Syzkaller hit 'WARNING in ftrace_verify_code' bug.
This bug is not a vulnerability and is reproduced only when running
with root privileges on stable 5.10 kernel.
journalctl -k (v5.10.206):
...
bpfilter: Loaded bpfilter_umh pid 2732
Started bpfilter
------------[ cut here ]------------
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4107 at arch/x86/kernel/ftrace.c:97 ftrace_verify_code+0x3e/0x80
WARNING: CPU: 1 PID: 4107 at arch/x86/kernel/ftrace.c:97 ftrace_verify_code+0x3e/0x80
Modules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter bridge stp llc qrtr bnep hid_generic usbhid uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common btusb btrtl btbcm btintel videodev bluetooth mc ecdh_generic ecc nls_utf8 nls_cp866 vfat fat coretemp hwmon x86_pkg_temp_thermal intel_powerclamp mei_hdcp kvm_intel kvm rtsx_pci_sdmmc mmc_core irqbypass crct10dif_pclmul wmi_bmof crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel crypto_simd xhci_pci mei_me ucsi_acpi ideapad_laptop cryptd xhci_pci_renesas glue_helper pcspkr typec_ucsi tiny_power_button rtsx_pci sparse_keymap xhci_hcd mei thermal typec wmi i2c_hid button fan rfkill hid acpi_pad intel_pmc_core battery video ac sch_fq_codel vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) vboxvideo
Modules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter bridge stp llc qrtr bnep hid_generic usbhid uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common btusb btrtl btbcm btintel videodev bluetooth mc ecdh_generic ecc nls_utf8 nls_cp866 vfat fat coretemp hwmon x86_pkg_temp_thermal intel_powerclamp mei_hdcp kvm_intel kvm rtsx_pci_sdmmc mmc_core irqbypass crct10dif_pclmul wmi_bmof crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel crypto_simd xhci_pci mei_me ucsi_acpi ideapad_laptop cryptd xhci_pci_renesas glue_helper pcspkr typec_ucsi tiny_power_button rtsx_pci sparse_keymap xhci_hcd mei thermal typec wmi i2c_hid button fan rfkill hid acpi_pad intel_pmc_core battery video ac sch_fq_codel vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) vboxvideo
drm_vram_helper drm_ttm_helper ttm drm_kms_helper cec rc_core vboxsf vboxguest snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore drm msr fuse dm_mod efi_pstore efivarfs ip_tables x_tables autofs4 evdev input_leds serio_raw
drm_vram_helper drm_ttm_helper ttm drm_kms_helper cec rc_core vboxsf vboxguest snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore drm msr fuse dm_mod efi_pstore efivarfs ip_tables x_tables autofs4 evdev input_leds serio_raw
CPU: 1 PID: 4107 Comm: repro5 Tainted: G OE 5.10.206-std-def-alt1 #1
CPU: 1 PID: 4107 Comm: repro5 Tainted: G OE 5.10.206-std-def-alt1 #1
Hardware name: LENOVO 82X8/LNVNB161216, BIOS LTCN30WW 11/08/2023
Hardware name: LENOVO 82X8/LNVNB161216, BIOS LTCN30WW 11/08/2023
RIP: 0010:ftrace_verify_code+0x3e/0x80
RIP: 0010:ftrace_verify_code+0x3e/0x80
Code: 25 28 00 00 00 48 89 44 24 08 31 c0 48 8d 7c 24 03 e8 56 f9 1b 00 48 85 c0 75 3e 8b 03 39 44 24 03 74 28 48 89 1d e2 1d 05 03 <0f> 0b b8 ea ff ff ff 48 8b 4c 24 08 65 48 2b 0c 25 28 00 00 00 75
Code: 25 28 00 00 00 48 89 44 24 08 31 c0 48 8d 7c 24 03 e8 56 f9 1b 00 48 85 c0 75 3e 8b 03 39 44 24 03 74 28 48 89 1d e2 1d 05 03 <0f> 0b b8 ea ff ff ff 48 8b 4c 24 08 65 48 2b 0c 25 28 00 00 00 75
RSP: 0018:ffffc90003aa7c88 EFLAGS: 00010212
RSP: 0018:ffffc90003aa7c88 EFLAGS: 00010212
RAX: 0000000000441f0f RBX: ffffffff82005684 RCX: 0000000000000010
RAX: 0000000000441f0f RBX: ffffffff82005684 RCX: 0000000000000010
