Re: KASAN: stack-out-of-bounds Read in __free_filter

2018-04-11 Thread Dmitry Vyukov
On Wed, Apr 11, 2018 at 4:58 PM, Steven Rostedt  wrote:
> On Wed, 11 Apr 2018 16:51:02 +0200
> Dmitry Vyukov  wrote:
>
>> Hi Steve,
>>
>> Instructions for asking syzbot to test a patch are here:
>>
>> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot
>
> I'll just add reported-by and add the patch. It does fix a bug,
> regardless. I have other things I need to work on to spend any more
> time on this one.


This will work too.

Thanks for the quick fix!


Re: KASAN: stack-out-of-bounds Read in __free_filter

2018-04-11 Thread Dmitry Vyukov
On Wed, Apr 11, 2018 at 4:58 PM, Steven Rostedt  wrote:
> On Wed, 11 Apr 2018 16:51:02 +0200
> Dmitry Vyukov  wrote:
>
>> Hi Steve,
>>
>> Instructions for asking syzbot to test a patch are here:
>>
>> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot
>
> I'll just add reported-by and add the patch. It does fix a bug,
> regardless. I have other things I need to work on to spend any more
> time on this one.


This will work too.

Thanks for the quick fix!


Re: KASAN: stack-out-of-bounds Read in __free_filter

2018-04-11 Thread Steven Rostedt
On Wed, 11 Apr 2018 16:51:02 +0200
Dmitry Vyukov  wrote:

> Hi Steve,
> 
> Instructions for asking syzbot to test a patch are here:
> 
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot

I'll just add reported-by and add the patch. It does fix a bug,
regardless. I have other things I need to work on to spend any more
time on this one.

-- Steve


Re: KASAN: stack-out-of-bounds Read in __free_filter

2018-04-11 Thread Steven Rostedt
On Wed, 11 Apr 2018 16:51:02 +0200
Dmitry Vyukov  wrote:

> Hi Steve,
> 
> Instructions for asking syzbot to test a patch are here:
> 
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot

I'll just add reported-by and add the patch. It does fix a bug,
regardless. I have other things I need to work on to spend any more
time on this one.

-- Steve


Re: KASAN: stack-out-of-bounds Read in __free_filter

2018-04-11 Thread Dmitry Vyukov
On Wed, Apr 11, 2018 at 4:47 PM, Steven Rostedt  wrote:
> On Wed, 11 Apr 2018 05:02:02 -0700
> syzbot  wrote:
>
>> Hello,
>>
>> syzbot hit the following crash on upstream commit
>> b284d4d5a6785f8cd07eda2646a95782373cd01e (Tue Apr 10 19:25:30 2018 +)
>> Merge tag 'ceph-for-4.17-rc1' of git://github.com/ceph/ceph-client
>> syzbot dashboard link:
>> https://syzkaller.appspot.com/bug?extid=dadcc936587643d7f568
>>
>> So far this crash happened 6 times on upstream.
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6547381214511104
>> syzkaller reproducer:
>> https://syzkaller.appspot.com/x/repro.syz?id=5485642750361600
>> Raw console output:
>> https://syzkaller.appspot.com/x/log.txt?id=5352489637380096
>> Kernel config:
>> https://syzkaller.appspot.com/x/.config?id=-1223000601505858474
>> compiler: gcc (GCC) 8.0.1 20180301 (experimental)
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+dadcc936587643d7f...@syzkaller.appspotmail.com
>> It will help syzbot understand when the bug is fixed. See footer for
>> details.
>> If you forward the report, please keep this part and the footer.
>>
>
> Can you try this patch?

Hi Steve,

Instructions for asking syzbot to test a patch are here:

https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot

> -- Steve
>
> diff --git a/kernel/trace/trace_events_filter.c 
> b/kernel/trace/trace_events_filter.c
> index 33b7720e2aa1..5c07ae2ac5d7 100644
> --- a/kernel/trace/trace_events_filter.c
> +++ b/kernel/trace/trace_events_filter.c
> @@ -1705,18 +1705,16 @@ static int create_filter(struct trace_event_call 
> *call,
>  struct event_filter **filterp)
>  {
> struct filter_parse_error *pe = NULL;
> -   struct event_filter *filter = NULL;
> int err;
>
> -   err = create_filter_start(filter_string, set_str, , );
> +   err = create_filter_start(filter_string, set_str, , filterp);
> if (err)
> return err;
>
> -   err = process_preds(call, filter_string, filter, pe);
> +   err = process_preds(call, filter_string, *filterp, pe);
> if (err && set_str)
> -   append_filter_err(pe, filter);
> +   append_filter_err(pe, *filterp);
>
> -   *filterp = filter;
> return err;
>  }
>
> @@ -1740,24 +1738,22 @@ static int create_system_filter(struct 
> trace_subsystem_dir *dir,
> struct trace_array *tr,
> char *filter_str, struct event_filter 
> **filterp)
>  {
> -   struct event_filter *filter = NULL;
> struct filter_parse_error *pe = NULL;
> int err;
>
> -   err = create_filter_start(filter_str, true, , );
> +   err = create_filter_start(filter_str, true, , filterp);
> if (!err) {
> err = process_system_preds(dir, tr, pe, filter_str);
> if (!err) {
> /* System filters just show a default message */
> -   kfree(filter->filter_string);
> -   filter->filter_string = NULL;
> +   kfree((*filterp)->filter_string);
> +   (*filterp)->filter_string = NULL;
> } else {
> -   append_filter_err(pe, filter);
> +   append_filter_err(pe, *filterp);
> }
> }
> create_filter_finish(pe);
>
> -   *filterp = filter;
> return err;
>  }
>
> @@ -1765,7 +1761,7 @@ static int create_system_filter(struct 
> trace_subsystem_dir *dir,
>  int apply_event_filter(struct trace_event_file *file, char *filter_string)
>  {
> struct trace_event_call *call = file->event_call;
> -   struct event_filter *filter;
> +   struct event_filter *filter = NULL;
> int err;
>
> if (!strcmp(strstrip(filter_string), "0")) {
> @@ -1818,7 +1814,7 @@ int apply_subsystem_event_filter(struct 
> trace_subsystem_dir *dir,
>  {
> struct event_subsystem *system = dir->subsystem;
> struct trace_array *tr = dir->tr;
> -   struct event_filter *filter;
> +   struct event_filter *filter = NULL;
> int err = 0;
>
> mutex_lock(_mutex);
> @@ -2025,7 +2021,7 @@ int ftrace_profile_set_filter(struct perf_event *event, 
> int event_id,
>   char *filter_str)
>  {
> int err;
> -   struct event_filter *filter;
> +   struct event_filter *filter = NULL;
> struct trace_event_call *call;
>
> mutex_lock(_mutex);
>
> --
> You received this message because you are subscribed to the Google Groups 
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to syzkaller-bugs+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> 

Re: KASAN: stack-out-of-bounds Read in __free_filter

2018-04-11 Thread Dmitry Vyukov
On Wed, Apr 11, 2018 at 4:47 PM, Steven Rostedt  wrote:
> On Wed, 11 Apr 2018 05:02:02 -0700
> syzbot  wrote:
>
>> Hello,
>>
>> syzbot hit the following crash on upstream commit
>> b284d4d5a6785f8cd07eda2646a95782373cd01e (Tue Apr 10 19:25:30 2018 +)
>> Merge tag 'ceph-for-4.17-rc1' of git://github.com/ceph/ceph-client
>> syzbot dashboard link:
>> https://syzkaller.appspot.com/bug?extid=dadcc936587643d7f568
>>
>> So far this crash happened 6 times on upstream.
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6547381214511104
>> syzkaller reproducer:
>> https://syzkaller.appspot.com/x/repro.syz?id=5485642750361600
>> Raw console output:
>> https://syzkaller.appspot.com/x/log.txt?id=5352489637380096
>> Kernel config:
>> https://syzkaller.appspot.com/x/.config?id=-1223000601505858474
>> compiler: gcc (GCC) 8.0.1 20180301 (experimental)
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+dadcc936587643d7f...@syzkaller.appspotmail.com
>> It will help syzbot understand when the bug is fixed. See footer for
>> details.
>> If you forward the report, please keep this part and the footer.
>>
>
> Can you try this patch?

Hi Steve,

Instructions for asking syzbot to test a patch are here:

https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot

> -- Steve
>
> diff --git a/kernel/trace/trace_events_filter.c 
> b/kernel/trace/trace_events_filter.c
> index 33b7720e2aa1..5c07ae2ac5d7 100644
> --- a/kernel/trace/trace_events_filter.c
> +++ b/kernel/trace/trace_events_filter.c
> @@ -1705,18 +1705,16 @@ static int create_filter(struct trace_event_call 
> *call,
>  struct event_filter **filterp)
>  {
> struct filter_parse_error *pe = NULL;
> -   struct event_filter *filter = NULL;
> int err;
>
> -   err = create_filter_start(filter_string, set_str, , );
> +   err = create_filter_start(filter_string, set_str, , filterp);
> if (err)
> return err;
>
> -   err = process_preds(call, filter_string, filter, pe);
> +   err = process_preds(call, filter_string, *filterp, pe);
> if (err && set_str)
> -   append_filter_err(pe, filter);
> +   append_filter_err(pe, *filterp);
>
> -   *filterp = filter;
> return err;
>  }
>
> @@ -1740,24 +1738,22 @@ static int create_system_filter(struct 
> trace_subsystem_dir *dir,
> struct trace_array *tr,
> char *filter_str, struct event_filter 
> **filterp)
>  {
> -   struct event_filter *filter = NULL;
> struct filter_parse_error *pe = NULL;
> int err;
>
> -   err = create_filter_start(filter_str, true, , );
> +   err = create_filter_start(filter_str, true, , filterp);
> if (!err) {
> err = process_system_preds(dir, tr, pe, filter_str);
> if (!err) {
> /* System filters just show a default message */
> -   kfree(filter->filter_string);
> -   filter->filter_string = NULL;
> +   kfree((*filterp)->filter_string);
> +   (*filterp)->filter_string = NULL;
> } else {
> -   append_filter_err(pe, filter);
> +   append_filter_err(pe, *filterp);
> }
> }
> create_filter_finish(pe);
>
> -   *filterp = filter;
> return err;
>  }
>
> @@ -1765,7 +1761,7 @@ static int create_system_filter(struct 
> trace_subsystem_dir *dir,
>  int apply_event_filter(struct trace_event_file *file, char *filter_string)
>  {
> struct trace_event_call *call = file->event_call;
> -   struct event_filter *filter;
> +   struct event_filter *filter = NULL;
> int err;
>
> if (!strcmp(strstrip(filter_string), "0")) {
> @@ -1818,7 +1814,7 @@ int apply_subsystem_event_filter(struct 
> trace_subsystem_dir *dir,
>  {
> struct event_subsystem *system = dir->subsystem;
> struct trace_array *tr = dir->tr;
> -   struct event_filter *filter;
> +   struct event_filter *filter = NULL;
> int err = 0;
>
> mutex_lock(_mutex);
> @@ -2025,7 +2021,7 @@ int ftrace_profile_set_filter(struct perf_event *event, 
> int event_id,
>   char *filter_str)
>  {
> int err;
> -   struct event_filter *filter;
> +   struct event_filter *filter = NULL;
> struct trace_event_call *call;
>
> mutex_lock(_mutex);
>
> --
> You received this message because you are subscribed to the Google Groups 
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to syzkaller-bugs+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/syzkaller-bugs/20180411104702.7f24401f%40gandalf.local.home.
> For 

Re: KASAN: stack-out-of-bounds Read in __free_filter

2018-04-11 Thread Steven Rostedt
On Wed, 11 Apr 2018 05:02:02 -0700
syzbot  wrote:

> Hello,
> 
> syzbot hit the following crash on upstream commit
> b284d4d5a6785f8cd07eda2646a95782373cd01e (Tue Apr 10 19:25:30 2018 +)
> Merge tag 'ceph-for-4.17-rc1' of git://github.com/ceph/ceph-client
> syzbot dashboard link:  
> https://syzkaller.appspot.com/bug?extid=dadcc936587643d7f568
> 
> So far this crash happened 6 times on upstream.
> C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6547381214511104
> syzkaller reproducer:  
> https://syzkaller.appspot.com/x/repro.syz?id=5485642750361600
> Raw console output:  
> https://syzkaller.appspot.com/x/log.txt?id=5352489637380096
> Kernel config:  
> https://syzkaller.appspot.com/x/.config?id=-1223000601505858474
> compiler: gcc (GCC) 8.0.1 20180301 (experimental)
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+dadcc936587643d7f...@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for  
> details.
> If you forward the report, please keep this part and the footer.
>

Can you try this patch?

-- Steve

diff --git a/kernel/trace/trace_events_filter.c 
b/kernel/trace/trace_events_filter.c
index 33b7720e2aa1..5c07ae2ac5d7 100644
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -1705,18 +1705,16 @@ static int create_filter(struct trace_event_call *call,
 struct event_filter **filterp)
 {
struct filter_parse_error *pe = NULL;
-   struct event_filter *filter = NULL;
int err;
 
-   err = create_filter_start(filter_string, set_str, , );
+   err = create_filter_start(filter_string, set_str, , filterp);
if (err)
return err;
 
-   err = process_preds(call, filter_string, filter, pe);
+   err = process_preds(call, filter_string, *filterp, pe);
if (err && set_str)
-   append_filter_err(pe, filter);
+   append_filter_err(pe, *filterp);
 
-   *filterp = filter;
return err;
 }
 
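Review bot: After this hunk create_filter() can still return from the early `if (err) return err;` without having written anything through `filterp` if create_filter_start() fails before storing the new filter, so the contract now silently depends on every caller pre-setting its pointer to NULL, which the apply_event_filter(), apply_subsystem_event_filter() and ftrace_profile_set_filter() hunks below do but nothing in this function states. I would make that explicit with `*filterp = NULL;` as the first statement, or at least a comment on the early return: `/* *filterp may be untouched on error; callers must pass it pre-set to NULL */`. The process_preds() failure path leaves a partially built filter in `*filterp` for the caller to release, exactly as the removed trailing `*filterp = filter` did, so that ownership belongs in the same comment. The create_system_filter() hunk has the same shape and additionally dereferences `(*filterp)->filter_string` without a check, which is presumably safe only because create_filter_start() is assumed to have allocated it on success. create_filter()'s parameter list begins outside the hunk.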
@@ -1740,24 +1738,22 @@ static int create_system_filter(struct 
trace_subsystem_dir *dir,
struct trace_array *tr,
char *filter_str, struct event_filter **filterp)
 {
-   struct event_filter *filter = NULL;
struct filter_parse_error *pe = NULL;
int err;
 
-   err = create_filter_start(filter_str, true, , );
+   err = create_filter_start(filter_str, true, , filterp);
if (!err) {
err = process_system_preds(dir, tr, pe, filter_str);
if (!err) {
/* System filters just show a default message */
-   kfree(filter->filter_string);
-   filter->filter_string = NULL;
+   kfree((*filterp)->filter_string);
+   (*filterp)->filter_string = NULL;
} else {
-   append_filter_err(pe, filter);
+   append_filter_err(pe, *filterp);
}
}
create_filter_finish(pe);
 
-   *filterp = filter;
return err;
 }
 
@@ -1765,7 +1761,7 @@ static int create_system_filter(struct 
trace_subsystem_dir *dir,
 int apply_event_filter(struct trace_event_file *file, char *filter_string)
 {
struct trace_event_call *call = file->event_call;
-   struct event_filter *filter;
+   struct event_filter *filter = NULL;
int err;
 
if (!strcmp(strstrip(filter_string), "0")) {
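Review bot: The `= NULL` initializer is load-bearing here, not cosmetic: create_filter() can return an error from its early `if (err) return err;` without ever storing through `filterp`, so an uninitialized `filter` would reach the error-path cleanup, which is consistent with the stack-out-of-bounds read in __free_filter() this thread reports. A one-line comment would stop a future cleanup from dropping it: `struct event_filter *filter = NULL; /* create_filter() may fail before setting this */`. The same applies to the identical initializers in the apply_subsystem_event_filter() and ftrace_profile_set_filter() hunks. The rest of apply_event_filter(), including the error path that consumes `filter`, is outside the hunk, so that it frees on the early-return path is inferred from the report rather than visible here.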
@@ -1818,7 +1814,7 @@ int apply_subsystem_event_filter(struct 
trace_subsystem_dir *dir,
 {
struct event_subsystem *system = dir->subsystem;
struct trace_array *tr = dir->tr;
-   struct event_filter *filter;
+   struct event_filter *filter = NULL;
int err = 0;
 
mutex_lock(_mutex);
@@ -2025,7 +2021,7 @@ int ftrace_profile_set_filter(struct perf_event *event, 
int event_id,
  char *filter_str)
 {
int err;
-   struct event_filter *filter;
+   struct event_filter *filter = NULL;
struct trace_event_call *call;
 
mutex_lock(_mutex);


Re: KASAN: stack-out-of-bounds Read in __free_filter

2018-04-11 Thread Steven Rostedt
On Wed, 11 Apr 2018 05:02:02 -0700
syzbot  wrote:

> Hello,
> 
> syzbot hit the following crash on upstream commit
> b284d4d5a6785f8cd07eda2646a95782373cd01e (Tue Apr 10 19:25:30 2018 +)
> Merge tag 'ceph-for-4.17-rc1' of git://github.com/ceph/ceph-client
> syzbot dashboard link:  
> https://syzkaller.appspot.com/bug?extid=dadcc936587643d7f568
> 
> So far this crash happened 6 times on upstream.
> C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6547381214511104
> syzkaller reproducer:  
> https://syzkaller.appspot.com/x/repro.syz?id=5485642750361600
> Raw console output:  
> https://syzkaller.appspot.com/x/log.txt?id=5352489637380096
> Kernel config:  
> https://syzkaller.appspot.com/x/.config?id=-1223000601505858474
> compiler: gcc (GCC) 8.0.1 20180301 (experimental)
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+dadcc936587643d7f...@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for  
> details.
> If you forward the report, please keep this part and the footer.
>

Can you try this patch?

-- Steve

diff --git a/kernel/trace/trace_events_filter.c 
b/kernel/trace/trace_events_filter.c
index 33b7720e2aa1..5c07ae2ac5d7 100644
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -1705,18 +1705,16 @@ static int create_filter(struct trace_event_call *call,
 struct event_filter **filterp)
 {
struct filter_parse_error *pe = NULL;
-   struct event_filter *filter = NULL;
int err;
 
-   err = create_filter_start(filter_string, set_str, , );
+   err = create_filter_start(filter_string, set_str, , filterp);
if (err)
return err;
 
-   err = process_preds(call, filter_string, filter, pe);
+   err = process_preds(call, filter_string, *filterp, pe);
if (err && set_str)
-   append_filter_err(pe, filter);
+   append_filter_err(pe, *filterp);
 
-   *filterp = filter;
return err;
 }
 
@@ -1740,24 +1738,22 @@ static int create_system_filter(struct 
trace_subsystem_dir *dir,
struct trace_array *tr,
char *filter_str, struct event_filter **filterp)
 {
-   struct event_filter *filter = NULL;
struct filter_parse_error *pe = NULL;
int err;
 
-   err = create_filter_start(filter_str, true, , );
+   err = create_filter_start(filter_str, true, , filterp);
if (!err) {
err = process_system_preds(dir, tr, pe, filter_str);
if (!err) {
/* System filters just show a default message */
-   kfree(filter->filter_string);
-   filter->filter_string = NULL;
+   kfree((*filterp)->filter_string);
+   (*filterp)->filter_string = NULL;
} else {
-   append_filter_err(pe, filter);
+   append_filter_err(pe, *filterp);
}
}
create_filter_finish(pe);
 
-   *filterp = filter;
return err;
 }
 
@@ -1765,7 +1761,7 @@ static int create_system_filter(struct 
trace_subsystem_dir *dir,
 int apply_event_filter(struct trace_event_file *file, char *filter_string)
 {
struct trace_event_call *call = file->event_call;
-   struct event_filter *filter;
+   struct event_filter *filter = NULL;
int err;
 
if (!strcmp(strstrip(filter_string), "0")) {
@@ -1818,7 +1814,7 @@ int apply_subsystem_event_filter(struct 
trace_subsystem_dir *dir,
 {
struct event_subsystem *system = dir->subsystem;
struct trace_array *tr = dir->tr;
-   struct event_filter *filter;
+   struct event_filter *filter = NULL;
int err = 0;
 
mutex_lock(_mutex);
@@ -2025,7 +2021,7 @@ int ftrace_profile_set_filter(struct perf_event *event, 
int event_id,
  char *filter_str)
 {
int err;
-   struct event_filter *filter;
+   struct event_filter *filter = NULL;
struct trace_event_call *call;
 
mutex_lock(_mutex);