatcher_change_prog(struct bpf_dispatcher *d, struct bpf_prog *from,
diff --git a/kernel/bpf/dispatcher.c b/kernel/bpf/dispatcher.c
index 2444bd15cc2d03..4c6c2e3ac56459 100644
--- a/kernel/bpf/dispatcher.c
+++ b/kernel/bpf/dispatcher.c
@@ -4,6 +4,7 @@
#include <linux/hash.h>
#include <linux/bpf.h>
#include <linux/filter.h>
+#include <linux/static_call.h>
/* The BPF dispatcher is a multiway branch code generator. The
* dispatcher is a mechanism to avoid the performance penalty of an
@@ -104,17 +105,11 @@ static int bpf_dispatcher_prepare(struct bpf_dispatcher *d, void *image)
static void bpf_dispatcher_update(struct bpf_dispatcher *d, int prev_num_progs)
{
- void *old, *new;
- u32 noff;
- int err;
-
- if (!prev_num_progs) {
- old = NULL;
- noff = 0;
- } else {
- old = d->image + d->image_off;
+ void *new, *tmp;
+ u32 noff = 0;
+
+ if (prev_num_progs)
noff = d->image_off ^ (PAGE_SIZE / 2);
- }
new = d->num_progs ? d->image + noff : NULL;
if (new) {
@@ -122,11 +117,10 @@ static void bpf_dispatcher_update(struct bpf_dispatcher *d, int prev_num_progs)
return;
}
- err = bpf_arch_text_poke(d->func, BPF_MOD_JUMP, old, new);
- if (err || !new)
- return;
+ __BPF_DISPATCHER_UPDATE(d, new ?: &bpf_dispatcher_nop_func);
- d->image_off = noff;
+ if (new)
+ d->image_off = noff;
}
void bpf_dispatcher_change_prog(struct bpf_dispatcher *d, struct bpf_prog *from,
--
2.33.8
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 5.10.y 0/1] bpf: fix warning ftrace_verify_code
2024-01-29 9:17 [PATCH 5.10.y 0/1] bpf: fix warning ftrace_verify_code kovalev
2024-01-29 9:17 ` [PATCH 5.10.y 1/1] bpf: Convert BPF_DISPATCHER to use static_call() (not ftrace) kovalev
@ 2024-01-29 16:20 ` Greg KH
2024-01-29 18:33 ` kovalev
1 sibling, 1 reply; 4+ messages in thread
From: Greg KH @ 2024-01-29 16:20 UTC (permalink / raw)
To: kovalev
Cc: stable, linux-kernel, bpf, netdev, kpsingh, john.fastabend, yhs,
songliubraving, kafai, andrii, daniel, ast, nickel, oficerovas,
dutyrok
On Mon, Jan 29, 2024 at 12:17:45PM +0300, kovalev@altlinux.org wrote:
> Syzkaller hit 'WARNING in ftrace_verify_code' bug.
>
> This bug is not a vulnerability and is reproduced only when running
> with root privileges on stable 5.10 kernel.
What about 5.15.y? We can't take a patch for older kernels and not for
newer ones, right?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 5.10.y 0/1] bpf: fix warning ftrace_verify_code
2024-01-29 16:20 ` [PATCH 5.10.y 0/1] bpf: fix warning ftrace_verify_code Greg KH
@ 2024-01-29 18:33 ` kovalev
0 siblings, 0 replies; 4+ messages in thread
From: kovalev @ 2024-01-29 18:33 UTC (permalink / raw)
To: Greg KH
Cc: stable, linux-kernel, bpf, netdev, kpsingh, john.fastabend, yhs,
songliubraving, kafai, andrii, daniel, ast, nickel, oficerovas,
dutyrok
29.01.2024 19:20, Greg KH wrote:
> On Mon, Jan 29, 2024 at 12:17:45PM +0300, kovalev@altlinux.org wrote:
>> Syzkaller hit 'WARNING in ftrace_verify_code' bug.
>>
>> This bug is not a vulnerability and is reproduced only when running
>> with root privileges on stable 5.10 kernel.
> What about 5.15.y? We can't take a patch for older kernels and not for
> newer ones, right?
Indeed, this patch was not backported at 5.15.
I fixed it, successfully tested it on the 5.15.148 kernel and sent the
patch [1]
However, at the time of the kernel build, I noticed a compiler warning
about an unused "*tmp" variable,
that I fixed in the patch for 5.15, but remained in this patch 5.10:
...
+ void *new, *tmp;
...
need to fix on
...
+ void *new;
...
Therefore, I resend the patch with a fix (deleted the unused tmp
pointer). [2]
[1]
https://lore.kernel.org/bpf/20240129180108.284057-1-kovalev@altlinux.org/T/#u
[2]
https://lore.kernel.org/bpf/20240129183120.284801-1-kovalev@altlinux.org/T/#u
--
Regards,
Vasiliy Kovalev
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-01-29 18:34 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-01-29 9:17 [PATCH 5.10.y 0/1] bpf: fix warning ftrace_verify_code kovalev
2024-01-29 9:17 ` [PATCH 5.10.y 1/1] bpf: Convert BPF_DISPATCHER to use static_call() (not ftrace) kovalev
2024-01-29 16:20 ` [PATCH 5.10.y 0/1] bpf: fix warning ftrace_verify_code Greg KH
2024-01-29 18:33 ` kovalev
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).