linux-kernel.vger.kernel.org archive mirror
* Reminder: 3 open syzbot bugs in vhost subsystem
From: Eric Biggers @ 2019-07-24  2:38 UTC
  To: kvm, virtualization, netdev, Michael S. Tsirkin, Jason Wang
  Cc: linux-kernel, syzkaller-bugs

[This email was generated by a script.  Let me know if you have any suggestions
to make it better, or if you want it re-generated with the latest status.]

Of the currently open syzbot reports against the upstream kernel, I've manually
marked 3 of them as possibly being bugs in the vhost subsystem.  I've listed
these reports below, sorted by an algorithm that tries to list first the reports
most likely to be still valid, important, and actionable.

Of these 3 bugs, 2 were seen in mainline in the last week.

Of these 3 bugs, 2 were bisected to commits from the following person:

	Jason Wang <jasowang@redhat.com>

If you believe a bug is no longer valid, please close the syzbot report by
sending a '#syz fix', '#syz dup', or '#syz invalid' command in reply to the
original thread, as explained at https://goo.gl/tpsmEJ#status

If you believe I misattributed a bug to the vhost subsystem, please let me know,
and if possible forward the report to the correct people or mailing list.

Here are the bugs:

--------------------------------------------------------------------------------
Title:              KASAN: use-after-free Write in tlb_finish_mmu
Last occurred:      5 days ago
Reported:           4 days ago
Branches:           Mainline
Dashboard link:     https://syzkaller.appspot.com/bug?id=d57b94f89e48c85ef7d95acc208209ea4bdc10de
Original thread:    https://lkml.kernel.org/lkml/00000000000045e7a1058e02458a@google.com/T/#u

This bug has a syzkaller reproducer only.

This bug was bisected to:

	commit 7f466032dc9e5a61217f22ea34b2df932786bbfc
	Author: Jason Wang <jasowang@redhat.com>
	Date:   Fri May 24 08:12:18 2019 +0000

	  vhost: access vq metadata through kernel virtual address

No one has replied to the original thread for this bug yet.

If you fix this bug, please add the following tag to the commit:
    Reported-by: syzbot+8267e9af795434ffadad@syzkaller.appspotmail.com

If you send any email or patch for this bug, please reply to the original
thread.  For the git send-email command to use, or tips on how to reply if the
thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/00000000000045e7a1058e02458a@google.com

--------------------------------------------------------------------------------
Title:              KASAN: use-after-free Read in finish_task_switch (2)
Last occurred:      5 days ago
Reported:           4 days ago
Branches:           Mainline
Dashboard link:     https://syzkaller.appspot.com/bug?id=9a98fcad6c8bd31f5c3afbdc6c75de9f082c0ffa
Original thread:    https://lkml.kernel.org/lkml/000000000000490679058e0245ee@google.com/T/#u

This bug has a syzkaller reproducer only.

This bug was bisected to:

	commit 7f466032dc9e5a61217f22ea34b2df932786bbfc
	Author: Jason Wang <jasowang@redhat.com>
	Date:   Fri May 24 08:12:18 2019 +0000

	  vhost: access vq metadata through kernel virtual address

No one has replied to the original thread for this bug yet.

If you fix this bug, please add the following tag to the commit:
    Reported-by: syzbot+7f067c796eee2acbc57a@syzkaller.appspotmail.com

If you send any email or patch for this bug, please reply to the original
thread.  For the git send-email command to use, or tips on how to reply if the
thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/000000000000490679058e0245ee@google.com

--------------------------------------------------------------------------------
Title:              memory leak in vhost_net_ioctl
Last occurred:      22 days ago
Reported:           48 days ago
Branches:           Mainline
Dashboard link:     https://syzkaller.appspot.com/bug?id=12ba349d7e26ccfe95317bc376e812ebbae2ee0f
Original thread:    https://lkml.kernel.org/lkml/000000000000188da1058a9c25e3@google.com/T/#u

This bug has a C reproducer.

The original thread for this bug has received 4 replies; the last was 39 days
ago.

If you fix this bug, please add the following tag to the commit:
    Reported-by: syzbot+0789f0c7e45efd7bb643@syzkaller.appspotmail.com

If you send any email or patch for this bug, please consider replying to the
original thread.  For the git send-email command to use, or tips on how to reply
if the thread isn't in your mailbox, see the "Reply instructions" at
https://lkml.kernel.org/r/000000000000188da1058a9c25e3@google.com



* Re: Reminder: 3 open syzbot bugs in vhost subsystem
From: Jason Wang @ 2019-07-24  3:05 UTC
  To: kvm, virtualization, netdev, Michael S. Tsirkin, linux-kernel,
	syzkaller-bugs


On 2019/7/24 10:38 AM, Eric Biggers wrote:
> [This email was generated by a script.  Let me know if you have any suggestions
> to make it better, or if you want it re-generated with the latest status.]
>
> Of the currently open syzbot reports against the upstream kernel, I've manually
> marked 3 of them as possibly being bugs in the vhost subsystem.  I've listed
> these reports below, sorted by an algorithm that tries to list first the reports
> most likely to be still valid, important, and actionable.
>
> Of these 3 bugs, 2 were seen in mainline in the last week.
>
> Of these 3 bugs, 2 were bisected to commits from the following person:
>
> 	Jason Wang <jasowang@redhat.com>
>
> If you believe a bug is no longer valid, please close the syzbot report by
> sending a '#syz fix', '#syz dup', or '#syz invalid' command in reply to the
> original thread, as explained at https://goo.gl/tpsmEJ#status
>
> If you believe I misattributed a bug to the vhost subsystem, please let me know,
> and if possible forward the report to the correct people or mailing list.
>
> Here are the bugs:
>
> --------------------------------------------------------------------------------
> Title:              KASAN: use-after-free Write in tlb_finish_mmu
> Last occurred:      5 days ago
> Reported:           4 days ago
> Branches:           Mainline
> Dashboard link:     https://syzkaller.appspot.com/bug?id=d57b94f89e48c85ef7d95acc208209ea4bdc10de
> Original thread:    https://lkml.kernel.org/lkml/00000000000045e7a1058e02458a@google.com/T/#u
>
> This bug has a syzkaller reproducer only.
>
> This bug was bisected to:
>
> 	commit 7f466032dc9e5a61217f22ea34b2df932786bbfc
> 	Author: Jason Wang <jasowang@redhat.com>
> 	Date:   Fri May 24 08:12:18 2019 +0000
>
> 	  vhost: access vq metadata through kernel virtual address
>
> No one has replied to the original thread for this bug yet.
>
> If you fix this bug, please add the following tag to the commit:
>      Reported-by: syzbot+8267e9af795434ffadad@syzkaller.appspotmail.com
>
> If you send any email or patch for this bug, please reply to the original
> thread.  For the git send-email command to use, or tips on how to reply if the
> thread isn't in your mailbox, see the "Reply instructions" at
> https://lkml.kernel.org/r/00000000000045e7a1058e02458a@google.com
>
> --------------------------------------------------------------------------------
> Title:              KASAN: use-after-free Read in finish_task_switch (2)
> Last occurred:      5 days ago
> Reported:           4 days ago
> Branches:           Mainline
> Dashboard link:     https://syzkaller.appspot.com/bug?id=9a98fcad6c8bd31f5c3afbdc6c75de9f082c0ffa
> Original thread:    https://lkml.kernel.org/lkml/000000000000490679058e0245ee@google.com/T/#u
>
> This bug has a syzkaller reproducer only.
>
> This bug was bisected to:
>
> 	commit 7f466032dc9e5a61217f22ea34b2df932786bbfc
> 	Author: Jason Wang <jasowang@redhat.com>
> 	Date:   Fri May 24 08:12:18 2019 +0000
>
> 	  vhost: access vq metadata through kernel virtual address
>
> No one has replied to the original thread for this bug yet.


Hi:

We believe above two bugs are duplicated with the report "WARNING in 
__mmdrop". Can I just dup them with

#syz dup "WARNING in __mmdrop"

(If yes, just wonder how syzbot differ bugs, technically, several 
different bug can hit the same warning).


>
> If you fix this bug, please add the following tag to the commit:
>      Reported-by: syzbot+7f067c796eee2acbc57a@syzkaller.appspotmail.com
>
> If you send any email or patch for this bug, please reply to the original
> thread.  For the git send-email command to use, or tips on how to reply if the
> thread isn't in your mailbox, see the "Reply instructions" at
> https://lkml.kernel.org/r/000000000000490679058e0245ee@google.com
>
> --------------------------------------------------------------------------------
> Title:              memory leak in vhost_net_ioctl
> Last occurred:      22 days ago
> Reported:           48 days ago
> Branches:           Mainline
> Dashboard link:     https://syzkaller.appspot.com/bug?id=12ba349d7e26ccfe95317bc376e812ebbae2ee0f
> Original thread:    https://lkml.kernel.org/lkml/000000000000188da1058a9c25e3@google.com/T/#u
>
> This bug has a C reproducer.
>
> The original thread for this bug has received 4 replies; the last was 39 days
> ago.
>
> If you fix this bug, please add the following tag to the commit:
>      Reported-by: syzbot+0789f0c7e45efd7bb643@syzkaller.appspotmail.com


I do remember it can not be reproduced upstream, let me double check and 
close this one.

Thanks


>
> If you send any email or patch for this bug, please consider replying to the
> original thread.  For the git send-email command to use, or tips on how to reply
> if the thread isn't in your mailbox, see the "Reply instructions" at
> https://lkml.kernel.org/r/000000000000188da1058a9c25e3@google.com
>


* Re: Re: Reminder: 3 open syzbot bugs in vhost subsystem
From: syzbot @ 2019-07-24  3:05 UTC
  To: Jason Wang
  Cc: jasowang, kvm, linux-kernel, mst, netdev, syzkaller-bugs, virtualization


> On 2019/7/24 10:38 AM, Eric Biggers wrote:
>> [This email was generated by a script.  Let me know if you have any  
>> suggestions
>> to make it better, or if you want it re-generated with the latest  
>> status.]

>> Of the currently open syzbot reports against the upstream kernel, I've  
>> manually
>> marked 3 of them as possibly being bugs in the vhost subsystem.  I've  
>> listed
>> these reports below, sorted by an algorithm that tries to list first the  
>> reports
>> most likely to be still valid, important, and actionable.

>> Of these 3 bugs, 2 were seen in mainline in the last week.

>> Of these 3 bugs, 2 were bisected to commits from the following person:

>> 	Jason Wang <jasowang@redhat.com>

>> If you believe a bug is no longer valid, please close the syzbot report  
>> by
>> sending a '#syz fix', '#syz dup', or '#syz invalid' command in reply to  
>> the
>> original thread, as explained at https://goo.gl/tpsmEJ#status

>> If you believe I misattributed a bug to the vhost subsystem, please let  
>> me know,
>> and if possible forward the report to the correct people or mailing list.

>> Here are the bugs:

>> --------------------------------------------------------------------------------
>> Title:              KASAN: use-after-free Write in tlb_finish_mmu
>> Last occurred:      5 days ago
>> Reported:           4 days ago
>> Branches:           Mainline
>> Dashboard link:      
>> https://syzkaller.appspot.com/bug?id=d57b94f89e48c85ef7d95acc208209ea4bdc10de
>> Original thread:     
>> https://lkml.kernel.org/lkml/00000000000045e7a1058e02458a@google.com/T/#u

>> This bug has a syzkaller reproducer only.

>> This bug was bisected to:

>> 	commit 7f466032dc9e5a61217f22ea34b2df932786bbfc
>> 	Author: Jason Wang <jasowang@redhat.com>
>> 	Date:   Fri May 24 08:12:18 2019 +0000

>> 	  vhost: access vq metadata through kernel virtual address

>> No one has replied to the original thread for this bug yet.

>> If you fix this bug, please add the following tag to the commit:
>>       Reported-by: syzbot+8267e9af795434ffadad@syzkaller.appspotmail.com

>> If you send any email or patch for this bug, please reply to the original
>> thread.  For the git send-email command to use, or tips on how to reply  
>> if the
>> thread isn't in your mailbox, see the "Reply instructions" at
>> https://lkml.kernel.org/r/00000000000045e7a1058e02458a@google.com

>> --------------------------------------------------------------------------------
>> Title:              KASAN: use-after-free Read in finish_task_switch (2)
>> Last occurred:      5 days ago
>> Reported:           4 days ago
>> Branches:           Mainline
>> Dashboard link:      
>> https://syzkaller.appspot.com/bug?id=9a98fcad6c8bd31f5c3afbdc6c75de9f082c0ffa
>> Original thread:     
>> https://lkml.kernel.org/lkml/000000000000490679058e0245ee@google.com/T/#u

>> This bug has a syzkaller reproducer only.

>> This bug was bisected to:

>> 	commit 7f466032dc9e5a61217f22ea34b2df932786bbfc
>> 	Author: Jason Wang <jasowang@redhat.com>
>> 	Date:   Fri May 24 08:12:18 2019 +0000

>> 	  vhost: access vq metadata through kernel virtual address

>> No one has replied to the original thread for this bug yet.


> Hi:

> We believe above two bugs are duplicated with the report "WARNING in
> __mmdrop". Can I just dup them with

> #syz dup "WARNING in __mmdrop"

I see the command but can't find the corresponding bug.
Please resend the email to syzbot+HASH@syzkaller.appspotmail.com address
that is the sender of the bug report (also present in the Reported-by tag).


> (If yes, just wonder how syzbot differ bugs, technically, several
> different bug can hit the same warning).



>> If you fix this bug, please add the following tag to the commit:
>>       Reported-by: syzbot+7f067c796eee2acbc57a@syzkaller.appspotmail.com

>> If you send any email or patch for this bug, please reply to the original
>> thread.  For the git send-email command to use, or tips on how to reply  
>> if the
>> thread isn't in your mailbox, see the "Reply instructions" at
>> https://lkml.kernel.org/r/000000000000490679058e0245ee@google.com

>> --------------------------------------------------------------------------------
>> Title:              memory leak in vhost_net_ioctl
>> Last occurred:      22 days ago
>> Reported:           48 days ago
>> Branches:           Mainline
>> Dashboard link:      
>> https://syzkaller.appspot.com/bug?id=12ba349d7e26ccfe95317bc376e812ebbae2ee0f
>> Original thread:     
>> https://lkml.kernel.org/lkml/000000000000188da1058a9c25e3@google.com/T/#u

>> This bug has a C reproducer.

>> The original thread for this bug has received 4 replies; the last was 39  
>> days
>> ago.

>> If you fix this bug, please add the following tag to the commit:
>>       Reported-by: syzbot+0789f0c7e45efd7bb643@syzkaller.appspotmail.com


> I do remember it can not be reproduced upstream, let me double check and
> close this one.

> Thanks



>> If you send any email or patch for this bug, please consider replying to  
>> the
>> original thread.  For the git send-email command to use, or tips on how  
>> to reply
>> if the thread isn't in your mailbox, see the "Reply instructions" at
>> https://lkml.kernel.org/r/000000000000188da1058a9c25e3@google.com




* Re: Reminder: 3 open syzbot bugs in vhost subsystem
From: Eric Biggers @ 2019-07-24  3:13 UTC
  To: Jason Wang
  Cc: kvm, virtualization, netdev, Michael S. Tsirkin, linux-kernel,
	syzkaller-bugs

On Wed, Jul 24, 2019 at 11:05:14AM +0800, Jason Wang wrote:
> > --------------------------------------------------------------------------------
> > Title:              KASAN: use-after-free Write in tlb_finish_mmu
> > Last occurred:      5 days ago
> > Reported:           4 days ago
> > Branches:           Mainline
> > Dashboard link:     https://syzkaller.appspot.com/bug?id=d57b94f89e48c85ef7d95acc208209ea4bdc10de
> > Original thread:    https://lkml.kernel.org/lkml/00000000000045e7a1058e02458a@google.com/T/#u
> > 
> > This bug has a syzkaller reproducer only.
> > 
> > This bug was bisected to:
> > 
> > 	commit 7f466032dc9e5a61217f22ea34b2df932786bbfc
> > 	Author: Jason Wang <jasowang@redhat.com>
> > 	Date:   Fri May 24 08:12:18 2019 +0000
> > 
> > 	  vhost: access vq metadata through kernel virtual address
> > 
> > No one has replied to the original thread for this bug yet.
> > 
> > If you fix this bug, please add the following tag to the commit:
> >      Reported-by: syzbot+8267e9af795434ffadad@syzkaller.appspotmail.com
> > 
> > If you send any email or patch for this bug, please reply to the original
> > thread.  For the git send-email command to use, or tips on how to reply if the
> > thread isn't in your mailbox, see the "Reply instructions" at
> > https://lkml.kernel.org/r/00000000000045e7a1058e02458a@google.com
> > 
> > --------------------------------------------------------------------------------
> > Title:              KASAN: use-after-free Read in finish_task_switch (2)
> > Last occurred:      5 days ago
> > Reported:           4 days ago
> > Branches:           Mainline
> > Dashboard link:     https://syzkaller.appspot.com/bug?id=9a98fcad6c8bd31f5c3afbdc6c75de9f082c0ffa
> > Original thread:    https://lkml.kernel.org/lkml/000000000000490679058e0245ee@google.com/T/#u
> > 
> > This bug has a syzkaller reproducer only.
> > 
> > This bug was bisected to:
> > 
> > 	commit 7f466032dc9e5a61217f22ea34b2df932786bbfc
> > 	Author: Jason Wang <jasowang@redhat.com>
> > 	Date:   Fri May 24 08:12:18 2019 +0000
> > 
> > 	  vhost: access vq metadata through kernel virtual address
> > 
> > No one has replied to the original thread for this bug yet.
> 
> 
> Hi:
> 
> We believe above two bugs are duplicated with the report "WARNING in
> __mmdrop". Can I just dup them with
> 
> #syz dup "WARNING in __mmdrop"
> 
> (If yes, just wonder how syzbot differ bugs, technically, several different
> bug can hit the same warning).
> 

Yes, please mark them as duplicates; see https://goo.gl/tpsmEJ#status for
correct syntax.  You need to send the command to the syzbot email address
specific to each bug.  Easiest way is to reply to the original threads.

- Eric
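
The routing rule from this reply, and the "can't find the corresponding bug" failure syzbot returned when the command went to the list, as an added example (not code from syzbot or from anyone in this thread). It parses the reminder's bug entries, quoted or not, and maps each title to its per-bug syzbot address and original-thread Message-ID; the function names are hypothetical.

```python
import re

# Constructed sample: two entries abridged from the reminder as quoted in this
# thread, keeping the '>' prefixes and one wrapped "Original thread:" field.
SAMPLE = """\
> --------------------------------------------------------------------------------
> Title:              KASAN: use-after-free Write in tlb_finish_mmu
> Original thread:    https://lkml.kernel.org/lkml/00000000000045e7a1058e02458a@google.com/T/#u
>
> If you fix this bug, please add the following tag to the commit:
>      Reported-by: syzbot+8267e9af795434ffadad@syzkaller.appspotmail.com
>
> --------------------------------------------------------------------------------
> Title:              KASAN: use-after-free Read in finish_task_switch (2)
> Original thread:
> https://lkml.kernel.org/lkml/000000000000490679058e0245ee@google.com/T/#u
>
> If you fix this bug, please add the following tag to the commit:
>      Reported-by: syzbot+7f067c796eee2acbc57a@syzkaller.appspotmail.com
"""

SEPARATOR = re.compile(r"^-{20,}\s*$", re.M)
# \s+ after the colon also spans a line break, so a wrapped value still parses.
FIELD = re.compile(r"^(Title|Original thread):\s+(.+?)\s*$", re.M)
REPORTER = re.compile(r"Reported-by:\s*(syzbot\+[0-9a-f]+@syzkaller\.appspotmail\.com)")
MSGID = re.compile(r"/lkml/([^/\s]+@[^/\s]+)/")


def unquote(text):
    """Strip '>' reply-quote prefixes so a quoted copy parses like the original."""
    return "\n".join(re.sub(r"^(?:>\s?)+", "", ln) for ln in text.splitlines())


def parse_reminder(text):
    """Return one dict per bug entry: title, per-bug syzbot address, thread Message-ID."""
    bugs = []
    for block in SEPARATOR.split(unquote(text)):
        fields = dict(FIELD.findall(block))
        reporter = REPORTER.search(block)
        if "Title" not in fields or reporter is None:
            continue  # preamble, or an entry without a Reported-by tag
        msgid = MSGID.search(fields.get("Original thread", ""))
        bugs.append({
            "title": fields["Title"],
            "to": reporter.group(1),
            "in_reply_to": "<%s>" % msgid.group(1) if msgid else None,
        })
    return bugs


def route_command(bugs, title, command):
    """Build headers that send `command` to the bug's own syzbot address."""
    matches = [b for b in bugs if b["title"] == title]
    if len(matches) != 1:
        raise LookupError("no unique report titled %r in this reminder" % title)
    return {"To": matches[0]["to"], "In-Reply-To": matches[0]["in_reply_to"],
            "Body": command}
```

The command text is passed through unchanged; its syntax is documented at the status link quoted in the thread.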

