[PATCH 5.10.y 0/1] bpf: fix warning ftrace_verify_code

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Syzkaller hit 'WARNING in ftrace_verify_code' bug.

This bug is not a vulnerability and is reproduced only when running
with root privileges on stable 5.10 kernel.

journalctl -k (v5.10.206):
... 
bpfilter: Loaded bpfilter_umh pid 2732
Started bpfilter
------------[ cut here ]------------
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4107 at arch/x86/kernel/ftrace.c:97 ftrace_verify_code+0x3e/0x80
WARNING: CPU: 1 PID: 4107 at arch/x86/kernel/ftrace.c:97 ftrace_verify_code+0x3e/0x80
Modules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter bridge stp llc qrtr bnep hid_generic usbhid uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common btusb btrtl btbcm btintel videodev bluetooth mc ecdh_generic ecc nls_utf8 nls_cp866 vfat fat coretemp hwmon x86_pkg_temp_thermal intel_powerclamp mei_hdcp kvm_intel kvm rtsx_pci_sdmmc mmc_core irqbypass crct10dif_pclmul wmi_bmof crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel crypto_simd xhci_pci mei_me ucsi_acpi ideapad_laptop cryptd xhci_pci_renesas glue_helper pcspkr typec_ucsi tiny_power_button rtsx_pci sparse_keymap xhci_hcd mei thermal typec wmi i2c_hid button fan rfkill hid acpi_pad intel_pmc_core battery video ac sch_fq_codel vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) vboxvideo
Modules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter bridge stp llc qrtr bnep hid_generic usbhid uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common btusb btrtl btbcm btintel videodev bluetooth mc ecdh_generic ecc nls_utf8 nls_cp866 vfat fat coretemp hwmon x86_pkg_temp_thermal intel_powerclamp mei_hdcp kvm_intel kvm rtsx_pci_sdmmc mmc_core irqbypass crct10dif_pclmul wmi_bmof crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel crypto_simd xhci_pci mei_me ucsi_acpi ideapad_laptop cryptd xhci_pci_renesas glue_helper pcspkr typec_ucsi tiny_power_button rtsx_pci sparse_keymap xhci_hcd mei thermal typec wmi i2c_hid button fan rfkill hid acpi_pad intel_pmc_core battery video ac sch_fq_codel vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) vboxvideo
 drm_vram_helper drm_ttm_helper ttm drm_kms_helper cec rc_core vboxsf vboxguest snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore drm msr fuse dm_mod efi_pstore efivarfs ip_tables x_tables autofs4 evdev input_leds serio_raw
 drm_vram_helper drm_ttm_helper ttm drm_kms_helper cec rc_core vboxsf vboxguest snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore drm msr fuse dm_mod efi_pstore efivarfs ip_tables x_tables autofs4 evdev input_leds serio_raw
CPU: 1 PID: 4107 Comm: repro5 Tainted: G           OE     5.10.206-std-def-alt1 #1
CPU: 1 PID: 4107 Comm: repro5 Tainted: G           OE     5.10.206-std-def-alt1 #1
Hardware name: LENOVO 82X8/LNVNB161216, BIOS LTCN30WW 11/08/2023
Hardware name: LENOVO 82X8/LNVNB161216, BIOS LTCN30WW 11/08/2023
RIP: 0010:ftrace_verify_code+0x3e/0x80
RIP: 0010:ftrace_verify_code+0x3e/0x80
Code: 25 28 00 00 00 48 89 44 24 08 31 c0 48 8d 7c 24 03 e8 56 f9 1b 00 48 85 c0 75 3e 8b 03 39 44 24 03 74 28 48 89 1d e2 1d 05 03 <0f> 0b b8 ea ff ff ff 48 8b 4c 24 08 65 48 2b 0c 25 28 00 00 00 75
Code: 25 28 00 00 00 48 89 44 24 08 31 c0 48 8d 7c 24 03 e8 56 f9 1b 00 48 85 c0 75 3e 8b 03 39 44 24 03 74 28 48 89 1d e2 1d 05 03 <0f> 0b b8 ea ff ff ff 48 8b 4c 24 08 65 48 2b 0c 25 28 00 00 00 75
RSP: 0018:ffffc90003aa7c88 EFLAGS: 00010212
RSP: 0018:ffffc90003aa7c88 EFLAGS: 00010212
RAX: 0000000000441f0f RBX: ffffffff82005684 RCX: 0000000000000010
RAX: 0000000000441f0f RBX: ffffffff82005684 RCX: 0000000000000010
RDX: 000000000f9dbb1f RSI: 0000000000000005 RDI: ffffffff8183d240
RDX: 000000000f9dbb1f RSI: 0000000000000005 RDI: ffffffff8183d240
RBP: ffff8881000607a0 R08: 0000000000000001 R09: 0000000000000000
RBP: ffff8881000607a0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R13: ffffffff840b9f40 R14: ffffffff82005684 R15: ffffffff82a6a760
R13: ffffffff840b9f40 R14: ffffffff82005684 R15: ffffffff82a6a760
FS:  00007f671d1c2640(0000) GS:ffff8882a7840000(0000) knlGS:0000000000000000
FS:  00007f671d1c2640(0000) GS:ffff8882a7840000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efd44003490 CR3: 000000013e3f2000 CR4: 0000000000750ee0
CR2: 00007efd44003490 CR3: 000000013e3f2000 CR4: 0000000000750ee0
PKRU: 55555554
PKRU: 55555554
Call Trace:
Call Trace:
 ? __warn+0x80/0x100
 ? __warn+0x80/0x100
 ? ftrace_verify_code+0x3e/0x80
 ? ftrace_verify_code+0x3e/0x80
 ? report_bug+0x9e/0xc0
 ? report_bug+0x9e/0xc0
 ? handle_bug+0x32/0xa0
 ? handle_bug+0x32/0xa0
 ? exc_invalid_op+0x14/0x70
 ? exc_invalid_op+0x14/0x70
 ? asm_exc_invalid_op+0x12/0x20
 ? asm_exc_invalid_op+0x12/0x20
 ? sk_lookup_convert_ctx_access+0x280/0x280
 ? sk_lookup_convert_ctx_access+0x280/0x280
 ? ftrace_verify_code+0x3e/0x80
 ? ftrace_verify_code+0x3e/0x80
 ? ftrace_verify_code+0x2a/0x80
 ? ftrace_verify_code+0x2a/0x80
 ftrace_replace_code+0xa6/0x190
 ftrace_replace_code+0xa6/0x190
 ftrace_modify_all_code+0xd8/0x170
 ftrace_modify_all_code+0xd8/0x170
 ftrace_run_update_code+0x13/0x70
 ftrace_run_update_code+0x13/0x70
 ftrace_startup.part.0+0xe9/0x160
 ftrace_startup.part.0+0xe9/0x160
 register_ftrace_function+0x52/0x90
 register_ftrace_function+0x52/0x90
 perf_trace_event_init+0x60/0x2b0
 perf_trace_event_init+0x60/0x2b0
 perf_trace_init+0x69/0xa0
 perf_trace_init+0x69/0xa0
 perf_tp_event_init+0x1b/0x50
 perf_tp_event_init+0x1b/0x50
 perf_try_init_event+0x42/0x130
 perf_try_init_event+0x42/0x130
 perf_event_alloc+0x5e3/0xdf0
 perf_event_alloc+0x5e3/0xdf0
 ? __alloc_fd+0x44/0x170
 ? __alloc_fd+0x44/0x170
 __do_sys_perf_event_open+0x1cd/0xec0
 __do_sys_perf_event_open+0x1cd/0xec0
 do_syscall_64+0x30/0x40
 do_syscall_64+0x30/0x40
 entry_SYSCALL_64_after_hwframe+0x62/0xc7
 entry_SYSCALL_64_after_hwframe+0x62/0xc7
RIP: 0033:0x7f671d2c0d49
RIP: 0033:0x7f671d2c0d49
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 d8 64 89 01 48
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007f671d1c1df8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RSP: 002b:00007f671d1c1df8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f671d2c0d49
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f671d2c0d49
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
RBP: 00007f671d1c1e20 R08: 0000000000000000 R09: 0000000000000000
RBP: 00007f671d1c1e20 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd562f62de
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd562f62de
R13: 00007ffd562f62df R14: 0000000000000000 R15: 00007f671d1c2640
R13: 00007ffd562f62df R14: 0000000000000000 R15: 00007f671d1c2640
---[ end trace 74a81e537b634ec5 ]---
---[ end trace 74a81e537b634ec5 ]---
------------[ ftrace bug ]------------
------------[ ftrace bug ]------------
ftrace failed to modify
ftrace failed to modify
[<ffffffff8183d240>] bpf_dispatcher_xdp_func+0x0/0x10
