Message-ID: <CACT4Y+YE6N8MUL-hVps6+BxVoQ0Xi_4AS26j8e+tv=_L2vKuYA@mail.gmail.com>
Date:   Tue, 14 Apr 2020 14:05:21 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Qian Cai <cai@....pw>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Stephen Rothwell <sfr@...b.auug.org.au>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Peter Xu <peterx@...hat.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Linux-MM <linux-mm@...ck.org>, Jens Axboe <axboe@...nel.dk>,
        Christoph Lameter <cl@...ux.com>,
        Johannes Weiner <hannes@...xchg.org>,
        syzkaller <syzkaller@...glegroups.com>,
        Dan Rue <dan.rue@...aro.org>
Subject: Re: [PATCH 0/2] mm: Two small fixes for recent syzbot reports

On Tue, Apr 14, 2020 at 1:59 PM Qian Cai <cai@....pw> wrote:
> > On Apr 14, 2020, at 7:13 AM, Dmitry Vyukov <dvyukov@...gle.com> wrote:
> >
> > How do these use-after-frees and locking bugs get past the
> > unit-testing systems (which syzbot is not) and remain unnoticed for so
> > long?...
> > syzbot uses the dumbest VMs (GCE), so everything it triggers during
> > boot should be triggerable pretty much everywhere.
>
> There are many reasons that any early testing would not be able to catch ALL the syzbot blockers.
>
> The Kconfigs are different. For example, I don’t have openvswitch enabled, so would miss that ovs rcu-list lockdep warning. Same for that use-after-free in net/bluetooth and a warning in the sound subsystem.
>
> But, notifying the Linux-next ML is a good start, so at least we could ask Paul or Steve to pull out the commit which enables rcu-list debugging by default with PROVE_RCU.
>
> I learned through that that a kconfig restricted to some minimal degree could save a lot of trouble later on, especially for those options that I have no way to exercise, like net/bluetooth and sound currently. It is going to be extra work though, because those default options in Linux-next or even defconfigs are not always pleasant and would want to enable something I don’t need if not given human intervention.

We only try to enable what we can reach. There is significant reach
for sound and net/bluetooth even without any hardware. So I would
assume generic testing systems like KernelCI, LKFT, CKI should enable
these as well. Hopefully we don't have all of the sound and
net/bluetooth completely untested in linux-next.
