Besides, another similar bug occurred while fault injection was enabled. ==== BUG: unable to handle kernel paging request in bpf_prog_alloc_no_stats ======================================================== RAX: ffffffffffffffda RBX: 000000000059c080 RCX: 000000000047338d RDX: 0000000000000078 RSI: 0000000020000300 RDI: 0000000000000005 RBP: 00007f7e3c38fc90 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: 00007ffed3a1dd6f R14: 00007ffed3a1df10 R15: 00007f7e3c38fdc0 BUG: unable to handle page fault for address: ffff91f2077ed028 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 1810067 P4D 1810067 PUD 1915067 PMD 3b907067 PTE 0 Oops: 0002 [#1] SMP CPU: 3 PID: 17344 Comm: executor Not tainted 5.12.0-rc6+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:bpf_prog_alloc_no_stats+0x251/0x6e0 kernel/bpf/core.c:94 Code: 45 b0 4c 8d 78 28 4d 8b a5 20 03 00 00 41 8b 85 a8 0f 00 00 89 45 c8 48 83 7d a8 00 0f 85 2e 03 00 00 4c 89 ff e8 4f 18 60 00 <4c> 89 20 4d 85 e4 0f 85 27 03 00 00 49 89 1f 4d 85 e4 74 0c 49 f7 RSP: 0018:ffff89f2077cfaa8 EFLAGS: 00010286 RAX: ffff91f2077ed028 RBX: 0000096680024de8 RCX: ffff91f2077ed028 RDX: ffff99f2077ed028 RSI: 0000000000000008 RDI: ffff89f2077ed028 RBP: ffff89f2077cfb28 R08: ffffd7eb8000000f R09: ffff888b7ffd3000 R10: 000000000000037a R11: 0000000000000000 R12: 0000000000000000 R13: ffff888b1465aad8 R14: 0000000004c30000 R15: ffff89f2077ed028 FS: 00007f7e3c390700(0000) GS:ffff888b7fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff91f2077ed028 CR3: 0000000044802004 CR4: 0000000000770ee0 PKRU: 55555554 Call Trace: bpf_prog_alloc+0x74/0x310 kernel/bpf/core.c:119 bpf_prog_load kernel/bpf/syscall.c:2162 [inline] __do_sys_bpf+0x11af3/0x17290 kernel/bpf/syscall.c:4393 __se_sys_bpf+0x8e/0xa0 kernel/bpf/syscall.c:4351 __x64_sys_bpf+0x4a/0x70 kernel/bpf/syscall.c:4351 do_syscall_64+0xa2/0x120 arch/x86/entry/common.c:48 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x47338d Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f7e3c38fc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 000000000059c080 RCX: 000000000047338d RDX: 0000000000000078 RSI: 0000000020000300 RDI: 0000000000000005 RBP: 00007f7e3c38fc90 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: 00007ffed3a1dd6f R14: 00007ffed3a1df10 R15: 00007f7e3c38fdc0 Modules linked in: Dumping ftrace buffer: (ftrace buffer empty) CR2: ffff91f2077ed028 ---[ end trace bc1de9e0e1b51e8c ]--- RIP: 0010:bpf_prog_alloc_no_stats+0x251/0x6e0 kernel/bpf/core.c:94 Code: 45 b0 4c 8d 78 28 4d 8b a5 20 03 00 00 41 8b 85 a8 0f 00 00 89 45 c8 48 83 7d a8 00 0f 85 2e 03 00 00 4c 89 ff e8 4f 18 60 00 <4c> 89 20 4d 85 e4 0f 85 27 03 00 00 49 89 1f 4d 85 e4 74 0c 49 f7 RSP: 0018:ffff89f2077cfaa8 EFLAGS: 00010286 RAX: ffff91f2077ed028 RBX: 0000096680024de8 RCX: ffff91f2077ed028 RDX: ffff99f2077ed028 RSI: 0000000000000008 RDI: ffff89f2077ed028 RBP: ffff89f2077cfb28 R08: ffffd7eb8000000f R09: ffff888b7ffd3000 R10: 000000000000037a R11: 0000000000000000 R12: 0000000000000000 R13: ffff888b1465aad8 R14: 0000000004c30000 R15: ffff89f2077ed028 FS: 00007f7e3c390700(0000) GS:ffff888b7fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff91f2077ed028 CR3: 0000000044802004 CR4: 0000000000770ee0 PKRU: 55555554 The following system call sequence (Syzlang format) can reproduce the crash: # {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none Fault:true FaultCall:0 FaultNth:4 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:true USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true UseTmpDir:true HandleSegv:true Repro:false Trace:false} bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000300)=@bpf_ext={0x1c, 0x8, &(0x7f00000001c0)=@raw=[@initr0={0x18, 0x0, 0x0, 0x0, 0x4953b92f0467cc49, 0x0, 0x0, 0x0, 0xdbd689758db6b4a7}, @func={0x85, 0x0, 0x1, 0x0, 0x1}, @exit, @generic={0xd3c15618b9efaeff, 0x0, 0x0, 0x0, 0xc0fc52df13f3fbec}, @map_val={0x18, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf7a72204b1b46d92}, @jmp], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x9, [], 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0}, 0x78) Using syz-execprog can run this reproduction program directly: ./syz-execprog -repeat 0 -procs 1 -slowdown 1 -fault_call 0 -fault_nth 4 -enable tun -enable netdev -enable resetnet -enable cgroups -enable binfmt-misc -enable close_fds -enable devlinkpci -enable usb -enable vhci -enable wifi -enable ieee802154 -enable sysctl repro.prog
Attachment:
log
Description: Binary data