[<ffffffff8183d240>] bpf_dispatcher_xdp_func+0x0/0x10
 actual:   ffffffe9:ffffffbb:ffffff9d:0f:1f
 actual:   ffffffe9:ffffffbb:ffffff9d:0f:1f
 expected: 0f:1f:44:00:00
 expected: 0f:1f:44:00:00
Setting ftrace call site to call ftrace function
Setting ftrace call site to call ftrace function
ftrace record flags: 10000001
ftrace record flags: 10000001
 (1)
 (1)
                                  expected tramp: ffffffff81068ac0
------------[ cut here ]------------
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4107 at kernel/trace/ftrace.c:2075 ftrace_bug+0x22c/0x256
WARNING: CPU: 1 PID: 4107 at kernel/trace/ftrace.c:2075 ftrace_bug+0x22c/0x256
Modules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter bridge stp llc qrtr bnep hid_generic usbhid uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common btusb btrtl btbcm btintel videodev bluetooth mc ecdh_generic ecc nls_utf8 nls_cp866 vfat fat coretemp hwmon x86_pkg_temp_thermal intel_powerclamp mei_hdcp kvm_intel kvm rtsx_pci_sdmmc mmc_core irqbypass crct10dif_pclmul wmi_bmof crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel crypto_simd xhci_pci mei_me ucsi_acpi ideapad_laptop cryptd xhci_pci_renesas glue_helper pcspkr typec_ucsi tiny_power_button rtsx_pci sparse_keymap xhci_hcd mei thermal typec wmi i2c_hid button fan rfkill hid acpi_pad intel_pmc_core battery video ac sch_fq_codel vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) vboxvideo
Modules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter bridge stp llc qrtr bnep hid_generic usbhid uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common btusb btrtl btbcm btintel videodev bluetooth mc ecdh_generic ecc nls_utf8 nls_cp866 vfat fat coretemp hwmon x86_pkg_temp_thermal intel_powerclamp mei_hdcp kvm_intel kvm rtsx_pci_sdmmc mmc_core irqbypass crct10dif_pclmul wmi_bmof crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel crypto_simd xhci_pci mei_me ucsi_acpi ideapad_laptop cryptd xhci_pci_renesas glue_helper pcspkr typec_ucsi tiny_power_button rtsx_pci sparse_keymap xhci_hcd mei thermal typec wmi i2c_hid button fan rfkill hid acpi_pad intel_pmc_core battery video ac sch_fq_codel vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) vboxvideo
 drm_vram_helper drm_ttm_helper ttm drm_kms_helper cec rc_core vboxsf vboxguest snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore drm msr fuse dm_mod efi_pstore efivarfs ip_tables x_tables autofs4 evdev input_leds serio_raw
 drm_vram_helper drm_ttm_helper ttm drm_kms_helper cec rc_core vboxsf vboxguest snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore drm msr fuse dm_mod efi_pstore efivarfs ip_tables x_tables autofs4 evdev input_leds serio_raw
CPU: 1 PID: 4107 Comm: repro5 Tainted: G        W  OE     5.10.206-std-def-alt1 #1
CPU: 1 PID: 4107 Comm: repro5 Tainted: G        W  OE     5.10.206-std-def-alt1 #1
Hardware name: LENOVO 82X8/LNVNB161216, BIOS LTCN30WW 11/08/2023
Hardware name: LENOVO 82X8/LNVNB161216, BIOS LTCN30WW 11/08/2023
RIP: 0010:ftrace_bug+0x22c/0x256
RIP: 0010:ftrace_bug+0x22c/0x256
Code: ff 84 c0 74 d0 eb b4 48 c7 c7 36 4b 30 82 e8 0b c5 ff ff 48 89 ef e8 2a df 7a ff 48 c7 c7 47 4b 30 82 48 89 c6 e8 f4 c4 ff ff <0f> 0b c7 05 0f a5 2c 01 01 00 00 00 5b c7 05 14 a5 2c 01 00 00 00
Code: ff 84 c0 74 d0 eb b4 48 c7 c7 36 4b 30 82 e8 0b c5 ff ff 48 89 ef e8 2a df 7a ff 48 c7 c7 47 4b 30 82 48 89 c6 e8 f4 c4 ff ff <0f> 0b c7 05 0f a5 2c 01 01 00 00 00 5b c7 05 14 a5 2c 01 00 00 00
