Re: [PATCH net-next v2 5/5] net: add netlink_ext_ack argument to rtnl_link_ops.slave_validate

On 6/25/17 3:56 PM, Matthias Schiffer wrote: > Add support for extended error reporting. > > Signed-off-by: Matthias Schiffer > --- Acked-by: David Ahern

Re: [PATCH net-next v2 4/5] net: add netlink_ext_ack argument to rtnl_link_ops.slave_changelink

On 6/25/17 3:56 PM, Matthias Schiffer wrote: > Add support for extended error reporting. > > Signed-off-by: Matthias Schiffer <mschif...@universe-factory.net> > --- Acked-by: David Ahern <dsah...@gmail.com>

Re: [PATCH net-next v2 3/5] net: add netlink_ext_ack argument to rtnl_link_ops.validate

On 6/25/17 3:56 PM, Matthias Schiffer wrote: > Add support for extended error reporting. > > Signed-off-by: Matthias Schiffer <mschif...@universe-factory.net> > --- Acked-by: David Ahern <dsah...@gmail.com>

Re: [PATCH net-next v2 4/5] net: add netlink_ext_ack argument to rtnl_link_ops.slave_changelink

On 6/25/17 3:56 PM, Matthias Schiffer wrote: > Add support for extended error reporting. > > Signed-off-by: Matthias Schiffer > --- Acked-by: David Ahern

Re: [PATCH net-next v2 3/5] net: add netlink_ext_ack argument to rtnl_link_ops.validate

On 6/25/17 3:56 PM, Matthias Schiffer wrote: > Add support for extended error reporting. > > Signed-off-by: Matthias Schiffer > --- Acked-by: David Ahern

Re: [PATCH net-next v2 2/5] net: add netlink_ext_ack argument to rtnl_link_ops.changelink

On 6/25/17 3:56 PM, Matthias Schiffer wrote: > Add support for extended error reporting. > > Signed-off-by: Matthias Schiffer <mschif...@universe-factory.net> Acked-by: David Ahern <dsah...@gmail.com>

Re: [PATCH net-next v2 2/5] net: add netlink_ext_ack argument to rtnl_link_ops.changelink

On 6/25/17 3:56 PM, Matthias Schiffer wrote: > Add support for extended error reporting. > > Signed-off-by: Matthias Schiffer Acked-by: David Ahern

Re: [PATCH net-next v2 1/5] net: add netlink_ext_ack argument to rtnl_link_ops.newlink

On 6/25/17 3:55 PM, Matthias Schiffer wrote: > Add support for extended error reporting. > > Signed-off-by: Matthias Schiffer <mschif...@universe-factory.net> > --- Acked-by: David Ahern <dsah...@gmail.com>

Re: [PATCH net-next v2 1/5] net: add netlink_ext_ack argument to rtnl_link_ops.newlink

On 6/25/17 3:55 PM, Matthias Schiffer wrote: > Add support for extended error reporting. > > Signed-off-by: Matthias Schiffer > --- Acked-by: David Ahern

Re: [PATCH net-next] net: add netlink_ext_ack support to rtnl_link_ops

On 6/24/17 5:35 AM, Matthias Schiffer wrote: > The following functions are extended with a netlink_ext_ack argument to > allow extended error reporting: > > * validate > * newlink > * changelink > * slave_validate > * slave_changelink I would prefer separate patches for validate, slave_validate,

Re: [PATCH net-next] net: add netlink_ext_ack support to rtnl_link_ops

On 6/24/17 5:35 AM, Matthias Schiffer wrote: > The following functions are extended with a netlink_ext_ack argument to > allow extended error reporting: > > * validate > * newlink > * changelink > * slave_validate > * slave_changelink I would prefer separate patches for validate, slave_validate,

Re: net/ipv6: use-after-free in ip6_dst_ifdown

On 5/31/17 4:49 PM, Cong Wang wrote: == BUG: KASAN: use-after-free in ip6_dst_ifdown+0x3cc/0x400 net/ipv6/route.c:422 Read of size 8 at addr 88006afa4ad8 by task syz-executor6/23554 >>> >>> >>> This one is

Re: net/ipv6: use-after-free in ip6_dst_ifdown

On 5/31/17 4:49 PM, Cong Wang wrote: == BUG: KASAN: use-after-free in ip6_dst_ifdown+0x3cc/0x400 net/ipv6/route.c:422 Read of size 8 at addr 88006afa4ad8 by task syz-executor6/23554 >>> >>> >>> This one is

Re: [PATCH v1] samples/bpf: Add a .gitignore for binaries

On 5/17/17 1:18 AM, Alexander Alemayhu wrote: > I have looked into this but found it to be not easy and all attempts to > change the Makefile has resulted in obscure errors :/ > > Getting clang to output in a different directory was easy[0], but I guess > this is not the right approach either.

