Received: by 10.223.148.5 with SMTP id 5csp7569984wrq; Thu, 18 Jan 2018 06:59:48 -0800 (PST) X-Google-Smtp-Source: ACJfBouHZdBqcf0pkf97CwEeH+o+ijdxQe/pULTzjJ2/J2aP0+UrkONQseKZhJlj+3Dqy/aHpsWE X-Received: by 10.101.101.71 with SMTP id a7mr11982992pgw.192.1516287588794; Thu, 18 Jan 2018 06:59:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516287588; cv=none; d=google.com; s=arc-20160816; b=hVcgsza/DMM/aw7lS5IgoRa5yGJ5N8x7ZcatE1GohPz3EblE/E60OIfsmz5JtD3NFk 7gLx7HVLslpi/SCeTcMWCArj6SdtwCjrTls3Ep6dglaplBHiVBd18ChITcsUEcDXbYHB QZGGVCZlfklPpD+xI18yvh5ebNvf3W3tUJ9R2sCxtUhhyvFvCmX3ODJRF9VwSk1lLhJe P731bHC6Mf9Xm65bn18RAWb0xcLg7JMLyqaPFZDiKW29b2/zJcJoi4Sm6kGUt5JRmjJP W3P1V2WIgoNvenNMT7mVlAjrqjYW812AJStCj0TvVqFBWA+XOG6+MrH5sxGB3PJ/Wz4Z A6Mg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=UiQ/GNsiDw4qSIUnhoNoUwfpp4Xt9K8VkLDZG4RWLQo=; b=QmwUtA0zxVSi8qTHyyEIAqp7clROTP5DxKYDZQg1iLoHtdlcs5N/y6kTE59c/Q5i6L U5kaFowkM1GG6ZxwhyHvXZQzHPDl1WugZxPb08ch5QDzMyo99Uk5TXV6on+IbtzfgaX1 V7xNzbzUYyj0Wd0Fog57dE1wXLqt7imA9R/PDgXooR1G3p86cDbFFzSfzgjwAbWLKa5V bYLNrbO0DPe0qfrEXneieDGQJCsDZx2FInUdnUrBFLgOW1symU3gZCtD+jsZOYAQjSrz MdSP6VaPwFNvqS9WKCGc4TYJTfEbf8G19IN0o69g/YIyqtOIk8fbO+e1vr2VVa3ZO+jy eYtQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=LFWPLZ7Q; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u14si5998630pgn.261.2018.01.18.06.59.34; Thu, 18 Jan 2018 06:59:48 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=LFWPLZ7Q; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756060AbeARNHM (ORCPT + 99 others); Thu, 18 Jan 2018 08:07:12 -0500 Received: from mail-pg0-f47.google.com ([74.125.83.47]:39675 "EHLO mail-pg0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755838AbeARNHJ (ORCPT ); Thu, 18 Jan 2018 08:07:09 -0500 Received: by mail-pg0-f47.google.com with SMTP id w17so8300298pgv.6 for ; Thu, 18 Jan 2018 05:07:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=UiQ/GNsiDw4qSIUnhoNoUwfpp4Xt9K8VkLDZG4RWLQo=; b=LFWPLZ7QElUJvg0f5FA6Gm26Yc0smyc/22DJWIFUNsgRCGel4X4kgo3mwTxW3dDwNx 4okp5bCR/G+q1UI4rmmmmXAk9jXrfg+D0jo5JVFylDufbdIf1TpHEW3NKNQecoQn/mdN 0twAn9366sqq+mTyHdJ6dversJbxzBoaE72USIyvPv30MICO8e3rwkzH9D1756pAK7VV kfvPBozi5VIMvLyYsOIj7ccjm6sy7RwCSNHiQ/NDH6d+gUPMz2PjavxkDEKs/UQcu5ow Xib6cmLhXK/IaRy2GbDQovi6dokDSyIYU+052s0l3DmgT+PZmixnrUy41ooIwZR521Vi rbKg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=UiQ/GNsiDw4qSIUnhoNoUwfpp4Xt9K8VkLDZG4RWLQo=; b=qlus1T027xqYoEA/+GuA5hE2NqOiJXTgeDKAqELFbrLpXYz/3tUCB5L9No4cQqqI6s RGdLNLCYg02rEu/AR7O8tV9wu7QyEjfgiCMop3P1EDbGH+QVYTmlM1E4V0CddvwyTT/7 6cPg8LXvGwCgOuCwfzVf+2dU9WRSLmzGe80G8nUJUgk8bsky4D1xZYShFv2RXh+91Fc2 j7JbVAL2oWDJVZ6Cc3Y5kr4FGbAjpKDCZvY3VJ50GS1E4NJ6Fe+x4XzI7jPHNS4+uHk3 /IyPi/RkVGL2bUzohCQNJO7l6J2SxiVbKn5y7N8+xvDudZYmDSOjtwuq0iXNVCgCHQZY Hynw== X-Gm-Message-State: AKwxytcg2AxeJcTQUTOnt7bmlvR1RhtpjZS9jxQyi0sbwvZOYA9LW7VE AAYOJgcQQSnFRH1BU9O2Q3USulzu82KbVg3mbY/a+g== X-Received: by 10.101.90.10 with SMTP id y10mr26892915pgs.445.1516280829090; Thu, 18 Jan 2018 05:07:09 -0800 (PST) MIME-Version: 1.0 Received: by 10.236.140.151 with HTTP; Thu, 18 Jan 2018 05:06:48 -0800 (PST) In-Reply-To: References: <001a11405130ff1e9705629eb53c@google.com> <20180117093225.GB20303@amd> <20180117204735.GC6948@thunk.org> <20180118002111.b7ejjd2adunmkooj@ast-mbp.dhcp.thefacebook.com> <20180118010930.GE6948@thunk.org> From: Dmitry Vyukov Date: Thu, 18 Jan 2018 14:06:48 +0100 Message-ID: Subject: Re: dangers of bots on the mailing lists was Re: divide error in ___bpf_prog_run To: "Theodore Ts'o" , Alexei Starovoitov , Dmitry Vyukov , Daniel Borkmann , Pavel Machek , LKML , netdev , syzkaller-bugs@googlegroups.com, Greg Kroah-Hartman , Guenter Roeck Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jan 18, 2018 at 2:01 PM, Dmitry Vyukov wrote: > On Thu, Jan 18, 2018 at 2:09 AM, Theodore Ts'o wrote: >> On Wed, Jan 17, 2018 at 04:21:13PM -0800, Alexei Starovoitov wrote: >>> >>> If syzkaller can only test one tree than linux-next should be the one. >> >> Well, there's been some controversy about that. The problem is that >> it's often not clear if this is long-standing bug, or a bug which is >> in a particular subsystem tree --- and if so, *which* subsystem