syzbot

KASAN: vmalloc-out-of-bounds Read in bpf_trace_run3

Status: fixed on 2021/04/09 19:46
Subsystems: bpf trace
Reported-by: syzbot+d29e58bb557324e55e5e@syzkaller.appspotmail.com
Fix commit: befe6d946551 tracepoint: Do not fail unregistering a probe due to memory failure
First crash: 1551d, last: 1446d
Cause bisection: introduced by:
commit 9df1c28bb75217b244257152ab7d788bb2a386d0
Author: Matt Mullins <mmullins@fb.com>
Date: Fri Apr 26 18:49:47 2019 +0000

  bpf: add writable context for raw tracepoints

Crash: BUG: unable to handle kernel paging request in __bpf_trace_sched_switch
Repro: C reproducer, syz reproducer and .config available
Discussions (12)
Title Replies (including bot) Last reply
[PATCH 4.19 000/247] 4.19.178-rc1 review 277 (277) 2022/03/02 15:52
[PATCH 5.10 000/663] 5.10.20-rc1 review 673 (673) 2021/03/05 18:03
[PATCH 5.4 000/340] 5.4.102-rc1 review 348 (348) 2021/03/04 09:26
[PATCH 4.4 00/93] 4.4.259-rc1 review 99 (99) 2021/03/02 19:02
[PATCH 4.9 000/134] 4.9.259-rc1 review 137 (137) 2021/03/01 21:45
[PATCH 5.11 000/775] 5.11.3-rc1 review 776 (776) 2021/03/01 16:15
[PATCH 4.14 000/176] 4.14.223-rc1 review 177 (177) 2021/03/01 16:14
KASAN: vmalloc-out-of-bounds Read in bpf_trace_run3 5 (6) 2021/02/10 19:52
[for-next][PATCH 14/15] tracepoint: Do not fail unregistering a probe due to memory failure 8 (8) 2021/02/04 17:47
[PATCH v2] tracepoint: Do not fail unregistering a probe due to memory allocation 5 (5) 2021/01/27 14:30
[PATCH] tracepoint: Do not fail unregistering a probe due to memory allocation 48 (48) 2020/11/24 05:59
[PATCH] bpf: don't fail kmalloc while releasing raw_tp 13 (13) 2020/11/18 04:57
Similar bugs (1)
Kernel: upstream
Title: BUG: unable to handle kernel paging request in bpf_trace_run3
Subsystems: bpf trace
Repro: C
Cause bisect: done
Count: 40
Last: 1437d
Reported: 1559d
Patched: 20/28
Status: fixed on 2021/04/09 19:46
Fix bisection attempts (2)
Created | Duration | User | Patch | Repo | Result
2021/01/17 00:48 | 15m | bisect fix | (none) | bpf | OK (0)
2020/12/17 20:48 | 15m | bisect fix | (none) | bpf | OK (0)

Sample crash report:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in __bpf_trace_run kernel/trace/bpf_trace.c:2045 [inline]
BUG: KASAN: vmalloc-out-of-bounds in bpf_trace_run3+0x3e0/0x3f0 kernel/trace/bpf_trace.c:2083
Read of size 8 at addr ffffc90000e6c030 by task kworker/0:3/3754

CPU: 0 PID: 3754 Comm: kworker/0:3 Not tainted 5.9.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue:  0x0 (events)
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 __bpf_trace_run kernel/trace/bpf_trace.c:2045 [inline]
 bpf_trace_run3+0x3e0/0x3f0 kernel/trace/bpf_trace.c:2083
 __bpf_trace_sched_switch+0xdc/0x120 include/trace/events/sched.h:138
 __traceiter_sched_switch+0x64/0xb0 include/trace/events/sched.h:138
 trace_sched_switch include/trace/events/sched.h:138 [inline]
 __schedule+0xeb8/0x2130 kernel/sched/core.c:4520
 schedule+0xcf/0x270 kernel/sched/core.c:4601
 worker_thread+0x14c/0x1120 kernel/workqueue.c:2439
 kthread+0x3af/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296


Memory state around the buggy address:
 ffffc90000e6bf00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90000e6bf80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90000e6c000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                                     ^
 ffffc90000e6c080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90000e6c100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
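The "Memory state" dump above can be read by hand, but across many reports a small decoder saves effort. The following Python helper is added here and is not part of syzbot or the kernel tree. It parses the "Read of size … at addr …" line and the shadow-memory lines of the report above (the report text embedded in the block is copied from this page, not constructed), locates the shadow byte covering the faulting address, and decodes it using the generic-KASAN poison values from mm/kasan/kasan.h of the 5.x series, where 0xf8 is KASAN_VMALLOC_INVALID, i.e. vmalloc address space that is not currently backed by an allocation. The shadow offset 0xdffffc0000000000 is assumed to be the x86_64 CONFIG_KASAN_SHADOW_OFFSET of the reported configuration; on other architectures or with CONFIG_KASAN_SW_TAGS the mapping differs.

```python
import re

# Generic-KASAN shadow encodings from mm/kasan/kasan.h (5.x series; exact
# values are version dependent, so check the tree that produced the report).
# 0x00: all 8 bytes of the granule addressable; 0x01..0x07: first N bytes only.
POISON = {
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF8: "vmalloc region not allocated (KASAN_VMALLOC_INVALID)",
    0xF9: "global redzone",
    0xFA: "kmalloc freed (free-track)",
    0xFB: "kmalloc freed",
    0xFC: "kmalloc redzone",
    0xFE: "page redzone",
    0xFF: "freed page",
}
GRANULE = 8                                 # bytes of memory per shadow byte
X86_64_SHADOW_OFFSET = 0xdffffc0000000000   # assumed CONFIG_KASAN_SHADOW_OFFSET

# Copied from the sample crash report on this page (not constructed).
REPORT = """\
BUG: KASAN: vmalloc-out-of-bounds in bpf_trace_run3+0x3e0/0x3f0 kernel/trace/bpf_trace.c:2083
Read of size 8 at addr ffffc90000e6c030 by task kworker/0:3/3754

Memory state around the buggy address:
 ffffc90000e6bf00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90000e6bf80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90000e6c000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                                     ^
 ffffc90000e6c080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90000e6c100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
"""

ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
SHADOW_RE = re.compile(r"^\s*>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2})+)\s*$")


def shadow_address(addr):
    """Virtual address of the shadow byte covering addr (x86_64 layout)."""
    return (addr >> 3) + X86_64_SHADOW_OFFSET


def decode_shadow(byte):
    """Human-readable meaning of one shadow byte."""
    if byte == 0:
        return "addressable"
    if 1 <= byte <= 7:
        return "partially addressable: first %d bytes" % byte
    return POISON.get(byte, "unknown poison 0x%02x" % byte)


def parse_report(text):
    """Return (kind, size, addr, shadow); shadow maps the first address of
    each 8-byte granule in the dump to its shadow byte."""
    m = ACCESS_RE.search(text)
    if m is None:
        raise ValueError("no access line in report")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    shadow = {}
    for line in text.splitlines():
        sm = SHADOW_RE.match(line)
        if sm:
            base = int(sm.group(1), 16)
            for i, b in enumerate(sm.group(2).split()):
                shadow[base + i * GRANULE] = int(b, 16)
    return kind, size, addr, shadow


def describe_access(text):
    """List (granule, shadow_byte, meaning) for every granule the faulting
    access touches; shadow_byte is None if the dump does not cover it."""
    kind, size, addr, shadow = parse_report(text)
    first = addr & ~(GRANULE - 1)
    out = []
    for g in range(first, addr + size, GRANULE):
        b = shadow.get(g)
        out.append((g, b, "not in dump" if b is None else decode_shadow(b)))
    return out


if __name__ == "__main__":
    kind, size, addr, _ = parse_report(REPORT)
    print("%s of %d bytes at 0x%x (shadow byte at 0x%x)"
          % (kind, size, addr, shadow_address(addr)))
    for g, b, meaning in describe_access(REPORT):
        print("  granule 0x%x: shadow %s -> %s"
              % (g, "??" if b is None else "0x%02x" % b, meaning))
```

For this report the 8-byte read at ffffc90000e6c030 sits entirely in one granule whose shadow is 0xf8, so KASAN is flagging a dereference into vmalloc space that has no live allocation behind it, which is consistent with the non-KASAN manifestation of the same bug as a "unable to handle kernel paging request" oops listed under similar bugs.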

Crashes (6):
Time | Kernel | Commit | Syzkaller | Manager | Artifacts | Title
2020/10/30 17:26 | bpf | 080b6f407635 | a6e3ac3b | ci-upstream-bpf-kasan-gce | .config, console log, report, syz repro, C repro | (none)
2021/01/26 02:51 | upstream | f8ad8187c3b5 | 52e37319 | ci-upstream-kasan-gce-root | .config, console log, report, VM info | KASAN: vmalloc-out-of-bounds Read in bpf_trace_run3
2021/02/12 14:16 | bpf-next | b2e37a7114ef | a5f86b15 | ci-upstream-bpf-next-kasan-gce | .config, console log, report, VM info | KASAN: vmalloc-out-of-bounds Read in bpf_trace_run3
2021/02/09 14:00 | bpf-next | ee5cc0363ea0 | 2bd9619f | ci-upstream-bpf-next-kasan-gce | .config, console log, report, VM info | KASAN: vmalloc-out-of-bounds Read in bpf_trace_run3
2020/10/30 17:09 | bpf | 080b6f407635 | a6e3ac3b | ci-upstream-bpf-kasan-gce | .config, console log, report, VM info | (none)
2020/11/13 02:38 | bpf-next | c36538798fc6 | 16fca0c8 | ci-upstream-bpf-next-kasan-gce | .config, console log, report, VM info | (none)