Re: [PATCH 4/6] mm, arm64: untag user addresses in mm/gup.c

2018-05-03 Thread Andrey Konovalov
On Thu, May 3, 2018 at 5:24 PM, Kirill A. Shutemov wrote: > On Thu, May 03, 2018 at 04:09:56PM +0200, Andrey Konovalov wrote: >> On Wed, May 2, 2018 at 7:25 PM, Andrey Konovalov >> wrote: >> I wasn't able to find anything that calls follow_page with pointers >>

Clang arm64 build is broken

2018-04-19 Thread Andrey Konovalov
Hi Marc! Your recent commit [1] broke clang build on arm64. The issue is that clang doesn't know about the "S" asm constraint. I reported this to clang [2], and hopefully this will get fixed. In the meantime, would it be possible to work around using the "S" constraint in the kernel? While we're her

Re: Clang arm64 build is broken

2018-04-20 Thread Andrey Konovalov
On Fri, Apr 20, 2018 at 10:13 AM, Marc Zyngier wrote: >> The issue is that >> clang doesn't know about the "S" asm constraint. I reported this to >> clang [2], and hopefully this will get fixed. In the meantime, would >> it be possible to work around using the "S" constraint in the kernel? > > I have

Re: [PATCH] kasan: add no_sanitize attribute for clang builds

2018-04-13 Thread Andrey Konovalov
On Fri, Apr 13, 2018 at 5:31 PM, Andrey Ryabinin wrote: > > > On 04/12/2018 08:29 PM, Andrey Konovalov wrote: >> KASAN uses the __no_sanitize_address macro to disable instrumentation >> of particular functions. Right now it's defined only for GCC build, >> which c

[PATCH v2] kasan: add no_sanitize attribute for clang builds

2018-04-17 Thread Andrey Konovalov
Signed-off-by: Andrey Konovalov --- Changes since v1: - Removed redundant #ifdef CONFIG_KASAN check. include/linux/compiler-clang.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h index ceb96ecab96e..7d98e263e048 100644 ---

Re: [PATCH] kasan: add no_sanitize attribute for clang builds

2018-04-17 Thread Andrey Konovalov
On Fri, Apr 13, 2018 at 9:16 PM, Andrey Ryabinin wrote: > However, "#ifdef CONFIG_KASAN" seems to be redundant, I'd rather remove it. Done, sent v2. Thanks!

arm64 kvm built with clang doesn't boot

2018-03-16 Thread Andrey Konovalov
Hi! I've recently tried to boot clang built kernel on real hardware (Odroid C2 board) instead of using a VM. The issue that I stumbled upon is that arm64 kvm built with clang doesn't boot. Adding -fno-jump-tables compiler flag to arch/arm64/kvm/* helps. There was a patch some time ago that did ex

Re: arm64 kvm built with clang doesn't boot

2018-03-16 Thread Andrey Konovalov
On Fri, Mar 16, 2018 at 3:13 PM, Mark Rutland wrote: > I think that patch is our best bet currently, but to save ourselves pain > in future it would be *really* nice if GCC and clang could provide an > option line -fno-absolute-addressing that would implicitly disable any > feature that would gene

Re: arm64 kvm built with clang doesn't boot

2018-03-16 Thread Andrey Konovalov
On Fri, Mar 16, 2018 at 3:13 PM, Marc Zyngier wrote: > I wasn't aware of that discussion, but this is indeed quite annoying. > Note that you should be able to restrict this to arch/arm64/kvm/hyp/* > and virt/kvm/arm/hyp/*. That works as well (tried it, the kernel boots). I've also tried compiling

Re: arm64 kvm built with clang doesn't boot

2018-03-16 Thread Andrey Konovalov
On Fri, Mar 16, 2018 at 3:31 PM, Mark Rutland wrote: > > FWIW, with that same compiler and patch applied atop of v4.16-rc4, and > some bodges around clang not liking the rX register naming in the SMCCC > code, I get a kernel that boots on my Juno, though I immediately hit a > KASAN splat: > > [

[PATCH 4/6] mm, arm64: untag user addresses in mm/gup.c

2018-04-18 Thread Andrey Konovalov
mm/gup.c provides a kernel interface that accepts user addresses and manipulates user pages directly (for example get_user_pages, that is used by the futex syscall). Here we also need to handle the case of tagged user pointers. Untag addresses passed to this interface. Signed-off-by: Andrey

[PATCH 1/6] arm64: add type casts to untagged_addr macro

2018-04-18 Thread Andrey Konovalov
This patch makes the untagged_addr macro accept all kinds of address types (void *, unsigned long, etc.) and allows not to specify type casts in each place where it is used. This is done by using __typeof__. Signed-off-by: Andrey Konovalov --- arch/arm64/include/asm/uaccess.h | 3 ++- 1 file

[PATCH 5/6] lib, arm64: untag addrs passed to strncpy_from_user and strnlen_user

2018-04-18 Thread Andrey Konovalov
strncpy_from_user and strnlen_user accept user addresses as arguments, and do not go through the same path as copy_from_user and others, so here we need to separately handle the case of tagged user addresses as well. Untag user pointers passed to these functions. Signed-off-by: Andrey Konovalov

[PATCH 6/6] arm64: update Documentation/arm64/tagged-pointers.txt

2018-04-18 Thread Andrey Konovalov
Add a note that work on passing tagged user pointers to the kernel via syscalls has started, but might not be complete yet. Signed-off-by: Andrey Konovalov --- Documentation/arm64/tagged-pointers.txt | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Documentation/arm64

[PATCH 3/6] arm64: untag user addresses in copy_from_user and others

2018-04-18 Thread Andrey Konovalov
in access_ok and in __uaccess_mask_ptr. Signed-off-by: Andrey Konovalov --- arch/arm64/include/asm/uaccess.h | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 2d6451cbaa86..24a221678fe3 100644 --- a

[PATCH 0/6] arm64: untag user pointers passed to the kernel

2018-04-18 Thread Andrey Konovalov
ch individually. - Updated Documentation/arm64/tagged-pointers.txt. - Dropped “mm, arm64: untag user addresses in memory syscalls”. - Rebased onto 3eb2ce82 (4.16-rc7). Andrey Konovalov (6): arm64: add type casts to untagged_addr macro uaccess: add untagged_addr definition for other arches ar

[PATCH 2/6] uaccess: add untagged_addr definition for other arches

2018-04-18 Thread Andrey Konovalov
architectures besides arm64. Signed-off-by: Andrey Konovalov --- include/linux/uaccess.h | 4 1 file changed, 4 insertions(+) diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h index efe79c1cdd47..c045b4eff95e 100644 --- a/include/linux/uaccess.h +++ b/include/linux/uaccess.h

Re: usb/gadget: GPF in usb_gadget_unregister_driver

2016-12-05 Thread Andrey Konovalov
On Sat, Dec 3, 2016 at 6:13 PM, Greg Kroah-Hartman wrote: > On Sat, Dec 03, 2016 at 05:36:35PM +0100, Andrey Konovalov wrote: >> Hi! >> >> I've got the following error report while running the syzkaller fuzzer. >> >> On commit 3c49de52d5647cda8b42c4255

usb/gadget: use-after-free in gadgetfs_setup

2016-12-05 Thread Andrey Konovalov
Hi! I've got the following error report while running the syzkaller fuzzer. On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2). BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr 88003dfe5bf2 Read of size 2 by task syz-executor0/22994 CPU: 3 PID: 22994 Comm: syz-execu

usb/gadget: warning in dummy_free_request

2016-12-05 Thread Andrey Konovalov
Hi! I've got the following error report while running the syzkaller fuzzer. On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2). WARNING: CPU: 0 PID: 5257 at drivers/usb/gadget/udc/dummy_hcd.c:672 dummy_free_request+0x153/0x170 Kernel panic - not syncing: panic_on_warn set ... usb 2-1: s

Re: [PATCH] usbip: fix warning in vhci_hcd_probe/lockdep_init_map

2016-12-06 Thread Andrey Konovalov
up+0x1f/0x30 fs/sysfs/group.c:156 >> [] vhci_start+0x5b4/0x7a0 drivers/usb/usbip/vhci_hcd.c:978 >> [] usb_add_hcd+0x8da/0x1c60 drivers/usb/core/hcd.c:2867 >> [] vhci_hcd_probe+0x97/0x130 >> drivers/usb/usbip/vhci_hcd.c:1103 >> --- >> --- >> ---[ end trace c33

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-06 Thread Andrey Konovalov
On Mon, Dec 5, 2016 at 8:31 PM, Alan Stern wrote: > On Mon, 5 Dec 2016, Andrey Konovalov wrote: > >> Hi! >> >> I've got the following error report while running the syzkaller fuzzer. >> >> On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (De

net/gadget: slab-out-of-bounds write in dev_config

2016-12-06 Thread Andrey Konovalov
Hi! I've got the following error report while running the syzkaller fuzzer. ep0_write() doesn't check the length, so a user can cause an out-of-bounds with both size and data controlled. There's a comment which says "IN DATA+STATUS caller makes len <= wLength". While I'm not exactly sure what tha

Re: usb/gadget: use-after-free in gadgetfs_setup

2016-12-06 Thread Andrey Konovalov
On Tue, Dec 6, 2016 at 1:28 PM, Andrey Konovalov wrote: > On Mon, Dec 5, 2016 at 8:31 PM, Alan Stern wrote: >> On Mon, 5 Dec 2016, Andrey Konovalov wrote: >> >>> Hi! >>> >>> I've got the following error report while

Re: net/gadget: slab-out-of-bounds write in dev_config

2016-12-06 Thread Andrey Konovalov
On Tue, Dec 6, 2016 at 4:30 PM, Alan Stern wrote: > On Tue, 6 Dec 2016, Andrey Konovalov wrote: > >> Hi! >> >> I've got the following error report while running the syzkaller fuzzer. >> >> ep0_write() doesn't check the length, so a user can cau

net/can: use-after-free in bcm_rx_thr_flush

2016-11-22 Thread Andrey Konovalov
Hi, I've got the following error report while fuzzing the kernel with syzkaller. A reproducer is attached. You may need to run it a few times. On commit 9c763584b7c8911106bb77af7e648bef09af9d80 (4.9-rc6, Nov 20). == BUG: KASAN: use

