* WARNING in kmem_cache_free
@ 2018-04-06 13:24 syzbot
2018-04-06 13:33 ` Dmitry Vyukov
0 siblings, 1 reply; 27+ messages in thread
From: syzbot @ 2018-04-06 13:24 UTC (permalink / raw)
To: linux-fsdevel, linux-kernel, syzkaller-bugs, viro
Hello,
syzbot hit the following crash on upstream commit
f2d285669aae656dfeafa0bf25e86bbbc5d22329 (Tue Apr 3 17:45:39 2018 +0000)
Merge tag 'pm-4.17-rc1' of
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=75397ee3df5c70164154
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=5265497960480768
Kernel config: https://syzkaller.appspot.com/x/.config?id=686016073509112605
compiler: gcc (GCC) 7.1.1 20170620
user-space arch: i386
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
cache_from_obj: Wrong slab cache. names_cache but object is from kmalloc-96
WARNING: CPU: 0 PID: 11100 at mm/slab.h:378 cache_from_obj mm/slab.h:376
[inline]
WARNING: CPU: 0 PID: 11100 at mm/slab.h:378 kmem_cache_free+0x226/0x2a0
mm/slab.c:3736
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 11100 Comm: syz-executor3 Not tainted 4.16.0+ #288
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1a7/0x27d lib/dump_stack.c:53
panic+0x1f8/0x42c kernel/panic.c:183
__warn+0x1dc/0x200 kernel/panic.c:547
report_bug+0x1f4/0x2b0 lib/bug.c:186
fixup_bug.part.10+0x37/0x80 arch/x86/kernel/traps.c:178
fixup_bug arch/x86/kernel/traps.c:247 [inline]
do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:991
RIP: 0010:cache_from_obj mm/slab.h:376 [inline]
RIP: 0010:kmem_cache_free+0x226/0x2a0 mm/slab.c:3736
RSP: 0018:ffff8801933a7970 EFLAGS: 00010282
RAX: 000000000000004b RBX: ffff8801dad7e600 RCX: 0000000000000000
RDX: 000000000000004b RSI: ffffc90002a2d000 RDI: ffffed0032674f22
RBP: ffff8801933a7990 R08: ffffed003b604f99 R09: ffffed003b604f99
R10: 0000000000000000 R11: ffffed003b604f98 R12: ffff880199ec2000
R13: ffff8801dad7e600 R14: ffff8801d08585dc R15: 00000000ffffffd8
putname+0xc8/0x130 fs/namei.c:255
filename_lookup+0x315/0x500 fs/namei.c:2324
user_path_at_empty+0x40/0x50 fs/namei.c:2569
user_path include/linux/namei.h:62 [inline]
do_mount+0x15f/0x2b90 fs/namespace.c:2787
C_SYSC_mount fs/compat.c:195 [inline]
compat_SyS_mount+0xd0/0x1070 fs/compat.c:160
do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f47c99
RSP: 002b:00000000f5f42c6c EFLAGS: 00000246 ORIG_RAX: 0000000000000015
RAX: ffffffffffffffda RBX: 00000000080eff11 RCX: 0000000020000000
RDX: 0000000000000000 RSI: 00000000080d6b6d RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@googlegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
^ permalink raw reply [flat|nested] 27+ messages in thread* Re: WARNING in kmem_cache_free 2018-04-06 13:24 WARNING in kmem_cache_free syzbot @ 2018-04-06 13:33 ` Dmitry Vyukov 2018-04-08 3:16 ` Use struct page for filename Matthew Wilcox ` (2 more replies) 0 siblings, 3 replies; 27+ messages in thread From: Dmitry Vyukov @ 2018-04-06 13:33 UTC (permalink / raw) To: syzbot; +Cc: linux-fsdevel, LKML, syzkaller-bugs, Al Viro On Fri, Apr 6, 2018 at 3:24 PM, syzbot <syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com> wrote: > Hello, > > syzbot hit the following crash on upstream commit > f2d285669aae656dfeafa0bf25e86bbbc5d22329 (Tue Apr 3 17:45:39 2018 +0000) > Merge tag 'pm-4.17-rc1' of > git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm > syzbot dashboard link: > https://syzkaller.appspot.com/bug?extid=75397ee3df5c70164154 > > Unfortunately, I don't have any reproducer for this crash yet. > Raw console output: > https://syzkaller.appspot.com/x/log.txt?id=5265497960480768 > Kernel config: https://syzkaller.appspot.com/x/.config?id=686016073509112605 > compiler: gcc (GCC) 7.1.1 20170620 > user-space arch: i386 > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com > It will help syzbot understand when the bug is fixed. See footer for > details. > If you forward the report, please keep this part and the footer. > > cache_from_obj: Wrong slab cache. names_cache but object is from kmalloc-96 /\/\/\/\ Interesting type of bug, I think we see this for the first time. Al, do you see how this can happen? > WARNING: CPU: 0 PID: 11100 at mm/slab.h:378 cache_from_obj mm/slab.h:376 > [inline] > WARNING: CPU: 0 PID: 11100 at mm/slab.h:378 kmem_cache_free+0x226/0x2a0 > mm/slab.c:3736 > Kernel panic - not syncing: panic_on_warn set ... > > CPU: 0 PID: 11100 Comm: syz-executor3 Not tainted 4.16.0+ #288 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > Call Trace: > __dump_stack lib/dump_stack.c:17 [inline] > dump_stack+0x1a7/0x27d lib/dump_stack.c:53 > panic+0x1f8/0x42c kernel/panic.c:183 > __warn+0x1dc/0x200 kernel/panic.c:547 > report_bug+0x1f4/0x2b0 lib/bug.c:186 > fixup_bug.part.10+0x37/0x80 arch/x86/kernel/traps.c:178 > fixup_bug arch/x86/kernel/traps.c:247 [inline] > do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296 > do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315 > invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:991 > RIP: 0010:cache_from_obj mm/slab.h:376 [inline] > RIP: 0010:kmem_cache_free+0x226/0x2a0 mm/slab.c:3736 > RSP: 0018:ffff8801933a7970 EFLAGS: 00010282 > RAX: 000000000000004b RBX: ffff8801dad7e600 RCX: 0000000000000000 > RDX: 000000000000004b RSI: ffffc90002a2d000 RDI: ffffed0032674f22 > RBP: ffff8801933a7990 R08: ffffed003b604f99 R09: ffffed003b604f99 > R10: 0000000000000000 R11: ffffed003b604f98 R12: ffff880199ec2000 > R13: ffff8801dad7e600 R14: ffff8801d08585dc R15: 00000000ffffffd8 > putname+0xc8/0x130 fs/namei.c:255 > filename_lookup+0x315/0x500 fs/namei.c:2324 > user_path_at_empty+0x40/0x50 fs/namei.c:2569 > user_path include/linux/namei.h:62 [inline] > do_mount+0x15f/0x2b90 fs/namespace.c:2787 > C_SYSC_mount fs/compat.c:195 [inline] > compat_SyS_mount+0xd0/0x1070 fs/compat.c:160 > do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] > do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392 > entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 > RIP: 0023:0xf7f47c99 > RSP: 002b:00000000f5f42c6c EFLAGS: 00000246 ORIG_RAX: 0000000000000015 > RAX: ffffffffffffffda RBX: 00000000080eff11 RCX: 0000000020000000 > RDX: 0000000000000000 RSI: 00000000080d6b6d RDI: 0000000000000000 > RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 > R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 > Dumping ftrace buffer: > (ftrace buffer empty) > Kernel Offset: disabled > Rebooting in 86400 seconds.. > > > --- > This bug is generated by a dumb bot. It may contain errors. > See https://goo.gl/tpsmEJ for details. > Direct all questions to syzkaller@googlegroups.com. > > syzbot will keep track of this bug report. > If you forgot to add the Reported-by tag, once the fix for this bug is > merged > into any tree, please reply to this email with: > #syz fix: exact-commit-title > To mark this as a duplicate of another syzbot report, please reply with: > #syz dup: exact-subject-of-another-report > If it's a one-off invalid bug report, please reply with: > #syz invalid > Note: if the crash happens again, it will cause creation of a new bug > report. > Note: all commands must start from beginning of the line in the email body. > > -- > You received this message because you are subscribed to the Google Groups > "syzkaller-bugs" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to syzkaller-bugs+unsubscribe@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/syzkaller-bugs/001a114467482dbc4b05692df8f9%40google.com. > For more options, visit https://groups.google.com/d/optout. ^ permalink raw reply [flat|nested] 27+ messages in thread
* Use struct page for filename 2018-04-06 13:33 ` Dmitry Vyukov @ 2018-04-08 3:16 ` Matthew Wilcox 2018-04-08 4:42 ` Al Viro 2018-04-08 5:59 ` WARNING in kmem_cache_free Al Viro 2018-04-08 6:01 ` Matthew Wilcox 2 siblings, 1 reply; 27+ messages in thread From: Matthew Wilcox @ 2018-04-08 3:16 UTC (permalink / raw) To: Dmitry Vyukov; +Cc: linux-fsdevel, LKML, Al Viro On Fri, Apr 06, 2018 at 03:33:36PM +0200, Dmitry Vyukov wrote: > On Fri, Apr 6, 2018 at 3:24 PM, syzbot > <syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com> wrote: > > cache_from_obj: Wrong slab cache. names_cache but object is from kmalloc-96 > > Al, do you see how this can happen? I don't see how it happened, but when looking at this bug, I thought "This is very complicated, I think there's a simpler way to handle this". Here's a proposal. It won't apply to any existing tree (depends on a couple of local commits), but I think you'll get the general flavour of it. It's mostly compile-tested (build still running, but fs/ and kernel/ compiled without issue). fs/dcache.c | 7 ---- fs/namei.c | 102 ++++++++++++----------------------------------- include/linux/fs.h | 26 ++++++------ include/linux/mm_types.h | 12 +++++- kernel/auditsc.c | 8 ++-- 5 files changed, 51 insertions(+), 104 deletions(-) diff --git a/fs/dcache.c b/fs/dcache.c index 593079176123..749b82b8fa1c 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -3172,10 +3172,6 @@ static void __init dcache_init(void) d_hash_shift = 32 - d_hash_shift; } -/* SLAB cache for __getname() consumers */ -struct kmem_cache *names_cachep __read_mostly; -EXPORT_SYMBOL(names_cachep); - void __init vfs_caches_init_early(void) { int i; @@ -3189,9 +3185,6 @@ void __init vfs_caches_init_early(void) void __init vfs_caches_init(void) { - names_cachep = kmem_cache_create_usercopy("names_cache", PATH_MAX, 0, - SLAB_HWCACHE_ALIGN|SLAB_PANIC, 0, PATH_MAX, NULL); - dcache_init(); inode_init(); files_init(); diff --git a/fs/namei.c b/fs/namei.c index a09419379f5d..16fb4779d29f 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -122,71 +122,46 @@ * PATH_MAX includes the nul terminator --RR. */ -#define EMBEDDED_NAME_MAX (PATH_MAX - offsetof(struct filename, iname)) +struct filename *alloc_filename(void) +{ + struct page *page = alloc_page(GFP_KERNEL); + + page->filename.name = page_to_virt(page); + return &page->filename; +} + +void putname(struct filename *name) +{ + __free_page(container_of(name, struct page, filename)); +} + +void filename_get(struct filename *name) +{ + page_ref_inc(container_of(name, struct page, filename)); +} struct filename * getname_flags(const char __user *filename, int flags, int *empty) { struct filename *result; - char *kname; int len; result = audit_reusename(filename); if (result) return result; - result = __getname(); + result = alloc_filename(); if (unlikely(!result)) return ERR_PTR(-ENOMEM); - /* - * First, try to embed the struct filename inside the names_cache - * allocation - */ - kname = (char *)result->iname; - result->name = kname; - - len = strncpy_from_user(kname, filename, EMBEDDED_NAME_MAX); + len = strncpy_from_user((char *)result->name, filename, PATH_MAX); + if (unlikely(len == PATH_MAX)) + len = -ENAMETOOLONG; if (unlikely(len < 0)) { - __putname(result); + putname(result); return ERR_PTR(len); } - /* - * Uh-oh. We have a name that's approaching PATH_MAX. Allocate a - * separate struct filename so we can dedicate the entire - * names_cache allocation for the pathname, and re-do the copy from - * userland. - */ - if (unlikely(len == EMBEDDED_NAME_MAX)) { - const size_t size = offsetof(struct filename, iname[1]); - kname = (char *)result; - - /* - * size is chosen that way we to guarantee that - * result->iname[0] is within the same object and that - * kname can't be equal to result->iname, no matter what. - */ - result = kzalloc(size, GFP_KERNEL); - if (unlikely(!result)) { - __putname(kname); - return ERR_PTR(-ENOMEM); - } - result->name = kname; - len = strncpy_from_user(kname, filename, PATH_MAX); - if (unlikely(len < 0)) { - __putname(kname); - kfree(result); - return ERR_PTR(len); - } - if (unlikely(len == PATH_MAX)) { - __putname(kname); - kfree(result); - return ERR_PTR(-ENAMETOOLONG); - } - } - - result->refcnt = 1; /* The empty path is special. */ if (unlikely(!len)) { if (empty) @@ -215,49 +190,22 @@ getname_kernel(const char * filename) struct filename *result; int len = strlen(filename) + 1; - result = __getname(); + result = alloc_filename(); if (unlikely(!result)) return ERR_PTR(-ENOMEM); - if (len <= EMBEDDED_NAME_MAX) { - result->name = (char *)result->iname; - } else if (len <= PATH_MAX) { - struct