Hello,
syzbot hit the following crash on net-next commit
9d6474e458b13a94a0d5b141f2b8f38adf1991ae (Mon Jan 22 02:55:38 2018 +0000)
tun: add missing rcu annotation
So far this crash happened 5 times on net-next.
C reproducer is attached.
syzkaller reproducer is attached.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
==================================================================
BUG: KASAN: slab-out-of-bounds in erspan_xmit+0x22d4/0x2430
net/ipv4/ip_gre.c:735
Read of size 2 at addr ffff8801c50bb08b by task syzkaller525754/3647
CPU: 0 PID: 3647 Comm: syzkaller525754 Not tainted 4.15.0-rc8+ #203
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
erspan_xmit+0x22d4/0x2430 net/ipv4/ip_gre.c:735
__netdev_start_xmit include/linux/netdevice.h:4053 [inline]
netdev_start_xmit include/linux/netdevice.h:4062 [inline]
packet_direct_xmit+0x3ad/0x790 net/packet/af_packet.c:267
packet_snd net/packet/af_packet.c:2944 [inline]
packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2969
sock_sendmsg_nosec net/socket.c:630 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:640
SYSC_sendto+0x361/0x5c0 net/socket.c:1721
SyS_sendto+0x40/0x50 net/socket.c:1689
entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x445649
RSP: 002b:00007ffe82dde5b8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000445649
RDX: 0000000000000000 RSI: 0000000020003fd9 RDI: 0000000000000004
RBP: 00000000004a78c5 R08: 0000000020008000 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402720
R13: 00000000004027b0 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 3221:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x760 mm/slab.c:3544
getname_flags+0xcb/0x580 fs/namei.c:138
getname+0x19/0x20 fs/namei.c:209
do_sys_open+0x2e7/0x6d0 fs/open.c:1053
SYSC_open fs/open.c:1077 [inline]
SyS_open+0x2d/0x40 fs/open.c:1072
entry_SYSCALL_64_fastpath+0x29/0xa0
Freed by task 3221:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3488 [inline]
kmem_cache_free+0x83/0x2a0 mm/slab.c:3746
putname+0xee/0x130 fs/namei.c:258
do_sys_open+0x31b/0x6d0 fs/open.c:1068
SYSC_open fs/open.c:1077 [inline]
SyS_open+0x2d/0x40 fs/open.c:1072
entry_SYSCALL_64_fastpath+0x29/0xa0
The buggy address belongs to the object at ffff8801c50ba000
which belongs to the cache names_cache of size 4096
The buggy address is located 139 bytes to the right of
4096-byte region [ffff8801c50ba000, ffff8801c50bb000)
The buggy address belongs to the page:
page:ffffea0007142e80 count:1 mapcount:0 mapping:ffff8801c50ba000 index:0x0
compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801c50ba000 0000000000000000 0000000100000001
raw: ffffea0007145320 ffffea00071433a0 ffff8801dae2c600 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801c50baf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801c50bb000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801c50bb080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8801c50bb100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801c50bb180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to [email protected].
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
[ cc William Tu ]
On 1/22/18 12:58 PM, syzbot wrote:
> Hello,
>
> syzbot hit the following crash on net-next commit
> 9d6474e458b13a94a0d5b141f2b8f38adf1991ae (Mon Jan 22 02:55:38 2018 +0000)
> tun: add missing rcu annotation
>
> So far this crash happened 5 times on net-next.
> C reproducer is attached.
> syzkaller reproducer is attached.
> Raw console output is attached.
