On Thu, Aug 22, 2019 at 5:05 AM Eric Biggers wrote:
>
> On Mon, Aug 19, 2019 at 05:22:07AM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:5181b473 net: phy: realtek: add NBase-T PHY auto-detection
> > git tree: net-next
> > console output
On Mon, Jun 3, 2019 at 3:31 PM syzbot
wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:69bbe8c7 usb-fuzzer: main usb gadget fuzzer driver
> git tree: https://github.com/google/kasan.git usb-fuzzer
> console output: https://syzkaller.appspot.com/x/log.txt?x=1448d
o 4.17-rc1.
Changes in RFC v2:
- Added "#ifndef untagged_addr..." fallback in linux/uaccess.h instead of
defining it for each arch individually.
- Updated Documentation/arm64/tagged-pointers.txt.
- Dropped "mm, arm64: untag user addresses in memory syscalls".
- Rebased on
arm64.
Acked-by: Catalin Marinas
Signed-off-by: Andrey Konovalov
---
include/linux/mm.h | 4
1 file changed, 4 insertions(+)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 76769749b5a5..4d674518d392 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -99,6 +99,10 @@ extern
, mincore, mlock, mlock2, brk,
mmap_pgoff, old_mmap, munmap, remap_file_pages, mprotect, pkey_mprotect,
mremap, msync and shmdt.
This is done by untagging pointers passed to these syscalls in the
prologues of their handlers.
Signed-off-by: Andrey Konovalov
---
ipc/shm.c | 2 ++
mm/madvise.c | 2
done with untagged pointers.
Untag user pointers in these functions.
Signed-off-by: Andrey Konovalov
---
fs/userfaultfd.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index 89800fc7dc9d..a3b70e0d9756 100644
--- a/fs/userfaultfd.c
+++ b/fs
size is calculated to not
allow the exact_copy_from_user() call to cross TASK_SIZE boundary.
However if the address is tagged, then the size will be calculated
incorrectly.
Untag the address before subtracting.
Signed-off-by: Andrey Konovalov
---
fs/namespace.c | 2 +-
1 file changed, 1
get_user_pages, that is used
by the futex syscall). Since a user can provide tagged addresses, we need
to handle this case.
Add untagging to gup.c functions that use user addresses for vma lookups.
Signed-off-by: Andrey Konovalov
---
mm/gup.c | 4
1 file changed, 4 insertions(+)
diff --git
-by: Andrey Konovalov
---
lib/strncpy_from_user.c | 3 ++-
lib/strnlen_user.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c
index 58eacd41526c..6209bb9507c7 100644
--- a/lib/strncpy_from_user.c
+++ b/lib
perform validation, which can
only be done with untagged pointers.
Untag user pointers in these functions for vma lookup and validity checks.
Signed-off-by: Andrey Konovalov
---
kernel/sys.c | 44 ++--
1 file changed, 30 insertions(+), 14 deletions
diff --git
On Mon, Jun 4, 2018 at 6:29 AM Samuel Ortiz wrote:
>
> Hi Andrey,
>
> On Thu, Apr 12, 2018 at 06:56:56PM +0200, Andrey Konovalov wrote:
> > nfc_genl_deactivate_target() relies on the NFC_ATTR_TARGET_INDEX
> > attribute being present, but doesn't check whether it is
ff-by: Andrey Konovalov
---
net/nfc/netlink.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
index f018eafc2a0d..58adfb0c90f6 100644
--- a/net/nfc/netlink.c
+++ b/net/nfc/netlink.c
@@ -936,7 +936,8 @@ static int nfc_genl_deactivate_t
On Wed, Jan 31, 2018 at 8:27 AM, Eric Biggers wrote:
>
> Also Dmitry, syzbot seems to be grouping together unrelated bugs under the
> refcount_t WARNINGs; maybe those should be on a blacklist?
Not a blacklist, we need a proper way of extracting the offending
caller like it's done for reports from
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit e1d1ea549b57790a3d8cf6300e6ef86118d692a3 (4.15-rc1).
usb 1-1: New USB device found, idVendor=0baf, idProduct=0121
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
On Mon, Nov 6, 2017 at 4:20 PM, Oliver Neukum wrote:
> On Monday, 06.11.2017, 13:30 +0100, Andrey Konovalov wrote:
>> On Mon, Nov 6, 2017 at 10:49 AM, Oliver Neukum wrote:
>> >
>> >
>> > 2. Will a device work after that? The appropriate fix may be to wa
On Mon, Nov 6, 2017 at 3:06 PM, Bjørn Mork wrote:
> Andrey Konovalov writes:
>
>> Hi!
>>
>> I've got the following report while fuzzing the kernel with syzkaller.
>
> Thanks. It would have helped a lot if you said *what* you were fuzzing,
> though But
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 39dae59d66acd86d1de24294bd2f343fd5e7a625 (4.14-rc8).
qmi_wwan 1-1:0.4: cdc-wdm0: USB WDM device
divide error: [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc
On Mon, Nov 6, 2017 at 10:49 AM, Oliver Neukum wrote:
> On Thursday, 02.11.2017, 21:26 +0100, Andrey Konovalov wrote:
>> When asix_suspend() is called dev->driver_priv might not have been
>> assigned a value, so we need to check that it's not NULL.
>>
4d 8b 6d 08 4d 85 ed 74 0b e8 26 2b 51 fd 4c
RIP: asix_suspend+0x76/0xc0 RSP: 88006bbae718
---[ end trace dfc4f5649284342c ]---
Signed-off-by: Andrey Konovalov
---
Changes in v2:
- added asix_resume() fix
---
drivers/net/usb/asix_devices.c | 4 ++--
1 file changed, 2 insertions(+), 2 dele
+0x76/0xc0 RSP: 88006bbae718
---[ end trace dfc4f5649284342c ]---
Signed-off-by: Andrey Konovalov
---
drivers/net/usb/asix_devices.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
index b2ff88e69a81..743416be84f3 100644
On Tue, Oct 24, 2017 at 4:59 PM, Andrey Konovalov wrote:
> Hi!
>
> While fuzzing the kernel with syzkaller I've been getting kernel hangs
> within the asix driver.
>
> On commit 6cff0a118f23b98c604a3604ea9de11338e24fbe (4.14-rc6+).
>
> As far as I can tell the
Hi!
While fuzzing the kernel with syzkaller I've been getting kernel hangs
within the asix driver.
On commit 6cff0a118f23b98c604a3604ea9de11338e24fbe (4.14-rc6+).
As far as I can tell the issue is that asix_phy_reset() doesn't
enforce proper timeout.
asix_phy_reset() calls asix_mdio_read() in a
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f (4.14-rc4).
It seems that priv ends up being NULL.
usb 1-1: New USB device found, idVendor=0557, idProduct=2009
usb 1-1: New USB device strings: Mfr=204, Product=1, Seri
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f (4.14-rc4).
It seems that the driver doesn't check the endpoint type provided in
the USB descriptor.
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
[ cut here ]--
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f (4.14-rc4).
usb 1-1: New USB device found, idVendor=0cf3, idProduct=9375
usb 1-1: New USB device strings: Mfr=2, Product=255, SerialNumber=8
usb 1-1: Product: a
usb 1-1:
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f (4.14-rc4).
INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 0 PID: 24 Comm: kw
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f (4.14-rc4).
It seems that qos->baud_rate.bits value is taken from USB descriptor
and then used as an array index without any checks.
=
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f (4.14-rc4).
I'm not sure whether this is a bug in the driver, or just a way to
report misbehaving device. In the latter case this shouldn't be a
WARN() call, since WARN()
On Wed, Sep 27, 2017 at 2:06 PM, Andrey Konovalov wrote:
> On Wed, Sep 27, 2017 at 1:18 PM, Arvind Yadav
> wrote:
>> We are not releasing 'buf' memory on failure or disconnect a device.
>>
>> Adding 'u8 *buf' as part of 'lan78xx_net'
On Wed, Sep 27, 2017 at 1:18 PM, Arvind Yadav wrote:
> We are not releasing 'buf' memory on failure or disconnect a device.
>
> Adding 'u8 *buf' as part of 'lan78xx_net' structure to make proper
> handle for 'buf'.
> Now releasing 'buf' memory on failure. It's allocated first in
> lan78xx_probe() a
On Tue, Sep 26, 2017 at 5:08 PM, Johannes Berg
wrote:
> Subject should say *not* initialized?
Yes, sent v2.
>
> johannes
kthread+0x3a1/0x470 kernel/kthread.c:231
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Signed-off-by: Andrey Konovalov
---
changes in v2:
- fixed typo in patch subject
---
drivers/net/wireless/intersil/p54/main.c | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git
On Sat, Sep 23, 2017 at 9:37 PM, 'Christian Lamparter' via syzkaller
wrote:
> This got rejected by gmail once. Let's see if it works now.
>
> On Thursday, September 21, 2017 8:22:45 PM CEST Andrey Konovalov wrote:
>> On Wed, Sep 20, 2017 at 9:55 PM, Johannes Berg
kthread+0x3a1/0x470 kernel/kthread.c:231
ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
Signed-off-by: Andrey Konovalov
---
drivers/net/wireless/intersil/p54/main.c | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/intersil/p54/main.c
b/drivers
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit e19b205be43d11bff638cad4487008c48d21c103 (4.14-rc2).
==
BUG: KASAN: use-after-free in lan78xx_write_reg.isra.21+0x1a8/0x1b0
Read of size 8 at addr
On Mon, Sep 25, 2017 at 6:26 AM, Kalle Valo wrote:
> Andrey Konovalov writes:
>
>> I've got the following report while fuzzing the kernel with syzkaller.
>>
>> On commit 6e80ecdddf4ea6f3cd8
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit 6e80ecdddf4ea6f3cd84e83720f3d852e6624a68 (Sep 21).
==
BUG: KASAN: use-after-free in __run_timers+0xc0e/0xd40
Write of size 8 at addr 880069f701
On Wed, Sep 20, 2017 at 9:55 PM, Johannes Berg
wrote:
> On Wed, 2017-09-20 at 21:27 +0200, Christian Lamparter wrote:
>
>> It seems this is caused as a result of:
>> -> lock_map_acquire(&work->lockdep_map);
>> lock_map_release(&work->lockdep_map);
>>
>> in flush_work() [0]
>
> Ag
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
It seems there's no check on the if_num value when it's used in ((u32
*)(id->driver_info))[if_num].
===
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
Looks like hso_create_net_device() can do goto exit before registering
network device.
hso 1-1:4.0: Can't find BULK IN endpoint
[ cut here ]---
Hi!
I've got the following report while fuzzing the kernel with syzkaller.
On commit ebb2c2437d8008d46796902ff390653822af6cc4 (Sep 18).
INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 1 PID: 1404 Comm: kw
On Fri, Jun 23, 2017 at 2:21 PM, Andrey Konovalov wrote:
> On Fri, Jun 23, 2017 at 12:29 AM, Cong Wang wrote:
>> The memory allocation size is controlled by user-space,
>> if it is too large just fail silently and return NULL,
>> not to mention there is a fallback allocat
On Fri, Jun 23, 2017 at 12:29 AM, Cong Wang wrote:
> The memory allocation size is controlled by user-space,
> if it is too large just fail silently and return NULL,
> not to mention there is a fallback allocation later.
Thanks!
Tested-by: Andrey Konovalov
>
> Reported-by: A
rey for finding a reliable reproducer.
Thanks! This fixes the bug for me.
Tested-by: Andrey Konovalov
>
> Fixes: 176c39af29bc ("netns: fix addrconf_ifdown kernel panic")
> Reported-by: Andrey Konovalov
> Cc: Andrey Konovalov
> Cc: Daniel Lezcano
> Cc: David Ahe
On Wed, Jun 21, 2017 at 3:09 PM, Andrey Konovalov wrote:
> On Wed, Jun 21, 2017 at 2:08 PM, Andrey Konovalov
> wrote:
>> Hi,
>>
>> I've got the following error report while fuzzing the kernel with syzkaller.
>>
>> On commit 9705596d08ac87c18aee32cc97f278
On Wed, Jun 21, 2017 at 2:08 PM, Andrey Konovalov wrote:
> Hi,
>
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On commit 9705596d08ac87c18aee32cc97f2783b7d14624e (4.12-rc6+).
>
> It might be related to:
> https://groups.googl
On Thu, Jun 8, 2017 at 5:20 PM, Marc Kleine-Budde wrote:
> On 06/08/2017 05:16 PM, Andrey Konovalov wrote:
>> Hi,
>>
>> I've got the following error report while fuzzing the kernel with syzkaller.
>>
>> On commit b29794ec95c6856b316c2295904208bf11ffddd9 (4.12
Hi,
I've got the following error report while fuzzing the kernel with syzkaller.
On commit b29794ec95c6856b316c2295904208bf11ffddd9 (4.12-rc4+).
INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 2 PID: 1740
On Tue, Jun 6, 2017 at 1:00 PM, Andrey Konovalov wrote:
> On Tue, Jun 6, 2017 at 12:30 PM, Gene Blue wrote:
>> Hi:
>> I got this crash when fuzzing the kernel with syzkaller.
>>
>> My kernel version is 4.11.0-rc1 directly downloaded from kernel.org.
>>
On Tue, Jun 6, 2017 at 12:30 PM, Gene Blue wrote:
> Hi:
> I got this crash when fuzzing the kernel with syzkaller.
>
> My kernel version is 4.11.0-rc1 directly downloaded from kernel.org.
>
> And this crash is reproducible. Three times in total during the period of
> fuzzing.
Hi!
This has a
On Thu, Jun 1, 2017 at 2:13 AM, Eric Dumazet wrote:
> On Wed, 2017-05-31 at 16:55 -0700, Eric Dumazet wrote:
>
>> The issue here is the timer firing while ip_mc_clear_src() has been
>> already called.
>>
>> My patch should fix the problem.
>>
>> Or another one using del_timer_sync() instead of del
On Thu, Jun 1, 2017 at 3:17 AM, David Ahern wrote:
> On 5/31/17 4:49 PM, Cong Wang wrote:
> ==
> BUG: KASAN: use-after-free in ip6_dst_ifdown+0x3cc/0x400
> net/ipv6/route.c:422
> Read of size 8 at addr 88006afa4ad
Hi,
I've got the following error report while fuzzing the kernel with syzkaller.
On commit 5ed02dbb497422bf225783f46e6eadd237d23d6b (4.12-rc3).
Unfortunately it's not reproducible.
==
BUG: KASAN: use-after-free in add_grec+0x101e/0
Hi,
I've got the following error report while fuzzing the kernel with syzkaller.
On commit 5ed02dbb497422bf225783f46e6eadd237d23d6b (4.12-rc3).
Unfortunately it's not reproducible.
==
BUG: KASAN: use-after-free in ip6_dst_ifdown+0x
On Fri, May 19, 2017 at 4:36 PM, 'Eric Dumazet' via syzkaller
wrote:
> On Fri, May 19, 2017 at 5:57 AM, Andrey Konovalov
> wrote:
>> On Fri, May 19, 2017 at 12:18 PM, wrote:
>>> Hi,
>>>
>>> I've got the following bug report while fuz
On Thu, May 18, 2017 at 6:02 AM, Firo Yang wrote:
> The divisor s->par.bitrate will always be 0 until initialized by
> ndo_open() and hdlcdrv_open().
>
> In order to fix this divide zero error, check whether the netdevice was
> opened by ndo_open() before performing divide. And we also check the th
On Wed, May 17, 2017 at 10:07 PM, Alan Cox wrote:
> On Tue, 16 May 2017 17:05:32 +0200
> Andrey Konovalov wrote:
>
>> Hi,
>>
>> I've got the following error report while fuzzing the kernel with syzkaller.
>>
>> On commit 2ea659a9ef488125eb46da6eb571de5
On Tue, May 16, 2017 at 5:05 PM, Andrey Konovalov wrote:
> Hi,
>
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On commit 2ea659a9ef488125eb46da6eb571de5eae5c43f6 (4.12-rc1).
>
> A reproducer and .config are attached.
+syzkaller
On Fri, May 5, 2017 at 11:11 AM, Steffen Klassert
wrote:
> On Tue, May 02, 2017 at 06:45:03PM +0200, Andrey Konovalov wrote:
>> Hi,
>>
>> I've got the following error report while fuzzing the kernel with syzkaller.
>>
>> On commit d3b5d35290d729a251
On Mon, Apr 10, 2017 at 7:46 PM, Andrey Konovalov wrote:
> On Mon, Apr 10, 2017 at 7:42 PM, Cong Wang wrote:
>> On Mon, Apr 10, 2017 at 7:40 AM, Andrey Konovalov
>> wrote:
>>> Hi,
>>>
>>> I've got the following error report while fuzzi
On Thu, May 4, 2017 at 3:53 PM, David Miller wrote:
> From: Andrey Konovalov
> Date: Thu, 4 May 2017 15:36:37 +0200
>
>> On Wed, Mar 1, 2017 at 4:40 PM, Arnaldo Carvalho de Melo
>> wrote:
>>> Em Wed, Mar 01, 2017 at 12:35:10PM -0300, Arnaldo Carvalho de Melo escre
On Fri, Feb 24, 2017 at 3:56 AM, Florian Westphal wrote:
> Andrey Konovalov wrote:
>
> [ CC Paolo ]
>
>> I've got the following error report while fuzzing the kernel with syzkaller.
>>
>> On commit c470abd4fde40ea6a0846a2beab642a578c0b8cd (4.10).
>&
On Wed, Mar 1, 2017 at 4:40 PM, Arnaldo Carvalho de Melo
wrote:
> On Wed, Mar 01, 2017 at 12:35:10PM -0300, Arnaldo Carvalho de Melo wrote:
>> On Wed, Mar 01, 2017 at 10:38:54AM +0100, Dmitry Vyukov wrote:
>> > Hello,
>> >
>> > I've got the following report while running syzkaller fuzzer on
On Wed, May 3, 2017 at 5:50 PM, Andrey Konovalov wrote:
> On Wed, May 3, 2017 at 3:30 PM, Josh Poimboeuf wrote:
>> On Wed, May 03, 2017 at 02:48:28PM +0200, Andrey Konovalov wrote:
>>> Hi,
>>>
>>> I've got the following error report while fuzzing the
init_net.loopback_dev) in addrconf_init().
>
> Reported-by: Andrey Konovalov
> Signed-off-by: Cong Wang
Hi Cong,
This fixes the bug triggered by my reproducer.
Thanks!
Tested-by: Andrey Konovalov
> ---
> include/net/ip6_route.h | 1 +
> net/ipv6/addrconf.c | 2 ++
> net/ip
On Wed, May 3, 2017 at 3:30 PM, Josh Poimboeuf wrote:
> On Wed, May 03, 2017 at 02:48:28PM +0200, Andrey Konovalov wrote:
>> Hi,
>>
>> I've got the following error report while fuzzing the kernel with syzkaller.
>>
>> On commit 89c9fea3c8034cdb2fd74
9/0x1040 net/ipv6/addrconf.c:3963
>>
>> The fix is to call in6_ifa_put() for the inet6_ifaddr before rather
>> than after calling addrconf_ifdown(), as the latter may remove it from
>> the address hash table.
>>
>> Fixes: 85b51b12115c ("net: ipv6: Remove addresses
ich makes starting
> DAD pointless.
>
> Since the second DAD was introduced by a recent change, seems appropriate
> to use it for the Fixes tag and have the fixup function only start DAD for
> addresses in the PREDAD state which occurs in addrconf_ifdown if the
> address is retained.
H
On Wed, May 3, 2017 at 2:48 PM, Andrey Konovalov wrote:
> Hi,
>
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On commit 89c9fea3c8034cdb2fd745f551cde0b507fd6893 (4.11.0+).
>
> A reproducer and .config are attached.
>
> The
On Tue, May 2, 2017 at 4:44 AM, David Ahern wrote:
> On 4/26/17 9:15 AM, Andrey Konovalov wrote:
>> +David
>>
>> I've enabled CONFIG_DEBUG_OBJECTS_RCU_HEAD and this is what I get.
>>
>> Apparently the rcu warning is related to the fib6_del_route bug I
On Tue, May 2, 2017 at 6:45 PM, Andrey Konovalov wrote:
> Hi,
>
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On commit d3b5d35290d729a2518af00feca867385a1b08fa (4.11).
>
> A reproduce
Hi,
I've got the following error report while fuzzing the kernel with syzkaller.
On commit d3b5d35290d729a2518af00feca867385a1b08fa (4.11).
A reproducer and .config are attached.
==
BUG: KASAN: slab-out-of-bounds in pfkey_compile_p
t;head is not reallocated.
Hi Eric,
With all 3 of your patches applied to net-next I don't see the warning any more.
Thanks!
Tested-by: Andrey Konovalov
>
> Signed-off-by: Eric Dumazet
> Reported-by: Andrey Konovalov
> ---
> net/ipv4/tcp_output.c | 19 -
> sock_edemux().
Hi Eric,
I still see the warning even with your patch.
Thanks!
>
> Signed-off-by: Eric Dumazet
> Reported-by: Andrey Konovalov
> Cc: Willem de Bruijn
> ---
> net/core/skbuff.c |2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git
On Wed, Apr 26, 2017 at 3:59 PM, Paul E. McKenney
wrote:
> On Wed, Apr 26, 2017 at 02:34:15PM +0200, Andrey Konovalov wrote:
>> Hi,
>>
>> I've got the following error report while fuzzing the kernel with syzkaller.
>>
>> On commit 5a7ad1146caa
Hi,
I've got the following error report while fuzzing the kernel with syzkaller.
On commit 5a7ad1146caa895ad718a534399e38bd2ba721b7 (4.11-rc8).
Unfortunately it's not reproducible.
I'm not sure whether it is an issue with rcu or ipv6.
===
On Tue, Apr 25, 2017 at 6:36 PM, Andrey Konovalov wrote:
> On Tue, Apr 25, 2017 at 5:56 PM, David Ahern wrote:
>> On 3/4/17 11:57 AM, Dmitry Vyukov wrote:
>>> ==
>>> BUG: KASAN: slab-out-of-bounds in
On Tue, Apr 25, 2017 at 5:56 PM, David Ahern wrote:
> On 3/4/17 11:57 AM, Dmitry Vyukov wrote:
>> ==
>> BUG: KASAN: slab-out-of-bounds in rt6_dump_route+0x293/0x2f0
>> net/ipv6/route.c:3551 at addr 88007e523694
>> Read of size 4 b
On Tue, Apr 25, 2017 at 5:54 PM, David Ahern wrote:
> On 4/25/17 6:50 AM, Andrey Konovalov wrote:
>> I've been running syzkaller with your patch and got another report
>> from ip6_pol_route.
>
> In general the existing patch cleans up all of the ipv6 fib kasan and
>
fb fb fb fb fb fb fb
======
>
> Fixes: f1705ec197e7 ("net: ipv6: Make address flushing on ifdown optional")
> Reported-by: Dmitry Vyukov
> Reported-by: Andrey Konovalov
> Signed-off-by: David Ahern
> --
he network header of the skb at this point should be still IPv4?
>
> Please try the attached patch.
I don't see these crashes with your patch.
Thanks!
Tested-by: Andrey Konovalov
>
> I am not sure how we could handle 4in6 case better than just relying on
> the config of ip6 tunnel.
On Mon, Apr 24, 2017 at 5:03 PM, Andrey Konovalov wrote:
> Hi,
>
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On commit 5a7ad1146caa895ad718a534399e38bd2ba721b7 (4.11-rc8).
>
> Unfortunately it's not reproducible.
>
> T
Hi,
I've got the following error report while fuzzing the kernel with syzkaller.
On commit 5a7ad1146caa895ad718a534399e38bd2ba721b7 (4.11-rc8).
Unfortunately it's not reproducible.
The issue might be similar to this one:
https://groups.google.com/forum/#!topic/syzkaller/IDoQHFmrnRI
===
or the address is removed, the
> WARN_ON in fib6_del is triggered.
>
> All of those faults are fixed by regenerating the host route of the
> existing one has been moved to the gc list, something that can be
> determined by checking if the rt6i_ref counter is 0.
>
> Fixes: f1705e
On Fri, Apr 21, 2017 at 9:45 PM, Florian Westphal wrote:
> Florian Westphal wrote:
>> Indeed. Setting net.netfilter.nf_conntrack_default_on=0 cuts time
>> cleanup time by 2/3 ...
>>
>> nf unregister is way too happy to issue synchronize_net(), I'll work on
>> a fix.
>
> I'll test this patch as a
On Fri, Apr 21, 2017 at 8:30 PM, Nikolay Aleksandrov
wrote:
> On 21/04/17 20:42, Nikolay Aleksandrov wrote:
>> Andrey Konovalov reported a BUG caused by the ip6mr code which is caused
>> because we call unregister_netdevice_many for a device that is already
>> being destroyed
Hi,
I've got the following error report while fuzzing the kernel with syzkaller.
On commit 4f7d029b9bf009fbee76bb10c0c4351a1870d2f3 (4.11-rc7).
rose_xmit calls rose_route_frame(skb, ax25 = NULL), and
rose_route_frame then dereferences ax25 when doing
ax25cmp(&ax25->dest_addr, &rose_neigh->callsi
On Thu, Apr 20, 2017 at 6:47 PM, Andrey Konovalov wrote:
> Hi,
>
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On linux-next commit 4f7d029b9bf009fbee76bb10c0c4351a1870d2f3 (4.11-rc7).
