syzbot


BUG: unable to handle kernel paging request in bpf_prog_kallsyms_add

Status: fixed on 2019/09/06 20:45
Subsystems: bpf
Reported-by: syzbot+c827a78260579449ad39@syzkaller.appspotmail.com
Fix commit: c751798aa224 bpf: fix use after free in prog symbol exposure
First crash: 2266d, last: 1903d
Cause bisection: failed (error log, bisect log)
  
Discussions (4)

| Title | Replies (including bot) | Last reply |
| --- | --- | --- |
| Reminder: 8 active syzbot reports in "net/bpf" subsystem | 1 (1) | 2019/08/16 04:17 |
| Reminder: 36 open syzbot bugs in "net/bpf" subsystem | 1 (1) | 2019/07/03 06:01 |
| Reminder: 30 open syzbot bugs in "net/bpf" subsystem | 1 (1) | 2019/06/24 05:01 |
| BUG: unable to handle kernel paging request in bpf_prog_kallsyms_add | 2 (3) | 2019/03/04 12:30 |

Similar bugs (2)

| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| linux-4.14 | BUG: unable to handle kernel paging request in bpf_prog_kallsyms_add | | | | 1 | 1919d | 1919d | 0/1 | auto-closed as invalid on 2019/12/19 04:54 |
| linux-4.19 | BUG: unable to handle kernel paging request in bpf_prog_kallsyms_add | | | | 6 | 1886d | 2037d | 0/1 | auto-closed as invalid on 2020/01/21 09:31 |

