syzbot


BUG: sleeping function called from invalid context in do_user_addr_fault (2)

Status: upstream: reported syz repro on 2020/12/25 13:45
Reported-by: syzbot+6ce719ff413f52e0a0f2@syzkaller.appspotmail.com
First crash: 715d, last: 147d

Cause bisection: introduced by (bisect log) :
commit 64b59025c15b244c0954cf52b24fbabfcf5ed8f6
Author: David Ahern <dsahern@kernel.org>
Date: Fri May 29 22:07:14 2020 +0000

  xdp: Add xdp_txq_info to xdp_buff

Crash: BUG: unable to handle kernel NULL pointer dereference in bpf_prog_ADDR (log)
Repro: syz .config

Fix bisection: fixed by (bisect log) [merge commit]:
commit 611ffd8acc4b06e606325ca727c891ce70adcaa6
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Thu Aug 5 18:16:02 2021 +0000

  Merge branch 'pcmcia-next' of git://git.kernel.org/pub/scm/linux/kernel/git/brodo/linux

similar bugs (3):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: sleeping function called from invalid context in do_user_addr_fault syz inconclusive done 10 819d 898d 0/24 closed as dup on 2020/09/02 22:06
upstream BUG: unable to handle kernel NULL pointer dereference in bpf_prog_ADDR syz error error 19 542d 856d 0/24 upstream: reported syz repro on 2020/08/02 22:45
upstream BUG: unable to handle kernel paging request in bpf_prog_ADDR C done 13 1220d 1236d 13/24 fixed on 2019/08/27 17:15
Patch testing requests:
Created Duration User Patch Repo Result
2022/10/21 07:30 16m retest repro net OK log
2022/10/21 05:30 16m retest repro net-next OK log
2022/10/21 00:30 16m retest repro net OK log
2022/10/21 00:30 16m retest repro bpf OK log
2022/10/20 23:30 17m retest repro bpf-next error
2022/10/20 23:30 16m retest repro net-next OK log
2022/10/20 13:30 18m retest repro net error
2022/10/20 13:30 16m retest repro bpf OK log
2022/10/20 13:30 17m retest repro bpf-next error
2022/10/20 13:30 17m retest repro net-next error

