Re: KASAN: use-after-free Read in l2tp_session_create

Re: KASAN: use-after-free Read in l2tp_session_create

[Dmitry Vyukov]

On Tue, Jan 16, 2018 at 7:29 PM, syzbot
<syzbot+065d0fc357520c8f6039@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzkaller hit the following crash on
> a8750ddca918032d6349adbf9a4b6555e7db20da
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> Unfortunately, I don't have any reproducer for this bug yet.
>
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+065d0fc357520c8f6039@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.


James,

Did you fix this? You asked syzbot to test a fix for this bug some time ago.
If yes, did you include the Reported-by tag in the commit? This bug is
still considered open by syzbot. But it stopped happening ~4 months
ago:
https://syzkaller.appspot.com/bug?id=6fed0854381422329e78d7e16fb9cf4af8c9aef1
We are also seeing these crashes in 4.4 and 4.9, it would be good to
backport the fix.

Thanks


> ==================================================================
> BUG: KASAN: use-after-free in l2tp_session_create+0xa6d/0xc60
> net/l2tp/l2tp_core.c:1757
> Read of size 4 at addr ffff8801d80ad868 by task syz-executor3/5462
>
> CPU: 0 PID: 5462 Comm: syz-executor3 Not tainted 4.15.0-rc8+ #263
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:17 [inline]
>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>  print_address_description+0x73/0x250 mm/kasan/report.c:252
>  kasan_report_error mm/kasan/report.c:351 [inline]
>  kasan_report+0x25b/0x340 mm/kasan/report.c:409
>  __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
>  l2tp_session_create+0xa6d/0xc60 net/l2tp/l2tp_core.c:1757
>  pppol2tp_connect+0xed7/0x1dd0 net/l2tp/l2tp_ppp.c:748
>  SYSC_connect+0x213/0x4a0 net/socket.c:1621
>  SyS_connect+0x24/0x30 net/socket.c:1602
>  entry_SYSCALL_64_fastpath+0x29/0xa0
> RIP: 0033:0x452df9
> RSP: 002b:00007f93ec47fc58 EFLAGS: 00000212 ORIG_RAX: 000000000000002a
> RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452df9
> RDX: 000000000000002e RSI: 00000000205fafd2 RDI: 0000000000000018
> RBP: 00000000000005a9 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f6878
> R13: 00000000ffffffff R14: 00007f93ec4806d4 R15: 0000000000000000
>
> Allocated by task 5462:
>  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>  set_track mm/kasan/kasan.c:459 [inline]
>  kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
>  kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3610
>  kmalloc include/linux/slab.h:499 [inline]
>  kzalloc include/linux/slab.h:688 [inline]
>  l2tp_tunnel_create+0x5e1/0x17f0 net/l2tp/l2tp_core.c:1554
>  pppol2tp_connect+0x14b7/0x1dd0 net/l2tp/l2tp_ppp.c:707
>  SYSC_connect+0x213/0x4a0 net/socket.c:1621
>  SyS_connect+0x24/0x30 net/socket.c:1602
>  entry_SYSCALL_64_fastpath+0x29/0xa0
>
> Freed by task 5484:
>  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>  set_track mm/kasan/kasan.c:459 [inline]
>  kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
>  __cache_free mm/slab.c:3488 [inline]
>  kfree+0xd6/0x260 mm/slab.c:3803
>  __rcu_reclaim kernel/rcu/rcu.h:190 [inline]
>  rcu_do_batch kernel/rcu/tree.c:2758 [inline]
>  invoke_rcu_callbacks kernel/rcu/tree.c:3012 [inline]
>  __rcu_process_callbacks kernel/rcu/tree.c:2979 [inline]
>  rcu_process_callbacks+0xe94/0x17f0 kernel/rcu/tree.c:2996
>  __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
>
> The buggy address belongs to the object at ffff8801d80ad780
>  which belongs to the cache kmalloc-512 of size 512
> The buggy address is located 232 bytes inside of
>  512-byte region [ffff8801d80ad780, ffff8801d80ad980)
> The buggy address belongs to the page:
> page:ffffea0007602b40 count:1 mapcount:0 mapping:ffff8801d80ad000 index:0x0
> flags: 0x2fffc0000000100(slab)
> raw: 02fffc0000000100 ffff8801d80ad000 0000000000000000 0000000100000006
> raw: ffffea00070e8760 ffffea00070f8ca0 ffff8801dac00940 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>  ffff8801d80ad700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff8801d80ad780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>
>> ffff8801d80ad800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>
>                                                           ^
>  ffff8801d80ad880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff8801d80ad900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
>
> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report.
> If you forgot to add the Reported-by tag, once the fix for this bug is
> merged
> into any tree, please reply to this email with:
> #syz fix: exact-commit-title
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug
> report.
> Note: all commands must start from beginning of the line in the email body.
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/001a11405130a984300562e8e7b3%40google.com.
> For more options, visit https://groups.google.com/d/optout.

