ci2 starts bisection 2024-09-08 16:34:26.485617747 +0000 UTC m=+177780.149473304
bisecting fixing commit since 1c3a1f32bcbdc0591d0eab67b745f1f4d3ecef6b
building syzkaller on 1e153dc8b31e685ca8495576db4f8c077585e39c
ensuring issue is reproducible on original commit 1c3a1f32bcbdc0591d0eab67b745f1f4d3ecef6b
testing commit 1c3a1f32bcbdc0591d0eab67b745f1f4d3ecef6b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7b552aa5a443424be6b0abe3006eb10d72916b12c24d5914fcef2a7e114d4292
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str, types: [UNKNOWN]
check whether we can drop unnecessary instrumentation
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 1c3a1f32bcbdc0591d0eab67b745f1f4d3ecef6b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f4af11aa0cd6aac5c471142296b9f4cf61ae4ae629c0d8978b1a0883dee1292f
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
kconfig minimization: base=4920 full=6161 leaves diff=241
split chunks (needed=false): <241>
split chunk #0 of len 241 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed
testing commit 1c3a1f32bcbdc0591d0eab67b745f1f4d3ecef6b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cb2a47bf9ee6056be56eba3d7f1be3730b193348c49ec4d6d1a2239cf0069548
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 1c3a1f32bcbdc0591d0eab67b745f1f4d3ecef6b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3009e069012e9d98ffa05ab1b6c21b56d0453ea8b8a17792bd0253426cf43134
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 1c3a1f32bcbdc0591d0eab67b745f1f4d3ecef6b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7ecf04bcd65c3bf477d49c71e72b518b43032d0d0381901f75433bc91bdc7b2c
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG KASAN], they are not needed
testing commit 1c3a1f32bcbdc0591d0eab67b745f1f4d3ecef6b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4e965e64f391dc973f7bc3d4e16d05bbb6cc74781c800e7c9b9861ef4615ab0b
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 1c3a1f32bcbdc0591d0eab67b745f1f4d3ecef6b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 1c3a1f32bcbdc0591d0eab67b745f1f4d3ecef6b: net/socket.c:1191: undefined reference to `wext_handle_ioctl'
net/socket.c:3385: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'
minimized to 45 configs; suspects: [HID_ZEROPLUS USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS X86_X32 ZEROPLUS_FF]
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing current HEAD 53be7c8abe115da0ea109a44829b46385e9a2240
testing commit 53be7c8abe115da0ea109a44829b46385e9a2240 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f98ef624bf2458e5306bfd4f7a9986dd6369221a5ab6ea886ffb1fe46a857cc0
all runs: OK
false negative chance: 0.000
# git bisect start 53be7c8abe115da0ea109a44829b46385e9a2240 1c3a1f32bcbdc0591d0eab67b745f1f4d3ecef6b
Bisecting: 1394 revisions left to test after this (roughly 11 steps)
[26827907c27e3842534170fb1bb2e91f4b52ae5a] drm/tegra: dsi: Make use of the helper function dev_err_probe()
determine whether the revision contains the guilty commit
checking the merge base ddcaf49990615eb5659e8f06f5bab4bc3d65c4a5
no existing result, test the revision
testing commit ddcaf49990615eb5659e8f06f5bab4bc3d65c4a5 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0566e131e1aad4e419cd57b902ac66741c1cec684d0d1b0b983928470b6c1fe0
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str, types: [UNKNOWN]
testing commit 26827907c27e3842534170fb1bb2e91f4b52ae5a gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3439ba4e834c2e2623a90821e44db001be0a3465461eb974b0e960efe87c6ded
all runs: OK
false negative chance: 0.000
# git bisect bad 26827907c27e3842534170fb1bb2e91f4b52ae5a
Bisecting: 696 revisions left to test after this (roughly 10 steps)
[0d3dab886706c9894c17df51e83e5b94948c9ce8] scsi: core: Move scsi_host_busy() out of host lock if it is for per-command
determine whether the revision contains the guilty commit
revision ddcaf49990615eb5659e8f06f5bab4bc3d65c4a5 crashed and is reachable
testing commit 0d3dab886706c9894c17df51e83e5b94948c9ce8 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5b8cd1ead0300723478b4e686de842e880c755551e2bc2bfd7e2a5582db247a4
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str, types: [UNKNOWN]
# git bisect good 0d3dab886706c9894c17df51e83e5b94948c9ce8
Bisecting: 348 revisions left to test after this (roughly 9 steps)
[aeb5ac1c9d10325991d406f16239b160db40bef0] RDMA/bnxt_re: Return error for SRQ resize
determine whether the revision contains the guilty commit
revision ddcaf49990615eb5659e8f06f5bab4bc3d65c4a5 crashed and is reachable
testing commit aeb5ac1c9d10325991d406f16239b160db40bef0 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e48d510bd2e09e84df9ac71d2f705a218e2d22fb97271a1c8b52d8f3e44cd330
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str, types: [UNKNOWN]
# git bisect good aeb5ac1c9d10325991d406f16239b160db40bef0
Bisecting: 174 revisions left to test after this (roughly 8 steps)
[2aa7bcfdbb46241c701811bbc0d64d7884e3346c] xhci: handle isoc Babble and Buffer Overrun events properly
determine whether the revision contains the guilty commit
revision aeb5ac1c9d10325991d406f16239b160db40bef0 crashed and is reachable
testing commit 2aa7bcfdbb46241c701811bbc0d64d7884e3346c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b25bb6a45cb477aa9679f4326dfb50e9d7e9b6d45815be5be7a42d957711e7e7
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str, types: [UNKNOWN]
# git bisect good 2aa7bcfdbb46241c701811bbc0d64d7884e3346c
Bisecting: 87 revisions left to test after this (roughly 7 steps)
[0f632a68804d5fd2751f1bd9a743cf9b4c087e1a] cpufreq: mediatek-hw: Wait for CPU supplies before probing
determine whether the revision contains the guilty commit
revision 0d3dab886706c9894c17df51e83e5b94948c9ce8 crashed and is reachable
testing commit 0f632a68804d5fd2751f1bd9a743cf9b4c087e1a gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6c99a341c2ae7d0494466e1cd944234a678486e93fc0d31818ea54337ec8f730
all runs: OK
false negative chance: 0.000
# git bisect bad 0f632a68804d5fd2751f1bd9a743cf9b4c087e1a
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[59be50a37f37812688547ae0f9a43947494adf0f] net/iucv: fix the allocation size of iucv_path_table array
determine whether the revision contains the guilty commit
revision 0d3dab886706c9894c17df51e83e5b94948c9ce8 crashed and is reachable
testing commit 59be50a37f37812688547ae0f9a43947494adf0f gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 304c61682366b3f7c297d1d46cda80c435cc329943d5a57b0df06d8850f1707f
all runs: OK
false negative chance: 0.000
# git bisect bad 59be50a37f37812688547ae0f9a43947494adf0f
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[36dba3f4cd36c23b5ec71ea32529c62f19e8f677] ALSA: usb-audio: Add FIXED_RATE quirk for JBL Quantum610 Wireless
determine whether the revision contains the guilty commit
revision ddcaf49990615eb5659e8f06f5bab4bc3d65c4a5 crashed and is reachable
testing commit 36dba3f4cd36c23b5ec71ea32529c62f19e8f677 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f06e1abbd38734ccbb2d0dd4ccdaed370ff7d20e44de17e76f983b4073cc6c2c
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str, types: [UNKNOWN]
# git bisect good 36dba3f4cd36c23b5ec71ea32529c62f19e8f677
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[0d7cfe2ef5a79aef337f179aa35ea57f18a2daa7] selftests: tls: use exact comparison in recv_partial
determine whether the revision contains the guilty commit
revision ddcaf49990615eb5659e8f06f5bab4bc3d65c4a5 crashed and is reachable
testing commit 0d7cfe2ef5a79aef337f179aa35ea57f18a2daa7 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5e9f7c03d321165a47c04d3527366dd018dc8953b78bcf84597cbe3191207360
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str, types: [UNKNOWN]
# git bisect good 0d7cfe2ef5a79aef337f179aa35ea57f18a2daa7
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[e524979a8a3bf9c0b6c32e9fc0a898069785f840] gen_compile_commands: fix invalid escape sequence warning
determine whether the revision contains the guilty commit
revision 36dba3f4cd36c23b5ec71ea32529c62f19e8f677 crashed and is reachable
testing commit e524979a8a3bf9c0b6c32e9fc0a898069785f840 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d0b35ba769942730c196ca8ceb1cec018a11d81ea8ee714cc2c76d377f0ef4f8
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str, types: [UNKNOWN]
# git bisect good e524979a8a3bf9c0b6c32e9fc0a898069785f840
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[7e13a78e2ba4b3c2afb28ae44c91882536f862a2] riscv: dts: sifive: add missing #interrupt-cells to pmic
determine whether the revision contains the guilty commit
revision 36dba3f4cd36c23b5ec71ea32529c62f19e8f677 crashed and is reachable
testing commit 7e13a78e2ba4b3c2afb28ae44c91882536f862a2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 359a97b928761b86297b43b232501987a3512166777f4573cfcf42a005946684
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str, types: [UNKNOWN]
# git bisect good 7e13a78e2ba4b3c2afb28ae44c91882536f862a2
Bisecting: 0 revisions left to test after this (roughly 1 step)
[e8a67fe34b76a49320b33032228a794f40b0316b] x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()
determine whether the revision contains the guilty commit
revision 36dba3f4cd36c23b5ec71ea32529c62f19e8f677 crashed and is reachable
testing commit e8a67fe34b76a49320b33032228a794f40b0316b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0798ee9d2130dd8ddc1ace4aec6d8ad1b0b4df34c410b73f31fb8f8a0af4992e
all runs: OK
false negative chance: 0.000
# git bisect bad e8a67fe34b76a49320b33032228a794f40b0316b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[e2d5cf0dcb9f824fe4e7244ddd24e3dddd7216f2] x86/mm: Move is_vsyscall_vaddr() into asm/vsyscall.h
determine whether the revision contains the guilty commit
revision 36dba3f4cd36c23b5ec71ea32529c62f19e8f677 crashed and is reachable
testing commit e2d5cf0dcb9f824fe4e7244ddd24e3dddd7216f2 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bda173a16e80c82c55e38971459e3bda0f98005ccc2c48c92eeba1acb126ffe6
all runs: crashed: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str
representative crash: BUG: unable to handle kernel paging request in bpf_probe_read_compat_str, types: [UNKNOWN]
# git bisect good e2d5cf0dcb9f824fe4e7244ddd24e3dddd7216f2
e8a67fe34b76a49320b33032228a794f40b0316b is the first bad commit
commit e8a67fe34b76a49320b33032228a794f40b0316b
Author: Hou Tao
Date:   Fri Feb 2 18:39:34 2024 +0800

    x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()

    [ Upstream commit 32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58 ]

    When trying to use copy_from_kernel_nofault() to read vsyscall page
    through a bpf program, the following oops was reported:

      BUG: unable to handle page fault for address: ffffffffff600000
      #PF: supervisor read access in kernel mode
      #PF: error_code(0x0000) - not-present page
      PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0
      Oops: 0000 [#1] PREEMPT SMP PTI
      CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......
      RIP: 0010:copy_from_kernel_nofault+0x6f/0x110
      ......
      Call Trace:
       ? copy_from_kernel_nofault+0x6f/0x110
       bpf_probe_read_kernel+0x1d/0x50
       bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d
       trace_call_bpf+0xc5/0x1c0
       perf_call_bpf_enter.isra.0+0x69/0xb0
       perf_syscall_enter+0x13e/0x200
       syscall_trace_enter+0x188/0x1c0
       do_syscall_64+0xb5/0xe0
       entry_SYSCALL_64_after_hwframe+0x6e/0x76
      ......
      ---[ end trace 0000000000000000 ]---

    The oops is triggered when:

    1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall
    page and invokes copy_from_kernel_nofault() which in turn calls
    __get_user_asm().

    2) Because the vsyscall page address is not readable from kernel space,
    a page fault exception is triggered accordingly.

    3) handle_page_fault() considers the vsyscall page address as a user
    space address instead of a kernel space address. This results in the
    fix-up setup by bpf not being applied and a page_fault_oops() is invoked
    due to SMAP.

    Considering handle_page_fault() has already considered the vsyscall page
    address as a userspace address, fix the problem by disallowing vsyscall
    page read for copy_from_kernel_nofault().

    Originally-by: Thomas Gleixner
    Reported-by: syzbot+72aa0161922eba61b50e@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/bpf/CAG48ez06TZft=ATH1qh2c5mpS5BT8UakwNkzi6nvK5_djC-4Nw@mail.gmail.com
    Reported-by: xingwei lee
    Closes: https://lore.kernel.org/bpf/CABOYnLynjBoFZOf3Z4BhaZkc5hx_kHfsjiW+UWLoB=w33LvScw@mail.gmail.com
    Signed-off-by: Hou Tao
    Reviewed-by: Sohil Mehta
    Acked-by: Thomas Gleixner
    Link: https://lore.kernel.org/r/20240202103935.3154011-3-houtao@huaweicloud.com
    Signed-off-by: Alexei Starovoitov
    Signed-off-by: Sasha Levin

 arch/x86/mm/maccess.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

accumulated error probability: 0.00
culprit signature: 0798ee9d2130dd8ddc1ace4aec6d8ad1b0b4df34c410b73f31fb8f8a0af4992e
parent signature: bda173a16e80c82c55e38971459e3bda0f98005ccc2c48c92eeba1acb126ffe6
revisions tested: 20, total time: 5h21m57.451350002s (build: 1h54m4.006991741s, test: 2h37m27.451352093s)
first good commit: e8a67fe34b76a49320b33032228a794f40b0316b x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()
recipients (to): ["ast@kernel.org" "houtao1@huawei.com" "sashal@kernel.org" "sohil.mehta@intel.com" "tglx@linutronix.de"]
recipients (cc): []