RSP: 0018:ffffc90003aa7c88 EFLAGS: 00010246
RSP: 0018:ffffc90003aa7c88 EFLAGS: 00010246
RAX: 0000000000000022 RBX: 00000000ffffffea RCX: ffff8882a7860808
RAX: 0000000000000022 RBX: 00000000ffffffea RCX: ffff8882a7860808
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8882a7860800
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8882a7860800
RBP: ffff8881000607a0 R08: 0000000000000000 R09: ffffc90003aa7ac8
RBP: ffff8881000607a0 R08: 0000000000000000 R09: ffffc90003aa7ac8
R10: ffffc90003aa7ac0 R11: ffffffff82ae22e8 R12: ffffffff8183d240
R10: ffffc90003aa7ac0 R11: ffffffff82ae22e8 R12: ffffffff8183d240
R13: ffffffff840b9f40 R14: ffffffff82005684 R15: ffffffff82a6a760
R13: ffffffff840b9f40 R14: ffffffff82005684 R15: ffffffff82a6a760
FS:  00007f671d1c2640(0000) GS:ffff8882a7840000(0000) knlGS:0000000000000000
FS:  00007f671d1c2640(0000) GS:ffff8882a7840000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efd44003490 CR3: 000000013e3f2000 CR4: 0000000000750ee0
CR2: 00007efd44003490 CR3: 000000013e3f2000 CR4: 0000000000750ee0
PKRU: 55555554
PKRU: 55555554
Call Trace:
Call Trace:
 ? __warn+0x80/0x100
 ? __warn+0x80/0x100
 ? ftrace_bug+0x22c/0x256
 ? ftrace_bug+0x22c/0x256
 ? report_bug+0x9e/0xc0
 ? report_bug+0x9e/0xc0
 ? handle_bug+0x32/0xa0
 ? handle_bug+0x32/0xa0
 ? exc_invalid_op+0x14/0x70
 ? exc_invalid_op+0x14/0x70
 ? asm_exc_invalid_op+0x12/0x20
 ? asm_exc_invalid_op+0x12/0x20
 ? sk_lookup_convert_ctx_access+0x280/0x280
 ? sk_lookup_convert_ctx_access+0x280/0x280
 ? ftrace_bug+0x22c/0x256
 ? ftrace_bug+0x22c/0x256
 ? ftrace_bug+0x22c/0x256
 ? ftrace_bug+0x22c/0x256
 ftrace_replace_code+0xbb/0x190
 ftrace_replace_code+0xbb/0x190
 ftrace_modify_all_code+0xd8/0x170
 ftrace_modify_all_code+0xd8/0x170
 ftrace_run_update_code+0x13/0x70
 ftrace_run_update_code+0x13/0x70
 ftrace_startup.part.0+0xe9/0x160
 ftrace_startup.part.0+0xe9/0x160
 register_ftrace_function+0x52/0x90
 register_ftrace_function+0x52/0x90
 perf_trace_event_init+0x60/0x2b0
 perf_trace_event_init+0x60/0x2b0
 perf_trace_init+0x69/0xa0
 perf_trace_init+0x69/0xa0
 perf_tp_event_init+0x1b/0x50
 perf_tp_event_init+0x1b/0x50
 perf_try_init_event+0x42/0x130
 perf_try_init_event+0x42/0x130
 perf_event_alloc+0x5e3/0xdf0
 perf_event_alloc+0x5e3/0xdf0
 ? __alloc_fd+0x44/0x170
 ? __alloc_fd+0x44/0x170
 __do_sys_perf_event_open+0x1cd/0xec0
 __do_sys_perf_event_open+0x1cd/0xec0
 do_syscall_64+0x30/0x40
 do_syscall_64+0x30/0x40
 entry_SYSCALL_64_after_hwframe+0x62/0xc7
 entry_SYSCALL_64_after_hwframe+0x62/0xc7
RIP: 0033:0x7f671d2c0d49
RIP: 0033:0x7f671d2c0d49
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 d8 64 89 01 48
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007f671d1c1df8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RSP: 002b:00007f671d1c1df8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f671d2c0d49
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f671d2c0d49
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
RBP: 00007f671d1c1e20 R08: 0000000000000000 R09: 0000000000000000
RBP: 00007f671d1c1e20 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd562f62de
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd562f62de
R13: 00007ffd562f62df R14: 0000000000000000 R15: 00007f671d1c2640
R13: 00007ffd562f62df R14: 0000000000000000 R15: 00007f671d1c2640
---[ end trace 74a81e537b634ec6 ]---
---[ end trace 74a81e537b634ec6 ]---