Re: [PATCH v1] samples/bpf: Add a .gitignore for binaries

On 5/17/17 1:18 AM, Alexander Alemayhu wrote: > I have looked into this but found it to be not easy and all attempts to > change the Makefile has resulted in obscure errors :/ > > Getting clang to output in a different directory was easy[0], but I guess > this is not the right approach either.

Re: [PATCH v1] samples/bpf: Add a .gitignore for binaries

On 5/13/17 3:30 AM, Mickaël Salaün wrote: > > On 13/02/2017 02:43, David Ahern wrote: >> On 2/12/17 2:23 PM, Mickaël Salaün wrote: >>> diff --git a/samples/bpf/.gitignore b/samples/bpf/.gitignore >>> new file mode 100644 >>> index ..a7562a5ef4c2

Re: [PATCH v1] samples/bpf: Add a .gitignore for binaries

On 5/13/17 3:30 AM, Mickaël Salaün wrote: > > On 13/02/2017 02:43, David Ahern wrote: >> On 2/12/17 2:23 PM, Mickaël Salaün wrote: >>> diff --git a/samples/bpf/.gitignore b/samples/bpf/.gitignore >>> new file mode 100644 >>> index ..a7562a5ef4c2

Re: [PATCH] net: ipv6: Truncate single route when it doesn't fit into dump buffer.

On 5/12/17 8:24 AM, David Miller wrote: > From: Jan Moskyto Matejka > Date: Fri, 12 May 2017 13:15:10 +0200 > >> -int rt6_dump_route(struct rt6_info *rt, void *p_arg); >> +int rt6_dump_route(struct rt6_info *rt, void *p_arg, int truncate); > > Please use "bool" and "true"/"false"

Re: [PATCH] net: ipv6: Truncate single route when it doesn't fit into dump buffer.

On 5/12/17 8:24 AM, David Miller wrote: > From: Jan Moskyto Matejka > Date: Fri, 12 May 2017 13:15:10 +0200 > >> -int rt6_dump_route(struct rt6_info *rt, void *p_arg); >> +int rt6_dump_route(struct rt6_info *rt, void *p_arg, int truncate); > > Please use "bool" and "true"/"false" for boolean

Re: net/ipv6: GPF in rt6_device_match

On 5/3/17 9:55 PM, Cong Wang wrote: > Why not add a printk and play with my patch to see the difference? I have other things to do. If you believe your patch fixes the problem, send it and let Andrey verify.

Re: net/ipv6: GPF in rt6_device_match

On 5/3/17 9:55 PM, Cong Wang wrote: > Why not add a printk and play with my patch to see the difference? I have other things to do. If you believe your patch fixes the problem, send it and let Andrey verify.

Re: net/ipv6: GPF in rt6_device_match

On 5/3/17 5:35 PM, Cong Wang wrote: > Ah, we need: > > @@ -4024,7 +4027,7 @@ static struct pernet_operations ip6_route_net_late_ops > = { > > static struct notifier_block ip6_route_dev_notifier = { > .notifier_call = ip6_route_dev_notify, > - .priority = 0, > + .priority =

Re: net/ipv6: GPF in rt6_device_match

On 5/3/17 5:35 PM, Cong Wang wrote: > Ah, we need: > > @@ -4024,7 +4027,7 @@ static struct pernet_operations ip6_route_net_late_ops > = { > > static struct notifier_block ip6_route_dev_notifier = { > .notifier_call = ip6_route_dev_notify, > - .priority = 0, > + .priority =

Re: net/ipv6: GPF in rt6_device_match

On 5/3/17 4:02 PM, Cong Wang wrote: > On Wed, May 3, 2017 at 11:22 AM, David Ahern <dsah...@gmail.com> wrote: >> On 5/3/17 11:02 AM, Cong Wang wrote: >>> A quick glance shows we need to simply check local->rt6i_idev >>> since we do the same check for sprt right

Re: net/ipv6: GPF in rt6_device_match

On 5/3/17 4:02 PM, Cong Wang wrote: > On Wed, May 3, 2017 at 11:22 AM, David Ahern wrote: >> On 5/3/17 11:02 AM, Cong Wang wrote: >>> A quick glance shows we need to simply check local->rt6i_idev >>> since we do the same check for sprt right above. >> >

Re: net/ipv6: GPF in rt6_device_match

On 5/3/17 11:02 AM, Cong Wang wrote: > A quick glance shows we need to simply check local->rt6i_idev > since we do the same check for sprt right above. As I recall, rt6i_idev is set for all routes except null_entry and it is not set on null_entry only because of initialization order. > > diff

Re: net/ipv6: GPF in rt6_device_match

On 5/3/17 11:02 AM, Cong Wang wrote: > A quick glance shows we need to simply check local->rt6i_idev > since we do the same check for sprt right above. As I recall, rt6i_idev is set for all routes except null_entry and it is not set on null_entry only because of initialization order. > > diff

Re: net/ipv6: use-after-free in __call_rcu/in6_dev_finish_destroy_rcu

On 5/2/17 10:58 AM, Andrey Konovalov wrote: > Do you have a patch that I could test? not yet. > > I also reported another issue recently, that might also be related to this > one: > https://groups.google.com/forum/#!topic/syzkaller/Rt0pgY4wfiw different problem. I can still trigger this one

Re: net/ipv6: use-after-free in __call_rcu/in6_dev_finish_destroy_rcu

On 5/2/17 10:58 AM, Andrey Konovalov wrote: > Do you have a patch that I could test? not yet. > > I also reported another issue recently, that might also be related to this > one: > https://groups.google.com/forum/#!topic/syzkaller/Rt0pgY4wfiw different problem. I can still trigger this one

Re: net/ipv6: use-after-free in __call_rcu/in6_dev_finish_destroy_rcu

On 4/26/17 9:15 AM, Andrey Konovalov wrote: > +David > > I've enabled CONFIG_DEBUG_OBJECTS_RCU_HEAD and this is what I get. > > Apparently the rcu warning is related to the fib6_del_route bug I've > been trying to reproduce: >

Re: net/ipv6: use-after-free in __call_rcu/in6_dev_finish_destroy_rcu

On 4/26/17 9:15 AM, Andrey Konovalov wrote: > +David > > I've enabled CONFIG_DEBUG_OBJECTS_RCU_HEAD and this is what I get. > > Apparently the rcu warning is related to the fib6_del_route bug I've > been trying to reproduce: >

Re: perf report warnings on tracepoint events hidden by ui

On 4/27/17 8:49 PM, Steven Rostedt wrote: > On Thu, 27 Apr 2017 20:13:43 -0600 > David Ahern <dsah...@gmail.com> wrote: > >> On 4/27/17 7:41 PM, Steven Rostedt wrote: >>> On Thu, 27 Apr 2017 19:31:12 -0500 >>> David Carrillo-Cisneros <davi...@goog

Re: perf report warnings on tracepoint events hidden by ui

On 4/27/17 8:49 PM, Steven Rostedt wrote: > On Thu, 27 Apr 2017 20:13:43 -0600 > David Ahern wrote: > >> On 4/27/17 7:41 PM, Steven Rostedt wrote: >>> On Thu, 27 Apr 2017 19:31:12 -0500 >>> David Carrillo-Cisneros wrote: >>> >>>>

Re: perf report warnings on tracepoint events hidden by ui

On 4/27/17 7:41 PM, Steven Rostedt wrote: > On Thu, 27 Apr 2017 19:31:12 -0500 > David Carrillo-Cisneros wrote: > >> When processing tracepoint events, perf report outputs warnings about >> field not founds. The warnings are usually hidden by perf report UI >> and appear when

Re: perf report warnings on tracepoint events hidden by ui

On 4/27/17 7:41 PM, Steven Rostedt wrote: > On Thu, 27 Apr 2017 19:31:12 -0500 > David Carrillo-Cisneros wrote: > >> When processing tracepoint events, perf report outputs warnings about >> field not founds. The warnings are usually hidden by perf report UI >> and appear when using the --stdio

Re: [PATCH] net: ipv6: check route protocol when deleting routes

On 4/24/17 3:48 AM, Lorenzo Colitti wrote: > For non-stable kernels, it seems that the proper fix would be: > > 1. Ensure that when an RA creates a route, it properly sets > rtm_protocol at time of route creation. > 2. When we dump routes to userspace, we don't overwrite the rtm_protocol. +1

Re: [PATCH] net: ipv6: check route protocol when deleting routes

On 4/24/17 3:48 AM, Lorenzo Colitti wrote: > For non-stable kernels, it seems that the proper fix would be: > > 1. Ensure that when an RA creates a route, it properly sets > rtm_protocol at time of route creation. > 2. When we dump routes to userspace, we don't overwrite the rtm_protocol. +1

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 4/25/17 10:38 AM, Andrey Konovalov wrote: > I'll keep fuzzing in the meantime to make sure. > Maybe I'll be able to collect more reports or even another reproducer. start a new email thread for each stack trace. I'll write a debug patch for the trace you hit today.

