[syzkaller] KASAN: slab-out-of-bounds Write in tcp_init_congestion_control #182

cpaasch · 2021-04-23T17:31:46Z

==================================================================
BUG: KASAN: slab-out-of-bounds in tcp_init_congestion_control+0x378/0x400 net/ipv4/tcp_cong.c:181
Write of size 4 at addr ffff88810a3d77dc by task syz-executor.3/28134

CPU: 0 PID: 28134 Comm: syz-executor.3 Not tainted 5.12.0-rc758b5536fed9c0430019931a894ca2f389089390e #96
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0xdd/0x137 lib/dump_stack.c:120
 print_address_description.constprop.0+0x18/0x140 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
 tcp_init_congestion_control+0x378/0x400 net/ipv4/tcp_cong.c:181
 tcp_reinit_congestion_control net/ipv4/tcp_cong.c:207 [inline]
 tcp_set_congestion_control+0x6a3/0x790 net/ipv4/tcp_cong.c:377
 mptcp_setsockopt_sol_tcp_congestion net/mptcp/sockopt.c:550 [inline]
 mptcp_setsockopt_sol_tcp net/mptcp/sockopt.c:563 [inline]
 mptcp_setsockopt+0xa71/0x1430 net/mptcp/sockopt.c:599
 __sys_setsockopt+0x14f/0x360 net/socket.c:2117
 __do_sys_setsockopt net/socket.c:2128 [inline]
 __se_sys_setsockopt net/socket.c:2125 [inline]
 __x64_sys_setsockopt+0xb9/0x150 net/socket.c:2125
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f7d45c2f469
Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
RSP: 002b:00007f7d462feda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000036 RCX: 00007f7d45c2f469
RDX: 000000000000000d RSI: 0000000000000006 RDI: 0000000000000003
RBP: 0000000000000036 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000020000000 R11: 0000000000000246 R12: 000000000069c014
R13: 00007ffe3f80e0cf R14: 00007f7d462df000 R15: 0000000000000003

Allocated by task 28130:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 ____kasan_kmalloc mm/kasan/common.c:506 [inline]
 __kasan_kmalloc+0x7a/0x90 mm/kasan/common.c:515
 kmalloc include/linux/slab.h:559 [inline]
 sk_prot_alloc.constprop.0+0x118/0x230 net/core/sock.c:1703
 sk_alloc+0x2d/0x470 net/core/sock.c:1756
 inet_create net/ipv4/af_inet.c:325 [inline]
 inet_create+0x2a9/0xca0 net/ipv4/af_inet.c:248
 __sock_create+0x1e3/0x430 net/socket.c:1408
 sock_create net/socket.c:1459 [inline]
 __sys_socket+0xef/0x200 net/socket.c:1501
 __do_sys_socket net/socket.c:1510 [inline]
 __se_sys_socket net/socket.c:1508 [inline]
 __x64_sys_socket+0x6e/0xb0 net/socket.c:1508
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xae/0xc0 mm/kasan/generic.c:345
 __call_rcu kernel/rcu/tree.c:3039 [inline]
 call_rcu+0x77/0x9b0 kernel/rcu/tree.c:3114
 netlink_release+0x946/0x1410 net/netlink/af_netlink.c:810
 __sock_release+0xd2/0x280 net/socket.c:599
 sock_close+0x15/0x20 net/socket.c:1258
 __fput+0x261/0x940 fs/file_table.c:280
 task_work_run+0x105/0x1c0 kernel/task_work.c:140
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
 exit_to_user_mode_prepare+0x10a/0x110 kernel/entry/common.c:208
 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
 syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Second to last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xae/0xc0 mm/kasan/generic.c:345
 __call_rcu kernel/rcu/tree.c:3039 [inline]
 call_rcu+0x77/0x9b0 kernel/rcu/tree.c:3114
 netlink_release+0x946/0x1410 net/netlink/af_netlink.c:810
 __sock_release net/socket.c:599 [inline]
 sock_release+0x8d/0x1b0 net/socket.c:627
 netlink_kernel_release+0x4b/0x60 net/netlink/af_netlink.c:2115
 genl_pernet_exit+0x34/0x70 net/netlink/genetlink.c:1416
 ops_exit_list+0xb0/0x160 net/core/net_namespace.c:175
 cleanup_net+0x430/0x960 net/core/net_namespace.c:595
 process_one_work+0x896/0x1170 kernel/workqueue.c:2275
 worker_thread+0x605/0x1350 kernel/workqueue.c:2421
 kthread+0x344/0x410 kernel/kthread.c:292
 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the object at ffff88810a3d7000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 2012 bytes inside of
 2048-byte region [ffff88810a3d7000, ffff88810a3d7800)
The buggy address belongs to the page:
page:000000001c2238c4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10a3d0
head:000000001c2238c4 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff888100042000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88810a3d7680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
 ffff88810a3d7700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88810a3d7780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                    ^
 ffff88810a3d7800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88810a3d7880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Process accounting resumed
EXT4-fs warning (device sda): verify_group_input:131: Cannot add at group 259 (only 16 groups)
autofs4:pid:28474:autofs_fill_super: called with bogus options
autofs4:pid:28474:autofs_fill_super: called with bogus options