C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE 

#include <endian.h>
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

#include <linux/futex.h>

#ifndef __NR_bpf
#define __NR_bpf 321
#endif

static void sleep_ms(uint64_t ms)
{
	usleep(ms * 1000);
}

static uint64_t current_time_ms(void)
{
	struct timespec ts;
	if (clock_gettime(CLOCK_MONOTONIC, &ts))
	exit(1);
	return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static void thread_start(void* (*fn)(void*), void* arg)
{
	pthread_t th;
	pthread_attr_t attr;
	pthread_attr_init(&attr);
	pthread_attr_setstacksize(&attr, 128 << 10);
	int i = 0;
	for (; i < 100; i++) {
		if (pthread_create(&th, &attr, fn, arg) == 0) {
			pthread_attr_destroy(&attr);
			return;
		}
		if (errno == EAGAIN) {
			usleep(50);
			continue;
		}
		break;
	}
	exit(1);
}

#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

typedef struct {
	int state;
} event_t;

static void event_init(event_t* ev)
{
	ev->state = 0;
}

static void event_reset(event_t* ev)
{
	ev->state = 0;
}

static void event_set(event_t* ev)
{
	if (ev->state)
	exit(1);
	__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
	syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}

static void event_wait(event_t* ev)
{
	while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}

static int event_isset(event_t* ev)
{
	return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}

static int event_timedwait(event_t* ev, uint64_t timeout)
{
	uint64_t start = current_time_ms();
	uint64_t now = start;
	for (;;) {
		uint64_t remain = timeout - (now - start);
		struct timespec ts;
		ts.tv_sec = remain / 1000;
		ts.tv_nsec = (remain % 1000) * 1000 * 1000;
		syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
		if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
			return 1;
		now = current_time_ms();
		if (now - start > timeout)
			return 0;
	}
}

struct thread_t {
	int created, call;
	event_t ready, done;
};

static struct thread_t threads[16];
static void execute_call(int call);
static int running;

static void* thr(void* arg)
{
	struct thread_t* th = (struct thread_t*)arg;
	for (;;) {
		event_wait(&th->ready);
		event_reset(&th->ready);
		execute_call(th->call);
		__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
		event_set(&th->done);
	}
	return 0;
}

static void loop(void)
{
	int i, call, thread;
	for (call = 0; call < 3; call++) {
		for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
			struct thread_t* th = &threads[thread];
			if (!th->created) {
				th->created = 1;
				event_init(&th->ready);
				event_init(&th->done);
				event_set(&th->done);
				thread_start(thr, th);
			}
			if (!event_isset(&th->done))
				continue;
			event_reset(&th->done);
			th->call = call;
			__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
			event_set(&th->ready);
			event_timedwait(&th->done, 50 + (call == 0 ? 500 : 0));
			break;
		}
	}
	for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
		sleep_ms(1);
}

uint64_t r[1] = {0xffffffffffffffff};

