[PATCH 6/7] pipe: simplify round_pipe_size()

2018-01-07 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> round_pipe_size() calculates the number of pages the requested size corresponds to, then rounds the page count up to the next power of 2. However, it also rounds everything < PAGE_SIZE up to PAGE_SIZE. Therefore, there's no need to actually

[PATCH 5/7] pipe: reject F_SETPIPE_SZ with size over UINT_MAX

2018-01-07 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> A pipe's size is represented as an 'unsigned int'. As expected, writing a value greater than UINT_MAX to /proc/sys/fs/pipe-max-size fails with EINVAL. However, the F_SETPIPE_SZ fcntl silently truncates such values to 32 bits, rather than f

[PATCH 2/7] pipe, sysctl: remove pipe_proc_fn()

2018-01-07 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> pipe_proc_fn() is no longer needed, as it only calls through to proc_dopipe_max_size(). Just put proc_dopipe_max_size() in the ctl_table entry directly, and remove the unneeded EXPORT_SYMBOL() and the ENOSYS stub for it. (The reason the ENOSYS stub

[PATCH 7/7] pipe: read buffer limits atomically

2018-01-07 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> The pipe buffer limits are accessed without any locking, and may be changed at any time by the sysctl handlers. In theory this could cause problems for expressions like the following: pipe_user_pages_hard && user_bufs > pip

[PATCH 3/7] pipe: actually allow root to exceed the pipe buffer limits

2018-01-07 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> pipe-user-pages-hard and pipe-user-pages-soft are only supposed to apply to unprivileged users, as documented in both Documentation/sysctl/fs.txt and the pipe(7) man page. However, the capabilities are actually only checked when increasing a pipe'

[PATCH 0/7] pipe: buffer limits fixes and cleanups

2018-01-07 Thread Eric Biggers
treated as N - 1. - F_SETPIPE_SZ accepted values over UINT_MAX. - Reading the pipe buffer limits could be racy. Eric Biggers (7): pipe, sysctl: drop 'min' parameter from pipe-max-size converter pipe, sysctl: remove pipe_proc_fn() pipe: actually allow root to exceed the pipe buffer limits

Re: [PATCH 3/3] encrypted-keys: document new fscrypt key format

2018-01-10 Thread Eric Biggers
Hi André, On Wed, Jan 10, 2018 at 12:44:18PM +, André Draszik wrote: > diff --git a/Documentation/security/keys/fscrypt.rst > b/Documentation/security/keys/fscrypt.rst > new file mode 100644 > index ..e4a29592513e > --- /dev/null > +++ b/Documentation/security/keys/fscrypt.rst >

[PATCH v2 2/7] pipe, sysctl: remove pipe_proc_fn()

2018-01-10 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> pipe_proc_fn() is no longer needed, as it only calls through to proc_dopipe_max_size(). Just put proc_dopipe_max_size() in the ctl_table entry directly, and remove the unneeded EXPORT_SYMBOL() and the ENOSYS stub for it. (The reason the ENOSYS stub

[PATCH v2 3/7] pipe: actually allow root to exceed the pipe buffer limits

2018-01-10 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> pipe-user-pages-hard and pipe-user-pages-soft are only supposed to apply to unprivileged users, as documented in both Documentation/sysctl/fs.txt and the pipe(7) man page. However, the capabilities are actually only checked when increasing a pipe'

[PATCH v2 0/7] pipe: buffer limits fixes and cleanups

2018-01-10 Thread Eric Biggers
Fixed commit message for "pipe: simplify round_pipe_size()" Eric Biggers (7): pipe, sysctl: drop 'min' parameter from pipe-max-size converter pipe, sysctl: remove pipe_proc_fn() pipe: actually allow root to exceed the pipe buffer limits pipe: fix off-by-one error when checkin

[PATCH v2 6/7] pipe: simplify round_pipe_size()

2018-01-10 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> round_pipe_size() calculates the number of pages the requested size corresponds to, then rounds the page count up to the next power of 2. However, it also rounds everything < PAGE_SIZE up to PAGE_SIZE. Therefore, there's no need to actually

[PATCH v2 1/7] pipe, sysctl: drop 'min' parameter from pipe-max-size converter

2018-01-10 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> Before validating the given value against pipe_min_size, do_proc_dopipe_max_size_conv() calls round_pipe_size(), which rounds the value up to pipe_min_size. Therefore, the second check against pipe_min_size is redundant. Remove it. Acked-by: Kee

[PATCH v2 5/7] pipe: reject F_SETPIPE_SZ with size over UINT_MAX

2018-01-10 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> A pipe's size is represented as an 'unsigned int'. As expected, writing a value greater than UINT_MAX to /proc/sys/fs/pipe-max-size fails with EINVAL. However, the F_SETPIPE_SZ fcntl silently truncates such values to 32 bits, rather than f

[PATCH v2 4/7] pipe: fix off-by-one error when checking buffer limits

2018-01-10 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> With pipe-user-pages-hard set to 'N', users were actually only allowed up to 'N - 1' buffers; and likewise for pipe-user-pages-soft. Fix this to allow up to 'N' buffers, as would be expected. Fixes: b0b91d18e2e9 ("pipe: fix lim

[PATCH v2 7/7] pipe: read buffer limits atomically

2018-01-10 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> The pipe buffer limits are accessed without any locking, and may be changed at any time by the sysctl handlers. In theory this could cause problems for expressions like the following: pipe_user_pages_hard && user_bufs > pip

Re: [PATCH 1/3] encrypted-keys: add fscrypt format support

2018-01-10 Thread Eric Biggers
Hi André, On Wed, Jan 10, 2018 at 12:44:16PM +, André Draszik wrote: > This is heavily based on commit 79a73d188726 > ("encrypted-keys: add ecryptfs format support"). > > The 'encrypted' key type defines its own payload format which contains a > symmetric key randomly generated that cannot

Re: [PATCH 1/7] pipe, sysctl: drop 'min' parameter from pipe-max-size converter

2018-01-09 Thread Eric Biggers
On Tue, Jan 09, 2018 at 02:20:45PM -0800, Kees Cook wrote: > On Sun, Jan 7, 2018 at 9:35 PM, Eric Biggers <ebigge...@gmail.com> wrote: > > From: Eric Biggers <ebigg...@google.com> > > > > Before validating the given value against pipe_min_size, > &g

Re: [PATCH 3/7] pipe: actually allow root to exceed the pipe buffer limits

2018-01-09 Thread Eric Biggers
On Tue, Jan 09, 2018 at 02:23:32PM -0800, Kees Cook wrote: > On Sun, Jan 7, 2018 at 9:35 PM, Eric Biggers <ebigge...@gmail.com> wrote: > > From: Eric Biggers <ebigg...@google.com> > > > > pipe-user-pages-hard and pipe-user-pages-soft are only supposed t

Re: [PATCH 6/7] pipe: simplify round_pipe_size()

2018-01-09 Thread Eric Biggers
On Tue, Jan 09, 2018 at 02:27:10PM -0800, Kees Cook wrote: > > > @@ -1054,9 +1048,6 @@ static long pipe_set_size(struct pipe_inode_info > > *pipe, unsigned long arg) > > return -EINVAL; > > nr_pages = size >> PAGE_SHIFT; > > > > - if (!nr_pages) > > -

Re: [PATCH 0/3] eventfd: clean up unneeded cruft

2018-01-06 Thread Eric Biggers
On Sat, Jan 06, 2018 at 07:00:48PM +, Al Viro wrote: > On Sat, Jan 06, 2018 at 06:46:19PM +, Al Viro wrote: > > On Sat, Jan 06, 2018 at 09:45:41AM -0800, Eric Biggers wrote: > > > This series removes some cruft (mainly exported functions) from > > > fs/eventfd

Re: [Resend Patch] KVM/x86: Fix wrong macro references of X86_CR0_PG_BIT and X86_CR4_PAE_BIT in kvm_valid_sregs()

2018-01-18 Thread Eric Biggers
On Tue, Jan 16, 2018 at 05:34:07PM +0800, Tianyu Lan wrote: > kvm_valid_sregs() should use X86_CR0_PG and X86_CR4_PAE to check bit > status rather than X86_CR0_PG_BIT and X86_CR4_PAE_BIT. This patch is > to fix it. > > Fixes: f29810335965a(KVM/x86: Check input paging mode when cs.l is set) >

Re: [PATCH] KVM: prevent overlap between user and private memslots

2018-01-19 Thread Eric Biggers
+Cc alex.william...@redhat.com On Fri, Jan 19, 2018 at 05:03:47PM +0800, Wanpeng Li wrote: > 2018-01-19 17:01 GMT+08:00 Wanpeng Li <kernel...@gmail.com>: > > 2018-01-19 16:18 GMT+08:00 Eric Biggers <ebigge...@gmail.com>: > >> From: Eric Biggers <ebigg...@go

[PATCH] NFS: reject request for id_legacy key without auxdata

2018-01-19 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> nfs_idmap_legacy_upcall() is supposed to be called with 'aux' pointing to a 'struct idmap', via the call to request_key_with_auxdata() in nfs_idmap_request_key(). However it can also be reached via the request_key() system call in which cas

[PATCH] KVM: prevent overlap between user and private memslots

2018-01-19 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> Memslots must not overlap in guest physical memory, since otherwise some guest physical addresses will not uniquely map to a memslot. Yet, the overlap check in __kvm_set_memory_region() allows a memslot that overlaps one of the "private

Re: WARNING in free_loaded_vmcs

2018-01-24 Thread Eric Biggers
On Tue, Nov 21, 2017 at 02:00:00AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 5a3517e009e979f21977d362212b7729c5165d92 > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: WARNING in do_debug

2018-01-26 Thread Eric Biggers
On Tue, Dec 26, 2017 at 08:08:13AM +0100, 'Dmitry Vyukov' via syzkaller-bugs wrote: > On Tue, Dec 26, 2017 at 1:55 AM, Wanpeng Li wrote: > > 2017-12-26 8:22 GMT+08:00 syzbot > > : > >> syzkaller has

Re: BUG: unable to handle kernel NULL pointer dereference in crypto_alg_tested

2018-01-16 Thread Eric Biggers
On Fri, Dec 22, 2017 at 11:33:02PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: general protection fault in __crypto_alg_lookup

2018-01-16 Thread Eric Biggers
On Tue, Dec 19, 2017 at 11:49:02PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: general protection fault in crypto_remove_spawns

2018-01-16 Thread Eric Biggers
On Mon, Nov 27, 2017 at 10:56:46AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 1ea8d039f9edcfefb20d8ddfe136930f6e551529 > git://git.cmpxchg.org/linux-mmots.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console output is attached. > C

Re: WARNING in can_rcv

2018-01-16 Thread Eric Biggers
On Wed, Jan 17, 2018 at 07:39:24AM +0100, Oliver Hartkopp wrote: > > > On 01/16/2018 07:11 PM, Dmitry Vyukov wrote: > > On Tue, Jan 16, 2018 at 7:07 PM, Marc Kleine-Budde > > wrote: > > > On 01/16/2018 06:58 PM, syzbot wrote: > > > > Hello, > > > > > > > > syzkaller hit

Re: KASAN: slab-out-of-bounds Write in sha3_update (2)

2018-01-16 Thread Eric Biggers
On Fri, Dec 22, 2017 at 11:22:38AM -0600, Eric Biggers wrote: > [+Cc keyri...@vger.kernel.org] > > On Fri, Dec 22, 2017 at 07:55:01AM -0800, syzbot wrote: > > Hello, > > > > syzkaller hit the following crash on > > 9035a8961b504d0997369509ab8c6b1f0a4ee33d >

Re: [PATCH 0/1] Re: kernel BUG at fs/userfaultfd.c:LINE!

2018-01-17 Thread Eric Biggers
On Wed, Jan 17, 2018 at 09:56:29AM +0100, Pavel Machek wrote: > Hi! > > > > Andrea Arcangeli (1): > > > userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK > > > fails > > > > > > fs/userfaultfd.c | 20 ++-- > > > 1 file changed, 18 insertions(+), 2

Re: [PATCH 1/3] encrypted-keys: add fscrypt format support

2018-01-17 Thread Eric Biggers
Hi André, On Wed, Jan 17, 2018 at 02:29:29PM +, André Draszik wrote: > Thanks Eric for the review! > > On Wed, 2018-01-10 at 20:00 -0800, Eric Biggers wrote: > > Hi André, > > > > On Wed, Jan 10, 2018 at 12:44:16PM +, André Draszik wrote: > >

Re: dangers of bots on the mailing lists was Re: divide error in ___bpf_prog_run

2018-01-17 Thread Eric Biggers
On Wed, Jan 17, 2018 at 05:18:17PM -0800, Joe Perches wrote: > On Wed, 2018-01-17 at 20:09 -0500, Theodore Ts'o wrote: > > get_maintainer.pl, which is often not accurate > > Examples please. > Well, the primary problem is that place the crash occurs is not necessarily responsible for the bug.

Re: [PATCH v2 1/2] fscrypt: add support for the encrypted key type

2018-01-17 Thread Eric Biggers
Y. Ts'o" <ty...@mit.edu> > Cc: Jaegeuk Kim <jaeg...@kernel.org> > Cc: linux-fscr...@vger.kernel.org > Cc: linux-kernel@vger.kernel.org > Cc: Eric Biggers <ebigg...@google.com> > > --- > changes in v2: > * dropped the previously added 'fscrypt' en

Re: [PATCH v3] fscrypt: add support for the encrypted key type

2018-01-25 Thread Eric Biggers
On Thu, Jan 18, 2018 at 01:13:59PM +, André Draszik wrote: > -static int validate_user_key(struct fscrypt_info *crypt_info, > +static inline struct key *fscrypt_get_encrypted_key(const char *description) > +{ > + if (IS_ENABLED(CONFIG_ENCRYPTED_KEYS)) > + return

Re: [PATCH v3] fscrypt: add support for the encrypted key type

2018-01-25 Thread Eric Biggers
On Thu, Jan 18, 2018 at 01:13:59PM +, André Draszik wrote: > fscrypt uses a master key for each directory policy from > which all further keys for that policy are derived, and > at the moment such a master key has to be inserted into > a kernel keyring as a 'logon' key by user-space. > >

Re: BUG: unable to handle kernel NULL pointer dereference in irq_bypass_register_consumer

2018-01-26 Thread Eric Biggers
On Sun, Dec 17, 2017 at 06:37:02PM +0800, Wanpeng Li wrote: > 2017-12-17 17:56 GMT+08:00 syzbot > : > > Hello, > > > > syzkaller hit the following crash on > > 41d8c16909ebda40f7b4982a7f5e2ad102705ade > >

Re: general protection fault in proc_flush_task

2018-01-26 Thread Eric Biggers
On Wed, Nov 29, 2017 at 10:23:00PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 0c86a6bd85ff0629cd2c5141027fc1c8bb6cde9c > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in proc_flush_task

2018-01-26 Thread Eric Biggers
On Tue, Dec 19, 2017 at 11:49:02PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:LINE

2018-01-26 Thread Eric Biggers
On Mon, Nov 06, 2017 at 12:51:57PM +0100, David Hildenbrand wrote: > On 31.10.2017 12:34, syzbot wrote: > > Hello, > > > > syzkaller hit the following crash on > > 91dfed74eabcdae9378131546c446442c29bf769 > > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > > compiler:

Re: Re: KASAN: use-after-free Write in irq_bypass_register_consumer

2018-01-26 Thread Eric Biggers
On Sat, Dec 16, 2017 at 04:37:02PM +0800, Lan, Tianyu wrote: > The root cause is that kvm_irqfd_assign() and kvm_irqfd_deassign() can't > be run in parallel. Some data structure(e.g, irqfd->consumer) will be > crashed because irqfd may be freed in deassign path before they are used > in assign

Re: KASAN: null-ptr-deref Write in linear_transfer

2018-01-10 Thread Eric Biggers
On Fri, Jan 05, 2018 at 02:58:02AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 30a7acd573899fd8b8ac39236eff6468b195ac7d > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: soft lockup (2)

2018-01-09 Thread Eric Biggers
On Fri, Jan 05, 2018 at 09:47:01AM -0800, syzbot wrote: > syzkaller has found reproducer for the following crash on > e1915c8195b38393005be9b74bfa6a3a367c83b3 > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw

Re: general protection fault in __lock_acquire (2)

2018-01-26 Thread Eric Biggers
On Thu, Nov 02, 2017 at 03:55:00AM -0700, syzbot wrote: > Hello, > > syzkaller hit the following crash on > fa8785e862ef644f742558f1a8c91eca6f3f0004 > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

[PATCH] Revert "kernel/relay.c: fix potential memory leak"

2018-01-26 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> This reverts commit ba62bafe942b159a6109cbec780d36496e06b6c5. This commit introduced a double free bug, because 'chan' is already freed by the line: kref_put(&chan->kref, relay_destroy_channel); This bug was found by syzkaller, using the BLKT

Re: general protection fault in lockdep_invariant_state (2)

2018-01-26 Thread Eric Biggers
On Wed, Nov 08, 2017 at 12:16:00AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 5a3517e009e979f21977d362212b7729c5165d92 > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: KASAN: stack-out-of-bounds Read in write_mmio

2018-01-26 Thread Eric Biggers
On Mon, Dec 11, 2017 at 07:00:03PM +0800, Wanpeng Li wrote: > 2017-12-09 19:39 GMT+08:00 Tianyu Lan : > > 2017-12-09 17:15 GMT+08:00 syzbot > > : > >> syzkaller has found reproducer for the following

Re: [PATCH v3] fscrypt: add support for the encrypted key type

2018-01-29 Thread Eric Biggers
On Thu, Jan 25, 2018 at 04:37:48PM -0800, Eric Biggers wrote: > On Thu, Jan 18, 2018 at 01:13:59PM +, André Draszik wrote: > > -static int validate_user_key(struct fscrypt_info *crypt_info, > > +static inline struct key *fscrypt_get_encrypted_key(const char &

Re: WARNING: bad unlock balance in ipmr_mfc_seq_stop

2018-01-30 Thread Eric Biggers
On Fri, Dec 15, 2017 at 11:52:01PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > a638349bf6c29433b938141f99225b160551ff48 > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: sleeping function called from invalid context at net/core/sock.c:LINE (2)

2018-01-30 Thread Eric Biggers
On Fri, Dec 01, 2017 at 03:19:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 43f462f1c2e111d2882b48baeeff774ae42e7c56 > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: suspicious RCU usage at ./include/linux/inetdevice.h:LINE

2018-01-30 Thread Eric Biggers
On Thu, Nov 02, 2017 at 03:53:38AM -0700, syzbot wrote: > Hello, > > syzkaller hit the following crash on > ce43f4fd6f103681c7485c2b1967179647e73555 > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: general protection fault in fib6_add (2)

2018-01-30 Thread Eric Biggers
On Wed, Jan 03, 2018 at 10:53:02AM -0800, 'Wei Wang' via syzkaller-bugs wrote: > On Wed, Jan 3, 2018 at 8:16 AM, David Ahern wrote: > > [ +wei...@google.com ] > > > > On 1/2/18 3:58 PM, syzbot wrote: > >> Hello, > >> > >> syzkaller hit the following crash on > >>

Re: kernel BUG at fs/userfaultfd.c:LINE!

2018-01-30 Thread Eric Biggers
On Fri, Dec 22, 2017 at 01:37:01PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel paging request in check_memory_region

2018-01-30 Thread Eric Biggers
On Sun, Jan 14, 2018 at 01:22:13AM +0100, Daniel Borkmann wrote: > On 01/13/2018 08:29 AM, Dmitry Vyukov wrote: > > On Fri, Jan 12, 2018 at 11:58 PM, syzbot > > wrote: > >> Hello, > >> > >> syzkaller hit the following crash on > >>

Re: KASAN: use-after-free Read in __bpf_prog_put

2018-01-30 Thread Eric Biggers
On Thu, Jan 11, 2018 at 11:48:28AM +0100, Daniel Borkmann wrote: > Hi Dmitry, > > On 01/11/2018 11:22 AM, Dmitry Vyukov wrote: > > On Thu, Jan 11, 2018 at 11:17 AM, syzbot > > wrote: > >> Hello, > >> > >> syzkaller hit the following crash on

Re: KASAN: slab-out-of-bounds Read in xfrm_hash_rebuild

2018-01-30 Thread Eric Biggers
On Thu, Dec 21, 2017 at 05:48:01AM -0800, syzbot wrote: > syzkaller has found reproducer for the following crash on > 8f36e00065436412a02d1f50ad77375bdb506300 > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw

Re: KASAN: use-after-free Read in __xfrm_state_lookup

2018-01-30 Thread Eric Biggers
On Wed, Nov 01, 2017 at 10:55:01AM -0700, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 33ad61d0f799656e8987e9c80e6e15151bb857f3 > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: KASAN: use-after-free Read in sctp_association_free

2018-01-30 Thread Eric Biggers
On Thu, Nov 02, 2017 at 08:07:27PM +0800, Xin Long wrote: > On Thu, Nov 2, 2017 at 1:55 AM, syzbot > > wrote: > > Hello, > > > > syzkaller hit the following crash on > > 25a5d23b47994cdb451dcd2bc8ac310a1492f71b > >

Re: KASAN: stack-out-of-bounds Read in rds_sendmsg

2018-01-30 Thread Eric Biggers
On Thu, Dec 21, 2017 at 08:44:32AM -0800, Santosh Shilimkar wrote: > +Avinash > > On 12/21/2017 1:10 AM, syzbot wrote: > > syzkaller has found reproducer for the following crash on > > [..] > > > > > audit: type=1400 audit(1513847224.110:7): avc:  denied  { map } for > > pid=3157

Re: BUG: unable to handle kernel NULL pointer dereference in free_pipe_info

2018-01-30 Thread Eric Biggers
Hi Goldwyn, On Tue, Jan 30, 2018 at 09:52:02PM -0600, Goldwyn Rodrigues wrote: > > > On 01/30/2018 04:13 PM, Eric Biggers wrote: > > On Tue, Dec 19, 2017 at 12:39:01AM -0800, syzbot wrote: > >> Hello, > >> > >> syzkaller hit the following crash on >

Re: WARNING in __switch_to (2)

2018-01-30 Thread Eric Biggers
On Thu, Jan 04, 2018 at 08:58:00PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 37759fa6d0fa9e4d6036d19ac12f555bfc0aeafd > git://git.cmpxchg.org/linux-mmots.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console output is attached. > C

Re: [PATCH] KVM: prevent overlap between user and private memslots

2018-01-30 Thread Eric Biggers
On Fri, Jan 19, 2018 at 10:57:16AM -0800, Eric Biggers wrote: > +Cc alex.william...@redhat.com > > On Fri, Jan 19, 2018 at 05:03:47PM +0800, Wanpeng Li wrote: > > 2018-01-19 17:01 GMT+08:00 Wanpeng Li <kernel...@gmail.com>: > > > 2018-01-19 16:18 GMT+08:00 Eri

Re: general protection fault in __list_del_entry_valid (2)

2018-01-30 Thread Eric Biggers
On Sun, Dec 17, 2017 at 07:47:01AM -0800, syzbot wrote: > syzkaller has found reproducer for the following crash on > 82bcf1def3b5f1251177ad47c44f7e17af039b4b > git://git.cmpxchg.org/linux-mmots.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console output is attached.

Re: general protection fault in __rds_rdma_map

2018-01-30 Thread Eric Biggers
On Mon, Nov 27, 2017 at 10:30:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > e1d1ea549b57790a3d8cf6300e6ef86118d692a3 > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: binder epoll bug (was KASAN: use-after-free Read in __lock_acquire (2))

2018-01-30 Thread Eric Biggers
On Tue, Dec 12, 2017 at 04:05:17PM -0800, Eric Biggers wrote: > [+Cc binder maintainers and list] > [-Cc lockdep maintainers, USB maintainers, and other random people] > > On Sat, Dec 02, 2017 at 08:08:01AM -0800, syzbot wrote: > > BUG: KASAN: use-after-free in __lock_acq

Re: BUG: unable to handle kernel NULL pointer dereference in sctp_cmp_addr_exact

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 11:49:03PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in neigh_fill_info

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 10:41:00AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in tc_fill_qdisc

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 04:49:02AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: spinlock bad magic (2)

2018-01-30 Thread Eric Biggers
On Mon, Dec 18, 2017 at 06:01:30PM +0100, 'Dmitry Vyukov' via syzkaller-bugs wrote: > On Mon, Dec 18, 2017 at 5:46 PM, Santosh Shilimkar > wrote: > > On 12/18/2017 4:36 AM, syzbot wrote: > >> > >> Hello, > >> > >> syzkaller hit the following crash on > >>

Re: WARNING in inet_sock_destruct

2018-01-30 Thread Eric Biggers
On Sun, Nov 05, 2017 at 01:05:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 7f9ad2ace17a3521a80831208d431170ef71591f > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in crypto_destroy_tfm

2018-01-30 Thread Eric Biggers
On Sat, Dec 23, 2017 at 01:58:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: WARNING in fpu__copy

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 11:49:02PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: WARNING: bad unlock balance detected!

2018-01-30 Thread Eric Biggers
On Thu, Dec 14, 2017 at 11:37:00PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 50c4c4e268a2d7a3e58ebb698ac74da0de40ae36 > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: WARNING in xfrm_state_fini

2018-01-30 Thread Eric Biggers
On Mon, Nov 27, 2017 at 09:37:07AM -0800, Cong Wang wrote: > On Mon, Nov 27, 2017 at 3:55 AM, Steffen Klassert > wrote: > > On Tue, Nov 21, 2017 at 06:44:04PM -0800, Cong Wang wrote: > >> User-space uses proto==0 as a wildcard, but xfrm_id_proto_match() > >> doesn't

Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (3)

2018-01-30 Thread Eric Biggers
On Wed, Dec 13, 2017 at 06:18:05AM +0100, Steffen Klassert wrote: > On Tue, Dec 12, 2017 at 01:00:31PM -0800, Eric Biggers wrote: > > Hi Steffen, > > > > On Fri, Dec 01, 2017 at 08:27:43AM +0100, Steffen Klassert wrote: > > > On Wed, Nov 22, 2017 at

Re: BUG: unable to handle kernel paging request in hmac_init_tfm

2018-01-30 Thread Eric Biggers
On Mon, Dec 18, 2017 at 11:36:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in addrconf_ifdown

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 11:50:01PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in addrconf_notify

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 11:48:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in blk_throtl_update_limit_valid

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 06:42:00AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in snmp6_unregister_dev

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 12:35:02AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel paging request in aead_accept_parent_nokey

2018-01-30 Thread Eric Biggers
On Sun, Dec 17, 2017 at 09:51:01PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 41d8c16909ebda40f7b4982a7f5e2ad102705ade > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: general protection fault in sctp_stream_free

2018-01-30 Thread Eric Biggers
On Sun, Nov 05, 2017 at 01:35:02AM -0700, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 2a171788ba7bb61995e98e8163204fc7880f63b2 > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: general protection fault in find_entry

2018-01-30 Thread Eric Biggers
On Fri, Jan 05, 2018 at 10:31:04PM +0100, Luis R. Rodriguez wrote: > On Fri, Dec 22, 2017 at 11:33:02PM -0800, syzbot wrote: > > Hello, > > > > syzkaller hit the following crash on > > 6084b576dca2e898f5c101baef151f7bfdbb606d > >

Re: WARNING in usercopy_warn

2018-01-30 Thread Eric Biggers
On Fri, Jan 19, 2018 at 06:58:01AM -0800, syzbot wrote: > Hello, > > syzbot hit the following crash on linux-next commit > b625c1ff82272e26c76570d3c7123419ec345b20 > > So far this crash happened 5 times on linux-next, mmots. > C reproducer is attached. > syzkaller reproducer is attached. > Raw

Re: BUG: unable to handle kernel NULL pointer dereference in ipv6_get_lladdr

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 08:38:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in qdisc_match_from_root

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 05:43:00AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: [rds-devel] BUG: unable to handle kernel NULL pointer dereference in rds_send_xmit

2018-01-30 Thread Eric Biggers
On Mon, Dec 18, 2017 at 12:22:51PM -0500, Sowmini Varadhan wrote: > > From: Santosh Shilimkar > > Date: Mon, 18 Dec 2017 08:28:05 -0800 > : > > > Looks like another one tripping on empty transport. Mostly below > > > should > > > address it but we will test it if

Re: general protection fault in insert_header

2018-01-30 Thread Eric Biggers
On Wed, Dec 20, 2017 at 12:52:00PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in af_alg_alloc_tsgl

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 01:03:00PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in binder_deferred_func

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 08:25:00AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in inet6_fill_ifinfo

2018-01-30 Thread Eric Biggers
On Mon, Dec 18, 2017 at 11:54:00PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: general protection fault in __wake_up_common

2018-01-30 Thread Eric Biggers
On Sat, Dec 23, 2017 at 03:01:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in rb_insert_color

2018-01-30 Thread Eric Biggers
On Wed, Dec 20, 2017 at 09:05:39AM +0100, Dmitry Vyukov wrote: > On Wed, Dec 20, 2017 at 8:59 AM, Eric Biggers <ebigge...@gmail.com> wrote: > > On Wed, Dec 20, 2017 at 08:50:40AM +0100, Dmitry Vyukov wrote: > >> > > >> > The line number in lib/rbtr

Re: BUG: unable to handle kernel NULL pointer dereference in ip_mc_up

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 12:40:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in free_pipe_info

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 12:39:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in sctp_stream_free

2018-01-30 Thread Eric Biggers
On Fri, Dec 22, 2017 at 01:31:26PM +0800, Xin Long wrote: > On Thu, Dec 21, 2017 at 9:13 PM, Marcelo Ricardo Leitner > wrote: > > On Wed, Dec 20, 2017 at 12:51:01PM -0800, syzbot wrote: > > > > from the log: > > [ 89.451366] FAULT_INJECTION: forcing a failure.^M > > [

Re: WARNING in _copy_to_user

2018-01-30 Thread Eric Biggers
On Fri, Dec 01, 2017 at 03:30:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > df8ba95c572a187ed2aa7403e97a7a7f58c01f00 > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

[PATCH] binder: check for binder_thread allocation failure in binder_poll()

2018-01-30 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> If the kzalloc() in binder_get_thread() fails, binder_poll() dereferences the resulting NULL pointer. Fix it by returning POLLERR if the memory allocation failed. This bug was found by syzkaller using fault injection. Reported-by: syzbot &
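The pattern described in that commit message, a lookup-or-allocate helper whose NULL return is dereferenced by a poll handler, reduced to a stand-alone userspace model. This is an added example, not the binder driver's code or Eric Biggers' patch: `demo_proc`, `demo_thread`, `demo_get_thread` and the `demo_poll_*` functions are hypothetical names, and `inject_alloc_failure` is a constructed stand-in for the fault injection syzkaller used to find the bug. It shows the unchecked version beside the hardened one that returns POLLERR when the allocation fails.

```c
#include <poll.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_MAX_THREADS 8

/* Hypothetical per-thread record, modelled on nothing more than the commit
 * message above; the names are this example's, not the kernel's. */
struct demo_thread {
    int pid;
    bool have_work;
};

/* Hypothetical per-open-file state that owns the thread records. */
struct demo_proc {
    struct demo_thread *threads[DEMO_MAX_THREADS];
    int nthreads;
};

/* Constructed fault-injection knob: when set, the next allocation returns
 * NULL, as syzkaller's fault injection does for kzalloc(). */
static bool inject_alloc_failure;

static void *demo_zalloc(size_t n)
{
    if (inject_alloc_failure) {
        inject_alloc_failure = false;
        return NULL;
    }
    return calloc(1, n);
}

/* Look up the caller's thread record, allocating it on first use. Returns
 * NULL when the allocation fails, which is the case the fix must handle. */
static struct demo_thread *demo_get_thread(struct demo_proc *proc, int pid)
{
    struct demo_thread *t;
    int i;

    for (i = 0; i < proc->nthreads; i++)
        if (proc->threads[i]->pid == pid)
            return proc->threads[i];
    if (proc->nthreads == DEMO_MAX_THREADS)
        return NULL;
    t = demo_zalloc(sizeof(*t));
    if (!t)
        return NULL;
    t->pid = pid;
    proc->threads[proc->nthreads++] = t;
    return t;
}

/* Before: the unchecked pattern the commit message describes. If the
 * allocation failed, t is NULL and the read of t->have_work crashes.
 * Only ever call this with injection disabled. */
static unsigned int demo_poll_unchecked(struct demo_proc *proc, int pid)
{
    struct demo_thread *t = demo_get_thread(proc, pid);

    return t->have_work ? POLLIN : 0;
}

/* After: report the failure to the poller instead of dereferencing NULL. */
static unsigned int demo_poll_checked(struct demo_proc *proc, int pid)
{
    struct demo_thread *t = demo_get_thread(proc, pid);

    if (!t)
        return POLLERR;
    return t->have_work ? POLLIN : 0;
}

static void demo_proc_release(struct demo_proc *proc)
{
    int i;

    for (i = 0; i < proc->nthreads; i++)
        free(proc->threads[i]);
    proc->nthreads = 0;
}

/* Drive the hardened handler with one forced allocation failure. */
static unsigned int demo_poll_under_fault(void)
{
    struct demo_proc proc;
    unsigned int mask;

    memset(&proc, 0, sizeof(proc));
    inject_alloc_failure = true;
    mask = demo_poll_checked(&proc, 1234);
    demo_proc_release(&proc);
    return mask;
}

/* Same call without the fault: the record is allocated and has no work. */
static unsigned int demo_poll_without_fault(void)
{
    struct demo_proc proc;
    unsigned int mask;

    memset(&proc, 0, sizeof(proc));
    inject_alloc_failure = false;
    mask = demo_poll_unchecked(&proc, 1234);
    demo_proc_release(&proc);
    return mask;
}
```

The second helper deliberately runs the unchecked version only with injection disabled; under injection the checked version returns POLLERR where the unchecked one would have faulted on a NULL pointer, which is what the patch above prevents.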

Re: WARNING in refcount_inc (2)

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 11:26:01AM -0800, syzbot wrote: > syzkaller has found reproducer for the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw
