Received: by 10.192.165.148 with SMTP id m20csp4001887imm;
        Tue, 8 May 2018 00:54:12 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZr/1rvSUUgRuIVeniIGzh9s7/qEbvPDg+Rt1P3ls+dNtYDX7rD96ADNHSaz1xr/w+X27Acz
X-Received: by 2002:a17:902:3001:: with SMTP id u1-v6mr40502829plb.164.1525766052407;
        Tue, 08 May 2018 00:54:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525766052; cv=none;
        d=google.com; s=arc-20160816;
        b=OVNiqtG+kPOnVDu2l6xbuLjyMXS8+rcSoui5cAitMm1c9+oyqpwhf0t1XdtR68NyHH
         VMrYTqA2/X7e07/VTX3T8U6pA6AloY2di/LyRZmhtaQtPzxqbyD65Rf5OKMPVGpRphxu
         fxLszDAmLxW5zzWzlXkn7mXt2AdNgVK65ITur9pvH3eBlbIT4JBUFEOvxdstR6JnC3ud
         h8mhvAPd+nbSDAhPQfkb5RBt9uG4sxky6nMzMaARMWQ30Vfcvod+d6I59CBM2ZhQqCyE
         3yEosycrGlJ/8wej5iBP/tg/PWpmAqKl5EKNbSWiNTu276I4KGjdMsxAUwiVutBpVvjb
         UyHA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=18bVvZl8mZS2IMoGGGVnu4zhpIpRagd3RN5B6x5T3Ns=;
        b=Kg7v/FyNa+1Vw7NrPXiTQ3DKV+MJ3gaMXQSK/HSLKHZxWEaIgl4RSwGYbM+wL7tkjd
         ST3wqVsJfQHHIpkcrwngqRWplNvh+IlTKZ1Y8JWKZy299FtIPCjBPXg3hW8ZZFffwWZn
         DNBLU5HTwMBjSFt4IzqTBj1E6TF+jpZ9YkcxaMVBb+gFO4qfI2HWoeiLXoK/IvTdJLPe
         +2Yik+6GaT8d6+8GFIrPn+/Rbbvw+RbFCNnOS0nBbjpDUW/oPrEU4WPGmnFI1m/0KNOX
         MRkeCeq9/gauz2IponSk1Wna1fsEnlypCbBFUQEhAEj+lrG9ncJa2aTmfjKh5G+K1lmn
         GWTQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=Akr9VUNZ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n12-v6si19485704pgf.497.2018.05.08.00.53.58;
        Tue, 08 May 2018 00:54:12 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=Akr9VUNZ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1754451AbeEHHxA (ORCPT <rfc822;gklkml16@gmail.com> + 99 others);
        Tue, 8 May 2018 03:53:00 -0400
Received: from mail-pf0-f172.google.com ([209.85.192.172]:46647 "EHLO
        mail-pf0-f172.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754009AbeEHHw6 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 8 May 2018 03:52:58 -0400
Received: by mail-pf0-f172.google.com with SMTP id p12so23542874pff.13
        for <linux-kernel@vger.kernel.org>; Tue, 08 May 2018 00:52:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=18bVvZl8mZS2IMoGGGVnu4zhpIpRagd3RN5B6x5T3Ns=;
        b=Akr9VUNZL9NRT7AJoXgCWCUTNSI1+rT7LKqaBppI84smVuAcVMcMST3DROn8MB7L3S
         NjtTP7Y/2oOigWcimrSHbQBlr8/7e0/T5cqWXrNuraQyWnmrVgTg4JWHmgMgSi1V/wjD
         qQsn2DZM5YbAxcDdfDXyvB4+PaduUlrskbOeDTBpFzy86K+kgLreVsEvkTuinjm0hTcZ
         Aex+Mig5BwgF2lxsUBeGwcBTIymwEqNM4xrkzhWqfiK770P0YlvvLnDVdrv28atr+p7l
         uPryhKPzlgW5UH+qwkgY640+3/S6P2suuxORqDj57UnklGxNSNvixD4QFgC4c7kof3UW
         iYWA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=18bVvZl8mZS2IMoGGGVnu4zhpIpRagd3RN5B6x5T3Ns=;
        b=Wct7r4xlYsRsleJHdAY3uao3cNG6+vaVZEKR5q1YREZSKbLHWtLDrV7XyOYioHPLgC
         PJTy0L6P4JUBNVzyckr2whbeLEioXJ3UmQbpOoF4TQ7/RIwndca4FnH+CgpqucStoimc
         ESgmP+VMKSboUWJ8jQJ3pkloe4pwgY9vCIv3XGhFD/ncukSqkmJXOW0hV4cG5mvI5+IY
         G7Hidxn1O9r/qXGc3OmWNgxKjlbHkHfe6OIrvHjJVPuG0qogno/xkk800EgrnSj8dO/q
         Z/XYwa94gTE4Vi6EyJ7HBb3FdhwaaIC+psau/haYUYcw8c7yRq2MXAy0bykLTBnYcszc
         FhnQ==
X-Gm-Message-State: ALQs6tDmNFxaIFrRmvMeNxenj8iw2Qji57CR7uzKROk30/GtrfNTV8t+
        bhE+8leTQUZ/CksokQ6aIBcIWV/i++unmI6Z3rlmOg==
X-Received: by 10.98.31.200 with SMTP id l69mr39267981pfj.49.1525765977177;
 Tue, 08 May 2018 00:52:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.236.149.24 with HTTP; Tue, 8 May 2018 00:52:36 -0700 (PDT)
In-Reply-To: <d7c8e0eb-61ed-1aad-6faa-82a0ef8c25b8@sandeen.net>
References: <f403043cbe8414177d0568e81405@google.com> <20180403043854.GL1150@dastard>
 <CACT4Y+ZadV0xTqhiGTAHmadAnYaSfPKhUy_TFXMza2o_n8+o9w@mail.gmail.com>
 <20180405213844.GE23861@dastard> <20180406161053.GF7500@magnolia>
 <CACT4Y+aaEOffkFA-B-hMzwzSiQwVpkPrc2udC087a55OTnkS4g@mail.gmail.com>
 <95c1400b-94f2-1af4-2d5d-c61c274c28ff@sandeen.net> <CACT4Y+aiwgRg5pk+N7bq9HYpgumTFyqG6-y3EZ8pWkq9-uB1aA@mail.gmail.com>
 <9f8d657c-7f42-7bd9-4477-6c3addf16dee@sandeen.net> <CACT4Y+bUx4jw83Ux7w9URL9bCy1ERLaVGTTwvA9Fe_UtLFeqCw@mail.gmail.com>
 <d7c8e0eb-61ed-1aad-6faa-82a0ef8c25b8@sandeen.net>
From:   Dmitry Vyukov <dvyukov@google.com>
Date:   Tue, 8 May 2018 09:52:36 +0200
Message-ID: <CACT4Y+YNRt5YSrOYKKFUP25jodpK0xeZhysSGoz2UaiGs_Gx=A@mail.gmail.com>
Subject: Re: WARNING: bad unlock balance in xfs_iunlock
To:     Eric Sandeen <sandeen@sandeen.net>
Cc:     "Darrick J. Wong" <darrick.wong@oracle.com>,
        Dave Chinner <david@fromorbit.com>,
        syzbot <syzbot+84a67953651a971809ba@syzkaller.appspotmail.com>,
        LKML <linux-kernel@vger.kernel.org>, linux-xfs@vger.kernel.org,
        syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
        "Theodore Ts'o" <tytso@mit.edu>,
        syzkaller <syzkaller@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 30, 2018 at 5:14 PM, Eric Sandeen <sandeen@sandeen.net> wrote:
> On 4/30/18 9:02 AM, Dmitry Vyukov wrote:
>> On Mon, Apr 30, 2018 at 3:49 PM, Eric Sandeen <sandeen@sandeen.net> wrote:
>
> ...
>
>>>> It just extracted kernel source file name that looked relevant
>>>> to this crash and run get_maintainers.pl on it.
>>>> Also the image can contain dynamically generated data, which makes it
>>>> impossible to have as a file at all.
>>>
>>> I guess I'm not sure what this means, can you explain?
>>
>> Say, a value that we generally pass to close system call is not static
>> and can't be dumped to a static file. It's whatever a previous open
>> system call has returned. Inside of the program we memorize the return
>> value of open in a variable and then pass it to close. This generally
>> stands for all system calls. Say, an image can contain an uid, and
>> that uid can be obtained from a system call too.
>
> Ok, but that's the syscall side.  You are operating on a static xfs image,
> correct?  We're only asking for the actual filesystem you're operating
> against.

Not necessary. Image can be dynamically generate too, all inputs to
kernel are generally dynamically generated.


> (When I say "image" I am talking only about the filesystem itself, not any
> other syzkaller state)

OK, let's do it this way. For the first 10 bugs, ask me, and I will do
it manually.
I am all for automation. And syzbot is already more automated than
most kernel testing systems. But, as I said, this is really
not-trivial, large amount of work, and is specific to one out of
dozens of kernel subsystems.


> Ok, backing up more: When you are testing against an xfs filesystem image, where
> does that image come from?  How is it generated?  A quick look at the syzkaller
> tree didn't make that clear to me.
>
> the xfs.repro file you provided at
> https://drive.google.com/file/d/1jzhGGe5SBJcqfsjxCLHoh4Kazke1oTfC/view
>
> is strange, it doesn't even contain AGF blocks; they aren't fuzzed or corrupted,
> they are completely zeroed out.  I don't know if that's part of the fuzzing,
> or what - what steps led to that image?
>
> Or put another way, how did you arrive at the fs image values in the reproducer,
> i.e.:

Currently they are completely random, nobody taught syzkaller about AGFs, etc.

> oid loop()
> {
>   memcpy((void*)0x20000000, "xfs", 4);
>   memcpy((void*)0x20000100, "./file0", 8);
>   *(uint64_t*)0x20000200 = 0x20010000;
>   memcpy((void*)0x20010000,
>          "\x58\x46\x53\x42\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00"
>          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x9f\x98"
>          "\x99\xff\xcb\xa1\x4e\xe6\xad\x52\x08\x20\x67\x09\xed\x75\x00\x00\x00"
>          "\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x35\xe0\x00\x00\x00\x00"
>          "\x00\x00\x35\xe1\x00\x00\x00\x00\x00\x00\x35\xe2\x00\x00\x00\x01\x00"
>          "\x00\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03\x55\xb4\xa4"
>          "\x02\x00\x01\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
>          "\x00\x0c\x09\x08\x04\x0c\x00\x00\x19\x00\x00\x00\x00\x00\x00\x00\x40"
>          "\x00\x00\x00\x00\x00\x00\x00\x3d\x00\x00\x00\x00\x00\x00\x0c\xa3\x00"
>          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
>          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00"
>          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x02\x02",
>          204);
>
> ...
>
> The in-memory xfs filesystem it constructs is damaged, is that an intentional
> part of the fuzzing during the test?

Yes, invalid inputs is part of testing.