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: [email protected]
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in erspan_xmit+0x22d4/0x2430
> net/ipv4/ip_gre.c:735
> Read of size 2 at addr ffff8801c50bb08b by task syzkaller525754/3647
>
> CPU: 0 PID: 3647 Comm: syzkaller525754 Not tainted 4.15.0-rc8+ #203
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> print_address_description+0x73/0x250 mm/kasan/report.c:252
> kasan_report_error mm/kasan/report.c:351 [inline]
> kasan_report+0x25b/0x340 mm/kasan/report.c:409
> __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
> erspan_xmit+0x22d4/0x2430 net/ipv4/ip_gre.c:735
> __netdev_start_xmit include/linux/netdevice.h:4053 [inline]
> netdev_start_xmit include/linux/netdevice.h:4062 [inline]
> packet_direct_xmit+0x3ad/0x790 net/packet/af_packet.c:267
> packet_snd net/packet/af_packet.c:2944 [inline]
> packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2969
> sock_sendmsg_nosec net/socket.c:630 [inline]
> sock_sendmsg+0xca/0x110 net/socket.c:640
> SYSC_sendto+0x361/0x5c0 net/socket.c:1721
> SyS_sendto+0x40/0x50 net/socket.c:1689
> entry_SYSCALL_64_fastpath+0x29/0xa0
> RIP: 0033:0x445649
> RSP: 002b:00007ffe82dde5b8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
> RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000445649
> RDX: 0000000000000000 RSI: 0000000020003fd9 RDI: 0000000000000004
> RBP: 00000000004a78c5 R08: 0000000020008000 R09: 000000000000001c
> R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402720
> R13: 00000000004027b0 R14: 0000000000000000 R15: 0000000000000000
>
> Allocated by task 3221:
> save_stack+0x43/0xd0 mm/kasan/kasan.c:447
> set_track mm/kasan/kasan.c:459 [inline]
> kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
> kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
> kmem_cache_alloc+0x12e/0x760 mm/slab.c:3544
> getname_flags+0xcb/0x580 fs/namei.c:138
> getname+0x19/0x20 fs/namei.c:209
> do_sys_open+0x2e7/0x6d0 fs/open.c:1053
> SYSC_open fs/open.c:1077 [inline]
> SyS_open+0x2d/0x40 fs/open.c:1072
> entry_SYSCALL_64_fastpath+0x29/0xa0
>
> Freed by task 3221:
> save_stack+0x43/0xd0 mm/kasan/kasan.c:447
> set_track mm/kasan/kasan.c:459 [inline]
> kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
> __cache_free mm/slab.c:3488 [inline]
> kmem_cache_free+0x83/0x2a0 mm/slab.c:3746
> putname+0xee/0x130 fs/namei.c:258
> do_sys_open+0x31b/0x6d0 fs/open.c:1068
> SYSC_open fs/open.c:1077 [inline]
> SyS_open+0x2d/0x40 fs/open.c:1072
> entry_SYSCALL_64_fastpath+0x29/0xa0
>
> The buggy address belongs to the object at ffff8801c50ba000
> which belongs to the cache names_cache of size 4096
> The buggy address is located 139 bytes to the right of
> 4096-byte region [ffff8801c50ba000, ffff8801c50bb000)
> The buggy address belongs to the page:
> page:ffffea0007142e80 count:1 mapcount:0 mapping:ffff8801c50ba000
> index:0x0 compound_mapcount: 0
> flags: 0x2fffc0000008100(slab|head)
> raw: 02fffc0000008100 ffff8801c50ba000 0000000000000000 0000000100000001
> raw: ffffea0007145320 ffffea00071433a0 ffff8801dae2c600 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff8801c50baf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801c50bb000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ffff8801c50bb080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ^
> ffff8801c50bb100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801c50bb180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==================================================================
>
>
> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to [email protected].
>
> syzbot will keep track of this bug report.
> If you forgot to add the Reported-by tag, once the fix for this bug is
> merged
> into any tree, please reply to this email with:
> #syz fix: exact-commit-title
> If you want to test a patch for this bug, please reply with:
> #syz test: git://repo/address.git branch
> and provide the patch inline or as an attachment.
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug
> report.
> Note: all commands must start from beginning of the line in the email body.
On Mon, Jan 22, 2018 at 2:45 PM, David Ahern <[email protected]> wrote:
> [ cc William Tu ]
>
> On 1/22/18 12:58 PM, syzbot wrote:
>> Hello,
>>
>> syzbot hit the following crash on net-next commit
>> 9d6474e458b13a94a0d5b141f2b8f38adf1991ae (Mon Jan 22 02:55:38 2018 +0000)
>> tun: add missing rcu annotation
>>
>> So far this crash happened 5 times on net-next.
>> C reproducer is attached.
>> syzkaller reproducer is attached.
>> Raw console output is attached.
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached.
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: [email protected]
>> It will help syzbot understand when the bug is fixed. See footer for
>> details.
>> If you forward the report, please keep this part and the footer.
>>
>> ==================================================================
>> BUG: KASAN: slab-out-of-bounds in erspan_xmit+0x22d4/0x2430
>> net/ipv4/ip_gre.c:735
>> Read of size 2 at addr ffff8801c50bb08b by task syzkaller525754/3647
>>
>> CPU: 0 PID: 3647 Comm: syzkaller525754 Not tainted 4.15.0-rc8+ #203
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> Google 01/01/2011
>> Call Trace:
>> __dump_stack lib/dump_stack.c:17 [inline]
>> dump_stack+0x194/0x257 lib/dump_stack.c:53
>> print_address_description+0x73/0x250 mm/kasan/report.c:252
>> kasan_report_error mm/kasan/report.c:351 [inline]
>> kasan_report+0x25b/0x340 mm/kasan/report.c:409
>> __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
>> erspan_xmit+0x22d4/0x2430 net/ipv4/ip_gre.c:735
>> __netdev_start_xmit include/linux/netdevice.h:4053 [inline]
>> netdev_start_xmit include/linux/netdevice.h:4062 [inline]
>> packet_direct_xmit+0x3ad/0x790 net/packet/af_packet.c:267
>> packet_snd net/packet/af_packet.c:2944 [inline]
>> packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2969
>> sock_sendmsg_nosec net/socket.c:630 [inline]
>> sock_sendmsg+0xca/0x110 net/socket.c:640
>> SYSC_sendto+0x361/0x5c0 net/socket.c:1721
>> SyS_sendto+0x40/0x50 net/socket.c:1689
>> entry_SYSCALL_64_fastpath+0x29/0xa0
>> RIP: 0033:0x445649
>> RSP: 002b:00007ffe82dde5b8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
>> RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000445649
>> RDX: 0000000000000000 RSI: 0000000020003fd9 RDI: 0000000000000004
>> RBP: 00000000004a78c5 R08: 0000000020008000 R09: 000000000000001c
>> R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402720
>> R13: 00000000004027b0 R14: 0000000000000000 R15: 0000000000000000
>>
>> Allocated by task 3221:
>> save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>> set_track mm/kasan/kasan.c:459 [inline]
>> kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
>> kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
>> kmem_cache_alloc+0x12e/0x760 mm/slab.c:3544
>> getname_flags+0xcb/0x580 fs/namei.c:138
>> getname+0x19/0x20 fs/namei.c:209
>> do_sys_open+0x2e7/0x6d0 fs/open.c:1053
>> SYSC_open fs/open.c:1077 [inline]
>> SyS_open+0x2d/0x40 fs/open.c:1072
>> entry_SYSCALL_64_fastpath+0x29/0xa0
>>
>> Freed by task 3221:
>> save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>> set_track mm/kasan/kasan.c:459 [inline]
>> kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
>> __cache_free mm/slab.c:3488 [inline]
>> kmem_cache_free+0x83/0x2a0 mm/slab.c:3746
>> putname+0xee/0x130 fs/namei.c:258
>> do_sys_open+0x31b/0x6d0 fs/open.c:1068
>> SYSC_open fs/open.c:1077 [inline]
>> SyS_open+0x2d/0x40 fs/open.c:1072
>> entry_SYSCALL_64_fastpath+0x29/0xa0
>>
>> The buggy address belongs to the object at ffff8801c50ba000
>> which belongs to the cache names_cache of size 4096
>> The buggy address is located 139 bytes to the right of
>> 4096-byte region [ffff8801c50ba000, ffff8801c50bb000)
>> The buggy address belongs to the page:
>> page:ffffea0007142e80 count:1 mapcount:0 mapping:ffff8801c50ba000
>> index:0x0 compound_mapcount: 0
>> flags: 0x2fffc0000008100(slab|head)
>> raw: 02fffc0000008100 ffff8801c50ba000 0000000000000000 0000000100000001
>> raw: ffffea0007145320 ffffea00071433a0 ffff8801dae2c600 0000000000000000
>> page dumped because: kasan: bad access detected
>>
>> Memory state around the buggy address:
>> ffff8801c50baf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ffff8801c50bb000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> ffff8801c50bb080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ^
>> ffff8801c50bb100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ffff8801c50bb180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ==================================================================
>>
>>
>> ---
>> This bug is generated by a dumb bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for details.
