linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Dmitry Vyukov <dvyukov@google.com>
To: Matthew Wilcox <willy@infradead.org>
Cc: syzbot <syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	syzkaller-bugs@googlegroups.com,
	Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: WARNING in kmem_cache_free
Date: Sun, 8 Apr 2018 12:26:54 +0200	[thread overview]
Message-ID: <CACT4Y+YKnor5e6kT7KeEn3L3gut4M_tCPp7WbjmSTf=44icGxg@mail.gmail.com> (raw)
In-Reply-To: <20180408060140.GB16007@bombadil.infradead.org>

On Sun, Apr 8, 2018 at 8:01 AM, Matthew Wilcox <willy@infradead.org> wrote:
> On Fri, Apr 06, 2018 at 03:33:36PM +0200, Dmitry Vyukov wrote:
>> On Fri, Apr 6, 2018 at 3:24 PM, syzbot
>> <syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com> wrote:
>> > Unfortunately, I don't have any reproducer for this crash yet.
>>
>> Interesting type of bug, I think we see this for the first time.
>
> Can you focus syzbot to try to find a reproducer?  This seems to be
> produced by calling mount() with a pathname that's somewhere between,
> say, 3950 & 4100 bytes long from a compat 32-bit task.


Something in the log definitely triggers a very bad heap corruption.

This can be reproduced following instructions at:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers

and then running:
./syz-execprog -sandbox=namespace -arch=386 -repeat=0 -procs=10 log.txt

where log.txt comes from "Raw console output" link.

Note that you need to build syzkaller with 'make TARGETARCH=386' and
the use bin/linux_386/syz-executor.

While running it I got:
BUG: KASAN: double-free or invalid-free in free_request_size+0x5b/0x70
block/blk-core.c:769
https://gist.githubusercontent.com/dvyukov/05f4e77a34795d329aa7a2f40265e396/raw/63a29123b79f1fbad3521d0ff034946be68bfd4a/gistfile1.txt

Then kernel BUG at mm/slab.c:4407!
https://gist.githubusercontent.com/dvyukov/5b3bcc90d326e9da3636aea2c95ace8f/raw/1589504c708994936681d61ba9d70029998b9b1a/gistfile1.txt

And then BUG: unable to handle kernel paging request at ffffebe000000020
https://gist.githubusercontent.com/dvyukov/72025b1c68e488f4fda243e0c152f044/raw/d2c171bc55ad3a43cea33095fa2eea48768b1131/gistfile1.txt

One interesting thing is that if I run the log once and it does not
crash, then when I try to start binary again I am getting:
[  456.837870] Invalid argument reading file caps for /root/syz-executor
The binary somehow becomes broken on disk...

I guess syzbot did find a reproducer in this log, but did not
attribute it to this bug as it causes crashes all over the place.

  reply	other threads:[~2018-04-08 10:27 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-04-06 13:24 WARNING in kmem_cache_free syzbot
2018-04-06 13:33 ` Dmitry Vyukov
2018-04-08  3:16   ` Use struct page for filename Matthew Wilcox
2018-04-08  4:42     ` Al Viro
2018-04-08  5:59   ` WARNING in kmem_cache_free Al Viro
2018-04-08  6:01   ` Matthew Wilcox
2018-04-08 10:26     ` Dmitry Vyukov [this message]
2018-04-08 11:18       ` Dmitry Vyukov
2018-04-08 15:31         ` Stephan Müller
2018-04-08 15:41           ` Dmitry Vyukov
2018-04-08 19:07             ` [PATCH] crypto: DRBG - guard uninstantion by lock Stephan Müller
2018-04-08 22:46               ` Theodore Y. Ts'o
2018-04-09  5:40                 ` Stephan Mueller
2018-04-09  7:57                   ` Dmitry Vyukov
2018-04-10 15:23                     ` Dmitry Vyukov
2018-04-10 15:35                       ` Stephan Mueller
2018-04-11 12:29                         ` Dmitry Vyukov
2018-04-11 12:59                           ` Stephan Mueller
2018-04-11 14:26                           ` Stephan Müller
2018-04-11 14:31                             ` [PATCH] crypto: drbg - set freed buffers to NULL Stephan Müller
2018-04-11 17:29                               ` Eric Biggers
2018-04-12  6:40                               ` Stephan Müller
2018-04-20 16:54                                 ` Herbert Xu
2018-04-11 17:09                             ` [PATCH] crypto: DRBG - guard uninstantion by lock Dmitry Vyukov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CACT4Y+YKnor5e6kT7KeEn3L3gut4M_tCPp7WbjmSTf=44icGxg@mail.gmail.com' \
    --to=dvyukov@google.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzbot+75397ee3df5c70164154@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=viro@zeniv.linux.org.uk \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).