WARNING in kmem_cache_free

WARNING in kmem_cache_free

[syzbot]

Hello,

syzbot hit the following crash on upstream commit
f2d285669aae656dfeafa0bf25e86bbbc5d22329 (Tue Apr 3 17:45:39 2018 +0000)
Merge tag 'pm-4.17-rc1' of  
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
syzbot dashboard link:  
https://syzkaller.appspot.com/bug?extid=75397ee3df5c70164154

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:  
https://syzkaller.appspot.com/x/log.txt?id=5265497960480768
Kernel config: https://syzkaller.appspot.com/x/.config?id=686016073509112605
compiler: gcc (GCC) 7.1.1 20170620
user-space arch: i386

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.
If you forward the report, please keep this part and the footer.

cache_from_obj: Wrong slab cache. names_cache but object is from kmalloc-96
WARNING: CPU: 0 PID: 11100 at mm/slab.h:378 cache_from_obj mm/slab.h:376  
[inline]
WARNING: CPU: 0 PID: 11100 at mm/slab.h:378 kmem_cache_free+0x226/0x2a0  
mm/slab.c:3736
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 11100 Comm: syz-executor3 Not tainted 4.16.0+ #288
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x1a7/0x27d lib/dump_stack.c:53
  panic+0x1f8/0x42c kernel/panic.c:183
  __warn+0x1dc/0x200 kernel/panic.c:547
  report_bug+0x1f4/0x2b0 lib/bug.c:186
  fixup_bug.part.10+0x37/0x80 arch/x86/kernel/traps.c:178
  fixup_bug arch/x86/kernel/traps.c:247 [inline]
  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
  invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:991
RIP: 0010:cache_from_obj mm/slab.h:376 [inline]
RIP: 0010:kmem_cache_free+0x226/0x2a0 mm/slab.c:3736
RSP: 0018:ffff8801933a7970 EFLAGS: 00010282
RAX: 000000000000004b RBX: ffff8801dad7e600 RCX: 0000000000000000
RDX: 000000000000004b RSI: ffffc90002a2d000 RDI: ffffed0032674f22
RBP: ffff8801933a7990 R08: ffffed003b604f99 R09: ffffed003b604f99
R10: 0000000000000000 R11: ffffed003b604f98 R12: ffff880199ec2000
R13: ffff8801dad7e600 R14: ffff8801d08585dc R15: 00000000ffffffd8
  putname+0xc8/0x130 fs/namei.c:255
  filename_lookup+0x315/0x500 fs/namei.c:2324
  user_path_at_empty+0x40/0x50 fs/namei.c:2569
  user_path include/linux/namei.h:62 [inline]
  do_mount+0x15f/0x2b90 fs/namespace.c:2787
  C_SYSC_mount fs/compat.c:195 [inline]
  compat_SyS_mount+0xd0/0x1070 fs/compat.c:160
  do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
  do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
  entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f47c99
RSP: 002b:00000000f5f42c6c EFLAGS: 00000246 ORIG_RAX: 0000000000000015
RAX: ffffffffffffffda RBX: 00000000080eff11 RCX: 0000000020000000
RDX: 0000000000000000 RSI: 00000000080d6b6d RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Dumping ftrace buffer:
    (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is  
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug  
report.
Note: all commands must start from beginning of the line in the email body.

Re: WARNING in kmem_cache_free

[Dmitry Vyukov]

On Fri, Apr 6, 2018 at 3:24 PM, syzbot
<syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot hit the following crash on upstream commit
> f2d285669aae656dfeafa0bf25e86bbbc5d22329 (Tue Apr 3 17:45:39 2018 +0000)
> Merge tag 'pm-4.17-rc1' of
> git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
> syzbot dashboard link:
> https://syzkaller.appspot.com/bug?extid=75397ee3df5c70164154
>
> Unfortunately, I don't have any reproducer for this crash yet.
> Raw console output:
> https://syzkaller.appspot.com/x/log.txt?id=5265497960480768
> Kernel config: https://syzkaller.appspot.com/x/.config?id=686016073509112605
> compiler: gcc (GCC) 7.1.1 20170620
> user-space arch: i386
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
> cache_from_obj: Wrong slab cache. names_cache but object is from kmalloc-96

/\/\/\/\

Interesting type of bug, I think we see this for the first time.

Al, do you see how this can happen?


> WARNING: CPU: 0 PID: 11100 at mm/slab.h:378 cache_from_obj mm/slab.h:376
> [inline]
> WARNING: CPU: 0 PID: 11100 at mm/slab.h:378 kmem_cache_free+0x226/0x2a0
> mm/slab.c:3736
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 0 PID: 11100 Comm: syz-executor3 Not tainted 4.16.0+ #288
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:17 [inline]
>  dump_stack+0x1a7/0x27d lib/dump_stack.c:53
>  panic+0x1f8/0x42c kernel/panic.c:183
>  __warn+0x1dc/0x200 kernel/panic.c:547
>  report_bug+0x1f4/0x2b0 lib/bug.c:186
>  fixup_bug.part.10+0x37/0x80 arch/x86/kernel/traps.c:178
>  fixup_bug arch/x86/kernel/traps.c:247 [inline]
>  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
>  invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:991
> RIP: 0010:cache_from_obj mm/slab.h:376 [inline]
> RIP: 0010:kmem_cache_free+0x226/0x2a0 mm/slab.c:3736
> RSP: 0018:ffff8801933a7970 EFLAGS: 00010282
> RAX: 000000000000004b RBX: ffff8801dad7e600 RCX: 0000000000000000
> RDX: 000000000000004b RSI: ffffc90002a2d000 RDI: ffffed0032674f22
> RBP: ffff8801933a7990 R08: ffffed003b604f99 R09: ffffed003b604f99
> R10: 0000000000000000 R11: ffffed003b604f98 R12: ffff880199ec2000
> R13: ffff8801dad7e600 R14: ffff8801d08585dc R15: 00000000ffffffd8
>  putname+0xc8/0x130 fs/namei.c:255
>  filename_lookup+0x315/0x500 fs/namei.c:2324
>  user_path_at_empty+0x40/0x50 fs/namei.c:2569
>  user_path include/linux/namei.h:62 [inline]
>  do_mount+0x15f/0x2b90 fs/namespace.c:2787
>  C_SYSC_mount fs/compat.c:195 [inline]
>  compat_SyS_mount+0xd0/0x1070 fs/compat.c:160
>  do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
>  do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
>  entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
> RIP: 0023:0xf7f47c99
> RSP: 002b:00000000f5f42c6c EFLAGS: 00000246 ORIG_RAX: 0000000000000015
> RAX: ffffffffffffffda RBX: 00000000080eff11 RCX: 0000000020000000
> RDX: 0000000000000000 RSI: 00000000080d6b6d RDI: 0000000000000000
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report.
> If you forgot to add the Reported-by tag, once the fix for this bug is
> merged
> into any tree, please reply to this email with:
> #syz fix: exact-commit-title
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug
> report.
> Note: all commands must start from beginning of the line in the email body.
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/001a114467482dbc4b05692df8f9%40google.com.
> For more options, visit https://groups.google.com/d/optout.

Use struct page for filename

[Matthew Wilcox]

On Fri, Apr 06, 2018 at 03:33:36PM +0200, Dmitry Vyukov wrote:
> On Fri, Apr 6, 2018 at 3:24 PM, syzbot
> <syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com> wrote:
> > cache_from_obj: Wrong slab cache. names_cache but object is from kmalloc-96
> 
> Al, do you see how this can happen?

I don't see how it happened, but when looking at this bug, I thought
"This is very complicated, I think there's a simpler way to handle this".

Here's a proposal.  It won't apply to any existing tree (depends on a
couple of local commits), but I think you'll get the general flavour
of it.  It's mostly compile-tested (build still running, but fs/ and
kernel/ compiled without issue).

 fs/dcache.c              |   7 ----
 fs/namei.c               | 102 ++++++++++++-----------------------------------
 include/linux/fs.h       |  26 ++++++------
 include/linux/mm_types.h |  12 +++++-
 kernel/auditsc.c         |   8 ++--
 5 files changed, 51 insertions(+), 104 deletions(-)

diff --git a/fs/dcache.c b/fs/dcache.c
index 593079176123..749b82b8fa1c 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -3172,10 +3172,6 @@ static void __init dcache_init(void)
 	d_hash_shift = 32 - d_hash_shift;
 }
 
-/* SLAB cache for __getname() consumers */
-struct kmem_cache *names_cachep __read_mostly;
-EXPORT_SYMBOL(names_cachep);
-
 void __init vfs_caches_init_early(void)
 {
 	int i;
@@ -3189,9 +3185,6 @@ void __init vfs_caches_init_early(void)
 
 void __init vfs_caches_init(void)
 {
-	names_cachep = kmem_cache_create_usercopy("names_cache", PATH_MAX, 0,
-			SLAB_HWCACHE_ALIGN|SLAB_PANIC, 0, PATH_MAX, NULL);
-
 	dcache_init();
 	inode_init();
 	files_init();
diff --git a/fs/namei.c b/fs/namei.c
index a09419379f5d..16fb4779d29f 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -122,71 +122,46 @@
  * PATH_MAX includes the nul terminator --RR.
  */
 
-#define EMBEDDED_NAME_MAX	(PATH_MAX - offsetof(struct filename, iname))
+struct filename *alloc_filename(void)
+{
+	struct page *page = alloc_page(GFP_KERNEL);
+
+	page->filename.name = page_to_virt(page);
+	return &page->filename;
+}
+
+void putname(struct filename *name)
+{
+	__free_page(container_of(name, struct page, filename));
+}
+
+void filename_get(struct filename *name)
+{
+	page_ref_inc(container_of(name, struct page, filename));
+}
 
 struct filename *
 getname_flags(const char __user *filename, int flags, int *empty)
 {
 	struct filename *result;
-	char *kname;
 	int len;
 
 	result = audit_reusename(filename);
 	if (result)
 		return result;
 
-	result = __getname();
+	result = alloc_filename();
 	if (unlikely(!result))
 		return ERR_PTR(-ENOMEM);
 
-	/*
-	 * First, try to embed the struct filename inside the names_cache
-	 * allocation
-	 */
-	kname = (char *)result->iname;
-	result->name = kname;
-
-	len = strncpy_from_user(kname, filename, EMBEDDED_NAME_MAX);
+	len = strncpy_from_user((char *)result->name, filename, PATH_MAX);
+	if (unlikely(len == PATH_MAX))
+		len = -ENAMETOOLONG;
 	if (unlikely(len < 0)) {
-		__putname(result);
+		putname(result);
 		return ERR_PTR(len);
 	}
 
-	/*
-	 * Uh-oh. We have a name that's approaching PATH_MAX. Allocate a
-	 * separate struct filename so we can dedicate the entire
-	 * names_cache allocation for the pathname, and re-do the copy from
-	 * userland.
-	 */
-	if (unlikely(len == EMBEDDED_NAME_MAX)) {
-		const size_t size = offsetof(struct filename, iname[1]);
-		kname = (char *)result;
-
-		/*
-		 * size is chosen that way we to guarantee that
-		 * result->iname[0] is within the same object and that
-		 * kname can't be equal to result->iname, no matter what.
-		 */
-		result = kzalloc(size, GFP_KERNEL);
-		if (unlikely(!result)) {
-			__putname(kname);
-			return ERR_PTR(-ENOMEM);
-		}
-		result->name = kname;
-		len = strncpy_from_user(kname, filename, PATH_MAX);
-		if (unlikely(len < 0)) {
-			__putname(kname);
-			kfree(result);
-			return ERR_PTR(len);
-		}
-		if (unlikely(len == PATH_MAX)) {
-			__putname(kname);
-			kfree(result);
-			return ERR_PTR(-ENAMETOOLONG);
-		}
-	}
-
-	result->refcnt = 1;
 	/* The empty path is special. */
 	if (unlikely(!len)) {
 		if (empty)
@@ -215,49 +190,22 @@ getname_kernel(const char * filename)
 	struct filename *result;
 	int len = strlen(filename) + 1;
 
-	result = __getname();
+	result = alloc_filename();
 	if (unlikely(!result))
 		return ERR_PTR(-ENOMEM);
 
