Re: [syzbot] WARNING in ieee802154_del_seclevel

2021-04-13 Thread Dmitry Vyukov 
On Thu, Apr 1, 2021 at 3:30 PM Alan Stern  wrote:
>
> On Wed, Mar 31, 2021 at 02:03:08PM -0700, syzbot wrote:
> > syzbot has bisected this issue to:
> >
> > commit 416dacb819f59180e4d86a5550052033ebb6d72c
> > Author: Alan Stern 
> > Date:   Wed Aug 21 17:27:12 2019 +
> >
> > HID: hidraw: Fix invalid read in hidraw_ioctl
> >
> > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=127430fcd0
> > start commit:   6e5a03bc ethernet/netronome/nfp: Fix a use after free in n..
> > git tree:   net
> > final oops: https://syzkaller.appspot.com/x/report.txt?x=117430fcd0
> > console output: https://syzkaller.appspot.com/x/log.txt?x=167430fcd0
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=daeff30c2474a60f
> > dashboard link: https://syzkaller.appspot.com/bug?extid=fbf4fc11a819824e027b
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13bfe45ed0
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1188e31ad0
> >
> > Reported-by: syzbot+fbf4fc11a819824e0...@syzkaller.appspotmail.com
> > Fixes: 416dacb819f5 ("HID: hidraw: Fix invalid read in hidraw_ioctl")
> >
> > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> It seems likely that the bisection ran off the rails here.  This commit
> could not have caused a problem, although it may have revealed a
> pre-existing problem that previously was hidden.

Hi Alan,

Yes, bisection log shows it was derailed by:
KASAN: use-after-free Read in batadv_iv_ogm_queue_add
and:
BUG: MAX_LOCKDEP_CHAIN_HLOCKS too low!

https://syzkaller.appspot.com/x/bisect.txt?x=127430fcd0


> By the way, what happened to the annotated stack dumps that syzkaller
> used to provide in its bug reports?

Nothing has changed in this respect, they are still in bug reports:
https://lore.kernel.org/lkml/73afff05bbe9a...@google.com/

Re: [syzbot] WARNING in ieee802154_del_seclevel

2021-04-01 Thread Alan Stern 
On Wed, Mar 31, 2021 at 02:03:08PM -0700, syzbot wrote:
> syzbot has bisected this issue to:
> 
> commit 416dacb819f59180e4d86a5550052033ebb6d72c
> Author: Alan Stern 
> Date:   Wed Aug 21 17:27:12 2019 +
> 
> HID: hidraw: Fix invalid read in hidraw_ioctl
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=127430fcd0
> start commit:   6e5a03bc ethernet/netronome/nfp: Fix a use after free in n..
> git tree:   net
> final oops: https://syzkaller.appspot.com/x/report.txt?x=117430fcd0
> console output: https://syzkaller.appspot.com/x/log.txt?x=167430fcd0
> kernel config:  https://syzkaller.appspot.com/x/.config?x=daeff30c2474a60f
> dashboard link: https://syzkaller.appspot.com/bug?extid=fbf4fc11a819824e027b
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13bfe45ed0
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1188e31ad0
> 
> Reported-by: syzbot+fbf4fc11a819824e0...@syzkaller.appspotmail.com
> Fixes: 416dacb819f5 ("HID: hidraw: Fix invalid read in hidraw_ioctl")
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

It seems likely that the bisection ran off the rails here.  This commit 
could not have caused a problem, although it may have revealed a 
pre-existing problem that previously was hidden.

By the way, what happened to the annotated stack dumps that syzkaller 
used to provide in its bug reports?

Alan Stern

Re: [syzbot] WARNING in ieee802154_del_seclevel

2021-03-31 Thread syzbot 
syzbot has bisected this issue to:

commit 416dacb819f59180e4d86a5550052033ebb6d72c
Author: Alan Stern 
Date:   Wed Aug 21 17:27:12 2019 +

HID: hidraw: Fix invalid read in hidraw_ioctl

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=127430fcd0
start commit:   6e5a03bc ethernet/netronome/nfp: Fix a use after free in n..
git tree:   net
final oops: https://syzkaller.appspot.com/x/report.txt?x=117430fcd0
console output: https://syzkaller.appspot.com/x/log.txt?x=167430fcd0
kernel config:  https://syzkaller.appspot.com/x/.config?x=daeff30c2474a60f
dashboard link: https://syzkaller.appspot.com/bug?extid=fbf4fc11a819824e027b
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=13bfe45ed0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1188e31ad0

Reported-by: syzbot+fbf4fc11a819824e0...@syzkaller.appspotmail.com
Fixes: 416dacb819f5 ("HID: hidraw: Fix invalid read in hidraw_ioctl")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Re: [syzbot] WARNING in ieee802154_del_seclevel

2021-03-30 Thread syzbot 
syzbot has found a reproducer for the following issue on:

HEAD commit:37f368d8 lan743x: remove redundant intializations of point..
git tree:   net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11ede3bed0
kernel config:  https://syzkaller.appspot.com/x/.config?x=7eff0f22b8563a5f
dashboard link: https://syzkaller.appspot.com/bug?extid=fbf4fc11a819824e027b
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=16d31a11d0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12ca3611d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fbf4fc11a819824e0...@syzkaller.appspotmail.com

[ cut here ]
DEBUG_LOCKS_WARN_ON(lock->magic != lock)
WARNING: CPU: 1 PID: 8394 at kernel/locking/mutex.c:931 __mutex_lock_common 
kernel/locking/mutex.c:931 [inline]
WARNING: CPU: 1 PID: 8394 at kernel/locking/mutex.c:931 
__mutex_lock+0xc0b/0x1120 kernel/locking/mutex.c:1096
Modules linked in:
CPU: 1 PID: 8394 Comm: syz-executor533 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:931 [inline]
RIP: 0010:__mutex_lock+0xc0b/0x1120 kernel/locking/mutex.c:1096
Code: 08 84 d2 0f 85 a3 04 00 00 8b 05 18 cb be 04 85 c0 0f 85 12 f5 ff ff 48 
c7 c6 20 8b 6b 89 48 c7 c7 e0 88 6b 89 e8 b2 3b bd ff <0f> 0b e9 f8 f4 ff ff 65 
48 8b 1c 25 00 f0 01 00 be 08 00 00 00 48
RSP: 0018:c90002a2f3f8 EFLAGS: 00010286
RAX:  RBX:  RCX: 
RDX: 888020b554c0 RSI: 815c51f5 RDI: f52000545e71
RBP: 8880195a4c90 R08:  R09: 
R10: 815bdf8e R11:  R12: 
R13: dc00 R14: c90002a2f5a8 R15: 888014580014
FS:  01f49300() GS:8880b9d0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7ffc43046ba8 CR3: 11a5a000 CR4: 001506e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 ieee802154_del_seclevel+0x3f/0x70 net/mac802154/cfg.c:382
 rdev_del_seclevel net/ieee802154/rdev-ops.h:284 [inline]
 nl802154_del_llsec_seclevel+0x1a7/0x250 net/ieee802154/nl802154.c:2093
 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x440909
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 
c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7ffc43047c38 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 004004a0 RCX: 00440909
RDX:  RSI: 22c0 RDI: 0006
RBP:  R08:  R09: 7ffc43047dd8
R10:  R11: 0246 R12: 00403c10
R13: 431bde82d7b634db R14: 004ae018 R15: 004004a0