On 4/25/17 10:38 AM, Andrey Konovalov wrote:
> I'll keep fuzzing in the meantime to make sure.
> Maybe I'll be able to collect more reports or even another reproducer.
Start a new email thread for each stack trace. I'll write a debug patch
for the trace you hit today.
On Tue, Apr 25, 2017 at 6:36 PM, Andrey Konovalov wrote:
> On Tue, Apr 25, 2017 at 5:56 PM, David Ahern wrote:
>> On 3/4/17 11:57 AM, Dmitry Vyukov wrote:
>>> ==
>>> BUG: KASAN: slab-out-of-bounds in rt6_dump_route+0x293/0x2f0
>>> ne
On Tue, Apr 25, 2017 at 5:56 PM, David Ahern wrote:
> On 3/4/17 11:57 AM, Dmitry Vyukov wrote:
>> ==
>> BUG: KASAN: slab-out-of-bounds in rt6_dump_route+0x293/0x2f0
>> net/ipv6/route.c:3551 at addr 88007e523694
>> Read of size 4 b
On 3/7/17 2:21 AM, Dmitry Vyukov wrote:
> [ cut here ]
> WARNING: CPU: 2 PID: 3990 at net/ipv6/ip6_fib.c:991
> fib6_add+0x2e12/0x3290 net/ipv6/ip6_fib.c:991 net/ipv6/ip6_fib.c:991
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 2 PID: 3990 Comm: kworker/2:4 Not
On 3/4/17 11:57 AM, Dmitry Vyukov wrote:
> ==
> BUG: KASAN: slab-out-of-bounds in rt6_dump_route+0x293/0x2f0
> net/ipv6/route.c:3551 at addr 88007e523694
> Read of size 4 by task syz-executor3/24426
> CPU: 2 PID: 24426 Comm: syz-ex
On 4/18/17 2:43 PM, Andrey Konovalov wrote:
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: [#1] SMP KASAN
> Modules linked in:
> CPU: 1 PID: 4035 Comm: a.out Not tainted 4.11.0-rc7+ #250
> Hardware name: QEM
On Fri, 2017-04-21 at 08:27 -0600, David Ahern wrote:
> On 4/20/17 10:09 AM, Andrey Konovalov wrote:
> > On Thu, Apr 20, 2017 at 5:39 PM, Andrey Konovalov
> > wrote:
> >> On Thu, Apr 20, 2017 at 5:35 PM, David Ahern
> >> wrote:
> >>> On 4/20/17 9:28 AM, Andrey Konovalov wrote:
> This one s
On 4/21/17 10:47 AM, Eric Dumazet wrote:
> On Fri, 2017-04-21 at 08:27 -0600, David Ahern wrote:
>> On 4/20/17 10:09 AM, Andrey Konovalov wrote:
>>> On Thu, Apr 20, 2017 at 5:39 PM, Andrey Konovalov
>>> wrote:
On Thu, Apr 20, 2017 at 5:35 PM, David Ahern
wrote:
> On 4/20/17 9:28 A
On 4/20/17 10:09 AM, Andrey Konovalov wrote:
> On Thu, Apr 20, 2017 at 5:39 PM, Andrey Konovalov
> wrote:
>> On Thu, Apr 20, 2017 at 5:35 PM, David Ahern
>> wrote:
>>> On 4/20/17 9:28 AM, Andrey Konovalov wrote:
This one seems to be much closer to what Dmitry reported initially.
>>> does no
On Thu, Apr 20, 2017 at 5:39 PM, Andrey Konovalov wrote:
> On Thu, Apr 20, 2017 at 5:35 PM, David Ahern wrote:
>> On 4/20/17 9:28 AM, Andrey Konovalov wrote:
>>> This one seems to be much closer to what Dmitry reported initially.
>>
>> does not repro here; I ran in a loop and nothing.
Here's stra
On Thu, Apr 20, 2017 at 5:35 PM, David Ahern wrote:
> On 4/20/17 9:28 AM, Andrey Konovalov wrote:
>> This one seems to be much closer to what Dmitry reported initially.
>
> does not repro here; I ran in a loop and nothing.
You use the attached config, right?