-	if (len <= EMBEDDED_NAME_MAX) {
-		result->name = (char *)result->iname;
-	} else if (len <= PATH_MAX) {
-		struct filename *tmp;
-
-		tmp = kmalloc(sizeof(*tmp), GFP_KERNEL);
-		if (unlikely(!tmp)) {
-			__putname(result);
-			return ERR_PTR(-ENOMEM);
-		}
-		tmp->name = (char *)result;
-		result = tmp;
-	} else {
-		__putname(result);
+	if (len > PATH_MAX) {
+		putname(result);
 		return ERR_PTR(-ENAMETOOLONG);
 	}
 	memcpy((char *)result->name, filename, len);
 	result->uptr = NULL;
 	result->aname = NULL;
-	result->refcnt = 1;
 	audit_getname(result);
 
 	return result;
 }
 
-void putname(struct filename *name)
-{
-	BUG_ON(name->refcnt <= 0);
-
-	if (--name->refcnt > 0)
-		return;
-
-	if (name->name != name->iname) {
-		__putname(name->name);
-		kfree(name);
-	} else
-		__putname(name);
-}
-
 static int check_acl(struct inode *inode, int mask)
 {
 #ifdef CONFIG_FS_POSIX_ACL
diff --git a/include/linux/fs.h b/include/linux/fs.h
index ab44a19f2ddd..5c93ebc519fe 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2376,15 +2376,6 @@ static inline int break_layout(struct inode *inode, bool wait)
 #endif /* CONFIG_FILE_LOCKING */
 
 /* fs/open.c */
-struct audit_names;
-struct filename {
-	const char		*name;	/* pointer to actual string */
-	const __user char	*uptr;	/* original userland pointer */
-	struct audit_names	*aname;
-	int			refcnt;
-	const char		iname[];
-};
-
 extern long vfs_truncate(const struct path *, loff_t);
 extern int do_truncate(struct dentry *, loff_t start, unsigned int time_attrs,
 		       struct file *filp);
@@ -2399,6 +2390,18 @@ extern struct file *file_open_root(struct dentry *, struct vfsmount *,
 extern struct file * dentry_open(const struct path *, int, const struct cred *);
 extern int filp_close(struct file *, fl_owner_t id);
 
+/* fs/namei.c */
+static inline void *__getname(void)
+{
+	return (void *)__get_free_page(GFP_KERNEL);
+}
+
+static inline void __putname(const void *name)
+{
+	free_page((unsigned long)name);
+}
+
+void filename_get(struct filename *);
 extern struct filename *getname_flags(const char __user *, int, int *);
 extern struct filename *getname(const char __user *);
 extern struct filename *getname_kernel(const char *);
@@ -2421,11 +2424,6 @@ extern int ioctl_preallocate(struct file *filp, void __user *argp);
 extern void __init vfs_caches_init_early(void);
 extern void __init vfs_caches_init(void);
 
-extern struct kmem_cache *names_cachep;
-
-#define __getname()		kmem_cache_alloc(names_cachep, GFP_KERNEL)
-#define __putname(name)		kmem_cache_free(names_cachep, (void *)(name))
-
 #ifdef CONFIG_BLOCK
 extern int register_blkdev(unsigned int, const char *);
 extern void unregister_blkdev(unsigned int, const char *);
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index 97ceec1c6e21..a6ca28ef4277 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -25,6 +25,13 @@
 struct address_space;
 struct mem_cgroup;
 struct hmm;
+struct audit_names;
+
+struct filename {
+	const char		*name;	/* pointer to actual string */
+	const __user char	*uptr;	/* original userland pointer */
+	struct audit_names	*aname;
+};
 
 /*
  * Each physical page in the system has a struct page associated with
@@ -188,6 +195,7 @@ struct page {
 			spinlock_t ptl;
 #endif
 		};
+		struct filename filename;
 	};
 
 #ifdef CONFIG_MEMCG
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index e80459f7e132..e539550f5983 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1722,7 +1722,7 @@ __audit_reusename(const __user char *uptr)
 		if (!n->name)
 			continue;
 		if (n->name->uptr == uptr) {
-			n->name->refcnt++;
+			filename_get(n->name);
 			return n->name;
 		}
 	}
@@ -1751,7 +1751,7 @@ void __audit_getname(struct filename *name)
 	n->name = name;
 	n->name_len = AUDIT_NAME_FULL;
 	name->aname = n;
-	name->refcnt++;
+	filename_get(name);
 
 	if (!context->pwd.dentry)
 		get_fs_pwd(current->fs, &context->pwd);
@@ -1825,7 +1825,7 @@ void __audit_inode(struct filename *name, const struct dentry *dentry,
 		return;
 	if (name) {
 		n->name = name;
-		name->refcnt++;
+		filename_get(name);
 	}
 
 out:
@@ -1954,7 +1954,7 @@ void __audit_inode_child(struct inode *parent,
 		if (found_parent) {
 			found_child->name = found_parent->name;
 			found_child->name_len = AUDIT_NAME_FULL;
-			found_child->name->refcnt++;
+			filename_get(found_child->name);
 		}
 	}
 

Re: Use struct page for filename

[Al Viro]

On Sat, Apr 07, 2018 at 08:16:46PM -0700, Matthew Wilcox wrote:
> On Fri, Apr 06, 2018 at 03:33:36PM +0200, Dmitry Vyukov wrote:
> > On Fri, Apr 6, 2018 at 3:24 PM, syzbot
> > <syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com> wrote:
> > > cache_from_obj: Wrong slab cache. names_cache but object is from kmalloc-96
> > 
> > Al, do you see how this can happen?
> 
> I don't see how it happened, but when looking at this bug, I thought
> "This is very complicated, I think there's a simpler way to handle this".
> 
> Here's a proposal.  It won't apply to any existing tree (depends on a
> couple of local commits), but I think you'll get the general flavour
> of it.  It's mostly compile-tested (build still running, but fs/ and
> kernel/ compiled without issue).

> +struct audit_names;
> +
> +struct filename {
> +	const char		*name;	/* pointer to actual string */
> +	const __user char	*uptr;	/* original userland pointer */
> +	struct audit_names	*aname;
> +};
>  
>  /*
>   * Each physical page in the system has a struct page associated with
> @@ -188,6 +195,7 @@ struct page {
>  			spinlock_t ptl;
>  #endif
>  		};
> +		struct filename filename;
>  	};

Oh, lovely - extra 24 bytes into each struct page.  Plus the delta to
performance due to switching from kmem_cache_alloc to alloc_page.
Negative one, that is...

Re: WARNING in kmem_cache_free

[Al Viro]

On Fri, Apr 06, 2018 at 03:33:36PM +0200, Dmitry Vyukov wrote:

> Interesting type of bug, I think we see this for the first time.
> 
> Al, do you see how this can happen?

putname() on something that hasn't come from getname().  Short
of reproducer, I don't see what can be done - it can be any
kind of memory corruption.  We have
        return filename_lookup(dfd, getname_flags(name, flags, empty),
                               flags, path, NULL);
with filename_lookup() hitting
        putname(name);
        return retval;
on the way out (and seeing refcount 1, at that, so it hasn't ended
up in audit context).  And object it's trying to free is not something
getname_flags() has allocated.

Re: WARNING in kmem_cache_free

[Matthew Wilcox]

On Fri, Apr 06, 2018 at 03:33:36PM +0200, Dmitry Vyukov wrote:
> On Fri, Apr 6, 2018 at 3:24 PM, syzbot
> <syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com> wrote:
> > Unfortunately, I don't have any reproducer for this crash yet.
> 
> Interesting type of bug, I think we see this for the first time.

Can you focus syzbot to try to find a reproducer?  This seems to be
produced by calling mount() with a pathname that's somewhere between,
say, 3950 & 4100 bytes long from a compat 32-bit task.

Re: WARNING in kmem_cache_free

[Dmitry Vyukov]

On Sun, Apr 8, 2018 at 8:01 AM, Matthew Wilcox <willy@infradead.org> wrote:
> On Fri, Apr 06, 2018 at 03:33:36PM +0200, Dmitry Vyukov wrote:
>> On Fri, Apr 6, 2018 at 3:24 PM, syzbot
>> <syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com> wrote:
>> > Unfortunately, I don't have any reproducer for this crash yet.
>>
>> Interesting type of bug, I think we see this for the first time.
>
> Can you focus syzbot to try to find a reproducer?  This seems to be
> produced by calling mount() with a pathname that's somewhere between,
> say, 3950 & 4100 bytes long from a compat 32-bit task.


Something in the log definitely triggers a very bad heap corruption.

This can be reproduced following instructions at:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers

and then running:
./syz-execprog -sandbox=namespace -arch=386 -repeat=0 -procs=10 log.txt

where log.txt comes from "Raw console output" link.

Note that you need to build syzkaller with 'make TARGETARCH=386' and
the use bin/linux_386/syz-executor.

While running it I got:
BUG: KASAN: double-free or invalid-free in free_request_size+0x5b/0x70
block/blk-core.c:769
https://gist.githubusercontent.com/dvyukov/05f4e77a34795d329aa7a2f40265e396/raw/63a29123b79f1fbad3521d0ff034946be68bfd4a/gistfile1.txt

Then kernel BUG at mm/slab.c:4407!
https://gist.githubusercontent.com/dvyukov/5b3bcc90d326e9da3636aea2c95ace8f/raw/1589504c708994936681d61ba9d70029998b9b1a/gistfile1.txt

And then BUG: unable to handle kernel paging request at ffffebe000000020
https://gist.githubusercontent.com/dvyukov/72025b1c68e488f4fda243e0c152f044/raw/d2c171bc55ad3a43cea33095fa2eea48768b1131/gistfile1.txt

One interesting thing is that if I run the log once and it does not
crash, then when I try to start binary again I am getting:
[  456.837870] Invalid argument reading file caps for /root/syz-executor
The binary somehow becomes broken on disk...

I guess syzbot did find a reproducer in this log, but did not
attribute it to this bug as it causes crashes all over the place.

Re: WARNING in kmem_cache_free

[Dmitry Vyukov]

On Sun, Apr 8, 2018 at 12:26 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
> On Sun, Apr 8, 2018 at 8:01 AM, Matthew Wilcox <willy@infradead.org> wrote:
>> On Fri, Apr 06, 2018 at 03:33:36PM +0200, Dmitry Vyukov wrote:
>>> On Fri, Apr 6, 2018 at 3:24 PM, syzbot
>>> <syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com> wrote:
>>> > Unfortunately, I don't have any reproducer for this crash yet.
>>>
>>> Interesting type of bug, I think we see this for the first time.
>>
>> Can you focus syzbot to try to find a reproducer?  This seems to be
>> produced by calling mount() with a pathname that's somewhere between,
>> say, 3950 & 4100 bytes long from a compat 32-bit task.
>
>
> Something in the log definitely triggers a very bad heap corruption.
>
> This can be reproduced following instructions at:
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers
>
> and then running:
> ./syz-execprog -sandbox=namespace -arch=386 -repeat=0 -procs=10 log.txt
>
> where log.txt comes from "Raw console output" link.
>
> Note that you need to build syzkaller with 'make TARGETARCH=386' and
> the use bin/linux_386/syz-executor.
>
> While running it I got:
> BUG: KASAN: double-free or invalid-free in free_request_size+0x5b/0x70
> block/blk-core.c:769
> https://gist.githubusercontent.com/dvyukov/05f4e77a34795d329aa7a2f40265e396/raw/63a29123b79f1fbad3521d0ff034946be68bfd4a/gistfile1.txt
>
> Then kernel BUG at mm/slab.c:4407!
> https://gist.githubusercontent.com/dvyukov/5b3bcc90d326e9da3636aea2c95ace8f/raw/1589504c708994936681d61ba9d70029998b9b1a/gistfile1.txt
>
> And then BUG: unable to handle kernel paging request at ffffebe000000020
> https://gist.githubusercontent.com/dvyukov/72025b1c68e488f4fda243e0c152f044/raw/d2c171bc55ad3a43cea33095fa2eea48768b1131/gistfile1.txt
>
> One interesting thing is that if I run the log once and it does not
> crash, then when I try to start binary again I am getting:
> [  456.837870] Invalid argument reading file caps for /root/syz-executor
> The binary somehow becomes broken on disk...
>
> I guess syzbot did find a reproducer in this log, but did not
> attribute it to this bug as it causes crashes all over the place.