Re: KASAN: use-after-free Read in l2tp_session_create

[James Chapman]

On 18/07/18 12:00, Dmitry Vyukov wrote:
> On Tue, Jan 16, 2018 at 7:29 PM, syzbot
> <syzbot+065d0fc357520c8f6039@syzkaller.appspotmail.com> wrote:
>> Hello,
>>
>> syzkaller hit the following crash on
>> a8750ddca918032d6349adbf9a4b6555e7db20da
>> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached
>> Raw console output is attached.
>> Unfortunately, I don't have any reproducer for this bug yet.
>>
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+065d0fc357520c8f6039@syzkaller.appspotmail.com
>> It will help syzbot understand when the bug is fixed. See footer for
>> details.
>> If you forward the report, please keep this part and the footer.
>
> James,
>
> Did you fix this? You asked syzbot to test a fix for this bug some time ago.
> If yes, did you include the Reported-by tag in the commit? This bug is
> still considered open by syzbot. But it stopped happening ~4 months
> ago:

Yes, I think this has been fixed now. I think it was fixed by
Guillaume's 6b9f34239b00e6956a267abed2bc559ede556ad6 that was actually
to fix another syzbot bug fbeeb5c3b538e8545644 which looks similar to
this one.

> https://syzkaller.appspot.com/bug?id=6fed0854381422329e78d7e16fb9cf4af8c9aef1
> We are also seeing these crashes in 4.4 and 4.9, it would be good to
> backport the fix.

It looks like 6b9f34239b00e6956a267abed2bc559ede556ad6 hasn't made it to
4.9 or 4.4.


