TITLE: KMSAN: uninit-value in __bpf_strtoull | |
CORRUPTED: false () | |
MAINTAINERS (TO): [linux-kernel@vger.kernel.org] | |
MAINTAINERS (CC): [andrii@kernel.org ast@kernel.org bpf@vger.kernel.org daniel@iogearbox.net eddyz87@gmail.com haoluo@google.com john.fastabend@gmail.com jolsa@kernel.org kpsingh@kernel.org martin.lau@linux.dev sdf@google.com song@kernel.org yonghong.song@linux.dev] | |
===================================================== | |
BUG: KMSAN: uninit-value in __bpf_strtoull+0x292/0x690 kernel/bpf/helpers.c:465 | |
__bpf_strtoull+0x292/0x690 kernel/bpf/helpers.c:465 | |
__bpf_strtoll kernel/bpf/helpers.c:504 [inline] | |
____bpf_strtol kernel/bpf/helpers.c:525 [inline] | |
bpf_strtol+0x87/0x2c0 kernel/bpf/helpers.c:519 | |
___bpf_prog_run+0x14de/0xec60 kernel/bpf/core.c:1997 | |
__bpf_prog_run96+0xc0/0xf0 kernel/bpf/core.c:2236 | |
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] | |
__bpf_prog_run include/linux/filter.h:657 [inline] | |
bpf_prog_run_xdp include/net/xdp.h:514 [inline] | |
bpf_test_run+0x464/0xcc0 net/bpf/test_run.c:423 | |
bpf_prog_test_run_xdp+0x101c/0x1c70 net/bpf/test_run.c:1269 | |
bpf_prog_test_run+0x754/0xba0 kernel/bpf/syscall.c:4240 | |
__sys_bpf+0x7a6/0x1010 kernel/bpf/syscall.c:5649 | |
__do_sys_bpf kernel/bpf/syscall.c:5738 [inline] | |
__se_sys_bpf kernel/bpf/syscall.c:5736 [inline] | |
__x64_sys_bpf+0xa9/0xf0 kernel/bpf/syscall.c:5736 | |
do_syscall_64+0xd5/0x1f0 | |
entry_SYSCALL_64_after_hwframe+0x6d/0x75 | |
Local variable stack created at: | |
__bpf_prog_run96+0x50/0xf0 kernel/bpf/core.c:2236 | |
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] | |
__bpf_prog_run include/linux/filter.h:657 [inline] | |
bpf_prog_run_xdp include/net/xdp.h:514 [inline] | |
bpf_test_run+0x464/0xcc0 net/bpf/test_run.c:423 | |
CPU: 2 PID: 8031 Comm: 6be Not tainted 6.8.0-05242-g32fa4366cc4d #3 | |
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 | |
===================================================== | |
TITLE: kernel panic: kmsan.panic set ... | |
CORRUPTED: false () | |
MAINTAINERS (TO): [linux-kernel@vger.kernel.org] | |
MAINTAINERS (CC): [andrii@kernel.org ast@kernel.org bpf@vger.kernel.org daniel@iogearbox.net eddyz87@gmail.com haoluo@google.com john.fastabend@gmail.com jolsa@kernel.org kpsingh@kernel.org martin.lau@linux.dev sdf@google.com song@kernel.org yonghong.song@linux.dev] | |
__bpf_strtoull+0x292/0x690 kernel/bpf/helpers.c:465 | |
__bpf_strtoll kernel/bpf/helpers.c:504 [inline] | |
____bpf_strtol kernel/bpf/helpers.c:525 [inline] | |
bpf_strtol+0x87/0x2c0 kernel/bpf/helpers.c:519 | |
___bpf_prog_run+0x14de/0xec60 kernel/bpf/core.c:1997 | |
__bpf_prog_run96+0xc0/0xf0 kernel/bpf/core.c:2236 | |
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] | |
__bpf_prog_run include/linux/filter.h:657 [inline] | |
bpf_prog_run_xdp include/net/xdp.h:514 [inline] | |
bpf_test_run+0x464/0xcc0 net/bpf/test_run.c:423 | |
bpf_prog_test_run_xdp+0x101c/0x1c70 net/bpf/test_run.c:1269 | |
bpf_prog_test_run+0x754/0xba0 kernel/bpf/syscall.c:4240 | |
__sys_bpf+0x7a6/0x1010 kernel/bpf/syscall.c:5649 | |
__do_sys_bpf kernel/bpf/syscall.c:5738 [inline] | |
__se_sys_bpf kernel/bpf/syscall.c:5736 [inline] | |
__x64_sys_bpf+0xa9/0xf0 kernel/bpf/syscall.c:5736 | |
do_syscall_64+0xd5/0x1f0 | |
entry_SYSCALL_64_after_hwframe+0x6d/0x75 | |
Local variable stack created at: | |
__bpf_prog_run96+0x50/0xf0 kernel/bpf/core.c:2236 | |
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] | |
__bpf_prog_run include/linux/filter.h:657 [inline] | |
bpf_prog_run_xdp include/net/xdp.h:514 [inline] | |
bpf_test_run+0x464/0xcc0 net/bpf/test_run.c:423 | |
CPU: 2 PID: 8031 Comm: 6be Not tainted 6.8.0-05242-g32fa4366cc4d #3 | |
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 | |
===================================================== | |
Disabling lock debugging due to kernel taint | |
Kernel panic - not syncing: kmsan.panic set ... | |
CPU: 2 PID: 8031 Comm: 6be Tainted: G B 6.8.0-05242-g32fa4366cc4d #3 | |
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 | |
Call Trace: | |
<TASK> | |
__dump_stack lib/dump_stack.c:88 [inline] | |
dump_stack_lvl+0x1f7/0x290 lib/dump_stack.c:106 | |
dump_stack+0x29/0x30 lib/dump_stack.c:113 | |
panic+0x506/0xd80 kernel/panic.c:344 | |
kmsan_report+0x2d5/0x2e0 mm/kmsan/report.c:216 | |
__msan_warning+0x95/0x120 mm/kmsan/instrumentation.c:317 | |
__bpf_strtoull+0x292/0x690 kernel/bpf/helpers.c:465 | |
__bpf_strtoll kernel/bpf/helpers.c:504 [inline] | |
____bpf_strtol kernel/bpf/helpers.c:525 [inline] | |
bpf_strtol+0x87/0x2c0 kernel/bpf/helpers.c:519 | |
___bpf_prog_run+0x14de/0xec60 kernel/bpf/core.c:1997 | |
__bpf_prog_run96+0xc0/0xf0 kernel/bpf/core.c:2236 | |
bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline] | |
__bpf_prog_run include/linux/filter.h:657 [inline] | |
bpf_prog_run_xdp include/net/xdp.h:514 [inline] | |
bpf_test_run+0x464/0xcc0 net/bpf/test_run.c:423 | |
bpf_prog_test_run_xdp+0x101c/0x1c70 net/bpf/test_run.c:1269 | |
bpf_prog_test_run+0x754/0xba0 kernel/bpf/syscall.c:4240 | |
__sys_bpf+0x7a6/0x1010 kernel/bpf/syscall.c:5649 | |
__do_sys_bpf kernel/bpf/syscall.c:5738 [inline] | |
__se_sys_bpf kernel/bpf/syscall.c:5736 [inline] | |
__x64_sys_bpf+0xa9/0xf0 kernel/bpf/syscall.c:5736 | |
do_syscall_64+0xd5/0x1f0 | |
entry_SYSCALL_64_after_hwframe+0x6d/0x75 | |
RIP: 0033:0x432e39 | |
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c8 | |
RSP: 002b:00007ffd5c90c5a8 EFLAGS: 00000217 ORIG_RAX: 0000000000000141 | |
RAX: ffffffffffffffda RBX: 00007ffd5c90c7d8 RCX: 0000000000432e39 | |
RDX: 0000000000000050 RSI: 0000000020000640 RDI: 000000000000000a | |
RBP: 00007ffd5c90c5c0 R08: 00007ffd5c90c5c0 R09: 00007ffd5c90c5c0 | |
R10: 00007ffd5c90c5c0 R11: 0000000000000217 R12: 0000000000000001 | |
R13: 00007ffd5c90c7c8 R14: 0000000000000001 R15: 0000000000000001 | |
</TASK> | |
Kernel Offset: disabled | |
Rebooting in 86400 seconds.. |
#define _GNU_SOURCE | |
#include <dirent.h> | |
#include <endian.h> | |
#include <errno.h> | |
#include <fcntl.h> | |
#include <signal.h> | |
#include <stdarg.h> | |
#include <stdbool.h> | |
#include <stdint.h> | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <string.h> | |
#include <sys/prctl.h> | |
#include <sys/stat.h> | |
#include <sys/syscall.h> | |
#include <sys/types.h> | |
#include <sys/wait.h> | |
#include <time.h> | |
#include <unistd.h> | |
#ifndef __NR_bpf | |
#define __NR_bpf 321 | |
#endif | |
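/*
 * Sleep for at least @ms milliseconds.
 *
 * Implemented with nanosleep() rather than usleep(): usleep() takes a
 * 32-bit useconds_t, so `ms * 1000` silently truncates for large @ms, and
 * POSIX allows usleep() to fail with EINVAL for intervals of one second or
 * more. A sleep interrupted by a signal is resumed for the remaining time.
 */
static void sleep_ms(uint64_t ms) {
  struct timespec req = {
      .tv_sec = (time_t)(ms / 1000),
      .tv_nsec = (long)(ms % 1000) * 1000000L,
  };
  /* on EINTR nanosleep() stores the unslept remainder back into req */
  while (nanosleep(&req, &req) == -1 && errno == EINTR) {
  }
}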
/*
 * Current CLOCK_MONOTONIC reading in milliseconds. Only differences between
 * two readings are meaningful (the loop() timeout). Exits the process if the
 * clock cannot be read.
 */
static uint64_t current_time_ms(void) {
  struct timespec now;
  int rc = clock_gettime(CLOCK_MONOTONIC, &now);
  if (rc != 0)
    exit(1);
  uint64_t msec = (uint64_t)now.tv_sec * 1000;
  msec += (uint64_t)now.tv_nsec / 1000000;
  return msec;
}
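/*
 * Format @what with the trailing arguments and write the result to @file in
 * a single write(2). Returns true on success, false on failure with errno
 * describing the error: EMSGSIZE when the formatted text does not fit the
 * 1 KiB buffer (a truncated value is never written), otherwise the errno of
 * the failing open(2)/write(2). A short write counts as failure.
 * @what is a printf-style format supplied by the caller, never external input.
 */
static bool write_file(const char* file, const char* what, ...) {
  char buf[1024];
  va_list args;
  va_start(args, what);
  int n = vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  /* vsnprintf() returns the length it wanted; >= sizeof(buf) means truncation */
  if (n < 0 || (size_t)n >= sizeof(buf)) {
    errno = EMSGSIZE;
    return false;
  }
  size_t len = (size_t)n;
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  ssize_t written = write(fd, buf, len);
  if (written < 0 || (size_t)written != len) {
    /* close() may clobber errno; keep the write(2) error for the caller */
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}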
/*
 * Forcibly terminate the test child @pid (and its whole process group) and
 * reap it, storing the wait status in @status. If the child has not been
 * reaped after ~100 ms of polling, every connection under
 * /sys/fs/fuse/connections is aborted first (presumably so that a child
 * blocked in a FUSE request becomes killable), then the final waitpid()
 * blocks until @pid is reaped. Write errors on the abort files are ignored.
 */
static void kill_and_wait(int pid, int* status) {
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  /* fast path: poll for the child for up to ~100 ms */
  for (int attempt = 0; attempt < 100; attempt++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  /* slow path: abort all FUSE connections, then wait indefinitely */
  DIR* conns = opendir("/sys/fs/fuse/connections");
  if (conns != NULL) {
    struct dirent* entry;
    while ((entry = readdir(conns)) != NULL) {
      const char* name = entry->d_name;
      if (!strcmp(name, ".") || !strcmp(name, ".."))
        continue;
      char path[300];
      snprintf(path, sizeof(path), "/sys/fs/fuse/connections/%s/abort", name);
      int fd = open(path, O_WRONLY);
      if (fd == -1)
        continue;
      /* writing any single byte triggers the abort; the result is irrelevant */
      ssize_t ignored = write(fd, path, 1);
      (void)ignored;
      close(fd);
    }
    closedir(conns);
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}
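/*
 * Per-child setup, run in the forked child right before execute_one():
 *  - ask the kernel to SIGKILL this child when its parent dies
 *    (PR_SET_PDEATHSIG), so a dead supervisor leaves no orphans;
 *  - move into a fresh process group, so kill_and_wait()'s kill(-pid) reaches
 *    everything the child spawns;
 *  - set oom_score_adj to 1000, making the child the preferred OOM victim.
 * Return values are deliberately not checked. Declared with (void): an empty
 * parameter list is an unprototyped declaration in C11.
 */
static void setup_test(void) {
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}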
static void execute_one(void); | |
#define WAIT_FLAGS __WALL | |
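enum { TEST_TIMEOUT_MS = 5000 }; /* how long one execute_one() child may run */

/*
 * Supervisor loop: fork a child, run setup_test() + execute_one() in it and
 * wait for it to exit, forever. A child still alive after TEST_TIMEOUT_MS is
 * killed and reaped through kill_and_wait() so a hung attempt cannot stall
 * the run. Never returns; a failed fork() terminates the process.
 *
 * The former `iter` counter was incremented but never read (and, as a
 * signed int, would eventually overflow), so it has been dropped.
 */
static void loop(void) {
  for (;;) {
    pid_t pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      /* waitpid(-1, WNOHANG) reaps any child; only @pid ends the wait */
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < TEST_TIMEOUT_MS)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}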
/* Descriptors produced by execute_one(): r[0] = map fd, r[1] = program fd.
 * UINT64_MAX (the all-ones value) marks "not created yet". */
uint64_t r[2] = {UINT64_MAX, UINT64_MAX};
/*
 * Reproducer body, run once per forked child (see loop()). It issues three
 * bpf(2) calls, building each `union bpf_attr` by hand in the fixed scratch
 * mapping at 0x20000000 that main() set up; the field values mirror the
 * syzkaller program listed after this file (bpf$MAP_CREATE_CONST_STR,
 * bpf$PROG_LOAD, bpf$BPF_PROG_TEST_RUN). Descriptors are kept in r[].
 *
 * Defined without `static`; the earlier `static` forward declaration gives
 * this definition internal linkage regardless (C11 6.2.2).
 */
void execute_one(void) {
  intptr_t res = 0;
  /* bpf(cmd 0 = BPF_MAP_CREATE), attr size 0x48. Fields in bpf_attr order:
   * map_type 2 (BPF_MAP_TYPE_ARRAY), key_size 4, value_size 8, max_entries 1,
   * map_flags 0x80 (BPF_F_RDONLY_PROG), then zeroed inner_map_fd, numa_node,
   * map_name[16], map_ifindex, the btf_* ids and map_extra. */
  *(uint32_t*)0x20000340 = 2;
  *(uint32_t*)0x20000344 = 4;
  *(uint32_t*)0x20000348 = 8;
  *(uint32_t*)0x2000034c = 1;
  *(uint32_t*)0x20000350 = 0x80;
  *(uint32_t*)0x20000354 = 0;
  *(uint32_t*)0x20000358 = 0;
  memset((void*)0x2000035c, 0, 16);
  *(uint32_t*)0x2000036c = 0;
  *(uint32_t*)0x20000370 = 0;
  *(uint32_t*)0x20000374 = 0;
  *(uint32_t*)0x20000378 = 0;
  *(uint32_t*)0x2000037c = 0;
  *(uint64_t*)0x20000380 = 0;
  res = syscall(__NR_bpf, /*cmd=*/0ul, /*arg=*/0x20000340ul, /*size=*/0x48ul);
  if (res != -1)
    r[0] = res; /* map fd; stays UINT64_MAX if the create failed */
  /* bpf(cmd 5 = BPF_PROG_LOAD), attr size 0x90: prog_type 6 (BPF_PROG_TYPE_XDP,
   * matching bpf_prog_run_xdp in the trace above), insn_cnt 0x10, insns at
   * 0x20000000, license at 0x20000600 ("GPL"); all remaining fields zero. */
  *(uint32_t*)0x200004c0 = 6;
  *(uint32_t*)0x200004c4 = 0x10;
  *(uint64_t*)0x200004c8 = 0x20000000;
  /* 16 eBPF instructions (128 bytes) written in three pieces so the map fd
   * can be patched into the ld_imm64. Decoded they read roughly:
   *   r0 = 0 (ld64); r8 = 0; *(u64*)(fp-0x48) = r8; r8 = 0;
   *   *(u64*)(fp-0x10) = r8; r1 = fp - 8; r4 = fp - 16; r2 = 8;
   *   r3 = map value (ld64, src BPF_PSEUDO_MAP_VALUE, imm = r[0]);
   *   r3 = 0; call 0x69 (helper 105, bpf_strtol); exit
   * i.e. bpf_strtol(buf = fp-8, buf_len = 8, flags = 0, res = fp-16).
   * The 8 bytes at fp-8 are never written by the program, so the helper
   * parses uninitialised BPF stack -- consistent with the KMSAN report.
   * Only 121 bytes are copied; the tail of the final `exit` instruction
   * relies on the anonymous mapping being zero-filled. */
  memcpy((void*)0x20000000,
         "\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb7"
         "\x08\x00\x00\x00\x00\x00\x00\x7b\x8a\xb8\xff\x00\x00\x00\x00\xb7\x08"
         "\x00\x00\x00\x00\x00\x00\x7b\x8a\xf0\xff\x00\x00\x00\x00\xbf\xa1\x00"
         "\x00\x00\x00\x00\x00\x07\x01\x00\x00\xf8\xff\xff\xff\xbf\xa4\x00\x00"
         "\x00\x00\x00\x00\x07\x04\x00\x00\xf0\xff\xff\xff\xb7\x02\x00\x00\x08"
         "\x00\x00\x00\x18\x23\x00\x00",
         92);
  *(uint32_t*)0x2000005c = r[0]; /* imm of the ld_imm64: the map fd */
  memcpy((void*)0x20000060,
         "\x00\x00\x00\x00\x00\x00\x00\x00\xb7\x03\x00\x00\x00\x00\x00\x00\x85"
         "\x00\x00\x00\x69\x00\x00\x00\x95",
         25);
  *(uint64_t*)0x200004d0 = 0x20000600;
  memcpy((void*)0x20000600, "GPL\000", 4);
  *(uint32_t*)0x200004d8 = 0;
  *(uint32_t*)0x200004dc = 0;
  *(uint64_t*)0x200004e0 = 0;
  *(uint32_t*)0x200004e8 = 0;
  *(uint32_t*)0x200004ec = 0;
  memset((void*)0x200004f0, 0, 16);
  *(uint32_t*)0x20000500 = 0;
  *(uint32_t*)0x20000504 = 0;
  *(uint32_t*)0x20000508 = 0;
  *(uint32_t*)0x2000050c = 0;
  *(uint64_t*)0x20000510 = 0;
  *(uint32_t*)0x20000518 = 0;
  *(uint32_t*)0x2000051c = 0;
  *(uint64_t*)0x20000520 = 0;
  *(uint32_t*)0x20000528 = 0;
  *(uint32_t*)0x2000052c = 0;
  *(uint32_t*)0x20000530 = 0;
  *(uint32_t*)0x20000534 = 0;
  *(uint64_t*)0x20000538 = 0;
  *(uint64_t*)0x20000540 = 0;
  *(uint32_t*)0x20000548 = 0;
  *(uint32_t*)0x2000054c = 0;
  res = syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x200004c0ul, /*size=*/0x90ul);
  if (res != -1)
    r[1] = res; /* program fd */
  /* bpf(cmd 0xa = BPF_PROG_TEST_RUN), attr size 0x50: prog_fd = r[1]; the
   * second u32 (5) lands in the retval slot, which the kernel presumably
   * writes rather than reads -- confirm. No data/ctx buffers and repeat 0,
   * so the program is run once through the XDP test path (bpf_test_run in
   * the trace). The return value is not checked. */
  *(uint32_t*)0x20000640 = r[1];
  *(uint32_t*)0x20000644 = 5;
  *(uint32_t*)0x20000648 = 0;
  *(uint32_t*)0x2000064c = 0;
  *(uint64_t*)0x20000650 = 0;
  *(uint64_t*)0x20000658 = 0;
  *(uint32_t*)0x20000660 = 0;
  *(uint32_t*)0x20000664 = 0;
  *(uint32_t*)0x20000668 = 0;
  *(uint32_t*)0x2000066c = 0;
  *(uint64_t*)0x20000670 = 0;
  *(uint64_t*)0x20000678 = 0;
  *(uint32_t*)0x20000680 = 0;
  *(uint32_t*)0x20000684 = 0;
  *(uint32_t*)0x20000688 = 0;
  syscall(__NR_bpf, /*cmd=*/0xaul, /*arg=*/0x20000640ul, /*size=*/0x50ul);
}
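/* mmap(2) flags used for every region: MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE */
enum { MAP_FIXED_ANON_PRIVATE = 0x32 };

/*
 * Map one fixed, anonymous region, exiting with a diagnostic if the kernel
 * refuses it. @addr/@len/@prot are passed straight to the mmap syscall;
 * anonymous mappings come back zero-filled.
 */
static void map_fixed_region(unsigned long addr, unsigned long len,
                             unsigned long prot) {
  /* the libc syscall() wrapper returns -1 and sets errno on failure */
  if (syscall(__NR_mmap, addr, len, prot, (unsigned long)MAP_FIXED_ANON_PRIVATE,
              /*fd=*/-1, /*offset=*/0ul) == -1) {
    fprintf(stderr, "mmap(0x%lx, 0x%lx) failed: %s\n", addr, len,
            strerror(errno));
    exit(1);
  }
}

/*
 * Entry point: establish the fixed virtual layout the reproducer depends on,
 * then hand over to the supervisor loop() (which never returns):
 *   0x1ffff000  one PROT_NONE page just below the scratch area
 *   0x20000000  16 MiB RWX scratch area that execute_one() writes its
 *               bpf_attr structs, instructions and license string into
 *   0x21000000  one PROT_NONE page just above the scratch area
 * The mmap results used to be ignored; had the scratch mapping failed,
 * every child would simply have crashed on its first store.
 */
int main(void) {
  map_fixed_region(0x1ffff000ul, 0x1000ul, /*prot=*/0ul);
  map_fixed_region(0x20000000ul, 0x1000000ul,
                   /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul);
  map_fixed_region(0x21000000ul, 0x1000ul, /*prot=*/0ul);
  loop();
  return 0;
}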
r0 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48) | |
r1 = bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x6, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8ab8ff00000000b7080000000000007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r0, @ANYBLOB="0000000000000000b703000000000000850000006900000095"], &(0x7f0000000600)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) | |
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000640)={r1, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x50) |