filename *tmp; - - tmp = kmalloc(sizeof(*tmp), GFP_KERNEL); - if (unlikely(!tmp)) { - __putname(result); - return ERR_PTR(-ENOMEM); - } - tmp->name = (char *)result; - result = tmp; - } else { - __putname(result); + if (len > PATH_MAX) { + putname(result); return ERR_PTR(-ENAMETOOLONG); } memcpy((char *)result->name, filename, len); result->uptr = NULL; result->aname = NULL; - result->refcnt = 1; audit_getname(result); return result; } -void putname(struct filename *name) -{ - BUG_ON(name->refcnt <= 0); - - if (--name->refcnt > 0) - return; - - if (name->name != name->iname) { - __putname(name->name); - kfree(name); - } else - __putname(name); -} - static int check_acl(struct inode *inode, int mask) { #ifdef CONFIG_FS_POSIX_ACL diff --git a/include/linux/fs.h b/include/linux/fs.h index ab44a19f2ddd..5c93ebc519fe 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2376,15 +2376,6 @@ static inline int break_layout(struct inode *inode, bool wait) #endif /* CONFIG_FILE_LOCKING */ /* fs/open.c */ -struct audit_names; -struct filename { - const char *name; /* pointer to actual string */ - const __user char *uptr; /* original userland pointer */ - struct audit_names *aname; - int refcnt; - const char iname[]; -}; - extern long vfs_truncate(const struct path *, loff_t); extern int do_truncate(struct dentry *, loff_t start, unsigned int time_attrs, struct file *filp); @@ -2399,6 +2390,18 @@ extern struct file *file_open_root(struct dentry *, struct vfsmount *, extern struct file * dentry_open(const struct path *, int, const struct cred *); extern int filp_close(struct file *, fl_owner_t id); +/* fs/namei.c */ +static inline void *__getname(void) +{ + return (void *)__get_free_page(GFP_KERNEL); +} + +static inline void __putname(const void *name) +{ + free_page((unsigned long)name); +} + +void filename_get(struct filename *); extern struct filename *getname_flags(const char __user *, int, int *); extern struct filename *getname(const char __user *); extern struct filename *getname_kernel(const char *); @@ -2421,11 +2424,6 @@ extern int ioctl_preallocate(struct file *filp, void __user *argp); extern void __init vfs_caches_init_early(void); extern void __init vfs_caches_init(void); -extern struct kmem_cache *names_cachep; - -#define __getname() kmem_cache_alloc(names_cachep, GFP_KERNEL) -#define __putname(name) kmem_cache_free(names_cachep, (void *)(name)) - #ifdef CONFIG_BLOCK extern int register_blkdev(unsigned int, const char *); extern void unregister_blkdev(unsigned int, const char *); diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h index 97ceec1c6e21..a6ca28ef4277 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -25,6 +25,13 @@ struct address_space; struct mem_cgroup; struct hmm; +struct audit_names; + +struct filename { + const char *name; /* pointer to actual string */ + const __user char *uptr; /* original userland pointer */ + struct audit_names *aname; +}; /* * Each physical page in the system has a struct page associated with @@ -188,6 +195,7 @@ struct page { spinlock_t ptl; #endif }; + struct filename filename; }; #ifdef CONFIG_MEMCG diff --git a/kernel/auditsc.c b/kernel/auditsc.c index e80459f7e132..e539550f5983 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1722,7 +1722,7 @@ __audit_reusename(const __user char *uptr) if (!n->name) continue; if (n->name->uptr == uptr) { - n->name->refcnt++; + filename_get(n->name); return n->name; } } @@ -1751,7 +1751,7 @@ void __audit_getname(struct filename *name) n->name = name; n->name_len = AUDIT_NAME_FULL; name->aname = n; - name->refcnt++; + filename_get(name); if (!context->pwd.dentry) get_fs_pwd(current->fs, &context->pwd); @@ -1825,7 +1825,7 @@ void __audit_inode(struct filename *name, const struct dentry *dentry, return; if (name) { n->name = name; - name->refcnt++; + filename_get(name); } out: @@ -1954,7 +1954,7 @@ void __audit_inode_child(struct inode *parent, if (found_parent) { found_child->name = found_parent->name; found_child->name_len = AUDIT_NAME_FULL; - found_child->name->refcnt++; + filename_get(found_child->name); } } ^ permalink raw reply related [flat|nested] 27+ messages in thread
* Re: Use struct page for filename 2018-04-08 3:16 ` Use struct page for filename Matthew Wilcox @ 2018-04-08 4:42 ` Al Viro 0 siblings, 0 replies; 27+ messages in thread From: Al Viro @ 2018-04-08 4:42 UTC (permalink / raw) To: Matthew Wilcox; +Cc: Dmitry Vyukov, linux-fsdevel, LKML On Sat, Apr 07, 2018 at 08:16:46PM -0700, Matthew Wilcox wrote: > On Fri, Apr 06, 2018 at 03:33:36PM +0200, Dmitry Vyukov wrote: > > On Fri, Apr 6, 2018 at 3:24 PM, syzbot > > <syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com> wrote: > > > cache_from_obj: Wrong slab cache. names_cache but object is from kmalloc-96 > > > > Al, do you see how this can happen? > > I don't see how it happened, but when looking at this bug, I thought > "This is very complicated, I think there's a simpler way to handle this". > > Here's a proposal. It won't apply to any existing tree (depends on a > couple of local commits), but I think you'll get the general flavour > of it. It's mostly compile-tested (build still running, but fs/ and > kernel/ compiled without issue). > +struct audit_names; > + > +struct filename { > + const char *name; /* pointer to actual string */ > + const __user char *uptr; /* original userland pointer */ > + struct audit_names *aname; > +}; > > /* > * Each physical page in the system has a struct page associated with > @@ -188,6 +195,7 @@ struct page { > spinlock_t ptl; > #endif > }; > + struct filename filename; > }; Oh, lovely - extra 24 bytes into each struct page. Plus the delta to performance due to switching from kmem_cache_alloc to alloc_page. Negative one, that is... ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: WARNING in kmem_cache_free 2018-04-06 13:33 ` Dmitry Vyukov 2018-04-08 3:16 ` Use struct page for filename Matthew Wilcox @ 2018-04-08 5:59 ` Al Viro 2018-04-08 6:01 ` Matthew Wilcox 2 siblings, 0 replies; 27+ messages in thread From: Al Viro @ 2018-04-08 5:59 UTC (permalink / raw) To: Dmitry Vyukov; +Cc: syzbot, linux-fsdevel, LKML, syzkaller-bugs On Fri, Apr 06, 2018 at 03:33:36PM +0200, Dmitry Vyukov wrote: > Interesting type of bug, I think we see this for the first time. > > Al, do you see how this can happen? putname() on something that hasn't come from getname(). Short of reproducer, I don't see what can be done - it can be any kind of memory corruption. We have return filename_lookup(dfd, getname_flags(name, flags, empty), flags, path, NULL); with filename_lookup() hitting putname(name); return retval; on the way out (and seeing refcount 1, at that, so it hasn't ended up in audit context). And object it's trying to free is not something getname_flags() has allocated. ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: WARNING in kmem_cache_free 2018-04-06 13:33 ` Dmitry Vyukov 2018-04-08 3:16 ` Use struct page for filename Matthew Wilcox 2018-04-08 5:59 ` WARNING in kmem_cache_free Al Viro @ 2018-04-08 6:01 ` Matthew Wilcox 2018-04-08 10:26 ` Dmitry Vyukov 2 siblings, 1 reply; 27+ messages in thread From: Matthew Wilcox @ 2018-04-08 6:01 UTC (permalink / raw) To: Dmitry Vyukov; +Cc: syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro On Fri, Apr 06, 2018 at 03:33:36PM +0200, Dmitry Vyukov wrote: > On Fri, Apr 6, 2018 at 3:24 PM, syzbot > <syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com> wrote: > > Unfortunately, I don't have any reproducer for this crash yet. > > Interesting type of bug, I think we see this for the first time. Can you focus syzbot to try to find a reproducer? This seems to be produced by calling mount() with a pathname that's somewhere between, say, 3950 & 4100 bytes long from a compat 32-bit task. ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: WARNING in kmem_cache_free 2018-04-08 6:01 ` Matthew Wilcox @ 2018-04-08 10:26 ` Dmitry Vyukov 2018-04-08 11:18 ` Dmitry Vyukov 0 siblings, 1 reply; 27+ messages in thread From: Dmitry Vyukov @ 2018-04-08 10:26 UTC (permalink / raw) To: Matthew Wilcox; +Cc: syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro On Sun, Apr 8, 2018 at 8:01 AM, Matthew Wilcox <willy@infradead.org> wrote: > On Fri, Apr 06, 2018 at 03:33:36PM +0200, Dmitry Vyukov wrote: >> On Fri, Apr 6, 2018 at 3:24 PM, syzbot >> <syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com> wrote: >> > Unfortunately, I don't have any reproducer for this crash yet. >> >> Interesting type of bug, I think we see this for the first time. > > Can you focus syzbot to try to find a reproducer? This seems to be > produced by calling mount() with a pathname that's somewhere between, > say, 3950 & 4100 bytes long from a compat 32-bit task. Something in the log definitely triggers a very bad heap corruption. This can be reproduced following instructions at: https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers and then running: ./syz-execprog -sandbox=namespace -arch=386 -repeat=0 -procs=10 log.txt where log.txt comes from "Raw console output" link. Note that you need to build syzkaller with 'make TARGETARCH=386' and the use bin/linux_386/syz-executor. While running it I got: BUG: KASAN: double-free or invalid-free in free_request_size+0x5b/0x70 block/blk-core.c:769 https://gist.githubusercontent.com/dvyukov/05f4e77a34795d329aa7a2f40265e396/raw/63a29123b79f1fbad3521d0ff034946be68bfd4a/gistfile1.txt Then kernel BUG at mm/slab.c:4407! https://gist.githubusercontent.com/dvyukov/5b3bcc90d326e9da3636aea2c95ace8f/raw/1589504c708994936681d61ba9d70029998b9b1a/gistfile1.txt And then BUG: unable to handle kernel paging request at ffffebe000000020 https://gist.githubusercontent.com/dvyukov/72025b1c68e488f4fda243e0c152f044/raw/d2c171bc55ad3a43cea33095fa2eea48768b1131/gistfile1.txt One interesting thing is that if I run the log once and it does not crash, then when I try to start binary again I am getting: [ 456.837870] Invalid argument reading file caps for /root/syz-executor The binary somehow becomes broken on disk... I guess syzbot did find a reproducer in this log, but did not attribute it to this bug as it causes crashes all over the place. ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: WARNING in kmem_cache_free 2018-04-08 10:26 ` Dmitry Vyukov @ 2018-04-08 11:18 ` Dmitry Vyukov 2018-04-08 15:31 ` Stephan Müller 0 siblings, 1 reply; 27+ messages in thread From: Dmitry Vyukov @ 2018-04-08 11:18 UTC (permalink / raw) To: Matthew Wilcox, Herbert Xu, David Miller, linux-crypto, Stephan Mueller, Eric Biggers Cc: syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro On Sun, Apr 8, 2018 at 12:26 PM, Dmitry Vyukov <dvyukov@google.com> wrote: > On Sun, Apr 8, 2018 at 8:01 AM, Matthew Wilcox <willy@infradead.org> wrote: >> On Fri, Apr 06, 2018 at 03:33:36PM +0200, Dmitry Vyukov wrote: >>> On Fri, Apr 6, 2018 at 3:24 PM, syzbot >>> <syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com> wrote: >>> > Unfortunately, I don't have any reproducer for this crash yet. >>> >>> Interesting type of bug, I think we see this for the first time. >> >> Can you focus syzbot to try to find a reproducer? This seems to be >> produced by calling mount() with a pathname that's somewhere between, >> say, 3950 & 4100 bytes long from a compat 32-bit task. > > > Something in the log definitely triggers a very bad heap corruption. > > This can be reproduced following instructions at: > https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers > > and then running: > ./syz-execprog -sandbox=namespace -arch=386 -repeat=0 -procs=10 log.txt > > where log.txt comes from "Raw console output" link. > > Note that you need to build syzkaller with 'make TARGETARCH=386' and > the use bin/linux_386/syz-executor. > > While running it I got: > BUG: KASAN: double-free or invalid-free in free_request_size+0x5b/0x70 > block/blk-core.c:769 > https://gist.githubusercontent.com/dvyukov/05f4e77a34795d329aa7a2f40265e396/raw/63a29123b79f1fbad3521d0ff034946be68bfd4a/gistfile1.txt > > Then kernel BUG at mm/slab.c:4407! > https://gist.githubusercontent.com/dvyukov/5b3bcc90d326e9da3636aea2c95ace8f/raw/1589504c708994936681d61ba9d70029998b9b1a/gistfile1.txt > > And then BUG: unable to handle kernel paging request at ffffebe000000020 > https://gist.githubusercontent.com/dvyukov/72025b1c68e488f4fda243e0c152f044/raw/d2c171bc55ad3a43cea33095fa2eea48768b1131/gistfile1.txt > > One interesting thing is that if I run the log once and it does not > crash, then when I try to start binary again I am getting: > [ 456.837870] Invalid argument reading file caps for /root/syz-executor > The binary somehow becomes broken on disk... > > I guess syzbot did find a reproducer in this log, but did not > attribute it to this bug as it causes crashes all over the place. Running syz-repro utility on this log, I think I've found the guilty guy: https://gist.githubusercontent.com/dvyukov/1dd75d55efd238e7207af1cc38478b3a/raw/403859b56b161a6fbb158e8953fac5bb6e73b1a1/gistfile1.txt It crashes as: BUG: KASAN: use-after-free in drbg_kcapi_seed+0x1178/0x12e0 and: BUG: unable to handle kernel paging request at ffffebe000000020 and with other indications of badly corrupted heap. This points to crypto/drbg.c, so +crypto maintainers. ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: WARNING in kmem_cache_free 2018-04-08 11:18 ` Dmitry Vyukov @ 2018-04-08 15:31 ` Stephan Müller 2018-04-08 15:41 ` Dmitry Vyukov 0 siblings, 1 reply; 27+ messages in thread From: Stephan Müller @ 2018-04-08 15:31 UTC (permalink / raw) To: Dmitry Vyukov Cc: Matthew Wilcox, Herbert Xu, David Miller, linux-crypto, Eric Biggers, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro Am Sonntag, 8. April 2018, 13:18:06 CEST schrieb Dmitry Vyukov: Hi Dmitry, > > Running syz-repro utility on this log, I think I've found the guilty guy: > https://gist.githubusercontent.com/dvyukov/1dd75d55efd238e7207af1cc38478b3a/ > raw/403859b56b161a6fbb158e8953fac5bb6e73b1a1/gistfile1.txt > I am unable to reproduce it with the code. I am using the current cryptodev-2.6 tree with kazan enabled. Could you please give me your kernel config or a pointer of the used tree? > It crashes as: > BUG: KASAN: use-after-free in drbg_kcapi_seed+0x1178/0x12e0 > and: > BUG: unable to handle kernel paging request at ffffebe000000020 > and with other indications of badly corrupted heap. > > This points to crypto/drbg.c, so +crypto maintainers. Ciao Stephan ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: WARNING in kmem_cache_free 2018-04-08 15:31 ` Stephan Müller @ 2018-04-08 15:41 ` Dmitry Vyukov 2018-04-08 19:07 ` [PATCH] crypto: DRBG - guard uninstantion by lock Stephan Müller 0 siblings, 1 reply; 27+ messages in thread From: Dmitry Vyukov @ 2018-04-08 15:41 UTC (permalink / raw) To: Stephan Müller Cc: Matthew Wilcox, Herbert Xu, David Miller, linux-crypto, Eric Biggers, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro On Sun, Apr 8, 2018 at 5:31 PM, Stephan Müller <smueller@chronox.de> wrote: > Am Sonntag, 8. April 2018, 13:18:06 CEST schrieb Dmitry Vyukov: > > Hi Dmitry, > >> >> Running syz-repro utility on this log, I think I've found the guilty guy: >> https://gist.githubusercontent.com/dvyukov/1dd75d55efd238e7207af1cc38478b3a/ >> raw/403859b56b161a6fbb158e8953fac5bb6e73b1a1/gistfile1.txt >> > > I am unable to reproduce it with the code. I am using the current > cryptodev-2.6 tree with kazan enabled. Could you please give me your kernel > config or a pointer of the used tree? Hi, Here is config and kernel commit: https://groups.google.com/d/msg/syzkaller-bugs/PINYyzoaG1s/ntZPOZdcCAAJ You can also find compiler and image here if necessary: https://github.com/google/syzkaller/blob/master/docs/syzbot.md And note that the program needs to be compiled with -m32. The bugs is probably not-compat specific, but the program injects fault into a particular malloc invocation and maybe malloc numbering is affected by compat path. >> It crashes as: >> BUG: KASAN: use-after-free in drbg_kcapi_seed+0x1178/0x12e0 >> and: >> BUG: unable to handle kernel paging request at ffffebe000000020 >> and with other indications of badly corrupted heap. >> >> This points to crypto/drbg.c, so +crypto maintainers. > > > Ciao > Stephan > > > -- > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group. > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com. > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/4564679.HlOejCIXXz%40positron.chronox.de. > For more options, visit https://groups.google.com/d/optout. ^ permalink raw reply [flat|nested] 27+ messages in thread
* [PATCH] crypto: DRBG - guard uninstantion by lock 2018-04-08 15:41 ` Dmitry Vyukov @ 2018-04-08 19:07 ` Stephan Müller 2018-04-08 22:46 ` Theodore Y. Ts'o 0 siblings, 1 reply; 27+ messages in thread From: Stephan Müller @ 2018-04-08 19:07 UTC (permalink / raw) To: Dmitry Vyukov Cc: Matthew Wilcox, Herbert Xu, David Miller, linux-crypto, Eric Biggers, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro Am Sonntag, 8. April 2018, 17:41:17 CEST schrieb Dmitry Vyukov: Hi Dmitry, > > Hi, > > Here is config and kernel commit: > https://groups.google.com/d/msg/syzkaller-bugs/PINYyzoaG1s/ntZPOZdcCAAJ > You can also find compiler and image here if necessary: > https://github.com/google/syzkaller/blob/master/docs/syzbot.md > > And note that the program needs to be compiled with -m32. The bugs is > probably not-compat specific, but the program injects fault into a > particular malloc invocation and maybe malloc numbering is affected by > compat path. I am unable to reproduce the issue. But since you mention that you induce errors, I could see that the unlocking of the DRBG context is too soon. Can you please check whether the attached patch fixes the issue? Thanks ---8<--- In the error code path, the uninstantiation must be guarded by a lock to ensure that the modification of the context is fully atomic. Signed-off-by: Stephan Mueller <smueller@chronox.de> Reported-by: syzkaller --- crypto/drbg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/drbg.c b/crypto/drbg.c index 4faa2781c964..68c1949a253f 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -1510,8 +1510,8 @@ static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, return ret; free_everything: - mutex_unlock(&drbg->drbg_mutex); drbg_uninstantiate(drbg); + mutex_unlock(&drbg->drbg_mutex); return ret; } -- 2.14.3 ^ permalink raw reply related [flat|nested] 27+ messages in thread
* Re: [PATCH] crypto: DRBG - guard uninstantion by lock 2018-04-08 19:07 ` [PATCH] crypto: DRBG - guard uninstantion by lock Stephan Müller @ 2018-04-08 22:46 ` Theodore Y. Ts'o 0 siblings, 0 replies; 27+ messages in thread From: Theodore Y. Ts'o @ 2018-04-08 22:46 UTC (permalink / raw) To: Stephan Müller Cc: Dmitry Vyukov, Matthew Wilcox, Herbert Xu, David Miller, linux-crypto, Eric Biggers, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro On Sun, Apr 08, 2018 at 09:07:03PM +0200, Stephan Müller wrote: > Can you please check whether the attached patch fixes the issue? > Stephan, FYI, if you incude in your e-mail "#syz test <GIT URL> <BRANCH>" as the first line of your patch and the syzbot e-mail is cc'ed, the syzbot will automatically apply the patch in the e-mail against the git tree/branch specified in the "#syz test" line, and then try to see if the problem it discovered still reproduces --- and then send you e-mail one way or another. So the syzbot will run while the patch goes through the normal e-mail review process, which is kind of neat. :-) Cheers, - Ted ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH] crypto: DRBG - guard uninstantion by lock @ 2018-04-08 22:46 ` Theodore Y. Ts'o 0 siblings, 0 replies; 27+ messages in thread From: Theodore Y. Ts'o @ 2018-04-08 22:46 UTC (permalink / raw) To: Stephan Müller Cc: Dmitry Vyukov, Matthew Wilcox, Herbert Xu, David Miller, linux-crypto, Eric Biggers, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro On Sun, Apr 08, 2018 at 09:07:03PM +0200, Stephan M�ller wrote: > Can you please check whether the attached patch fixes the issue? > Stephan, FYI, if you incude in your e-mail "#syz test <GIT URL> <BRANCH>" as the first line of your patch and the syzbot e-mail is cc'ed, the syzbot will automatically apply the patch in the e-mail against the git tree/branch specified in the "#syz test" line, and then try to see if the problem it discovered still reproduces --- and then send you e-mail one way or another. So the syzbot will run while the patch goes through the normal e-mail review process, which is kind of neat. :-) Cheers, - Ted ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH] crypto: DRBG - guard uninstantion by lock 2018-04-08 22:46 ` Theodore Y. Ts'o (?) @ 2018-04-09 5:40 ` Stephan Mueller 2018-04-09 7:57 ` Dmitry Vyukov -1 siblings, 1 reply; 27+ messages in thread From: Stephan Mueller @ 2018-04-09 5:40 UTC (permalink / raw) To: Theodore Y. Ts'o Cc: Dmitry Vyukov, Matthew Wilcox, Herbert Xu, David Miller, linux-crypto, Eric Biggers, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro Am Montag, 9. April 2018, 00:46:03 CEST schrieb Theodore Y. Ts'o: Hi Theodore, > > So the syzbot will run while the patch goes through the normal e-mail > review process, which is kind of neat. :-) Thank you very much for the hint. That is a neat feature indeed. As I came late to the party and I missed the original mails, I am wondering about which GIT repo was used and which branch of it. With that, I would be happy to resubmit with the test line. Ciao Stephan ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH] crypto: DRBG - guard uninstantion by lock 2018-04-09 5:40 ` Stephan Mueller @ 2018-04-09 7:57 ` Dmitry Vyukov 2018-04-10 15:23 ` Dmitry Vyukov 0 siblings, 1 reply; 27+ messages in thread From: Dmitry Vyukov @ 2018-04-09 7:57 UTC (permalink / raw) To: Stephan Mueller Cc: Theodore Y. Ts'o, Matthew Wilcox, Herbert Xu, David Miller, linux-crypto, Eric Biggers, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro On Mon, Apr 9, 2018 at 7:40 AM, Stephan Mueller <smueller@chronox.de> wrote: > Am Montag, 9. April 2018, 00:46:03 CEST schrieb Theodore Y. Ts'o: > > Hi Theodore, >> >> So the syzbot will run while the patch goes through the normal e-mail >> review process, which is kind of neat. :-) > > Thank you very much for the hint. That is a neat feature indeed. > > As I came late to the party and I missed the original mails, I am wondering > about which GIT repo was used and which branch of it. With that, I would be > happy to resubmit with the test line. All syzbot reported bugs are available here: https://groups.google.com/forum/#!searchin/syzkaller-bugs/"WARNING$20in$20kmem_cache_free" and here: https://syzkaller.appspot.com/ But unfortunately testing won't work in this case, because I manually extracted a reproducer and syzbot does not know about it. This bug seems to lead to assorted silent heap corruptions and different manifestations each time, so it's difficult for syzbot to attribute a reproducer to the bug. When we debug it, it would be nice to understand why the heap corruption is silent and is not detected by KASAN and anything else, to prevent such unpleasant cases in future. I've tested it manually, but unfortunately kernel still crashed within a minute: $ git status HEAD detached at f2d285669aae Changes not staged for commit: (use "git add <file>..." to update what will be committed) (use "git checkout -- <file>..." to discard changes in working directory) modified: crypto/drbg.c $ git diff diff --git a/crypto/drbg.c b/crypto/drbg.c index 4faa2781c964..68c1949a253f 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -1510,8 +1510,8 @@ static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers, return ret; free_everything: - mutex_unlock(&drbg->drbg_mutex); drbg_uninstantiate(drbg); + mutex_unlock(&drbg->drbg_mutex); return ret; } # ./a.out ... [ 183.647874] FAULT_INJECTION: forcing a failure. [ 183.647874] name failslab, interval 1, probability 0, space 0, times 0 [ 183.648287] Call Trace: [ 183.648297] dump_stack+0x1b9/0x29f [ 183.648306] ? arch_local_irq_restore+0x52/0x52 [ 183.648318] ? __save_stack_trace+0x7e/0xd0 [ 183.651848] should_fail.cold.4+0xa/0x1a [ 183.652411] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 183.653138] ? kasan_kmalloc+0xc4/0xe0 [ 183.653694] ? __kmalloc+0x14e/0x760 [ 183.654206] ? drbg_kcapi_seed+0x776/0x12e0 [ 