RDX: 000000000f9dbb1f RSI: 0000000000000005 RDI: ffffffff8183d240
RDX: 000000000f9dbb1f RSI: 0000000000000005 RDI: ffffffff8183d240
RBP: ffff8881000607a0 R08: 0000000000000001 R09: 0000000000000000
RBP: ffff8881000607a0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R13: ffffffff840b9f40 R14: ffffffff82005684 R15: ffffffff82a6a760
R13: ffffffff840b9f40 R14: ffffffff82005684 R15: ffffffff82a6a760
FS: 00007f671d1c2640(0000) GS:ffff8882a7840000(0000) knlGS:0000000000000000
FS: 00007f671d1c2640(0000) GS:ffff8882a7840000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efd44003490 CR3: 000000013e3f2000 CR4: 0000000000750ee0
CR2: 00007efd44003490 CR3: 000000013e3f2000 CR4: 0000000000750ee0
PKRU: 55555554
PKRU: 55555554
Call Trace:
Call Trace:
? __warn+0x80/0x100
? __warn+0x80/0x100
? ftrace_verify_code+0x3e/0x80
? ftrace_verify_code+0x3e/0x80
? report_bug+0x9e/0xc0
? report_bug+0x9e/0xc0
? handle_bug+0x32/0xa0
? handle_bug+0x32/0xa0
? exc_invalid_op+0x14/0x70
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x12/0x20
? asm_exc_invalid_op+0x12/0x20
? sk_lookup_convert_ctx_access+0x280/0x280
? sk_lookup_convert_ctx_access+0x280/0x280
? ftrace_verify_code+0x3e/0x80
? ftrace_verify_code+0x3e/0x80
? ftrace_verify_code+0x2a/0x80
? ftrace_verify_code+0x2a/0x80
ftrace_replace_code+0xa6/0x190
ftrace_replace_code+0xa6/0x190
ftrace_modify_all_code+0xd8/0x170
ftrace_modify_all_code+0xd8/0x170
ftrace_run_update_code+0x13/0x70
ftrace_run_update_code+0x13/0x70
ftrace_startup.part.0+0xe9/0x160
ftrace_startup.part.0+0xe9/0x160
register_ftrace_function+0x52/0x90
register_ftrace_function+0x52/0x90
perf_trace_event_init+0x60/0x2b0
perf_trace_event_init+0x60/0x2b0
perf_trace_init+0x69/0xa0
perf_trace_init+0x69/0xa0
perf_tp_event_init+0x1b/0x50
perf_tp_event_init+0x1b/0x50
perf_try_init_event+0x42/0x130
perf_try_init_event+0x42/0x130
perf_event_alloc+0x5e3/0xdf0
perf_event_alloc+0x5e3/0xdf0
? __alloc_fd+0x44/0x170
? __alloc_fd+0x44/0x170
__do_sys_perf_event_open+0x1cd/0xec0
__do_sys_perf_event_open+0x1cd/0xec0
do_syscall_64+0x30/0x40
do_syscall_64+0x30/0x40
entry_SYSCALL_64_after_hwframe+0x62/0xc7
entry_SYSCALL_64_after_hwframe+0x62/0xc7
RIP: 0033:0x7f671d2c0d49
RIP: 0033:0x7f671d2c0d49
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 d8 64 89 01 48
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007f671d1c1df8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RSP: 002b:00007f671d1c1df8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f671d2c0d49
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f671d2c0d49
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
RBP: 00007f671d1c1e20 R08: 0000000000000000 R09: 0000000000000000
RBP: 00007f671d1c1e20 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd562f62de
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd562f62de
R13: 00007ffd562f62df R14: 0000000000000000 R15: 00007f671d1c2640
R13: 00007ffd562f62df R14: 0000000000000000 R15: 00007f671d1c2640
---[ end trace 74a81e537b634ec5 ]---
---[ end trace 74a81e537b634ec5 ]---
------------[ ftrace bug ]------------
------------[ ftrace bug ]------------
ftrace failed to modify
ftrace failed to modify
[<ffffffff8183d240>] bpf_dispatcher_xdp_func+0x0/0x10
[<ffffffff8183d240>] bpf_dispatcher_xdp_func+0x0/0x10
actual: ffffffe9:ffffffbb:ffffff9d:0f:1f
actual: ffffffe9:ffffffbb:ffffff9d:0f:1f
expected: 0f:1f:44:00:00
expected: 0f:1f:44:00:00
Setting ftrace call site to call ftrace function
Setting ftrace call site to call ftrace function