No reproducer

HEAD is at:
58b5536 ("DO-NOT-MERGE: mptcp: enabled by default") (HEAD, tag: export/20210422T142551, mptcp_net-next/export) (27 hours ago)
721b0ae ("DO-NOT-MERGE: mptcp: add GitHub Actions") (27 hours ago)
c407345 ("DO-NOT-MERGE: mptcp: use kmalloc on kasan build") (27 hours ago)
6630994 ("DO-NOT-MERGE: git markup: features other trees") (27 hours ago)
e16e051 ("bpf:selftests: add bpf_mptcp_sock() verifier tests") (27 hours ago)
a65406b ("bpf:selftests: add MPTCP test base") (27 hours ago)
cbae4cf ("bpf: add 'bpf_mptcp_sock' structure and helper") (27 hours ago)
e327934 ("bpf: expose is_mptcp flag to bpf_tcp_sock") (27 hours ago)
d84c6c9 ("DO-NOT-MERGE: git markup: features net-next") (27 hours ago)
2308dfc ("mptcp: remove redundant initialization in pm_nl_init_net()") (27 hours ago)
eef89f6 ("selftests: mptcp: add a test case for MSG_PEEK") (27 hours ago)
87f9d82 ("mptcp: add MSG_PEEK support") (27 hours ago)
b2c639b ("mptcp: ignore unsupported msg flags") (27 hours ago)
e55cf88 ("mptcp: implement MSG_TRUNC support") (27 hours ago)
86fdb54 ("mptcp: implement dummy MSG_ERRQUEUE support") (27 hours ago)
192ec32 ("DO-NOT-MERGE: git markup: fixes net-next") (27 hours ago)
da78719 ("DO-NOT-MERGE: git markup: fixes net") (27 hours ago)
7986ca2 ("mptcp: Retransmit DATA_FIN") (27 hours ago)
0d6192a ("mptcp: using TOKEN_MAX_RETRIES instead of magic number") (27 hours ago)
a0f3267 ("mptcp: fix pr_debug in mptcp_token_new_connect") (27 hours ago)
1710e2d ("DO-NOT-MERGE: git markup: fixes other trees") (27 hours ago)
dde4d6b ("static_call: fix unused variable warn w/o MODULE") (27 hours ago)
0a2a4a6 ("DO-NOT-MERGE: git markup: net-next") (27 hours ago)
5d86907 ("net: phy: marvell: don't use empty switch default case") (mptcp_net-next/net-next) (2 days ago) <Marek Behún>

The text was updated successfully, but these errors were encountered:

Fix BPF_CORE_READ_BITFIELD() macro used for reading CO-RE-relocatable bitfields. Missing breaks in a switch caused 8-byte reads always. This can confuse libbpf because it does strict checks that memory load size corresponds to the original size of the field, which in this case quite often would be wrong. After fixing that, we run into another problem, which quite subtle, so worth documenting here. The issue is in Clang optimization and CO-RE relocation interactions. Without that asm volatile construct (also known as barrier_var()), Clang will re-order BYTE_OFFSET and BYTE_SIZE relocations and will apply BYTE_OFFSET 4 times for each switch case arm. This will result in the same error from libbpf about mismatch of memory load size and original field size. I.e., if we were reading u32, we'd still have *(u8 *), *(u16 *), *(u32 *), and *(u64 *) memory loads, three of which will fail. Using barrier_var() forces Clang to apply BYTE_OFFSET relocation first (and once) to calculate p, after which value of p is used without relocation in each of switch case arms, doing appropiately-sized memory load. Here's the list of relevant relocations and pieces of generated BPF code before and after this patch for test_core_reloc_bitfields_direct selftests. BEFORE ===== #45: core_reloc: insn #160 --> [5] + 0:5: byte_sz --> struct core_reloc_bitfields.u32 #46: core_reloc: insn #167 --> [5] + 0:5: byte_off --> struct core_reloc_bitfields.u32 #47: core_reloc: insn #174 --> [5] + 0:5: byte_off --> struct core_reloc_bitfields.u32 #48: core_reloc: insn #178 --> [5] + 0:5: byte_off --> struct core_reloc_bitfields.u32 #49: core_reloc: insn #182 --> [5] + 0:5: byte_off --> struct core_reloc_bitfields.u32 157: 18 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r2 = 0 ll 159: 7b 12 20 01 00 00 00 00 *(u64 *)(r2 + 288) = r1 160: b7 02 00 00 04 00 00 00 r2 = 4 ; BYTE_SIZE relocation here ^^^ 161: 66 02 07 00 03 00 00 00 if w2 s> 3 goto +7 <LBB0_63> 162: 16 02 0d 00 01 00 00 00 if w2 == 1 goto +13 <LBB0_65> 163: 16 02 01 00 02 00 00 00 if w2 == 2 goto +1 <LBB0_66> 164: 05 00 12 00 00 00 00 00 goto +18 <LBB0_69> 0000000000000528 <LBB0_66>: 165: 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r1 = 0 ll 167: 69 11 08 00 00 00 00 00 r1 = *(u16 *)(r1 + 8) ; BYTE_OFFSET relo here w/ WRONG size ^^^^^^^^^^^^^^^^ 168: 05 00 0e 00 00 00 00 00 goto +14 <LBB0_69> 0000000000000548 <LBB0_63>: 169: 16 02 0a 00 04 00 00 00 if w2 == 4 goto +10 <LBB0_67> 170: 16 02 01 00 08 00 00 00 if w2 == 8 goto +1 <LBB0_68> 171: 05 00 0b 00 00 00 00 00 goto +11 <LBB0_69> 0000000000000560 <LBB0_68>: 172: 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r1 = 0 ll 174: 79 11 08 00 00 00 00 00 r1 = *(u64 *)(r1 + 8) ; BYTE_OFFSET relo here w/ WRONG size ^^^^^^^^^^^^^^^^ 175: 05 00 07 00 00 00 00 00 goto +7 <LBB0_69> 0000000000000580 <LBB0_65>: 176: 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r1 = 0 ll 178: 71 11 08 00 00 00 00 00 r1 = *(u8 *)(r1 + 8) ; BYTE_OFFSET relo here w/ WRONG size ^^^^^^^^^^^^^^^^ 179: 05 00 03 00 00 00 00 00 goto +3 <LBB0_69> 00000000000005a0 <LBB0_67>: 180: 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r1 = 0 ll 182: 61 11 08 00 00 00 00 00 r1 = *(u32 *)(r1 + 8) ; BYTE_OFFSET relo here w/ RIGHT size ^^^^^^^^^^^^^^^^ 00000000000005b8 <LBB0_69>: 183: 67 01 00 00 20 00 00 00 r1 <<= 32 184: b7 02 00 00 00 00 00 00 r2 = 0 185: 16 02 02 00 00 00 00 00 if w2 == 0 goto +2 <LBB0_71> 186: c7 01 00 00 20 00 00 00 r1 s>>= 32 187: 05 00 01 00 00 00 00 00 goto +1 <LBB0_72> 00000000000005e0 <LBB0_71>: 188: 77 01 00 00 20 00 00 00 r1 >>= 32 AFTER ===== #30: core_reloc: insn #132 --> [5] + 0:5: byte_off --> struct core_reloc_bitfields.u32 #31: core_reloc: insn #134 --> [5] + 0:5: byte_sz --> struct core_reloc_bitfields.u32 129: 18 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r2 = 0 ll 131: 7b 12 20 01 00 00 00 00 *(u64 *)(r2 + 288) = r1 132: b7 01 00 00 08 00 00 00 r1 = 8 ; BYTE_OFFSET relo here ^^^ ; no size check for non-memory dereferencing instructions 133: 0f 12 00 00 00 00 00 00 r2 += r1 134: b7 03 00 00 04 00 00 00 r3 = 4 ; BYTE_SIZE relocation here ^^^ 135: 66 03 05 00 03 00 00 00 if w3 s> 3 goto +5 <LBB0_63> 136: 16 03 09 00 01 00 00 00 if w3 == 1 goto +9 <LBB0_65> 137: 16 03 01 00 02 00 00 00 if w3 == 2 goto +1 <LBB0_66> 138: 05 00 0a 00 00 00 00 00 goto +10 <LBB0_69> 0000000000000458 <LBB0_66>: 139: 69 21 00 00 00 00 00 00 r1 = *(u16 *)(r2 + 0) ; NO CO-RE relocation here ^^^^^^^^^^^^^^^^ 140: 05 00 08 00 00 00 00 00 goto +8 <LBB0_69> 0000000000000468 <LBB0_63>: 141: 16 03 06 00 04 00 00 00 if w3 == 4 goto +6 <LBB0_67> 142: 16 03 01 00 08 00 00 00 if w3 == 8 goto +1 <LBB0_68> 143: 05 00 05 00 00 00 00 00 goto +5 <LBB0_69> 0000000000000480 <LBB0_68>: 144: 79 21 00 00 00 00 00 00 r1 = *(u64 *)(r2 + 0) ; NO CO-RE relocation here ^^^^^^^^^^^^^^^^ 145: 05 00 03 00 00 00 00 00 goto +3 <LBB0_69> 0000000000000490 <LBB0_65>: 146: 71 21 00 00 00 00 00 00 r1 = *(u8 *)(r2 + 0) ; NO CO-RE relocation here ^^^^^^^^^^^^^^^^ 147: 05 00 01 00 00 00 00 00 goto +1 <LBB0_69> 00000000000004a0 <LBB0_67>: 148: 61 21 00 00 00 00 00 00 r1 = *(u32 *)(r2 + 0) ; NO CO-RE relocation here ^^^^^^^^^^^^^^^^ 00000000000004a8 <LBB0_69>: 149: 67 01 00 00 20 00 00 00 r1 <<= 32 150: b7 02 00 00 00 00 00 00 r2 = 0 151: 16 02 02 00 00 00 00 00 if w2 == 0 goto +2 <LBB0_71> 152: c7 01 00 00 20 00 00 00 r1 s>>= 32 153: 05 00 01 00 00 00 00 00 goto +1 <LBB0_72> 00000000000004d0 <LBB0_71>: 154: 77 01 00 00 20 00 00 00 r1 >>= 323 Fixes: ee26dad ("libbpf: Add support for relocatable bitfields") Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Lorenz Bauer <lmb@cloudflare.com> Link: https://lore.kernel.org/bpf/20210426192949.416837-4-andrii@kernel.org