Running syz-repro utility on this log, I think I've found the guilty guy:
https://gist.githubusercontent.com/dvyukov/1dd75d55efd238e7207af1cc38478b3a/raw/403859b56b161a6fbb158e8953fac5bb6e73b1a1/gistfile1.txt

It crashes as:
BUG: KASAN: use-after-free in drbg_kcapi_seed+0x1178/0x12e0
and:
BUG: unable to handle kernel paging request at ffffebe000000020
and with other indications of badly corrupted heap.

This points to crypto/drbg.c, so +crypto maintainers.

Re: WARNING in kmem_cache_free

[Stephan Müller]

Am Sonntag, 8. April 2018, 13:18:06 CEST schrieb Dmitry Vyukov:

Hi Dmitry,

> 
> Running syz-repro utility on this log, I think I've found the guilty guy:
> https://gist.githubusercontent.com/dvyukov/1dd75d55efd238e7207af1cc38478b3a/
> raw/403859b56b161a6fbb158e8953fac5bb6e73b1a1/gistfile1.txt
> 

I am unable to reproduce it with the code. I am using the current 
cryptodev-2.6 tree with kazan enabled. Could you please give me your kernel 
config or a pointer of the used tree?

> It crashes as:
> BUG: KASAN: use-after-free in drbg_kcapi_seed+0x1178/0x12e0
> and:
> BUG: unable to handle kernel paging request at ffffebe000000020
> and with other indications of badly corrupted heap.
> 
> This points to crypto/drbg.c, so +crypto maintainers.


Ciao
Stephan

Re: WARNING in kmem_cache_free

[Dmitry Vyukov]

On Sun, Apr 8, 2018 at 5:31 PM, Stephan Müller <smueller@chronox.de> wrote:
> Am Sonntag, 8. April 2018, 13:18:06 CEST schrieb Dmitry Vyukov:
>
> Hi Dmitry,
>
>>
>> Running syz-repro utility on this log, I think I've found the guilty guy:
>> https://gist.githubusercontent.com/dvyukov/1dd75d55efd238e7207af1cc38478b3a/
>> raw/403859b56b161a6fbb158e8953fac5bb6e73b1a1/gistfile1.txt
>>
>
> I am unable to reproduce it with the code. I am using the current
> cryptodev-2.6 tree with kazan enabled. Could you please give me your kernel
> config or a pointer of the used tree?

Hi,

Here is config and kernel commit:
https://groups.google.com/d/msg/syzkaller-bugs/PINYyzoaG1s/ntZPOZdcCAAJ
You can also find compiler and image here if necessary:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md

And note that the program needs to be compiled with -m32. The bugs is
probably not-compat specific, but the program injects fault into a
particular malloc invocation and maybe malloc numbering is affected by
compat path.


>> It crashes as:
>> BUG: KASAN: use-after-free in drbg_kcapi_seed+0x1178/0x12e0
>> and:
>> BUG: unable to handle kernel paging request at ffffebe000000020
>> and with other indications of badly corrupted heap.
>>
>> This points to crypto/drbg.c, so +crypto maintainers.
>
>
> Ciao
> Stephan
>
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/4564679.HlOejCIXXz%40positron.chronox.de.
> For more options, visit https://groups.google.com/d/optout.

[PATCH] crypto: DRBG - guard uninstantion by lock

[Stephan Müller]

Am Sonntag, 8. April 2018, 17:41:17 CEST schrieb Dmitry Vyukov:

Hi Dmitry,
> 
> Hi,
> 
> Here is config and kernel commit:
> https://groups.google.com/d/msg/syzkaller-bugs/PINYyzoaG1s/ntZPOZdcCAAJ
> You can also find compiler and image here if necessary:
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md
> 
> And note that the program needs to be compiled with -m32. The bugs is
> probably not-compat specific, but the program injects fault into a
> particular malloc invocation and maybe malloc numbering is affected by
> compat path.

I am unable to reproduce the issue. But since you mention that you induce errors, I could see that the unlocking of the DRBG context is too soon.

Can you please check whether the attached patch fixes the issue?

Thanks

---8<---

In the error code path, the uninstantiation must be guarded by a lock to
ensure that the modification of the context is fully atomic.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Reported-by: syzkaller
---
 crypto/drbg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index 4faa2781c964..68c1949a253f 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1510,8 +1510,8 @@ static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
 	return ret;
 
 free_everything:
-	mutex_unlock(&drbg->drbg_mutex);
 	drbg_uninstantiate(drbg);
+	mutex_unlock(&drbg->drbg_mutex);
 	return ret;
 }
 
-- 
2.14.3

Re: [PATCH] crypto: DRBG - guard uninstantion by lock

[Theodore Y. Ts'o]

On Sun, Apr 08, 2018 at 09:07:03PM +0200, Stephan Müller wrote:
> Can you please check whether the attached patch fixes the issue?
> 

Stephan,

FYI, if you incude in your e-mail "#syz test <GIT URL> <BRANCH>" as
the first line of your patch and the syzbot e-mail is cc'ed, the
syzbot will automatically apply the patch in the e-mail against the
git tree/branch specified in the "#syz test" line, and then try to see
if the problem it discovered still reproduces --- and then send you
e-mail one way or another.

So the syzbot will run while the patch goes through the normal e-mail
review process, which is kind of neat.  :-)

Cheers,

					- Ted

Re: [PATCH] crypto: DRBG - guard uninstantion by lock

[Stephan Mueller]

Am Montag, 9. April 2018, 00:46:03 CEST schrieb Theodore Y. Ts'o:

Hi Theodore,
> 
> So the syzbot will run while the patch goes through the normal e-mail
> review process, which is kind of neat.  :-)

Thank you very much for the hint. That is a neat feature indeed.

As I came late to the party and I missed the original mails, I am wondering 
about which GIT repo was used and which branch of it. With that, I would be 
happy to resubmit with the test line.

Ciao
Stephan

Re: [PATCH] crypto: DRBG - guard uninstantion by lock

[Dmitry Vyukov]

On Mon, Apr 9, 2018 at 7:40 AM, Stephan Mueller <smueller@chronox.de> wrote:
> Am Montag, 9. April 2018, 00:46:03 CEST schrieb Theodore Y. Ts'o:
>
> Hi Theodore,
>>
>> So the syzbot will run while the patch goes through the normal e-mail
>> review process, which is kind of neat.  :-)
>
> Thank you very much for the hint. That is a neat feature indeed.
>
> As I came late to the party and I missed the original mails, I am wondering
> about which GIT repo was used and which branch of it. With that, I would be
> happy to resubmit with the test line.

All syzbot reported bugs are available here:
https://groups.google.com/forum/#!searchin/syzkaller-bugs/"WARNING$20in$20kmem_cache_free"
and here:
https://syzkaller.appspot.com/

But unfortunately testing won't work in this case, because I manually
extracted a reproducer and syzbot does not know about it. This bug
seems to lead to assorted silent heap corruptions and different
manifestations each time, so it's difficult for syzbot to attribute a
reproducer to the bug. When we debug it, it would be nice to
understand why the heap corruption is silent and is not detected by
KASAN and anything else, to prevent such unpleasant cases in future.

I've tested it manually, but unfortunately kernel still crashed within a minute:

$ git status
HEAD detached at f2d285669aae
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)

modified:   crypto/drbg.c

$ git diff
diff --git a/crypto/drbg.c b/crypto/drbg.c
index 4faa2781c964..68c1949a253f 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1510,8 +1510,8 @@ static int drbg_instantiate(struct drbg_state
*drbg, struct drbg_string *pers,
        return ret;

 free_everything:
-       mutex_unlock(&drbg->drbg_mutex);
        drbg_uninstantiate(drbg);
+       mutex_unlock(&drbg->drbg_mutex);
        return ret;
 }