ftrace record flags: 10000001
ftrace record flags: 10000001
(1)
(1)
expected tramp: ffffffff81068ac0
------------[ cut here ]------------
------------[ cut here ]------------
WARNING: CPU: 1 PID: 4107 at kernel/trace/ftrace.c:2075 ftrace_bug+0x22c/0x256
WARNING: CPU: 1 PID: 4107 at kernel/trace/ftrace.c:2075 ftrace_bug+0x22c/0x256
Modules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter bridge stp llc qrtr bnep hid_generic usbhid uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common btusb btrtl btbcm btintel videodev bluetooth mc ecdh_generic ecc nls_utf8 nls_cp866 vfat fat coretemp hwmon x86_pkg_temp_thermal intel_powerclamp mei_hdcp kvm_intel kvm rtsx_pci_sdmmc mmc_core irqbypass crct10dif_pclmul wmi_bmof crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel crypto_simd xhci_pci mei_me ucsi_acpi ideapad_laptop cryptd xhci_pci_renesas glue_helper pcspkr typec_ucsi tiny_power_button rtsx_pci sparse_keymap xhci_hcd mei thermal typec wmi i2c_hid button fan rfkill hid acpi_pad intel_pmc_core battery video ac sch_fq_codel vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) vboxvideo
Modules linked in: xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter bridge stp llc qrtr bnep hid_generic usbhid uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common btusb btrtl btbcm btintel videodev bluetooth mc ecdh_generic ecc nls_utf8 nls_cp866 vfat fat coretemp hwmon x86_pkg_temp_thermal intel_powerclamp mei_hdcp kvm_intel kvm rtsx_pci_sdmmc mmc_core irqbypass crct10dif_pclmul wmi_bmof crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel crypto_simd xhci_pci mei_me ucsi_acpi ideapad_laptop cryptd xhci_pci_renesas glue_helper pcspkr typec_ucsi tiny_power_button rtsx_pci sparse_keymap xhci_hcd mei thermal typec wmi i2c_hid button fan rfkill hid acpi_pad intel_pmc_core battery video ac sch_fq_codel vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) vboxvideo
drm_vram_helper drm_ttm_helper ttm drm_kms_helper cec rc_core vboxsf vboxguest snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore drm msr fuse dm_mod efi_pstore efivarfs ip_tables x_tables autofs4 evdev input_leds serio_raw
drm_vram_helper drm_ttm_helper ttm drm_kms_helper cec rc_core vboxsf vboxguest snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore drm msr fuse dm_mod efi_pstore efivarfs ip_tables x_tables autofs4 evdev input_leds serio_raw
CPU: 1 PID: 4107 Comm: repro5 Tainted: G W OE 5.10.206-std-def-alt1 #1
CPU: 1 PID: 4107 Comm: repro5 Tainted: G W OE 5.10.206-std-def-alt1 #1
Hardware name: LENOVO 82X8/LNVNB161216, BIOS LTCN30WW 11/08/2023
Hardware name: LENOVO 82X8/LNVNB161216, BIOS LTCN30WW 11/08/2023
RIP: 0010:ftrace_bug+0x22c/0x256
RIP: 0010:ftrace_bug+0x22c/0x256
Code: ff 84 c0 74 d0 eb b4 48 c7 c7 36 4b 30 82 e8 0b c5 ff ff 48 89 ef e8 2a df 7a ff 48 c7 c7 47 4b 30 82 48 89 c6 e8 f4 c4 ff ff <0f> 0b c7 05 0f a5 2c 01 01 00 00 00 5b c7 05 14 a5 2c 01 00 00 00
Code: ff 84 c0 74 d0 eb b4 48 c7 c7 36 4b 30 82 e8 0b c5 ff ff 48 89 ef e8 2a df 7a ff 48 c7 c7 47 4b 30 82 48 89 c6 e8 f4 c4 ff ff <0f> 0b c7 05 0f a5 2c 01 01 00 00 00 5b c7 05 14 a5 2c 01 00 00 00
RSP: 0018:ffffc90003aa7c88 EFLAGS: 00010246
RSP: 0018:ffffc90003aa7c88 EFLAGS: 00010246
RAX: 0000000000000022 RBX: 00000000ffffffea RCX: ffff8882a7860808
RAX: 0000000000000022 RBX: 00000000ffffffea RCX: ffff8882a7860808
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8882a7860800
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8882a7860800
RBP: ffff8881000607a0 R08: 0000000000000000 R09: ffffc90003aa7ac8
