linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [syzbot] WARNING: kmalloc bug in bpf_check
@ 2021-09-04  0:01 syzbot
  2021-09-04  0:07 ` Eric Dumazet
  2021-09-05 20:04 ` syzbot
  0 siblings, 2 replies; 3+ messages in thread
From: syzbot @ 2021-09-04  0:01 UTC (permalink / raw)
  To: andrii, ast, bpf, clang-built-linux, daniel, davem, hawk,
	john.fastabend, kafai, kpsingh, kuba, linux-kernel, nathan,
	ndesaulniers, netdev, songliubraving, syzkaller-bugs, yhs

Hello,

syzbot found the following issue on:

HEAD commit:    a9c9a6f741cd Merge tag 'scsi-misc' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13fd5915300000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c84ed2c3f57ace
dashboard link: https://syzkaller.appspot.com/bug?extid=f3e749d4c662818ae439
compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11e4cdf5300000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14ef3b33300000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 8408 at mm/util.c:597 kvmalloc_node+0x108/0x110 mm/util.c:597
Modules linked in:
CPU: 0 PID: 8408 Comm: syz-executor221 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:kvmalloc_node+0x108/0x110 mm/util.c:597
Code: ff 48 89 df 44 89 fe 44 89 f2 e8 a3 6e 17 00 48 89 c5 eb 05 e8 19 28 ce ff 48 89 e8 5b 41 5c 41 5e 41 5f 5d c3 e8 08 28 ce ff <0f> 0b 31 ed eb e9 66 90 41 56 53 49 89 f6 48 89 fb e8 f2 27 ce ff
RSP: 0018:ffffc900017ff210 EFLAGS: 00010293
RAX: ffffffff81b2b708 RBX: 0000000200004d00 RCX: ffff888013ded580
RDX: 0000000000000000 RSI: 0000000200004d00 RDI: 000000007fffffff
RBP: 0000000000000000 R08: ffffffff81b2b6ac R09: 00000000ffffffff
R10: fffff520002ffe15 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: 00000000ffffffff R15: 0000000000002dc0
FS:  0000000001386300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3e712d36c0 CR3: 00000000342e8000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 kvmalloc include/linux/mm.h:806 [inline]
 kvmalloc_array include/linux/mm.h:824 [inline]
 kvcalloc include/linux/mm.h:829 [inline]
 check_btf_line kernel/bpf/verifier.c:9925 [inline]
 check_btf_info kernel/bpf/verifier.c:10049 [inline]
 bpf_check+0xd634/0x150d0 kernel/bpf/verifier.c:13759
 bpf_prog_load kernel/bpf/syscall.c:2301 [inline]
 __sys_bpf+0x11181/0x126e0 kernel/bpf/syscall.c:4587
 __do_sys_bpf kernel/bpf/syscall.c:4691 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4689 [inline]
 __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4689
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43f0a9
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe831a89a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f0a9
RDX: 0000000000000078 RSI: 0000000020000500 RDI: 0000000000000005
RBP: 0000000000403090 R08: 0000000000000000 R09: 0000000000400488
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403120
R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [syzbot] WARNING: kmalloc bug in bpf_check
  2021-09-04  0:01 [syzbot] WARNING: kmalloc bug in bpf_check syzbot
@ 2021-09-04  0:07 ` Eric Dumazet
  2021-09-05 20:04 ` syzbot
  1 sibling, 0 replies; 3+ messages in thread
From: Eric Dumazet @ 2021-09-04  0:07 UTC (permalink / raw)
  To: syzbot, andrii, ast, bpf, clang-built-linux, daniel, davem, hawk,
	john.fastabend, kafai, kpsingh, kuba, linux-kernel, nathan,
	ndesaulniers, netdev, songliubraving, syzkaller-bugs, yhs



On 9/3/21 5:01 PM, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    a9c9a6f741cd Merge tag 'scsi-misc' of git://git.kernel.org..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13fd5915300000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=c84ed2c3f57ace
> dashboard link: https://syzkaller.appspot.com/bug?extid=f3e749d4c662818ae439
> compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11e4cdf5300000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14ef3b33300000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com
> 
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 8408 at mm/util.c:597 kvmalloc_node+0x108/0x110 mm/util.c:597
> Modules linked in:
> CPU: 0 PID: 8408 Comm: syz-executor221 Not tainted 5.14.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:kvmalloc_node+0x108/0x110 mm/util.c:597
> Code: ff 48 89 df 44 89 fe 44 89 f2 e8 a3 6e 17 00 48 89 c5 eb 05 e8 19 28 ce ff 48 89 e8 5b 41 5c 41 5e 41 5f 5d c3 e8 08 28 ce ff <0f> 0b 31 ed eb e9 66 90 41 56 53 49 89 f6 48 89 fb e8 f2 27 ce ff
> RSP: 0018:ffffc900017ff210 EFLAGS: 00010293
> RAX: ffffffff81b2b708 RBX: 0000000200004d00 RCX: ffff888013ded580
> RDX: 0000000000000000 RSI: 0000000200004d00 RDI: 000000007fffffff
> RBP: 0000000000000000 R08: ffffffff81b2b6ac R09: 00000000ffffffff
> R10: fffff520002ffe15 R11: 0000000000000000 R12: 0000000000000000
> R13: dffffc0000000000 R14: 00000000ffffffff R15: 0000000000002dc0
> FS:  0000000001386300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f3e712d36c0 CR3: 00000000342e8000 CR4: 00000000001506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  kvmalloc include/linux/mm.h:806 [inline]
>  kvmalloc_array include/linux/mm.h:824 [inline]
>  kvcalloc include/linux/mm.h:829 [inline]
>  check_btf_line kernel/bpf/verifier.c:9925 [inline]
>  check_btf_info kernel/bpf/verifier.c:10049 [inline]
>  bpf_check+0xd634/0x150d0 kernel/bpf/verifier.c:13759
>  bpf_prog_load kernel/bpf/syscall.c:2301 [inline]
>  __sys_bpf+0x11181/0x126e0 kernel/bpf/syscall.c:4587
>  __do_sys_bpf kernel/bpf/syscall.c:4691 [inline]
>  __se_sys_bpf kernel/bpf/syscall.c:4689 [inline]
>  __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4689
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x43f0a9
> Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffe831a89a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
> RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f0a9
> RDX: 0000000000000078 RSI: 0000000020000500 RDI: 0000000000000005
> RBP: 0000000000403090 R08: 0000000000000000 R09: 0000000000400488
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403120
> R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this issue, for details see:
> https://goo.gl/tpsmEJ#testing-patches
> 

As mentioned to Linus earlier, this bug comes after recent patch

commit 7661809d493b426e979f39ab512e3adf41fbcc69
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed Jul 14 09:45:49 2021 -0700

    mm: don't allow oversized kvmalloc() calls
    
    'kvmalloc()' is a convenience function for people who want to do a
    kmalloc() but fall back on vmalloc() if there aren't enough physically
    contiguous pages, or if the allocation is larger than what kmalloc()
    supports.
    
    However, let's make sure it doesn't get _too_ easy to do crazy things
    with it.  In particular, don't allow big allocations that could be due
    to integer overflow or underflow.  So make sure the allocation size fits
    in an 'int', to protect against trivial integer conversion issues.
    
    Acked-by: Willy Tarreau <w@1wt.eu>
    Cc: Kees Cook <keescook@chromium.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [syzbot] WARNING: kmalloc bug in bpf_check
  2021-09-04  0:01 [syzbot] WARNING: kmalloc bug in bpf_check syzbot
  2021-09-04  0:07 ` Eric Dumazet
@ 2021-09-05 20:04 ` syzbot
  1 sibling, 0 replies; 3+ messages in thread
From: syzbot @ 2021-09-05 20:04 UTC (permalink / raw)
  To: akpm, andrii, ast, bpf, clang-built-linux, daniel, davem,
	eric.dumazet, hawk, john.fastabend, kafai, kpsingh, kuba,
	linux-kernel, linux-mm, nathan, ndesaulniers, netdev,
	songliubraving, syzkaller-bugs, torvalds, w, yhs

syzbot has bisected this issue to:

commit 7661809d493b426e979f39ab512e3adf41fbcc69
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed Jul 14 16:45:49 2021 +0000

    mm: don't allow oversized kvmalloc() calls

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13136b83300000
start commit:   a9c9a6f741cd Merge tag 'scsi-misc' of git://git.kernel.org..
git tree:       upstream
final oops:     https://syzkaller.appspot.com/x/report.txt?x=10936b83300000
console output: https://syzkaller.appspot.com/x/log.txt?x=17136b83300000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c84ed2c3f57ace
dashboard link: https://syzkaller.appspot.com/bug?extid=f3e749d4c662818ae439
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11e4cdf5300000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14ef3b33300000

Reported-by: syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com
Fixes: 7661809d493b ("mm: don't allow oversized kvmalloc() calls")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-09-05 20:04 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-04  0:01 [syzbot] WARNING: kmalloc bug in bpf_check syzbot
2021-09-04  0:07 ` Eric Dumazet
2021-09-05 20:04 ` syzbot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).