# ./a.out
...
[  183.647874] FAULT_INJECTION: forcing a failure.
[  183.647874] name failslab, interval 1, probability 0, space 0, times 0
[  183.648287] Call Trace:
[  183.648297]  dump_stack+0x1b9/0x29f
[  183.648306]  ? arch_local_irq_restore+0x52/0x52
[  183.648318]  ? __save_stack_trace+0x7e/0xd0
[  183.651848]  should_fail.cold.4+0xa/0x1a
[  183.652411]  ? fault_create_debugfs_attr+0x1f0/0x1f0
[  183.653138]  ? kasan_kmalloc+0xc4/0xe0
[  183.653694]  ? __kmalloc+0x14e/0x760
[  183.654206]  ? drbg_kcapi_seed+0x776/0x12e0
[  183.654798]  ? crypto_rng_reset+0x7c/0x130
[  183.655379]  ? rng_setkey+0x25/0x30
[  183.655882]  ? alg_setsockopt+0x306/0x3b0
[  183.656450]  ? graph_lock+0x170/0x170
[  183.656975]  ? entry_SYSENTER_compat+0x70/0x7f
[  183.657606]  ? find_held_lock+0x36/0x1c0
[  183.658164]  ? __lock_is_held+0xb5/0x140
[  183.658728]  ? check_same_owner+0x320/0x320
[  183.659321]  ? rcu_note_context_switch+0x710/0x710
[  183.660000]  should_failslab+0x124/0x180
[  183.660561]  __kmalloc+0x2c8/0x760
[  183.661046]  ? graph_lock+0x170/0x170
[  183.661569]  ? drbg_kcapi_seed+0x882/0x12e0
[  183.662161]  drbg_kcapi_seed+0x882/0x12e0
[  183.662731]  ? drbg_seed+0x10a0/0x10a0
[  183.663267]  ? lock_downgrade+0x8e0/0x8e0
[  183.663833]  ? lock_acquire+0x1dc/0x520
[  183.664385]  ? lock_release+0xa10/0xa10
[  183.664934]  ? check_same_owner+0x320/0x320
[  183.665530]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  183.666292]  ? __check_object_size+0x95/0x5d9
[  183.666904]  ? sock_kmalloc+0x14e/0x1d0
[  183.667444]  ? mark_held_locks+0xc9/0x160
[  183.668020]  ? __might_sleep+0x95/0x190
[  183.668567]  crypto_rng_reset+0x7c/0x130
[  183.669124]  rng_setkey+0x25/0x30
[  183.669598]  ? rng_sock_destruct+0x90/0x90
[  183.670176]  alg_setsockopt+0x306/0x3b0
[  183.670724]  __compat_sys_setsockopt+0x315/0x7c0
[  183.671375]  ? __compat_sys_getsockopt+0x7f0/0x7f0
[  183.672057]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.672813]  ? ksys_write+0x1a6/0x250
[  183.673333]  ? SyS_read+0x30/0x30
[  183.673811]  compat_SyS_setsockopt+0x34/0x50
[  183.674416]  ? scm_detach_fds_compat+0x440/0x440
[  183.675079]  do_fast_syscall_32+0x41f/0x10dc
[  183.675725]  ? do_page_fault+0xee/0x8a7
[  183.676284]  ? do_int80_syscall_32+0xa70/0xa70
[  183.676925]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  183.677590]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.678348]  ? syscall_return_slowpath+0x30f/0x5c0
[  183.679026]  ? sysret32_from_system_call+0x5/0x3c
[  183.679694]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  183.680380]  entry_SYSENTER_compat+0x70/0x7f
[  183.681000] RIP: 0023:0xf7f0ecb9
[  183.681488] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296 ORIG_RAX:
000000000000016e
[  183.682606] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
[  183.683620] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
[  183.684602] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
[  183.685622] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  183.686642] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  183.687712] CPU: 0 PID: 5506 Comm: a.out Not tainted 4.16.0+ #4
[  183.688602] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.10.2-1 04/01/2014
[  183.689764] BUG: unable to handle kernel
[  183.689776] Call Trace:
[  183.689782] NULL pointer dereference
[  183.690367]  dump_stack+0x1b9/0x29f
[  183.690709]  at 0000000000000106
[  183.691237]  ? arch_local_irq_restore+0x52/0x52
[  183.691721] PGD 64a50067
[  183.692164]  should_fail.cold.4+0xa/0x1a
[  183.692747] P4D 64a50067
[  183.693110]  ? fault_create_debugfs_attr+0x1f0/0x1f0
[  183.693620] PUD 61a17067
[  183.693981]  ? graph_lock+0x170/0x170
[  183.694622] PMD 0
[  183.694980]  ? find_held_lock+0x36/0x1c0
[  183.695766]  ? __lock_is_held+0xb5/0x140
[  183.696285] Oops: 0000 [#1] SMP KASAN
[  183.696852]  ? check_same_owner+0x320/0x320
[  183.697337] Modules linked in:
[  183.697962]  ? rcu_note_context_switch+0x710/0x710
[  183.697973] CPU: 2 PID: 4054 Comm: a.out Not tainted 4.16.0+ #4
[  183.698436]  ? drbg_init_hash_kernel+0x300/0x300
[  183.699060] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.10.2-1 04/01/2014
[  183.699942]  should_failslab+0x124/0x180
[  183.700559] RIP: 0010:qlist_free_all+0x37/0x160
[  183.701763]  __kmalloc+0x2c8/0x760
[  183.702292] RSP: 0018:ffff880062de7050 EFLAGS: 00010246
[  183.702976]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  183.703437] RAX: ffff88000040008c RBX: 0000000000000282 RCX: 0000000000000000
[  183.704205]  ? drbg_kcapi_seed+0x776/0x12e0
[  183.704804] RDX: ffffea0000010000 RSI: ffff88007ffdc39f RDI: 0000000000000282
[  183.704812] RBP: ffff880062de7088 R08: ffff88006bb1ce78 R09: 0000000000000006
[  183.705824]  drbg_kcapi_seed+0x776/0x12e0
[  183.706369] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  183.706377] R13: 000000000000000a R14: ffff88000040008c R15: ffffffff88b172a0
[  183.707382]  ? drbg_seed+0x10a0/0x10a0
[  183.708311] FS:  0000000000000000(0000) GS:ffff88006c900000(0063)
knlGS:0000000009fbd840
[  183.708839]  ? lock_downgrade+0x8e0/0x8e0
[  183.709760] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[  183.710760]  ? lock_acquire+0x1dc/0x520
[  183.711252] CR2: 0000000000000106 CR3: 00000000651d8002 CR4: 00000000001606e0
[  183.711257] Call Trace:
[  183.712390]  ? lock_release+0xa10/0xa10
[  183.712922]  quarantine_reduce+0x141/0x170
[  183.713733]  ? check_same_owner+0x320/0x320
[  183.714246]  kasan_kmalloc+0x99/0xe0
[  183.715244]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  183.715586]  kasan_slab_alloc+0x12/0x20
[  183.716143]  ? __check_object_size+0x95/0x5d9
[  183.716683]  kmem_cache_alloc_node+0x131/0x780
[  183.717282]  ? sock_kmalloc+0x14e/0x1d0
[  183.717760]  ? do_raw_spin_unlock+0x1f9/0x2e0
[  183.718520]  ? mark_held_locks+0xc9/0x160
[  183.719029]  ? do_raw_spin_trylock+0x1b0/0x1b0
[  183.719654]  ? __might_sleep+0x95/0x190
[  183.720280]  copy_process.part.39+0x16c4/0x6ee0
[  183.720828]  crypto_rng_reset+0x7c/0x130
[  183.721434]  ? trace_hardirqs_on+0xd/0x10
[  183.722007]  rng_setkey+0x25/0x30
[  183.722596]  ? debug_object_active_state+0x2e7/0x4e0
[  183.723145]  ? rng_sock_destruct+0x90/0x90
[  183.723745]  ? kasan_check_read+0x11/0x20
[  183.724308]  alg_setsockopt+0x306/0x3b0
[  183.724845]  ? rcu_is_watching+0x85/0x140
[  183.725324]  __compat_sys_setsockopt+0x315/0x7c0
[  183.725972]  ? rcu_bh_force_quiescent_state+0x20/0x20
[  183.726560]  ? __compat_sys_getsockopt+0x7f0/0x7f0
[  183.727091]  ? __call_rcu.constprop.68+0x396/0xbb0
[  183.727643]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.728173]  ? __cleanup_sighand+0x70/0x70
[  183.728827]  ? ksys_write+0x1a6/0x250
[  183.729485]  ? note_gp_changes+0x540/0x540
[  183.730161]  ? SyS_read+0x30/0x30
[  183.730797]  ? lock_downgrade+0x8e0/0x8e0
[  183.731558]  compat_SyS_setsockopt+0x34/0x50
[  183.732109]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  183.732636]  ? scm_detach_fds_compat+0x440/0x440
[  183.733180]  ? tty_kref_put.part.14+0x81/0x250
[  183.733657]  do_fast_syscall_32+0x41f/0x10dc
[  183.734190]  ? __cleanup_sighand+0x58/0x70
[  183.734798]  ? do_page_fault+0xee/0x8a7
[  183.735505]  ? do_raw_write_trylock+0x1b0/0x1b0
[  183.736162]  ? do_int80_syscall_32+0xa70/0xa70
[  183.736745]  ? print_usage_bug+0xc0/0xc0
[  183.737367]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  183.737907]  ? trace_hardirqs_on_caller+0x421/0x5c0
[  183.738459]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.739057]  ? call_rcu_sched+0x12/0x20
[  183.739700]  ? syscall_return_slowpath+0x30f/0x5c0
[  183.740220]  ? release_task.part.15+0xf70/0x1b90
[  183.740882]  ? sysret32_from_system_call+0x5/0x3c
[  183.741522]  ? __lock_acquire+0x7f5/0x5130
[  183.742290]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  183.742798]  ? rcu_is_watching+0x85/0x140
[  183.743480]  entry_SYSENTER_compat+0x70/0x7f
[  183.744099]  ? find_held_lock+0x36/0x1c0
[  183.744769] RIP: 0023:0xf7f0ecb9
[  183.745327]  ? debug_check_no_locks_freed+0x310/0x310
[  183.745990] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296
[  183.746525]  ? lock_downgrade+0x8e0/0x8e0
[  183.747126]  ORIG_RAX: 000000000000016e
[  183.747653]  ? find_held_lock+0x36/0x1c0
[  183.748117] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
[  183.748800]  ? print_usage_bug+0xc0/0xc0
[  183.749530] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
[  183.749538] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
[  183.750087]  ? lock_downgrade+0x8e0/0x8e0
[  183.750632] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  183.751152]  ? lock_downgrade+0x8e0/0x8e0
[  183.752156] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  183.752170] CPU: 3 PID: 5504 Comm: a.out Not tainted 4.16.0+ #4
[  183.752693]  ? __lock_acquire+0x7f5/0x5130
[  183.753653] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.10.2-1 04/01/2014
[  183.754595]  ? graph_lock+0x170/0x170
[  183.755167] Call Trace:
[  183.756102]  ? trace_hardirqs_on_caller+0x421/0x5c0
[  183.756639]  dump_stack+0x1b9/0x29f
[  183.757562]  ? debug_check_no_locks_freed+0x310/0x310
[  183.758333]  ? arch_local_irq_restore+0x52/0x52
[  183.758872]  ? find_held_lock+0x36/0x1c0
[  183.759218] FAULT_INJECTION: forcing a failure.
[  183.759218] name failslab, interval 1, probability 0, space 0, times 0
[  183.759966]  ? __save_stack_trace+0x7e/0xd0
[  183.760453]  ? lock_downgrade+0x8e0/0x8e0
[  183.760788]  should_fail.cold.4+0xa/0x1a
[  183.761427]  ? do_raw_spin_unlock+0x1f9/0x2e0
[  183.761933]  ? fault_create_debugfs_attr+0x1f0/0x1f0
[  183.762593]  ? do_raw_spin_trylock+0x1b0/0x1b0
[  183.763216]  ? kasan_kmalloc+0xc4/0xe0
[  183.763742]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
[  183.765288]  ? __kmalloc+0x14e/0x760
[  183.765844]  ? trace_hardirqs_on_caller+0x421/0x5c0
[  183.766423]  ? drbg_kcapi_seed+0x776/0x12e0
[  183.766945]  ? trace_hardirqs_on+0xd/0x10
[  183.767556]  ? crypto_rng_reset+0x7c/0x130
[  183.768227]  ? graph_lock+0x170/0x170
[  183.768845]  ? rng_setkey+0x25/0x30
[  183.769368]  ? add_wait_queue+0x2a0/0x2a0
[  183.770026]  ? alg_setsockopt+0x306/0x3b0
[  183.770501]  ? kasan_check_write+0x14/0x20
[  183.771198]  ? graph_lock+0x170/0x170
[  183.771758]  ? do_raw_read_lock+0x3f/0x80
[  183.772336]  ? entry_SYSENTER_compat+0x70/0x7f
[  183.772887]  _do_fork+0x291/0x12a0
[  183.773416]  ? find_held_lock+0x36/0x1c0
[  183.773881]  ? fork_idle+0x1a0/0x1a0
[  183.774458]  ? __lock_is_held+0xb5/0x140
[  183.774989]  ? lock_release+0xa10/0xa10
[  183.775581]  ? check_same_owner+0x320/0x320
[  183.776070]  ? check_same_owner+0x320/0x320
[  183.776650]  ? rcu_note_context_switch+0x710/0x710
[  183.777234]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  183.777725]  should_failslab+0x124/0x180
[  183.778246]  ? put_pid.part.2+0x1bc/0x230
[  183.778792]  __kmalloc+0x2c8/0x760
[  183.779311]  ? __might_sleep+0x95/0x190
[  183.779871]  ? graph_lock+0x170/0x170
[  183.780426]  ? __might_fault+0x1a3/0x1e0
[  183.781007]  ? drbg_kcapi_seed+0x882/0x12e0
[  183.781643]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.782423]  drbg_kcapi_seed+0x882/0x12e0
[  183.782942]  ? kernel_wait4+0x2d8/0x3d0
[  183.783520]  ? drbg_seed+0x10a0/0x10a0
[  183.783980]  ? SyS_waitid+0x40/0x40
[  183.784539]  ? lock_downgrade+0x8e0/0x8e0
[  183.785026]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.785596]  ? lock_acquire+0x1dc/0x520
[  183.786146]  ? task_stopped_code+0x190/0x190
[  183.786922]  ? lock_release+0xa10/0xa10
[  183.787451]  compat_SyS_x86_clone+0x37/0x50
[  183.788020]  ? check_same_owner+0x320/0x320
[  183.788517]  ? compat_SyS_x86_fallocate+0x60/0x60
[  183.789028]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  183.789556]  do_fast_syscall_32+0x41f/0x10dc
[  183.790334]  ? __check_object_size+0x95/0x5d9
[  183.790841]  ? do_page_fault+0xee/0x8a7
[  183.791460]  ? sock_kmalloc+0x14e/0x1d0
[  183.791971]  ? do_int80_syscall_32+0xa70/0xa70
[  183.792583]  ? mark_held_locks+0xc9/0x160
[  183.793137]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  183.793820]  ? __might_sleep+0x95/0x190
[  183.794528]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.795147]  crypto_rng_reset+0x7c/0x130
[  183.795737]  ? syscall_return_slowpath+0x30f/0x5c0
[  183.796291]  rng_setkey+0x25/0x30
[  183.796803]  ? sysret32_from_system_call+0x5/0x3c
[  183.797442]  ? rng_sock_destruct+0x90/0x90
[  183.797997]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  183.798658]  alg_setsockopt+0x306/0x3b0
[  183.799166]  entry_SYSENTER_compat+0x70/0x7f
[  183.799971]  __compat_sys_setsockopt+0x315/0x7c0
[  183.800486] RIP: 0023:0xf7f0ecb9
[  183.801190]  ? __compat_sys_getsockopt+0x7f0/0x7f0
[  183.801631] RSP: 002b:00000000ffeb1ec0 EFLAGS: 00000246
[  183.802312]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.802850]  ORIG_RAX: 0000000000000078
[  183.803534]  ? ksys_write+0x1a6/0x250
[  183.804067] RAX: ffffffffffffffda RBX: 0000000001200011 RCX: 0000000000000000
[  183.804693]  ? SyS_read+0x30/0x30
[  183.805295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000009fbd8a8
[  183.805768]  compat_SyS_setsockopt+0x34/0x50
[  183.806404] RBP: 00000000ffeb1ef8 R08: 0000000000000000 R09: 0000000000000000
[  183.807154]  ? scm_detach_fds_compat+0x440/0x440
[  183.807861] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  183.808421]  do_fast_syscall_32+0x41f/0x10dc
[  183.808900] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  183.808905] Code:
[  183.809928]  ? do_page_fault+0xee/0x8a7
[  183.810365] 55
[  183.811385]  ? do_int80_syscall_32+0xa70/0xa70
[  183.811949] 48
[  183.812992]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  183.813590] 89
[  183.814630]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.815191] e5
[  183.816214]  ? syscall_return_slowpath+0x30f/0x5c0
[  183.816487] 41
[  183.817066]  ? sysret32_from_system_call+0x5/0x3c
[  183.817313] 57
[  183.817958]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  183.818200] 49
[  183.818869]  entry_SYSENTER_compat+0x70/0x7f
[  183.819109] c7
[  183.819894] RIP: 0023:0xf7f0ecb9
[  183.820135] c7
[  183.820821] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296
[  183.821065] a0
[  183.821738]  ORIG_RAX: 000000000000016e
[  183.821984] 72
[  183.822657] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
[  183.822900] b1
[  183.823513] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
[  183.823760] 88
[  183.824230] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
[  183.824238] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  183.824492] 41
[  183.825238] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  183.825250] CPU: 0 PID: 5512 Comm: a.out Not tainted 4.16.0+ #4
[  183.825490] 56
[  183.826073] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.10.2-1 04/01/2014
[  183.826204] FAULT_INJECTION: forcing a failure.
[  183.826204] name failslab, interval 1, probability 0, space 0, times 0
[  183.826315] 41
[  183.827333] Call Trace:
[  183.827583] 55
[  183.828608]  dump_stack+0x1b9/0x29f
[  183.828844] 41
[  183.829864]  ? arch_local_irq_restore+0x52/0x52
[  183.830780] 54
[  183.831054]  ? __save_stack_trace+0x7e/0xd0
[  183.831979] 49
[  183.832860]  should_fail.cold.4+0xa/0x1a
[  183.833097] 89
[  183.834277]  ? fault_create_debugfs_attr+0x1f0/0x1f0
[  183.835690] f4
[  183.835964]  ? kasan_kmalloc+0xc4/0xe0
[  183.836300] 53
[  183.836568]  ? __kmalloc+0x14e/0x760
[  183.836577]  ? drbg_kcapi_seed+0x776/0x12e0
[  183.837061] 48
[  183.837329]  ? crypto_rng_reset+0x7c/0x130
[  183.837338]  ? rng_setkey+0x25/0x30
[  183.837931] 83
[  183.838200]  ? alg_setsockopt+0x306/0x3b0
[  183.838748] ec
[  183.839015]  ? __compat_sys_setsockopt+0x315/0x7c0
[  183.839026]  ? do_fast_syscall_32+0x41f/0x10dc
[  183.839536] 10
[  183.839814]  ? entry_SYSENTER_compat+0x70/0x7f
[  183.840457] 48
[  183.840728]  ? check_same_owner+0x320/0x320
[  183.841224] 89
[  183.841495]  ? kasan_check_write+0x14/0x20
[  183.841969] 7d
[  183.842572]  ? kasan_unpoison_shadow+0x35/0x50
[  183.842811] c8
[  183.843405]  ? lock_acquire+0x1dc/0x520
[  183.843867] 4d
[  183.844142]  ? fs_reclaim_acquire+0x20/0x20
[  183.844665] 89
[  183.844935]  ? lock_downgrade+0x8e0/0x8e0
[  183.845555] e5
[  183.846234]  ? lock_release+0xa10/0xa10
[  183.846474] 4d
[  183.847130]  ? drbg_init_sym_kernel+0x516/0x74a
[  183.847139]  ? check_same_owner+0x320/0x320
[  183.847380] 85
[  183.847991]  ? rcu_note_context_switch+0x710/0x710
[  183.848229] e4
[  183.848824]  should_failslab+0x124/0x180
[  183.849063] 0f
[  183.849707]  __kmalloc+0x2c8/0x760
[  183.849946] 84
[  183.850505]  ? lock_acquire+0x1dc/0x520
[  183.850744] c8
[  183.851350]  ? __fget+0x3e3/0x650
[  183.851593] 00
[  183.852177]  ? drbg_kcapi_seed+0x882/0x12e0
[  183.852416] 00
[  183.852972]  drbg_kcapi_seed+0x882/0x12e0
[  183.853213] 00
[  183.853867]  ? drbg_seed+0x10a0/0x10a0
[  183.854414] <49>
[  183.854688]  ? lock_acquire+0x1dc/0x520
[  183.855313] 63
[  183.855591]  ? __might_fault+0x12b/0x1e0
[  183.856105] 95
[  183.856375]  ? lock_downgrade+0x8e0/0x8e0
[  183.856821] fc
[  183.857090]  ? lock_acquire+0x1dc/0x520
[  183.857590] 00
[  183.857858]  ? lock_release+0xa10/0xa10
[  183.858319] 00
[  183.858589]  ? check_same_owner+0x320/0x320
[  183.859131] 00
[  183.859401]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  183.859928] 4c
[  183.860200]  ? __check_object_size+0x95/0x5d9
[  183.860689] 8b
[  183.860983]  ? sock_kmalloc+0x14e/0x1d0
[  183.861482] 30
[  183.861748]  ? do_raw_spin_unlock+0x1f9/0x2e0
[  183.861758]  ? __might_sleep+0x95/0x190
[  183.862269] 48
[  183.862539]  crypto_rng_reset+0x7c/0x130
[  183.863079] 29
[  183.863348]  rng_setkey+0x25/0x30
[  183.863878] d0
[  183.864150]  ? rng_sock_destruct+0x90/0x90
[  183.864654] 49
[  183.864924]  alg_setsockopt+0x306/0x3b0
[  183.865488] 83
[  183.865758]  __compat_sys_setsockopt+0x315/0x7c0
[  183.866488] 3f
[  183.866758]  ? __compat_sys_getsockopt+0x7f0/0x7f0
[  183.867324] 00
[  183.867598]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.868098] 48
[  183.868369]  ? ksys_write+0x1a6/0x250
[  183.868941] 89
[  183.869500]  ? SyS_read+0x30/0x30
[  183.869740] c6
[  183.870312]  compat_SyS_setsockopt+0x34/0x50
[  183.870551] 0f
[  183.871043]  ? scm_detach_fds_compat+0x440/0x440
[  183.871289] RIP: qlist_free_all+0x37/0x160 RSP: ffff880062de7050
[  183.871893]  do_fast_syscall_32+0x41f/0x10dc
[  183.872134] CR2: 0000000000000106
[  183.872695]  ? do_page_fault+0xee/0x8a7
[  183.872988] ---[ end trace 0fa4e77a7b3c174f ]---
[  183.873604]  ? do_int80_syscall_32+0xa70/0xa70
[  183.873611]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  183.873622]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  183.873871] Kernel panic - not syncing: Fatal exception
[  183.874560]  ? syscall_return_slowpath+0x30f/0x5c0
[  183.885552]  ? prepare_exit_to_usermode+0x390/0x390
[  183.886255]  ? prepare_exit_to_usermode+0x285/0x390
[  183.886953]  ? perf_trace_sys_enter+0xaf0/0xaf0
[  183.887609]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  183.888289]  entry_SYSENTER_compat+0x70/0x7f
[  183.888906] RIP: 0023:0xf7f0ecb9
[  183.889376] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296 ORIG_RAX:
000000000000016e
[  183.890447] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
[  183.891452] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
[  183.892463] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
[  183.893471] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  183.894481] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  183.895514] Kernel Offset: disabled
[  183.896034] Rebooting in 86400 seconds..