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 4/25/17 10:38 AM, Andrey Konovalov wrote: > I'll keep fuzzing in the meantime to make sure. > Maybe I'll be able to collect more reports or even another reproducer. start a new email thread for each stack trace. I'll write a debug patch for the trace you hit today.

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/7/17 2:21 AM, Dmitry Vyukov wrote: > [ cut here ] > WARNING: CPU: 2 PID: 3990 at net/ipv6/ip6_fib.c:991 > fib6_add+0x2e12/0x3290 net/ipv6/ip6_fib.c:991 net/ipv6/ip6_fib.c:991 > Kernel panic - not syncing: panic_on_warn set ... > > CPU: 2 PID: 3990 Comm: kworker/2:4

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/7/17 2:21 AM, Dmitry Vyukov wrote: > [ cut here ] > WARNING: CPU: 2 PID: 3990 at net/ipv6/ip6_fib.c:991 > fib6_add+0x2e12/0x3290 net/ipv6/ip6_fib.c:991 net/ipv6/ip6_fib.c:991 > Kernel panic - not syncing: panic_on_warn set ... > > CPU: 2 PID: 3990 Comm: kworker/2:4

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/4/17 11:57 AM, Dmitry Vyukov wrote: > == > BUG: KASAN: slab-out-of-bounds in rt6_dump_route+0x293/0x2f0 > net/ipv6/route.c:3551 at addr 88007e523694 > Read of size 4 by task syz-executor3/24426 > CPU: 2 PID: 24426 Comm:

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/4/17 11:57 AM, Dmitry Vyukov wrote: > == > BUG: KASAN: slab-out-of-bounds in rt6_dump_route+0x293/0x2f0 > net/ipv6/route.c:3551 at addr 88007e523694 > Read of size 4 by task syz-executor3/24426 > CPU: 2 PID: 24426 Comm:

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

ixed by: commit 557c44be917c322860665be3d28376afa84aa936 Author: David Ahern <d...@cumulusnetworks.com> Date: Wed Apr 19 14:19:43 2017 -0700 net: ipv6: RTF_PCPU should not be settable from userspace

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

ixed by: commit 557c44be917c322860665be3d28376afa84aa936 Author: David Ahern Date: Wed Apr 19 14:19:43 2017 -0700 net: ipv6: RTF_PCPU should not be settable from userspace

Re: [PATCH 22/22] perf tools: Fix the code to strip command name

On 4/24/17 1:54 PM, Arnaldo Carvalho de Melo wrote: > From: Jiri Olsa > > Recent commit broke command name strip in perf_event__get_comm_ids > function. It replaced left to right search for '\n' with rtrim, which > actually does right to left search. It occasionally caught

Re: [PATCH 22/22] perf tools: Fix the code to strip command name

On 4/24/17 1:54 PM, Arnaldo Carvalho de Melo wrote: > From: Jiri Olsa > > Recent commit broke command name strip in perf_event__get_comm_ids > function. It replaced left to right search for '\n' with rtrim, which > actually does right to left search. It occasionally caught earlier '\n' > and

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 4/21/17 10:47 AM, Eric Dumazet wrote: > On Fri, 2017-04-21 at 08:27 -0600, David Ahern wrote: >> On 4/20/17 10:09 AM, Andrey Konovalov wrote: >>> On Thu, Apr 20, 2017 at 5:39 PM, Andrey Konovalov <andreyk...@google.com> >>> wrote: >>>> On

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 4/21/17 10:47 AM, Eric Dumazet wrote: > On Fri, 2017-04-21 at 08:27 -0600, David Ahern wrote: >> On 4/20/17 10:09 AM, Andrey Konovalov wrote: >>> On Thu, Apr 20, 2017 at 5:39 PM, Andrey Konovalov >>> wrote: >>>> On Thu, Apr 20, 2017 at 5:35 PM, David Ah

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 4/20/17 10:09 AM, Andrey Konovalov wrote: > On Thu, Apr 20, 2017 at 5:39 PM, Andrey Konovalov <andreyk...@google.com> > wrote: >> On Thu, Apr 20, 2017 at 5:35 PM, David Ahern <d...@cumulusnetworks.com> >> wrote: >>> On 4/20/17 9:28 AM, Andrey Konovalo

