syzbot


BUG: unable to handle kernel paging request in bpf_trace_run3

Status: fixed on 2021/04/09 19:46
Subsystems: bpf trace
[Documentation on labels]
Reported-by: syzbot+83aa762ef23b6f0d1991@syzkaller.appspotmail.com
Fix commit: befe6d946551 tracepoint: Do not fail unregistering a probe due to memory failure
First crash: 1318d, last: 1191d
Cause bisection: introduced by (bisect log) :
commit 9df1c28bb75217b244257152ab7d788bb2a386d0
Author: Matt Mullins <mmullins@fb.com>
Date: Fri Apr 26 18:49:47 2019 +0000

  bpf: add writable context for raw tracepoints

Crash: BUG: unable to handle kernel paging request in __bpf_trace_sched_switch (log)
Repro: C syz .config
  
Discussions (12)
Title Replies (including bot) Last reply
[PATCH 4.19 000/247] 4.19.178-rc1 review 277 (277) 2022/03/02 15:52
[PATCH 5.10 000/663] 5.10.20-rc1 review 673 (673) 2021/03/05 18:03
[PATCH 5.4 000/340] 5.4.102-rc1 review 348 (348) 2021/03/04 09:26
[PATCH 4.4 00/93] 4.4.259-rc1 review 99 (99) 2021/03/02 19:02
[PATCH 4.9 000/134] 4.9.259-rc1 review 137 (137) 2021/03/01 21:45
[PATCH 5.11 000/775] 5.11.3-rc1 review 776 (776) 2021/03/01 16:15
[PATCH 4.14 000/176] 4.14.223-rc1 review 177 (177) 2021/03/01 16:14
[for-next][PATCH 14/15] tracepoint: Do not fail unregistering a probe due to memory failure 8 (8) 2021/02/04 17:47
[PATCH v2] tracepoint: Do not fail unregistering a probe due to memory allocation 5 (5) 2021/01/27 14:30
[PATCH] tracepoint: Do not fail unregistering a probe due to memory allocation 48 (48) 2020/11/24 05:59
[PATCH] bpf: don't fail kmalloc while releasing raw_tp 13 (13) 2020/11/18 04:57
BUG: unable to handle kernel paging request in bpf_trace_run3 0 (1) 2020/10/22 07:13
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: vmalloc-out-of-bounds Read in bpf_trace_run3 bpf trace C done 6 1200d 1303d 20/26 fixed on 2021/04/09 19:46

Sample crash report:
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
BUG: unable to handle page fault for address: ffffc90000e84030
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD aa000067 
P4D aa000067 
PUD aa1ee067 
PMD a9074067 
PTE 0

Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 6879 Comm: syz-executor875 Not tainted 5.9.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:bpf_dispatcher_nop_func include/linux/bpf.h:644 [inline]
RIP: 0010:__bpf_trace_run kernel/trace/bpf_trace.c:2045 [inline]
RIP: 0010:bpf_trace_run3+0x145/0x3f0 kernel/trace/bpf_trace.c:2083
Code: f7 ff 48 8d 7b 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 9f 02 00 00 48 8d 73 38 48 8d 7c 24 28 <ff> 53 30 e8 c3 00 f7 ff e8 fe 32 c3 06 31 ff 89 c3 89 c6 e8 13 fd
RSP: 0018:ffffc90005457838 EFLAGS: 00010082