matttbe · 2021-04-29T16:05:27Z

Thank you for the bug report! :)

Could it eventually be due to aa1fbd9 ("mptcp: sockopt: add TCP_CONGESTION and TCP_INFO")?
cc: @fw-strlen

We can't use tcp_set_congestion_control() on an mptcp socket, as such function can end-up accessing a tcp-specific field - prior_ssthresh - causing an OOB access. To allow propagating the correct ca algo on subflow, cache the ca name at initialization time. Additionally avoid overriding the user-selected CA (if any) at clone time. Closes: #182 Fixes: aa1fbd9 ("mptcp: sockopt: add TCP_CONGESTION and TCP_INFO") Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Paolo Abeni <pabeni@redhat.com>

We can't use tcp_set_congestion_control() on an mptcp socket, as such function can end-up accessing a tcp-specific field - prior_ssthresh - causing an OOB access. To allow propagating the correct ca algo on subflow, cache the ca name at initialization time. Additionally avoid overriding the user-selected CA (if any) at clone time. Closes: #182 Fixes: aa1fbd9 ("mptcp: sockopt: add TCP_CONGESTION and TCP_INFO") Acked-by: Florian Westphal <fw@strlen.de> Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com> Signed-off-by: Paolo Abeni <pabeni@redhat.com>

We can't use tcp_set_congestion_control() on an mptcp socket, as such function can end-up accessing a tcp-specific field - prior_ssthresh - causing an OOB access. To allow propagating the correct ca algo on subflow, cache the ca name at initialization time. Additionally avoid overriding the user-selected CA (if any) at clone time. Closes: multipath-tcp/mptcp_net-next#182 Fixes: aa1fbd9 ("mptcp: sockopt: add TCP_CONGESTION and TCP_INFO") Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>

We can't use tcp_set_congestion_control() on an mptcp socket, as such function can end-up accessing a tcp-specific field - prior_ssthresh - causing an OOB access. To allow propagating the correct ca algo on subflow, cache the ca name at initialization time. Additionally avoid overriding the user-selected CA (if any) at clone time. Closes: multipath-tcp/mptcp_net-next#182 Fixes: aa1fbd9 ("mptcp: sockopt: add TCP_CONGESTION and TCP_INFO") Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>

We can't use tcp_set_congestion_control() on an mptcp socket, as such function can end-up accessing a tcp-specific field - prior_ssthresh - causing an OOB access. To allow propagating the correct ca algo on subflow, cache the ca name at initialization time. Additionally avoid overriding the user-selected CA (if any) at clone time. Closes: #182 Fixes: aa1fbd9 ("mptcp: sockopt: add TCP_CONGESTION and TCP_INFO") Acked-by: Florian Westphal <fw@strlen.de> Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com> Signed-off-by: Paolo Abeni <pabeni@redhat.com>

We can't use tcp_set_congestion_control() on an mptcp socket, as such function can end-up accessing a tcp-specific field - prior_ssthresh - causing an OOB access. To allow propagating the correct ca algo on subflow, cache the ca name at initialization time. Additionally avoid overriding the user-selected CA (if any) at clone time. Closes: multipath-tcp/mptcp_net-next#182 Fixes: aa1fbd9 ("mptcp: sockopt: add TCP_CONGESTION and TCP_INFO") Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>

This patch tests bpf_loop in pyperf and strobemeta, and measures the verifier performance of replacing the traditional for loop with bpf_loop. The results are as follows: ~strobemeta~ Baseline verification time 6808200 usec stack depth 496 processed 554252 insns (limit 1000000) max_states_per_insn 16 total_states 15878 peak_states 13489 mark_read 3110 #192 verif_scale_strobemeta:OK (unrolled loop) Using bpf_loop verification time 31589 usec stack depth 96+400 processed 1513 insns (limit 1000000) max_states_per_insn 2 total_states 106 peak_states 106 mark_read 60 #193 verif_scale_strobemeta_bpf_loop:OK ~pyperf600~ Baseline verification time 29702486 usec stack depth 368 processed 626838 insns (limit 1000000) max_states_per_insn 7 total_states 30368 peak_states 30279 mark_read 748 #182 verif_scale_pyperf600:OK (unrolled loop) Using bpf_loop verification time 148488 usec stack depth 320+40 processed 10518 insns (limit 1000000) max_states_per_insn 10 total_states 705 peak_states 517 mark_read 38 #183 verif_scale_pyperf600_bpf_loop:OK Using the bpf_loop helper led to approximately a 99% decrease in the verification time and in the number of instructions. Signed-off-by: Joanne Koong <joannekoong@fb.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20211130030622.4131246-4-joannekoong@fb.com

Somehow recently I frequently hit the following test failure with either ./test_progs or ./test_progs-cpuv4: serial_test_ptr_untrusted:PASS:skel_open 0 nsec serial_test_ptr_untrusted:PASS:lsm_attach 0 nsec serial_test_ptr_untrusted:PASS:raw_tp_attach 0 nsec serial_test_ptr_untrusted:FAIL:cmp_tp_name unexpected cmp_tp_name: actual -115 != expected 0 #182 ptr_untrusted:FAIL Further investigation found the failure is due to bpf_probe_read_user_str() where reading user-level string attr->raw_tracepoint.name is not successfully, most likely due to the string itself still in disk and not populated into memory yet. One solution is do a printf() call of the string before doing bpf syscall which will force the raw_tracepoint.name into memory. But I think a more robust solution is to use bpf_copy_from_user() which is used in sleepable program and can tolerate page fault, and the fix here used the latter approach. Signed-off-by: Yonghong Song <yonghong.song@linux.dev> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20240204194452.2785936-1-yonghong.song@linux.dev

matttbe added bug syzkaller labels Apr 23, 2021

matttbe assigned pabeni May 6, 2021

matttbe closed this as completed in 27ccb08 May 7, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[syzkaller] KASAN: slab-out-of-bounds Write in tcp_init_congestion_control #182

[syzkaller] KASAN: slab-out-of-bounds Write in tcp_init_congestion_control #182

cpaasch commented Apr 23, 2021

matttbe commented Apr 29, 2021

[syzkaller] KASAN: slab-out-of-bounds Write in tcp_init_congestion_control #182

[syzkaller] KASAN: slab-out-of-bounds Write in tcp_init_congestion_control #182

Comments

cpaasch commented Apr 23, 2021

matttbe commented Apr 29, 2021