183.654798] ? crypto_rng_reset+0x7c/0x130 [ 183.655379] ? rng_setkey+0x25/0x30 [ 183.655882] ? alg_setsockopt+0x306/0x3b0 [ 183.656450] ? graph_lock+0x170/0x170 [ 183.656975] ? entry_SYSENTER_compat+0x70/0x7f [ 183.657606] ? find_held_lock+0x36/0x1c0 [ 183.658164] ? __lock_is_held+0xb5/0x140 [ 183.658728] ? check_same_owner+0x320/0x320 [ 183.659321] ? rcu_note_context_switch+0x710/0x710 [ 183.660000] should_failslab+0x124/0x180 [ 183.660561] __kmalloc+0x2c8/0x760 [ 183.661046] ? graph_lock+0x170/0x170 [ 183.661569] ? drbg_kcapi_seed+0x882/0x12e0 [ 183.662161] drbg_kcapi_seed+0x882/0x12e0 [ 183.662731] ? drbg_seed+0x10a0/0x10a0 [ 183.663267] ? lock_downgrade+0x8e0/0x8e0 [ 183.663833] ? lock_acquire+0x1dc/0x520 [ 183.664385] ? lock_release+0xa10/0xa10 [ 183.664934] ? check_same_owner+0x320/0x320 [ 183.665530] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 183.666292] ? __check_object_size+0x95/0x5d9 [ 183.666904] ? sock_kmalloc+0x14e/0x1d0 [ 183.667444] ? mark_held_locks+0xc9/0x160 [ 183.668020] ? __might_sleep+0x95/0x190 [ 183.668567] crypto_rng_reset+0x7c/0x130 [ 183.669124] rng_setkey+0x25/0x30 [ 183.669598] ? rng_sock_destruct+0x90/0x90 [ 183.670176] alg_setsockopt+0x306/0x3b0 [ 183.670724] __compat_sys_setsockopt+0x315/0x7c0 [ 183.671375] ? __compat_sys_getsockopt+0x7f0/0x7f0 [ 183.672057] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 183.672813] ? ksys_write+0x1a6/0x250 [ 183.673333] ? SyS_read+0x30/0x30 [ 183.673811] compat_SyS_setsockopt+0x34/0x50 [ 183.674416] ? scm_detach_fds_compat+0x440/0x440 [ 183.675079] do_fast_syscall_32+0x41f/0x10dc [ 183.675725] ? do_page_fault+0xee/0x8a7 [ 183.676284] ? do_int80_syscall_32+0xa70/0xa70 [ 183.676925] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 183.677590] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 183.678348] ? syscall_return_slowpath+0x30f/0x5c0 [ 183.679026] ? sysret32_from_system_call+0x5/0x3c [ 183.679694] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 183.680380] entry_SYSENTER_compat+0x70/0x7f [ 183.681000] RIP: 0023:0xf7f0ecb9 [ 183.681488] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296 ORIG_RAX: 000000000000016e [ 183.682606] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117 [ 183.683620] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000 [ 183.684602] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000 [ 183.685622] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 183.686642] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 183.687712] CPU: 0 PID: 5506 Comm: a.out Not tainted 4.16.0+ #4 [ 183.688602] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 [ 183.689764] BUG: unable to handle kernel [ 183.689776] Call Trace: [ 183.689782] NULL pointer dereference [ 183.690367] dump_stack+0x1b9/0x29f [ 183.690709] at 0000000000000106 [ 183.691237] ? arch_local_irq_restore+0x52/0x52 [ 183.691721] PGD 64a50067 [ 183.692164] should_fail.cold.4+0xa/0x1a [ 183.692747] P4D 64a50067 [ 183.693110] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 183.693620] PUD 61a17067 [ 183.693981] ? graph_lock+0x170/0x170 [ 183.694622] PMD 0 [ 183.694980] ? find_held_lock+0x36/0x1c0 [ 183.695766] ? __lock_is_held+0xb5/0x140 [ 183.696285] Oops: 0000 [#1] SMP KASAN [ 183.696852] ? check_same_owner+0x320/0x320 [ 183.697337] Modules linked in: [ 183.697962] ? rcu_note_context_switch+0x710/0x710 [ 183.697973] CPU: 2 PID: 4054 Comm: a.out Not tainted 4.16.0+ #4 [ 183.698436] ? drbg_init_hash_kernel+0x300/0x300 [ 183.699060] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 [ 183.699942] should_failslab+0x124/0x180 [ 183.700559] RIP: 0010:qlist_free_all+0x37/0x160 [ 183.701763] __kmalloc+0x2c8/0x760 [ 183.702292] RSP: 0018:ffff880062de7050 EFLAGS: 00010246 [ 183.702976] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 183.703437] RAX: ffff88000040008c RBX: 0000000000000282 RCX: 0000000000000000 [ 183.704205] ? drbg_kcapi_seed+0x776/0x12e0 [ 183.704804] RDX: ffffea0000010000 RSI: ffff88007ffdc39f RDI: 0000000000000282 [ 183.704812] RBP: ffff880062de7088 R08: ffff88006bb1ce78 R09: 0000000000000006 [ 183.705824] drbg_kcapi_seed+0x776/0x12e0 [ 183.706369] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 183.706377] R13: 000000000000000a R14: ffff88000040008c R15: ffffffff88b172a0 [ 183.707382] ? drbg_seed+0x10a0/0x10a0 [ 183.708311] FS: 0000000000000000(0000) GS:ffff88006c900000(0063) knlGS:0000000009fbd840 [ 183.708839] ? lock_downgrade+0x8e0/0x8e0 [ 183.709760] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 [ 183.710760] ? lock_acquire+0x1dc/0x520 [ 183.711252] CR2: 0000000000000106 CR3: 00000000651d8002 CR4: 00000000001606e0 [ 183.711257] Call Trace: [ 183.712390] ? lock_release+0xa10/0xa10 [ 183.712922] quarantine_reduce+0x141/0x170 [ 183.713733] ? check_same_owner+0x320/0x320 [ 183.714246] kasan_kmalloc+0x99/0xe0 [ 183.715244] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 183.715586] kasan_slab_alloc+0x12/0x20 [ 183.716143] ? __check_object_size+0x95/0x5d9 [ 183.716683] kmem_cache_alloc_node+0x131/0x780 [ 183.717282] ? sock_kmalloc+0x14e/0x1d0 [ 183.717760] ? do_raw_spin_unlock+0x1f9/0x2e0 [ 183.718520] ? mark_held_locks+0xc9/0x160 [ 183.719029] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 183.719654] ? __might_sleep+0x95/0x190 [ 183.720280] copy_process.part.39+0x16c4/0x6ee0 [ 183.720828] crypto_rng_reset+0x7c/0x130 [ 183.721434] ? trace_hardirqs_on+0xd/0x10 [ 183.722007] rng_setkey+0x25/0x30 [ 183.722596] ? debug_object_active_state+0x2e7/0x4e0 [ 183.723145] ? rng_sock_destruct+0x90/0x90 [ 183.723745] ? kasan_check_read+0x11/0x20 [ 183.724308] alg_setsockopt+0x306/0x3b0 [ 183.724845] ? rcu_is_watching+0x85/0x140 [ 183.725324] __compat_sys_setsockopt+0x315/0x7c0 [ 183.725972] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 183.726560] ? __compat_sys_getsockopt+0x7f0/0x7f0 [ 183.727091] ? __call_rcu.constprop.68+0x396/0xbb0 [ 183.727643] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 183.728173] ? __cleanup_sighand+0x70/0x70 [ 183.728827] ? ksys_write+0x1a6/0x250 [ 183.729485] ? note_gp_changes+0x540/0x540 [ 183.730161] ? SyS_read+0x30/0x30 [ 183.730797] ? lock_downgrade+0x8e0/0x8e0 [ 183.731558] compat_SyS_setsockopt+0x34/0x50 [ 183.732109] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 183.732636] ? scm_detach_fds_compat+0x440/0x440 [ 183.733180] ? tty_kref_put.part.14+0x81/0x250 [ 183.733657] do_fast_syscall_32+0x41f/0x10dc [ 183.734190] ? __cleanup_sighand+0x58/0x70 [ 183.734798] ? do_page_fault+0xee/0x8a7 [ 183.735505] ? do_raw_write_trylock+0x1b0/0x1b0 [ 183.736162] ? do_int80_syscall_32+0xa70/0xa70 [ 183.736745] ? print_usage_bug+0xc0/0xc0 [ 183.737367] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 183.737907] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 183.738459] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 183.739057] ? call_rcu_sched+0x12/0x20 [ 183.739700] ? syscall_return_slowpath+0x30f/0x5c0 [ 183.740220] ? release_task.part.15+0xf70/0x1b90 [ 183.740882] ? sysret32_from_system_call+0x5/0x3c [ 183.741522] ? __lock_acquire+0x7f5/0x5130 [ 183.742290] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 183.742798] ? rcu_is_watching+0x85/0x140 [ 183.743480] entry_SYSENTER_compat+0x70/0x7f [ 183.744099] ? find_held_lock+0x36/0x1c0 [ 183.744769] RIP: 0023:0xf7f0ecb9 [ 183.745327] ? debug_check_no_locks_freed+0x310/0x310 [ 183.745990] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296 [ 183.746525] ? lock_downgrade+0x8e0/0x8e0 [ 183.747126] ORIG_RAX: 000000000000016e [ 183.747653] ? find_held_lock+0x36/0x1c0 [ 183.748117] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117 [ 183.748800] ? print_usage_bug+0xc0/0xc0 [ 183.749530] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000 [ 183.749538] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000 [ 183.750087] ? lock_downgrade+0x8e0/0x8e0 [ 183.750632] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 183.751152] ? lock_downgrade+0x8e0/0x8e0 [ 183.752156] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 183.752170] CPU: 3 PID: 5504 Comm: a.out Not tainted 4.16.0+ #4 [ 183.752693] ? __lock_acquire+0x7f5/0x5130 [ 183.753653] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 [ 183.754595] ? graph_lock+0x170/0x170 [ 183.755167] Call Trace: [ 183.756102] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 183.756639] dump_stack+0x1b9/0x29f [ 183.757562] ? debug_check_no_locks_freed+0x310/0x310 [ 183.758333] ? arch_local_irq_restore+0x52/0x52 [ 183.758872] ? find_held_lock+0x36/0x1c0 [ 183.759218] FAULT_INJECTION: forcing a failure. [ 183.759218] name failslab, interval 1, probability 0, space 0, times 0 [ 183.759966] ? __save_stack_trace+0x7e/0xd0 [ 183.760453] ? lock_downgrade+0x8e0/0x8e0 [ 183.760788] should_fail.cold.4+0xa/0x1a [ 183.761427] ? do_raw_spin_unlock+0x1f9/0x2e0 [ 183.761933] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 183.762593] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 183.763216] ? kasan_kmalloc+0xc4/0xe0 [ 183.763742] ? _raw_spin_unlock_irqrestore+0x74/0xc0 [ 183.765288] ? __kmalloc+0x14e/0x760 [ 183.765844] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 183.766423] ? drbg_kcapi_seed+0x776/0x12e0 [ 183.766945] ? trace_hardirqs_on+0xd/0x10 [ 183.767556] ? crypto_rng_reset+0x7c/0x130 [ 183.768227] ? graph_lock+0x170/0x170 [ 183.768845] ? rng_setkey+0x25/0x30 [ 183.769368] ? add_wait_queue+0x2a0/0x2a0 [ 183.770026] ? alg_setsockopt+0x306/0x3b0 [ 183.770501] ? kasan_check_write+0x14/0x20 [ 183.771198] ? graph_lock+0x170/0x170 [ 183.771758] ? do_raw_read_lock+0x3f/0x80 [ 183.772336] ? entry_SYSENTER_compat+0x70/0x7f [ 183.772887] _do_fork+0x291/0x12a0 [ 183.773416] ? find_held_lock+0x36/0x1c0 [ 183.773881] ? fork_idle+0x1a0/0x1a0 [ 183.774458] ? __lock_is_held+0xb5/0x140 [ 183.774989] ? lock_release+0xa10/0xa10 [ 183.775581] ? check_same_owner+0x320/0x320 [ 183.776070] ? check_same_owner+0x320/0x320 [ 183.776650] ? rcu_note_context_switch+0x710/0x710 [ 183.777234] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 183.777725] should_failslab+0x124/0x180 [ 183.778246] ? put_pid.part.2+0x1bc/0x230 [ 183.778792] __kmalloc+0x2c8/0x760 [ 183.779311] ? __might_sleep+0x95/0x190 [ 183.779871] ? graph_lock+0x170/0x170 [ 183.780426] ? __might_fault+0x1a3/0x1e0 [ 183.781007] ? drbg_kcapi_seed+0x882/0x12e0 [ 183.781643] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 183.782423] drbg_kcapi_seed+0x882/0x12e0 [ 183.782942] ? kernel_wait4+0x2d8/0x3d0 [ 183.783520] ? drbg_seed+0x10a0/0x10a0 [ 183.783980] ? SyS_waitid+0x40/0x40 [ 183.784539] ? lock_downgrade+0x8e0/0x8e0 [ 183.785026] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 183.785596] ? lock_acquire+0x1dc/0x520 [ 183.786146] ? task_stopped_code+0x190/0x190 [ 183.786922] ? lock_release+0xa10/0xa10 [ 183.787451] compat_SyS_x86_clone+0x37/0x50 [ 183.788020] ? check_same_owner+0x320/0x320 [ 183.788517] ? compat_SyS_x86_fallocate+0x60/0x60 [ 183.789028] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 183.789556] do_fast_syscall_32+0x41f/0x10dc [ 183.790334] ? __check_object_size+0x95/0x5d9 [ 183.790841] ? do_page_fault+0xee/0x8a7 [ 183.791460] ? sock_kmalloc+0x14e/0x1d0 [ 183.791971] ? do_int80_syscall_32+0xa70/0xa70 [ 183.792583] ? mark_held_locks+0xc9/0x160 [ 183.793137] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 183.793820] ? __might_sleep+0x95/0x190 [ 183.794528] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 183.795147] crypto_rng_reset+0x7c/0x130 [ 183.795737] ? syscall_return_slowpath+0x30f/0x5c0 [ 183.796291] rng_setkey+0x25/0x30 [ 183.796803] ? sysret32_from_system_call+0x5/0x3c [ 183.797442] ? rng_sock_destruct+0x90/0x90 [ 183.797997] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 183.798658] alg_setsockopt+0x306/0x3b0 [ 183.799166] entry_SYSENTER_compat+0x70/0x7f [ 183.799971] __compat_sys_setsockopt+0x315/0x7c0 [ 183.800486] RIP: 0023:0xf7f0ecb9 [ 183.801190] ? __compat_sys_getsockopt+0x7f0/0x7f0 [ 183.801631] RSP: 002b:00000000ffeb1ec0 EFLAGS: 00000246 [ 183.802312] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 183.802850] ORIG_RAX: 0000000000000078 [ 183.803534] ? ksys_write+0x1a6/0x250 [ 183.804067] RAX: ffffffffffffffda RBX: 0000000001200011 RCX: 0000000000000000 [ 