Sample crash report:
BUG: unable to handle kernel paging request at ffffc90001930002
PGD 1da948067 P4D 1da948067 PUD 1da949067 PMD 1d49da067 PTE 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 12601 Comm: syz-executor3 Not tainted 4.19.0-rc2+ #93
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:bpf_prog_kallsyms_candidate kernel/bpf/core.c:472 [inline]
RIP: 0010:bpf_prog_kallsyms_add+0xbe/0x9b0 kernel/bpf/core.c:483
Code: d0 31 c0 e8 14 68 f3 ff 49 8d 7c 24 02 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 0f b6 04 18 38 d0 7f 08 84 c0 0f 85 39 07 00 00 <41> 0f b6 5c 24 02 31 ff 83 e3 01 89 de e8 b0 68 f3 ff 84 db 0f 84
RSP: 0018:ffff8801bc2af9c0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff818c8b39
RDX: 0000000000000002 RSI: ffffffff818b671c RDI: ffffc90001930002
RBP: ffff8801bc2afb30 R08: ffff8801bf750100 R09: ffffed003b584732
R10: ffffed003b584732 R11: ffff8801dac23993 R12: ffffc90001930000
R13: ffff8801bc2afd18 R14: 0000000000000000 R15: 1ffff10037855f3d
FS:  00007fb5d21c9700(0000) GS:ffff8801dac00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90001930002 CR3: 00000001bcd1c000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 bpf_prog_load+0x13d1/0x1cb0 kernel/bpf/syscall.c:1442
 __do_sys_bpf kernel/bpf/syscall.c:2371 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2333 [inline]
 __x64_sys_bpf+0x36c/0x510 kernel/bpf/syscall.c:2333
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457099
Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fb5d21c8c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fb5d21c96d4 RCX: 0000000000457099
RDX: 0000000000000048 RSI: 0000000020000000 RDI: 0000000000000005
RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004cb9c8 R14: 00000000004c335d R15: 0000000000000000
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
CR2: ffffc90001930002
---[ end trace fcb4474011e9b55c ]---
RIP: 0010:bpf_prog_kallsyms_candidate kernel/bpf/core.c:472 [inline]
RIP: 0010:bpf_prog_kallsyms_add+0xbe/0x9b0 kernel/bpf/core.c:483
Code: d0 31 c0 e8 14 68 f3 ff 49 8d 7c 24 02 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 0f b6 04 18 38 d0 7f 08 84 c0 0f 85 39 07 00 00 <41> 0f b6 5c 24 02 31 ff 83 e3 01 89 de e8 b0 68 f3 ff 84 db 0f 84
RSP: 0018:ffff8801bc2af9c0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff818c8b39
RDX: 0000000000000002 RSI: ffffffff818b671c RDI: ffffc90001930002
RBP: ffff8801bc2afb30 R08: ffff8801bf750100 R09: ffffed003b584732
R10: ffffed003b584732 R11: ffff8801dac23993 R12: ffffc90001930000
R13: ffff8801bc2afd18 R14: 0000000000000000 R15: 1ffff10037855f3d
FS:  00007fb5d21c9700(0000) GS:ffff8801dac00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90001930002 CR3: 00000001bcd1c000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (234):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/09/08 06:58 bpf-next f6f3bac08ff9 6b5120a4 .config console log report syz ci-upstream-bpf-next-kasan-gce
2019/08/21 23:07 upstream bb7ba8069de9 984250d5 .config console log report ci-upstream-kasan-gce-selinux-root
2019/08/20 12:57 upstream 5f97cbe22b76 cfc9868f .config console log report ci-upstream-kasan-gce-selinux-root
2019/08/07 02:37 upstream f4eb1423e433 c6f01e54 .config console log report ci-upstream-kasan-gce-selinux-root
2019/08/06 00:34 upstream e21a712a9685 6affd8e8 .config console log report ci-upstream-kasan-gce
2019/07/31 04:02 upstream 629f8205a6cc 7c7ded69 .config console log report ci-upstream-kasan-gce-smack-root
2019/07/30 02:29 upstream 2a11c76e5301 f67095ee .config console log report ci-upstream-kasan-gce-root
2019/07/28 13:35 upstream 5168afe6ef59 c85e1c5b .config console log report ci-upstream-kasan-gce-selinux-root
2019/07/27 11:54 upstream 3ea54d9b0d65 c85e1c5b .config console log report ci-upstream-kasan-gce-selinux-root
2019/07/30 03:54 bpf cb8ffde5694a f67095ee .config console log report ci-upstream-bpf-kasan-gce
2019/07/24 08:32 bpf d9b8aadaffa6 de453f34 .config console log report ci-upstream-bpf-kasan-gce
2019/07/23 22:36 net-old 107e47cc80ec de453f34 .config console log report ci-upstream-net-this-kasan-gce
2019/09/05 19:08 bpf-next 310f4204eeb6 040fda58 .config console log report ci-upstream-bpf-next-kasan-gce
2019/08/29 20:14 bpf-next 47ee6e86e0a3 fd37b39e .config console log report ci-upstream-bpf-next-kasan-gce
2019/08/28 11:21 bpf-next 47ee6e86e0a3 fd37b39e .config console log report ci-upstream-bpf-next-kasan-gce
2019/08/21 12:09 net-next-old ac2eb56e7504 4ea67ff8 .config console log report ci-upstream-net-kasan-gce
2019/08/19 22:03 bpf-next 1f7267232711 ee12860b .config console log report ci-upstream-bpf-next-kasan-gce
2019/08/17 03:22 bpf-next e03250061b54 8fd428a1 .config console log report ci-upstream-bpf-next-kasan-gce
2019/08/13 14:47 bpf-next 192f0f8e9db7 8620c2c2 .config console log report ci-upstream-bpf-next-kasan-gce
2019/08/12 17:19 bpf-next 192f0f8e9db7 acb51638 .config console log report ci-upstream-bpf-next-kasan-gce
2019/08/12 13:32 bpf-next 192f0f8e9db7 acb51638 .config console log report ci-upstream-bpf-next-kasan-gce
2019/08/11 16:24 bpf-next 192f0f8e9db7 acb51638 .config console log report ci-upstream-bpf-next-kasan-gce
2019/08/11 10:27 bpf-next 192f0f8e9db7 acb51638 .config console log report ci-upstream-bpf-next-kasan-gce
2019/08/11 07:36 bpf-next 192f0f8e9db7 acb51638 .config console log report ci-upstream-bpf-next-kasan-gce
2019/08/08 15:35 bpf-next 192f0f8e9db7 e6ebef88 .config console log report ci-upstream-bpf-next-kasan-gce
2019/08/08 07:17 bpf-next 192f0f8e9db7 e6ebef88 .config console log report ci-upstream-bpf-next-kasan-gce
2019/08/07 08:25 bpf-next 192f0f8e9db7 cdde7486 .config console log report ci-upstream-bpf-next-kasan-gce
2019/08/07 05:21 bpf-next 192f0f8e9db7 c6f01e54 .config console log report ci-upstream-bpf-next-kasan-gce
2019/08/03 22:04 net-next-old 31cc088a4f5d 6affd8e8 .config console log report ci-upstream-net-kasan-gce
2019/08/03 18:56 bpf-next 192f0f8e9db7 6affd8e8 .config console log report ci-upstream-bpf-next-kasan-gce
2019/08/02 18:08 bpf-next 192f0f8e9db7 835dffe7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/08/02 10:03 bpf-next 192f0f8e9db7 835dffe7 .config console log report ci-upstream-bpf-next-kasan-gce
2019/07/30 00:57 bpf-next 192f0f8e9db7 f67095ee .config console log report ci-upstream-bpf-next-kasan-gce
2019/07/29 22:51 bpf-next 192f0f8e9db7 f67095ee .config console log report ci-upstream-bpf-next-kasan-gce
2019/07/29 06:31 bpf-next 192f0f8e9db7 c85e1c5b .config console log report ci-upstream-bpf-next-kasan-gce
2019/07/28 15:27 bpf-next 192f0f8e9db7 c85e1c5b .config console log report ci-upstream-bpf-next-kasan-gce
2019/07/27 15:53 bpf-next 192f0f8e9db7 c85e1c5b .config console log report ci-upstream-bpf-next-kasan-gce
2019/07/27 06:16 bpf-next 192f0f8e9db7 c85e1c5b .config console log report ci-upstream-bpf-next-kasan-gce
2019/07/27 04:56 bpf-next 192f0f8e9db7 c85e1c5b .config console log report ci-upstream-bpf-next-kasan-gce
2019/07/26 15:48 bpf-next 192f0f8e9db7 3e5d1beb .config console log report ci-upstream-bpf-next-kasan-gce
2019/07/26 13:43 bpf-next 192f0f8e9db7 3e5d1beb .config console log report ci-upstream-bpf-next-kasan-gce
2019/07/26 12:22 bpf-next 192f0f8e9db7 3e5d1beb .config console log report ci-upstream-bpf-next-kasan-gce
2019/07/26 07:38 bpf-next 192f0f8e9db7 732bc5a0 .config console log report ci-upstream-bpf-next-kasan-gce
2019/07/26 04:18 bpf-next 192f0f8e9db7 732bc5a0 .config console log report ci-upstream-bpf-next-kasan-gce
2019/07/25 20:35 bpf-next 192f0f8e9db7 732bc5a0 .config console log report ci-upstream-bpf-next-kasan-gce
2019/07/25 03:53 bpf-next 192f0f8e9db7 32329ceb .config console log report ci-upstream-bpf-next-kasan-gce
2019/07/25 01:40 bpf-next 192f0f8e9db7 32329ceb .config console log report ci-upstream-bpf-next-kasan-gce
2019/07/24 04:36 bpf-next 192f0f8e9db7 de453f34 .config console log report ci-upstream-bpf-next-kasan-gce
2019/07/22 21:43 bpf-next 192f0f8e9db7 55e0c077 .config console log report ci-upstream-bpf-next-kasan-gce
2019/07/22 02:00 bpf-next 192f0f8e9db7 1656845f .config console log report ci-upstream-bpf-next-kasan-gce
2019/08/16 08:14 linux-next 17da61ae48ec 8fd428a1 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/08/15 21:49 linux-next 17da61ae48ec 0d298d6b .config console log report ci-upstream-linux-next-kasan-gce-root
2019/07/21 14:13 linux-next 6d21a41b7b1f 1656845f .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.