>
> A reproduce
On Thu, Apr 20, 2017 at 5:39 PM, Andrey Konovalov wrote:
> On Thu, Apr 20, 2017 at 5:35 PM, David Ahern wrote:
>> On 4/20/17 9:28 AM, Andrey Konovalov wrote:
>>> This one seems to be much closer to what Dmitry reported initially.
>>
>> does not repro here; I ran
On Thu, Apr 20, 2017 at 5:35 PM, David Ahern wrote:
> On 4/20/17 9:28 AM, Andrey Konovalov wrote:
>> This one seems to be much closer to what Dmitry reported initially.
>
> does not repro here; I ran in a loop and nothing.
You use the attached config, right?
>
> can you send
On Thu, Apr 20, 2017 at 5:28 PM, Andrey Konovalov wrote:
> I've extracted a reproducer for another bug.
It works for me as is, but you might need to run it in a loop.
>
> This one seems to be much closer to what Dmitry reported initially.
>
> [ cut here ]---
On Thu, Apr 20, 2017 at 10:35 AM, Dmitry Vyukov wrote:
> On Thu, Apr 20, 2017 at 1:51 AM, David Ahern wrote:
>> On 4/19/17 5:47 PM, Cong Wang wrote:
>>> On Wed, Apr 19, 2017 at 9:12 AM, Andrey Konovalov
>>> wrote:
>>>>
>>>> Anyway, I just f
Thanks!
Tested-by: Andrey Konovalov
On Wed, Apr 19, 2017 at 11:52 PM, Martin KaFai Lau wrote:
> On Wed, Apr 19, 2017 at 02:19:43PM -0700, David Ahern wrote:
>> Andrey reported a fault in the IPv6 route code:
>>
>> kasan: GPF could be caused by NULL-ptr deref or user mem
On Wed, Apr 19, 2017 at 6:09 PM, David Ahern wrote:
> On 4/18/17 2:43 PM, Andrey Konovalov wrote:
>> Hi!
>>
>> I've finally managed to reproduce one of the crashes on commit
>> 4f7d029b9bf009fbee76bb10c0c4351a1870d2f3 (4.11-rc7).
>>
>> I'm not sure
On Wed, Apr 19, 2017 at 1:20 AM, David Ahern wrote:
> On 4/18/17 2:43 PM, Andrey Konovalov wrote:
>> I've finally managed to reproduce one of the crashes on commit
>> 4f7d029b9bf009fbee76bb10c0c4351a1870d2f3 (4.11-rc7).
>>
>> I'm not sure if this bug has
On Tue, Apr 18, 2017 at 6:05 PM, Cong Wang wrote:
> On Tue, Apr 18, 2017 at 5:15 AM, Andrey Konovalov
> wrote:
>> Yes, I don't have this field in the rtable struct.
>>
>> I'm on 39da7c509acff13fc8cb12ec1bb20337c988ed36 (4.11-rc6).
>>
>> I als
On Tue, Apr 18, 2017 at 5:16 PM, David Lebrun wrote:
> On 04/18/2017 04:54 PM, Andrey Konovalov wrote:
>> Hi,
>>
>> I've got the following error report while fuzzing the kernel with syzkaller.
>>
>> On commit 4f7d029b9bf009fbee76bb10c0c4351a1870d2f3 (4.11-rc
On Thu, Apr 13, 2017 at 9:59 PM, Cong Wang wrote:
> On Thu, Apr 13, 2017 at 11:49 AM, Andrey Konovalov
> wrote:
>> On Mon, Apr 10, 2017 at 7:46 PM, Andrey Konovalov
>> wrote:
>>> On Mon, Apr 10, 2017 at 7:42 PM, Cong Wang wrote:
>>>> On Mon, Ap
On Mon, Apr 10, 2017 at 7:46 PM, Andrey Konovalov wrote:
> On Mon, Apr 10, 2017 at 7:42 PM, Cong Wang wrote:
>> On Mon, Apr 10, 2017 at 7:40 AM, Andrey Konovalov
>> wrote:
>>> Hi,
>>>
>>> I've got the following error report while fuzzi