tree, >> etc. So it gets blasted to linux-kernel, and to get_maintainer.pl, >> which is often not accurate --- since the location of the crash >> doesn't necessarily point out where the problem originated, and hence >> who should look at the syzbot report. And so this has caused >> some.... irritation. > > > Re set of tested trees. > > We now have an interesting spectrum of opinions. > > Some assorted thoughts on this: > > 1. First, "upstream is clean" won't happen any time soon. There are > several reasons for this: > - Currently syzkaller only tests a subset of subsystems that it knows > how to test, even the ones that it tests it tests poorly. Over time > it's improved to test most subsystems and existing subsystems better. > Just few weeks ago I've added some descriptions for crypto subsystem > and it uncovered 20+ old bugs. /\/\/\/\/\/\/\/\/\/\/\/\ While we are here, you can help syzkaller to test your subsystem better (or at all). It frequently requires domain expertise which we don't have for all kernel subsystems (sometimes we don't even know they exist). It can be as simple as this (for /dev/ashmem): https://github.com/google/syzkaller/blob/master/sys/linux/ashmem.txt > - syzkaller is guided, genetic fuzzer over time it leans how to do > more complex things by small steps. It takes time. > - We have more bug detection tools coming: LEAKCHECK, KMSAN (uninit > memory), KTSAN (data races). > - generic syzkaller smartness will be improved over time. > - it will get more CPU resources. > Effect of all of these things is multiplicative: we test more code, > smarter, with more bug-detection tools, with more resources. So I > think we need to plan for a mix of old and new bugs for foreseeable > future. > > 2. get_maintainer.pl and mix of old and new bugs was mentioned as > harming attribution. I don't see what will change when/if we test only > upstream. Then the same mix of old/new bugs will be detected just on > upstream, with all of the same problems for old/new, maintainers, > which subsystem, etc. I think the amount of bugs in the kernel is > significant part of the problem, but the exact boundary where we > decide to start killing them won't affect number of bugs. > > 3. If we test only upstream, we increase chances of new security bugs > sinking into releases. We sure could raise perceived security value of > the bugs by keeping them private, letting them sink into release, > letting them sink into distros, and then reporting a high-profile > vulnerability. I think that's wrong. There is something broken with > value measuring in security community. Bug that is killed before > sinking into any release is the highest impact thing. As Alexei noted, > fixing bugs es early as possible also reduces fix costs, backporting > burden, etc. This also can eliminate need in bisection in some cases, > say if you accepted a large change to some files and a bunch of > crashes appears for these files on your tree soon, it's obvious what > happens. > > 4. It was mentioned that linux-next can have a broken slab allocator > and that will manifest as multiple random crashes. FWIW I don't > remember that I ever seen this. Yes, sometimes it does not build/boot, > but these builds are just rejected for testing. > > I don't mind dropping linux-next specifically if that's the common > decision. However, (1) Alexei and Gruenter expressed opposite opinion, > (2) I don't see what it will change dramatically, (2) as far as I > understand Linus actually relies on linux-next giving some concrete > testing to the code there. > But I think that testing bpf-next is a positive thing provided that > there is explicit interest from maintainers. And note that that will > be testing targeted specifically at bpf subsystem, so that instance > will not generate bugs in SCSI, USB, etc (though it will cover a part > of net). Also note that the latest email format includes set of tree > where the crash happened, so if you see "upstream" or "upstream and > bpf-next", nothing really changes, you still know that it happens > upstream. Or if you see only "bpf-next", then you know that it's only > that tree.