183.804693] ? SyS_read+0x30/0x30 [ 183.805295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000009fbd8a8 [ 183.805768] compat_SyS_setsockopt+0x34/0x50 [ 183.806404] RBP: 00000000ffeb1ef8 R08: 0000000000000000 R09: 0000000000000000 [ 183.807154] ? scm_detach_fds_compat+0x440/0x440 [ 183.807861] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 183.808421] do_fast_syscall_32+0x41f/0x10dc [ 183.808900] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 183.808905] Code: [ 183.809928] ? do_page_fault+0xee/0x8a7 [ 183.810365] 55 [ 183.811385] ? do_int80_syscall_32+0xa70/0xa70 [ 183.811949] 48 [ 183.812992] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 183.813590] 89 [ 183.814630] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 183.815191] e5 [ 183.816214] ? syscall_return_slowpath+0x30f/0x5c0 [ 183.816487] 41 [ 183.817066] ? sysret32_from_system_call+0x5/0x3c [ 183.817313] 57 [ 183.817958] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 183.818200] 49 [ 183.818869] entry_SYSENTER_compat+0x70/0x7f [ 183.819109] c7 [ 183.819894] RIP: 0023:0xf7f0ecb9 [ 183.820135] c7 [ 183.820821] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296 [ 183.821065] a0 [ 183.821738] ORIG_RAX: 000000000000016e [ 183.821984] 72 [ 183.822657] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117 [ 183.822900] b1 [ 183.823513] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000 [ 183.823760] 88 [ 183.824230] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000 [ 183.824238] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 183.824492] 41 [ 183.825238] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 183.825250] CPU: 0 PID: 5512 Comm: a.out Not tainted 4.16.0+ #4 [ 183.825490] 56 [ 183.826073] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 [ 183.826204] FAULT_INJECTION: forcing a failure. [ 183.826204] name failslab, interval 1, probability 0, space 0, times 0 [ 183.826315] 41 [ 183.827333] Call Trace: [ 183.827583] 55 [ 183.828608] dump_stack+0x1b9/0x29f [ 183.828844] 41 [ 183.829864] ? arch_local_irq_restore+0x52/0x52 [ 183.830780] 54 [ 183.831054] ? __save_stack_trace+0x7e/0xd0 [ 183.831979] 49 [ 183.832860] should_fail.cold.4+0xa/0x1a [ 183.833097] 89 [ 183.834277] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 183.835690] f4 [ 183.835964] ? kasan_kmalloc+0xc4/0xe0 [ 183.836300] 53 [ 183.836568] ? __kmalloc+0x14e/0x760 [ 183.836577] ? drbg_kcapi_seed+0x776/0x12e0 [ 183.837061] 48 [ 183.837329] ? crypto_rng_reset+0x7c/0x130 [ 183.837338] ? rng_setkey+0x25/0x30 [ 183.837931] 83 [ 183.838200] ? alg_setsockopt+0x306/0x3b0 [ 183.838748] ec [ 183.839015] ? __compat_sys_setsockopt+0x315/0x7c0 [ 183.839026] ? do_fast_syscall_32+0x41f/0x10dc [ 183.839536] 10 [ 183.839814] ? entry_SYSENTER_compat+0x70/0x7f [ 183.840457] 48 [ 183.840728] ? check_same_owner+0x320/0x320 [ 183.841224] 89 [ 183.841495] ? kasan_check_write+0x14/0x20 [ 183.841969] 7d [ 183.842572] ? kasan_unpoison_shadow+0x35/0x50 [ 183.842811] c8 [ 183.843405] ? lock_acquire+0x1dc/0x520 [ 183.843867] 4d [ 183.844142] ? fs_reclaim_acquire+0x20/0x20 [ 183.844665] 89 [ 183.844935] ? lock_downgrade+0x8e0/0x8e0 [ 183.845555] e5 [ 183.846234] ? lock_release+0xa10/0xa10 [ 183.846474] 4d [ 183.847130] ? drbg_init_sym_kernel+0x516/0x74a [ 183.847139] ? check_same_owner+0x320/0x320 [ 183.847380] 85 [ 183.847991] ? rcu_note_context_switch+0x710/0x710 [ 183.848229] e4 [ 183.848824] should_failslab+0x124/0x180 [ 183.849063] 0f [ 183.849707] __kmalloc+0x2c8/0x760 [ 183.849946] 84 [ 183.850505] ? lock_acquire+0x1dc/0x520 [ 183.850744] c8 [ 183.851350] ? __fget+0x3e3/0x650 [ 183.851593] 00 [ 183.852177] ? drbg_kcapi_seed+0x882/0x12e0 [ 183.852416] 00 [ 183.852972] drbg_kcapi_seed+0x882/0x12e0 [ 183.853213] 00 [ 183.853867] ? drbg_seed+0x10a0/0x10a0 [ 183.854414] <49> [ 183.854688] ? lock_acquire+0x1dc/0x520 [ 183.855313] 63 [ 183.855591] ? __might_fault+0x12b/0x1e0 [ 183.856105] 95 [ 183.856375] ? lock_downgrade+0x8e0/0x8e0 [ 183.856821] fc [ 183.857090] ? lock_acquire+0x1dc/0x520 [ 183.857590] 00 [ 183.857858] ? lock_release+0xa10/0xa10 [ 183.858319] 00 [ 183.858589] ? check_same_owner+0x320/0x320 [ 183.859131] 00 [ 183.859401] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 183.859928] 4c [ 183.860200] ? __check_object_size+0x95/0x5d9 [ 183.860689] 8b [ 183.860983] ? sock_kmalloc+0x14e/0x1d0 [ 183.861482] 30 [ 183.861748] ? do_raw_spin_unlock+0x1f9/0x2e0 [ 183.861758] ? __might_sleep+0x95/0x190 [ 183.862269] 48 [ 183.862539] crypto_rng_reset+0x7c/0x130 [ 183.863079] 29 [ 183.863348] rng_setkey+0x25/0x30 [ 183.863878] d0 [ 183.864150] ? rng_sock_destruct+0x90/0x90 [ 183.864654] 49 [ 183.864924] alg_setsockopt+0x306/0x3b0 [ 183.865488] 83 [ 183.865758] __compat_sys_setsockopt+0x315/0x7c0 [ 183.866488] 3f [ 183.866758] ? __compat_sys_getsockopt+0x7f0/0x7f0 [ 183.867324] 00 [ 183.867598] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 183.868098] 48 [ 183.868369] ? ksys_write+0x1a6/0x250 [ 183.868941] 89 [ 183.869500] ? SyS_read+0x30/0x30 [ 183.869740] c6 [ 183.870312] compat_SyS_setsockopt+0x34/0x50 [ 183.870551] 0f [ 183.871043] ? scm_detach_fds_compat+0x440/0x440 [ 183.871289] RIP: qlist_free_all+0x37/0x160 RSP: ffff880062de7050 [ 183.871893] do_fast_syscall_32+0x41f/0x10dc [ 183.872134] CR2: 0000000000000106 [ 183.872695] ? do_page_fault+0xee/0x8a7 [ 183.872988] ---[ end trace 0fa4e77a7b3c174f ]--- [ 183.873604] ? do_int80_syscall_32+0xa70/0xa70 [ 183.873611] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 183.873622] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 183.873871] Kernel panic - not syncing: Fatal exception [ 183.874560] ? syscall_return_slowpath+0x30f/0x5c0 [ 183.885552] ? prepare_exit_to_usermode+0x390/0x390 [ 183.886255] ? prepare_exit_to_usermode+0x285/0x390 [ 183.886953] ? perf_trace_sys_enter+0xaf0/0xaf0 [ 183.887609] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 183.888289] entry_SYSENTER_compat+0x70/0x7f [ 183.888906] RIP: 0023:0xf7f0ecb9 [ 183.889376] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296 ORIG_RAX: 000000000000016e [ 183.890447] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117 [ 183.891452] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000 [ 183.892463] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000 [ 183.893471] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 183.894481] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 183.895514] Kernel Offset: disabled [ 183.896034] Rebooting in 86400 seconds.. ^ permalink raw reply related [flat|nested] 27+ messages in thread
* Re: [PATCH] crypto: DRBG - guard uninstantion by lock 2018-04-09 7:57 ` Dmitry Vyukov @ 2018-04-10 15:23 ` Dmitry Vyukov 2018-04-10 15:35 ` Stephan Mueller 0 siblings, 1 reply; 27+ messages in thread From: Dmitry Vyukov @ 2018-04-10 15:23 UTC (permalink / raw) To: Stephan Mueller Cc: Theodore Y. Ts'o, Matthew Wilcox, Herbert Xu, David Miller, linux-crypto, Eric Biggers, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro On Mon, Apr 9, 2018 at 9:57 AM, Dmitry Vyukov <dvyukov@google.com> wrote: > On Mon, Apr 9, 2018 at 7:40 AM, Stephan Mueller <smueller@chronox.de> wrote: >> Am Montag, 9. April 2018, 00:46:03 CEST schrieb Theodore Y. Ts'o: >> >> Hi Theodore, >>> >>> So the syzbot will run while the patch goes through the normal e-mail >>> review process, which is kind of neat. :-) >> >> Thank you very much for the hint. That is a neat feature indeed. >> >> As I came late to the party and I missed the original mails, I am wondering >> about which GIT repo was used and which branch of it. With that, I would be >> happy to resubmit with the test line. > > All syzbot reported bugs are available here: > https://groups.google.com/forum/#!searchin/syzkaller-bugs/"WARNING$20in$20kmem_cache_free" > and here: > https://syzkaller.appspot.com/ > > But unfortunately testing won't work in this case, because I manually > extracted a reproducer and syzbot does not know about it. This bug > seems to lead to assorted silent heap corruptions and different > manifestations each time, so it's difficult for syzbot to attribute a > reproducer to the bug. When we debug it, it would be nice to > understand why the heap corruption is silent and is not detected by > KASAN and anything else, to prevent such unpleasant cases in future. > > I've tested it manually, but unfortunately kernel still crashed within a minute: Stephan, Do you have any hypothesis as to why this is not detected by KASAN and causes silent corruptions? We generally try to understand such cases and improve KASAN so that it catches such cases more reliably and they do not cause splashes of random crashes on syzbot. Thanks > $ git status > HEAD detached at f2d285669aae > Changes not staged for commit: > (use "git add <file>..." to update what will be committed) > (use "git checkout -- <file>..." to discard changes in working directory) > > modified: crypto/drbg.c > > $ git diff > diff --git a/crypto/drbg.c b/crypto/drbg.c > index 4faa2781c964..68c1949a253f 100644 > --- a/crypto/drbg.c > +++ b/crypto/drbg.c > @@ -1510,8 +1510,8 @@ static int drbg_instantiate(struct drbg_state > *drbg, struct drbg_string *pers, > return ret; > > free_everything: > - mutex_unlock(&drbg->drbg_mutex); > drbg_uninstantiate(drbg); > + mutex_unlock(&drbg->drbg_mutex); > return ret; > } > > # ./a.out > ... > [ 183.647874] FAULT_INJECTION: forcing a failure. > [ 183.647874] name failslab, interval 1, probability 0, space 0, times 0 > [ 183.648287] Call Trace: > [ 183.648297] dump_stack+0x1b9/0x29f > [ 183.648306] ? arch_local_irq_restore+0x52/0x52 > [ 183.648318] ? __save_stack_trace+0x7e/0xd0 > [ 183.651848] should_fail.cold.4+0xa/0x1a > [ 183.652411] ? fault_create_debugfs_attr+0x1f0/0x1f0 > [ 183.653138] ? kasan_kmalloc+0xc4/0xe0 > [ 183.653694] ? __kmalloc+0x14e/0x760 > [ 183.654206] ? drbg_kcapi_seed+0x776/0x12e0 > [ 183.654798] ? crypto_rng_reset+0x7c/0x130 > [ 183.655379] ? rng_setkey+0x25/0x30 > [ 183.655882] ? alg_setsockopt+0x306/0x3b0 > [ 183.656450] ? graph_lock+0x170/0x170 > [ 183.656975] ? entry_SYSENTER_compat+0x70/0x7f > [ 183.657606] ? find_held_lock+0x36/0x1c0 > [ 183.658164] ? __lock_is_held+0xb5/0x140 > [ 183.658728] ? check_same_owner+0x320/0x320 > [ 183.659321] ? rcu_note_context_switch+0x710/0x710 > [ 183.660000] should_failslab+0x124/0x180 > [ 183.660561] __kmalloc+0x2c8/0x760 > [ 183.661046] ? graph_lock+0x170/0x170 > [ 183.661569] ? drbg_kcapi_seed+0x882/0x12e0 > [ 183.662161] drbg_kcapi_seed+0x882/0x12e0 > [ 183.662731] ? drbg_seed+0x10a0/0x10a0 > [ 183.663267] ? lock_downgrade+0x8e0/0x8e0 > [ 183.663833] ? lock_acquire+0x1dc/0x520 > [ 183.664385] ? lock_release+0xa10/0xa10 > [ 183.664934] ? check_same_owner+0x320/0x320 > [ 183.665530] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 > [ 183.666292] ? __check_object_size+0x95/0x5d9 > [ 183.666904] ? sock_kmalloc+0x14e/0x1d0 > [ 183.667444] ? mark_held_locks+0xc9/0x160 > [ 183.668020] ? __might_sleep+0x95/0x190 > [ 183.668567] crypto_rng_reset+0x7c/0x130 > [ 183.669124] rng_setkey+0x25/0x30 > [ 183.669598] ? rng_sock_destruct+0x90/0x90 > [ 183.670176] alg_setsockopt+0x306/0x3b0 > [ 183.670724] __compat_sys_setsockopt+0x315/0x7c0 > [ 183.671375] ? __compat_sys_getsockopt+0x7f0/0x7f0 > [ 183.672057] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 > [ 183.672813] ? ksys_write+0x1a6/0x250 > [ 183.673333] ? SyS_read+0x30/0x30 > [ 183.673811] compat_SyS_setsockopt+0x34/0x50 > [ 183.674416] ? scm_detach_fds_compat+0x440/0x440 > [ 183.675079] do_fast_syscall_32+0x41f/0x10dc > [ 183.675725] ? do_page_fault+0xee/0x8a7 > [ 183.676284] ? do_int80_syscall_32+0xa70/0xa70 > [ 183.676925] ? trace_hardirqs_on_thunk+0x1a/0x1c > [ 183.677590] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 > [ 183.678348] ? syscall_return_slowpath+0x30f/0x5c0 > [ 183.679026] ? sysret32_from_system_call+0x5/0x3c > [ 183.679694] ? trace_hardirqs_off_thunk+0x1a/0x1c > [ 183.680380] entry_SYSENTER_compat+0x70/0x7f > [ 183.681000] RIP: 0023:0xf7f0ecb9 > [ 183.681488] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296 ORIG_RAX: > 000000000000016e > [ 183.682606] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117 > [ 183.683620] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000 > [ 183.684602] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000 > [ 183.685622] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 > [ 183.686642] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 > [ 183.687712] CPU: 0 PID: 5506 Comm: a.out Not tainted 4.16.0+ #4 > [ 183.688602] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), > BIOS 1.10.2-1 04/01/2014 > [ 183.689764] BUG: unable to handle kernel > [ 183.689776] Call Trace: > [ 183.689782] NULL pointer dereference > [ 183.690367] dump_stack+0x1b9/0x29f > [ 183.690709] at 0000000000000106 > [ 183.691237] ? arch_local_irq_restore+0x52/0x52 > [ 183.691721] PGD 64a50067 > [ 183.692164] should_fail.cold.4+0xa/0x1a > [ 183.692747] P4D 64a50067 > [ 183.693110] ? fault_create_debugfs_attr+0x1f0/0x1f0 > [ 183.693620] PUD 61a17067 > [ 183.693981] ? graph_lock+0x170/0x170 > [ 183.694622] PMD 0 > [ 183.694980] ? find_held_lock+0x36/0x1c0 > [ 183.695766] ? __lock_is_held+0xb5/0x140 > [ 183.696285] Oops: 0000 [#1] SMP KASAN > [ 183.696852] ? check_same_owner+0x320/0x320 > [ 183.697337] Modules linked in: > [ 183.697962] ? rcu_note_context_switch+0x710/0x710 > [ 183.697973] CPU: 2 PID: 4054 Comm: a.out Not tainted 4.16.0+ #4 > [ 183.698436] ? drbg_init_hash_kernel+0x300/0x300 > [ 183.699060] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), > BIOS 1.10.2-1 04/01/2014 > [ 183.699942] should_failslab+0x124/0x180 > [ 183.700559] RIP: 0010:qlist_free_all+0x37/0x160 > [ 183.701763] __kmalloc+0x2c8/0x760 > [ 183.702292] RSP: 0018:ffff880062de7050 EFLAGS: 00010246 > [ 183.702976] ? trace_hardirqs_on_thunk+0x1a/0x1c > [ 183.703437] RAX: ffff88000040008c RBX: 0000000000000282 RCX: 0000000000000000 > [ 183.704205] ? drbg_kcapi_seed+0x776/0x12e0 > [ 183.704804] RDX: ffffea0000010000 RSI: ffff88007ffdc39f RDI: 0000000000000282 > [ 183.704812] RBP: ffff880062de7088 R08: ffff88006bb1ce78 R09: 0000000000000006 > [ 183.705824] drbg_kcapi_seed+0x776/0x12e0 > [ 183.706369] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 > [ 183.706377] R13: 000000000000000a R14: ffff88000040008c R15: ffffffff88b172a0 > [ 183.707382] ? drbg_seed+0x10a0/0x10a0 > [ 183.708311] FS: 0000000000000000(0000) GS:ffff88006c900000(0063) > knlGS:0000000009fbd840 > [ 183.708839] ? lock_downgrade+0x8e0/0x8e0 > [ 183.709760] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 > [ 183.710760] ? lock_acquire+0x1dc/0x520 > [ 183.711252] CR2: 0000000000000106 CR3: 00000000651d8002 CR4: 00000000001606e0 > [ 183.711257] Call Trace: > [ 183.712390] ? lock_release+0xa10/0xa10 > [ 183.712922] quarantine_reduce+0x141/0x170 > [ 183.713733] ? check_same_owner+0x320/0x320 > [ 183.714246] kasan_kmalloc+0x99/0xe0 > [ 183.715244] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 > [ 183.715586] kasan_slab_alloc+0x12/0x20 > [ 183.716143] ? __check_object_size+0x95/0x5d9 > [ 183.716683] kmem_cache_alloc_node+0x131/0x780 > [ 183.717282] ? sock_kmalloc+0x14e/0x1d0 > [ 183.717760] ? do_raw_spin_unlock+0x1f9/0x2e0 > [ 183.718520] ? mark_held_locks+0xc9/0x160 > [ 183.719029] ? do_raw_spin_trylock+0x1b0/0x1b0 > [ 183.719654] ? __might_sleep+0x95/0x190 > [ 183.720280] copy_process.part.39+0x16c4/0x6ee0 > [ 183.720828] crypto_rng_reset+0x7c/0x130 > [ 183.721434] ? trace_hardirqs_on+0xd/0x10 > [ 183.722007] rng_setkey+0x25/0x30 > [ 183.722596] ? debug_object_active_state+0x2e7/0x4e0 > [ 183.723145] ? rng_sock_destruct+0x90/0x90 > [ 183.723745] ? kasan_check_read+0x11/0x20 > [ 183.724308] alg_setsockopt+0x306/0x3b0 > [ 183.724845] ? rcu_is_watching+0x85/0x140 > [ 183.725324] __compat_sys_setsockopt+0x315/0x7c0 > [ 183.725972] ? rcu_bh_force_quiescent_state+0x20/0x20 > [ 183.726560] ? __compat_sys_getsockopt+0x7f0/0x7f0 > [ 183.727091] ? __call_rcu.constprop.68+0x396/0xbb0 > [ 183.727643] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 > [ 183.728173] ? __cleanup_sighand+0x70/0x70 > [ 183.728827] ? ksys_write+0x1a6/0x250 > [ 183.729485] ? note_gp_changes+0x540/0x540 > [ 183.730161] ? SyS_read+0x30/0x30 > [ 183.730797] ? lock_downgrade+0x8e0/0x8e0 > [ 183.731558] compat_SyS_setsockopt+0x34/0x50 > [ 183.732109] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 > [ 183.732636] ? scm_detach_fds_compat+0x440/0x440 > [ 183.733180] ? tty_kref_put.part.14+0x81/0x250 > [ 183.733657] do_fast_syscall_32+0x41f/0x10dc > [ 183.734190] ? __cleanup_sighand+0x58/0x70 > [ 183.734798] ? do_page_fault+0xee/0x8a7 > [ 183.735505] ? do_raw_write_trylock+0x1b0/0x1b0 > [ 183.736162] ? do_int80_syscall_32+0xa70/0xa70 > [ 183.736745] ? print_usage_bug+0xc0/0xc0 > [ 183.737367] ? trace_hardirqs_on_thunk+0x1a/0x1c > [ 183.737907] ? trace_hardirqs_on_caller+0x421/0x5c0 > [ 183.738459] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 > [ 183.739057] ? call_rcu_sched+0x12/0x20 > [ 183.739700] ? syscall_return_slowpath+0x30f/0x5c0 > [ 183.740220] ? release_task.part.15+0xf70/0x1b90 > [ 183.740882] ? sysret32_from_system_call+0x5/0x3c > [ 183.741522] ? __lock_acquire+0x7f5/0x5130 > [ 183.742290] ? trace_hardirqs_off_thunk+0x1a/0x1c > [ 183.742798] ? rcu_is_watching+0x85/0x140 > [ 183.743480] entry_SYSENTER_compat+0x70/0x7f > [ 183.744099] ? find_held_lock+0x36/0x1c0 > [ 183.744769] RIP: 0023:0xf7f0ecb9 > [ 183.745327] ? debug_check_no_locks_freed+0x310/0x310 > [ 183.745990] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296 > [ 183.746525] ? lock_downgrade+0x8e0/0x8e0 > [ 183.747126] ORIG_RAX: 000000000000016e > [ 183.747653] ? find_held_lock+0x36/0x1c0 > [ 183.748117] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117 > [ 183.748800] ? print_usage_bug+0xc0/0xc0 > [ 183.749530] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000 > [ 183.749538] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000 > [ 183.750087] ? lock_downgrade+0x8e0/0x8e0 > [ 183.750632] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 > [ 183.751152] ? lock_downgrade+0x8e0/0x8e0 > [ 183.752156] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 > [ 183.752170] CPU: 3 PID: 5504 Comm: a.out Not tainted 4.16.0+ #4 > [ 183.752693] ? __lock_acquire+0x7f5/0x5130 > [ 183.753653] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), > BIOS 1.10.2-1 04/01/2014 > [ 183.754595] ? graph_lock+0x170/0x170 > [ 183.755167] Call Trace: > [ 183.756102] ? trace_hardirqs_on_caller+0x421/0x5c0 > [ 183.756639] dump_stack+0x1b9/0x29f > [ 183.757562] ? debug_check_no_locks_freed+0x310/0x310 > [ 183.758333] ? arch_local_irq_restore+0x52/0x52 > [ 183.758872] ? find_held_lock+0x36/0x1c0 > [ 183.759218] FAULT_INJECTION: forcing a failure. > [ 183.759218] name failslab, interval 1, probability 0, space 0, times 0 > [ 183.759966] ? __save_stack_trace+0x7e/0xd0 > [ 183.760453] ? lock_downgrade+0x8e0/0x8e0 > [ 183.760788] should_fail.cold.4+0xa/0x1a > [ 183.761427] ? do_raw_spin_unlock+0x1f9/0x2e0 > [ 183.761933] ? fault_create_debugfs_attr+0x1f0/0x1f0 > [ 183.762593] ? do_raw_spin_trylock+0x1b0/0x1b0 > [ 183.763216] ? kasan_kmalloc+0xc4/0xe0 > [ 183.763742] ? _raw_spin_unlock_irqrestore+0x74/0xc0 > [ 183.765288] ? __kmalloc+0x14e/0x760 > [ 183.765844] ? trace_hardirqs_on_caller+0x421/0x5c0 > [ 183.766423] ? drbg_kcapi_seed+0x776/0x12e0 > [ 183.766945] ? trace_hardirqs_on+0xd/0x10 > [ 183.767556] ? crypto_rng_reset+0x7c/0x130 > [ 183.768227] ? graph_lock+0x170/0x170 > [ 183.768845] ? rng_setkey+0x25/0x30 > [ 183.769368] ? add_wait_queue+0x2a0/0x2a0 > [ 183.770026] ? alg_setsockopt+0x306/0x3b0 > [ 183.770501] ? kasan_check_write+0x14/0x20 > [ 183.771198] ? graph_lock+0x170/0x170 > [ 183.771758] ? do_raw_read_lock+0x3f/0x80 > [ 183.772336] ? entry_SYSENTER_compat+0x70/0x7f > [ 183.772887] _do_fork+0x291/0x12a0 > [ 183.773416] ? find_held_lock+0x36/0x1c0 > [ 183.773881] ? fork_idle+0x1a0/0x1a0 > [ 183.774458] ? __lock_is_held+0xb5/0x140 > [ 183.774989] ? lock_release+0xa10/0xa10 > [ 183.775581] ? check_same_owner+0x320/0x320 > [ 183.776070] ? check_same_owner+0x320/0x320 > [ 183.776650] ? rcu_note_context_switch+0x710/0x710 > [ 183.777234] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 > [ 183.777725] should_failslab+0x124/0x180 > [ 183.778246] ? put_pid.part.2+0x1bc/0x230 > [ 183.778792] __kmalloc+0x2c8/0x760 > [ 183.779311] ? __might_sleep+0x95/0x190 > [ 183.779871] ? graph_lock+0x170/0x170 > [ 183.780426] ? __might_fault+0x1a3/0x1e0 > [ 183.781007] ? drbg_kcapi_seed+0x882/0x12e0 > [ 183.781643] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 > [ 183.782423] drbg_kcapi_seed+0x882/0x12e0 > [ 183.782942] ? kernel_wait4+0x2d8/0x3d0 > [ 183.783520] ? drbg_seed+0x10a0/0x10a0 > [ 183.783980] ? SyS_waitid+0x40/0x40 > [ 183.784539] ? lock_downgrade+0x8e0/0x8e0 > [ 183.785026] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 > [ 183.785596] ? lock_acquire+0x1dc/0x520 > [ 183.786146] ? task_stopped_code+0x190/0x190 > [ 183.786922] ? lock_release+0xa10/0xa10 > [ 183.787451] compat_SyS_x86_clone+0x37/0x50 > [ 183.788020] ? check_same_owner+0x320/0x320 > [ 183.788517] ? compat_SyS_x86_fallocate+0x60/0x60 > [ 183.789028] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 > [ 183.789556] do_fast_syscall_32+0x41f/0x10dc > [ 183.790334] ? __check_object_size+0x95/0x5d9 > [ 183.790841] ? do_page_fault+0xee/0x8a7 > [ 183.791460] ? sock_kmalloc+0x14e/0x1d0 > [ 183.791971] ? do_int80_syscall_32+0xa70/0xa70 > [ 183.792583] ? mark_held_locks+0xc9/0x160 > [ 183.793137] ? trace_hardirqs_on_thunk+0x1a/0x1c > [ 183.793820] ? __might_sleep+0x95/0x190 > [ 183.794528] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 > [ 183.795147] crypto_rng_reset+0x7c/0x130 > [ 183.795737] ? syscall_return_slowpath+0x30f/0x5c0 > [ 183.796291] rng_setkey+0x25/0x30 > [ 183.796803] ? sysret32_from_system_call+0x5/0x3c > [ 183.797442] ? rng_sock_destruct+0x90/0x90 > [ 183.797997] ? trace_hardirqs_off_thunk+0x1a/0x1c > [ 183.798658] alg_setsockopt+0x306/0x3b0 > [ 183.799166] entry_SYSENTER_compat+0x70/0x7f > [ 183.799971] __compat_sys_setsockopt+0x315/0x7c0 > [ 183.800486] RIP: 0023:0xf7f0ecb9 > [ 183.801190] ? __compat_sys_getsockopt+0x7f0/0x7f0 > [ 183.801631] RSP: 002b:00000000ffeb1ec0 EFLAGS: 00000246 > [ 183.802312] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 > [ 183.802850] ORIG_RAX: 0000000000000078 > [ 183.803534] ? ksys_write+0x1a6/0x250 > [ 183.804067] RAX: ffffffffffffffda RBX: 0000000001200011 RCX: 0000000000000000 > [ 183.804693] ? SyS_read+0x30/0x30 > [ 183.805295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000009fbd8a8 > [ 183.805768] compat_SyS_setsockopt+0x34/0x50 > [ 183.806404] RBP: 00000000ffeb1ef8 R08: 0000000000000000 R09: 0000000000000000 > [ 183.807154] ? scm_detach_fds_compat+0x440/0x440 > [ 183.807861] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 > [ 183.808421] do_fast_syscall_32+0x41f/0x10dc > [ 183.808900] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 > [ 183.808905] Code: > [ 183.809928] ? do_page_fault+0xee/0x8a7 > [ 183.810365] 55 > [ 183.811385] ? do_int80_syscall_32+0xa70/0xa70 > [ 183.811949] 48 > [ 183.812992] ? trace_hardirqs_on_thunk+0x1a/0x1c > [ 183.813590] 89 > [ 183.814630] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 > [ 183.815191] e5 > [ 183.816214] ? syscall_return_slowpath+0x30f/0x5c0 > [ 183.816487] 41 > [ 183.817066] ? sysret32_from_system_call+0x5/0x3c > [ 183.817313] 57 > [ 183.817958] ? trace_hardirqs_off_thunk+0x1a/0x1c > [ 183.818200] 49 > [ 183.818869] entry_SYSENTER_compat+0x70/0x7f > [ 183.819109] c7 > [ 183.819894] RIP: 0023:0xf7f0ecb9 > [ 183.820135] c7 > [ 183.820821] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296 > [ 183.821065] a0 > [ 183.821738] ORIG_RAX: 000000000000016e > [ 183.821984] 72 > [ 183.822657] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117 > [ 183.822900] b1 > [ 183.823513] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000 > [ 183.823760] 88 > [ 183.824230] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000 > [ 183.824238] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 > [ 183.824492] 41 > [ 183.825238] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 > [ 183.825250] CPU: 0 PID: 5512 Comm: a.out Not tainted 4.16.0+ #4 > [ 183.825490] 56 > [ 183.826073] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), > BIOS 1.10.2-1 04/01/2014 > [ 183.826204] FAULT_INJECTION: forcing a failure. > [ 