From: Aleksandr Nogikh
Date: Thu, 17 Feb 2022 19:32:43 +0100
Subject: Re: [syzbot] KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
To: Song Liu
Cc: Daniel Borkmann, syzbot, Andrii Nakryiko, Alexei Starovoitov, bpf,
 "David S . Miller", Jesper Dangaard Brouer, John Fastabend,
 Martin KaFai Lau, KP Singh, Jakub Kicinski, open list, Networking,
 Song Liu, syzkaller-bugs@googlegroups.com, Yonghong Song
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Song,

On Wed, Feb 16, 2022 at 5:27 PM Song Liu wrote:
>
> Hi Aleksandr,
>
> Thanks for your kind reply!
>
> On Wed, Feb 16, 2022 at 1:38 AM Aleksandr Nogikh wrote:
> >
> > Hi Song,
> >
> > Is syzkaller not doing something you expect it to do with this config?
>
> I fixed sshkey in the config, and added a suppression for hsr_node_get_first.
> However, I haven't got a repro overnight.

Oh, that's unfortunately not a very reliable thing. The bug has so far
happened only once on syzbot, so it must be pretty rare. Maybe you'll
have more luck with your local setup :)

You can try to run syz-repro on the log file that is available on the
syzbot dashboard:
https://github.com/google/syzkaller/blob/master/tools/syz-repro/repro.go

Syzbot has already done it and apparently failed to succeed, but this
is also somewhat probabilistic, especially when the bug is due to some
rare race condition. So trying it several times might help.

Also you might want to hack your local syzkaller copy a bit:
https://github.com/google/syzkaller/blob/master/syz-manager/manager.go#L804

Here you can drop the limit on the maximum number of repro attempts
and make needLocalRepro only return true if crash.Title matches the
title of this particular bug. With this change your local syzkaller
instance won't waste time reproducing other bugs.

There's also a way to focus syzkaller on some specific kernel
functions/source files:
https://github.com/google/syzkaller/blob/master/pkg/mgrconfig/config.go#L125

--
Best Regards,
Aleksandr

> >
> > On Wed, Feb 16, 2022 at 2:38 AM Song Liu wrote:
> > >
> > > On Mon, Feb 14, 2022 at 10:41 PM Song Liu wrote:
> > > >
> > > > On Mon, Feb 14, 2022 at 3:52 PM Daniel Borkmann wrote:
> > > > >
> > > > > Song, ptal.
> > > > >
> > > > > On 2/14/22 7:45 PM, syzbot wrote:
> > > > > > Hello,
> > > > > >
> > > > > > syzbot found the following issue on:
> > > > > >
> > > > > > HEAD commit:    e5313968c41b Merge branch 'Split bpf_sk_lookup remote_port..
> > > > > > git tree:       bpf-next
> > > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=10baced8700000
> > > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=c40b67275bfe2a58
> > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=2f649ec6d2eea1495a8f
> > >
> > > How do I run the exact same syzkaller? I am doing something like
> > >
> > > ./bin/syz-manager -config qemu.cfg
> > >
> > > with the cfg file like:
> > >
> > > {
> > >         "target": "linux/amd64",
> > >         "http": ":56741",
> > >         "workdir": "workdir",
> > >         "kernel_obj": "linux",
> > >         "image": "./pkg/mgrconfig/testdata/stretch.img",
> >
> > This image location looks suspicious - we store some dummy data for
> > tests in that folder.
> > Instances now run on buildroot-based images, generated with
> > https://github.com/google/syzkaller/blob/master/tools/create-buildroot-image.sh
>
> Thanks for the information. I will give it a try.
>
> >
> > >         "syzkaller": ".",
> > >         "disable_syscalls": ["keyctl", "add_key", "request_key"],
> >
> > For our bpf instances, instead of disable_syscalls we use enable_syscalls:
> >
> > "enable_syscalls": [
> >     "bpf", "mkdir", "mount$bpf", "unlink", "close",
> >     "perf_event_open*", "ioctl$PERF*", "getpid", "gettid",
> >     "socketpair", "sendmsg", "recvmsg", "setsockopt$sock_attach_bpf",
> >     "socket$kcm", "ioctl$sock_kcm*", "syz_clone",
> >     "mkdirat$cgroup*", "openat$cgroup*", "write$cgroup*",
> >     "openat$tun", "write$tun", "ioctl$TUN*", "ioctl$SIOCSIFHWADDR",
> >     "openat$ppp", "syz_open_procfs$namespace"
> > ]
>
> I will try with the same list. Thanks!
>
> Song
>
> >
> > >         "suppressions": ["some known bug"],
> > >         "procs": 8,
> >
> > We usually run with "procs": 6, but it's not that important.
> >
> > >         "type": "qemu",
> > >         "vm": {
> > >                 "count": 16,
> > >                 "cpu": 2,
> > >                 "mem": 2048,
> > >                 "kernel": "linux/arch/x86/boot/bzImage"
> > >         }
> > > }
> >
> > Otherwise I don't see any really significant differences.
> >
> > --
> > Best Regards
> > Aleksandr
> >
> > >
> > > Is this correct? I am using stretch.img from syzkaller site, and the
> > > .config from the link above.
> > >
> > > Thanks,
> > > Song
> > >
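The manager.go hack Aleksandr describes above (drop the repro-attempt cap and make needLocalRepro accept only this bug's title), written out as an added Go sketch that is not syzkaller's own code. The Crash type, the crashesRoot layout and the sha1-named crash directory are assumptions made for the illustration.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
)

// Crash mirrors only the fields of a syz-manager crash record that the
// decision below needs (assumed simplified shape, not syzkaller's own type).
type Crash struct {
	Title      string
	Corrupted  bool
	Suppressed bool
}

// focusTitle is the syzbot title of the bug discussed in the thread.
const focusTitle = "KASAN: vmalloc-out-of-bounds Read in bpf_jit_free"

// crashDir names the per-crash directory under <workdir>/crashes.
// syzkaller keys it by a hash of the title; sha1 is the assumed hash here.
func crashDir(title string) string {
	sum := sha1.Sum([]byte(title))
	return hex.EncodeToString(sum[:])
}

// needLocalRepro reports whether the manager should spend VMs on a local
// repro of crash. Compared with the stock logic, the loop that gives up
// after a maximum number of repro attempts is gone, and only the crash
// we are hunting qualifies, so other bugs found on the way are skipped.
func needLocalRepro(crashesRoot string, crash Crash) bool {
	if crash.Corrupted || crash.Suppressed {
		return false
	}
	if crash.Title != focusTitle {
		return false // some other bug: do not spend repro time on it
	}
	// A finished reproducer makes further attempts pointless.
	repro := filepath.Join(crashesRoot, crashDir(crash.Title), "repro.prog")
	_, err := os.Stat(repro)
	return os.IsNotExist(err) // keep trying until repro.prog exists
}

func main() {
	fmt.Println(needLocalRepro("workdir/crashes", Crash{Title: focusTitle}))
}
```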