Sample crash report:
BUG: sleeping function called from invalid context at arch/x86/mm/fault.c:1342
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 8814, name: syz-executor.0
2 locks held by syz-executor.0/8814:
 #0: ffffffff8bf73be0 (rcu_read_lock){....}-{1:2}, at: bpf_test_run+0x119/0xc50 net/bpf/test_run.c:28
 #1: ffff88801eaa7158 (&mm->mmap_lock#2){++++}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:136 [inline]
 #1: ffff88801eaa7158 (&mm->mmap_lock#2){++++}-{3:3}, at: do_user_addr_fault+0x285/0x1210 arch/x86/mm/fault.c:1325
Preemption disabled at:
[<ffffffff814d6d2e>] migrate_disable+0x5e/0x160 kernel/sched/core.c:1751
CPU: 1 PID: 8814 Comm: syz-executor.0 Not tainted 5.11.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0xfa/0x151 lib/dump_stack.c:120
 ___might_sleep.cold+0x1f1/0x237 kernel/sched/core.c:8290
 do_user_addr_fault+0x2c2/0x1210 arch/x86/mm/fault.c:1342
 handle_page_fault arch/x86/mm/fault.c:1469 [inline]
 exc_page_fault+0x9e/0x180 arch/x86/mm/fault.c:1525
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:580
RIP: 0010:bpf_prog_e48ebe87b99394c4+0x11/0xa30
Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 66 90 55 48 89 e5 31 c0 48 8b 47 28 <48> 8b 40 00 8b 80 d0 00 00 00 c9 c3 cc cc cc cc cc cc cc cc cc cc
RSP: 0018:ffffc90001a4fb38 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc90000ca2000 RCX: 0000000000000000
RDX: ffff8880225a8000 RSI: ffffc90000ca2048 RDI: ffffc90001a4fcb0
RBP: ffffc90001a4fb38 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8736c3c7 R11: 0000000000000000 R12: ffff8880225a8000
R13: ffffc90000ca2000 R14: 0000000000000001 R15: 0000000000000000
 bpf_prog_run_xdp include/linux/filter.h:770 [inline]
 bpf_test_run+0x222/0xc50 net/bpf/test_run.c:48
 bpf_prog_test_run_xdp+0x2c2/0x4d0 net/bpf/test_run.c:646
 bpf_prog_test_run kernel/bpf/syscall.c:3127 [inline]
 __do_sys_bpf+0x1ea9/0x4f00 kernel/bpf/syscall.c:4406
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x465ef9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f87e563f188 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 000000000056c0b0 RCX: 0000000000465ef9
RDX: 0000000000000028 RSI: 0000000020000440 RDI: 000000000000000a
RBP: 00000000004bcd1c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c0b0
R13: 00007ffcf598b7bf R14: 00007f87e563f300 R15: 0000000000022000
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 14ba4067 P4D 14ba4067 PUD 152aa067 PMD 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8814 Comm: syz-executor.0 Tainted: G        W         5.11.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:bpf_prog_e48ebe87b99394c4+0x11/0xa30
Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 66 90 55 48 89 e5 31 c0 48 8b 47 28 <48> 8b 40 00 8b 80 d0 00 00 00 c9 c3 cc cc cc cc cc cc cc cc cc cc
RSP: 0018:ffffc90001a4fb38 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc90000ca2000 RCX: 0000000000000000
RDX: ffff8880225a8000 RSI: ffffc90000ca2048 RDI: ffffc90001a4fcb0
RBP: ffffc90001a4fb38 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8736c3c7 R11: 0000000000000000 R12: ffff8880225a8000
R13: ffffc90000ca2000 R14: 0000000000000001 R15: 0000000000000000
FS:  00007f87e563f700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055c2a3fd9ee8 CR3: 0000000018531000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 bpf_prog_run_xdp include/linux/filter.h:770 [inline]
 bpf_test_run+0x222/0xc50 net/bpf/test_run.c:48
 bpf_prog_test_run_xdp+0x2c2/0x4d0 net/bpf/test_run.c:646
 bpf_prog_test_run kernel/bpf/syscall.c:3127 [inline]
 __do_sys_bpf+0x1ea9/0x4f00 kernel/bpf/syscall.c:4406
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x465ef9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f87e563f188 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 000000000056c0b0 RCX: 0000000000465ef9
RDX: 0000000000000028 RSI: 0000000020000440 RDI: 000000000000000a
RBP: 00000000004bcd1c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c0b0
R13: 00007ffcf598b7bf R14: 00007f87e563f300 R15: 0000000000022000
Modules linked in:
CR2: 0000000000000000
---[ end trace e77324a6fae54e5a ]---
RIP: 0010:bpf_prog_e48ebe87b99394c4+0x11/0xa30
Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 66 90 55 48 89 e5 31 c0 48 8b 47 28 <48> 8b 40 00 8b 80 d0 00 00 00 c9 c3 cc cc cc cc cc cc cc cc cc cc
RSP: 0018:ffffc90001a4fb38 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc90000ca2000 RCX: 0000000000000000
RDX: ffff8880225a8000 RSI: ffffc90000ca2048 RDI: ffffc90001a4fcb0