183.826204] name failslab, interval 1, probability 0, space 0, times 0 > [ 183.826315] 41 > [ 183.827333] Call Trace: > [ 183.827583] 55 > [ 183.828608] dump_stack+0x1b9/0x29f > [ 183.828844] 41 > [ 183.829864] ? arch_local_irq_restore+0x52/0x52 > [ 183.830780] 54 > [ 183.831054] ? __save_stack_trace+0x7e/0xd0 > [ 183.831979] 49 > [ 183.832860] should_fail.cold.4+0xa/0x1a > [ 183.833097] 89 > [ 183.834277] ? fault_create_debugfs_attr+0x1f0/0x1f0 > [ 183.835690] f4 > [ 183.835964] ? kasan_kmalloc+0xc4/0xe0 > [ 183.836300] 53 > [ 183.836568] ? __kmalloc+0x14e/0x760 > [ 183.836577] ? drbg_kcapi_seed+0x776/0x12e0 > [ 183.837061] 48 > [ 183.837329] ? crypto_rng_reset+0x7c/0x130 > [ 183.837338] ? rng_setkey+0x25/0x30 > [ 183.837931] 83 > [ 183.838200] ? alg_setsockopt+0x306/0x3b0 > [ 183.838748] ec > [ 183.839015] ? __compat_sys_setsockopt+0x315/0x7c0 > [ 183.839026] ? do_fast_syscall_32+0x41f/0x10dc > [ 183.839536] 10 > [ 183.839814] ? entry_SYSENTER_compat+0x70/0x7f > [ 183.840457] 48 > [ 183.840728] ? check_same_owner+0x320/0x320 > [ 183.841224] 89 > [ 183.841495] ? kasan_check_write+0x14/0x20 > [ 183.841969] 7d > [ 183.842572] ? kasan_unpoison_shadow+0x35/0x50 > [ 183.842811] c8 > [ 183.843405] ? lock_acquire+0x1dc/0x520 > [ 183.843867] 4d > [ 183.844142] ? fs_reclaim_acquire+0x20/0x20 > [ 183.844665] 89 > [ 183.844935] ? lock_downgrade+0x8e0/0x8e0 > [ 183.845555] e5 > [ 183.846234] ? lock_release+0xa10/0xa10 > [ 183.846474] 4d > [ 183.847130] ? drbg_init_sym_kernel+0x516/0x74a > [ 183.847139] ? check_same_owner+0x320/0x320 > [ 183.847380] 85 > [ 183.847991] ? rcu_note_context_switch+0x710/0x710 > [ 183.848229] e4 > [ 183.848824] should_failslab+0x124/0x180 > [ 183.849063] 0f > [ 183.849707] __kmalloc+0x2c8/0x760 > [ 183.849946] 84 > [ 183.850505] ? lock_acquire+0x1dc/0x520 > [ 183.850744] c8 > [ 183.851350] ? __fget+0x3e3/0x650 > [ 183.851593] 00 > [ 183.852177] ? drbg_kcapi_seed+0x882/0x12e0 > [ 183.852416] 00 > [ 183.852972] drbg_kcapi_seed+0x882/0x12e0 > [ 183.853213] 00 > [ 183.853867] ? drbg_seed+0x10a0/0x10a0 > [ 183.854414] <49> > [ 183.854688] ? lock_acquire+0x1dc/0x520 > [ 183.855313] 63 > [ 183.855591] ? __might_fault+0x12b/0x1e0 > [ 183.856105] 95 > [ 183.856375] ? lock_downgrade+0x8e0/0x8e0 > [ 183.856821] fc > [ 183.857090] ? lock_acquire+0x1dc/0x520 > [ 183.857590] 00 > [ 183.857858] ? lock_release+0xa10/0xa10 > [ 183.858319] 00 > [ 183.858589] ? check_same_owner+0x320/0x320 > [ 183.859131] 00 > [ 183.859401] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 > [ 183.859928] 4c > [ 183.860200] ? __check_object_size+0x95/0x5d9 > [ 183.860689] 8b > [ 183.860983] ? sock_kmalloc+0x14e/0x1d0 > [ 183.861482] 30 > [ 183.861748] ? do_raw_spin_unlock+0x1f9/0x2e0 > [ 183.861758] ? __might_sleep+0x95/0x190 > [ 183.862269] 48 > [ 183.862539] crypto_rng_reset+0x7c/0x130 > [ 183.863079] 29 > [ 183.863348] rng_setkey+0x25/0x30 > [ 183.863878] d0 > [ 183.864150] ? rng_sock_destruct+0x90/0x90 > [ 183.864654] 49 > [ 183.864924] alg_setsockopt+0x306/0x3b0 > [ 183.865488] 83 > [ 183.865758] __compat_sys_setsockopt+0x315/0x7c0 > [ 183.866488] 3f > [ 183.866758] ? __compat_sys_getsockopt+0x7f0/0x7f0 > [ 183.867324] 00 > [ 183.867598] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 > [ 183.868098] 48 > [ 183.868369] ? ksys_write+0x1a6/0x250 > [ 183.868941] 89 > [ 183.869500] ? SyS_read+0x30/0x30 > [ 183.869740] c6 > [ 183.870312] compat_SyS_setsockopt+0x34/0x50 > [ 183.870551] 0f > [ 183.871043] ? scm_detach_fds_compat+0x440/0x440 > [ 183.871289] RIP: qlist_free_all+0x37/0x160 RSP: ffff880062de7050 > [ 183.871893] do_fast_syscall_32+0x41f/0x10dc > [ 183.872134] CR2: 0000000000000106 > [ 183.872695] ? do_page_fault+0xee/0x8a7 > [ 183.872988] ---[ end trace 0fa4e77a7b3c174f ]--- > [ 183.873604] ? do_int80_syscall_32+0xa70/0xa70 > [ 183.873611] ? trace_hardirqs_on_thunk+0x1a/0x1c > [ 183.873622] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 > [ 183.873871] Kernel panic - not syncing: Fatal exception > [ 183.874560] ? syscall_return_slowpath+0x30f/0x5c0 > [ 183.885552] ? prepare_exit_to_usermode+0x390/0x390 > [ 183.886255] ? prepare_exit_to_usermode+0x285/0x390 > [ 183.886953] ? perf_trace_sys_enter+0xaf0/0xaf0 > [ 183.887609] ? trace_hardirqs_off_thunk+0x1a/0x1c > [ 183.888289] entry_SYSENTER_compat+0x70/0x7f > [ 183.888906] RIP: 0023:0xf7f0ecb9 > [ 183.889376] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296 ORIG_RAX: > 000000000000016e > [ 183.890447] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117 > [ 183.891452] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000 > [ 183.892463] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000 > [ 183.893471] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 > [ 183.894481] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 > [ 183.895514] Kernel Offset: disabled > [ 183.896034] Rebooting in 86400 seconds.. ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH] crypto: DRBG - guard uninstantion by lock 2018-04-10 15:23 ` Dmitry Vyukov @ 2018-04-10 15:35 ` Stephan Mueller 2018-04-11 12:29 ` Dmitry Vyukov 0 siblings, 1 reply; 27+ messages in thread From: Stephan Mueller @ 2018-04-10 15:35 UTC (permalink / raw) To: Dmitry Vyukov Cc: Theodore Y. Ts'o, Matthew Wilcox, Herbert Xu, David Miller, linux-crypto, Eric Biggers, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro Am Dienstag, 10. April 2018, 17:23:46 CEST schrieb Dmitry Vyukov: Hi Dmitry, > Stephan, > > Do you have any hypothesis as to why this is not detected by KASAN and > causes silent corruptions? > We generally try to understand such cases and improve KASAN so that it > catches such cases more reliably and they do not cause splashes of > random crashes on syzbot. I do not have any hypothesis at this point. I know that you induce some fault. As you mentioned the drbg_kcapi_seed function, I was looking through the error code paths to see whether some error handlers trip over each other. But all is guesswork so far. And I am not even sure whether the bug is in the DRBG code base. Looking into the trace you sent, I see a NULL pointer dereference. At one point there is also the drbg_init_hash_kernel that is called. But nowhere I see any smoking gun. Could you please give me a description of the fault you are inducing? Ciao Stephan ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH] crypto: DRBG - guard uninstantion by lock 2018-04-10 15:35 ` Stephan Mueller @ 2018-04-11 12:29 ` Dmitry Vyukov 2018-04-11 12:59 ` Stephan Mueller 2018-04-11 14:26 ` Stephan Müller 0 siblings, 2 replies; 27+ messages in thread From: Dmitry Vyukov @ 2018-04-11 12:29 UTC (permalink / raw) To: Stephan Mueller Cc: Theodore Y. Ts'o, Matthew Wilcox, Herbert Xu, David Miller, linux-crypto, Eric Biggers, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro On Tue, Apr 10, 2018 at 5:35 PM, Stephan Mueller <smueller@chronox.de> wrote: > Am Dienstag, 10. April 2018, 17:23:46 CEST schrieb Dmitry Vyukov: > > Hi Dmitry, > >> Stephan, >> >> Do you have any hypothesis as to why this is not detected by KASAN and >> causes silent corruptions? >> We generally try to understand such cases and improve KASAN so that it >> catches such cases more reliably and they do not cause splashes of >> random crashes on syzbot. > > I do not have any hypothesis at this point. I know that you induce some fault. > As you mentioned the drbg_kcapi_seed function, I was looking through the error > code paths to see whether some error handlers trip over each other. But all is > guesswork so far. And I am not even sure whether the bug is in the DRBG code > base. > > Looking into the trace you sent, I see a NULL pointer dereference. At one > point there is also the drbg_init_hash_kernel that is called. But nowhere I > see any smoking gun. > > Could you please give me a description of the fault you are inducing? Hi Stephan, What do you mean by description of the fault? It's kernel standard FAULT_INJECTION facility, it injects faults mainly into kmalloc/slab_alloc (also in a bunch of other things, but in this case this seems to be kmalloc). In the repro you can see that it's injecting a fault into 8-th malloc in the setsockopt syscall. I wonder why you can't reproduce it. I can trigger it reliably in a qemu. Let's try this: I have upstream kernel on b284d4d5a6785f8cd07eda2646a95782373cd01e. Here is my config: https://gist.githubusercontent.com/dvyukov/f843ea09bc5b9439a820c8e809a5501d/raw/ad330e9b6b710f57f63b61590747b48230e5cb61/gistfile1.txt Here is the compiler: https://storage.googleapis.com/syzkaller/gcc-8.0.1-20180301.tar.gz Build as: make -jN CC=that/gcc/bin/gcc Then I start qemu as: qemu-system-x86_64 -hda wheezy.img -net user,host=10.0.2.10,hostfwd=tcp::10022-:22 -net nic -nographic -kernel arch/x86/boot/bzImage -append "kvm-intel.nested=1 kvm-intel.unrestricted_guest=1 kvm-intel.ept=1 kvm-intel.flexpriority=1 kvm-intel.vpid=1 kvm-intel.emulate_invalid_guest_state=1 kvm-intel.eptad=1 kvm-intel.enable_shadow_vmcs=1 kvm-intel.pml=1 kvm-intel.enable_apicv=1 console=ttyS0 root=/dev/sda earlyprintk=serial slub_debug=UZ vsyscall=native rodata=n oops=panic panic_on_warn=1 panic=86400" -enable-kvm -pidfile vm_pid -m 2G -smp 4 -cpu host You can find the wheezy.img and ssh key for it here: https://github.com/google/syzkaller/blob/master/docs/syzbot.md#crash-does-not-reproduce Then I compile this program: https://gist.githubusercontent.com/dvyukov/1dd75d55efd238e7207af1cc38478b3a/raw/403859b56b161a6fbb158e8953fac5bb6e73b1a1/gistfile1.txt as: gcc prog.c -static -m32 Run in the qemu and within a minute it gives me the crash. ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH] crypto: DRBG - guard uninstantion by lock 2018-04-11 12:29 ` Dmitry Vyukov @ 2018-04-11 12:59 ` Stephan Mueller 2018-04-11 14:26 ` Stephan Müller 1 sibling, 0 replies; 27+ messages in thread From: Stephan Mueller @ 2018-04-11 12:59 UTC (permalink / raw) To: Dmitry Vyukov Cc: Theodore Y. Ts'o, Matthew Wilcox, Herbert Xu, David Miller, linux-crypto, Eric Biggers, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro Am Mittwoch, 11. April 2018, 14:29:45 CEST schrieb Dmitry Vyukov: Hi Dmitry, > > What do you mean by description of the fault? > It's kernel standard FAULT_INJECTION facility, it injects faults > mainly into kmalloc/slab_alloc (also in a bunch of other things, but > in this case this seems to be kmalloc). In the repro you can see that > it's injecting a fault into 8-th malloc in the setsockopt syscall. I am now able to reproduce it. I think I have a smoking gun, but let me test it first. Ciao Stephan ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH] crypto: DRBG - guard uninstantion by lock 2018-04-11 12:29 ` Dmitry Vyukov 2018-04-11 12:59 ` Stephan Mueller @ 2018-04-11 14:26 ` Stephan Müller 2018-04-11 14:31 ` [PATCH] crypto: drbg - set freed buffers to NULL Stephan Müller 2018-04-11 17:09 ` [PATCH] crypto: DRBG - guard uninstantion by lock Dmitry Vyukov 1 sibling, 2 replies; 27+ messages in thread From: Stephan Müller @ 2018-04-11 14:26 UTC (permalink / raw) To: Dmitry Vyukov Cc: Theodore Y. Ts'o, Matthew Wilcox, Herbert Xu, David Miller, linux-crypto, Eric Biggers, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro Hi Dimitry, This fix prevents the kernel from crashing when injecting the fault. Stack traces are yet shown but I guess that is expected every time a fault is injected. As to why KASAN did not notice this one, I am not sure. Maybe it is because I use two buffer pointers to point to (almost) the same memory (one that is aligned and one pointing to the complete buffer)? ---8<--- During freeing of the internal buffers used by the DRBG, set the pointer to NULL. It is possible that the context with the freed buffers is reused. In case of an error during initialization where the pointers do not yet point to allocated memory, the NULL value prevents a double free. Signed-off-by: Stephan Mueller <smueller@chronox.de> Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com --- crypto/drbg.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/drbg.c b/crypto/drbg.c index 4faa2781c964..466a112a4446 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg) if (!drbg) return; kzfree(drbg->Vbuf); + drbg->Vbuf = NULL; drbg->V = NULL; kzfree(drbg->Cbuf); + drbg->Cbuf = NULL; drbg->C = NULL; kzfree(drbg->scratchpadbuf); drbg->scratchpadbuf = NULL; -- 2.14.3 ^ permalink raw reply related [flat|nested] 27+ messages in thread
* [PATCH] crypto: drbg - set freed buffers to NULL 2018-04-11 14:26 ` Stephan Müller @ 2018-04-11 14:31 ` Stephan Müller 2018-04-11 17:29 ` Eric Biggers 2018-04-12 6:40 ` Stephan Müller 2018-04-11 17:09 ` [PATCH] crypto: DRBG - guard uninstantion by lock Dmitry Vyukov 1 sibling, 2 replies; 27+ messages in thread From: Stephan Müller @ 2018-04-11 14:31 UTC (permalink / raw) To: Stephan Müller Cc: Dmitry Vyukov, Theodore Y. Ts'o, Matthew Wilcox, Herbert Xu, David Miller, linux-crypto, Eric Biggers, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro Sorry, this time with the proper subject line. ---8<--- During freeing of the internal buffers used by the DRBG, set the pointer to NULL. It is possible that the context with the freed buffers is reused. In case of an error during initialization where the pointers do not yet point to allocated memory, the NULL value prevents a double free. Signed-off-by: Stephan Mueller <smueller@chronox.de> Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com --- crypto/drbg.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/drbg.c b/crypto/drbg.c index 4faa2781c964..466a112a4446 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg) if (!drbg) return; kzfree(drbg->Vbuf); + drbg->Vbuf = NULL; drbg->V = NULL; kzfree(drbg->Cbuf); + drbg->Cbuf = NULL; drbg->C = NULL; kzfree(drbg->scratchpadbuf); drbg->scratchpadbuf = NULL; -- 2.14.3 ^ permalink raw reply related [flat|nested] 27+ messages in thread
* Re: [PATCH] crypto: drbg - set freed buffers to NULL 2018-04-11 14:31 ` [PATCH] crypto: drbg - set freed buffers to NULL Stephan Müller @ 2018-04-11 17:29 ` Eric Biggers 2018-04-12 6:40 ` Stephan Müller 1 sibling, 0 replies; 27+ messages in thread From: Eric Biggers @ 2018-04-11 17:29 UTC (permalink / raw) To: Stephan Müller Cc: Dmitry Vyukov, Theodore Y. Ts'o, Matthew Wilcox, Herbert Xu, David Miller, linux-crypto, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro On Wed, Apr 11, 2018 at 04:31:01PM +0200, Stephan Müller wrote: > Sorry, this time with the proper subject line. > > ---8<--- > > During freeing of the internal buffers used by the DRBG, set the pointer > to NULL. It is possible that the context with the freed buffers is > reused. In case of an error during initialization where the pointers > do not yet point to allocated memory, the NULL value prevents a double > free. > > Signed-off-by: Stephan Mueller <smueller@chronox.de> > Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com > --- > crypto/drbg.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/crypto/drbg.c b/crypto/drbg.c > index 4faa2781c964..466a112a4446 100644 > --- a/crypto/drbg.c > +++ b/crypto/drbg.c > @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg) > if (!drbg) > return; > kzfree(drbg->Vbuf); > + drbg->Vbuf = NULL; > drbg->V = NULL; > kzfree(drbg->Cbuf); > + drbg->Cbuf = NULL; > drbg->C = NULL; > kzfree(drbg->scratchpadbuf); > drbg->scratchpadbuf = NULL; Can you please add Fixes and Cc stable? - Eric ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH] crypto: drbg - set freed buffers to NULL @ 2018-04-11 17:29 ` Eric Biggers 0 siblings, 0 replies; 27+ messages in thread From: Eric Biggers @ 2018-04-11 17:29 UTC (permalink / raw) To: Stephan Müller Cc: Dmitry Vyukov, Theodore Y. Ts'o, Matthew Wilcox, Herbert Xu, David Miller, linux-crypto, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro On Wed, Apr 11, 2018 at 04:31:01PM +0200, Stephan M�ller wrote: > Sorry, this time with the proper subject line. > > ---8<--- > > During freeing of the internal buffers used by the DRBG, set the pointer > to NULL. It is possible that the context with the freed buffers is > reused. In case of an error during initialization where the pointers > do not yet point to allocated memory, the NULL value prevents a double > free. > > Signed-off-by: Stephan Mueller <smueller@chronox.de> > Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com > --- > crypto/drbg.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/crypto/drbg.c b/crypto/drbg.c > index 4faa2781c964..466a112a4446 100644 > --- a/crypto/drbg.c > +++ b/crypto/drbg.c > @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg) > if (!drbg) > return; > kzfree(drbg->Vbuf); > + drbg->Vbuf = NULL; > drbg->V = NULL; > kzfree(drbg->Cbuf); > + drbg->Cbuf = NULL; > drbg->C = NULL; > kzfree(drbg->scratchpadbuf); > drbg->scratchpadbuf = NULL; Can you please add Fixes and Cc stable? - Eric ^ permalink raw reply [flat|nested] 27+ messages in thread
* [PATCH] crypto: drbg - set freed buffers to NULL 2018-04-11 14:31 ` [PATCH] crypto: drbg - set freed buffers to NULL Stephan Müller 2018-04-11 17:29 ` Eric Biggers @ 2018-04-12 6:40 ` Stephan Müller 2018-04-20 16:54 ` Herbert Xu 1 sibling, 1 reply; 27+ messages in thread From: Stephan Müller @ 2018-04-12 6:40 UTC (permalink / raw) To: Herbert Xu Cc: Dmitry Vyukov, Theodore Y. Ts'o, Matthew Wilcox, David Miller, linux-crypto, Eric Biggers, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro Add the Fixes, CC stable tags. ---8<--- During freeing of the internal buffers used by the DRBG, set the pointer to NULL. It is possible that the context with the freed buffers is reused. In case of an error during initialization where the pointers do not yet point to allocated memory, the NULL value prevents a double free. Cc: stable@vger.kernel.org Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers") Signed-off-by: Stephan Mueller <smueller@chronox.de> Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com --- crypto/drbg.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/drbg.c b/crypto/drbg.c index 4faa2781c964..466a112a4446 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg) if (!drbg) return; kzfree(drbg->Vbuf); + drbg->Vbuf = NULL; drbg->V = NULL; kzfree(drbg->Cbuf); + drbg->Cbuf = NULL; drbg->C = NULL; kzfree(drbg->scratchpadbuf); drbg->scratchpadbuf = NULL; -- 2.14.3 ^ permalink raw reply related [flat|nested] 27+ messages in thread
* Re: [PATCH] crypto: drbg - set freed buffers to NULL 2018-04-12 6:40 ` Stephan Müller @ 2018-04-20 16:54 ` Herbert Xu 0 siblings, 0 replies; 27+ messages in thread From: Herbert Xu @ 2018-04-20 16:54 UTC (permalink / raw) To: Stephan Müller Cc: Dmitry Vyukov, Theodore Y. Ts'o, Matthew Wilcox, David Miller, linux-crypto, Eric Biggers, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro On Thu, Apr 12, 2018 at 08:40:55AM +0200, Stephan Müller wrote: > Add the Fixes, CC stable tags. > > ---8<--- > > During freeing of the internal buffers used by the DRBG, set the pointer > to NULL. It is possible that the context with the freed buffers is > reused. In case of an error during initialization where the pointers > do not yet point to allocated memory, the NULL value prevents a double > free. > > Cc: stable@vger.kernel.org > Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers") > Signed-off-by: Stephan Mueller <smueller@chronox.de> > Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com Patch applied. Thanks. -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH] crypto: drbg - set freed buffers to NULL @ 2018-04-20 16:54 ` Herbert Xu 0 siblings, 0 replies; 27+ messages in thread From: Herbert Xu @ 2018-04-20 16:54 UTC (permalink / raw) To: Stephan Müller Cc: Dmitry Vyukov, Theodore Y. Ts'o, Matthew Wilcox, David Miller, linux-crypto, Eric Biggers, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro On Thu, Apr 12, 2018 at 08:40:55AM +0200, Stephan M�ller wrote: > Add the Fixes, CC stable tags. > > ---8<--- > > During freeing of the internal buffers used by the DRBG, set the pointer > to NULL. It is possible that the context with the freed buffers is > reused. In case of an error during initialization where the pointers > do not yet point to allocated memory, the NULL value prevents a double > free. > > Cc: stable@vger.kernel.org > Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers") > Signed-off-by: Stephan Mueller <smueller@chronox.de> > Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com Patch applied. Thanks. -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH] crypto: DRBG - guard uninstantion by lock 2018-04-11 14:26 ` Stephan Müller 2018-04-11 14:31 ` [PATCH] crypto: drbg - set freed buffers to NULL Stephan Müller @ 2018-04-11 17:09 ` Dmitry Vyukov 1 sibling, 0 replies; 27+ messages in thread From: Dmitry Vyukov @ 2018-04-11 17:09 UTC (permalink / raw) To: Stephan Müller Cc: Theodore Y. Ts'o, Matthew Wilcox, Herbert Xu, David Miller, linux-crypto, Eric Biggers, syzbot, linux-fsdevel, LKML, syzkaller-bugs, Al Viro On Wed, Apr 11, 2018 at 4:26 PM, Stephan Müller <smueller@chronox.de> wrote: > Hi Dimitry, > > This fix prevents the kernel from crashing when injecting the fault. Good! > Stack traces are yet shown but I guess that is expected every time > a fault is injected. Yes, nothing to fix here. > As to why KASAN did not notice this one, I am not sure. Maybe it is > because I use two buffer pointers to point to (almost) the same memory > (one that is aligned and one pointing to the complete buffer)? After looking at the fix, I figured out what happened with KASAN. Filed https://bugzilla.kernel.org/show_bug.cgi?id=199359. In short, tricky interplay between kzfree, ksize and double-free detection. If KASAN worked as intended it would give a nice "double-free in this stack for object allocated in this stack and previously freed in this stack", which would probably make debugging much simpler. > ---8<--- > > During freeing of the internal buffers used by the DRBG, set the pointer > to NULL. It is possible that the context with the freed buffers is > reused. In case of an error during initialization where the pointers > do not yet point to allocated memory, the NULL value prevents a double > free. > > Signed-off-by: Stephan Mueller <smueller@chronox.de> > Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com > --- > crypto/drbg.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/crypto/drbg.c b/crypto/drbg.c > index 4faa2781c964..466a112a4446 100644 > --- a/crypto/drbg.c > +++ b/crypto/drbg.c > @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg) > if (!drbg) > return; > kzfree(drbg->Vbuf); > + drbg->Vbuf = NULL; > drbg->V = NULL; > kzfree(drbg->Cbuf); > + drbg->Cbuf = NULL; > drbg->C = NULL; > kzfree(drbg->scratchpadbuf); > drbg->scratchpadbuf = NULL; > -- > 2.14.3 > > > > > -- > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group. > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com. > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/2186798.qrgUIDAn9S%40positron.chronox.de. > For more options, visit https://groups.google.com/d/optout. ^ permalink raw reply [flat|nested] 27+ messages in thread
end of thread, other threads:[~2018-04-20 16:55 UTC | newest] Thread overview: 27+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2018-04-06 13:24 WARNING in kmem_cache_free syzbot 2018-04-06 13:33 ` Dmitry Vyukov 2018-04-08 3:16 ` Use struct page for filename Matthew Wilcox 2018-04-08 4:42 ` Al Viro 2018-04-08 5:59 ` WARNING in kmem_cache_free Al Viro 2018-04-08 6:01 ` Matthew Wilcox 2018-04-08 10:26 ` Dmitry Vyukov 2018-04-08 11:18 ` Dmitry Vyukov 2018-04-08 15:31 ` Stephan Müller 2018-04-08 15:41 ` Dmitry Vyukov 2018-04-08 19:07 ` [PATCH] crypto: DRBG - guard uninstantion by lock Stephan Müller 2018-04-08 22:46 ` Theodore Y. Ts'o 2018-04-08 22:46 ` Theodore Y. Ts'o 2018-04-09 5:40 ` Stephan Mueller 2018-04-09 7:57 ` Dmitry Vyukov 2018-04-10 15:23 ` Dmitry Vyukov 2018-04-10 15:35 ` Stephan Mueller 2018-04-11 12:29 ` Dmitry Vyukov 2018-04-11 12:59 ` Stephan Mueller 2018-04-11 14:26 ` Stephan Müller 2018-04-11 14:31 ` [PATCH] crypto: drbg - set freed buffers to NULL Stephan Müller 2018-04-11 17:29 ` Eric Biggers 2018-04-11 17:29 ` Eric Biggers 2018-04-12 6:40 ` Stephan Müller 2018-04-20 16:54 ` Herbert Xu 2018-04-20 16:54 ` Herbert Xu 2018-04-11 17:09 ` [PATCH] crypto: DRBG - guard uninstantion by lock Dmitry Vyukov
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.