>
> can you send output of "sysctl -a
On 4/20/17 9:28 AM, Andrey Konovalov wrote:
> This one seems to be much closer to what Dmitry reported initially.
does not repro here; I ran in a loop and nothing.
can you send output of "sysctl -a --pattern 'net.ipv6'"
On Thu, Apr 20, 2017 at 5:28 PM, Andrey Konovalov wrote:
> I've extracted a reproducer for another bug.
It works for me as is, but you might need to run it in a loop.
>
> This one seems to be much closer to what Dmitry reported initially.
>
> [ cut here ]
> WARNING: CPU: 1
On Thu, Apr 20, 2017 at 10:35 AM, Dmitry Vyukov wrote:
> On Thu, Apr 20, 2017 at 1:51 AM, David Ahern wrote:
>> On 4/19/17 5:47 PM, Cong Wang wrote:
>>> On Wed, Apr 19, 2017 at 9:12 AM, Andrey Konovalov
>>> wrote:
Anyway, I just finished simplifying the reproducer. Give this one a try
On Thu, Apr 20, 2017 at 1:51 AM, David Ahern wrote:
> On 4/19/17 5:47 PM, Cong Wang wrote:
>> On Wed, Apr 19, 2017 at 9:12 AM, Andrey Konovalov
>> wrote:
>>>
>>> Anyway, I just finished simplifying the reproducer. Give this one a try.
>>
>> Thanks for providing such a minimal reproducer!
>>
>> T
On 4/19/17 5:47 PM, Cong Wang wrote:
> On Wed, Apr 19, 2017 at 9:12 AM, Andrey Konovalov
> wrote:
>>
>> Anyway, I just finished simplifying the reproducer. Give this one a try.
>
> Thanks for providing such a minimal reproducer!
>
> The following patch could fix this crash, but I am not 100% su
On Wed, Apr 19, 2017 at 9:12 AM, Andrey Konovalov wrote:
>
> Anyway, I just finished simplifying the reproducer. Give this one a try.
Thanks for providing such a minimal reproducer!
The following patch could fix this crash, but I am not 100% sure if we should
just clear these bits or reject them
On 4/19/17 10:12 AM, Andrey Konovalov wrote:
> That's weird. I usually see this when I have CONFIG_USER_NS disabled.
I bungled the movement of .config between servers. Reproduced. Will
investigate.
On Wed, Apr 19, 2017 at 6:09 PM, David Ahern wrote:
> On 4/18/17 2:43 PM, Andrey Konovalov wrote:
>> Hi!
>>
>> I've finally managed to reproduce one of the crashes on commit
>> 4f7d029b9bf009fbee76bb10c0c4351a1870d2f3 (4.11-rc7).
>>
>> I'm not sure if this bug has the same root cause as the first
On 4/18/17 2:43 PM, Andrey Konovalov wrote:
> Hi!
>
> I've finally managed to reproduce one of the crashes on commit
> 4f7d029b9bf009fbee76bb10c0c4351a1870d2f3 (4.11-rc7).
>
> I'm not sure if this bug has the same root cause as the first one
> reported in this thread, but it definitely has to do
On Wed, Apr 19, 2017 at 1:20 AM, David Ahern wrote:
> On 4/18/17 2:43 PM, Andrey Konovalov wrote:
>> I've finally managed to reproduce one of the crashes on commit
>> 4f7d029b9bf009fbee76bb10c0c4351a1870d2f3 (4.11-rc7).
>>
>> I'm not sure if this bug has the same root cause as the first one
>> rep
On 4/18/17 2:43 PM, Andrey Konovalov wrote:
> I've finally managed to reproduce one of the crashes on commit
> 4f7d029b9bf009fbee76bb10c0c4351a1870d2f3 (4.11-rc7).
>
> I'm not sure if this bug has the same root cause as the first one
> reported in this thread, but it definitely has to do with ipv6
On 3/27/17 6:42 AM, Dmitry Vyukov wrote:
> A friendly ping. This still happens all the time for us.
Haven't looked at this in a couple of weeks. I have syzkaller installed
on a machine locally and never was able to reproduce this ipv6 problem.
I am using a jessie rootfs; from the syzkaller files I
On Wed, Mar 8, 2017 at 12:55 PM, Dmitry Vyukov wrote:
> On Tue, Mar 7, 2017 at 9:00 PM, Dmitry Vyukov wrote:
>> On Tue, Mar 7, 2017 at 8:30 PM, Dmitry Vyukov wrote:
> On 3/7/17 11:13 AM, Dmitry Vyukov wrote:
>>> on this warning:
>>>
>>> /* dst.next really should not be set at thi
On Tue, Mar 7, 2017 at 9:00 PM, Dmitry Vyukov wrote:
> On Tue, Mar 7, 2017 at 8:30 PM, Dmitry Vyukov wrote:
On 3/7/17 11:13 AM, Dmitry Vyukov wrote:
>> on this warning:
>>
>> /* dst.next really should not be set at this point */
>> if (rt->dst.next && rt->dst.next->ops->famil
On 3/7/17 2:21 AM, Dmitry Vyukov wrote:
> I've commented that warning just to see if I can obtain more information.
> Then I also got this:
>
> [ cut here ]
> WARNING: CPU: 2 PID: 3990 at net/ipv6/ip6_fib.c:991
> fib6_add+0x2e12/0x3290 net/ipv6/ip6_fib.c:991 net/ipv6/ip6_fib.c
On Tue, Mar 7, 2017 at 8:30 PM, Dmitry Vyukov wrote:
>>> On 3/7/17 11:13 AM, Dmitry Vyukov wrote:
> on this warning:
>
> /* dst.next really should not be set at this point */
> if (rt->dst.next && rt->dst.next->ops->family != AF_INET6) {
> pr_warn("fib6_add: adding rt w
On Tue, Mar 7, 2017 at 8:02 PM, Dmitry Vyukov wrote:
> On Tue, Mar 7, 2017 at 7:43 PM, David Ahern wrote:
>> On 3/7/17 11:13 AM, Dmitry Vyukov wrote:
on this warning:
/* dst.next really should not be set at this point */
if (rt->dst.next && rt->dst.next->ops->family != AF_INET
On Tue, Mar 7, 2017 at 7:43 PM, David Ahern wrote:
> On 3/7/17 11:13 AM, Dmitry Vyukov wrote:
>>> on this warning:
>>>
>>> /* dst.next really should not be set at this point */
>>> if (rt->dst.next && rt->dst.next->ops->family != AF_INET6) {
>>> pr_warn("fib6_add: adding rt with bad next -
On 3/7/17 11:13 AM, Dmitry Vyukov wrote:
>> on this warning:
>>
>> /* dst.next really should not be set at this point */
>> if (rt->dst.next && rt->dst.next->ops->family != AF_INET6) {
>> pr_warn("fib6_add: adding rt with bad next -- family %d dst
>> flags %x\n",
>> rt->dst.
On 3/7/17 1:43 AM, Dmitry Vyukov wrote:
> This is on c1ae3cfa0e89fa1a7ecc4c99031f5e9ae99d9201. No other kernel
> output from your patch (pr_err).
>
> [ cut here ]
> WARNING: CPU: 1 PID: 30179 at net/ipv6/ip6_fib.c:158
> rt6_rcu_free+0x61/0x70 net/ipv6/ip6_fib.c:158
> Kernel
On Tue, Mar 7, 2017 at 7:03 PM, David Ahern wrote:
> On 3/7/17 2:21 AM, Dmitry Vyukov wrote:
>> I've commented that warning just to see if I can obtain more information.
>> Then I also got this:
>>
>> [ cut here ]
>> WARNING: CPU: 2 PID: 3990 at net/ipv6/ip6_fib.c:991
>> fib6_
On 3/7/17 1:43 AM, Dmitry Vyukov wrote:
> This is on c1ae3cfa0e89fa1a7ecc4c99031f5e9ae99d9201. No other kernel
> output from your patch (pr_err).
Is the below supposed to be from the same qemu instance at the time of
the crash? cpu1 and cpu2 are both supposedly doing a route insert?
>
> ---
On Tue, Mar 7, 2017 at 6:17 PM, 'David Ahern' via syzkaller
wrote:
> On 3/7/17 1:43 AM, Dmitry Vyukov wrote:
>> This is on c1ae3cfa0e89fa1a7ecc4c99031f5e9ae99d9201. No other kernel
>> output from your patch (pr_err).