Re: net/l2tp: use-after-free write in l2tp_ip6_close

2016-11-22 Thread Andrey Konovalov
Hi Guillaume, Sorry, I was on vacation last week, couldn't reply. As I can see a fix was already sent upstream. Thanks! On Thu, Nov 10, 2016 at 6:44 PM, Guillaume Nault wrote: > On Mon, Nov 07, 2016 at 11:35:26PM +0100, Andrey Konovalov wrote: >> Hi, >> >> I've

net/icmp: null-ptr-deref in icmp6_send

2016-11-22 Thread Andrey Konovalov
Hi, I've got the following error report while fuzzing the kernel with syzkaller. It seems that skb_dst(skb) may end up being NULL. As far as I can see the bug was introduced in commit 5d41ce29e ("net: icmp6_send should use dst dev to determine L3 domain"). ICMP v4 probably has a similar issue due t

net/udp: bug in skb_pull_rcsum

2016-11-22 Thread Andrey Konovalov
Hi, I've got the following error report while fuzzing the kernel with syzkaller. A reproducer is attached. On commit 9c763584b7c8911106bb77af7e648bef09af9d80 (4.9-rc6, Nov 20). [ cut here ] kernel BUG at net/core/skbuff.c:3029! invalid opcode: [#1] SMP KASAN Modules

Re: net/can: use-after-free in bcm_rx_thr_flush

2016-11-22 Thread Andrey Konovalov
On Tue, Nov 22, 2016 at 6:29 PM, Oliver Hartkopp wrote: > Hi Andrey, > > thanks for the report. > > Although I can't see the issue in the code ... > > On 11/22/2016 10:22 AM, Andrey Konovalov wrote: > >>

net/tcp: warning in tcp_try_coalesce/skb_try_coalesce

2017-01-31 Thread Andrey Konovalov
Hi, I've got the following error report while running the syzkaller fuzzer. On commit 566cf877a1fcb6d6dc0126b076aad062054c2637 (4.10-rc6). The fuzzer hits this issue quite often, but I don't have a working reproducer. WARNING: CPU: 3 PID: 7091 at net/core/skbuff.c:4331 skb_try_coalesce+0x14b1/0

Re: usb/gadget: warning in dummy_free_request

2017-01-09 Thread Andrey Konovalov
On Tue, Dec 27, 2016 at 12:40 PM, Felipe Balbi wrote: > > Hi, > > Andrey Konovalov writes: >> Hi! >> >> I've got the following error report while running the syzkaller fuzzer. >> >> On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2). >

net/ipv6: use-after-free in sock_wfree

2017-01-09 Thread Andrey Konovalov
Hi! I've got the following error report while running the syzkaller fuzzer. On commit a121103c922847ba5010819a3f250f1f7fc84ab8 (4.10-rc3). A reproducer is attached. == BUG: KASAN: use-after-free in sock_wfree+0x118/0x120 Read of si

Re: net/ipv6: use-after-free in sock_wfree

2017-01-09 Thread Andrey Konovalov
On Mon, Jan 9, 2017 at 6:08 PM, Andrey Konovalov wrote: > Hi! > > I've got the following error report while running the syzkaller fuzzer. > > On commit a121103c922847ba5010819a3f250f1f7fc84ab8 (4.10-rc3). > >

net/atm: warning in alloc_tx/__might_sleep

2017-01-09 Thread Andrey Konovalov
Hi! I've got the following error report while running the syzkaller fuzzer. On commit a121103c922847ba5010819a3f250f1f7fc84ab8 (4.10-rc3). A reproducer is attached. [ cut here ] WARNING: CPU: 0 PID: 4114 at kernel/sched/core.c:7737 __might_sleep+0x149/0x1a0 do not call b

Re: net/ipv6: use-after-free in sock_wfree

2017-01-09 Thread Andrey Konovalov
On Mon, Jan 9, 2017 at 6:21 PM, Eric Dumazet wrote: > On Mon, Jan 9, 2017 at 9:11 AM, Andrey Konovalov > wrote: >> On Mon, Jan 9, 2017 at 6:08 PM, Andrey Konovalov >> wrote: >>> Hi! >>> >>> I've got the following error report whi

Re: net/ipv6: use-after-free in sock_wfree

2017-01-10 Thread Andrey Konovalov
On Mon, Jan 9, 2017 at 8:08 PM, Eric Dumazet wrote: > On Mon, Jan 9, 2017 at 11:06 AM, Andrey Konovalov > wrote: >> >> Hi Eric, >> >> This patch fixes the issue. >> >> Thanks! > > Thanks Andrey. > > Could you please post your .config for ne

net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep

2016-10-28 Thread Andrey Konovalov
Hi, I've got the following error report while running the syzkaller fuzzer: [ cut here ] WARNING: CPU: 0 PID: 4608 at kernel/sched/core.c:7724 __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719 do not call blocking ops when !TASK_RUNNING; state=1 set at [] prepare_to_wait+

Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep

2016-10-29 Thread Andrey Konovalov
et.c:1533 [] SyS_connect+0x24/0x30 net/socket.c:1514 [] entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:209 ---[ end trace c7e036cf4dc54077 ]--- Thanks! On Sat, Oct 29, 2016 at 8:10 AM, Cong Wang wrote: > On Fri, Oct 28, 2016 at 5:40 PM, Andrey Konovalov > wrote: >> Hi, >

Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep

2016-10-29 Thread Andrey Konovalov
Hi Eric, Tested with both patches applied, still seeing the warning. Thanks! On Sat, Oct 29, 2016 at 7:43 PM, Eric Dumazet wrote: > On Sat, 2016-10-29 at 19:06 +0200, Andrey Konovalov wrote: >> Hi Cong, >> >> Tested with your patch, still getting a warning, though it

Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep

2016-10-29 Thread Andrey Konovalov
0-29 at 19:59 +0200, Andrey Konovalov wrote: >> Hi Eric, >> >> Tested with both patches applied, still seeing the warning. >> >> Thanks! > > Arg, sorry, this was at the wrong place. > > Thanks for testing ! > > diff --git a/net/dccp/output.c b/net/dc

net/tcp: warning in tcp_recvmsg

2016-11-07 Thread Andrey Konovalov
Hi, I've got the following error report while running the syzkaller fuzzer: [ cut here ] WARNING: CPU: 1 PID: 9957 at net/ipv4/tcp.c:1766 tcp_recvmsg+0x19d7/0x26e0 net/ipv4/tcp.c:1765 Modules linked in: CPU: 1 PID: 9957 Comm: syz-executor Not tainted 4.9.0-rc4+ #352 Hardwa

net/sctp: null-ptr-deref in sctp_inet_listen

2016-11-07 Thread Andrey Konovalov
Hi, I've got the following error report while running the syzkaller fuzzer: kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: [#1] SMP KASAN Modules linked in: CPU: 1 PID: 3851 Comm: a.out Not tainted 4.9.0-rc4+ #3

net/l2tp: use-after-free write in l2tp_ip6_close

2016-11-07 Thread Andrey Konovalov
Hi, I've got the following error report while running the syzkaller fuzzer: == BUG: KASAN: use-after-free in l2tp_ip6_close+0x239/0x2a0 at addr 8800677276d8 Write of size 8 by task a.out/8668 CPU: 0 PID: 8668 Comm: a.out Not tain

Re: net/sctp: null-ptr-deref in sctp_inet_listen

2016-11-08 Thread Andrey Konovalov
Hi Xin, Your patch seems to be fixing the issue. Tested-by: Andrey Konovalov Thanks! On Tue, Nov 8, 2016 at 11:06 AM, Xin Long wrote: > On Tue, Nov 8, 2016 at 5:44 AM, Andrey Konovalov > wrote: >> Hi, >> >> I've got the following error report while running the

[PATCH 1/2] stacktrace: fix print_stack_trace printing timestamp twice

2016-11-08 Thread Andrey Konovalov
trace+0x16/0x20 [ 18.822232] [ 18.822232] [] save_stack+0x46/0xd0 [ 18.822232] [ 18.822232] [] kasan_kmalloc+0xab/0xe0 Fix by calling printk only once. Signed-off-by: Andrey Konovalov --- kernel/stacktrace.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/k

[PATCH 0/2] kasan,stacktrace: improve error reports

2016-11-08 Thread Andrey Konovalov
fc fc 00 00 fc fc fb fb fc fc 00 00 fc fc [ 24.247301] == Andrey Konovalov (2): stacktrace: fix print_stack_trace printing timestamp twice kasan: improve error reports kernel/stacktrace.c | 6 +- mm/kasan/report.c

[PATCH 2/2] kasan: improve error reports

2016-11-08 Thread Andrey Konovalov
1. Change header format. 2. Unify header format between different kinds of bad accesses. 3. Add empty lines between parts of the report to improve readability. 4. Improve slab object description. 5. Improve mm/kasan/report.c readability. Signed-off-by: Andrey Konovalov --- mm/kasan/report.c

Re: net/l2tp: use-after-free write in l2tp_ip6_close

2016-11-08 Thread Andrey Konovalov
Hi Cong, Tried with your patch, still seeing the reports. Thanks! On Tue, Nov 8, 2016 at 12:02 AM, Cong Wang wrote: > On Mon, Nov 7, 2016 at 2:35 PM, Andrey Konovalov > wrote: >> Hi, >> >> I've got the following error report while

Re: net/sctp: null-ptr-deref in sctp_inet_listen

2016-11-09 Thread Andrey Konovalov
On Wed, Nov 9, 2016 at 4:32 AM, Xin Long wrote: > this fix may break TYPE_SCTP_PRIMITIVE_SHUTDOWN statetable, > could you give the following one a try ? thanks. This one also works. Thanks. > > --- a/net/sctp/socket.c > +++ b/net/sctp/socket.c > @@ -4288,9 +4288,9 @@ static void sctp_shutdown(s

[PATCH v2] kcov: properly check if we are in an interrupt

2016-10-10 Thread Andrey Konovalov
in_interrupt() returns a nonzero value when we are either in an interrupt or have bh disabled via local_bh_disable(). Since we are interested in only ignoring coverage from actual interrupts, do a proper check instead of just calling in_interrupt(). Signed-off-by: Andrey Konovalov --- Changes in