RAX: 0000000000000000 RBX: ffffc90000e84000 RCX: ffffffff817e37b0
RDX: 0000000000000000 RSI: ffffc90000e84038 RDI: ffffc90005457860
RBP: 1ffff92000a8af08 R08: 0000000000000000 R09: ffffffff8d7149a7
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: ffff888092df4440 R14: 0000000000000001 R15: ffff8880a8f2e300
FS:  0000000001666880(0000) GS:ffff8880ae400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90000e84030 CR3: 000000009d9ab000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __bpf_trace_sched_switch+0xdc/0x120 include/trace/events/sched.h:138
 __traceiter_sched_switch+0x64/0xb0 include/trace/events/sched.h:138
 trace_sched_switch include/trace/events/sched.h:138 [inline]
 __schedule+0x1197/0x2200 kernel/sched/core.c:4520
 preempt_schedule_common+0x45/0xc0 kernel/sched/core.c:4682
 preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:40
 vprintk_emit+0x2d7/0x6e0 kernel/printk/printk.c:2029
 vprintk_func+0x8d/0x1e0 kernel/printk/printk_safe.c:393
 printk+0xba/0xed kernel/printk/printk.c:2076
 fail_dump lib/fault-inject.c:45 [inline]
 should_fail+0x472/0x5a0 lib/fault-inject.c:146
 should_failslab+0x5/0x10 mm/slab_common.c:1194
 slab_pre_alloc_hook.constprop.0+0xf4/0x200 mm/slab.h:512
 slab_alloc mm/slab.c:3300 [inline]
 __do_kmalloc mm/slab.c:3655 [inline]
 __kmalloc+0x6f/0x360 mm/slab.c:3666
 kmalloc include/linux/slab.h:559 [inline]
 allocate_probes kernel/tracepoint.c:58 [inline]
 func_remove kernel/tracepoint.c:210 [inline]
 tracepoint_remove_func kernel/tracepoint.c:297 [inline]
 tracepoint_probe_unregister+0x1cf/0x890 kernel/tracepoint.c:382
 bpf_raw_tp_link_release+0x51/0xa0 kernel/bpf/syscall.c:2734
 bpf_link_free+0xe6/0x1b0 kernel/bpf/syscall.c:2327
 bpf_link_put+0x15e/0x1b0 kernel/bpf/syscall.c:2353
 bpf_link_release+0x33/0x40 kernel/bpf/syscall.c:2361
 __fput+0x285/0x920 fs/file_table.c:281
 task_work_run+0xdd/0x190 kernel/task_work.c:141
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:165 [inline]
 exit_to_user_mode_prepare+0x20e/0x230 kernel/entry/common.c:192
 syscall_exit_to_user_mode+0x7a/0x2c0 kernel/entry/common.c:267
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x441509
Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd2b2c6888 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000441509
RDX: fffffffffffffffd RSI: 0000000000000001 RDI: 0000000000000004
RBP: 00007ffd2b2c68a0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
CR2: ffffc90000e84030
---[ end trace a42c1d698c9da70b ]---
RIP: 0010:bpf_dispatcher_nop_func include/linux/bpf.h:644 [inline]
RIP: 0010:__bpf_trace_run kernel/trace/bpf_trace.c:2045 [inline]
RIP: 0010:bpf_trace_run3+0x145/0x3f0 kernel/trace/bpf_trace.c:2083
Code: f7 ff 48 8d 7b 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 9f 02 00 00 48 8d 73 38 48 8d 7c 24 28 <ff> 53 30 e8 c3 00 f7 ff e8 fe 32 c3 06 31 ff 89 c3 89 c6 e8 13 fd
RSP: 0018:ffffc90005457838 EFLAGS: 00010082
RAX: 0000000000000000 RBX: ffffc90000e84000 RCX: ffffffff817e37b0
RDX: 0000000000000000 RSI: ffffc90000e84038 RDI: ffffc90005457860
RBP: 1ffff92000a8af08 R08: 0000000000000000 R09: ffffffff8d7149a7
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: ffff888092df4440 R14: 0000000000000001 R15: ffff8880a8f2e300
FS:  0000000001666880(0000) GS:ffff8880ae400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90000e84030 CR3: 000000009d9ab000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (40):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/10/18 07:30 bpf 9ff9b0d392ea fea47c01 .config console log report syz C ci-upstream-bpf-kasan-gce
2021/02/21 13:42 upstream e767b3530acb 3e5ed8b4 .config console log report info ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel paging request in bpf_trace_run3
2021/02/12 14:27 net-old 308daa19e2d0 a5f86b15 .config console log report info ci-upstream-net-this-kasan-gce BUG: unable to handle kernel paging request in bpf_trace_run3
2021/02/12 06:27 net-old 1bcc51ac0731 a5f86b15 .config console log report info ci-upstream-net-this-kasan-gce BUG: unable to handle kernel paging request in bpf_trace_run3
2021/02/11 10:56 bpf 291009f656e8 a52ee10a .config console log report info ci-upstream-bpf-kasan-gce BUG: unable to handle kernel paging request in bpf_trace_run3
2021/02/11 04:46 net-old 291009f656e8 a52ee10a .config console log report info ci-upstream-net-this-kasan-gce BUG: unable to handle kernel paging request in bpf_trace_run3