Re: [PATCH] crypto: DRBG - guard uninstantion by lock

[Dmitry Vyukov]

On Mon, Apr 9, 2018 at 9:57 AM, Dmitry Vyukov <dvyukov@google.com> wrote:
> On Mon, Apr 9, 2018 at 7:40 AM, Stephan Mueller <smueller@chronox.de> wrote:
>> Am Montag, 9. April 2018, 00:46:03 CEST schrieb Theodore Y. Ts'o:
>>
>> Hi Theodore,
>>>
>>> So the syzbot will run while the patch goes through the normal e-mail
>>> review process, which is kind of neat.  :-)
>>
>> Thank you very much for the hint. That is a neat feature indeed.
>>
>> As I came late to the party and I missed the original mails, I am wondering
>> about which GIT repo was used and which branch of it. With that, I would be
>> happy to resubmit with the test line.
>
> All syzbot reported bugs are available here:
> https://groups.google.com/forum/#!searchin/syzkaller-bugs/"WARNING$20in$20kmem_cache_free"
> and here:
> https://syzkaller.appspot.com/
>
> But unfortunately testing won't work in this case, because I manually
> extracted a reproducer and syzbot does not know about it. This bug
> seems to lead to assorted silent heap corruptions and different
> manifestations each time, so it's difficult for syzbot to attribute a
> reproducer to the bug. When we debug it, it would be nice to
> understand why the heap corruption is silent and is not detected by
> KASAN and anything else, to prevent such unpleasant cases in future.
>
> I've tested it manually, but unfortunately kernel still crashed within a minute:

Stephan,

Do you have any hypothesis as to why this is not detected by KASAN and
causes silent corruptions?
We generally try to understand such cases and improve KASAN so that it
catches such cases more reliably and they do not cause splashes of
random crashes on syzbot.