>> Direct all questions to [email protected].
>>
>> syzbot will keep track of this bug report.
>> If you forgot to add the Reported-by tag, once the fix for this bug is
>> merged
>> into any tree, please reply to this email with:
>> #syz fix: exact-commit-title
>> If you want to test a patch for this bug, please reply with:
>> #syz test: git://repo/address.git branch
>> and provide the patch inline or as an attachment.
>> To mark this as a duplicate of another syzbot report, please reply with:
>> #syz dup: exact-subject-of-another-report
>> If it's a one-off invalid bug report, please reply with:
>> #syz invalid
>> Note: if the crash happens again, it will cause creation of a new bug
>> report.
>> Note: all commands must start from beginning of the line in the email body.
>
Thanks. I'm working on it.
Hi,
I'm new to kasan and trying to follow this instruction to reproduce the issue:
https://github.com/google/syzkaller/blob/master/docs/executing_syzkaller_programs.md
After re-compile my kernel with KASAN related config enable, I run
$ ./syz-execprog -cover=0 -repeat=0 -procs=16 program
I wonder does the "program" mean the repro.c.txt? or I should compile
it to binary?
# gcc -o program repro.c.txt
# ./syz-execprog myprogram
2018/01/23 10:45:19 parsed 0 programs
And how to use the "repro.syz.txt"?
It seems to have some command like "syz_emit_ethernet" to generate packet.
but I have no clue where to run it. Maybe I'm still missing something?
Thanks a lot
William
On Mon, Jan 22, 2018 at 2:57 PM, William Tu <[email protected]> wrote:
> On Mon, Jan 22, 2018 at 2:45 PM, David Ahern <[email protected]> wrote:
>> [ cc William Tu ]
>>
>> On 1/22/18 12:58 PM, syzbot wrote:
>>> Hello,
>>>
>>> syzbot hit the following crash on net-next commit
>>> 9d6474e458b13a94a0d5b141f2b8f38adf1991ae (Mon Jan 22 02:55:38 2018 +0000)
>>> tun: add missing rcu annotation
>>>
>>> So far this crash happened 5 times on net-next.
>>> C reproducer is attached.
>>> syzkaller reproducer is attached.
>>> Raw console output is attached.
>>> compiler: gcc (GCC) 7.1.1 20170620
>>> .config is attached.
>>>
>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>> Reported-by: [email protected]
>>> It will help syzbot understand when the bug is fixed. See footer for
>>> details.
>>> If you forward the report, please keep this part and the footer.
>>>
>>> ==================================================================
>>> BUG: KASAN: slab-out-of-bounds in erspan_xmit+0x22d4/0x2430
>>> net/ipv4/ip_gre.c:735
>>> Read of size 2 at addr ffff8801c50bb08b by task syzkaller525754/3647
>>>
>>> CPU: 0 PID: 3647 Comm: syzkaller525754 Not tainted 4.15.0-rc8+ #203
>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>> Google 01/01/2011
>>> Call Trace:
>>> __dump_stack lib/dump_stack.c:17 [inline]
>>> dump_stack+0x194/0x257 lib/dump_stack.c:53
>>> print_address_description+0x73/0x250 mm/kasan/report.c:252
>>> kasan_report_error mm/kasan/report.c:351 [inline]
>>> kasan_report+0x25b/0x340 mm/kasan/report.c:409
>>> __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
>>> erspan_xmit+0x22d4/0x2430 net/ipv4/ip_gre.c:735
>>> __netdev_start_xmit include/linux/netdevice.h:4053 [inline]
>>> netdev_start_xmit include/linux/netdevice.h:4062 [inline]
>>> packet_direct_xmit+0x3ad/0x790 net/packet/af_packet.c:267
>>> packet_snd net/packet/af_packet.c:2944 [inline]
>>> packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2969
>>> sock_sendmsg_nosec net/socket.c:630 [inline]
>>> sock_sendmsg+0xca/0x110 net/socket.c:640
>>> SYSC_sendto+0x361/0x5c0 net/socket.c:1721
>>> SyS_sendto+0x40/0x50 net/socket.c:1689
>>> entry_SYSCALL_64_fastpath+0x29/0xa0
>>> RIP: 0033:0x445649
>>> RSP: 002b:00007ffe82dde5b8 EFLAGS: 00000217 ORIG_RAX: 000000000000002c
>>> RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000445649
>>> RDX: 0000000000000000 RSI: 0000000020003fd9 RDI: 0000000000000004
>>> RBP: 00000000004a78c5 R08: 0000000020008000 R09: 000000000000001c
>>> R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000402720
>>> R13: 00000000004027b0 R14: 0000000000000000 R15: 0000000000000000
>>>
>>> Allocated by task 3221:
>>> save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>>> set_track mm/kasan/kasan.c:459 [inline]
>>> kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
>>> kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
>>> kmem_cache_alloc+0x12e/0x760 mm/slab.c:3544
>>> getname_flags+0xcb/0x580 fs/namei.c:138
>>> getname+0x19/0x20 fs/namei.c:209
>>> do_sys_open+0x2e7/0x6d0 fs/open.c:1053
>>> SYSC_open fs/open.c:1077 [inline]
>>> SyS_open+0x2d/0x40 fs/open.c:1072
>>> entry_SYSCALL_64_fastpath+0x29/0xa0
>>>
>>> Freed by task 3221:
>>> save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>>> set_track mm/kasan/kasan.c:459 [inline]
>>> kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
>>> __cache_free mm/slab.c:3488 [inline]
>>> kmem_cache_free+0x83/0x2a0 mm/slab.c:3746
>>> putname+0xee/0x130 fs/namei.c:258
>>> do_sys_open+0x31b/0x6d0 fs/open.c:1068
>>> SYSC_open fs/open.c:1077 [inline]
>>> SyS_open+0x2d/0x40 fs/open.c:1072
>>> entry_SYSCALL_64_fastpath+0x29/0xa0
>>>
>>> The buggy address belongs to the object at ffff8801c50ba000
>>> which belongs to the cache names_cache of size 4096
>>> The buggy address is located 139 bytes to the right of
>>> 4096-byte region [ffff8801c50ba000, ffff8801c50bb000)
>>> The buggy address belongs to the page:
>>> page:ffffea0007142e80 count:1 mapcount:0 mapping:ffff8801c50ba000
>>> index:0x0 compound_mapcount: 0
>>> flags: 0x2fffc0000008100(slab|head)
>>> raw: 02fffc0000008100 ffff8801c50ba000 0000000000000000 0000000100000001
>>> raw: ffffea0007145320 ffffea00071433a0 ffff8801dae2c600 0000000000000000
>>> page dumped because: kasan: bad access detected
>>>
>>> Memory state around the buggy address:
>>> ffff8801c50baf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> ffff8801c50bb000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>>> ffff8801c50bb080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> ^
>>> ffff8801c50bb100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> ffff8801c50bb180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> ==================================================================
>>>
>>>
>>> ---
>>> This bug is generated by a dumb bot. It may contain errors.
>>> See https://goo.gl/tpsmEJ for details.
>>> Direct all questions to [email protected].
>>>
>>> syzbot will keep track of this bug report.
>>> If you forgot to add the Reported-by tag, once the fix for this bug is
>>> merged
>>> into any tree, please reply to this email with:
>>> #syz fix: exact-commit-title
>>> If you want to test a patch for this bug, please reply with:
>>> #syz test: git://repo/address.git branch
>>> and provide the patch inline or as an attachment.
>>> To mark this as a duplicate of another syzbot report, please reply with:
>>> #syz dup: exact-subject-of-another-report
>>> If it's a one-off invalid bug report, please reply with:
>>> #syz invalid
>>> Note: if the crash happens again, it will cause creation of a new bug
>>> report.
>>> Note: all commands must start from beginning of the line in the email body.
>>
>
> Thanks. I'm working on it.
On 1/23/18 11:50 AM, William Tu wrote:
> Hi,
>
> I'm new to kasan and trying to follow this instruction to reproduce the issue:
> https://github.com/google/syzkaller/blob/master/docs/executing_syzkaller_programs.md
>
> After re-compile my kernel with KASAN related config enable, I run
> $ ./syz-execprog -cover=0 -repeat=0 -procs=16 program
>
> I wonder does the "program" mean the repro.c.txt? or I should compile
> it to binary?
> # gcc -o program repro.c.txt
> # ./syz-execprog myprogram
> 2018/01/23 10:45:19 parsed 0 programs
>
> And how to use the "repro.syz.txt"?
> It seems to have some command like "syz_emit_ethernet" to generate packet.
> but I have no clue where to run it. Maybe I'm still missing something?
>
In the past I have only compiled a kernel with KASAN, compiled the
reproducer program and run it in a VM. No need for the syzbot overhead.
On Tue, Jan 23, 2018 at 7:58 PM, David Ahern <[email protected]> wrote:
> On 1/23/18 11:50 AM, William Tu wrote:
>> Hi,
>>
>> I'm new to kasan and trying to follow this instruction to reproduce the issue:
>> https://github.com/google/syzkaller/blob/master/docs/executing_syzkaller_programs.md
>>
>> After re-compile my kernel with KASAN related config enable, I run
>> $ ./syz-execprog -cover=0 -repeat=0 -procs=16 program
>>
>> I wonder does the "program" mean the repro.c.txt? or I should compile
>> it to binary?
>> # gcc -o program repro.c.txt
>> # ./syz-execprog myprogram
>> 2018/01/23 10:45:19 parsed 0 programs
>>
>> And how to use the "repro.syz.txt"?
>> It seems to have some command like "syz_emit_ethernet" to generate packet.
>> but I have no clue where to run it. Maybe I'm still missing something?
>>
>
> In the past I have only compiled a kernel with KASAN, compiled the
> reproducer program and run it in a VM. No need for the syzbot overhead.
Yes, if C program reproducer the crash then it's easier to use.
repro.c.txt is the C program, you need to rename it to repro.c,
compile with gcc and run just as ./a.out.
But make sure that you have a gcc that supports KASAN (kernel build
does not in the beginning on compiler not supporting KASAN). I think
it's at least gcc 5+, but gcc 7+ would be better.
You can also run the syzkaller reproducer as:
./syz-execprog -cover=0 -repeat=0 -procs=16 repro.syz.txt
Thanks for the reply.