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 4/20/17 10:09 AM, Andrey Konovalov wrote: > On Thu, Apr 20, 2017 at 5:39 PM, Andrey Konovalov > wrote: >> On Thu, Apr 20, 2017 at 5:35 PM, David Ahern >> wrote: >>> On 4/20/17 9:28 AM, Andrey Konovalov wrote: >>>> This one seems to be much closer to

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 4/20/17 9:28 AM, Andrey Konovalov wrote: > This one seems to be much closer to what Dmitry reported intially. does not repro here; I ran in a loop and nothing. can you send output of "sysctl -a --pattern 'net.ipv6'"

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 4/20/17 9:28 AM, Andrey Konovalov wrote: > This one seems to be much closer to what Dmitry reported intially. does not repro here; I ran in a loop and nothing. can you send output of "sysctl -a --pattern 'net.ipv6'"

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 4/19/17 5:47 PM, Cong Wang wrote: > On Wed, Apr 19, 2017 at 9:12 AM, Andrey Konovalov > wrote: >> >> Anyway, I just finished simplifying the reproducer. Give this one a try. > > Thanks for providing such a minimal reproducer! > > The following patch could fix this

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 4/19/17 5:47 PM, Cong Wang wrote: > On Wed, Apr 19, 2017 at 9:12 AM, Andrey Konovalov > wrote: >> >> Anyway, I just finished simplifying the reproducer. Give this one a try. > > Thanks for providing such a minimal reproducer! > > The following patch could fix this crash, but I am not 100%

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 4/19/17 10:12 AM, Andrey Konovalov wrote: > That's weird. I usually see this when I have CONFIG_USER_NS disabled. I bungled the movement of .config between servers. reproduced. will investigate.

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 4/19/17 10:12 AM, Andrey Konovalov wrote: > That's weird. I usually see this when I have CONFIG_USER_NS disabled. I bungled the movement of .config between servers. reproduced. will investigate.

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 4/18/17 2:43 PM, Andrey Konovalov wrote: > Hi! > > I've finally managed to reproduce one of the crashes on commit > 4f7d029b9bf009fbee76bb10c0c4351a1870d2f3 (4.11-rc7). > > I'm not sure if this bug has the same root cause as the first one > reported in this thread, but it definitely has to do

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 4/18/17 2:43 PM, Andrey Konovalov wrote: > Hi! > > I've finally managed to reproduce one of the crashes on commit > 4f7d029b9bf009fbee76bb10c0c4351a1870d2f3 (4.11-rc7). > > I'm not sure if this bug has the same root cause as the first one > reported in this thread, but it definitely has to do

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 4/18/17 2:43 PM, Andrey Konovalov wrote: > I've finally managed to reproduce one of the crashes on commit > 4f7d029b9bf009fbee76bb10c0c4351a1870d2f3 (4.11-rc7). > > I'm not sure if this bug has the same root cause as the first one > reported in this thread, but it definitely has to do with

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 4/18/17 2:43 PM, Andrey Konovalov wrote: > I've finally managed to reproduce one of the crashes on commit > 4f7d029b9bf009fbee76bb10c0c4351a1870d2f3 (4.11-rc7). > > I'm not sure if this bug has the same root cause as the first one > reported in this thread, but it definitely has to do with

Re: [PATCH v2 5/5] perf tools: Refactor the code to strip command name with {l,r}trim()

On 4/7/17 8:52 PM, Taeung Song wrote: > After reading command name from /proc//status, > use ltrim() and rtrim() to strip command name, not using > just while loop, isspace() and etc. > > Cc: David Ahern <dsah...@gmail.com> > Cc: Don Zickus <dzic...@redhat.com> >

Re: [PATCH v2 5/5] perf tools: Refactor the code to strip command name with {l,r}trim()

On 4/7/17 8:52 PM, Taeung Song wrote: > After reading command name from /proc//status, > use ltrim() and rtrim() to strip command name, not using > just while loop, isspace() and etc. > > Cc: David Ahern > Cc: Don Zickus > Cc: Jiri Olsa > Cc: Namhyung Kim >

Re: [PATCH v2] Allow user probes on versioned symbols

__compare_symbol_names(namea, nameb); > + > +if (namea_versioning) free((void *)namea); > +if (nameb_versioning) free((void *)nameb); free() should be on the next line. Otherwise LGTM Reviewed-by: David Ahern <dsah...@gmail.com>

Re: [PATCH v2] Allow user probes on versioned symbols

__compare_symbol_names(namea, nameb); > + > +if (namea_versioning) free((void *)namea); > +if (nameb_versioning) free((void *)nameb); free() should be on the next line. Otherwise LGTM Reviewed-by: David Ahern

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/27/17 6:42 AM, Dmitry Vyukov wrote: > A friendly ping. This still happens all the time for us. Haven't looked at this in a couple of weeks. I have syzkaller installed on a machine locally and never was able to reproduce this ipv6 problem. I am using a jessie rootfs; from the syzkaller files

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/27/17 6:42 AM, Dmitry Vyukov wrote: > A friendly ping. This still happens all the time for us. Haven't looked at this in a couple of weeks. I have syzkaller installed on a machine locally and never was able to reproduce this ipv6 problem. I am using a jessie rootfs; from the syzkaller files

Re: change uprobe_events default ? Was: [PATCH] perf: Rename CONFIG_[UK]PROBE_EVENT to CONFIG_[UK]PROBE_EVENTS

On 3/15/17 7:06 PM, Arnaldo Carvalho de Melo wrote: > Added more people to the CC list. > > Em Wed, Mar 15, 2017 at 05:58:19PM -0700, Alexei Starovoitov escreveu: >> On Thu, Feb 16, 2017 at 05:00:50PM +1100, Anton Blanchard wrote: >>> We have uses of CONFIG_UPROBE_EVENT and CONFIG_KPROBE_EVENT as

Re: change uprobe_events default ? Was: [PATCH] perf: Rename CONFIG_[UK]PROBE_EVENT to CONFIG_[UK]PROBE_EVENTS

On 3/15/17 7:06 PM, Arnaldo Carvalho de Melo wrote: > Added more people to the CC list. > > Em Wed, Mar 15, 2017 at 05:58:19PM -0700, Alexei Starovoitov escreveu: >> On Thu, Feb 16, 2017 at 05:00:50PM +1100, Anton Blanchard wrote: >>> We have uses of CONFIG_UPROBE_EVENT and CONFIG_KPROBE_EVENT as

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/7/17 2:21 AM, Dmitry Vyukov wrote: > I've commented that warning just to see I can obtain more information. > Then I also got this: > > [ cut here ] > WARNING: CPU: 2 PID: 3990 at net/ipv6/ip6_fib.c:991 > fib6_add+0x2e12/0x3290 net/ipv6/ip6_fib.c:991

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/7/17 2:21 AM, Dmitry Vyukov wrote: > I've commented that warning just to see I can obtain more information. > Then I also got this: > > [ cut here ] > WARNING: CPU: 2 PID: 3990 at net/ipv6/ip6_fib.c:991 > fib6_add+0x2e12/0x3290 net/ipv6/ip6_fib.c:991

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/7/17 11:13 AM, Dmitry Vyukov wrote: >> on this warning: >> >> /* dst.next really should not be set at this point */ >> if (rt->dst.next && rt->dst.next->ops->family != AF_INET6) { >> pr_warn("fib6_add: adding rt with bad next -- family %d dst >> flags %x\n", >>

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/7/17 11:13 AM, Dmitry Vyukov wrote: >> on this warning: >> >> /* dst.next really should not be set at this point */ >> if (rt->dst.next && rt->dst.next->ops->family != AF_INET6) { >> pr_warn("fib6_add: adding rt with bad next -- family %d dst >> flags %x\n", >>

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/7/17 1:43 AM, Dmitry Vyukov wrote: > This is on c1ae3cfa0e89fa1a7ecc4c99031f5e9ae99d9201. No other kernel > output from your patch (pr_err). > > [ cut here ] > WARNING: CPU: 1 PID: 30179 at net/ipv6/ip6_fib.c:158 > rt6_rcu_free+0x61/0x70 net/ipv6/ip6_fib.c:158 >

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/7/17 1:43 AM, Dmitry Vyukov wrote: > This is on c1ae3cfa0e89fa1a7ecc4c99031f5e9ae99d9201. No other kernel > output from your patch (pr_err). > > [ cut here ] > WARNING: CPU: 1 PID: 30179 at net/ipv6/ip6_fib.c:158 > rt6_rcu_free+0x61/0x70 net/ipv6/ip6_fib.c:158 >

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/7/17 1:43 AM, Dmitry Vyukov wrote: > This is on c1ae3cfa0e89fa1a7ecc4c99031f5e9ae99d9201. No other kernel > output from your patch (pr_err). Is the below supposed to be from the same qemu instance at the time of the crash? cpu1 and cpu2 are both supposedly doing a route insert? > >