void execute_call(int call)
{
		intptr_t res = 0;
	switch (call) {
	case 0:
*(uint32_t*)0x20000000 = 6;
*(uint32_t*)0x20000004 = 3;
*(uint64_t*)0x20000008 = 0x200000c0;
*(uint8_t*)0x200000c0 = 0x18;
STORE_BY_BITMASK(uint8_t, , 0x200000c1, 0, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x200000c1, 0, 4, 4);
*(uint16_t*)0x200000c2 = 0;
*(uint32_t*)0x200000c4 = 0;
*(uint8_t*)0x200000c8 = 0;
*(uint8_t*)0x200000c9 = 0;
*(uint16_t*)0x200000ca = 0;
*(uint32_t*)0x200000cc = 0;
*(uint8_t*)0x200000d0 = 0x95;
*(uint8_t*)0x200000d1 = 0;
*(uint16_t*)0x200000d2 = 0;
*(uint32_t*)0x200000d4 = 0;
*(uint64_t*)0x20000010 = 0x20000100;
memcpy((void*)0x20000100, "syzkaller\000", 10);
*(uint32_t*)0x20000018 = 0;
*(uint32_t*)0x2000001c = 0;
*(uint64_t*)0x20000020 = 0;
*(uint32_t*)0x20000028 = 0;
*(uint32_t*)0x2000002c = 0;
memset((void*)0x20000030, 0, 16);
*(uint32_t*)0x20000040 = 0;
*(uint32_t*)0x20000044 = 0x1b;
*(uint32_t*)0x20000048 = -1;
*(uint32_t*)0x2000004c = 8;
*(uint64_t*)0x20000050 = 0;
*(uint32_t*)0x20000058 = 0;
*(uint32_t*)0x2000005c = 0x10;
*(uint64_t*)0x20000060 = 0;
*(uint32_t*)0x20000068 = 0;
*(uint32_t*)0x2000006c = 0;
*(uint32_t*)0x20000070 = 0;
*(uint32_t*)0x20000074 = 0;
*(uint64_t*)0x20000078 = 0;
		res = syscall(__NR_bpf, 5ul, 0x20000000ul, 0x80ul);
		if (res != -1)
				r[0] = res;
		break;
	case 1:
*(uint32_t*)0x20000280 = r[0];
*(uint32_t*)0x20000284 = 0;
*(uint32_t*)0x20000288 = 0;
*(uint32_t*)0x2000028c = 0;
*(uint64_t*)0x20000290 = 0;
*(uint64_t*)0x20000298 = 0;
*(uint32_t*)0x200002a0 = 0xffffff7f;
*(uint32_t*)0x200002a4 = 0;
*(uint32_t*)0x200002a8 = 0;
*(uint32_t*)0x200002ac = 0;
*(uint64_t*)0x200002b0 = 0;
*(uint64_t*)0x200002b8 = 0;
*(uint32_t*)0x200002c0 = 0;
*(uint32_t*)0x200002c4 = 0;
		syscall(__NR_bpf, 0xaul, 0x20000280ul, 0x48ul);
		break;
	case 2:
*(uint32_t*)0x200000c0 = 2;
*(uint32_t*)0x200000c4 = 0x80;
*(uint8_t*)0x200000c8 = 1;
*(uint8_t*)0x200000c9 = 0;
*(uint8_t*)0x200000ca = 0;
*(uint8_t*)0x200000cb = 0;
*(uint32_t*)0x200000cc = 0;
*(uint64_t*)0x200000d0 = 0;
*(uint64_t*)0x200000d8 = 0;
*(uint64_t*)0x200000e0 = 0;
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 0, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 1, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 2, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 3, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 4, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 5, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 6, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 7, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 8, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 9, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 10, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 11, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 12, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 13, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 14, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 15, 2);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 17, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 18, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 19, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 20, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 21, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 22, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 23, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 24, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 25, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 26, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 27, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 28, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 29, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 30, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 31, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 32, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 33, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 34, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 35, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 36, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 37, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 38, 26);
*(uint32_t*)0x200000f0 = 0;
*(uint32_t*)0x200000f4 = 2;
*(uint64_t*)0x200000f8 = 0;
*(uint64_t*)0x20000100 = 0;
*(uint64_t*)0x20000108 = 0;
*(uint64_t*)0x20000110 = 4;
*(uint32_t*)0x20000118 = 0;
*(uint32_t*)0x2000011c = 0;
*(uint64_t*)0x20000120 = 0;
*(uint32_t*)0x20000128 = 0;
*(uint16_t*)0x2000012c = 0;
*(uint16_t*)0x2000012e = 0;
*(uint32_t*)0x20000130 = 0;
*(uint32_t*)0x20000134 = 0;
*(uint64_t*)0x20000138 = 0;
		syscall(__NR_perf_event_open, 0x200000c0ul, 0, 0ul, -1, 0ul);
		break;
	}

}
int main(void)
{
		syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
	syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
	syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
			loop();
	return 0;
}


The following adapted patch is proposed to fix the bug on the 5.10.y kernel:
[PATCH 5.10.y 1/1] bpf: Convert BPF_DISPATCHER to use static_call() (not ftrace)





[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux