syzbot


BUG: unable to handle kernel paging request in bpf_lru_populate

Status: fixed on 2021/03/10 01:49
Subsystems: bpf
[Documentation on labels]
Reported-by: syzbot+ec2234240c96fdd26b93@syzkaller.appspotmail.com
Fix commit: e1868b9e36d0 bpf: Avoid overflows involving hash elem_size
First crash: 1201d, last: 1191d
Cause bisection: introduced by (bisect log) :
commit b93ef089d35c3386dd197e85afb6399bbd54cfb3
Author: Martin KaFai Lau <kafai@fb.com>
Date: Mon Nov 16 20:01:13 2020 +0000

  bpf: Fix the irq and nmi check in bpf_sk_storage for tracing usage

Crash: BUG: sleeping function called from invalid context in sta_info_move_state (log)
Repro: C syz .config
  
Discussions (1)
Title Replies (including bot) Last reply
BUG: unable to handle kernel paging request in bpf_lru_populate 1 (2) 2020/12/08 07:25

Sample crash report:
BUG: unable to handle page fault for address: fffff5200471266c
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 23fff2067 P4D 23fff2067 PUD 101a4067 PMD 32e3a067 PTE 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8503 Comm: syz-executor608 Not tainted 5.10.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:bpf_common_lru_populate kernel/bpf/bpf_lru_list.c:569 [inline]
RIP: 0010:bpf_lru_populate+0xd8/0x5e0 kernel/bpf/bpf_lru_list.c:614
Code: 03 4d 01 e7 48 01 d8 48 89 4c 24 10 4d 89 fe 48 89 44 24 08 e8 99 23 eb ff 49 8d 7e 12 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 <0f> b6 04 18 38 d0 7f 08 84 c0 0f 85 80 04 00 00 49 8d 7e 13 41 c6
RSP: 0018:ffffc9000126fc20 EFLAGS: 00010202
RAX: 1ffff9200471266c RBX: dffffc0000000000 RCX: ffffffff8184e3e2
RDX: 0000000000000002 RSI: ffffffff8184e2e7 RDI: ffffc90023893362
RBP: 00000000000000bc R08: 000000000000107c R09: 0000000000000000
R10: 000000000000107c R11: 0000000000000000 R12: 0000000000000001
R13: 000000000000107c R14: ffffc90023893350 R15: ffffc900234832f0
FS:  0000000000fe0880(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff5200471266c CR3: 000000001ba62000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 prealloc_init kernel/bpf/hashtab.c:319 [inline]
 htab_map_alloc+0xf6e/0x1230 kernel/bpf/hashtab.c:507
 find_and_alloc_map kernel/bpf/syscall.c:123 [inline]
 map_create kernel/bpf/syscall.c:829 [inline]
 __do_sys_bpf+0xa81/0x5170 kernel/bpf/syscall.c:4374
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4402e9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe77af23b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402e9
RDX: 0000000000000040 RSI: 0000000020000000 RDI: 0d00000000000000
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401af0
R13: 0000000000401b80 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
CR2: fffff5200471266c
---[ end trace 4f3928bacde7b3ed ]---
RIP: 0010:bpf_common_lru_populate kernel/bpf/bpf_lru_list.c:569 [inline]
RIP: 0010:bpf_lru_populate+0xd8/0x5e0 kernel/bpf/bpf_lru_list.c:614
Code: 03 4d 01 e7 48 01 d8 48 89 4c 24 10 4d 89 fe 48 89 44 24 08 e8 99 23 eb ff 49 8d 7e 12 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 <0f> b6 04 18 38 d0 7f 08 84 c0 0f 85 80 04 00 00 49 8d 7e 13 41 c6
RSP: 0018:ffffc9000126fc20 EFLAGS: 00010202
RAX: 1ffff9200471266c RBX: dffffc0000000000 RCX: ffffffff8184e3e2
RDX: 0000000000000002 RSI: ffffffff8184e2e7 RDI: ffffc90023893362
RBP: 00000000000000bc R08: 000000000000107c R09: 0000000000000000
R10: 000000000000107c R11: 0000000000000000 R12: 0000000000000001
R13: 000000000000107c R14: ffffc90023893350 R15: ffffc900234832f0
FS:  0000000000fe0880(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff5200471266c CR3: 000000001ba62000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (12):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/12/06 03:16 net-next-old bcd684aace34 50503117 .config console log report syz C ci-upstream-net-kasan-gce
2020/12/05 22:47 bpf-next 34da87213d3d 50503117 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2020/12/13 11:52 net-next-old 00f7763a26cb bca53db9 .config console log report info ci-upstream-net-kasan-gce
2020/12/11 17:43 net-next-old 91163f821436 ba24ffcd .config console log report info ci-upstream-net-kasan-gce
2020/12/11 15:37 net-next-old 91163f821436 ba24ffcd .config console log report info ci-upstream-net-kasan-gce
2020/12/10 14:19 net-next-old a7105e3472bf f900b48c .config console log report info ci-upstream-net-kasan-gce
2020/12/08 19:36 net-next-old 8e98387b16b8 a7f7f4a4 .config console log report info ci-upstream-net-kasan-gce
2020/12/07 22:00 bpf-next 34da87213d3d 1190297f .config console log report info ci-upstream-bpf-next-kasan-gce
2020/12/07 05:12 bpf-next 34da87213d3d c521566d .config console log report info ci-upstream-bpf-next-kasan-gce
2020/12/06 23:07 bpf-next 34da87213d3d c521566d .config console log report info ci-upstream-bpf-next-kasan-gce
2020/12/05 22:23 bpf-next 34da87213d3d 50503117 .config console log report info ci-upstream-bpf-next-kasan-gce
2020/12/03 11:41 bpf-next 97306be45fbe e6b0d314 .config console log report info ci-upstream-bpf-next-kasan-gce
* Struck through repros no longer work on HEAD.