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/7/17 1:43 AM, Dmitry Vyukov wrote: > This is on c1ae3cfa0e89fa1a7ecc4c99031f5e9ae99d9201. No other kernel > output from your patch (pr_err). Is the below supposed to be from the same qemu instance at the time of the crash? cpu1 and cpu2 are both supposedly doing a route insert? > >

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/6/17 11:51 AM, Dmitry Vyukov wrote: > We hit it several thousand times, but we get only several dozens of > crashes per day on ~80 VMs. So if you try to reproduce it on a single > machine it can take days for a single crash. > If you are ready to go that route, here are some instructions on >

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/6/17 11:51 AM, Dmitry Vyukov wrote: > We hit it several thousand times, but we get only several dozens of > crashes per day on ~80 VMs. So if you try to reproduce it on a single > machine it can take days for a single crash. > If you are ready to go that route, here are some instructions on >

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/4/17 1:15 PM, Eric Dumazet wrote: > On Sat, 2017-03-04 at 19:57 +0100, Dmitry Vyukov wrote: >> On Fri, Mar 3, 2017 at 8:12 PM, David Ahern <d...@cumulusnetworks.com> wrote: >>> On 3/3/17 6:39 AM, Dmitry Vyukov wrote: >>>> I am getting heap out-of-bo

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/4/17 1:15 PM, Eric Dumazet wrote: > On Sat, 2017-03-04 at 19:57 +0100, Dmitry Vyukov wrote: >> On Fri, Mar 3, 2017 at 8:12 PM, David Ahern wrote: >>> On 3/3/17 6:39 AM, Dmitry Vyukov wrote: >>>> I am getting heap out-of-bounds reports in >>>&

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/3/17 6:39 AM, Dmitry Vyukov wrote: > I am getting heap out-of-bounds reports in > fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone while running > syzkaller fuzzer on 86292b33d4b79ee03e2f43ea0381ef85f077c760. They all > follow the same pattern: an object of size 216 is allocated from >

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

On 3/3/17 6:39 AM, Dmitry Vyukov wrote: > I am getting heap out-of-bounds reports in > fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone while running > syzkaller fuzzer on 86292b33d4b79ee03e2f43ea0381ef85f077c760. They all > follow the same pattern: an object of size 216 is allocated from >

Re: net: GPF in rt6_nexthop_info

On 2/28/17 3:14 PM, Eric Dumazet wrote: > On Tue, Feb 28, 2017 at 3:09 PM, David Ahern <d...@cumulusnetworks.com> wrote: >> On 2/28/17 5:10 AM, Eric Dumazet wrote: >>> David, rt->rt6i_idev can be NULL. >> >> Do you know of an example where rt6i_idev can be NU

Re: net: GPF in rt6_nexthop_info

On 2/28/17 3:14 PM, Eric Dumazet wrote: > On Tue, Feb 28, 2017 at 3:09 PM, David Ahern wrote: >> On 2/28/17 5:10 AM, Eric Dumazet wrote: >>> David, rt->rt6i_idev can be NULL. >> >> Do you know of an example where rt6i_idev can be NULL - besides the >> n

Re: net: GPF in rt6_nexthop_info

On 2/28/17 5:10 AM, Eric Dumazet wrote: > David, rt->rt6i_idev can be NULL. Do you know of an example where rt6i_idev can be NULL - besides the null_entry rt which is null only because of init order?

Re: net: GPF in rt6_nexthop_info

On 2/28/17 5:10 AM, Eric Dumazet wrote: > David, rt->rt6i_idev can be NULL. Do you know of an example where rt6i_idev can be NULL - besides the null_entry rt which is null only because of init order?

Re: net/ipv6: null-ptr-deref in ip6_route_del/lock_acquire

On 2/27/17 10:11 AM, Cong Wang wrote: > The attached patch fixes this crash, but I am not sure if it is the > best way to fix this bug yet... I'll take a look. I can not reproduce this using route or ip, so the fuzzer is doing something interesting.

Re: net/ipv6: null-ptr-deref in ip6_route_del/lock_acquire

On 2/27/17 10:11 AM, Cong Wang wrote: > The attached patch fixes this crash, but I am not sure if it is the > best way to fix this bug yet... I'll take a look. I can not reproduce this using route or ip, so the fuzzer is doing something interesting.

Re: net/ipv6: null-ptr-deref in ip6_route_del/lock_acquire

On 2/27/17 12:37 PM, Andrey Konovalov wrote: > That's what I thought when I read your message, thanks! > > I was just confused by David saying that the fuzzer is doing something > interesting, when the reproducer is just an ioctl call on a socket. It means I have a cold, recently off a plane and

Re: net/ipv6: null-ptr-deref in ip6_route_del/lock_acquire

On 2/27/17 12:37 PM, Andrey Konovalov wrote: > That's what I thought when I read your message, thanks! > > I was just confused by David saying that the fuzzer is doing something > interesting, when the reproducer is just an ioctl call on a socket. It means I have a cold, recently off a plane and

Re: [PATCH v1] samples/bpf: Add a .gitignore for binaries

On 2/12/17 2:23 PM, Mickaël Salaün wrote: > diff --git a/samples/bpf/.gitignore b/samples/bpf/.gitignore > new file mode 100644 > index ..a7562a5ef4c2 > --- /dev/null > +++ b/samples/bpf/.gitignore > @@ -0,0 +1,32 @@ > +fds_example > +lathist ... Listing each target is going to be a

Re: [PATCH v1] samples/bpf: Add a .gitignore for binaries

On 2/12/17 2:23 PM, Mickaël Salaün wrote: > diff --git a/samples/bpf/.gitignore b/samples/bpf/.gitignore > new file mode 100644 > index ..a7562a5ef4c2 > --- /dev/null > +++ b/samples/bpf/.gitignore > @@ -0,0 +1,32 @@ > +fds_example > +lathist ... Listing each target is going to be a

Re: [PATCH 6/7] perf record: Add switch-output size option argument

On 1/3/17 9:12 AM, Arnaldo Carvalho de Melo wrote: > Em Tue, Jan 03, 2017 at 08:33:35AM -0700, David Ahern escreveu: >> On 1/3/17 1:19 AM, Jiri Olsa wrote: >>> It's now possible to specify the threshold size for >>> perf.data like: >>> >>> $ perf re

Re: [PATCH 6/7] perf record: Add switch-output size option argument

On 1/3/17 9:12 AM, Arnaldo Carvalho de Melo wrote: > Em Tue, Jan 03, 2017 at 08:33:35AM -0700, David Ahern escreveu: >> On 1/3/17 1:19 AM, Jiri Olsa wrote: >>> It's now possible to specify the threshold size for >>> perf.data like: >>> >>> $ perf re

Re: [PATCH 6/7] perf record: Add switch-output size option argument

On 1/3/17 1:19 AM, Jiri Olsa wrote: > It's now possible to specify the threshold size for > perf.data like: > > $ perf record --switch-output=2G ... > > Once it's reached, the current data are dumped in to the > perf.data. file and session does on. How about something like max-file-size

Re: [PATCH 6/7] perf record: Add switch-output size option argument

On 1/3/17 1:19 AM, Jiri Olsa wrote: > It's now possible to specify the threshold size for > perf.data like: > > $ perf record --switch-output=2G ... > > Once it's reached, the current data are dumped in to the > perf.data. file and session does on. How about something like max-file-size

Re: [PATCH] net: fix incorrect original ingress device index in PKTINFO

r IPCB. If iif is the loopback interface, then return the sending interface (e.g., process binds socket to eth0 for Tx which is redirected to loopback in the rtable/dst). >> */ >> +if (pktinfo->ipi_ifindex == LOOPBACK_IFINDEX) >> +pktinfo->ipi_ifindex = inet_iif(skb); >> + >> pktinfo->ipi_spec_dst.s_addr = fib_compute_spec_dst(skb); >> } else { >> pktinfo->ipi_ifindex = 0; The actual change looks ok to me. Acked-by: David Ahern <d...@cumulusnetworks.com>

Re: [PATCH] net: fix incorrect original ingress device index in PKTINFO

interface (e.g., process binds socket to eth0 for Tx which is redirected to loopback in the rtable/dst). >> */ >> +if (pktinfo->ipi_ifindex == LOOPBACK_IFINDEX) >> + pktinfo->ipi_ifindex = inet_iif(skb); >> + >> pktinfo->ipi_spec_dst.s_addr = fib_compute_spec_dst(skb); >> } else { >> pktinfo->ipi_ifindex = 0; The actual change looks ok to me. Acked-by: David Ahern

Re: Potential issues (security and otherwise) with the current cgroup-bpf API

On 12/19/16 6:56 PM, Andy Lutomirski wrote: > On Mon, Dec 19, 2016 at 5:44 PM, David Ahern <dsah...@gmail.com> wrote: >> On 12/19/16 5:25 PM, Andy Lutomirski wrote: >>> net.socket_create_filter = "none": no filter >>> net.socket

<    1   2   3   4   5   6   7   8   9   10   >