Linux-RISC-V Archive on lore.kernel.org
From: Dmitry Vyukov <dvyukov@google.com>
To: Tobias Klauser <tklauser@distanz.ch>
Cc: "Albert Ou" <aou@eecs.berkeley.edu>,
	"Björn Töpel" <bjorn.topel@gmail.com>,
	syzkaller <syzkaller@googlegroups.com>,
	"Palmer Dabbelt" <palmer@dabbelt.com>,
	"Paul Walmsley" <paul.walmsley@sifive.com>,
	linux-riscv <linux-riscv@lists.infradead.org>
Subject: Re: syzkaller on risc-v
Date: Wed, 1 Jul 2020 12:03:44 +0200
Message-ID: <CACT4Y+Yt+f4ryT4YXr_y+-kt=k55Eu=42YNx=Z88dcFZfmYCww@mail.gmail.com>
In-Reply-To: <20200630151044.ds5junfupcokcei6@distanz.ch>

On Tue, Jun 30, 2020 at 5:10 PM Tobias Klauser <tklauser@distanz.ch> wrote:
>
> On 2020-06-30 at 14:48:31 +0200, Dmitry Vyukov <dvyukov@google.com> wrote:
> [...]
> > 6. I observed lots of what looks like user-space process memory
> > corruptions. These included thousands of panics in our Go programs
> > with things that I would consider "impossible", at least they did not
> > come up before in our syzbot fuzzing. Also some Go runtime
> > "impossible" crashes, e.g.:
> > https://gist.githubusercontent.com/dvyukov/fb489ed93f7180621c71714ee07e53dc/raw/a7d2e98a56da17af2aec79c164cd3a8e154ecf5c/gistfile1.txt
> > Maybe it's a known issue? Should we use tip instead of 1.14? Is it more stable?
> > Though it's not necessarily Go b/c kernel contains hundreds of memory
> > corruptions and we observed kernel corrupting user-space processes
> > routinely. This is especially true without KASAN because kernel
> > corruptions are not caught early. However, the ratio and nature of
> > crashes makes me suspect some issue in Go risc-v runtime.
>
> I haven't seen any of these crashes myself when testing the syzkaller
> port, but then again I only ran it for rather brief amounts of time
> (~1h) on my laptop using the riscv defconfig and a few additional
> configs enabled.
>
> AFAIK Go tip has seen quite some improvements to its RISC-V port, so it
> might be worth giving it (or Go 1.14beta1) a try.


No luck. I tried:
go version devel +4b28f5ded3 Tue Jun 30 13:18:16 2020 +0000 linux/amd64
and the log is still full of these crashes we don't see on any other instances:

2020/07/01 11:48:09 vm-2: crash: panic: invalid argument to Intn
2020/07/01 11:48:09 vm-28: crash: panic: invalid argument to Intn
2020/07/01 11:48:10 vm-25: crash: panic: invalid argument to Intn
2020/07/01 11:48:11 vm-35: crash: panic: invalid argument to Intn
2020/07/01 11:48:15 VMs 13, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 391, repro 0
2020/07/01 11:48:16 vm-16: crash: panic: invalid argument to Intn
2020/07/01 11:48:25 vm-6: crash: panic: invalid argument to Intn
2020/07/01 11:48:25 VMs 11, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 393, repro 0
2020/07/01 11:48:29 vm-0: crash: panic: invalid argument to Intn
2020/07/01 11:48:35 VMs 14, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 394, repro 0
2020/07/01 11:48:45 VMs 17, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 394, repro 0
2020/07/01 11:48:55 VMs 19, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 394, repro 0
2020/07/01 11:49:05 VMs 22, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 394, repro 0
2020/07/01 11:49:15 VMs 32, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 394, repro 0
2020/07/01 11:49:25 VMs 33, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 394, repro 0
2020/07/01 11:49:35 VMs 33, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 394, repro 0
2020/07/01 11:49:44 vm-12: crash: panic: invalid argument to Intn
2020/07/01 11:49:45 VMs 35, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 395, repro 0
2020/07/01 11:49:49 vm-32: crash: panic: invalid argument to Intn
2020/07/01 11:49:51 vm-5: crash: panic: invalid argument to Intn
2020/07/01 11:49:52 vm-34: crash: panic: invalid argument to Intn
2020/07/01 11:49:52 vm-9: crash: panic: invalid argument to Intn
2020/07/01 11:49:54 vm-17: crash: panic: invalid argument to Intn
2020/07/01 11:49:55 VMs 32, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 400, repro 0
2020/07/01 11:49:59 vm-22: crash: panic: invalid argument to Intn
2020/07/01 11:50:05 VMs 33, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 401, repro 0
2020/07/01 11:50:15 VMs 33, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 401, repro 0
2020/07/01 11:50:25 VMs 33, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 401, repro 0
2020/07/01 11:50:30 vm-10: crash: panic: invalid argument to Intn
2020/07/01 11:50:35 VMs 32, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 402, repro 0
2020/07/01 11:50:45 VMs 33, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 402, repro 0
2020/07/01 11:50:50 vm-8: crash: panic: invalid argument to Intn
2020/07/01 11:50:54 vm-13: crash: panic: invalid argument to Intn
2020/07/01 11:50:54 vm-37: crash: panic: invalid argument to Intn
2020/07/01 11:50:55 VMs 30, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 405, repro 0
2020/07/01 11:51:05 VMs 30, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 405, repro 0
2020/07/01 11:51:15 VMs 30, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 405, repro 0
2020/07/01 11:51:25 VMs 35, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 405, repro 0
2020/07/01 11:51:26 vm-27: crash: panic: invalid argument to Intn
2020/07/01 11:51:29 vm-31: crash: panic: invalid argument to Intn
2020/07/01 11:51:35 VMs 34, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 407, repro 0
2020/07/01 11:51:36 vm-15: crash: panic: invalid argument to Intn
2020/07/01 11:51:36 vm-23: crash: panic: invalid argument to Intn
2020/07/01 11:51:40 vm-39: crash: panic: invalid argument to Intn
2020/07/01 11:51:42 vm-7: crash: panic: invalid argument to Intn
2020/07/01 11:51:45 vm-4: crash: panic: invalid argument to Intn
2020/07/01 11:51:45 VMs 29, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 412, repro 0
2020/07/01 11:51:52 vm-19: crash: panic: invalid argument to Intn
2020/07/01 11:51:54 vm-26: crash: panic: invalid argument to Intn
2020/07/01 11:51:55 VMs 27, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 414, repro 0
2020/07/01 11:52:03 vm-38: crash: panic: invalid argument to Intn
2020/07/01 11:52:03 vm-36: crash: panic: invalid argument to Intn
2020/07/01 11:52:05 VMs 26, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 416, repro 0
2020/07/01 11:52:07 vm-11: crash: panic: invalid argument to Intn
2020/07/01 11:52:12 vm-33: crash: panic: invalid argument to Intn
2020/07/01 11:52:13 vm-29: crash: panic: invalid argument to Intn
2020/07/01 11:52:15 vm-20: crash: panic: invalid argument to Intn
2020/07/01 11:52:15 VMs 22, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 420, repro 0
2020/07/01 11:52:16 vm-24: crash: panic: invalid argument to Intn
2020/07/01 11:52:17 vm-3: crash: panic: invalid argument to Intn
2020/07/01 11:52:17 vm-30: crash: panic: invalid argument to Intn
2020/07/01 11:52:18 vm-14: crash: panic: invalid argument to Intn
2020/07/01 11:52:20 vm-21: crash: panic: invalid argument to Intn
2020/07/01 11:52:20 vm-18: crash: panic: invalid argument to Intn
2020/07/01 11:52:22 vm-1: crash: panic: invalid argument to Intn
2020/07/01 11:52:25 VMs 18, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 427, repro 0
2020/07/01 11:52:35 VMs 18, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 427, repro 0
2020/07/01 11:52:43 vm-2: crash: panic: invalid argument to Intn
2020/07/01 11:52:44 vm-25: crash: panic: invalid argument to Intn
2020/07/01 11:52:44 vm-35: crash: panic: invalid argument to Intn
2020/07/01 11:52:45 VMs 15, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 430, repro 0
2020/07/01 11:52:46 vm-16: crash: panic: invalid argument to Intn
2020/07/01 11:52:47 vm-28: crash: panic: invalid argument to Intn
2020/07/01 11:52:51 vm-9: crash: panic: invalid argument to Intn
2020/07/01 11:52:54 vm-6: crash: panic: invalid argument to Intn
2020/07/01 11:52:55 VMs 12, executed 153462, corpus cover 79651,
corpus signal 174611, max signal 185505, crashes 434, repro 0
2020/07/01 11:53:00 vm-0: crash: panic: invalid argument to Intn

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
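
Added example, not part of the original message and not syzkaller code: a small Go triage pass over a manager log in the format quoted above. It groups crashes by title and by VM and flags the case where the crash counter rises while the executed counter stays flat. The sample log is constructed, and `Triage`, `Summary` and `Stalled` are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample in the quoted log format (stat records wrapped as in the mail).
const sampleLog = `2020/07/01 10:00:01 vm-2: crash: panic: invalid argument to Intn
2020/07/01 10:00:05 VMs 13, executed 1000, corpus cover 50,
corpus signal 70, max signal 90, crashes 1, repro 0
2020/07/01 10:00:07 vm-5: crash: panic: invalid argument to Intn
2020/07/01 10:00:09 vm-2: crash: constructed example title
2020/07/01 10:00:15 VMs 11, executed 1000, corpus cover 50,
corpus signal 70, max signal 90, crashes 3, repro 0`

var crashRe = regexp.MustCompile(`^\S+ \S+ (vm-\d+): crash: (.+)$`)
var statRe = regexp.MustCompile(`executed (\d+),.*crashes (\d+),`)

// Summary is a hypothetical triage result, not a syzkaller type.
type Summary struct {
	ByTitle, ByVM map[string]int // crash counts per title and per VM
	Exec, Crashes []int          // counters from successive stat records
}

func Triage(log string) Summary {
	s := Summary{ByTitle: map[string]int{}, ByVM: map[string]int{}}
	// Stat records were wrapped after a comma; rejoin them before matching.
	for _, r := range strings.Split(strings.ReplaceAll(log, ",\n", ", "), "\n") {
		if m := crashRe.FindStringSubmatch(r); m != nil {
			s.ByVM[m[1]]++
			s.ByTitle[m[2]]++
		} else if m := statRe.FindStringSubmatch(r); m != nil {
			e, _ := strconv.Atoi(m[1])
			c, _ := strconv.Atoi(m[2])
			s.Exec, s.Crashes = append(s.Exec, e), append(s.Crashes, c)
		}
	}
	return s
}

// Stalled reports crashes rising while the executed counter does not move.
func (s Summary) Stalled() bool {
	n := len(s.Exec)
	return n > 1 && s.Exec[n-1] == s.Exec[0] && s.Crashes[n-1] > s.Crashes[0]
}
func main() { fmt.Println(Triage(sampleLog), Triage(sampleLog).Stalled()) }
```

A single title spread across many different VMs with a flat executed counter points at the fuzzing processes themselves rather than at one bad guest image.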