>
> Is the below supposed to be from the same qemu instance at the time of
> the
On Tue, Mar 7, 2017 at 9:43 AM, Dmitry Vyukov wrote:
> On Tue, Mar 7, 2017 at 12:41 AM, David Ahern wrote:
>> On 3/6/17 11:51 AM, Dmitry Vyukov wrote:
>>> We hit it several thousand times, but we get only several dozen
>>> crashes per day on ~80 VMs. So if you try to reproduce it on a single
On Tue, Mar 7, 2017 at 12:41 AM, David Ahern wrote:
> On 3/6/17 11:51 AM, Dmitry Vyukov wrote:
>> We hit it several thousand times, but we get only several dozen
>> crashes per day on ~80 VMs. So if you try to reproduce it on a single
>> machine it can take days for a single crash.
>> If you a
On 3/6/17 11:51 AM, Dmitry Vyukov wrote:
> We hit it several thousand times, but we get only several dozen
> crashes per day on ~80 VMs. So if you try to reproduce it on a single
> machine it can take days for a single crash.
> If you are ready to go that route, here are some instructions on
>
On Mon, Mar 6, 2017 at 6:31 PM, David Ahern wrote:
> On 3/4/17 1:15 PM, Eric Dumazet wrote:
>> On Sat, 2017-03-04 at 19:57 +0100, Dmitry Vyukov wrote:
>>> On Fri, Mar 3, 2017 at 8:12 PM, David Ahern
>>> wrote:
On 3/3/17 6:39 AM, Dmitry Vyukov wrote:
> I am getting heap out-of-bounds rep
On 3/4/17 1:15 PM, Eric Dumazet wrote:
> On Sat, 2017-03-04 at 19:57 +0100, Dmitry Vyukov wrote:
>> On Fri, Mar 3, 2017 at 8:12 PM, David Ahern wrote:
>>> On 3/3/17 6:39 AM, Dmitry Vyukov wrote:
I am getting heap out-of-bounds reports in
fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_
On Sat, Mar 4, 2017 at 9:15 PM, Eric Dumazet wrote:
>> > On 3/3/17 6:39 AM, Dmitry Vyukov wrote:
>> >> I am getting heap out-of-bounds reports in
>> >> fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone while running
>> >> syzkaller fuzzer on 86292b33d4b79ee03e2f43ea0381ef85f077c760. They all
On Sat, 2017-03-04 at 19:57 +0100, Dmitry Vyukov wrote:
> On Fri, Mar 3, 2017 at 8:12 PM, David Ahern wrote:
> > On 3/3/17 6:39 AM, Dmitry Vyukov wrote:
> >> I am getting heap out-of-bounds reports in
> >> fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone while running
> >> syzkaller fuzzer
On Sat, Mar 4, 2017 at 7:57 PM, Dmitry Vyukov wrote:
> On Fri, Mar 3, 2017 at 8:12 PM, David Ahern wrote:
>> On 3/3/17 6:39 AM, Dmitry Vyukov wrote:
>>> I am getting heap out-of-bounds reports in
>>> fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone while running
>>> syzkaller fuzzer on 862
On Fri, Mar 3, 2017 at 8:12 PM, David Ahern wrote:
> On 3/3/17 6:39 AM, Dmitry Vyukov wrote:
>> I am getting heap out-of-bounds reports in
>> fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone while running
>> syzkaller fuzzer on 86292b33d4b79ee03e2f43ea0381ef85f077c760. They all
>> follow th
On 3/3/17 6:39 AM, Dmitry Vyukov wrote:
> I am getting heap out-of-bounds reports in
> fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone while running
> syzkaller fuzzer on 86292b33d4b79ee03e2f43ea0381ef85f077c760. They all
> follow the same pattern: an object of size 216 is allocated from
>
On Fri, Mar 3, 2017 at 8:12 PM, David Ahern wrote:
> On 3/3/17 6:39 AM, Dmitry Vyukov wrote:
>> I am getting heap out-of-bounds reports in
>> fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone while running
>> syzkaller fuzzer on 86292b33d4b79ee03e2f43ea0381ef85f077c760. They all
>> follow th
45 matches