syzbot


BUG: unable to handle kernel paging request in bpf_fd_array_map_lookup_elem

Status: fixed on 2018/01/22 13:19
Subsystems: bpf
[Documentation on labels]
Reported-by: syzbot+2ed81eddc23bed7fc6db@syzkaller.appspotmail.com
Fix commit: bbeb6e4323da bpf, array: fix overflow in max_entries and undefined behavior in index_mask
First crash: 2317d, last: 2313d

Sample crash report:
BUG: unable to handle kernel paging request at ffffed004a792d3e
IP: __read_once_size include/linux/compiler.h:183 [inline]
IP: bpf_fd_array_map_lookup_elem+0x206/0x4c0 kernel/bpf/arraymap.c:374
PGD 21ffee067 P4D 21ffee067 PUD 21ffec067 PMD 0 
Oops: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 3523 Comm: syz-executor7 Not tainted 4.15.0-rc8+ #263
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:183 [inline]
RIP: 0010:bpf_fd_array_map_lookup_elem+0x206/0x4c0 kernel/bpf/arraymap.c:374
RSP: 0018:ffff8801d4e57710 EFLAGS: 00010a02
RAX: dffffc0000000000 RBX: ffff8801d3ef6840 RCX: ffffffff81811365
RDX: 1ffff1004a792d3e RSI: ffffc900041a3000 RDI: ffff8801d3ef6904
RBP: ffff8801d4e577a8 R08: 1ffff1003a9cae23 R09: 0000000000000002
R10: ffff8801d4e575e0 R11: 0000000000000000 R12: ffff880253c969f0
R13: 1ffff1003a9caee4 R14: ffff8801d8ead880 R15: ffff8801d4e57780
FS:  00007fc9eeab0700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed004a792d3e CR3: 00000001c896d001 CR4: 00000000001626f0
Call Trace:
 map_lookup_elem+0x6b5/0xbd0 kernel/bpf/syscall.c:577
 SYSC_bpf kernel/bpf/syscall.c:1711 [inline]
 SyS_bpf+0x922/0x4400 kernel/bpf/syscall.c:1685
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x452df9
RSP: 002b:00007fc9eeaafc58 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fc9eeab0700 RCX: 0000000000452df9
RDX: 0000000000000018 RSI: 0000000020f6b000 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
R13: 0000000000a2f7ef R14: 00007fc9eeab09c0 R15: 0000000000000000
Code: 00 44 23 a3 c4 00 00 00 44 0f af e6 49 01 c4 0f 84 8d 01 00 00 e8 5b 04 ef ff 4c 89 e2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 28 02 00 00 49 8b 04 24 4d 8d 67 c0 48 ba 00 
RIP: __read_once_size include/linux/compiler.h:183 [inline] RSP: ffff8801d4e57710
RIP: bpf_fd_array_map_lookup_elem+0x206/0x4c0 kernel/bpf/arraymap.c:374 RSP: ffff8801d4e57710
CR2: ffffed004a792d3e
---[ end trace 56278e66f8d81dd4 ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/01/16 20:45 upstream a8750ddca918 a46e5318 .config console log report ci-upstream-kasan-gce
2018/01/14 20:36 upstream 9443c168505d 66d492a6 .config console log report ci-upstream-kasan-gce
2018/01/14 09:32 upstream 2c1cfa499018 c9e7aeae .config console log report ci-upstream-kasan-gce-386
2018/01/16 00:22 net-next-old 594831a8aba3 e17f4a5d .config console log report ci-upstream-net-kasan-gce
2018/01/12 22:20 net-next-old 19d28fbd306e 9dc808a6 .config console log report ci-upstream-net-kasan-gce
* Struck through repros no longer work on HEAD.