2021/02/08 11:44 bpf 6183f4d3a0a2 2ce644fc .config console log report info ci-upstream-bpf-kasan-gce BUG: unable to handle kernel paging request in bpf_trace_run3
2021/01/25 20:43 net-old 344db93ae3ee 52e37319 .config console log report info ci-upstream-net-this-kasan-gce BUG: unable to handle kernel paging request in bpf_trace_run3
2021/02/15 04:40 bpf-next 5e1d40b75ed8 98682e5e .config console log report info ci-upstream-bpf-next-kasan-gce BUG: unable to handle kernel paging request in bpf_trace_run3
2021/02/12 14:23 net-next-old 3c5a2fd042d0 a5f86b15 .config console log report info ci-upstream-net-kasan-gce BUG: unable to handle kernel paging request in bpf_trace_run3
2021/02/10 17:00 bpf-next ee5cc0363ea0 2bd9619f .config console log report info ci-upstream-bpf-next-kasan-gce BUG: unable to handle kernel paging request in bpf_trace_run3
2021/01/30 11:24 net-next-old 14e8e0f60088 fc9fd31e .config console log report info ci-upstream-net-kasan-gce BUG: unable to handle kernel paging request in bpf_trace_run3
2021/01/27 13:56 bpf-next 86ce322d21eb a0ebf917 .config console log report info ci-upstream-bpf-next-kasan-gce BUG: unable to handle kernel paging request in bpf_trace_run3
2021/01/21 20:18 net-next-old 9e8789c85dee d4f4eca5 .config console log report info ci-upstream-net-kasan-gce BUG: unable to handle kernel paging request in bpf_trace_run3
2021/01/19 16:31 bpf-next 95204c9bfa48 63631df1 .config console log report info ci-upstream-bpf-next-kasan-gce BUG: unable to handle kernel paging request in bpf_trace_run3
2021/01/17 21:08 net-next-old 213b97b12580 813be542 .config console log report info ci-upstream-net-kasan-gce BUG: unable to handle kernel paging request in bpf_trace_run3
2021/01/10 05:48 bpf 286e95eed12e 2c1f2513 .config console log report info ci-upstream-bpf-kasan-gce
2021/01/09 19:32 bpf 286e95eed12e 2c1f2513 .config console log report info ci-upstream-bpf-kasan-gce
2021/01/07 07:24 net-old 3503ee6c0bec c104d4a3 .config console log report info ci-upstream-net-this-kasan-gce
2020/12/03 17:21 bpf 3413f04141aa e6b0d314 .config console log report info ci-upstream-bpf-kasan-gce
2020/12/01 20:01 bpf ed1182dc004d 07bfe8a5 .config console log report info ci-upstream-bpf-kasan-gce
2020/11/18 20:26 bpf 4363023d2668 09323409 .config console log report info ci-upstream-bpf-kasan-gce
2020/10/28 04:22 bpf 343a3e8bc635 96e03c1c .config console log report info ci-upstream-bpf-kasan-gce
2020/10/18 07:11 bpf 9ff9b0d392ea fea47c01 .config console log report info ci-upstream-bpf-kasan-gce
2021/01/09 14:21 bpf-next e22d7f05e445 a6c52263 .config console log report info ci-upstream-bpf-next-kasan-gce
2021/01/06 17:09 net-next-old ede71cae7285 c104d4a3 .config console log report info ci-upstream-net-kasan-gce
2020/12/29 02:43 bpf-next 00a279e42f67 8259d56c .config console log report info ci-upstream-bpf-next-kasan-gce
2020/12/26 03:43 bpf-next 00a279e42f67 821e0b09 .config console log report info ci-upstream-bpf-next-kasan-gce
2020/12/24 02:16 bpf-next 00a279e42f67 c2c1d1dd .config console log report info ci-upstream-bpf-next-kasan-gce
2020/12/16 21:17 net-next-old 3db1a3fa9880 04201c06 .config console log report info ci-upstream-net-kasan-gce
2020/12/15 04:31 net-next-old 13458ffe0a95 97183ed7 .config console log report info ci-upstream-net-kasan-gce
2020/12/06 17:16 net-next-old 00649542f1ba f12ba0c5 .config console log report info ci-upstream-net-kasan-gce
2020/12/03 15:33 bpf-next 97306be45fbe e6b0d314 .config console log report info ci-upstream-bpf-next-kasan-gce
2020/11/29 10:17 net-next-old e71d2b957ee4 a0092f9d .config console log report info ci-upstream-net-kasan-gce
2020/11/10 14:57 net-next-old 8be33ecfc1ff cca87986 .config console log report info ci-upstream-net-kasan-gce
2020/11/07 19:32 bpf-next f055f355faf1 64069d48 .config console log report info ci-upstream-bpf-next-kasan-gce
2020/10/28 04:22 bpf-next 3cb12d27ff65 96e03c1c .config console log report info ci-upstream-bpf-next-kasan-gce
2020/10/26 13:24 bpf-next 9ff9b0d392ea a7aac492 .config console log report info ci-upstream-bpf-next-kasan-gce
2020/10/24 00:26 bpf-next 9ff9b0d392ea 2bb6666c .config console log report info ci-upstream-bpf-next-kasan-gce
2020/10/22 23:43 bpf-next 9ff9b0d392ea 4e740c00 .config console log report info ci-upstream-bpf-next-kasan-gce
* Struck through repros no longer work on HEAD.