lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+ZU3F=AyyuNyVia7gT22Z71JKM-K4uap0J-iumF=NjH9A@mail.gmail.com>
Date:   Mon, 17 Dec 2018 19:45:58 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Stefano Brivio <sbrivio@...hat.com>
Cc:     Eric Dumazet <eric.dumazet@...il.com>,
        Arjan van de Ven <arjan@...ux.intel.com>,
        "Paul E. McKenney" <paulmck@...ux.ibm.com>,
        syzbot <syzbot+43f6755d1c2e62743468@...kaller.appspotmail.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Josh Triplett <josh@...htriplett.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Ingo Molnar <mingo@...nel.org>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        netdev <netdev@...r.kernel.org>
Subject: Re: WARNING in __rcu_read_unlock

On Mon, Dec 17, 2018 at 12:29 PM Paul E. McKenney <paulmck@...ux.ibm.com> wrote:
> Any chance of a bisection?

Better later then never. Bisection also needs testing :)

syz-bisect -config bisect.cfg -crash dda626cdbd87eafe9a755acbbe102e2b6096b256
searching for guilty commit starting from 2aa55dccf83d
building syzkaller on 7624ddd6
testing commit 2aa55dccf83d7ca9f1da59ae005426c44fbeb890 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: slab-out-of-bounds in tick_sched_handle
run #1: crashed: KASAN: slab-out-of-bounds in tick_sched_handle
run #2: crashed: BUG: Bad page map
run #3: crashed: BUG: Bad page map
run #4: crashed: PANIC: double fault in __udp4_lib_err
run #5: crashed: general protection fault in __bfs
run #6: crashed: KASAN: stack-out-of-bounds Read in __handle_mm_fault
run #7: crashed: no output from test machine
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 2aa55dccf83d v4.19
Bisecting: 7955 revisions left to test after this (roughly 13 steps)
[f8cab69be0a8a756a7409f6d2bd1e6e96ce46482] Merge tag
'linux-kselftest-4.20-rc1' of
git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
testing commit f8cab69be0a8a756a7409f6d2bd1e6e96ce46482 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good f8cab69be0a8a756a7409f6d2bd1e6e96ce46482
Bisecting: 3957 revisions left to test after this (roughly 12 steps)
[b3491d8430dd25f0a4e00c33d60da22a9bd9d052] Merge tag 'media/v4.20-2'
of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit b3491d8430dd25f0a4e00c33d60da22a9bd9d052 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good b3491d8430dd25f0a4e00c33d60da22a9bd9d052
Bisecting: 1978 revisions left to test after this (roughly 11 steps)
[40df309e4166c69600968c93846aa0b1821e83f0] octeontx2-af: Support to
enable/disable default MCAM entries
testing commit 40df309e4166c69600968c93846aa0b1821e83f0 with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in __bfs
run #1: crashed: KASAN: stack-out-of-bounds Read in copy_page_range
run #2: crashed: general protection fault in __bfs
run #3: crashed: KASAN: slab-out-of-bounds Read in vma_compute_subtree_gap
run #4: crashed: general protection fault in corrupted
run #5: crashed: general protection fault in corrupted
run #6: crashed: BUG: unable to handle kernel paging request in corrupted
run #7: crashed: KASAN: stack-out-of-bounds Read in inet6_fill_ifla6_attrs
# git bisect bad 40df309e4166c69600968c93846aa0b1821e83f0
Bisecting: 989 revisions left to test after this (roughly 10 steps)
[a13511dfa836c8305a737436eed3ba9a8e74a826] Merge
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit a13511dfa836c8305a737436eed3ba9a8e74a826 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good a13511dfa836c8305a737436eed3ba9a8e74a826
Bisecting: 521 revisions left to test after this (roughly 9 steps)
[9ff01193a20d391e8dbce4403dd5ef87c7eaaca6] Linux 4.20-rc3
testing commit 9ff01193a20d391e8dbce4403dd5ef87c7eaaca6 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 9ff01193a20d391e8dbce4403dd5ef87c7eaaca6
Bisecting: 260 revisions left to test after this (roughly 8 steps)
[47e3e53ceadc568c038e457661d836f2259ed774] ice: Destroy scheduler tree
in reset path
testing commit 47e3e53ceadc568c038e457661d836f2259ed774 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: slab-out-of-bounds Read in tick_sched_handle
run #1: crashed: KASAN: stack-out-of-bounds in __fget_light
run #2: crashed: BUG: unable to handle kernel paging request in corrupted
run #3: crashed: KASAN: stack-out-of-bounds in anon_vma_interval_tree_remove
run #4: crashed: general protection fault in __udp4_lib_err
run #5: crashed: KASAN: stack-out-of-bounds Read in free_pgd_range
run #6: crashed: general protection fault in change_protection
run #7: crashed: INFO: trying to register non-static key in corrupted
# git bisect bad 47e3e53ceadc568c038e457661d836f2259ed774
Bisecting: 129 revisions left to test after this (roughly 7 steps)
[52358cb5a310990ea5069f986bdab3620e01181f] Merge branch 's390-qeth-next'
testing commit 52358cb5a310990ea5069f986bdab3620e01181f with gcc (GCC) 8.1.0
run #0: crashed: BUG: unable to handle kernel paging request in corrupted
run #1: crashed: general protection fault in vma_interval_tree_insert
run #2: crashed: KASAN: stack-out-of-bounds Read in __call_rcu
run #3: crashed: BUG: unable to handle kernel paging request in corrupted
run #4: crashed: general protection fault in __bfs
run #5: crashed: BUG: unable to handle kernel paging request in
__cgroup_account_cputime_field
run #6: crashed: WARNING in anon_vma_interval_tree_verify
run #7: crashed: general protection fault in rb_first
# git bisect bad 52358cb5a310990ea5069f986bdab3620e01181f
Bisecting: 65 revisions left to test after this (roughly 6 steps)
[2e7ad56aa54778de863998579fc6b5ff52838571] net/wan/fsl_ucc_hdlc: add BQL support
testing commit 2e7ad56aa54778de863998579fc6b5ff52838571 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 2e7ad56aa54778de863998579fc6b5ff52838571
Bisecting: 32 revisions left to test after this (roughly 5 steps)
[b592843c6723a850be70bf9618578082f3b73851] net: sched: add an offload
dump helper
testing commit b592843c6723a850be70bf9618578082f3b73851 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good b592843c6723a850be70bf9618578082f3b73851
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[a07966447f39fe43e37d05c9bfc92b1493267a59] geneve: ICMP error lookup handler
testing commit a07966447f39fe43e37d05c9bfc92b1493267a59 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good a07966447f39fe43e37d05c9bfc92b1493267a59
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[04087d9a89bef97998c71c21e3ecfca0cc7c52f3] openvswitch: remove BUG_ON
from get_dpdev
testing commit 04087d9a89bef97998c71c21e3ecfca0cc7c52f3 with gcc (GCC) 8.1.0
run #0: crashed: WARNING: kernel stack regs has bad 'bp' value
run #1: crashed: BUG: unable to handle kernel paging request in corrupted
run #2: crashed: general protection fault in corrupted
run #3: crashed: general protection fault in __bfs
run #4: crashed: general protection fault in corrupted
run #5: crashed: general protection fault in rb_insert_color
run #6: crashed: BUG: corrupted list in __pagevec_lru_add_fn
run #7: crashed: general protection fault in validate_mm
# git bisect bad 04087d9a89bef97998c71c21e3ecfca0cc7c52f3
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[e7cc082455cb49ea937a3ec4ab3d001b0b5f137b] udp: Support for error
handlers of tunnels with arbitrary destination port
testing commit e7cc082455cb49ea937a3ec4ab3d001b0b5f137b with gcc (GCC) 8.1.0
all runs: OK
# git bisect good e7cc082455cb49ea937a3ec4ab3d001b0b5f137b
Bisecting: 1 revision left to test after this (roughly 1 step)
[56fd865f46b894681dd7e7f83761243add7a71a3] selftests: pmtu: Introduce
FoU and GUE PMTU exceptions tests
testing commit 56fd865f46b894681dd7e7f83761243add7a71a3 with gcc (GCC) 8.1.0
run #0: crashed: WARNING in unlink_anon_vmas
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference
in corrupted
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference
in corrupted
run #3: crashed: KASAN: stack-out-of-bounds Read in update_min_vruntime
run #4: crashed: BUG: unable to handle kernel paging request in corrupted
run #5: crashed: PANIC: double fault in corrupted
run #6: crashed: WARNING in unlink_anon_vmas
run #7: crashed: WARNING in unlink_anon_vmas
# git bisect bad 56fd865f46b894681dd7e7f83761243add7a71a3
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e] fou, fou6: ICMP error
handlers for FoU and GUE
testing commit b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e with gcc (GCC) 8.1.0
run #0: crashed: kernel BUG at include/linux/swapops.h:LINE!
run #1: crashed: general protection fault in __bfs
run #2: crashed: INFO: trying to register non-static key in corrupted
run #3: crashed: lost connection to test machine
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference
in corrupted
run #5: crashed: kernel BUG at include/linux/swapops.h:LINE!
run #6: crashed: no output from test machine
run #7: crashed: lost connection to test machine
# git bisect bad b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e
b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e is the first bad commit
commit b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e
Author: Stefano Brivio <sbrivio@...hat.com>
Date:   Thu Nov 8 12:19:23 2018 +0100

    fou, fou6: ICMP error handlers for FoU and GUE

    As the destination port in FoU and GUE receiving sockets doesn't
    necessarily match the remote destination port, we can't associate errors
    to the encapsulating tunnels with a socket lookup -- we need to blindly
    try them instead. This means we don't even know if we are handling errors
    for FoU or GUE without digging into the packets.

    Hence, implement a single handler for both, one for IPv4 and one for IPv6,
    that will check whether the packet that generated the ICMP error used a
    direct IP encapsulation or if it had a GUE header, and send the error to
    the matching protocol handler, if any.

    Signed-off-by: Stefano Brivio <sbrivio@...hat.com>
    Reviewed-by: Sabrina Dubroca <sd@...asysnail.net>
    Signed-off-by: David S. Miller <davem@...emloft.net>

:040000 040000 cabdcb7779c24a357486aae139cb31cdd625bc53
6bc9db712d9698330234b7c8c934dcfc71cfb657 M net
revisions tested: 16, total time: 3h25m25.893971693s (build:
1h23m29.053198068s, test: 1h59m23.409063298s)
first bad commit: b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e fou, fou6:
ICMP error handlers for FoU and GUE
cc: ["sbrivio@...hat.com" "sd@...asysnail.net"]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