On Tue, Jan 23, 2018 at 11:03 AM, Dmitry Vyukov <[email protected]> wrote:
> On Tue, Jan 23, 2018 at 7:58 PM, David Ahern <[email protected]> wrote:
>> On 1/23/18 11:50 AM, William Tu wrote:
>>> Hi,
>>>
>>> I'm new to kasan and trying to follow this instruction to reproduce the issue:
>>> https://github.com/google/syzkaller/blob/master/docs/executing_syzkaller_programs.md
>>>
>>> After re-compile my kernel with KASAN related config enable, I run
>>> $ ./syz-execprog -cover=0 -repeat=0 -procs=16 program
>>>
>>> I wonder does the "program" mean the repro.c.txt? or I should compile
>>> it to binary?
>>> # gcc -o program repro.c.txt
>>> # ./syz-execprog myprogram
>>> 2018/01/23 10:45:19 parsed 0 programs
>>>
>>> And how to use the "repro.syz.txt"?
>>> It seems to have some command like "syz_emit_ethernet" to generate packet.
>>> but I have no clue where to run it. Maybe I'm still missing something?
>>>
>>
>> In the past I have only compiled a kernel with KASAN, compiled the
>> reproducer program and run it in a VM. No need for the syzbot overhead.
>
> Yes, if C program reproducer the crash then it's easier to use.
> repro.c.txt is the C program, you need to rename it to repro.c,
> compile with gcc and run just as ./a.out.
> But make sure that you have a gcc that supports KASAN (kernel build
> does not in the beginning on compiler not supporting KASAN). I think
> it's at least gcc 5+, but gcc 7+ would be better.
I was using gcc 5+ and "gcc repro.c".
Running ./a.out does not show any issue on dmesg. Let me switch to gcc 7+.
>
> You can also run the syzkaller reproducer as:
> ./syz-execprog -cover=0 -repeat=0 -procs=16 repro.syz.txt
When using repro.syz.txt, which binary or what tests does it execute?
I didn't see it uses/compiles the repro.c.txt.
But it seems to run something...
~/net-next# ./syz-execprog -cover=0 -repeat=0 -procs=2 repro.syz.txt
2018/01/23 11:15:24 parsed 1 programs
2018/01/23 11:15:24 executed programs: 0
2018/01/23 11:15:29 executed programs: 210
2018/01/23 11:15:34 executed programs: 422
..
Thanks
William
On Tue, Jan 23, 2018 at 8:17 PM, William Tu <[email protected]> wrote:
> Thanks for the reply.
>
> On Tue, Jan 23, 2018 at 11:03 AM, Dmitry Vyukov <[email protected]> wrote:
>> On Tue, Jan 23, 2018 at 7:58 PM, David Ahern <[email protected]> wrote:
>>> On 1/23/18 11:50 AM, William Tu wrote:
>>>> Hi,
>>>>
>>>> I'm new to kasan and trying to follow this instruction to reproduce the issue:
>>>> https://github.com/google/syzkaller/blob/master/docs/executing_syzkaller_programs.md
>>>>
>>>> After re-compile my kernel with KASAN related config enable, I run
>>>> $ ./syz-execprog -cover=0 -repeat=0 -procs=16 program
>>>>
>>>> I wonder does the "program" mean the repro.c.txt? or I should compile
>>>> it to binary?
>>>> # gcc -o program repro.c.txt
>>>> # ./syz-execprog myprogram
>>>> 2018/01/23 10:45:19 parsed 0 programs
>>>>
>>>> And how to use the "repro.syz.txt"?
>>>> It seems to have some command like "syz_emit_ethernet" to generate packet.
>>>> but I have no clue where to run it. Maybe I'm still missing something?
>>>>
>>>
>>> In the past I have only compiled a kernel with KASAN, compiled the
>>> reproducer program and run it in a VM. No need for the syzbot overhead.
>>
>> Yes, if C program reproducer the crash then it's easier to use.