RBP: ffff8881000607a0 R08: 0000000000000000 R09: ffffc90003aa7ac8
R10: ffffc90003aa7ac0 R11: ffffffff82ae22e8 R12: ffffffff8183d240
R10: ffffc90003aa7ac0 R11: ffffffff82ae22e8 R12: ffffffff8183d240
R13: ffffffff840b9f40 R14: ffffffff82005684 R15: ffffffff82a6a760
R13: ffffffff840b9f40 R14: ffffffff82005684 R15: ffffffff82a6a760
FS: 00007f671d1c2640(0000) GS:ffff8882a7840000(0000) knlGS:0000000000000000
FS: 00007f671d1c2640(0000) GS:ffff8882a7840000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efd44003490 CR3: 000000013e3f2000 CR4: 0000000000750ee0
CR2: 00007efd44003490 CR3: 000000013e3f2000 CR4: 0000000000750ee0
PKRU: 55555554
PKRU: 55555554
Call Trace:
Call Trace:
? __warn+0x80/0x100
? __warn+0x80/0x100
? ftrace_bug+0x22c/0x256
? ftrace_bug+0x22c/0x256
? report_bug+0x9e/0xc0
? report_bug+0x9e/0xc0
? handle_bug+0x32/0xa0
? handle_bug+0x32/0xa0
? exc_invalid_op+0x14/0x70
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x12/0x20
? asm_exc_invalid_op+0x12/0x20
? sk_lookup_convert_ctx_access+0x280/0x280
? sk_lookup_convert_ctx_access+0x280/0x280
? ftrace_bug+0x22c/0x256
? ftrace_bug+0x22c/0x256
? ftrace_bug+0x22c/0x256
? ftrace_bug+0x22c/0x256
ftrace_replace_code+0xbb/0x190
ftrace_replace_code+0xbb/0x190
ftrace_modify_all_code+0xd8/0x170
ftrace_modify_all_code+0xd8/0x170
ftrace_run_update_code+0x13/0x70
ftrace_run_update_code+0x13/0x70
ftrace_startup.part.0+0xe9/0x160
ftrace_startup.part.0+0xe9/0x160
register_ftrace_function+0x52/0x90
register_ftrace_function+0x52/0x90
perf_trace_event_init+0x60/0x2b0
perf_trace_event_init+0x60/0x2b0
perf_trace_init+0x69/0xa0
perf_trace_init+0x69/0xa0
perf_tp_event_init+0x1b/0x50
perf_tp_event_init+0x1b/0x50
perf_try_init_event+0x42/0x130
perf_try_init_event+0x42/0x130
perf_event_alloc+0x5e3/0xdf0
perf_event_alloc+0x5e3/0xdf0
? __alloc_fd+0x44/0x170
? __alloc_fd+0x44/0x170
__do_sys_perf_event_open+0x1cd/0xec0
__do_sys_perf_event_open+0x1cd/0xec0
do_syscall_64+0x30/0x40
do_syscall_64+0x30/0x40
entry_SYSCALL_64_after_hwframe+0x62/0xc7
entry_SYSCALL_64_after_hwframe+0x62/0xc7
RIP: 0033:0x7f671d2c0d49
RIP: 0033:0x7f671d2c0d49
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 d8 64 89 01 48
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007f671d1c1df8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RSP: 002b:00007f671d1c1df8 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f671d2c0d49
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f671d2c0d49
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
RBP: 00007f671d1c1e20 R08: 0000000000000000 R09: 0000000000000000
RBP: 00007f671d1c1e20 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd562f62de
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd562f62de
R13: 00007ffd562f62df R14: 0000000000000000 R15: 00007f671d1c2640
R13: 00007ffd562f62df R14: 0000000000000000 R15: 00007f671d1c2640
---[ end trace 74a81e537b634ec6 ]---
---[ end trace 74a81e537b634ec6 ]---
C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>
#include <linux/futex.h>
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static void thread_start(void* (*fn)(void*), void* arg)
{
pthread_t th;
pthread_attr_t attr;
pthread_attr_init(&attr);
pthread_attr_setstacksize(&attr, 128 << 10);
int i = 0;
for (; i < 100; i++) {
if (pthread_create(&th, &attr, fn, arg) == 0) {
pthread_attr_destroy(&attr);
return;
}
if (errno == EAGAIN) {
usleep(50);
continue;
}
break;
}
exit(1);
}
#define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
typedef struct {
