[syzbot] BUG: unable to handle kernel access to user memory in schedule_tail

Dmitry Vyukov dvyukov at google.com
Thu Mar 11 06:50:16 GMT 2021


On Thu, Mar 11, 2021 at 7:40 AM Alex Ghiti <alex at ghiti.fr> wrote:
>
> Hi Ben,
>
> Le 3/10/21 à 5:24 PM, Ben Dooks a écrit :
> > On 10/03/2021 17:16, Dmitry Vyukov wrote:
> >> On Wed, Mar 10, 2021 at 5:46 PM syzbot
> >> <syzbot+e74b94fe601ab9552d69 at syzkaller.appspotmail.com> wrote:
> >>>
> >>> Hello,
> >>>
> >>> syzbot found the following issue on:
> >>>
> >>> HEAD commit:    0d7588ab riscv: process: Fix no prototype for
> >>> arch_dup_tas..
> >>> git tree:
> >>> git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
> >>> console output: https://syzkaller.appspot.com/x/log.txt?x=1212c6e6d00000
> >>> kernel config:
> >>> https://syzkaller.appspot.com/x/.config?x=e3c595255fb2d136
> >>> dashboard link:
> >>> https://syzkaller.appspot.com/bug?extid=e74b94fe601ab9552d69
> >>> userspace arch: riscv64
> >>>
> >>> Unfortunately, I don't have any reproducer for this issue yet.
> >>>
> >>> IMPORTANT: if you fix the issue, please add the following tag to the
> >>> commit:
> >>> Reported-by: syzbot+e74b94fe601ab9552d69 at syzkaller.appspotmail.com
> >>
> >> +riscv maintainers
> >>
> >> This is riscv64-specific.
> >> I've seen similar crashes in put_user in other places. It looks like
> >> put_user crashes in the user address is not mapped/protected (?).
> >
> > The unmapped case should have been handled.
> >
> > I think this issue is that the check for user-mode access added. From
> > what I read the code may be wrong in
> >
> > +    if (!user_mode(regs) && addr < TASK_SIZE &&
> > +            unlikely(!(regs->status & SR_SUM)))
> > +        die_kernel_fault("access to user memory without uaccess routines",
> > +                addr, regs);
> >
> > I think the SR_SUM check might be wrong, as I read the standard the
> > SR_SUM should be set to disable user-space access. So the check
> > should be unlikely(regs->status & SR_SUM) to say access without
> > having disabled the protection.
>
> The check that is done seems correct to me: "The SUM (permit Supervisor
> User Memory access) bit modifies the privilege with which S-mode loads
> and stores access virtual memory.  *When SUM=0, S-mode memory accesses
> to pages that are accessible by U-mode (U=1 in Figure 4.15) will fault*.
>   When SUM=1, these accesses are permitted.SUM  has  no  effect  when
> page-based  virtual  memory  is  not  in  effect".
>
> I will try to reproduce the problem locally.

Weird. It crashes with this all the time:
https://syzkaller.appspot.com/bug?extid=e74b94fe601ab9552d69

Even on trivial programs that almost don't do anything.
Maybe it's qemu bug? Do registers look sane in the dump? That SR_SUM, etc.


00:13:27 executing program 1:
openat$drirender128(0xffffffffffffff9c,
&(0x7f0000000040)='/dev/dri/renderD128\x00', 0x0, 0x0)

[  812.318182][ T4833] Unable to handle kernel access to user memory
without uaccess routines at virtual address 00000000250b60d0
[  812.322304][ T4833] Oops [#1]
[  812.323196][ T4833] Modules linked in:
[  812.324110][ T4833] CPU: 1 PID: 4833 Comm: syz-executor.1 Not
tainted 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
[  812.325862][ T4833] Hardware name: riscv-virtio,qemu (DT)
[  812.327561][ T4833] epc : schedule_tail+0x72/0xb2
[  812.328640][ T4833]  ra : schedule_tail+0x70/0xb2
[  812.330088][ T4833] epc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp
: ffffffe0238bbec0
[  812.331312][ T4833]  gp : ffffffe005d25378 tp : ffffffe00a275b00 t0
: 0000000000000000
[  812.333014][ T4833]  t1 : 0000000000000001 t2 : 00000000000f4240 s0
: ffffffe0238bbee0
[  812.334137][ T4833]  s1 : 00000000250b60d0 a0 : 0000000000000036 a1
: 0000000000000003
[  812.336063][ T4833]  a2 : 1ffffffc0cfa8b00 a3 : ffffffe0000c80cc a4
: 7f467e72c6adf800
[  812.337398][ T4833]  a5 : 0000000000000000 a6 : 0000000000f00000 a7
: ffffffe0000f8c84
[  812.339287][ T4833]  s2 : 0000000000040000 s3 : ffffffe0077a96c0 s4
: ffffffe020e67fe0
[  812.340658][ T4833]  s5 : 0000000000004020 s6 : ffffffe0077a9b58 s7
: ffffffe067d74850
[  812.342492][ T4833]  s8 : ffffffe067d73e18 s9 : 0000000000000000
s10: ffffffe00bd72280
[  812.343668][ T4833]  s11: 000000bd067bf638 t3 : 7f467e72c6adf800 t4
: ffffffc403ee7fb2
[  812.345510][ T4833]  t5 : ffffffc403ee7fba t6 : 0000000000040000
[  812.347004][ T4833] status: 0000000000000120 badaddr:
00000000250b60d0 cause: 000000000000000f
[  812.348091][ T4833] Call Trace:
[  812.349291][ T4833] [<ffffffe00008c8b0>] schedule_tail+0x72/0xb2
[  812.350796][ T4833] [<ffffffe000005570>] ret_from_exception+0x0/0x14
[  812.352799][ T4833] Dumping ftrace buffer:
[  812.354328][ T4833]    (ftrace buffer empty)
[  812.428145][ T4833] ---[ end trace 94b077e4d677ee73 ]---


00:10:42 executing program 1:
bpf$ENABLE_STATS(0x20, 0x0, 0x0)
bpf$ENABLE_STATS(0x20, 0x0, 0x0)

[  646.536862][ T5163] loop0: detected capacity change from 0 to 1
[  646.566730][ T5165] Unable to handle kernel access to user memory
without uaccess routines at virtual address 00000000032f80d0
[  646.586024][ T5165] Oops [#1]
[  646.586640][ T5165] Modules linked in:
[  646.587350][ T5165] CPU: 1 PID: 5165 Comm: syz-executor.1 Not
tainted 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
[  646.588209][ T5165] Hardware name: riscv-virtio,qemu (DT)
[  646.589019][ T5165] epc : schedule_tail+0x72/0xb2
[  646.589811][ T5165]  ra : schedule_tail+0x70/0xb2
[  646.590435][ T5165] epc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp
: ffffffe008013ec0
[  646.591142][ T5165]  gp : ffffffe005d25378 tp : ffffffe007634440 t0
: 0000000000000000
[  646.591836][ T5165]  t1 : 0000000000000001 t2 : 0000000000000008 s0
: ffffffe008013ee0
[  646.592509][ T5165]  s1 : 00000000032f80d0 a0 : 0000000000000004 a1
: 0000000000000003
[  646.593188][ T5165]  a2 : 1ffffffc0cfac500 a3 : ffffffe0000c80cc a4
: 8d229faaffda9500
[  646.593878][ T5165]  a5 : 0000000000000000 a6 : 0000000000f00000 a7
: ffffffe000082eba
[  646.594552][ T5165]  s2 : 0000000000040000 s3 : ffffffe00c82c440 s4
: ffffffe00e61ffe0
[  646.595253][ T5165]  s5 : 0000000000004000 s6 : ffffffe067d57e00 s7
: ffffffe067d57850
[  646.595938][ T5165]  s8 : ffffffe067d56e18 s9 : ffffffe067d57e00
s10: ffffffe00c82c878
[  646.596627][ T5165]  s11: 000000967ba7a1cc t3 : 8d229faaffda9500 t4
: ffffffc4011bc79b
[  646.597319][ T5165]  t5 : ffffffc4011bc79d t6 : ffffffe008de3ce8
[  646.597909][ T5165] status: 0000000000000120 badaddr:
00000000032f80d0 cause: 000000000000000f
[  646.598682][ T5165] Call Trace:
[  646.599294][ T5165] [<ffffffe00008c8b0>] schedule_tail+0x72/0xb2
[  646.600115][ T5165] [<ffffffe000005570>] ret_from_exception+0x0/0x14
[  646.601333][ T5165] Dumping ftrace buffer:
[  646.602322][ T5165]    (ftrace buffer empty)
[  646.663691][ T5165] ---[ end trace e7b7847ce74cdfca ]---