Thanks



> $ git status
> HEAD detached at f2d285669aae
> Changes not staged for commit:
>   (use "git add <file>..." to update what will be committed)
>   (use "git checkout -- <file>..." to discard changes in working directory)
>
> modified:   crypto/drbg.c
>
> $ git diff
> diff --git a/crypto/drbg.c b/crypto/drbg.c
> index 4faa2781c964..68c1949a253f 100644
> --- a/crypto/drbg.c
> +++ b/crypto/drbg.c
> @@ -1510,8 +1510,8 @@ static int drbg_instantiate(struct drbg_state
> *drbg, struct drbg_string *pers,
>         return ret;
>
>  free_everything:
> -       mutex_unlock(&drbg->drbg_mutex);
>         drbg_uninstantiate(drbg);
> +       mutex_unlock(&drbg->drbg_mutex);
>         return ret;
>  }
>
> # ./a.out
> ...
> [  183.647874] FAULT_INJECTION: forcing a failure.
> [  183.647874] name failslab, interval 1, probability 0, space 0, times 0
> [  183.648287] Call Trace:
> [  183.648297]  dump_stack+0x1b9/0x29f
> [  183.648306]  ? arch_local_irq_restore+0x52/0x52
> [  183.648318]  ? __save_stack_trace+0x7e/0xd0
> [  183.651848]  should_fail.cold.4+0xa/0x1a
> [  183.652411]  ? fault_create_debugfs_attr+0x1f0/0x1f0
> [  183.653138]  ? kasan_kmalloc+0xc4/0xe0
> [  183.653694]  ? __kmalloc+0x14e/0x760
> [  183.654206]  ? drbg_kcapi_seed+0x776/0x12e0
> [  183.654798]  ? crypto_rng_reset+0x7c/0x130
> [  183.655379]  ? rng_setkey+0x25/0x30
> [  183.655882]  ? alg_setsockopt+0x306/0x3b0
> [  183.656450]  ? graph_lock+0x170/0x170
> [  183.656975]  ? entry_SYSENTER_compat+0x70/0x7f
> [  183.657606]  ? find_held_lock+0x36/0x1c0
> [  183.658164]  ? __lock_is_held+0xb5/0x140
> [  183.658728]  ? check_same_owner+0x320/0x320
> [  183.659321]  ? rcu_note_context_switch+0x710/0x710
> [  183.660000]  should_failslab+0x124/0x180
> [  183.660561]  __kmalloc+0x2c8/0x760
> [  183.661046]  ? graph_lock+0x170/0x170
> [  183.661569]  ? drbg_kcapi_seed+0x882/0x12e0
> [  183.662161]  drbg_kcapi_seed+0x882/0x12e0
> [  183.662731]  ? drbg_seed+0x10a0/0x10a0
> [  183.663267]  ? lock_downgrade+0x8e0/0x8e0
> [  183.663833]  ? lock_acquire+0x1dc/0x520
> [  183.664385]  ? lock_release+0xa10/0xa10
> [  183.664934]  ? check_same_owner+0x320/0x320
> [  183.665530]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
> [  183.666292]  ? __check_object_size+0x95/0x5d9
> [  183.666904]  ? sock_kmalloc+0x14e/0x1d0
> [  183.667444]  ? mark_held_locks+0xc9/0x160
> [  183.668020]  ? __might_sleep+0x95/0x190
> [  183.668567]  crypto_rng_reset+0x7c/0x130
> [  183.669124]  rng_setkey+0x25/0x30
> [  183.669598]  ? rng_sock_destruct+0x90/0x90
> [  183.670176]  alg_setsockopt+0x306/0x3b0
> [  183.670724]  __compat_sys_setsockopt+0x315/0x7c0
> [  183.671375]  ? __compat_sys_getsockopt+0x7f0/0x7f0
> [  183.672057]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.672813]  ? ksys_write+0x1a6/0x250
> [  183.673333]  ? SyS_read+0x30/0x30
> [  183.673811]  compat_SyS_setsockopt+0x34/0x50
> [  183.674416]  ? scm_detach_fds_compat+0x440/0x440
> [  183.675079]  do_fast_syscall_32+0x41f/0x10dc
> [  183.675725]  ? do_page_fault+0xee/0x8a7
> [  183.676284]  ? do_int80_syscall_32+0xa70/0xa70
> [  183.676925]  ? trace_hardirqs_on_thunk+0x1a/0x1c
> [  183.677590]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.678348]  ? syscall_return_slowpath+0x30f/0x5c0
> [  183.679026]  ? sysret32_from_system_call+0x5/0x3c
> [  183.679694]  ? trace_hardirqs_off_thunk+0x1a/0x1c
> [  183.680380]  entry_SYSENTER_compat+0x70/0x7f
> [  183.681000] RIP: 0023:0xf7f0ecb9
> [  183.681488] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296 ORIG_RAX:
> 000000000000016e
> [  183.682606] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
> [  183.683620] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
> [  183.684602] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
> [  183.685622] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> [  183.686642] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [  183.687712] CPU: 0 PID: 5506 Comm: a.out Not tainted 4.16.0+ #4
> [  183.688602] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS 1.10.2-1 04/01/2014
> [  183.689764] BUG: unable to handle kernel
> [  183.689776] Call Trace:
> [  183.689782] NULL pointer dereference
> [  183.690367]  dump_stack+0x1b9/0x29f
> [  183.690709]  at 0000000000000106
> [  183.691237]  ? arch_local_irq_restore+0x52/0x52
> [  183.691721] PGD 64a50067
> [  183.692164]  should_fail.cold.4+0xa/0x1a
> [  183.692747] P4D 64a50067
> [  183.693110]  ? fault_create_debugfs_attr+0x1f0/0x1f0
> [  183.693620] PUD 61a17067
> [  183.693981]  ? graph_lock+0x170/0x170
> [  183.694622] PMD 0
> [  183.694980]  ? find_held_lock+0x36/0x1c0
> [  183.695766]  ? __lock_is_held+0xb5/0x140
> [  183.696285] Oops: 0000 [#1] SMP KASAN
> [  183.696852]  ? check_same_owner+0x320/0x320
> [  183.697337] Modules linked in:
> [  183.697962]  ? rcu_note_context_switch+0x710/0x710
> [  183.697973] CPU: 2 PID: 4054 Comm: a.out Not tainted 4.16.0+ #4
> [  183.698436]  ? drbg_init_hash_kernel+0x300/0x300
> [  183.699060] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS 1.10.2-1 04/01/2014
> [  183.699942]  should_failslab+0x124/0x180
> [  183.700559] RIP: 0010:qlist_free_all+0x37/0x160
> [  183.701763]  __kmalloc+0x2c8/0x760
> [  183.702292] RSP: 0018:ffff880062de7050 EFLAGS: 00010246
> [  183.702976]  ? trace_hardirqs_on_thunk+0x1a/0x1c
> [  183.703437] RAX: ffff88000040008c RBX: 0000000000000282 RCX: 0000000000000000
> [  183.704205]  ? drbg_kcapi_seed+0x776/0x12e0
> [  183.704804] RDX: ffffea0000010000 RSI: ffff88007ffdc39f RDI: 0000000000000282
> [  183.704812] RBP: ffff880062de7088 R08: ffff88006bb1ce78 R09: 0000000000000006
> [  183.705824]  drbg_kcapi_seed+0x776/0x12e0
> [  183.706369] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> [  183.706377] R13: 000000000000000a R14: ffff88000040008c R15: ffffffff88b172a0
> [  183.707382]  ? drbg_seed+0x10a0/0x10a0
> [  183.708311] FS:  0000000000000000(0000) GS:ffff88006c900000(0063)
> knlGS:0000000009fbd840
> [  183.708839]  ? lock_downgrade+0x8e0/0x8e0
> [  183.709760] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
> [  183.710760]  ? lock_acquire+0x1dc/0x520
> [  183.711252] CR2: 0000000000000106 CR3: 00000000651d8002 CR4: 00000000001606e0
> [  183.711257] Call Trace:
> [  183.712390]  ? lock_release+0xa10/0xa10
> [  183.712922]  quarantine_reduce+0x141/0x170
> [  183.713733]  ? check_same_owner+0x320/0x320
> [  183.714246]  kasan_kmalloc+0x99/0xe0
> [  183.715244]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
> [  183.715586]  kasan_slab_alloc+0x12/0x20
> [  183.716143]  ? __check_object_size+0x95/0x5d9
> [  183.716683]  kmem_cache_alloc_node+0x131/0x780
> [  183.717282]  ? sock_kmalloc+0x14e/0x1d0
> [  183.717760]  ? do_raw_spin_unlock+0x1f9/0x2e0
> [  183.718520]  ? mark_held_locks+0xc9/0x160
> [  183.719029]  ? do_raw_spin_trylock+0x1b0/0x1b0
> [  183.719654]  ? __might_sleep+0x95/0x190
> [  183.720280]  copy_process.part.39+0x16c4/0x6ee0
> [  183.720828]  crypto_rng_reset+0x7c/0x130
> [  183.721434]  ? trace_hardirqs_on+0xd/0x10
> [  183.722007]  rng_setkey+0x25/0x30
> [  183.722596]  ? debug_object_active_state+0x2e7/0x4e0
> [  183.723145]  ? rng_sock_destruct+0x90/0x90
> [  183.723745]  ? kasan_check_read+0x11/0x20
> [  183.724308]  alg_setsockopt+0x306/0x3b0
> [  183.724845]  ? rcu_is_watching+0x85/0x140
> [  183.725324]  __compat_sys_setsockopt+0x315/0x7c0
> [  183.725972]  ? rcu_bh_force_quiescent_state+0x20/0x20
> [  183.726560]  ? __compat_sys_getsockopt+0x7f0/0x7f0
> [  183.727091]  ? __call_rcu.constprop.68+0x396/0xbb0
> [  183.727643]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.728173]  ? __cleanup_sighand+0x70/0x70
> [  183.728827]  ? ksys_write+0x1a6/0x250
> [  183.729485]  ? note_gp_changes+0x540/0x540
> [  183.730161]  ? SyS_read+0x30/0x30
> [  183.730797]  ? lock_downgrade+0x8e0/0x8e0
> [  183.731558]  compat_SyS_setsockopt+0x34/0x50
> [  183.732109]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
> [  183.732636]  ? scm_detach_fds_compat+0x440/0x440
> [  183.733180]  ? tty_kref_put.part.14+0x81/0x250
> [  183.733657]  do_fast_syscall_32+0x41f/0x10dc
> [  183.734190]  ? __cleanup_sighand+0x58/0x70
> [  183.734798]  ? do_page_fault+0xee/0x8a7
> [  183.735505]  ? do_raw_write_trylock+0x1b0/0x1b0
> [  183.736162]  ? do_int80_syscall_32+0xa70/0xa70
> [  183.736745]  ? print_usage_bug+0xc0/0xc0
> [  183.737367]  ? trace_hardirqs_on_thunk+0x1a/0x1c
> [  183.737907]  ? trace_hardirqs_on_caller+0x421/0x5c0
> [  183.738459]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.739057]  ? call_rcu_sched+0x12/0x20
> [  183.739700]  ? syscall_return_slowpath+0x30f/0x5c0
> [  183.740220]  ? release_task.part.15+0xf70/0x1b90
> [  183.740882]  ? sysret32_from_system_call+0x5/0x3c
> [  183.741522]  ? __lock_acquire+0x7f5/0x5130
> [  183.742290]  ? trace_hardirqs_off_thunk+0x1a/0x1c
> [  183.742798]  ? rcu_is_watching+0x85/0x140
> [  183.743480]  entry_SYSENTER_compat+0x70/0x7f
> [  183.744099]  ? find_held_lock+0x36/0x1c0
> [  183.744769] RIP: 0023:0xf7f0ecb9
> [  183.745327]  ? debug_check_no_locks_freed+0x310/0x310
> [  183.745990] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296
> [  183.746525]  ? lock_downgrade+0x8e0/0x8e0
> [  183.747126]  ORIG_RAX: 000000000000016e
> [  183.747653]  ? find_held_lock+0x36/0x1c0
> [  183.748117] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
> [  183.748800]  ? print_usage_bug+0xc0/0xc0
> [  183.749530] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
> [  183.749538] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
> [  183.750087]  ? lock_downgrade+0x8e0/0x8e0
> [  183.750632] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> [  183.751152]  ? lock_downgrade+0x8e0/0x8e0
> [  183.752156] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [  183.752170] CPU: 3 PID: 5504 Comm: a.out Not tainted 4.16.0+ #4
> [  183.752693]  ? __lock_acquire+0x7f5/0x5130
> [  183.753653] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS 1.10.2-1 04/01/2014
> [  183.754595]  ? graph_lock+0x170/0x170
> [  183.755167] Call Trace:
> [  183.756102]  ? trace_hardirqs_on_caller+0x421/0x5c0
> [  183.756639]  dump_stack+0x1b9/0x29f
> [  183.757562]  ? debug_check_no_locks_freed+0x310/0x310
> [  183.758333]  ? arch_local_irq_restore+0x52/0x52
> [  183.758872]  ? find_held_lock+0x36/0x1c0
> [  183.759218] FAULT_INJECTION: forcing a failure.
> [  183.759218] name failslab, interval 1, probability 0, space 0, times 0
> [  183.759966]  ? __save_stack_trace+0x7e/0xd0
> [  183.760453]  ? lock_downgrade+0x8e0/0x8e0
> [  183.760788]  should_fail.cold.4+0xa/0x1a
> [  183.761427]  ? do_raw_spin_unlock+0x1f9/0x2e0