int state;
} event_t;
static void event_init(event_t* ev)
{
ev->state = 0;
}
static void event_reset(event_t* ev)
{
ev->state = 0;
}
static void event_set(event_t* ev)
{
if (ev->state)
exit(1);
__atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE);
syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000);
}
static void event_wait(event_t* ev)
{
while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0);
}
static int event_isset(event_t* ev)
{
return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE);
}
static int event_timedwait(event_t* ev, uint64_t timeout)
{
uint64_t start = current_time_ms();
uint64_t now = start;
for (;;) {
uint64_t remain = timeout - (now - start);
struct timespec ts;
ts.tv_sec = remain / 1000;
ts.tv_nsec = (remain % 1000) * 1000 * 1000;
syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts);
if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE))
return 1;
now = current_time_ms();
if (now - start > timeout)
return 0;
}
}
struct thread_t {
int created, call;
event_t ready, done;
};
static struct thread_t threads[16];
static void execute_call(int call);
static int running;
static void* thr(void* arg)
{
struct thread_t* th = (struct thread_t*)arg;
for (;;) {
event_wait(&th->ready);
event_reset(&th->ready);
execute_call(th->call);
__atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
event_set(&th->done);
}
return 0;
}
static void loop(void)
{
int i, call, thread;
for (call = 0; call < 3; call++) {
for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) {
struct thread_t* th = &threads[thread];
if (!th->created) {
th->created = 1;
event_init(&th->ready);
event_init(&th->done);
event_set(&th->done);
thread_start(thr, th);
}
if (!event_isset(&th->done))
continue;
event_reset(&th->done);
th->call = call;
__atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
event_set(&th->ready);
event_timedwait(&th->done, 50 + (call == 0 ? 500 : 0));
break;
}
}
for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++)
sleep_ms(1);
}
uint64_t r[1] = {0xffffffffffffffff};
void execute_call(int call)
{
intptr_t res = 0;
switch (call) {
case 0:
*(uint32_t*)0x20000000 = 6;
*(uint32_t*)0x20000004 = 3;
*(uint64_t*)0x20000008 = 0x200000c0;
*(uint8_t*)0x200000c0 = 0x18;
STORE_BY_BITMASK(uint8_t, , 0x200000c1, 0, 0, 4);
STORE_BY_BITMASK(uint8_t, , 0x200000c1, 0, 4, 4);
*(uint16_t*)0x200000c2 = 0;
*(uint32_t*)0x200000c4 = 0;
*(uint8_t*)0x200000c8 = 0;
*(uint8_t*)0x200000c9 = 0;
*(uint16_t*)0x200000ca = 0;
*(uint32_t*)0x200000cc = 0;
*(uint8_t*)0x200000d0 = 0x95;
*(uint8_t*)0x200000d1 = 0;
*(uint16_t*)0x200000d2 = 0;
*(uint32_t*)0x200000d4 = 0;
*(uint64_t*)0x20000010 = 0x20000100;
memcpy((void*)0x20000100, "syzkaller\000", 10);
*(uint32_t*)0x20000018 = 0;
*(uint32_t*)0x2000001c = 0;
*(uint64_t*)0x20000020 = 0;
*(uint32_t*)0x20000028 = 0;
*(uint32_t*)0x2000002c = 0;
memset((void*)0x20000030, 0, 16);
*(uint32_t*)0x20000040 = 0;
*(uint32_t*)0x20000044 = 0x1b;
*(uint32_t*)0x20000048 = -1;
*(uint32_t*)0x2000004c = 8;
*(uint64_t*)0x20000050 = 0;
*(uint32_t*)0x20000058 = 0;
*(uint32_t*)0x2000005c = 0x10;
*(uint64_t*)0x20000060 = 0;
*(uint32_t*)0x20000068 = 0;
*(uint32_t*)0x2000006c = 0;
*(uint32_t*)0x20000070 = 0;
*(uint32_t*)0x20000074 = 0;
*(uint64_t*)0x20000078 = 0;
res = syscall(__NR_bpf, 5ul, 0x20000000ul, 0x80ul);
if (res != -1)
r[0] = res;
break;
case 1:
*(uint32_t*)0x20000280 = r[0];
*(uint32_t*)0x20000284 = 0;
*(uint32_t*)0x20000288 = 0;
*(uint32_t*)0x2000028c = 0;
*(uint64_t*)0x20000290 = 0;
*(uint64_t*)0x20000298 = 0;
*(uint32_t*)0x200002a0 = 0xffffff7f;
*(uint32_t*)0x200002a4 = 0;
*(uint32_t*)0x200002a8 = 0;
*(uint32_t*)0x200002ac = 0;
*(uint64_t*)0x200002b0 = 0;
*(uint64_t*)0x200002b8 = 0;
*(uint32_t*)0x200002c0 = 0;
*(uint32_t*)0x200002c4 = 0;
syscall(__NR_bpf, 0xaul, 0x20000280ul, 0x48ul);
break;
case 2:
*(uint32_t*)0x200000c0 = 2;
*(uint32_t*)0x200000c4 = 0x80;
*(uint8_t*)0x200000c8 = 1;
*(uint8_t*)0x200000c9 = 0;
*(uint8_t*)0x200000ca = 0;
*(uint8_t*)0x200000cb = 0;
*(uint32_t*)0x200000cc = 0;
*(uint64_t*)0x200000d0 = 0;
*(uint64_t*)0x200000d8 = 0;
*(uint64_t*)0x200000e0 = 0;
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 0, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 1, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 2, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 3, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 4, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 5, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 6, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 7, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 8, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 9, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 10, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 11, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 12, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 13, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 14, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 15, 2);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 17, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 18, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 19, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 20, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 21, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 22, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 23, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 24, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 25, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 26, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 27, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 28, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 29, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 30, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 31, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 32, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 33, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 34, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 35, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 36, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 37, 1);
STORE_BY_BITMASK(uint64_t, , 0x200000e8, 0, 38, 26);
*(uint32_t*)0x200000f0 = 0;
*(uint32_t*)0x200000f4 = 2;
*(uint64_t*)0x200000f8 = 0;
*(uint64_t*)0x20000100 = 0;
*(uint64_t*)0x20000108 = 0;
*(uint64_t*)0x20000110 = 4;
*(uint32_t*)0x20000118 = 0;
*(uint32_t*)0x2000011c = 0;
*(uint64_t*)0x20000120 = 0;
*(uint32_t*)0x20000128 = 0;
*(uint16_t*)0x2000012c = 0;
*(uint16_t*)0x2000012e = 0;
*(uint32_t*)0x20000130 = 0;
*(uint32_t*)0x20000134 = 0;
*(uint64_t*)0x20000138 = 0;
syscall(__NR_perf_event_open, 0x200000c0ul, 0, 0ul, -1, 0ul);
break;
}
}
int main(void)
{
syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
loop();
return 0;
}
The following adapted patch is proposed to fix the bug on the 5.10.y kernel:
[PATCH 5.10.y 1/1] bpf: Convert BPF_DISPATCHER to use static_call() (not ftrace)