> Thanks,
>
> Alex
>
> >
> > Without this, you can end up with an infinite loop in the fault handler.
> >
> >>
> >>> Unable to handle kernel access to user memory without uaccess
> >>> routines at virtual address 000000002749f0d0
> >>> Oops [#1]
> >>> Modules linked in:
> >>> CPU: 1 PID: 4875 Comm: syz-executor.0 Not tainted
> >>> 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
> >>> Hardware name: riscv-virtio,qemu (DT)
> >>> epc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264
> >>>   ra : task_pid_vnr include/linux/sched.h:1421 [inline]
> >>>   ra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264
> >>> epc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp : ffffffe025d17ec0
> >>>   gp : ffffffe005d25378 tp : ffffffe00f0d0000 t0 : 0000000000000000
> >>>   t1 : 0000000000000001 t2 : 00000000000f4240 s0 : ffffffe025d17ee0
> >>>   s1 : 000000002749f0d0 a0 : 000000000000002a a1 : 0000000000000003
> >>>   a2 : 1ffffffc0cfac500 a3 : ffffffe0000c80cc a4 : 5ae9db91c19bbe00
> >>>   a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000082eba
> >>>   s2 : 0000000000040000 s3 : ffffffe00eef96c0 s4 : ffffffe022c77fe0
> >>>   s5 : 0000000000004000 s6 : ffffffe067d74e00 s7 : ffffffe067d74850
> >>>   s8 : ffffffe067d73e18 s9 : ffffffe067d74e00 s10: ffffffe00eef96e8
> >>>   s11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2
> >>>   t5 : ffffffc4043cafba t6 : 0000000000040000
> >>> status: 0000000000000120 badaddr: 000000002749f0d0 cause:
> >>> 000000000000000f
> >>> Call Trace:
> >>> [<ffffffe00008c8b0>] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264
> >>> [<ffffffe000005570>] ret_from_exception+0x0/0x14
> >>> Dumping ftrace buffer:
> >>>     (ftrace buffer empty)
> >>> ---[ end trace b5f8f9231dc87dda ]---
> >>>
> >>>
> >>> ---
> >>> This report is generated by a bot. It may contain errors.
> >>> See https://goo.gl/tpsmEJ for more information about syzbot.
> >>> syzbot engineers can be reached at syzkaller at googlegroups.com.
> >>>
> >>> syzbot will keep track of this issue. See:
> >>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> >>>
> >>> --
> >>> You received this message because you are subscribed to the Google
> >>> Groups "syzkaller-bugs" group.
> >>> To unsubscribe from this group and stop receiving emails from it,
> >>> send an email to syzkaller-bugs+unsubscribe at googlegroups.com.
> >>> To view this discussion on the web visit
> >>> https://groups.google.com/d/msgid/syzkaller-bugs/000000000000b74f1b05bd316729%40google.com.
> >>>
> >>
> >> _______________________________________________
> >> linux-riscv mailing list
> >> linux-riscv at lists.infradead.org
> >> http://lists.infradead.org/mailman/listinfo/linux-riscv
> >>
> >
> >



More information about the linux-riscv mailing list