Various ARM 32-bit platforms exhibit the following NULL pointer dereference when loading bpf_preload during boot of 5.18.0 (the sample below is from a Raspberry Pi 2):

cze 02 20:07:24 rpi kernel: 8<--- cut here ---
cze 02 20:07:24 rpi kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000048
cze 02 20:07:24 rpi kernel: [00000048] *pgd=04e9d835, *pte=00000000, *ppte=00000000
cze 02 20:07:24 rpi kernel: Internal error: Oops: 17 [#1] SMP ARM
cze 02 20:07:24 rpi kernel: Modules linked in: bpf_preload(+) ip_tables x_tables autofs4 ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) mmc_block(E) bcm2835(E) mmc_core(E) i2c_bcm2835(E) i2c_core(E) pwm_bcm2835(E) bcm2835_dma(E) virt_dma(E) clk_ra>
cze 02 20:07:24 rpi kernel: CPU: 3 PID: 209 Comm: modprobe Tainted: G E T 5.18.3-1 #1 d7f68abd32d50a7eb4ca55cee5f99148ad086616
cze 02 20:07:24 rpi kernel: Hardware name: BCM2835
cze 02 20:07:24 rpi kernel: PC is at mmiocpy+0xc8/0x334
cze 02 20:07:24 rpi kernel: LR is at __sys_bpf+0xec/0x2128
cze 02 20:07:24 rpi kernel: pc : [<80636ac8>] lr : [<802a13b8>] psr: 60070013
cze 02 20:07:24 rpi kernel: sp : b49d1b38 ip : b49d1ca0 fp : b49d1b38
cze 02 20:07:24 rpi kernel: r10: 00000051 r9 : b49d1b70 r8 : 00000000
cze 02 20:07:24 rpi kernel: r7 : 00000000 r6 : 00000002 r5 : 00000048 r4 : 84f9dc40
cze 02 20:07:24 rpi kernel: r3 : 00000041 r2 : 00000000 r1 : 00000048 r0 : b49d1c10
cze 02 20:07:24 rpi kernel: Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
cze 02 20:07:24 rpi kernel: Control: 10c5387d Table: 04f2006a DAC: 00000051
cze 02 20:07:24 rpi kernel: Register r0 information: 2-page vmalloc region starting at 0xb49d0000 allocated at kernel_clone+0xac/0x3c0
cze 02 20:07:24 rpi kernel: Register r1 information: non-paged memory
cze 02 20:07:24 rpi kernel: Register r2 information: NULL pointer
cze 02 20:07:24 rpi kernel: Register r3 information: non-paged memory
cze 02 20:07:24 rpi kernel: Register r4 information: slab task_struct start 84f9dc40 pointer offset 0
cze 02 20:07:24 rpi kernel: Register r5 information: non-paged memory
cze 02 20:07:24 rpi kernel: Register r6 information: non-paged memory
cze 02 20:07:24 rpi kernel: Register r7 information: NULL pointer
cze 02 20:07:24 rpi kernel: Register r8 information: NULL pointer
cze 02 20:07:24 rpi kernel: Register r9 information: 2-page vmalloc region starting at 0xb49d0000 allocated at kernel_clone+0xac/0x3c0
cze 02 20:07:24 rpi kernel: Register r10 information: non-paged memory
cze 02 20:07:24 rpi kernel: Register r11 information: 2-page vmalloc region starting at 0xb49d0000 allocated at kernel_clone+0xac/0x3c0
cze 02 20:07:24 rpi kernel: Register r12 information: 2-page vmalloc region starting at 0xb49d0000 allocated at kernel_clone+0xac/0x3c0
cze 02 20:07:24 rpi kernel: Process modprobe (pid: 209, stack limit = 0x(ptrval))
cze 02 20:07:24 rpi kernel: Stack: (0xb49d1b38 to 0xb49d2000)
cze 02 20:07:24 rpi kernel: 1b20: b49d1c10 84f9dc40
cze 02 20:07:24 rpi kernel: 1b40: 0170d5d8 802a13b8 00000000 00000000 00000000 00000000 00000000 00000000
cze 02 20:07:24 rpi kernel: 1b60: 00000000 00000000 00000000 00000000 00000048 84f65941 00000000 00000000
cze 02 20:07:24 rpi kernel: 1b80: 00000000 00000000 00000000 00000000 00000000 957b04f0 8100c84c af93ba34
cze 02 20:07:24 rpi kernel: 1ba0: 00000040 ffffffff 00000cc0 803917c8 81401180 80391878 81401180 af93ba34
cze 02 20:07:24 rpi kernel: 1bc0: 0000003f 80391878 00000000 af8fe5e8 00000000 00000000 af873278 80484b68
cze 02 20:07:24 rpi kernel: 1be0: 00000cc0 81401180 00000000 80393f30 00000000 00000000 00000000 81400080
cze 02 20:07:24 rpi kernel: 1c00: 8100c84c af93ba10 0000002e ffffffff 00000000 00000000 00000000 00000000
cze 02 20:07:24 rpi kernel: 1c20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
cze 02 20:07:24 rpi kernel: 1c40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
cze 02 20:07:24 rpi kernel: 1c60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
cze 02 20:07:24 rpi kernel: 1c80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
cze 02 20:07:24 rpi kernel: 1ca0: 814cd888 957b04f0 00000a20 00000048 b49d1e60 84f65400 00000000 00000000
cze 02 20:07:24 rpi kernel: 1cc0: 00025584 00000051 0170d5d8 802a3498 84f647e8 00000048 84f65941 957b04f0
cze 02 20:07:24 rpi kernel: 1ce0: 00000a20 000017a8 b49d1e60 84f65400 00000000 00000000 00025584 00000051
cze 02 20:07:24 rpi kernel: 1d00: 0170d5d8 7f0b1308 00000002 00000004 000017a8 00000001 00000000 00000000
cze 02 20:07:24 rpi kernel: 1d20: 00000000 6f6c5f5f 72656461 70616d2e 00000000 00000000 00000000 00000000
cze 02 20:07:24 rpi kernel: 1d40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
cze 02 20:07:24 rpi kernel: 1d60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
cze 02 20:07:24 rpi kernel: 1d80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 957b04f0
cze 02 20:07:24 rpi kernel: 1da0: 84a29380 7f0b1380 ffffffff 00000000 00000000 00000000 00000000 00000000
cze 02 20:07:24 rpi kernel: 1dc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
cze 02 20:07:24 rpi kernel: 1de0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
cze 02 20:07:24 rpi kernel: 1e00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
cze 02 20:07:24 rpi kernel: 1e20: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
cze 02 20:07:24 rpi kernel: 1e40: 7f0b5280 957b04f0 84a29380 7f0b5280 84f65400 00000000 00000000 7f01d0d0
cze 02 20:07:24 rpi kernel: 1e60: 84f65400 7f0b20b8 7f0b3864 000017a8 000008a8 00000000 00000000 957b04f0
cze 02 20:07:24 rpi kernel: 1e80: 00000000 7f01d000 0171fb79 84f65ec0 84f9dc40 8010244c 80e2e65c 00000000
cze 02 20:07:24 rpi kernel: 1ea0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
cze 02 20:07:24 rpi kernel: 1ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
cze 02 20:07:24 rpi kernel: 1ee0: 00000000 957b04f0 7f0b5040 0171fb79 84f65ec0 b4937821 84f9dc40 801f9090
cze 02 20:07:24 rpi kernel: 1f00: b4937821 84f9dc40 00000000 0171fb79 00000000 801fbbf4 00000002 80d8412c
cze 02 20:07:24 rpi kernel: 1f20: 00000000 b4935a1f b4935b00 b4933000 00004558 b4936f18 b4936d74 b493673c
cze 02 20:07:24 rpi kernel: 1f40: 00005000 000052b0 000027d8 0000542a 00000000 00000000 00000001 000027c8
cze 02 20:07:24 rpi kernel: 1f60: 00000000 00000000 00000000 00000025 00000026 0000001d 00000021 00000017
cze 02 20:07:24 rpi kernel: 1f80: 00000000 957b04f0 0170c378 0171b358 00025584 00000080 801002c4 84f9dc40
cze 02 20:07:24 rpi kernel: 1fa0: 00000080 80100060 0170c378 0171b358 0171b358 00004821 00025584 00000000
cze 02 20:07:24 rpi kernel: 1fc0: 0170c378 0171b358 00025584 00000080 0170e7a8 00000000 00000000 0170d5d8
cze 02 20:07:24 rpi kernel: 1fe0: 76b97371 7ed3ba38 0001d7ed 76b9737a 60070030 0171b358 00000000 00000000
cze 02 20:07:24 rpi kernel: mmiocpy from __sys_bpf+0xec/0x2128
cze 02 20:07:24 rpi kernel: __sys_bpf from bpf_sys_bpf+0xa4/0x24c
cze 02 20:07:24 rpi kernel: bpf_sys_bpf from skel_map_create.constprop.0+0x78/0xb0 [bpf_preload]
cze 02 20:07:24 rpi kernel: skel_map_create.constprop.0 [bpf_preload] from bpf_load_and_run.constprop.0+0x40/0x21c [bpf_preload]
cze 02 20:07:24 rpi kernel: bpf_load_and_run.constprop.0 [bpf_preload] from load+0xd0/0x1000 [bpf_preload]
cze 02 20:07:24 rpi kernel: load [bpf_preload] from do_one_initcall+0x50/0x20c
cze 02 20:07:24 rpi kernel: do_one_initcall from do_init_module+0x4c/0x27c
cze 02 20:07:24 rpi kernel: do_init_module from sys_init_module+0x1b0/0x1d4
cze 02 20:07:24 rpi kernel: sys_init_module from ret_fast_syscall+0x0/0x54
cze 02 20:07:24 rpi kernel: Exception stack(0xb49d1fa8 to 0xb49d1ff0)
cze 02 20:07:24 rpi kernel: 1fa0: 0170c378 0171b358 0171b358 00004821 00025584 00000000
cze 02 20:07:24 rpi kernel: 1fc0: 0170c378 0171b358 00025584 00000080 0170e7a8 00000000 00000000 0170d5d8
cze 02 20:07:24 rpi kernel: 1fe0: 76b97371 7ed3ba38 0001d7ed 76b9737a
cze 02 20:07:24 rpi kernel: Code: e480e004 e8bd0360 e1b02f82 14d13001 (24d14001)
cze 02 20:07:24 rpi kernel: ---[ end trace 0000000000000000 ]---
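To make an oops like the one above quicker to triage, here is a small parser added for this page; it is not part of the report, of bpf_preload or of the kernel. It takes the journal lines with the "cze 02 20:07:24 rpi kernel: " prefix stripped, pulls out the fault address, the register file and the unwound call chain, and then flags the pattern visible in the report: a fault address that is a small offset from NULL (0x48), held in r1 and r5 at the time of the crash, with the chain entering module code at skel_map_create in bpf_preload. The OOPS string is a constructed excerpt of the report's own lines; the 0x1000 threshold mirrors the kernel's own PAGE_SIZE test for labelling a fault a NULL pointer dereference.

```python
import re

# Constructed excerpt of the oops quoted in the report above, with the
# journal prefix stripped. Addresses, registers and frames are the ones
# visible in the report; the stack dump and register-info lines are omitted.
OOPS = """\
Unable to handle kernel NULL pointer dereference at virtual address 00000048
[00000048] *pgd=04e9d835, *pte=00000000, *ppte=00000000
Internal error: Oops: 17 [#1] SMP ARM
PC is at mmiocpy+0xc8/0x334
LR is at __sys_bpf+0xec/0x2128
pc : [<80636ac8>]    lr : [<802a13b8>]    psr: 60070013
sp : b49d1b38  ip : b49d1ca0  fp : b49d1b38
r10: 00000051  r9 : b49d1b70  r8 : 00000000
r7 : 00000000  r6 : 00000002  r5 : 00000048  r4 : 84f9dc40
r3 : 00000041  r2 : 00000000  r1 : 00000048  r0 : b49d1c10
mmiocpy from __sys_bpf+0xec/0x2128
__sys_bpf from bpf_sys_bpf+0xa4/0x24c
bpf_sys_bpf from skel_map_create.constprop.0+0x78/0xb0 [bpf_preload]
skel_map_create.constprop.0 [bpf_preload] from bpf_load_and_run.constprop.0+0x40/0x21c [bpf_preload]
bpf_load_and_run.constprop.0 [bpf_preload] from load+0xd0/0x1000 [bpf_preload]
load [bpf_preload] from do_one_initcall+0x50/0x20c
"""

FAULT_RE = re.compile(r"Unable to handle kernel (?P<kind>.+?) at virtual address (?P<addr>[0-9a-f]{8})")
OOPS_RE = re.compile(r"Internal error: Oops: (?P<fsr>[0-9a-f]+)")
REG_RE = re.compile(r"\b(r\d{1,2}|sp|ip|fp|pc|lr)\s*:\s*(?:\[<)?([0-9a-f]{8})")
CALL_RE = re.compile(r"^(?P<callee>\S+(?: \[\S+\])?) from (?P<caller>\S+(?: \[\S+\])?)$")
MODULE_RE = re.compile(r"\[(\S+)\]")


def parse_oops(text):
    """Extract fault kind/address, FSR, PC/LR symbols, registers and the
    unwound call chain from an ARM32 oops (journal prefix already removed)."""
    info = {"registers": {}, "call_chain": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := FAULT_RE.search(line)):
            info["kind"] = m.group("kind")
            info["fault_addr"] = int(m.group("addr"), 16)
        elif (m := OOPS_RE.search(line)):
            info["fsr"] = int(m.group("fsr"), 16)
        elif line.startswith("PC is at "):
            info["pc_sym"] = line[len("PC is at "):]
        elif line.startswith("LR is at "):
            info["lr_sym"] = line[len("LR is at "):]
        elif (m := CALL_RE.match(line)):
            # The unwinder prints "callee from caller+off/size": the first
            # line's callee is the faulting function, each caller is the
            # next frame outward.
            if not info["call_chain"]:
                info["call_chain"].append(m.group("callee"))
            info["call_chain"].append(m.group("caller"))
        else:
            for name, val in REG_RE.findall(line):
                info["registers"][name] = int(val, 16)
    return info


def frame_name(frame):
    """'sym+0xoff/0xsize [module]' -> 'sym'."""
    return re.split(r"[+ ]", frame, maxsplit=1)[0]


def call_chain_names(info):
    return [frame_name(f) for f in info["call_chain"]]


def triage(info):
    """The first things a reader checks: is the fault address a small offset
    from NULL (a field read through a NULL struct pointer), which registers
    hold that address or NULL, and where the chain enters module code."""
    addr = info["fault_addr"]
    regs = info["registers"]
    module = None
    for frame in info["call_chain"]:
        if (m := MODULE_RE.search(frame)):
            module = m.group(1)
            break
    return {
        # arch/arm/mm/fault.c reports addr < PAGE_SIZE as "NULL pointer dereference"
        "null_plus_offset": addr < 0x1000,
        "offset": addr,
        "faulting_function": frame_name(info["pc_sym"]),
        "caller": frame_name(info["lr_sym"]),
        "regs_holding_fault_addr": sorted(n for n, v in regs.items() if v == addr),
        "null_regs": sorted(n for n, v in regs.items() if v == 0),
        "module": module,
    }


if __name__ == "__main__":
    parsed = parse_oops(OOPS)
    print(" <- ".join(call_chain_names(parsed)))
    for key, value in triage(parsed).items():
        print(f"{key}: {value}")
```

Run it as a script to print the unwound chain (innermost first) and the triage summary; feed it a different oops by replacing the constructed OOPS string with the stripped journal lines. The chain printed for this report ends at do_one_initcall because the excerpt stops there; the full log continues through do_init_module and sys_init_module, which the parser handles the same way.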
With kernel 5.19.4 the issue is gone. I tried 5.19.2 before, so there is a slight chance it was fixed by 5.19.3, but looking at the changelog it's unlikely.
My best guess would be that the following commit fixed it:

commit 1f6db7148ed7382b336c5827af33b5d9e992630e
Author: Jinghao Jia <jinghao@linux.ibm.com>
Date:   Fri Jul 29 20:17:13 2022 +0000

    BPF: Fix potential bad pointer dereference in bpf_sys_bpf()