xrivendell7/report Secret

## report
------------[ cut here ]------------
WARNING: CPU: 0 PID: 83417 at mm/util.c:622 kvmalloc_node+0x19f/0x1b0 mm/util.c:622
Modules linked in:
CPU: 0 PID: 83417 Comm: syz-executor.3 Not tainted 6.7.0-rc1-g7475e51b8796-dirty #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
RIP: 0010:kvmalloc_node+0x19f/0x1b0 mm/util.c:622
Code: 00 eb aa e8 d3 9d c3 ff 41 81 e4 00 20 00 00 31 ff 44 89 e6 e8 32 99 c3 ff 45 85 e4 0f 85 17 ff ff ff 31 ff e8 b2 9d c3 ff 90 <0f> 0b 90 31 ed e9 d9 fe ff ff 0f 1f 80 00 00 00 00 f3 0f 1e fa 41
RSP: 0018:ffffc90004a07b70 EFLAGS: 00010246
RAX: 0000000000001ad4 RBX: 00000037ffffcec8 RCX: 0000000000040000
RDX: ffffffff81c85fde RSI: ffffc9001273a000 RDI: 0000000000000000
RBP: 0000000000000400 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 00000000ffffffff R14: 00000000ffffff1f R15: ffff88812269cf50
FS:  00007fb6461c66c0(0000) GS:ffff888063800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b318ce000 CR3: 0000000109a49000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <TASK>
 kvmalloc include/linux/slab.h:738 [inline]
 kvmalloc_array include/linux/slab.h:756 [inline]
 kvcalloc include/linux/slab.h:761 [inline]
 bpf_uprobe_multi_link_attach+0x447/0x1020 kernel/trace/bpf_trace.c:3239
 link_create kernel/bpf/syscall.c:5012 [inline]
 __sys_bpf+0x256e/0x4cb0 kernel/bpf/syscall.c:5453
 __do_sys_bpf kernel/bpf/syscall.c:5487 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5485 [inline]
 __x64_sys_bpf+0x7d/0xc0 kernel/bpf/syscall.c:5485
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fb6476cc559
Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 77 08 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007fb6461c5d58 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007fb6476cc559
RDX: 0000000000000040 RSI: 0000000020000340 RDI: 000000000000001c
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbf8c
R13: 000000000000000b R14: 00000000004bbf80 R15: 00007fb6461a6000
 </TASK>

## repro.c
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef __NR_bpf
#define __NR_bpf 321
#endif

#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len)     \
  *(type*)(addr) =                                                   \
      htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
            (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

uint64_t r[1] = {0xffffffffffffffff};

int main(void) {
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
          /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  intptr_t res = 0;
  *(uint32_t*)0x20000140 = 2;
  *(uint32_t*)0x20000144 = 3;
  *(uint64_t*)0x20000148 = 0x20000200;
  *(uint8_t*)0x20000200 = 0x18;
  STORE_BY_BITMASK(uint8_t, , 0x20000201, 0, 0, 4);
  STORE_BY_BITMASK(uint8_t, , 0x20000201, 0, 4, 4);
  *(uint16_t*)0x20000202 = 0;
  *(uint32_t*)0x20000204 = 0;
  *(uint8_t*)0x20000208 = 0;
  *(uint8_t*)0x20000209 = 0;
  *(uint16_t*)0x2000020a = 0;
  *(uint32_t*)0x2000020c = 0;
  *(uint8_t*)0x20000210 = 0x95;
  *(uint8_t*)0x20000211 = 0;
  *(uint16_t*)0x20000212 = 0;
  *(uint32_t*)0x20000214 = 0;
  *(uint64_t*)0x20000150 = 0x20000240;
  memcpy((void*)0x20000240, "GPL\000", 4);
  *(uint32_t*)0x20000158 = 0;
  *(uint32_t*)0x2000015c = 0;
  *(uint64_t*)0x20000160 = 0;
  *(uint32_t*)0x20000168 = 0;
  *(uint32_t*)0x2000016c = 0;
  memset((void*)0x20000170, 0, 16);
  *(uint32_t*)0x20000180 = 0;
  *(uint32_t*)0x20000184 = 0x30;
  *(uint32_t*)0x20000188 = 0;
  *(uint32_t*)0x2000018c = 0;
  *(uint64_t*)0x20000190 = 0;
  *(uint32_t*)0x20000198 = 0;
  *(uint32_t*)0x2000019c = 0;
  *(uint64_t*)0x200001a0 = 0;
  *(uint32_t*)0x200001a8 = 0;
  *(uint32_t*)0x200001ac = 0;
  *(uint32_t*)0x200001b0 = 0;
  *(uint32_t*)0x200001b4 = 0;
  *(uint64_t*)0x200001b8 = 0;
  *(uint64_t*)0x200001c0 = 0;
  *(uint32_t*)0x200001c8 = 0;
  *(uint32_t*)0x200001cc = 0;
  res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000140ul, /*size=*/0x90ul);
  if (res != -1) r[0] = res;
  memcpy((void*)0x20000000, "./file0\000", 8);
  syscall(__NR_creat, /*file=*/0x20000000ul, /*mode=*/0ul);
  *(uint32_t*)0x20000340 = r[0];
  *(uint32_t*)0x20000344 = 0;
  *(uint32_t*)0x20000348 = 0x30;
  *(uint32_t*)0x2000034c = 0;
  *(uint64_t*)0x20000350 = 0x20000080;
  memcpy((void*)0x20000080, "./file0\000", 8);
  *(uint64_t*)0x20000358 = 0x200000c0;
  *(uint64_t*)0x200000c0 = 0;
  *(uint64_t*)0x20000360 = 0;
  *(uint64_t*)0x20000368 = 0;
  *(uint32_t*)0x20000370 = 0xffffff1f;
  *(uint32_t*)0x20000374 = 0;
  *(uint32_t*)0x20000378 = 0;
  syscall(__NR_bpf, /*cmd=*/0x1cul, /*arg=*/0x20000340ul, /*size=*/0x40ul);
  return 0;
}

## repro.txt
r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3, &(0x7f0000000200)=@framed, &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x30, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
creat(&(0x7f0000000000)='./file0\x00', 0x0)
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000340)={r0, 0x0, 0x30, 0x0, @val=@uprobe_multi={&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)=[0x0], 0x0, 0x0, 0xffffff1f}}, 0x40)
	------------[ cut here ]------------
	WARNING: CPU: 0 PID: 83417 at mm/util.c:622 kvmalloc_node+0x19f/0x1b0 mm/util.c:622
	Modules linked in:
	CPU: 0 PID: 83417 Comm: syz-executor.3 Not tainted 6.7.0-rc1-g7475e51b8796-dirty #2
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
	RIP: 0010:kvmalloc_node+0x19f/0x1b0 mm/util.c:622
	Code: 00 eb aa e8 d3 9d c3 ff 41 81 e4 00 20 00 00 31 ff 44 89 e6 e8 32 99 c3 ff 45 85 e4 0f 85 17 ff ff ff 31 ff e8 b2 9d c3 ff 90 <0f> 0b 90 31 ed e9 d9 fe ff ff 0f 1f 80 00 00 00 00 f3 0f 1e fa 41
	RSP: 0018:ffffc90004a07b70 EFLAGS: 00010246
	RAX: 0000000000001ad4 RBX: 00000037ffffcec8 RCX: 0000000000040000
	RDX: ffffffff81c85fde RSI: ffffc9001273a000 RDI: 0000000000000000
	RBP: 0000000000000400 R08: 0000000000000005 R09: 0000000000000000
	R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
	R13: 00000000ffffffff R14: 00000000ffffff1f R15: ffff88812269cf50
	FS: 00007fb6461c66c0(0000) GS:ffff888063800000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 0000001b318ce000 CR3: 0000000109a49000 CR4: 0000000000750ef0
	PKRU: 55555554
	Call Trace:
	<TASK>
	kvmalloc include/linux/slab.h:738 [inline]
	kvmalloc_array include/linux/slab.h:756 [inline]
	kvcalloc include/linux/slab.h:761 [inline]
	bpf_uprobe_multi_link_attach+0x447/0x1020 kernel/trace/bpf_trace.c:3239
	link_create kernel/bpf/syscall.c:5012 [inline]
	__sys_bpf+0x256e/0x4cb0 kernel/bpf/syscall.c:5453
	__do_sys_bpf kernel/bpf/syscall.c:5487 [inline]
	__se_sys_bpf kernel/bpf/syscall.c:5485 [inline]
	__x64_sys_bpf+0x7d/0xc0 kernel/bpf/syscall.c:5485
	do_syscall_x64 arch/x86/entry/common.c:51 [inline]
	do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
	entry_SYSCALL_64_after_hwframe+0x63/0x6b
	RIP: 0033:0x7fb6476cc559
	Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 77 08 0d 00 f7 d8 64 89 01 48
	RSP: 002b:00007fb6461c5d58 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
	RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007fb6476cc559
	RDX: 0000000000000040 RSI: 0000000020000340 RDI: 000000000000001c
	RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
	R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbf8c
	R13: 000000000000000b R14: 00000000004bbf80 R15: 00007fb6461a6000
	</TASK>
	// autogenerated by syzkaller (https://github.com/google/syzkaller)

	#define _GNU_SOURCE

	#include <endian.h>
	#include <stdint.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <sys/syscall.h>
	#include <sys/types.h>
	#include <unistd.h>

	#ifndef __NR_bpf
	#define __NR_bpf 321
	#endif

	#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
	#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
	(type)(addr) = \
	htobe((htobe((type)(addr)) & ~BITMASK((bf_off), (bf_len))) \| \
	(((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

	uint64_t r[1] = {0xffffffffffffffff};

	int main(void) {
	syscall(__NR_mmap, /addr=/0x1ffff000ul, /len=/0x1000ul, /prot=/0ul,
	/flags=/0x32ul, /fd=/-1, /offset=/0ul);
	syscall(__NR_mmap, /addr=/0x20000000ul, /len=/0x1000000ul, /prot=/7ul,
	/flags=/0x32ul, /fd=/-1, /offset=/0ul);
	syscall(__NR_mmap, /addr=/0x21000000ul, /len=/0x1000ul, /prot=/0ul,
	/flags=/0x32ul, /fd=/-1, /offset=/0ul);
	intptr_t res = 0;
	(uint32_t)0x20000140 = 2;
	(uint32_t)0x20000144 = 3;
	(uint64_t)0x20000148 = 0x20000200;
	(uint8_t)0x20000200 = 0x18;
	STORE_BY_BITMASK(uint8_t, , 0x20000201, 0, 0, 4);
	STORE_BY_BITMASK(uint8_t, , 0x20000201, 0, 4, 4);
	(uint16_t)0x20000202 = 0;
	(uint32_t)0x20000204 = 0;
	(uint8_t)0x20000208 = 0;
	(uint8_t)0x20000209 = 0;
	(uint16_t)0x2000020a = 0;
	(uint32_t)0x2000020c = 0;
	(uint8_t)0x20000210 = 0x95;
	(uint8_t)0x20000211 = 0;
	(uint16_t)0x20000212 = 0;
	(uint32_t)0x20000214 = 0;
	(uint64_t)0x20000150 = 0x20000240;
	memcpy((void*)0x20000240, "GPL\000", 4);
	(uint32_t)0x20000158 = 0;
	(uint32_t)0x2000015c = 0;
	(uint64_t)0x20000160 = 0;
	(uint32_t)0x20000168 = 0;
	(uint32_t)0x2000016c = 0;
	memset((void*)0x20000170, 0, 16);
	(uint32_t)0x20000180 = 0;
	(uint32_t)0x20000184 = 0x30;
	(uint32_t)0x20000188 = 0;
	(uint32_t)0x2000018c = 0;
	(uint64_t)0x20000190 = 0;
	(uint32_t)0x20000198 = 0;
	(uint32_t)0x2000019c = 0;
	(uint64_t)0x200001a0 = 0;
	(uint32_t)0x200001a8 = 0;
	(uint32_t)0x200001ac = 0;
	(uint32_t)0x200001b0 = 0;
	(uint32_t)0x200001b4 = 0;
	(uint64_t)0x200001b8 = 0;
	(uint64_t)0x200001c0 = 0;
	(uint32_t)0x200001c8 = 0;
	(uint32_t)0x200001cc = 0;
	res = syscall(__NR_bpf, /cmd=/5ul, /arg=/0x20000140ul, /size=/0x90ul);
	if (res != -1) r[0] = res;
	memcpy((void*)0x20000000, "./file0\000", 8);
	syscall(__NR_creat, /file=/0x20000000ul, /mode=/0ul);
	(uint32_t)0x20000340 = r[0];
	(uint32_t)0x20000344 = 0;
	(uint32_t)0x20000348 = 0x30;
	(uint32_t)0x2000034c = 0;
	(uint64_t)0x20000350 = 0x20000080;
	memcpy((void*)0x20000080, "./file0\000", 8);
	(uint64_t)0x20000358 = 0x200000c0;
	(uint64_t)0x200000c0 = 0;
	(uint64_t)0x20000360 = 0;
	(uint64_t)0x20000368 = 0;
	(uint32_t)0x20000370 = 0xffffff1f;
	(uint32_t)0x20000374 = 0;
	(uint32_t)0x20000378 = 0;
	syscall(__NR_bpf, /cmd=/0x1cul, /arg=/0x20000340ul, /size=/0x40ul);
	return 0;
	}
	r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3, &(0x7f0000000200)=@framed, &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x30, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
	creat(&(0x7f0000000000)='./file0\x00', 0x0)
	bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000340)={r0, 0x0, 0x30, 0x0, @val=@uprobe_multi={&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)=[0x0], 0x0, 0x0, 0xffffff1f}}, 0x40)