>> repro.c.txt is the C program, you need to rename it to repro.c,
>> compile with gcc and run just as ./a.out.
>> But make sure that you have a gcc that supports KASAN (kernel build
>> does not in the beginning on compiler not supporting KASAN). I think
>> it's at least gcc 5+, but gcc 7+ would be better.
>
> I was using gcc 5+ and "gcc repro.c".
> Running ./a.out does not show any issue on dmesg. Let me switch to gcc 7+.
>
>>
>> You can also run the syzkaller reproducer as:
>> ./syz-execprog -cover=0 -repeat=0 -procs=16 repro.syz.txt
>
> When using repro.syz.txt, which binary or what tests does it execute?
It interprets the program in syzkaller notation in repro.syz.txt file.
It should be more of less equivalent to repro.c.txt C program in
behavior.
> I didn't see it uses/compiles the repro.c.txt.
> But it seems to run something...
> ~/net-next# ./syz-execprog -cover=0 -repeat=0 -procs=2 repro.syz.txt
> 2018/01/23 11:15:24 parsed 1 programs
> 2018/01/23 11:15:24 executed programs: 0
> 2018/01/23 11:15:29 executed programs: 210
> 2018/01/23 11:15:34 executed programs: 422
> ..
>
> Thanks
> William
On Tue, Jan 23, 2018 at 11:45 AM, Dmitry Vyukov <[email protected]> wrote:
> On Tue, Jan 23, 2018 at 8:17 PM, William Tu <[email protected]> wrote:
>> Thanks for the reply.
>>
>> On Tue, Jan 23, 2018 at 11:03 AM, Dmitry Vyukov <[email protected]> wrote:
>>> On Tue, Jan 23, 2018 at 7:58 PM, David Ahern <[email protected]> wrote:
>>>> On 1/23/18 11:50 AM, William Tu wrote:
>>>>> Hi,
>>>>>
>>>>> I'm new to kasan and trying to follow this instruction to reproduce the issue:
>>>>> https://github.com/google/syzkaller/blob/master/docs/executing_syzkaller_programs.md
>>>>>
>>>>> After re-compile my kernel with KASAN related config enable, I run
>>>>> $ ./syz-execprog -cover=0 -repeat=0 -procs=16 program
>>>>>
>>>>> I wonder does the "program" mean the repro.c.txt? or I should compile
>>>>> it to binary?
>>>>> # gcc -o program repro.c.txt
>>>>> # ./syz-execprog myprogram
>>>>> 2018/01/23 10:45:19 parsed 0 programs
>>>>>
>>>>> And how to use the "repro.syz.txt"?
>>>>> It seems to have some command like "syz_emit_ethernet" to generate packet.
>>>>> but I have no clue where to run it. Maybe I'm still missing something?
>>>>>
>>>>
>>>> In the past I have only compiled a kernel with KASAN, compiled the
>>>> reproducer program and run it in a VM. No need for the syzbot overhead.
>>>
>>> Yes, if C program reproducer the crash then it's easier to use.
>>> repro.c.txt is the C program, you need to rename it to repro.c,
>>> compile with gcc and run just as ./a.out.
>>> But make sure that you have a gcc that supports KASAN (kernel build
>>> does not in the beginning on compiler not supporting KASAN). I think
>>> it's at least gcc 5+, but gcc 7+ would be better.
>>
>> I was using gcc 5+ and "gcc repro.c".
>> Running ./a.out does not show any issue on dmesg. Let me switch to gcc 7+.
>>
>>>
>>> You can also run the syzkaller reproducer as:
>>> ./syz-execprog -cover=0 -repeat=0 -procs=16 repro.syz.txt
>>
>> When using repro.syz.txt, which binary or what tests does it execute?
>
> It interprets the program in syzkaller notation in repro.syz.txt file.
> It should be more of less equivalent to repro.c.txt C program in
> behavior.
>
thanks!. Now I can reproduce the issue.