syzbot

 sign-in | mailing list | source | docs
🐞 Open [121]
🐞 Fixed [23]
🐞 Invalid [252]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

BUG: unable to handle kernel paging request in bpf_probe_read_compat_str

Status: auto-obsoleted due to no activity on 2024/11/12 06:12
Labels: missing-backport
[Documentation on labels]
Reported-by: syzbot+dde0d9748541e35abe36@syzkaller.appspotmail.com
First crash: 315d, last: 121d
Fix bisection: fixed by (bisect log) :
commit e8a67fe34b76a49320b33032228a794f40b0316b
Author: Hou Tao <houtao1@huawei.com>
Date: Fri Feb 2 10:39:34 2024 +0000

  x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()

  
Bug presence (2)
Date Name Commit Repro Result
2024/09/05 lts (merge base) b925f60c6ee7 C Didn't crash
2024/09/05 upstream (ToT) c763c4339688 C Didn't crash
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: unable to handle kernel paging request in bpf_probe_read_compat_str mm C done error 4 286d 311d 0/28 auto-obsoleted due to no activity on 2024/07/01 19:05
android-6-1 BUG: unable to handle kernel paging request in bpf_probe_read_compat_str missing-backport origin:upstream C error error 3 150d 315d 0/2 auto-obsoleted due to no activity on 2024/10/14 07:05
linux-5.15 BUG: unable to handle kernel paging request in bpf_probe_read_compat_str origin:upstream missing-backport C done 1 270d 315d 0/3 auto-obsoleted due to no activity on 2024/10/08 10:41
linux-6.1 BUG: unable to handle kernel paging request in bpf_probe_read_compat_str origin:upstream missing-backport C done 1 270d 315d 0/3 upstream: reported C repro on 2024/01/23 14:36
Last patch testing requests (2)
Created Duration User Patch Repo Result
2024/08/04 05:55 17m retest repro android13-5.15-lts report log
2024/05/26 05:42 5m retest repro android13-5.15-lts report log
Fix bisection attempts (4)
Created Duration User Patch Repo Result
2024/09/08 16:34 5h22m bisect fix android13-5.15-lts OK (1) job log
2024/07/05 07:09 1h52m bisect fix android13-5.15-lts OK (0) job log log
2024/05/12 05:09 33m bisect fix android13-5.15-lts OK (0) job log log
2024/04/08 17:52 1h16m bisect fix android13-5.15-lts OK (0) job log log

