From: Dmitry Vyukov
Date: Sat, 26 Sep 2020 08:46:54 +0200
Subject: Re: general protection fault in perf_misc_flags
To: Nick Desaulniers
Cc: Borislav Petkov, Josh Poimboeuf, syzbot, Arnaldo Carvalho de Melo, Alexander Shishkin, "H. Peter Anvin", Jiri Olsa, LKML, Mark Rutland, Ingo Molnar, Namhyung Kim, Peter Zijlstra, syzkaller-bugs, Thomas Gleixner, "the arch/x86 maintainers", clang-built-linux
References: <00000000000052569205afa67426@google.com> <20200919110831.GD7462@zn.tnic> <20200921221336.GN5901@zn.tnic> <20200923090336.GD28545@zn.tnic> <20200923103431.GF28545@zn.tnic>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Sep 26, 2020 at 2:32 AM 'Nick Desaulniers' via syzkaller-bugs wrote:
>
> > On Wed, Sep 23, 2020 at 11:24:48AM +0200, Dmitry Vyukov wrote:
> > > > > 3. Run syzkaller locally with custom patches.
> > > >
> > > > Let's say I wanna build the kernel with clang-10 using your .config and
> > > > run it in a vm locally. What are the steps in order to reproduce the
> > > > same workload syzkaller runs in the guest on the GCE so that I can at
> > > > least try to get as close as possible to reproducing locally?
> > >
> > > It's a random fuzzing workload. You can get this workload by running
> > > syzkaller locally:
> > > https://github.com/google/syzkaller/blob/master/docs/linux/setup_ubuntu-host_qemu-vm_x86-64-kernel.md
>
> These are virtualized guests, right? Has anyone played with getting
> `rr` working to record traces of guests in QEMU?
>
> I had seen the bug that generated this on github:
> https://julialang.org/blog/2020/09/rr-memory-magic/
>
> That way, even if syzkaller didn't have a reproducer binary, it would
> at least have a replayable trace.

These are virtualized guests, but they run on GCE, not in QEMU.

> Boris, one question I have. Doesn't the kernel mark pages backing
> executable code as read only at some point? If that were the case,
> then I don't see how the instruction stream could be modified. I
> guess static key patching would have to undo that permission mapping
> before patching.
>
> You're right about the length shorter than what I would have expected
> from static key patching. That could very well be a write through
> dangling int pointer...
>
> > > The exact clang compiler syzbot used is available here:
> > > https://github.com/google/syzkaller/blob/master/docs/syzbot.md#crash-does-not-reproduce
> > >
> > > I've marked all other similar ones a dup of this one. Now you can see
> > > all manifestations on the dashboard:
> > > https://syzkaller.appspot.com/bug?extid=ce179bc99e64377c24bc
> > >
> > > Another possible debugging vector on this:
> > > The location of crashes does not seem to be completely random and
> > > evenly spread across kernel code. I think there are many more static
> > > branches (mm, net), but we have 3 crashes in vdso and 9 in paravirt
> > > code + these 6 crashes in perf_misc_flags which looks a bit like an
> > > outlier (?). What's special about paravirt/vdso?..
>
> --
> Thanks,
> ~Nick Desaulniers
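Added example for the question Nick raises above about read-only kernel text and static-key patching. This is my own user-space model, not code from the kernel, from syzkaller, or from anyone in the thread: the live code mapping is created PROT_READ|PROT_EXEC and is never made writable; every edit goes through a second, writable mapping of the same physical pages. That is the same approach x86 text_poke() in arch/x86/kernel/alternative.c takes (it writes through a temporary, separately mapped writable alias of the target page rather than flipping the permissions of the kernel text mapping), and x86 static-key patching ends up there via text_poke_bp(). The names patchable_text, text_poke_alias, encode_return_const, store_faults and demo are mine; the code assumes Linux with memfd_create(2) on x86-64, and the machine code it emits is a hand-encoded `mov eax, imm32; ret`.

```c
/* Added example, not from the kernel or the thread. User-space model of
 * "text is read-only yet patchable": the live mapping stays RX and every
 * edit goes through a writable alias of the same pages, as x86 text_poke()
 * does with a temporary mapping. Assumes Linux/x86-64 with memfd_create(2). */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#ifndef __x86_64__
#error "this example encodes x86-64 machine code only"
#endif

struct patchable_text {
    uint8_t *rx;   /* live mapping: read + execute, never writable */
    uint8_t *rw;   /* writable alias of the same pages, used only for patching */
    size_t len;
};

/* Two MAP_SHARED mappings of one memfd: same physical pages, different permissions. */
static int patchable_text_create(struct patchable_text *t, size_t len)
{
    int fd = memfd_create("patchable-text", MFD_CLOEXEC);
    if (fd < 0 || ftruncate(fd, (off_t)len) < 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    t->rw = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    t->rx = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    close(fd);                                  /* the mappings keep the pages alive */
    t->len = len;
    return (t->rw == MAP_FAILED || t->rx == MAP_FAILED) ? -1 : 0;
}

/* Patch through the writable alias; the RX mapping's permissions never change.
 * Single-threaded, so memcpy suffices (the kernel also uses an int3 breakpoint
 * protocol so other CPUs never execute a half-written instruction). */
static int text_poke_alias(struct patchable_text *t, size_t off, const void *src, size_t n)
{
    if (off > t->len || n > t->len - off)
        return -1;
    memcpy(t->rw + off, src, n);
    __builtin___clear_cache((char *)t->rx + off, (char *)t->rx + off + n);
    return 0;
}

/* Emit "return v" as x86-64 machine code into buf (6 bytes); returns the byte count. */
static size_t encode_return_const(uint8_t *buf, uint32_t v)
{
    buf[0] = 0xB8;                      /* mov eax, imm32 */
    memcpy(buf + 1, &v, 4);             /* little-endian immediate */
    buf[5] = 0xC3;                      /* ret */
    return 6;
}

static uint32_t call_text(const struct patchable_text *t)
{
    return ((uint32_t (*)(void))(uintptr_t)t->rx)();
}

/* Does a byte store to *p fault?  1 = mapping is not writable, 0 = the store went through. */
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }
static int store_faults(volatile uint8_t *p)
{
    struct sigaction sa = { .sa_handler = on_fault }, old;
    volatile int faulted = 1;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0) {
        *p = *p;                        /* writes the same byte back: harmless if allowed */
        faulted = 0;
    }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* 0 when every step behaves as the comments say, otherwise the number of the failing step. */
static int demo(uint32_t before, uint32_t after)
{
    struct patchable_text t;
    uint8_t code[16];
    int rc;
    if (patchable_text_create(&t, 4096) != 0)
        return 1;
    if (text_poke_alias(&t, 0, code, encode_return_const(code, before)) != 0)
        rc = 2;
    else if (call_text(&t) != before)           /* live code runs from the RX mapping */
        rc = 3;
    else if (!store_faults(t.rx))               /* a stray store into the RX text faults */
        rc = 4;
    else if (text_poke_alias(&t, 0, code, encode_return_const(code, after)) != 0)
        rc = 5;
    else
        rc = (call_text(&t) == after) ? 0 : 6;  /* new code is visible through the RX alias */
    munmap(t.rw, t.len); munmap(t.rx, t.len);
    return rc;
}

int main(void) { int rc = demo(1, 2); printf("%s (step %d)\n", rc ? "FAILED" : "ok", rc); return rc; }
```

Step 4 is the check behind Nick's question: in this model a stray store into the executable mapping faults instead of silently landing, and patching does not "undo" that permission; it goes around it through the alias, which is also why a corrupted instruction stream in read-only text needs an explanation beyond a plain write to the text address. The kernel's real path has more to it than memcpy (the int3 protocol in text_poke_bp(), the temporary mm for the alias, and text_poke_early() before SMP is up), so treat this as a mental model of the permission structure, not as the kernel's implementation.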