> [  183.761933]  ? fault_create_debugfs_attr+0x1f0/0x1f0
> [  183.762593]  ? do_raw_spin_trylock+0x1b0/0x1b0
> [  183.763216]  ? kasan_kmalloc+0xc4/0xe0
> [  183.763742]  ? _raw_spin_unlock_irqrestore+0x74/0xc0
> [  183.765288]  ? __kmalloc+0x14e/0x760
> [  183.765844]  ? trace_hardirqs_on_caller+0x421/0x5c0
> [  183.766423]  ? drbg_kcapi_seed+0x776/0x12e0
> [  183.766945]  ? trace_hardirqs_on+0xd/0x10
> [  183.767556]  ? crypto_rng_reset+0x7c/0x130
> [  183.768227]  ? graph_lock+0x170/0x170
> [  183.768845]  ? rng_setkey+0x25/0x30
> [  183.769368]  ? add_wait_queue+0x2a0/0x2a0
> [  183.770026]  ? alg_setsockopt+0x306/0x3b0
> [  183.770501]  ? kasan_check_write+0x14/0x20
> [  183.771198]  ? graph_lock+0x170/0x170
> [  183.771758]  ? do_raw_read_lock+0x3f/0x80
> [  183.772336]  ? entry_SYSENTER_compat+0x70/0x7f
> [  183.772887]  _do_fork+0x291/0x12a0
> [  183.773416]  ? find_held_lock+0x36/0x1c0
> [  183.773881]  ? fork_idle+0x1a0/0x1a0
> [  183.774458]  ? __lock_is_held+0xb5/0x140
> [  183.774989]  ? lock_release+0xa10/0xa10
> [  183.775581]  ? check_same_owner+0x320/0x320
> [  183.776070]  ? check_same_owner+0x320/0x320
> [  183.776650]  ? rcu_note_context_switch+0x710/0x710
> [  183.777234]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
> [  183.777725]  should_failslab+0x124/0x180
> [  183.778246]  ? put_pid.part.2+0x1bc/0x230
> [  183.778792]  __kmalloc+0x2c8/0x760
> [  183.779311]  ? __might_sleep+0x95/0x190
> [  183.779871]  ? graph_lock+0x170/0x170
> [  183.780426]  ? __might_fault+0x1a3/0x1e0
> [  183.781007]  ? drbg_kcapi_seed+0x882/0x12e0
> [  183.781643]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.782423]  drbg_kcapi_seed+0x882/0x12e0
> [  183.782942]  ? kernel_wait4+0x2d8/0x3d0
> [  183.783520]  ? drbg_seed+0x10a0/0x10a0
> [  183.783980]  ? SyS_waitid+0x40/0x40
> [  183.784539]  ? lock_downgrade+0x8e0/0x8e0
> [  183.785026]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.785596]  ? lock_acquire+0x1dc/0x520
> [  183.786146]  ? task_stopped_code+0x190/0x190
> [  183.786922]  ? lock_release+0xa10/0xa10
> [  183.787451]  compat_SyS_x86_clone+0x37/0x50
> [  183.788020]  ? check_same_owner+0x320/0x320
> [  183.788517]  ? compat_SyS_x86_fallocate+0x60/0x60
> [  183.789028]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
> [  183.789556]  do_fast_syscall_32+0x41f/0x10dc
> [  183.790334]  ? __check_object_size+0x95/0x5d9
> [  183.790841]  ? do_page_fault+0xee/0x8a7
> [  183.791460]  ? sock_kmalloc+0x14e/0x1d0
> [  183.791971]  ? do_int80_syscall_32+0xa70/0xa70
> [  183.792583]  ? mark_held_locks+0xc9/0x160
> [  183.793137]  ? trace_hardirqs_on_thunk+0x1a/0x1c
> [  183.793820]  ? __might_sleep+0x95/0x190
> [  183.794528]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.795147]  crypto_rng_reset+0x7c/0x130
> [  183.795737]  ? syscall_return_slowpath+0x30f/0x5c0
> [  183.796291]  rng_setkey+0x25/0x30
> [  183.796803]  ? sysret32_from_system_call+0x5/0x3c
> [  183.797442]  ? rng_sock_destruct+0x90/0x90
> [  183.797997]  ? trace_hardirqs_off_thunk+0x1a/0x1c
> [  183.798658]  alg_setsockopt+0x306/0x3b0
> [  183.799166]  entry_SYSENTER_compat+0x70/0x7f
> [  183.799971]  __compat_sys_setsockopt+0x315/0x7c0
> [  183.800486] RIP: 0023:0xf7f0ecb9
> [  183.801190]  ? __compat_sys_getsockopt+0x7f0/0x7f0
> [  183.801631] RSP: 002b:00000000ffeb1ec0 EFLAGS: 00000246
> [  183.802312]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.802850]  ORIG_RAX: 0000000000000078
> [  183.803534]  ? ksys_write+0x1a6/0x250
> [  183.804067] RAX: ffffffffffffffda RBX: 0000000001200011 RCX: 0000000000000000
> [  183.804693]  ? SyS_read+0x30/0x30
> [  183.805295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000009fbd8a8
> [  183.805768]  compat_SyS_setsockopt+0x34/0x50
> [  183.806404] RBP: 00000000ffeb1ef8 R08: 0000000000000000 R09: 0000000000000000
> [  183.807154]  ? scm_detach_fds_compat+0x440/0x440
> [  183.807861] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> [  183.808421]  do_fast_syscall_32+0x41f/0x10dc
> [  183.808900] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [  183.808905] Code:
> [  183.809928]  ? do_page_fault+0xee/0x8a7
> [  183.810365] 55
> [  183.811385]  ? do_int80_syscall_32+0xa70/0xa70
> [  183.811949] 48
> [  183.812992]  ? trace_hardirqs_on_thunk+0x1a/0x1c
> [  183.813590] 89
> [  183.814630]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.815191] e5
> [  183.816214]  ? syscall_return_slowpath+0x30f/0x5c0
> [  183.816487] 41
> [  183.817066]  ? sysret32_from_system_call+0x5/0x3c
> [  183.817313] 57
> [  183.817958]  ? trace_hardirqs_off_thunk+0x1a/0x1c
> [  183.818200] 49
> [  183.818869]  entry_SYSENTER_compat+0x70/0x7f
> [  183.819109] c7
> [  183.819894] RIP: 0023:0xf7f0ecb9
> [  183.820135] c7
> [  183.820821] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296
> [  183.821065] a0
> [  183.821738]  ORIG_RAX: 000000000000016e
> [  183.821984] 72
> [  183.822657] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
> [  183.822900] b1
> [  183.823513] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
> [  183.823760] 88
> [  183.824230] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
> [  183.824238] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> [  183.824492] 41
> [  183.825238] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [  183.825250] CPU: 0 PID: 5512 Comm: a.out Not tainted 4.16.0+ #4
> [  183.825490] 56
> [  183.826073] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS 1.10.2-1 04/01/2014
> [  183.826204] FAULT_INJECTION: forcing a failure.
> [  183.826204] name failslab, interval 1, probability 0, space 0, times 0
> [  183.826315] 41
> [  183.827333] Call Trace:
> [  183.827583] 55
> [  183.828608]  dump_stack+0x1b9/0x29f
> [  183.828844] 41
> [  183.829864]  ? arch_local_irq_restore+0x52/0x52
> [  183.830780] 54
> [  183.831054]  ? __save_stack_trace+0x7e/0xd0
> [  183.831979] 49
> [  183.832860]  should_fail.cold.4+0xa/0x1a
> [  183.833097] 89
> [  183.834277]  ? fault_create_debugfs_attr+0x1f0/0x1f0
> [  183.835690] f4
> [  183.835964]  ? kasan_kmalloc+0xc4/0xe0
> [  183.836300] 53
> [  183.836568]  ? __kmalloc+0x14e/0x760
> [  183.836577]  ? drbg_kcapi_seed+0x776/0x12e0
> [  183.837061] 48
> [  183.837329]  ? crypto_rng_reset+0x7c/0x130
> [  183.837338]  ? rng_setkey+0x25/0x30
> [  183.837931] 83
> [  183.838200]  ? alg_setsockopt+0x306/0x3b0
> [  183.838748] ec
> [  183.839015]  ? __compat_sys_setsockopt+0x315/0x7c0
> [  183.839026]  ? do_fast_syscall_32+0x41f/0x10dc
> [  183.839536] 10
> [  183.839814]  ? entry_SYSENTER_compat+0x70/0x7f
> [  183.840457] 48
> [  183.840728]  ? check_same_owner+0x320/0x320
> [  183.841224] 89
> [  183.841495]  ? kasan_check_write+0x14/0x20
> [  183.841969] 7d
> [  183.842572]  ? kasan_unpoison_shadow+0x35/0x50
> [  183.842811] c8
> [  183.843405]  ? lock_acquire+0x1dc/0x520
> [  183.843867] 4d
> [  183.844142]  ? fs_reclaim_acquire+0x20/0x20
> [  183.844665] 89
> [  183.844935]  ? lock_downgrade+0x8e0/0x8e0
> [  183.845555] e5
> [  183.846234]  ? lock_release+0xa10/0xa10
> [  183.846474] 4d
> [  183.847130]  ? drbg_init_sym_kernel+0x516/0x74a
> [  183.847139]  ? check_same_owner+0x320/0x320
> [  183.847380] 85
> [  183.847991]  ? rcu_note_context_switch+0x710/0x710
> [  183.848229] e4
> [  183.848824]  should_failslab+0x124/0x180
> [  183.849063] 0f
> [  183.849707]  __kmalloc+0x2c8/0x760
> [  183.849946] 84
> [  183.850505]  ? lock_acquire+0x1dc/0x520
> [  183.850744] c8
> [  183.851350]  ? __fget+0x3e3/0x650
> [  183.851593] 00
> [  183.852177]  ? drbg_kcapi_seed+0x882/0x12e0
> [  183.852416] 00
> [  183.852972]  drbg_kcapi_seed+0x882/0x12e0
> [  183.853213] 00
> [  183.853867]  ? drbg_seed+0x10a0/0x10a0
> [  183.854414] <49>
> [  183.854688]  ? lock_acquire+0x1dc/0x520
> [  183.855313] 63
> [  183.855591]  ? __might_fault+0x12b/0x1e0
> [  183.856105] 95
> [  183.856375]  ? lock_downgrade+0x8e0/0x8e0
> [  183.856821] fc
> [  183.857090]  ? lock_acquire+0x1dc/0x520
> [  183.857590] 00
> [  183.857858]  ? lock_release+0xa10/0xa10
> [  183.858319] 00
> [  183.858589]  ? check_same_owner+0x320/0x320
> [  183.859131] 00
> [  183.859401]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
> [  183.859928] 4c
> [  183.860200]  ? __check_object_size+0x95/0x5d9
> [  183.860689] 8b
> [  183.860983]  ? sock_kmalloc+0x14e/0x1d0
> [  183.861482] 30
> [  183.861748]  ? do_raw_spin_unlock+0x1f9/0x2e0
> [  183.861758]  ? __might_sleep+0x95/0x190
> [  183.862269] 48
> [  183.862539]  crypto_rng_reset+0x7c/0x130
> [  183.863079] 29
> [  183.863348]  rng_setkey+0x25/0x30
> [  183.863878] d0
> [  183.864150]  ? rng_sock_destruct+0x90/0x90
> [  183.864654] 49
> [  183.864924]  alg_setsockopt+0x306/0x3b0
> [  183.865488] 83
> [  183.865758]  __compat_sys_setsockopt+0x315/0x7c0
> [  183.866488] 3f
> [  183.866758]  ? __compat_sys_getsockopt+0x7f0/0x7f0
> [  183.867324] 00
> [  183.867598]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.868098] 48
> [  183.868369]  ? ksys_write+0x1a6/0x250
> [  183.868941] 89
> [  183.869500]  ? SyS_read+0x30/0x30
> [  183.869740] c6
> [  183.870312]  compat_SyS_setsockopt+0x34/0x50
> [  183.870551] 0f
> [  183.871043]  ? scm_detach_fds_compat+0x440/0x440
> [  183.871289] RIP: qlist_free_all+0x37/0x160 RSP: ffff880062de7050
> [  183.871893]  do_fast_syscall_32+0x41f/0x10dc
> [  183.872134] CR2: 0000000000000106
> [  183.872695]  ? do_page_fault+0xee/0x8a7
> [  183.872988] ---[ end trace 0fa4e77a7b3c174f ]---
> [  183.873604]  ? do_int80_syscall_32+0xa70/0xa70
> [  183.873611]  ? trace_hardirqs_on_thunk+0x1a/0x1c
> [  183.873622]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
> [  183.873871] Kernel panic - not syncing: Fatal exception
> [  183.874560]  ? syscall_return_slowpath+0x30f/0x5c0
> [  183.885552]  ? prepare_exit_to_usermode+0x390/0x390
> [  183.886255]  ? prepare_exit_to_usermode+0x285/0x390
> [  183.886953]  ? perf_trace_sys_enter+0xaf0/0xaf0
> [  183.887609]  ? trace_hardirqs_off_thunk+0x1a/0x1c
> [  183.888289]  entry_SYSENTER_compat+0x70/0x7f
> [  183.888906] RIP: 0023:0xf7f0ecb9
> [  183.889376] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296 ORIG_RAX:
> 000000000000016e
> [  183.890447] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
> [  183.891452] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
> [  183.892463] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
> [  183.893471] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> [  183.894481] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [  183.895514] Kernel Offset: disabled
> [  183.896034] Rebooting in 86400 seconds..