Sample crash report:
BUG: unable to handle page fault for address: ffffffffff600000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0001) - permissions violation
PGD 6812067 P4D 6812067 PUD 6814067 PMD 6816067 PTE 8000000006809165
Oops: 0001 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 299 Comm: syz-executor916 Not tainted 5.15.147-syzkaller-00327-g1c3a1f32bcbd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:strncpy_from_kernel_nofault+0x92/0x1e0 mm/maccess.c:92
Code: d0 48 c1 e8 03 48 89 45 c0 42 0f b6 04 30 84 c0 48 89 55 c8 0f 85 eb 00 00 00 ff 02 45 31 e4 48 8b 55 d0 4c 8b 7d b8 49 89 dd <42> 8a 1c 23 4a 8d 3c 22 48 89 f8 48 c1 e8 03 42 0f b6 04 30 84 c0
RSP: 0018:ffffc90000997a68 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffffffffff600000 RCX: ffff888118014f00
RDX: ffffc90000997b08 RSI: ffffffffff600000 RDI: ffffffffff600000
RBP: ffffc90000997ab0 R08: ffffffff8135f40d R09: ffffed10230029e1
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: ffffffffff600000 R14: dffffc0000000000 R15: 0000000000000008
FS:  000055555612f380(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600000 CR3: 000000011eced000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 bpf_probe_read_kernel_str_common kernel/trace/bpf_trace.c:255 [inline]
 ____bpf_probe_read_compat_str kernel/trace/bpf_trace.c:303 [inline]
 bpf_probe_read_compat_str+0x112/0x180 kernel/trace/bpf_trace.c:296
 bpf_prog_f17ebaf3f5f7baf8+0x3a/0xf68
 bpf_dispatcher_nop_func include/linux/bpf.h:785 [inline]
 __bpf_prog_run include/linux/filter.h:625 [inline]
 bpf_prog_run include/linux/filter.h:632 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:1883 [inline]
 bpf_trace_run3+0x11e/0x250 kernel/trace/bpf_trace.c:1921
 __bpf_trace_sched_switch+0xb/0x10 include/trace/events/sched.h:220
 trace_sched_switch include/trace/events/sched.h:220 [inline]
 __schedule+0x133d/0x1580 kernel/sched/core.c:6509
 schedule+0x11f/0x1e0 kernel/sched/core.c:6595
 freezable_schedule include/linux/freezer.h:197 [inline]
 ptrace_stop+0x4ea/0xa90 kernel/signal.c:2328
 ptrace_do_notify kernel/signal.c:2381 [inline]
 ptrace_notify+0x22b/0x350 kernel/signal.c:2391
 ptrace_report_syscall include/linux/tracehook.h:66 [inline]
 tracehook_report_syscall_exit include/linux/tracehook.h:130 [inline]
 arch_syscall_exit_tracehook include/linux/entry-common.h:297 [inline]
 syscall_exit_work kernel/entry/common.c:256 [inline]
 syscall_exit_to_user_mode_prepare kernel/entry/common.c:283 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:288 [inline]
 syscall_exit_to_user_mode+0xac/0x160 kernel/entry/common.c:301
 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fa18c8c8b39
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd69596678 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: 0000000000000004 RBX: 0000000000000000 RCX: 00007fa18c8c8b39
RDX: 0000000000000010 RSI: 0000000020000280 RDI: 0000000000000011
RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000006
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000003a28
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
 </TASK>
Modules linked in:
CR2: ffffffffff600000
---[ end trace 49c030b36d30f650 ]---
RIP: 0010:strncpy_from_kernel_nofault+0x92/0x1e0 mm/maccess.c:92
Code: d0 48 c1 e8 03 48 89 45 c0 42 0f b6 04 30 84 c0 48 89 55 c8 0f 85 eb 00 00 00 ff 02 45 31 e4 48 8b 55 d0 4c 8b 7d b8 49 89 dd <42> 8a 1c 23 4a 8d 3c 22 48 89 f8 48 c1 e8 03 42 0f b6 04 30 84 c0
RSP: 0018:ffffc90000997a68 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffffffffff600000 RCX: ffff888118014f00
RDX: ffffc90000997b08 RSI: ffffffffff600000 RDI: ffffffffff600000
RBP: ffffc90000997ab0 R08: ffffffff8135f40d R09: ffffed10230029e1
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: ffffffffff600000 R14: dffffc0000000000 R15: 0000000000000008
FS:  000055555612f380(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffff600000 CR3: 000000011eced000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	d0 48 c1             	rorb   -0x3f(%rax)
   3:	e8 03 48 89 45       	call   0x4589480b
   8:	c0 42 0f b6          	rolb   $0xb6,0xf(%rdx)
   c:	04 30                	add    $0x30,%al
   e:	84 c0                	test   %al,%al
  10:	48 89 55 c8          	mov    %rdx,-0x38(%rbp)
  14:	0f 85 eb 00 00 00    	jne    0x105
  1a:	ff 02                	incl   (%rdx)
  1c:	45 31 e4             	xor    %r12d,%r12d
  1f:	48 8b 55 d0          	mov    -0x30(%rbp),%rdx
  23:	4c 8b 7d b8          	mov    -0x48(%rbp),%r15
  27:	49 89 dd             	mov    %rbx,%r13
* 2a:	42 8a 1c 23          	mov    (%rbx,%r12,1),%bl <-- trapping instruction
  2e:	4a 8d 3c 22          	lea    (%rdx,%r12,1),%rdi
  32:	48 89 f8             	mov    %rdi,%rax
  35:	48 c1 e8 03          	shr    $0x3,%rax
  39:	42 0f b6 04 30       	movzbl (%rax,%r14,1),%eax
  3e:	84 c0                	test   %al,%al

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/01/24 11:31 android13-5.15-lts 1c3a1f32bcbd 1e153dc8 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-15 BUG: unable to handle kernel paging request in bpf_probe_read_compat_str
2024/01/23 03:06 android13-5.15-lts 1c3a1f32bcbd 9bd8dcda .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-15-perf BUG: unable to handle kernel paging request in bpf_probe_read_compat_str
* Struck through repros no longer work on HEAD.