RBP: ffffc90001a4fb38 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff8736c3c7 R11: 0000000000000000 R12: ffff8880225a8000
R13: ffffc90000ca2000 R14: 0000000000000001 R15: 0000000000000000
FS:  00007f87e563f700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055c2a3fd9ee8 CR3: 0000000018531000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (27):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-net-this-kasan-gce 2021/02/26 04:08 net 8f1c0fd2c84c 76f7fc95 .config log report syz BUG: sleeping function called from invalid context in do_user_addr_fault
ci-upstream-net-kasan-gce 2021/02/25 22:40 net-next d310ec03a34e 76f7fc95 .config log report syz BUG: sleeping function called from invalid context in do_user_addr_fault
ci-upstream-bpf-next-kasan-gce 2021/01/23 16:40 bpf-next 6e66fbb10597 52e37319 .config log report syz BUG: sleeping function called from invalid context in do_user_addr_fault
ci-upstream-bpf-next-kasan-gce 2020/12/21 16:41 bpf-next 3db1a3fa9880 04201c06 .config log report syz
ci-upstream-bpf-kasan-gce 2021/01/23 17:26 bpf b9557caaf872 52e37319 .config log report syz BUG: sleeping function called from invalid context in do_user_addr_fault
ci-upstream-net-this-kasan-gce 2021/01/23 17:22 net 0607a2cddb60 52e37319 .config log report syz BUG: sleeping function called from invalid context in do_user_addr_fault
ci-upstream-net-kasan-gce 2021/01/23 18:34 net-next 59a49d9617e2 52e37319 .config log report syz BUG: sleeping function called from invalid context in do_user_addr_fault
ci-upstream-net-this-kasan-gce 2020/12/21 14:37 net fec6079b2eea 04201c06 .config log report syz
ci-upstream-bpf-kasan-gce 2020/12/21 14:11 bpf d467d80dc399 04201c06 .config log report syz
ci-upstream-net-kasan-gce 2020/12/21 14:39 net-next 3db1a3fa9880 04201c06 .config log report syz
ci-upstream-bpf-kasan-gce 2021/05/16 11:01 bpf 2d58cee61309 f54a5c09 .config log report info BUG: sleeping function called from invalid context in do_user_addr_fault
ci-upstream-bpf-next-kasan-gce 2021/07/31 06:58 bpf-next f309b4ba989d 6c236867 .config log report info BUG: sleeping function called from invalid context in do_user_addr_fault
ci-upstream-kasan-gce-selinux-root 2020/12/23 01:42 upstream 614cb5894306 04201c06 .config log report info
ci-upstream-kasan-gce-selinux-root 2020/12/23 01:42 upstream 614cb5894306 04201c06 .config log report info
ci-upstream-bpf-kasan-gce 2022/07/12 13:10 bpf 6676d7270ce2 da3d6955 .config log report info BUG: unable to handle kernel paging request in bpf_prog_ADDR
ci-upstream-bpf-kasan-gce 2022/04/07 05:18 bpf 0a210af6d0a0 97582466 .config log report info BUG: unable to handle kernel paging request in bpf_prog_ADDR
ci-upstream-bpf-kasan-gce 2022/03/30 19:17 bpf 2609f635a20d 42718dd6 .config log report info BUG: unable to handle kernel paging request in bpf_prog_ADDR
ci-upstream-bpf-kasan-gce 2020/12/21 13:43 bpf d467d80dc399 04201c06 .config log report info
ci-upstream-bpf-next-kasan-gce 2022/04/14 20:35 bpf-next 241d50ec5d79 b17b2923 .config log report info BUG: unable to handle kernel paging request in bpf_prog_ADDR
ci-upstream-bpf-next-kasan-gce 2022/04/14 13:21 bpf-next 241d50ec5d79 b17b2923 .config log report info BUG: unable to handle kernel paging request in bpf_prog_ADDR
ci-upstream-bpf-next-kasan-gce 2022/04/13 13:06 bpf-next 0f8619929c57 faabdb86 .config log report info BUG: unable to handle kernel paging request in bpf_prog_ADDR
ci-upstream-bpf-next-kasan-gce 2022/04/09 20:29 bpf-next 34ba23b44c66 e22c3da3 .config log report info BUG: unable to handle kernel paging request in bpf_prog_ADDR
ci-upstream-net-kasan-gce 2022/04/04 06:03 net-next 2975dbdc3989 79a2a8fc .config log report info BUG: unable to handle kernel paging request in bpf_prog_ADDR
ci-upstream-bpf-next-kasan-gce 2022/03/19 13:47 bpf-next 08063b4bc158 e2d91b1d .config log report info BUG: unable to handle kernel paging request in bpf_prog_ADDR
ci-upstream-bpf-next-kasan-gce 2022/03/10 05:04 bpf-next de55c9a1967c 9e8eaa75 .config log report info BUG: unable to handle kernel paging request in bpf_prog_ADDR
ci-upstream-bpf-next-kasan-gce 2022/03/08 19:10 bpf-next d23a8720327d 9e8eaa75 .config log report info BUG: unable to handle kernel paging request in bpf_prog_ADDR
ci-upstream-bpf-next-kasan-gce 2022/02/24 06:32 bpf-next e5313968c41b 6e821dbf .config log report info BUG: unable to handle kernel paging request in bpf_prog_ADDR
* Struck through repros no longer work on HEAD.