>
> Thanks
>
>
>> ==================================================================
>> BUG: KASAN: use-after-free in l2tp_session_create+0xa6d/0xc60
>> net/l2tp/l2tp_core.c:1757
>> Read of size 4 at addr ffff8801d80ad868 by task syz-executor3/5462
>>
>> CPU: 0 PID: 5462 Comm: syz-executor3 Not tainted 4.15.0-rc8+ #263
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> Google 01/01/2011
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:17 [inline]
>>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>>  print_address_description+0x73/0x250 mm/kasan/report.c:252
>>  kasan_report_error mm/kasan/report.c:351 [inline]
>>  kasan_report+0x25b/0x340 mm/kasan/report.c:409
>>  __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
>>  l2tp_session_create+0xa6d/0xc60 net/l2tp/l2tp_core.c:1757
>>  pppol2tp_connect+0xed7/0x1dd0 net/l2tp/l2tp_ppp.c:748
>>  SYSC_connect+0x213/0x4a0 net/socket.c:1621
>>  SyS_connect+0x24/0x30 net/socket.c:1602
>>  entry_SYSCALL_64_fastpath+0x29/0xa0
>> RIP: 0033:0x452df9
>> RSP: 002b:00007f93ec47fc58 EFLAGS: 00000212 ORIG_RAX: 000000000000002a
>> RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452df9
>> RDX: 000000000000002e RSI: 00000000205fafd2 RDI: 0000000000000018
>> RBP: 00000000000005a9 R08: 0000000000000000 R09: 0000000000000000
>> R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f6878
>> R13: 00000000ffffffff R14: 00007f93ec4806d4 R15: 0000000000000000
>>
>> Allocated by task 5462:
>>  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>>  set_track mm/kasan/kasan.c:459 [inline]
>>  kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
>>  kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3610
>>  kmalloc include/linux/slab.h:499 [inline]
>>  kzalloc include/linux/slab.h:688 [inline]
>>  l2tp_tunnel_create+0x5e1/0x17f0 net/l2tp/l2tp_core.c:1554
>>  pppol2tp_connect+0x14b7/0x1dd0 net/l2tp/l2tp_ppp.c:707
>>  SYSC_connect+0x213/0x4a0 net/socket.c:1621
>>  SyS_connect+0x24/0x30 net/socket.c:1602
>>  entry_SYSCALL_64_fastpath+0x29/0xa0
>>
>> Freed by task 5484:
>>  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>>  set_track mm/kasan/kasan.c:459 [inline]
>>  kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
>>  __cache_free mm/slab.c:3488 [inline]
>>  kfree+0xd6/0x260 mm/slab.c:3803
>>  __rcu_reclaim kernel/rcu/rcu.h:190 [inline]
>>  rcu_do_batch kernel/rcu/tree.c:2758 [inline]
>>  invoke_rcu_callbacks kernel/rcu/tree.c:3012 [inline]
>>  __rcu_process_callbacks kernel/rcu/tree.c:2979 [inline]
>>  rcu_process_callbacks+0xe94/0x17f0 kernel/rcu/tree.c:2996
>>  __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
>>
>> The buggy address belongs to the object at ffff8801d80ad780
>>  which belongs to the cache kmalloc-512 of size 512
>> The buggy address is located 232 bytes inside of
>>  512-byte region [ffff8801d80ad780, ffff8801d80ad980)
>> The buggy address belongs to the page:
>> page:ffffea0007602b40 count:1 mapcount:0 mapping:ffff8801d80ad000 index:0x0
>> flags: 0x2fffc0000000100(slab)
>> raw: 02fffc0000000100 ffff8801d80ad000 0000000000000000 0000000100000006
>> raw: ffffea00070e8760 ffffea00070f8ca0 ffff8801dac00940 0000000000000000
>> page dumped because: kasan: bad access detected
>>
>> Memory state around the buggy address:
>>  ffff8801d80ad700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>  ffff8801d80ad780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> ffff8801d80ad800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>                                                           ^
>>  ffff8801d80ad880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>  ffff8801d80ad900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ==================================================================
>>
>>
>> ---
>> This bug is generated by a dumb bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for details.
>> Direct all questions to syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this bug report.
>> If you forgot to add the Reported-by tag, once the fix for this bug is
>> merged
>> into any tree, please reply to this email with:
>> #syz fix: exact-commit-title
>> To mark this as a duplicate of another syzbot report, please reply with:
>> #syz dup: exact-subject-of-another-report
>> If it's a one-off invalid bug report, please reply with:
>> #syz invalid
>> Note: if the crash happens again, it will cause creation of a new bug
>> report.
>> Note: all commands must start from beginning of the line in the email body.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "syzkaller-bugs" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to syzkaller-bugs+unsubscribe@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/syzkaller-bugs/001a11405130a984300562e8e7b3%40google.com.
>> For more options, visit https://groups.google.com/d/optout.

Re: KASAN: use-after-free Read in l2tp_session_create

[Dmitry Vyukov]

On Fri, Jul 20, 2018 at 9:53 AM, James Chapman <jchapman@katalix.com> wrote:
> On 18/07/18 12:00, Dmitry Vyukov wrote:
>> On Tue, Jan 16, 2018 at 7:29 PM, syzbot
>> <syzbot+065d0fc357520c8f6039@syzkaller.appspotmail.com> wrote:
>>> Hello,
>>>
>>> syzkaller hit the following crash on
>>> a8750ddca918032d6349adbf9a4b6555e7db20da
>>> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
>>> compiler: gcc (GCC) 7.1.1 20170620
>>> .config is attached
>>> Raw console output is attached.
>>> Unfortunately, I don't have any reproducer for this bug yet.
>>>
>>>
>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>> Reported-by: syzbot+065d0fc357520c8f6039@syzkaller.appspotmail.com
>>> It will help syzbot understand when the bug is fixed. See footer for
>>> details.
>>> If you forward the report, please keep this part and the footer.
>>
>> James,
>>
>> Did you fix this? You asked syzbot to test a fix for this bug some time ago.
>> If yes, did you include the Reported-by tag in the commit? This bug is
>> still considered open by syzbot. But it stopped happening ~4 months
>> ago:
>
> Yes, I think this has been fixed now. I think it was fixed by
> Guillaume's 6b9f34239b00e6956a267abed2bc559ede556ad6 that was actually
> to fix another syzbot bug fbeeb5c3b538e8545644 which looks similar to
> this one.
>
>> https://syzkaller.appspot.com/bug?id=6fed0854381422329e78d7e16fb9cf4af8c9aef1
>> We are also seeing these crashes in 4.4 and 4.9, it would be good to
>> backport the fix.
>
> It looks like 6b9f34239b00e6956a267abed2bc559ede556ad6 hasn't made it to
> 4.9 or 4.4.

Thanks for the update!

Let's tell syzbot that this is fixed:

#syz fix: l2tp: fix races in tunnel creation

Greg H: so this is probably the patch we need.

+Greg KH: I think we need this in stable, we hit this in both 4.4 and 4.9.


>>> ==================================================================
>>> BUG: KASAN: use-after-free in l2tp_session_create+0xa6d/0xc60
>>> net/l2tp/l2tp_core.c:1757
>>> Read of size 4 at addr ffff8801d80ad868 by task syz-executor3/5462
>>>
>>> CPU: 0 PID: 5462 Comm: syz-executor3 Not tainted 4.15.0-rc8+ #263
>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>> Google 01/01/2011
>>> Call Trace:
>>>  __dump_stack lib/dump_stack.c:17 [inline]
>>>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>>>  print_address_description+0x73/0x250 mm/kasan/report.c:252
>>>  kasan_report_error mm/kasan/report.c:351 [inline]
>>>  kasan_report+0x25b/0x340 mm/kasan/report.c:409
>>>  __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
>>>  l2tp_session_create+0xa6d/0xc60 net/l2tp/l2tp_core.c:1757
>>>  pppol2tp_connect+0xed7/0x1dd0 net/l2tp/l2tp_ppp.c:748
>>>  SYSC_connect+0x213/0x4a0 net/socket.c:1621
>>>  SyS_connect+0x24/0x30 net/socket.c:1602
>>>  entry_SYSCALL_64_fastpath+0x29/0xa0
>>> RIP: 0033:0x452df9
>>> RSP: 002b:00007f93ec47fc58 EFLAGS: 00000212 ORIG_RAX: 000000000000002a
>>> RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452df9
>>> RDX: 000000000000002e RSI: 00000000205fafd2 RDI: 0000000000000018
>>> RBP: 00000000000005a9 R08: 0000000000000000 R09: 0000000000000000
>>> R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f6878
>>> R13: 00000000ffffffff R14: 00007f93ec4806d4 R15: 0000000000000000
>>>
>>> Allocated by task 5462:
>>>  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>>>  set_track mm/kasan/kasan.c:459 [inline]
>>>  kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
>>>  kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3610
>>>  kmalloc include/linux/slab.h:499 [inline]
>>>  kzalloc include/linux/slab.h:688 [inline]
>>>  l2tp_tunnel_create+0x5e1/0x17f0 net/l2tp/l2tp_core.c:1554
>>>  pppol2tp_connect+0x14b7/0x1dd0 net/l2tp/l2tp_ppp.c:707
>>>  SYSC_connect+0x213/0x4a0 net/socket.c:1621
>>>  SyS_connect+0x24/0x30 net/socket.c:1602
>>>  entry_SYSCALL_64_fastpath+0x29/0xa0
>>>
>>> Freed by task 5484:
>>>  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>>>  set_track mm/kasan/kasan.c:459 [inline]
>>>  kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
>>>  __cache_free mm/slab.c:3488 [inline]
>>>  kfree+0xd6/0x260 mm/slab.c:3803
>>>  __rcu_reclaim kernel/rcu/rcu.h:190 [inline]
>>>  rcu_do_batch kernel/rcu/tree.c:2758 [inline]
>>>  invoke_rcu_callbacks kernel/rcu/tree.c:3012 [inline]
>>>  __rcu_process_callbacks kernel/rcu/tree.c:2979 [inline]
>>>  rcu_process_callbacks+0xe94/0x17f0 kernel/rcu/tree.c:2996
>>>  __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
>>>
>>> The buggy address belongs to the object at ffff8801d80ad780
>>>  which belongs to the cache kmalloc-512 of size 512
>>> The buggy address is located 232 bytes inside of
>>>  512-byte region [ffff8801d80ad780, ffff8801d80ad980)
>>> The buggy address belongs to the page:
>>> page:ffffea0007602b40 count:1 mapcount:0 mapping:ffff8801d80ad000 index:0x0
>>> flags: 0x2fffc0000000100(slab)
>>> raw: 02fffc0000000100 ffff8801d80ad000 0000000000000000 0000000100000006
>>> raw: ffffea00070e8760 ffffea00070f8ca0 ffff8801dac00940 0000000000000000
>>> page dumped because: kasan: bad access detected
>>>
>>> Memory state around the buggy address:
>>>  ffff8801d80ad700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>>  ffff8801d80ad780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>>> ffff8801d80ad800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>>                                                           ^
>>>  ffff8801d80ad880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>>  ffff8801d80ad900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> ==================================================================
>>>
>>>
>>> ---
>>> This bug is generated by a dumb bot. It may contain errors.
>>> See https://goo.gl/tpsmEJ for details.
>>> Direct all questions to syzkaller@googlegroups.com.
>>>
>>> syzbot will keep track of this bug report.
>>> If you forgot to add the Reported-by tag, once the fix for this bug is
>>> merged
>>> into any tree, please reply to this email with:
>>> #syz fix: exact-commit-title
>>> To mark this as a duplicate of another syzbot report, please reply with:
>>> #syz dup: exact-subject-of-another-report
>>> If it's a one-off invalid bug report, please reply with:
>>> #syz invalid
>>> Note: if the crash happens again, it will cause creation of a new bug
>>> report.
>>> Note: all commands must start from beginning of the line in the email body.
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups
>>> "syzkaller-bugs" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to syzkaller-bugs+unsubscribe@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/syzkaller-bugs/001a11405130a984300562e8e7b3%40google.com.
>>> For more options, visit https://groups.google.com/d/optout.
>
>

Re: KASAN: use-after-free Read in l2tp_session_create

[Greg Kroah-Hartman]

On Fri, Jul 20, 2018 at 10:00:34AM +0200, Dmitry Vyukov wrote:
> On Fri, Jul 20, 2018 at 9:53 AM, James Chapman <jchapman@katalix.com> wrote:
> > On 18/07/18 12:00, Dmitry Vyukov wrote:
> >> On Tue, Jan 16, 2018 at 7:29 PM, syzbot
> >> <syzbot+065d0fc357520c8f6039@syzkaller.appspotmail.com> wrote:
> >>> Hello,
> >>>
> >>> syzkaller hit the following crash on
> >>> a8750ddca918032d6349adbf9a4b6555e7db20da
> >>> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> >>> compiler: gcc (GCC) 7.1.1 20170620
> >>> .config is attached
> >>> Raw console output is attached.
> >>> Unfortunately, I don't have any reproducer for this bug yet.
> >>>
> >>>
> >>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >>> Reported-by: syzbot+065d0fc357520c8f6039@syzkaller.appspotmail.com
> >>> It will help syzbot understand when the bug is fixed. See footer for
> >>> details.
> >>> If you forward the report, please keep this part and the footer.
> >>
> >> James,
> >>
> >> Did you fix this? You asked syzbot to test a fix for this bug some time ago.
> >> If yes, did you include the Reported-by tag in the commit? This bug is
> >> still considered open by syzbot. But it stopped happening ~4 months
> >> ago:
> >
> > Yes, I think this has been fixed now. I think it was fixed by
> > Guillaume's 6b9f34239b00e6956a267abed2bc559ede556ad6 that was actually
> > to fix another syzbot bug fbeeb5c3b538e8545644 which looks similar to
> > this one.
> >
> >> https://syzkaller.appspot.com/bug?id=6fed0854381422329e78d7e16fb9cf4af8c9aef1
> >> We are also seeing these crashes in 4.4 and 4.9, it would be good to
> >> backport the fix.
> >
> > It looks like 6b9f34239b00e6956a267abed2bc559ede556ad6 hasn't made it to
> > 4.9 or 4.4.
> 
> Thanks for the update!
> 
> Let's tell syzbot that this is fixed:
> 
> #syz fix: l2tp: fix races in tunnel creation
> 
> Greg H: so this is probably the patch we need.
> 
> +Greg KH: I think we need this in stable, we hit this in both 4.4 and 4.9.

It's also needed in 4.14.y.  But it doesn't apply to any of those kernel
trees cleanly, can someone please provide a working backport?

thanks,

greg k-h