[PATCH v3] kcov: properly check if we are in an interrupt

2016-10-11 Thread Andrey Konovalov
collect coverage from within local_bh_disable()/local_bh_enable() sections. Signed-off-by: Andrey Konovalov --- Changes in v3: - Add a description of user-visible effects of this change kernel/kcov.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/kernel/kcov.c b

Re: [PATCH v2] kcov: properly check if we are in an interrupt

2016-10-11 Thread Andrey Konovalov
On Tue, Oct 11, 2016 at 1:32 AM, Andrew Morton wrote: > On Mon, 10 Oct 2016 19:19:11 +0200 Dmitry Vyukov wrote: > >> On Mon, Oct 10, 2016 at 6:10 PM, Andrey Konovalov >> wrote: >> > in_interrupt() returns a nonzero value when we are either in an >> >

Re: net: GPF in eth_header

2016-11-26 Thread Andrey Konovalov
On Sat, Nov 26, 2016 at 7:28 PM, 'Eric Dumazet' via syzkaller wrote: > On Sat, Nov 26, 2016 at 9:30 AM, Dmitry Vyukov wrote: >> Hello, >> >> The following program triggers GPF in eth_header: >> >> https://gist.githubusercontent.com/dvyukov/613cadf05543b55a419f237e419cd495/raw/5471231523d1a07c3de5

net/sctp: vmalloc allocation failure in sctp_setsockopt/xt_alloc_table_info

2016-11-28 Thread Andrey Konovalov
Hi! I've got the following error report while running the syzkaller fuzzer. On commit d8e435f3ab6fea2ea324dce72b51dd7761747523 (Nov 26). A reproducer is attached. a.out: vmalloc: allocation failure, allocated 823562240 of 1427091456 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM) oom_reaper: r

net/dccp: use-after-free in dccp_invalid_packet

2016-11-28 Thread Andrey Konovalov
Hi! I've got the following error report while running the syzkaller fuzzer. On commit d8e435f3ab6fea2ea324dce72b51dd7761747523 (Nov 26). dh->dccph_doff is being accessed (line 731) right after skb was freed (line 732) in net/dccp/ipv4.c. A reproducer is attached. ==

Re: net/sctp: vmalloc allocation failure in sctp_setsockopt/xt_alloc_table_info

2016-11-28 Thread Andrey Konovalov
On Mon, Nov 28, 2016 at 3:13 PM, Neil Horman wrote: > On Mon, Nov 28, 2016 at 02:00:19PM +0100, Andrey Konovalov wrote: >> Hi! >> >> I've got the following error report while running the syzkaller fuzzer. >> >> On commit d8e435f3ab6fea2ea324dce72b51dd7761

Re: net: GPF in eth_header

2016-11-28 Thread Andrey Konovalov
On Mon, Nov 28, 2016 at 7:50 PM, Eric Dumazet wrote: > On Sat, 2016-11-26 at 20:07 +0100, Andrey Konovalov wrote: >> On Sat, Nov 26, 2016 at 7:28 PM, 'Eric Dumazet' via syzkaller >> wrote: >> > On Sat, Nov 26, 2016 at 9:30 AM, Dmitry Vyukov wrote: >> >

Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep

2016-11-01 Thread Andrey Konovalov
Hi Cong, Yes, your patches fix the warnings. Tested-by: Andrey Konovalov Thanks! On Mon, Oct 31, 2016 at 7:40 PM, Eric Dumazet wrote: > On Mon, 2016-10-31 at 11:00 -0700, Cong Wang wrote: >> On Sun, Oct 30, 2016 at 6:20 AM, Eric Dumazet wrote: >> > On Sun, 2016-10-30 at 0

net/tcp: null-ptr-deref in __inet_lookup_listener/inet_exact_dif_match

2016-11-02 Thread Andrey Konovalov
Hi, I've got the following error report while running the syzkaller fuzzer: general protection fault: [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 648 Comm: syz-executor Not tainted 4.9.0-rc3+ #333 Hardware name: QEMU Standard PC (i440FX + PII

Re: net/tcp: null-ptr-deref in __inet_lookup_listener/inet_exact_dif_match

2016-11-02 Thread Andrey Konovalov
Hi David, I'm able to reproduce it, so I'd be happy to test your fix. Thanks! On Wed, Nov 2, 2016 at 7:31 PM, David Ahern wrote: > On 11/2/16 11:21 AM, Eric Dumazet wrote: >> Thanks for your report. >> >> David, please take a look. >> >> TCP MD5 can call __inet_lookup_listener() with a NULL skb

net/dccp: null-ptr-deref in dccp_v4_rcv/selinux_socket_sock_rcv_skb

2016-11-02 Thread Andrey Konovalov
Hi, I've got the following error report while running the syzkaller fuzzer: IPv4: Attempt to release alive inet socket 880068e98940 kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: [#1] SMP KASAN Modules linke

Re: net/dccp: null-ptr-deref in dccp_v4_rcv/selinux_socket_sock_rcv_skb

2016-11-02 Thread Andrey Konovalov
Hi Eric, Your patch fixes the issue. Tested-by: Andrey Konovalov Thanks! On Wed, Nov 2, 2016 at 9:16 PM, Eric Dumazet wrote: > On Wed, 2016-11-02 at 19:44 +0100, Andrey Konovalov wrote: >> Hi, >> >> I've got the following error report while running the syzkaller f

net/dccp: null-ptr-deref in dccp_parse_options

2016-11-02 Thread Andrey Konovalov
Hi, I've got the following error report while running the syzkaller fuzzer: kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: [#1] SMP KASAN Modules linked in: CPU: 0 PID: 4677 Comm: syz-executor Not tainted 4.9.0-

net/ipv6: null-ptr-deref in inet6_bind

2016-11-02 Thread Andrey Konovalov
Hi, I've got the following error report while running the syzkaller fuzzer: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [< (null)>] (null) PGD 66b6f067 [ 102.549865] PUD 66c6e067 PMD 0 [ 102.549865] Oops: 0010 [#1] SMP KASAN Modules linked in

x86: warning in unwind_get_return_address

2016-12-20 Thread Andrey Konovalov
Hi, I've got the following warning while running the syzkaller fuzzer: WARNING: unrecognized kernel stack return address a001 at 88006377fa18 in a.out:4467 By adding a BUG() to unwind_get_return_address() I was able to capture the stack trace (see below). Looks like unwind_get_re

Re: x86: warning in unwind_get_return_address

2016-12-20 Thread Andrey Konovalov
On Tue, Dec 20, 2016 at 10:01 PM, Josh Poimboeuf wrote: > On Tue, Dec 20, 2016 at 03:43:27PM +0100, Andrey Konovalov wrote: >> Hi, >> >> I've got the following warning while running the syzkaller fuzzer: >> >> WARNING: unrecognized kernel st

net/dccp: warning in dccp_set_state

2016-10-24 Thread Andrey Konovalov
Hi, I've got the following error report while running the syzkaller fuzzer: WARNING: CPU: 1 PID: 21072 at net/dccp/proto.c:83 dccp_set_state+0x229/0x290 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 21072 Comm: syz-executor Not tainted 4.9.0-rc1+ #293 Hardware name: QEMU Standard

Re: net/dccp: warning in dccp_set_state

2016-10-24 Thread Andrey Konovalov
Hi Eric, I can confirm that with your patch the warning goes away. Tested-by: Andrey Konovalov On Mon, Oct 24, 2016 at 2:52 PM, Eric Dumazet wrote: > On Mon, 2016-10-24 at 05:47 -0700, Eric Dumazet wrote: >> On Mon, 2016-10-24 at 14:23 +0200, Andrey Konovalov wrote: >> >

Fwd: net/ipx: null-ptr-deref in ipxrtr_route_packet

2016-10-24 Thread Andrey Konovalov
+a...@redhat.com Hi, I've got the following error report while running the syzkaller fuzzer: kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: [#1] SMP KASAN Modules linked in: CPU: 0 PID: 3953 Comm: syz-executor

net/sctp: slab-out-of-bounds in sctp_sf_ootb

2016-10-24 Thread Andrey Konovalov
Hi, I've got the following error report while running the syzkaller fuzzer: == BUG: KASAN: slab-out-of-bounds in sctp_sf_ootb+0x634/0x6c0 at addr 88006bc1f210 Read of size 2 by task syz-executor/13493 CPU: 3 PID: 13493 Comm: syz-

net/ipv4: warning in inet_sock_destruct

2016-10-24 Thread Andrey Konovalov
Hi, I've got the following error report while running the syzkaller fuzzer: [ cut here ] WARNING: CPU: 1 PID: 0 at net/ipv4/af_inet.c:153[] inet_sock_destruct+0x64d/0x810 net/ipv4/af_inet.c:153 Modules linked in: CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.9

net/can: warning in bcm_connect/proc_register

2016-10-24 Thread Andrey Konovalov
Hi, I've got the following error report while running the syzkaller fuzzer: WARNING: CPU: 0 PID: 32451 at fs/proc/generic.c:345 proc_register+0x25e/0x300 proc_dir_entry 'can-bcm/249757' already registered Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 32451 Comm: syz-executor Not

Re: net/can: warning in bcm_connect/proc_register

2016-10-24 Thread Andrey Konovalov
x5, 0xfffd, 0x0, "341b3a01b257849ca1d7d1ff9f999d8127b185f88d1d775dbec88a3aa6a8ddacdf2bdc324ea6578a21b85114610186c3817c34b05eaffd2c3f54f57fa81ba0", 0x1ff}, 0x60) Unfortunately I wasn't able to create a simpler reproducer. Thanks! On Mon, Oct 24, 2016 at 6:58 PM, Cong Wang wrote: > On Mon, Oct 24, 2016 at 9:21 AM, Andrey Konovalov > wrote: >> Hi, >> >> I

Re: [PATCH] can: fix warning in bcm_connect/proc_register

2016-10-25 Thread Andrey Konovalov
Hi Oliver, I can confirm that your patch fixes the warnings for me. Tested-by: Andrey Konovalov On Mon, Oct 24, 2016 at 10:17 PM, Cong Wang wrote: > On Mon, Oct 24, 2016 at 1:10 PM, Cong Wang wrote: >> On Mon, Oct 24, 2016 at 12:11 PM, Oliver Hartkopp >> wrote: >>&

Re: net/sctp: slab-out-of-bounds in sctp_sf_ootb

2016-10-25 Thread Andrey Konovalov
Hi Marcelo, I can confirm that your patch fixes the issue for me. Tested-by: Andrey Konovalov On Mon, Oct 24, 2016 at 9:44 PM, Marcelo Ricardo Leitner wrote: > Hi Andrey, > > On Mon, Oct 24, 2016 at 05:30:04PM +0200, Andrey Konovalov wrote: >> The problem is that sctp_walk_e

usb/gadget: warning in ep_write_iter/__alloc_pages_nodemask

2016-12-12 Thread Andrey Konovalov
Hi! While running the syzkaller fuzzer I've got the following error report. The issue is that the len argument is not checked for being too big. WARNING: CPU: 1 PID: 9935 at mm/page_alloc.c:3511 __alloc_pages_nodemask+0x159c/0x1e20 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 9

Re: usb/gadget: warning in ep_write_iter/__alloc_pages_nodemask

2016-12-12 Thread Andrey Konovalov
On Mon, Dec 12, 2016 at 9:31 PM, Andrey Konovalov wrote: > Hi! > > While running the syzkaller fuzzer I've got the following error report. > > The issue is that the len argument is not checked for being too big. > > WARNING: CPU: 1 PID: 9935 at mm/page_alloc.c:3511 >

usb/core: warning in usb_create_ep_devs/sysfs_create_dir_ns

2016-12-12 Thread Andrey Konovalov
Hi! While running the syzkaller fuzzer I've got the following error report. On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2). WARNING: CPU: 2 PID: 865 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x8a/0xa0 gadgetfs: disconnected sysfs: cannot create duplicate filename '/devices/platform/dummy_h

net/can: warning in raw_setsockopt/__alloc_pages_slowpath

2016-12-02 Thread Andrey Konovalov
Hi! I've got the following error report while running the syzkaller fuzzer. A reproducer is attached. On commit d8e435f3ab6fea2ea324dce72b51dd7761747523 (Nov 26). [ cut here ] WARNING: CPU: 0 PID: 4009 at mm/page_alloc.c:3511 __alloc_pages_slowpath+0x3d4/0x1bf0 Modules l

usb: warning in vhci_hcd_probe/lockdep_init_map

2016-12-02 Thread Andrey Konovalov
Hi! I've got the following error report while booting the kernel with various usb configs enabled. On commit 2caceb3294a78c389b462e7e236a4e744a53a474 (Dec 1). gadgetfs: USB Gadget filesystem, version 24 Aug 2004 usbip_core: USB/IP Core v1.0.0 vhci_hcd vhci_hcd: USB/IP Virtual Host Controller vhc

usb/gadget: warning in dev_config/memdup_user

2016-12-02 Thread Andrey Konovalov
Hi! I've got the following error report while running the syzkaller fuzzer. The length is passed to memdup_user() directly without limitations. On commit 2caceb3294a78c389b462e7e236a4e744a53a474 (Dec 1). WARNING: CPU: 3 PID: 14477 at mm/page_alloc.c:3511 __alloc_pages_nodemask+0x159c/0x1e20 Kernel

Re: usb: warning in vhci_hcd_probe/lockdep_init_map

2016-12-02 Thread Andrey Konovalov
On Fri, Dec 2, 2016 at 4:58 PM, Greg Kroah-Hartman wrote: > On Fri, Dec 02, 2016 at 03:35:44PM +0100, Andrey Konovalov wrote: >> Hi! >> >> I've got the following error report while booting the kernel with >> various usb configs enabled. > > Any hint as to wha

net: use-after-free in worker_thread

2016-12-03 Thread Andrey Konovalov
Hi! I'm seeing lots of the following error reports while running the syzkaller fuzzer. Reports appeared when I updated to 3c49de52 (Dec 2) from 2caceb32 (Dec 1). == BUG: KASAN: use-after-free in worker_thread+0x17d8/0x18a0 Read of s

Re: net: use-after-free in worker_thread

2016-12-03 Thread Andrey Konovalov
On Sat, Dec 3, 2016 at 1:58 PM, Andrey Konovalov wrote: > +syzkal...@googlegroups.com > > On Sat, Dec 3, 2016 at 1:56 PM, Andrey Konovalov > wrote: >> Hi! >> >> I'm seeing lots of the following error reports while running the >> syzkaller fuzzer.

Re: net: use-after-free in worker_thread

2016-12-03 Thread Andrey Konovalov
+syzkal...@googlegroups.com On Sat, Dec 3, 2016 at 1:56 PM, Andrey Konovalov wrote: > Hi! > > I'm seeing lots of the following error reports while running the > syzkaller fuzzer. > > Reports appeared when I updated to 3c49de52 (Dec

Re: net: use-after-free in worker_thread

2016-12-03 Thread Andrey Konovalov
On Sat, Dec 3, 2016 at 2:49 PM, Eric Dumazet wrote: > On Sat, 2016-12-03 at 14:05 +0100, Andrey Konovalov wrote: >> On Sat, Dec 3, 2016 at 1:58 PM, Andrey Konovalov >> wrote: >> > +syzkal...@googlegroups.com >> > >> > On Sat, Dec 3, 2016 at 1:56 P

usb/gadget: GPF in usb_gadget_unregister_driver

2016-12-03 Thread Andrey Konovalov
Hi! I've got the following error report while running the syzkaller fuzzer. On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2). general protection fault: [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 10564 Comm: syz-executor0 Not taint

Re: [v3 PATCH] netlink: Do not schedule work from sk_destruct

2016-12-05 Thread Andrey Konovalov
truct netlink_sock, > rcu); > + struct sock *sk = &nlk->sk; > + > + if (!atomic_dec_and_test(&sk->sk_refcnt)) > + return; > + > + if (nlk->cb_running && nlk->cb.done) { > + INIT_WORK(&nlk->work, netlink

Re: usb/gadget: GPF in usb_gadget_unregister_driver

2016-12-05 Thread Andrey Konovalov
On Sat, Dec 3, 2016 at 6:13 PM, Greg Kroah-Hartman wrote: > On Sat, Dec 03, 2016 at 05:36:35PM +0100, Andrey Konovalov wrote: >> Hi! >> >> I've got the following error report while running the syzkaller fuzzer. >> >> On commit 3c49de52d5647cda8b42c4255

Re: usb/gadget: GPF in usb_gadget_unregister_driver

2016-12-05 Thread Andrey Konovalov
On Sat, Dec 3, 2016 at 6:31 PM, Felix Hädicke wrote: > Hi, >> Hi! >> >> I've got the following error report while running the syzkaller fuzzer. >> >> On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2). >> >> general protection fault: [#1] SMP KASAN >> Dumping ftrace buffer: >>(ftr

Re: usb/core: warning in usb_create_ep_devs/sysfs_create_dir_ns

2016-12-17 Thread Andrey Konovalov
On Fri, Dec 16, 2016 at 7:01 PM, Alan Stern wrote: > On Mon, 12 Dec 2016, Andrey Konovalov wrote: > >> Hi! >> >> While running the syzkaller fuzzer I've got the following error report. >> >> On commit 3c49de52d5647cda8b42c4255cf8a29d1e22eff5 (Dec 2).

Re: net: GPF in eth_header

2016-11-29 Thread Andrey Konovalov
On Sat, Nov 26, 2016 at 9:05 PM, Eric Dumazet wrote: >> I actually see multiple places where skb_network_offset() is used as >> an argument to skb_pull(). >> So I guess every place can potentially be buggy. > > Well, I think the intent is to accept a negative number. I'm not sure that was the int

[PATCH] tun: Use netif_receive_skb instead of netif_rx

2016-11-29 Thread Andrey Konovalov
lists/netdev/thrd440.html#130570 [3] https://www.spinics.net/lists/netdev/msg130570.html Signed-off-by: Andrey Konovalov --- drivers/net/tun.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 8093e39..4b56e91 100644 --- a/driver

Re: net: GPF in eth_header

2016-11-29 Thread Andrey Konovalov
On Tue, Nov 29, 2016 at 3:58 PM, Eric Dumazet wrote: > On Tue, 2016-11-29 at 11:26 +0100, Andrey Konovalov wrote: >> On Sat, Nov 26, 2016 at 9:05 PM, Eric Dumazet wrote: >> >> I actually see multiple places where skb_network_offset() is used as >> >> an argumen

Re: net: GPF in rt6_get_cookie

2016-11-30 Thread Andrey Konovalov
On Sat, Nov 26, 2016 at 5:23 PM, 'Dmitry Vyukov' via syzkaller wrote: > Hello, > > I got several GPFs in rt6_get_cookie while running syzkaller: > > general protection fault: [#1] SMP DEBUG_PAGEALLOC KASAN > Dumping ftrace buffer: >(ftrace buffer empty) > Modules linked in: > CPU: 2 PID:

net/ipv6: null-ptr-deref in ip6_rt_cache_alloc

2016-11-30 Thread Andrey Konovalov
Hi! I've got the following error report while running the syzkaller fuzzer. On commit d8e435f3ab6fea2ea324dce72b51dd7761747523 (Nov 26). This might be related to the crash in rt6_get_cookie that Dmitry reported, since it also happens when accessing ort->dst: https://groups.google.com/forum/#!msg

Re: net: GPF in rt6_get_cookie

2016-11-30 Thread Andrey Konovalov
On Wed, Nov 30, 2016 at 12:00 PM, Hannes Frederic Sowa wrote: > Hi > > On 30.11.2016 11:39, Andrey Konovalov wrote: >> On Sat, Nov 26, 2016 at 5:23 PM, 'Dmitry Vyukov' via syzkaller >> wrote: >>> Hello, >>> >>> I got several GPFs

[PATCH v2] tun: Use netif_receive_skb instead of netif_rx

2016-12-01 Thread Andrey Konovalov
.html Signed-off-by: Andrey Konovalov --- Changes since v1: - incorporate Eric's note about speed improvements in commit description - use netif_receive_skb CONFIG_4KSTACKS is not enabled drivers/net/tun.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/tun.c b/drivers

Re: [PATCH] tun: Use netif_receive_skb instead of netif_rx

2016-12-01 Thread Andrey Konovalov
On Tue, Nov 29, 2016 at 5:20 PM, Michael S. Tsirkin wrote: > On Tue, Nov 29, 2016 at 04:25:36PM +0100, Andrey Konovalov wrote: >> This patch changes tun.c to call netif_receive_skb instead of netif_rx >> when a packet is received. The difference between the two is that netif_r
