Re: KASAN: stack-out-of-bounds Read in __free_filter
On Wed, Apr 11, 2018 at 4:58 PM, Steven Rostedt wrote: > On Wed, 11 Apr 2018 16:51:02 +0200 > Dmitry Vyukov wrote: > >> Hi Steve, >> >> Instructions for asking syzbot to test a patch are here: >> >> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot > > I'll just add reported-by and add the patch. It does fix a bug, > regardless. I have other things I need to work on to spend any more > time on this one. This will work too. Thanks for the quick fix!
Re: KASAN: stack-out-of-bounds Read in __free_filter
On Wed, Apr 11, 2018 at 4:58 PM, Steven Rostedt wrote: > On Wed, 11 Apr 2018 16:51:02 +0200 > Dmitry Vyukov wrote: > >> Hi Steve, >> >> Instructions for asking syzbot to test a patch are here: >> >> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot > > I'll just add reported-by and add the patch. It does fix a bug, > regardless. I have other things I need to work on to spend any more > time on this one. This will work too. Thanks for the quick fix!
Re: KASAN: stack-out-of-bounds Read in __free_filter
On Wed, 11 Apr 2018 16:51:02 +0200 Dmitry Vyukov wrote: > Hi Steve, > > Instructions for asking syzbot to test a patch are here: > > https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot I'll just add reported-by and add the patch. It does fix a bug, regardless. I have other things I need to work on to spend any more time on this one. -- Steve
Re: KASAN: stack-out-of-bounds Read in __free_filter
On Wed, 11 Apr 2018 16:51:02 +0200 Dmitry Vyukov wrote: > Hi Steve, > > Instructions for asking syzbot to test a patch are here: > > https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot I'll just add reported-by and add the patch. It does fix a bug, regardless. I have other things I need to work on to spend any more time on this one. -- Steve
Re: KASAN: stack-out-of-bounds Read in __free_filter
On Wed, Apr 11, 2018 at 4:47 PM, Steven Rostedtwrote: > On Wed, 11 Apr 2018 05:02:02 -0700 > syzbot wrote: > >> Hello, >> >> syzbot hit the following crash on upstream commit >> b284d4d5a6785f8cd07eda2646a95782373cd01e (Tue Apr 10 19:25:30 2018 +) >> Merge tag 'ceph-for-4.17-rc1' of git://github.com/ceph/ceph-client >> syzbot dashboard link: >> https://syzkaller.appspot.com/bug?extid=dadcc936587643d7f568 >> >> So far this crash happened 6 times on upstream. >> C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6547381214511104 >> syzkaller reproducer: >> https://syzkaller.appspot.com/x/repro.syz?id=5485642750361600 >> Raw console output: >> https://syzkaller.appspot.com/x/log.txt?id=5352489637380096 >> Kernel config: >> https://syzkaller.appspot.com/x/.config?id=-1223000601505858474 >> compiler: gcc (GCC) 8.0.1 20180301 (experimental) >> >> IMPORTANT: if you fix the bug, please add the following tag to the commit: >> Reported-by: syzbot+dadcc936587643d7f...@syzkaller.appspotmail.com >> It will help syzbot understand when the bug is fixed. See footer for >> details. >> If you forward the report, please keep this part and the footer. >> > > Can you try this patch? Hi Steve, Instructions for asking syzbot to test a patch are here: https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot > -- Steve > > diff --git a/kernel/trace/trace_events_filter.c > b/kernel/trace/trace_events_filter.c > index 33b7720e2aa1..5c07ae2ac5d7 100644 > --- a/kernel/trace/trace_events_filter.c > +++ b/kernel/trace/trace_events_filter.c 
> @@ -1705,18 +1705,16 @@ static int create_filter(struct trace_event_call
> *call,
> struct event_filter **filterp)
> {
> struct filter_parse_error *pe = NULL;
> - struct event_filter *filter = NULL;
> int err;
>
> - err = create_filter_start(filter_string, set_str, , );
> + err = create_filter_start(filter_string, set_str, , filterp);
> if (err)
> return err;
>
> - err = process_preds(call, filter_string, filter, pe);
> + err = process_preds(call, filter_string, *filterp, pe);
> if (err && set_str)
> - append_filter_err(pe, filter);
> + append_filter_err(pe, *filterp);
>
> - *filterp = filter;
> return err;
> }
>
> @@ -1740,24 +1738,22 @@ static int create_system_filter(struct
> trace_subsystem_dir *dir,
> struct trace_array *tr,
> char *filter_str, struct event_filter
> **filterp)
> {
> - struct event_filter *filter = NULL;
> struct filter_parse_error *pe = NULL;
> int err;
>
> - err = create_filter_start(filter_str, true, , );
> + err = create_filter_start(filter_str, true, , filterp);
> if (!err) {
> err = process_system_preds(dir, tr, pe, filter_str);
> if (!err) {
> /* System filters just show a default message */
> - kfree(filter->filter_string);
> - filter->filter_string = NULL;
> + kfree((*filterp)->filter_string);
> + (*filterp)->filter_string = NULL;
> } else {
> - append_filter_err(pe, filter);
> + append_filter_err(pe, *filterp);
> }
> }
> create_filter_finish(pe);
>
> - *filterp = filter;
> return err;
> }
>
> @@ -1765,7 +1761,7 @@ static int create_system_filter(struct
> trace_subsystem_dir *dir,
> int apply_event_filter(struct trace_event_file *file, char *filter_string)
> {
> struct trace_event_call *call = file->event_call;
> - struct event_filter *filter;
> + struct event_filter *filter = NULL;
> int err;
>
> if (!strcmp(strstrip(filter_string), "0")) {
> @@ -1818,7 +1814,7 @@ int apply_subsystem_event_filter(struct
> trace_subsystem_dir *dir,
> {
> struct event_subsystem *system = dir->subsystem;
> struct trace_array *tr = dir->tr;
> - struct event_filter *filter;
> + struct event_filter *filter = NULL;
> int err = 0;
>
> mutex_lock(_mutex);
> @@ -2025,7 +2021,7 @@ int ftrace_profile_set_filter(struct perf_event *event,
> int event_id,
> char *filter_str)
> {
> int err;
> - struct event_filter *filter;
> + struct event_filter *filter = NULL;
> struct trace_event_call *call;
>
> mutex_lock(_mutex);
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
>
Re: KASAN: stack-out-of-bounds Read in __free_filter
On Wed, Apr 11, 2018 at 4:47 PM, Steven Rostedt wrote: > On Wed, 11 Apr 2018 05:02:02 -0700 > syzbot wrote: > >> Hello, >> >> syzbot hit the following crash on upstream commit >> b284d4d5a6785f8cd07eda2646a95782373cd01e (Tue Apr 10 19:25:30 2018 +) >> Merge tag 'ceph-for-4.17-rc1' of git://github.com/ceph/ceph-client >> syzbot dashboard link: >> https://syzkaller.appspot.com/bug?extid=dadcc936587643d7f568 >> >> So far this crash happened 6 times on upstream. >> C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6547381214511104 >> syzkaller reproducer: >> https://syzkaller.appspot.com/x/repro.syz?id=5485642750361600 >> Raw console output: >> https://syzkaller.appspot.com/x/log.txt?id=5352489637380096 >> Kernel config: >> https://syzkaller.appspot.com/x/.config?id=-1223000601505858474 >> compiler: gcc (GCC) 8.0.1 20180301 (experimental) >> >> IMPORTANT: if you fix the bug, please add the following tag to the commit: >> Reported-by: syzbot+dadcc936587643d7f...@syzkaller.appspotmail.com >> It will help syzbot understand when the bug is fixed. See footer for >> details. >> If you forward the report, please keep this part and the footer. >> > > Can you try this patch? Hi Steve, Instructions for asking syzbot to test a patch are here: https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot > -- Steve > > diff --git a/kernel/trace/trace_events_filter.c > b/kernel/trace/trace_events_filter.c > index 33b7720e2aa1..5c07ae2ac5d7 100644 > --- a/kernel/trace/trace_events_filter.c > +++ b/kernel/trace/trace_events_filter.c 
> @@ -1705,18 +1705,16 @@ static int create_filter(struct trace_event_call
> *call,
> struct event_filter **filterp)
> {
> struct filter_parse_error *pe = NULL;
> - struct event_filter *filter = NULL;
> int err;
>
> - err = create_filter_start(filter_string, set_str, , );
> + err = create_filter_start(filter_string, set_str, , filterp);
> if (err)
> return err;
>
> - err = process_preds(call, filter_string, filter, pe);
> + err = process_preds(call, filter_string, *filterp, pe);
> if (err && set_str)
> - append_filter_err(pe, filter);
> + append_filter_err(pe, *filterp);
>
> - *filterp = filter;
> return err;
> }
>
> @@ -1740,24 +1738,22 @@ static int create_system_filter(struct
> trace_subsystem_dir *dir,
> struct trace_array *tr,
> char *filter_str, struct event_filter
> **filterp)
> {
> - struct event_filter *filter = NULL;
> struct filter_parse_error *pe = NULL;
> int err;
>
> - err = create_filter_start(filter_str, true, , );
> + err = create_filter_start(filter_str, true, , filterp);
> if (!err) {
> err = process_system_preds(dir, tr, pe, filter_str);
> if (!err) {
> /* System filters just show a default message */
> - kfree(filter->filter_string);
> - filter->filter_string = NULL;
> + kfree((*filterp)->filter_string);
> + (*filterp)->filter_string = NULL;
> } else {
> - append_filter_err(pe, filter);
> + append_filter_err(pe, *filterp);
> }
> }
> create_filter_finish(pe);
>
> - *filterp = filter;
> return err;
> }
>
> @@ -1765,7 +1761,7 @@ static int create_system_filter(struct
> trace_subsystem_dir *dir,
> int apply_event_filter(struct trace_event_file *file, char *filter_string)
> {
> struct trace_event_call *call = file->event_call;
> - struct event_filter *filter;
> + struct event_filter *filter = NULL;
> int err;
>
> if (!strcmp(strstrip(filter_string), "0")) {
> @@ -1818,7 +1814,7 @@ int apply_subsystem_event_filter(struct
> trace_subsystem_dir *dir,
> {
> struct event_subsystem *system = dir->subsystem;
> struct trace_array *tr = dir->tr;
> - struct event_filter *filter;
> + struct event_filter *filter = NULL;
> int err = 0;
>
> mutex_lock(_mutex);
> @@ -2025,7 +2021,7 @@ int ftrace_profile_set_filter(struct perf_event *event,
> int event_id,
> char *filter_str)
> {
> int err;
> - struct event_filter *filter;
> + struct event_filter *filter = NULL;
> struct trace_event_call *call;
>
> mutex_lock(_mutex);
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/20180411104702.7f24401f%40gandalf.local.home.
> For
Re: KASAN: stack-out-of-bounds Read in __free_filter
On Wed, 11 Apr 2018 05:02:02 -0700 syzbotwrote: > Hello, > > syzbot hit the following crash on upstream commit > b284d4d5a6785f8cd07eda2646a95782373cd01e (Tue Apr 10 19:25:30 2018 +) > Merge tag 'ceph-for-4.17-rc1' of git://github.com/ceph/ceph-client > syzbot dashboard link: > https://syzkaller.appspot.com/bug?extid=dadcc936587643d7f568 > > So far this crash happened 6 times on upstream. > C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6547381214511104 > syzkaller reproducer: > https://syzkaller.appspot.com/x/repro.syz?id=5485642750361600 > Raw console output: > https://syzkaller.appspot.com/x/log.txt?id=5352489637380096 > Kernel config: > https://syzkaller.appspot.com/x/.config?id=-1223000601505858474 > compiler: gcc (GCC) 8.0.1 20180301 (experimental) > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+dadcc936587643d7f...@syzkaller.appspotmail.com > It will help syzbot understand when the bug is fixed. See footer for > details. > If you forward the report, please keep this part and the footer. > Can you try this patch? -- Steve diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c index 33b7720e2aa1..5c07ae2ac5d7 100644 --- a/kernel/trace/trace_events_filter.c +++ b/kernel/trace/trace_events_filter.c @@ -1705,18 +1705,16 @@ static int create_filter(struct trace_event_call *call, struct event_filter **filterp) { struct filter_parse_error *pe = NULL; - struct event_filter *filter = NULL; int err; - err = create_filter_start(filter_string, set_str, , ); + err = create_filter_start(filter_string, set_str, , filterp); if (err) return err; - err = process_preds(call, filter_string, filter, pe); + err = process_preds(call, filter_string, *filterp, pe); if (err && set_str) - append_filter_err(pe, filter); + append_filter_err(pe, *filterp); - *filterp = filter; return err; } 
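Review bot: After this hunk create_filter still returns without calling create_filter_finish(pe) — neither once process_preds succeeds nor on its error path — while create_system_filter in the next hunk calls `create_filter_finish(pe);` as soon as processing is done; if create_filter_start allocates the parse-error object on success (its body is outside the hunk, so this is inferred), every successful create_filter call leaks it. Adding `create_filter_finish(pe);` immediately before the final `return err;` closes that, and the early `return err;` after create_filter_start is correct only as long as that helper publishes *pse solely on success, which a short comment on the early return could record. The archive appears to have stripped the `&` from the create_filter_start argument lists, so `, , )` on the page stands for the address-of arguments rather than a change the patch makes. The same hunk is quoted in the replies above and repeated below.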
@@ -1740,24 +1738,22 @@ static int create_system_filter(struct trace_subsystem_dir *dir, struct trace_array *tr, char *filter_str, struct event_filter **filterp) { - struct event_filter *filter = NULL; struct filter_parse_error *pe = NULL; int err; - err = create_filter_start(filter_str, true, , ); + err = create_filter_start(filter_str, true, , filterp); if (!err) { err = process_system_preds(dir, tr, pe, filter_str); if (!err) { /* System filters just show a default message */ - kfree(filter->filter_string); - filter->filter_string = NULL; + kfree((*filterp)->filter_string); + (*filterp)->filter_string = NULL; } else { - append_filter_err(pe, filter); + append_filter_err(pe, *filterp); } } create_filter_finish(pe); - *filterp = filter; return err; } @@ -1765,7 +1761,7 @@ static int create_system_filter(struct trace_subsystem_dir *dir, int apply_event_filter(struct trace_event_file *file, char *filter_string) { struct trace_event_call *call = file->event_call; - struct event_filter *filter; + struct event_filter *filter = NULL; int err; if (!strcmp(strstrip(filter_string), "0")) { @@ -1818,7 +1814,7 @@ int apply_subsystem_event_filter(struct trace_subsystem_dir *dir, { struct event_subsystem *system = dir->subsystem; struct trace_array *tr = dir->tr; - struct event_filter *filter; + struct event_filter *filter = NULL; int err = 0; mutex_lock(_mutex); @@ -2025,7 +2021,7 @@ int ftrace_profile_set_filter(struct perf_event *event, int event_id, char *filter_str) { int err; - struct event_filter *filter; + struct event_filter *filter = NULL; struct trace_event_call *call; mutex_lock(_mutex);
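Review bot: Style: the success branch of create_system_filter now writes `(*filterp)->filter_string` twice in a row; a local alias taken once the call has succeeded, e.g. `struct event_filter *filter = *filterp;` as the first statement inside the `if (!err) {` block, would read as the removed local did without keeping a second copy of the pointer that can diverge from `*filterp`. This is purely how the new code is written; behaviour is unchanged either way.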
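Review bot: The `= NULL` initialisers added for `filter` in apply_event_filter and, identically, in the apply_subsystem_event_filter and ftrace_profile_set_filter hunks are load-bearing rather than cosmetic: create_filter and create_system_filter now hand the caller's pointer straight to create_filter_start, and if that helper rejects a non-NULL `*filterp` on entry (it appears to, but its body is outside the hunk) a caller that forgets the initialiser will trip that check instead of the uninitialised-pointer use this report is about. Nothing in the patch records that precondition; a one-line comment above create_filter's parameter list such as `/* *filterp must be NULL on entry */`, confirmed against create_filter_start, would let reviewers catch the next caller. Each of the three functions continues past its hunk, so whether every error path after the create_filter call frees a non-NULL `filter` exactly once cannot be checked from here.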
Re: KASAN: stack-out-of-bounds Read in __free_filter
On Wed, 11 Apr 2018 05:02:02 -0700 syzbot wrote: > Hello, > > syzbot hit the following crash on upstream commit > b284d4d5a6785f8cd07eda2646a95782373cd01e (Tue Apr 10 19:25:30 2018 +) > Merge tag 'ceph-for-4.17-rc1' of git://github.com/ceph/ceph-client > syzbot dashboard link: > https://syzkaller.appspot.com/bug?extid=dadcc936587643d7f568 > > So far this crash happened 6 times on upstream. > C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6547381214511104 > syzkaller reproducer: > https://syzkaller.appspot.com/x/repro.syz?id=5485642750361600 > Raw console output: > https://syzkaller.appspot.com/x/log.txt?id=5352489637380096 > Kernel config: > https://syzkaller.appspot.com/x/.config?id=-1223000601505858474 > compiler: gcc (GCC) 8.0.1 20180301 (experimental) > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+dadcc936587643d7f...@syzkaller.appspotmail.com > It will help syzbot understand when the bug is fixed. See footer for > details. > If you forward the report, please keep this part and the footer. > Can you try this patch? -- Steve diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c index 33b7720e2aa1..5c07ae2ac5d7 100644 --- a/kernel/trace/trace_events_filter.c +++ b/kernel/trace/trace_events_filter.c @@ -1705,18 +1705,16 @@ static int create_filter(struct trace_event_call *call, struct event_filter **filterp) { struct filter_parse_error *pe = NULL; - struct event_filter *filter = NULL; int err; - err = create_filter_start(filter_string, set_str, , ); + err = create_filter_start(filter_string, set_str, , filterp); if (err) return err; - err = process_preds(call, filter_string, filter, pe); + err = process_preds(call, filter_string, *filterp, pe); if (err && set_str) - append_filter_err(pe, filter); + append_filter_err(pe, *filterp); - *filterp = filter; return err; } 
@@ -1740,24 +1738,22 @@ static int create_system_filter(struct trace_subsystem_dir *dir, struct trace_array *tr, char *filter_str, struct event_filter **filterp) { - struct event_filter *filter = NULL; struct filter_parse_error *pe = NULL; int err; - err = create_filter_start(filter_str, true, , ); + err = create_filter_start(filter_str, true, , filterp); if (!err) { err = process_system_preds(dir, tr, pe, filter_str); if (!err) { /* System filters just show a default message */ - kfree(filter->filter_string); - filter->filter_string = NULL; + kfree((*filterp)->filter_string); + (*filterp)->filter_string = NULL; } else { - append_filter_err(pe, filter); + append_filter_err(pe, *filterp); } } create_filter_finish(pe); - *filterp = filter; return err; } @@ -1765,7 +1761,7 @@ static int create_system_filter(struct trace_subsystem_dir *dir, int apply_event_filter(struct trace_event_file *file, char *filter_string) { struct trace_event_call *call = file->event_call; - struct event_filter *filter; + struct event_filter *filter = NULL; int err; if (!strcmp(strstrip(filter_string), "0")) { @@ -1818,7 +1814,7 @@ int apply_subsystem_event_filter(struct trace_subsystem_dir *dir, { struct event_subsystem *system = dir->subsystem; struct trace_array *tr = dir->tr; - struct event_filter *filter; + struct event_filter *filter = NULL; int err = 0; mutex_lock(_mutex); @@ -2025,7 +2021,7 @@ int ftrace_profile_set_filter(struct perf_event *event, int event_id, char *filter_str) { int err; - struct event_filter *filter; + struct event_filter *filter = NULL; struct trace_event_call *call; mutex_lock(_mutex);