From: Dmitry Vyukov
Date: Wed, 9 May 2018 10:43:05 +0200
Subject: Re: WARNING: bad unlock balance in xfs_iunlock
To: Eric Sandeen
Cc: "Darrick J. Wong", Dave Chinner, syzbot, LKML, linux-xfs@vger.kernel.org, syzkaller-bugs, "Theodore Ts'o", syzkaller
In-Reply-To: <9adacfed-0de6-cb94-bf14-3e639678a02a@sandeen.net>
References: <20180403043854.GL1150@dastard> <20180405213844.GE23861@dastard> <20180406161053.GF7500@magnolia> <95c1400b-94f2-1af4-2d5d-c61c274c28ff@sandeen.net> <9f8d657c-7f42-7bd9-4477-6c3addf16dee@sandeen.net> <9adacfed-0de6-cb94-bf14-3e639678a02a@sandeen.net>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 9, 2018 at 4:48 AM, Eric Sandeen wrote:
>
>
> On 5/8/18 2:52 AM, Dmitry Vyukov wrote:
>>> Or put another way, how did you arrive at the fs image values in the reproducer,
>>> i.e.:
>> Currently they are completely random, nobody taught syzkaller about AGFs, etc.
>
> So you just combine a few megabytes of purely random bits out of thin air until
> you get something that approximates an xfs filesystem? Google must have more
> computing power than I was aware of.

syzbot uses very few cores for fuzzing of all of the hundreds of kernel
subsystems. But syzkaller (the underlying fuzzer) uses coverage-guidance
and this makes fuzzing exponentially more efficient than blind
techniques. Coverage-guidance is also combined with grammar-based
generation techniques, which gives additional synergy (though there are
no grammar descriptions for filesystem formats at the moment).

Does "xfstests fuzzing infrastructure" use coverage-guidance? If not,
it would be useful to add. Among some solutions there are LibFuzzer
(https://llvm.org/docs/LibFuzzer.html), AFL
(http://lcamtuf.coredump.cx/afl/), kernel-fuzzing
(https://github.com/oracle/kernel-fuzzing). I don't know how xfstests
fuzzing works, so I can't say what would be more suitable there.

>>> void loop()
>>> {
>>>   memcpy((void*)0x20000000, "xfs", 4);
>>>   memcpy((void*)0x20000100, "./file0", 8);
>>>   *(uint64_t*)0x20000200 = 0x20010000;
>>>   memcpy((void*)0x20010000,
>>>          "\x58\x46\x53\x42\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00"
>>>          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x9f\x98"
>>>          "\x99\xff\xcb\xa1\x4e\xe6\xad\x52\x08\x20\x67\x09\xed\x75\x00\x00\x00"
>>>          "\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x35\xe0\x00\x00\x00\x00"
>>>          "\x00\x00\x35\xe1\x00\x00\x00\x00\x00\x00\x35\xe2\x00\x00\x00\x01\x00"
>>>          "\x00\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03\x55\xb4\xa4"
>>>          "\x02\x00\x01\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
>>>          "\x00\x0c\x09\x08\x04\x0c\x00\x00\x19\x00\x00\x00\x00\x00\x00\x00\x40"
>>>          "\x00\x00\x00\x00\x00\x00\x00\x3d\x00\x00\x00\x00\x00\x00\x0c\xa3\x00"
>>>          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
>>>          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00"
>>>          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x02\x02",
>>>          204);
>>>
>>> ...
>>>
>>> The in-memory xfs filesystem it constructs is damaged, is that an intentional
>>> part of the fuzzing during the test?
>> Yes, invalid inputs are part of testing.
>
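The exchange above turns on one point: purely random bits almost never produce a header that gets past a parser's first sanity check, whereas a coverage-guided fuzzer keeps any input that reaches a new branch and so climbs through the checks one at a time. The following example, added here for illustration and not code from this thread, from syzkaller or from xfstests, makes that concrete on a constructed 16-byte "superblock" format with an XFSB-style magic, a block-size check, an AG-count check and one deliberately missing validation (an unchecked sector size that ends in a division by zero). It runs a blind fuzzer and a coverage-guided mutational fuzzer against the same toy parser; the `cov` set of branch sites is a stand-in for the edge coverage that KCOV or SanitizerCoverage would report, and all names, sizes and iteration counts are assumptions of the example.

```python
import random

# Toy on-disk header format, constructed for this example (not real XFS):
#   bytes 0-3   magic "XFSB"
#   bytes 4-7   block size, big-endian, must be a power of two in 512..65536
#   bytes 8-11  allocation-group count, must be non-zero
#   bytes 12-15 sector size, big-endian (the parser forgets to validate it)
MAGIC = b"XFSB"
SB_LEN = 16
ITERATIONS = 300_000


def parse_superblock(data, cov):
    """Parse one header. `cov` collects the branch sites executed, which is
    what KCOV/SanitizerCoverage-style instrumentation feeds back to a
    coverage-guided fuzzer. Returns a short status string."""
    cov.add("enter")
    if len(data) < SB_LEN:
        cov.add("short")
        return "short"
    # Byte-at-a-time magic compare: every position is a separate branch,
    # so matching one more byte is visible to the fuzzer as new coverage.
    for i, want in enumerate(MAGIC):
        if data[i] != want:
            cov.add(("bad_magic", i))
            return "bad_magic"
        cov.add(("magic_ok", i))
    blocksize = int.from_bytes(data[4:8], "big")
    if blocksize & (blocksize - 1) or not 512 <= blocksize <= 65536:
        cov.add("bad_blocksize")
        return "bad_blocksize"
    cov.add("blocksize_ok")
    agcount = int.from_bytes(data[8:12], "big")
    if agcount == 0:
        cov.add("zero_agcount")
        return "zero_agcount"
    cov.add("agcount_ok")
    sectsize = int.from_bytes(data[12:16], "big")
    # Deliberate bug: sectsize is never validated, so a header that passes
    # every check above with sectsize == 0 raises ZeroDivisionError here.
    # This stands in for the kernel warning/crash a real fuzzer looks for.
    sectors_per_block = blocksize // sectsize
    cov.add("ok")
    return "ok"


def mutate(parent, rng):
    """One small, format-agnostic mutation of a parent input."""
    data = bytearray(parent)
    pos = rng.randrange(len(data))
    roll = rng.random()
    if roll < 0.7:
        data[pos] = rng.getrandbits(8)                    # random byte
    elif roll < 0.85:
        data[pos] ^= 1 << rng.randrange(8)                # single bit flip
    else:
        data[pos] = rng.choice((0, 1, 0x7F, 0x80, 0xFF))  # boundary values
    return bytes(data)


def fuzz(iterations, guided, seed=1):
    """Run the toy fuzzer. Returns (iteration that crashed or None,
    crashing input or None, final corpus size)."""
    rng = random.Random(seed)
    corpus = [bytes(SB_LEN)]   # single all-zero seed input
    seen = set()               # union of coverage over the corpus
    for it in range(1, iterations + 1):
        if guided:
            # Favor the newest corpus entry half the time (AFL-style
            # "favored" queue), otherwise pick any entry.
            parent = corpus[-1] if rng.random() < 0.5 else rng.choice(corpus)
            data = mutate(parent, rng)
        else:
            # Blind fuzzing: every input is fresh random bits.
            data = rng.getrandbits(8 * SB_LEN).to_bytes(SB_LEN, "big")
        cov = set()
        try:
            parse_superblock(data, cov)
        except ZeroDivisionError:
            return it, data, len(corpus)
        # Coverage guidance: keep any input that reaches a new branch site.
        if guided and not cov <= seen:
            seen |= cov
            corpus.append(data)
    return None, None, len(corpus)


if __name__ == "__main__":
    for guided in (False, True):
        it, data, size = fuzz(ITERATIONS, guided)
        mode = "coverage-guided" if guided else "blind"
        if it is None:
            print(f"{mode}: no crash in {ITERATIONS} iterations (corpus {size})")
        else:
            print(f"{mode}: crash after {it} iterations, input {data.hex()} (corpus {size})")
```

The blind run has to hit a 4-byte magic, a valid block size, a non-zero AG count and a zero sector size in one draw, which is far rarer than one in 2^32, so it exhausts its budget. The guided run needs each check only once: every input that matches one more magic byte or clears one more check is kept, so the corpus walks the parser depth-first and the division by zero falls out after a few tens of thousands of iterations. A real comparison is a single `memcmp`, which is why production fuzzers add comparison instrumentation or dictionaries (and why syzkaller's "no grammar for filesystem formats yet" remark matters); the byte-at-a-time loop here just makes the effect observable without that machinery.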