Re: [PATCH] crypto: DRBG - guard uninstantion by lock

[Stephan Mueller]

Am Dienstag, 10. April 2018, 17:23:46 CEST schrieb Dmitry Vyukov:

Hi Dmitry,

> Stephan,
> 
> Do you have any hypothesis as to why this is not detected by KASAN and
> causes silent corruptions?
> We generally try to understand such cases and improve KASAN so that it
> catches such cases more reliably and they do not cause splashes of
> random crashes on syzbot.

I do not have any hypothesis at this point. I know that you induce some fault. 
As you mentioned the drbg_kcapi_seed function, I was looking through the error 
code paths to see whether some error handlers trip over each other. But all is 
guesswork so far. And I am not even sure whether the bug is in the DRBG code 
base.

Looking into the trace you sent, I see a NULL pointer dereference. At one 
point there is also the drbg_init_hash_kernel that is called. But nowhere I 
see any smoking gun.

Could you please give me a description of the fault you are inducing?

Ciao
Stephan

Re: [PATCH] crypto: DRBG - guard uninstantion by lock

[Dmitry Vyukov]

On Tue, Apr 10, 2018 at 5:35 PM, Stephan Mueller <smueller@chronox.de> wrote:
> Am Dienstag, 10. April 2018, 17:23:46 CEST schrieb Dmitry Vyukov:
>
> Hi Dmitry,
>
>> Stephan,
>>
>> Do you have any hypothesis as to why this is not detected by KASAN and
>> causes silent corruptions?
>> We generally try to understand such cases and improve KASAN so that it
>> catches such cases more reliably and they do not cause splashes of
>> random crashes on syzbot.
>
> I do not have any hypothesis at this point. I know that you induce some fault.
> As you mentioned the drbg_kcapi_seed function, I was looking through the error
> code paths to see whether some error handlers trip over each other. But all is
> guesswork so far. And I am not even sure whether the bug is in the DRBG code
> base.
>
> Looking into the trace you sent, I see a NULL pointer dereference. At one
> point there is also the drbg_init_hash_kernel that is called. But nowhere I
> see any smoking gun.
>
> Could you please give me a description of the fault you are inducing?

Hi Stephan,

What do you mean by description of the fault?
It's kernel standard FAULT_INJECTION facility, it injects faults
mainly into kmalloc/slab_alloc (also in a bunch of other things, but
in this case this seems to be kmalloc). In the repro you can see that
it's injecting a fault into 8-th malloc in the setsockopt syscall.

I wonder why you can't reproduce it. I can trigger it reliably in a
qemu. Let's try this:
I have upstream kernel on b284d4d5a6785f8cd07eda2646a95782373cd01e.
Here is my config:
https://gist.githubusercontent.com/dvyukov/f843ea09bc5b9439a820c8e809a5501d/raw/ad330e9b6b710f57f63b61590747b48230e5cb61/gistfile1.txt
Here is the compiler:
https://storage.googleapis.com/syzkaller/gcc-8.0.1-20180301.tar.gz
Build as: make -jN CC=that/gcc/bin/gcc
Then I start qemu as:

qemu-system-x86_64 -hda wheezy.img -net
user,host=10.0.2.10,hostfwd=tcp::10022-:22 -net nic -nographic -kernel
arch/x86/boot/bzImage -append "kvm-intel.nested=1
kvm-intel.unrestricted_guest=1 kvm-intel.ept=1
kvm-intel.flexpriority=1 kvm-intel.vpid=1
kvm-intel.emulate_invalid_guest_state=1 kvm-intel.eptad=1
kvm-intel.enable_shadow_vmcs=1 kvm-intel.pml=1
kvm-intel.enable_apicv=1 console=ttyS0 root=/dev/sda
earlyprintk=serial slub_debug=UZ vsyscall=native rodata=n oops=panic
panic_on_warn=1 panic=86400" -enable-kvm -pidfile vm_pid -m 2G -smp 4
-cpu host

You can find the wheezy.img and ssh key for it here:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#crash-does-not-reproduce

Then I compile this program:
https://gist.githubusercontent.com/dvyukov/1dd75d55efd238e7207af1cc38478b3a/raw/403859b56b161a6fbb158e8953fac5bb6e73b1a1/gistfile1.txt
as: gcc prog.c -static -m32

Run in the qemu and within a minute it gives me the crash.

Re: [PATCH] crypto: DRBG - guard uninstantion by lock

[Stephan Mueller]

Am Mittwoch, 11. April 2018, 14:29:45 CEST schrieb Dmitry Vyukov:

Hi Dmitry,
> 
> What do you mean by description of the fault?
> It's kernel standard FAULT_INJECTION facility, it injects faults
> mainly into kmalloc/slab_alloc (also in a bunch of other things, but
> in this case this seems to be kmalloc). In the repro you can see that
> it's injecting a fault into 8-th malloc in the setsockopt syscall.

I am now able to reproduce it.

I think I have a smoking gun, but let me test it first.

Ciao
Stephan

Re: [PATCH] crypto: DRBG - guard uninstantion by lock

[Stephan Müller]

Hi Dimitry,

This fix prevents the kernel from crashing when injecting the fault. 
Stack traces are yet shown but I guess that is expected every time
a fault is injected.

As to why KASAN did not notice this one, I am not sure. Maybe it is
because I use two buffer pointers to point to (almost) the same memory
(one that is aligned and one pointing to the complete buffer)?

---8<---

During freeing of the internal buffers used by the DRBG, set the pointer
to NULL. It is possible that the context with the freed buffers is
reused. In case of an error during initialization where the pointers
do not yet point to allocated memory, the NULL value prevents a double
free.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
---
 crypto/drbg.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index 4faa2781c964..466a112a4446 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg)
 	if (!drbg)
 		return;
 	kzfree(drbg->Vbuf);
+	drbg->Vbuf = NULL;
 	drbg->V = NULL;
 	kzfree(drbg->Cbuf);
+	drbg->Cbuf = NULL;
 	drbg->C = NULL;
 	kzfree(drbg->scratchpadbuf);
 	drbg->scratchpadbuf = NULL;
-- 
2.14.3

[PATCH] crypto: drbg - set freed buffers to NULL

[Stephan Müller]

Sorry, this time with the proper subject line.

---8<---

During freeing of the internal buffers used by the DRBG, set the pointer
to NULL. It is possible that the context with the freed buffers is
reused. In case of an error during initialization where the pointers
do not yet point to allocated memory, the NULL value prevents a double
free.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
---
 crypto/drbg.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index 4faa2781c964..466a112a4446 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg)
 	if (!drbg)
 		return;
 	kzfree(drbg->Vbuf);
+	drbg->Vbuf = NULL;
 	drbg->V = NULL;
 	kzfree(drbg->Cbuf);
+	drbg->Cbuf = NULL;
 	drbg->C = NULL;
 	kzfree(drbg->scratchpadbuf);
 	drbg->scratchpadbuf = NULL;
-- 
2.14.3

Re: [PATCH] crypto: DRBG - guard uninstantion by lock

[Dmitry Vyukov]

On Wed, Apr 11, 2018 at 4:26 PM, Stephan Müller <smueller@chronox.de> wrote:
> Hi Dimitry,
>
> This fix prevents the kernel from crashing when injecting the fault.

Good!

> Stack traces are yet shown but I guess that is expected every time
> a fault is injected.

Yes, nothing to fix here.

> As to why KASAN did not notice this one, I am not sure. Maybe it is
> because I use two buffer pointers to point to (almost) the same memory
> (one that is aligned and one pointing to the complete buffer)?

After looking at the fix, I figured out what happened with KASAN.
Filed https://bugzilla.kernel.org/show_bug.cgi?id=199359. In short,
tricky interplay between kzfree, ksize and double-free detection.
If KASAN worked as intended it would give a nice "double-free in this
stack for object allocated in this stack and previously freed in this
stack", which would probably make debugging much simpler.


> ---8<---
>
> During freeing of the internal buffers used by the DRBG, set the pointer
> to NULL. It is possible that the context with the freed buffers is
> reused. In case of an error during initialization where the pointers
> do not yet point to allocated memory, the NULL value prevents a double
> free.
>
> Signed-off-by: Stephan Mueller <smueller@chronox.de>
> Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
> ---
>  crypto/drbg.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/crypto/drbg.c b/crypto/drbg.c
> index 4faa2781c964..466a112a4446 100644
> --- a/crypto/drbg.c
> +++ b/crypto/drbg.c
> @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg)
>         if (!drbg)
>                 return;
>         kzfree(drbg->Vbuf);
> +       drbg->Vbuf = NULL;
>         drbg->V = NULL;
>         kzfree(drbg->Cbuf);
> +       drbg->Cbuf = NULL;
>         drbg->C = NULL;
>         kzfree(drbg->scratchpadbuf);
>         drbg->scratchpadbuf = NULL;
> --
> 2.14.3
>
>
>
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/2186798.qrgUIDAn9S%40positron.chronox.de.
> For more options, visit https://groups.google.com/d/optout.

Re: [PATCH] crypto: drbg - set freed buffers to NULL

[Eric Biggers]

On Wed, Apr 11, 2018 at 04:31:01PM +0200, Stephan Müller wrote:
> Sorry, this time with the proper subject line.
> 
> ---8<---
> 
> During freeing of the internal buffers used by the DRBG, set the pointer
> to NULL. It is possible that the context with the freed buffers is
> reused. In case of an error during initialization where the pointers
> do not yet point to allocated memory, the NULL value prevents a double
> free.
> 
> Signed-off-by: Stephan Mueller <smueller@chronox.de>
> Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
> ---
>  crypto/drbg.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/crypto/drbg.c b/crypto/drbg.c
> index 4faa2781c964..466a112a4446 100644
> --- a/crypto/drbg.c
> +++ b/crypto/drbg.c
> @@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg)
>  	if (!drbg)
>  		return;
>  	kzfree(drbg->Vbuf);
> +	drbg->Vbuf = NULL;
>  	drbg->V = NULL;
>  	kzfree(drbg->Cbuf);
> +	drbg->Cbuf = NULL;
>  	drbg->C = NULL;
>  	kzfree(drbg->scratchpadbuf);
>  	drbg->scratchpadbuf = NULL;

Can you please add Fixes and Cc stable?

- Eric

[PATCH] crypto: drbg - set freed buffers to NULL

[Stephan Müller]

Add the Fixes, CC stable tags.

---8<---

During freeing of the internal buffers used by the DRBG, set the pointer
to NULL. It is possible that the context with the freed buffers is
reused. In case of an error during initialization where the pointers
do not yet point to allocated memory, the NULL value prevents a double
free.

Cc: stable@vger.kernel.org
Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers")
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com
---
 crypto/drbg.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index 4faa2781c964..466a112a4446 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg)
 	if (!drbg)
 		return;
 	kzfree(drbg->Vbuf);
+	drbg->Vbuf = NULL;
 	drbg->V = NULL;
 	kzfree(drbg->Cbuf);
+	drbg->Cbuf = NULL;
 	drbg->C = NULL;
 	kzfree(drbg->scratchpadbuf);
 	drbg->scratchpadbuf = NULL;
-- 
2.14.3

Re: [PATCH] crypto: drbg - set freed buffers to NULL

[Herbert Xu]

On Thu, Apr 12, 2018 at 08:40:55AM +0200, Stephan Müller wrote:
> Add the Fixes, CC stable tags.
> 
> ---8<---
> 
> During freeing of the internal buffers used by the DRBG, set the pointer
> to NULL. It is possible that the context with the freed buffers is
> reused. In case of an error during initialization where the pointers
> do not yet point to allocated memory, the NULL value prevents a double
> free.
> 
> Cc: stable@vger.kernel.org
> Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers")
> Signed-off-by: Stephan Mueller <smueller@chronox.de>
> Reported-by: syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt