Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3360522imu;
        Mon, 7 Jan 2019 01:47:18 -0800 (PST)
X-Google-Smtp-Source: ALg8bN6gcDacmi97E0dhgDOeKuZ/cbr0pMO7eic+uAE44jx8c6qs4i17cIN47XGm5QCpL0vfLYgQ
X-Received: by 2002:a63:ff62:: with SMTP id s34mr29585467pgk.325.1546854438916;
        Mon, 07 Jan 2019 01:47:18 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1546854438; cv=none;
        d=google.com; s=arc-20160816;
        b=qBz8lwlMjkSGPk3FeP0IBuynamTnpPSKrpTioMhmKh2F+R7buCo9+LmxcvMic3TQ1o
         UI1r3nXBnflNodUyCpHoQIX8fGT+jEEaH7jV+CjygcRYGPTc4j6X3gIK3MG4u+9qOzCv
         6v0MwT7PJx9MCMHSRklEeyKxsNVoM0ikJz99DkJ4/o9J+bhIlajSUyCOCY0c42RTqZoC
         x+tAes1U83Gds5EQbVT6kKMiC551eX2+ZXoB2t2yjNUGSbXDijqm1RBIA36lkujTPMDO
         nlM31RWbRmIYzQAVdSFTo28GEQq8CTRKlyFl1kp5/nytgovEZX5I7cMGemswx2xkg3lS
         blPw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=0qAwVWHvQ/pBqnevwsEVcaflQ7iZbyqxoHPDgj61+7Q=;
        b=nYt6HqQo0B/jqZU757MQv2u5MmLcBO12E+Uyk3pOFdXOKdw5hLBeyObnox2QRO6VLl
         PogjFow41pcxG1H8aLG3Gr/8GclZHwOK1PXo/4PVhDV8ojX+9b1Qwr/HkT8gyH7gJDA2
         mSMPTUrKNashpkXlGtE3KOVZWLSLSIdoinapZ07rGHbCTd509juLKmSnt28voDACe7eA
         gEASmLR4JmvGTIyokBdqUvJk1P68ZgXZX/kGQEn+TJCM/rWUzcr0w2rculGuUUftHLKM
         iKItx1lnt3eY8Bf1s+LSCauf/RXqAsk5p2hsjn81VAt+b9DrF0wbk4q6Wrpn52IS64Z5
         35xQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=c5Gjq1hv;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 73si2663716pfm.50.2019.01.07.01.47.03;
        Mon, 07 Jan 2019 01:47:18 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=c5Gjq1hv;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726649AbfAGJpG (ORCPT <rfc822;chaneybenjamini@gmail.com>
        + 99 others); Mon, 7 Jan 2019 04:45:06 -0500
Received: from mail-io1-f68.google.com ([209.85.166.68]:44743 "EHLO
        mail-io1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726538AbfAGJpG (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 7 Jan 2019 04:45:06 -0500
Received: by mail-io1-f68.google.com with SMTP id r200so34340716iod.11
        for <linux-kernel@vger.kernel.org>; Mon, 07 Jan 2019 01:45:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=0qAwVWHvQ/pBqnevwsEVcaflQ7iZbyqxoHPDgj61+7Q=;
        b=c5Gjq1hvyMcR9a58adU/zFtlspSwRetGI2E5YUJvqh5wylnffu7+TCesRIfF0WB3zg
         upfeNUIWfaUMFwprMpfhXUeRUba73sbjnkmz8ZRVkwcpEnQSyEv4NpupqKN2KOlUPob+
         mol6zMtj9qFGytuNzSCg/MvomfTG4ErOzUJP4NgW4R6IKs0c/2/iZt8f8ZDXeLwAlUNh
         FuvHIH2C/lr7b7XuPWIw1hDNX9ygfPZjENcLlNDF+jWnnKFjWKLKLqEyLBnfUuL8pp4Y
         mPGIqyaZ1I2/FQUjSLrSlsCV+uBX68p2etuvpx8lmusjoqakzE07nOrVlREI24mH8Pmp
         3+QA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=0qAwVWHvQ/pBqnevwsEVcaflQ7iZbyqxoHPDgj61+7Q=;
        b=h9EzKFJvY8GK72wBsHrhzT7U2K6CJpR+ppGPEx150JvrvuQKrTfzdRUzlJk5WA3DIv
         WuW0Jy0fCHb0auWtueTc/XSHbiq6Wk7FSUacun9HG3WI8KJHs0A11X+OIebalhrNwccA
         7Amg9KObjK850QlcEgWwky7uTBmOT/SGiNa3hxPcidoivZpWD2Q5YwpJVPguzedD+Y6h
         RtoSV3AgWiIYgCpXvLnjcbiUok/qW2NxTDade+Nedsq5NMAf/aPs8XuTFc6gCrKD7m5l
         eN5ss2Si1ekf1osytgdGjTzgb/UX+qMdow3gp/9hV5eR4EClAuq80exWCw3hPkRglKLs
         23SA==
X-Gm-Message-State: AJcUukeG0ubgC4+lDyf4S4U6Dd8hkOm+7NfLii6caX6vbh/EtFkqhVus
        XE0GO6n0VAXk1rLJxpDUEibg8wvCvSPy9jR0XQFUeA==
X-Received: by 2002:a5d:8491:: with SMTP id t17mr42285610iom.11.1546854305073;
 Mon, 07 Jan 2019 01:45:05 -0800 (PST)
MIME-Version: 1.0
References: <000000000000665f2e057cd00db6@google.com> <CACT4Y+Y-Yv0a1DzqsTHRSP52DdKLy0J2fAfsVfZUSNNnAOUnzg@mail.gmail.com>
 <CACT4Y+bxTz6d11v89gpDSEPyB+sJssNGPmEsC9-LVsGbxEpcuA@mail.gmail.com>
 <20181230154648.GB9832@redhat.com> <CACT4Y+Y+ZdBPXGhytZycqcLc_7GOR-VZB8KKuX_qUgxmiVT60w@mail.gmail.com>
 <20190104231013.GB4924@redhat.com>
In-Reply-To: <20190104231013.GB4924@redhat.com>
From:   Dmitry Vyukov <dvyukov@google.com>
Date:   Mon, 7 Jan 2019 10:44:53 +0100
Message-ID: <CACT4Y+amB9JGJbX8Coybj0b9yEGhcODCJ5K7azVHNrJT1bVNhg@mail.gmail.com>
Subject: Re: KASAN: use-after-free Read in handle_userfault (2)
To:     Andrea Arcangeli <aarcange@redhat.com>
Cc:     syzbot+cbc64b24b2b2d54c07a9@syzkaller.appspotmail.com,
        Sasha Levin <Alexander.Levin@microsoft.com>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Peter Xu <peterx@redhat.com>,
        Mike Rapoport <rppt@linux.vnet.ibm.com>,
        Mike Kravetz <mike.kravetz@oracle.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Jan 5, 2019 at 12:10 AM Andrea Arcangeli <aarcange@redhat.com> wrote:
>
> On Wed, Jan 02, 2019 at 02:37:58PM +0100, Dmitry Vyukov wrote:
> > If we are proceeding with "mm: some enhancements to the page fault
> > mechanism", that's good as it will eliminate at least part of this
> > output.
>
> Agreed.
>
> > There are 2 types of debug configs: ones add additional checks for
> > machines and another add verbose output for humans. CONFIG_DEBUG_VM
> > seems to be more of the first type of debug config -- additional
> > checks for machines. I've seen some of the second type debug configs
> > are prefixed with DEBUG_VERBOSE or something along these lines. Maybe
> > it makes sense to split this out of CONFIG_DEBUG_VM. Since it's a
> > "gray" check (rather then white/black check), it can't be used in
> > CI/fuzzing setups anyways -- not possible to analyse thousands of
> > cases manually (though maybe we actually hitting some that can be
> > classified as kernel bugs).
>
> The problem with the DEBUG_VERBOSE is that if the kernel needs a
> rebuild it's only marginally better than having to ask the developer
> to add a one liner dump_stack before rebuilding the kernel.
>
> Next time we need it, it may be simpler to figure a dynamic tracing
> trick than to ask a rebuild.
>
> In addition of pursuing the VM_FAULT_RETRY improvements from Peter,
> it'd be fine to drop it for now to avoid confusing the machines.
>
> > Yes, the problem is way more general. As you noted it applies to 100K
> > of EINVAL|EFAULT|ENOMEM, it's super hard to figure out what/where
> > exactly goes wrong in the kernel getting only -22. But at the same
>
> What stands out for this location is that it's the bailout point
> of all non uffd compatible syscalls.
>
> The chances such annotation turns out to be useful is much higher than
> a random -EINVAL location, but in principle it's the same kind of
> issue and I agree it'd be unpractical to annotate them manually.
>
> > time we can't have all of these 100K places dump stacks. I don't know
> > what's a good solution for this. Manually annotating 100K places does
> > not look like the right way to go. Maybe kprobes can do this? In some
> > cases I used CONFIG_KCOV  and kcovtrace
> > (https://github.com/google/syzkaller/blob/master/tools/kcovtrace/kcovtrace.c)
> > to collect kernel trace from a failing syscall.
>
> If there is a de facto standard to search for a "syscall bailout call
> trace" that can provide us that very same dump_stack, that should work
> for this uffd issue too indeed.
>
> KCOV may or may not be enabled in enterprise -debug kernels, but the
> main limitation of the kcovtrace.c seems to be the lack of threading
> support and the privilege inheritance through fork. While it's not
> mandatory, the uffd manager is practically always implemented as a
> thread of some process so whatever alternative to dump_stack() should
> work with threads.
>
> I think kprobes/ebpf should work provided debug info is available
> (which is not always guaranteed), otherwise to obtain it without debug
> info, it'd require a ftrace static trace point to use with the
> function graph tracer I guess.

OK, not sure what are the action points here now besides marking this
bug report as dup:

#syz dup: KASAN: use-after-free Read in neigh_mark_dead