[PATCH] netfilter: nft_ct: define nft_ct_get_eval_counter() only when needed

2016-02-01 Thread Eric Biggers
This eliminates an "unused function" compiler warning when CONFIG_NF_CONNTRACK_LABELS is not defined. Signed-off-by: Eric Biggers <ebigge...@gmail.com> --- net/netfilter/nft_ct.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct

Re: [PATCH net-next 1/4] siphash: add cryptographically secure PRF

2017-01-06 Thread Eric Biggers
Hi Jason, just a few comments: On Fri, Jan 06, 2017 at 09:10:52PM +0100, Jason A. Donenfeld wrote: > +#define SIPHASH_ALIGNMENT __alignof__(u64) > +typedef u64 siphash_key_t[2]; I was confused by all the functions passing siphash_key_t "by value" until I saw that it's actually typedefed to

[PATCH] net: socket: don't set sk_uid to garbage value in ->setattr()

2016-12-30 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> ->setattr() was recently implemented for socket files to sync the socket inode's uid to the new 'sk_uid' member of struct sock. It does this by copying over the ia_uid member of struct iattr. However, ia_uid is actually only valid when ATTR_U

Re: [PATCH v2 net-next 0/4] Introduce The SipHash PRF

2017-01-07 Thread Eric Biggers
On Sat, Jan 07, 2017 at 03:40:53PM +0100, Jason A. Donenfeld wrote: > This patch series introduces SipHash into the kernel. SipHash is a > cryptographically secure PRF, which serves a variety of functions, and is > introduced in patch #1. The following patch #2 introduces HalfSipHash, > an

Re: [PATCH v2 net-next 3/4] secure_seq: use SipHash in place of MD5

2017-01-07 Thread Eric Biggers
Hi David, On Sat, Jan 07, 2017 at 04:37:36PM -0500, David Miller wrote: > From: "Jason A. Donenfeld" > Date: Sat, 7 Jan 2017 15:40:56 +0100 > > > This gives a clear speed and security improvement. Siphash is both > > faster and is more solid crypto than the aging MD5. [snip] >

[PATCH] net: ibm: emac: remove unused sysrq handler for 'c' key

2017-04-03 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> Since commit d6580a9f1523 ("kexec: sysrq: simplify sysrq-c handler"), the sysrq handler for the 'c' key has been sysrq_crash_op. Debugging code in the ibm_emac driver also tries to register a handler for the 'c' key, but this has n

Re: [PATCH v3 net-next 3/4] tls: kernel TLS support

2017-07-11 Thread Eric Biggers
On Tue, Jul 11, 2017 at 11:53:11AM -0700, Dave Watson wrote: > On 07/11/17 08:29 AM, Steffen Klassert wrote: > > Sorry for replying to old mail... > > > +int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx) > > > +{ > > > > ... > > > > > + > > > + if (!sw_ctx->aead_send) { > > > +

Re: [PATCH] once: switch to new jump label API

2017-09-15 Thread Eric Biggers
On Tue, Aug 22, 2017 at 02:44:41PM -0400, Hannes Frederic Sowa wrote: > Eric Biggers <ebigge...@gmail.com> writes: > > > From: Eric Biggers <ebigg...@google.com> > > > > Switch the DO_ONCE() macro from the deprecated jump label API to the new >

[PATCH] strparser: initialize all callbacks

2017-08-24 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> commit bbb03029a899 ("strparser: Generalize strparser") added more function pointers to 'struct strp_callbacks'; however, kcm_attach() was not updated to initialize them. This could cause the ->lock() and/or ->unlock() funct

[PATCH] once: switch to new jump label API

2017-08-21 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> Switch the DO_ONCE() macro from the deprecated jump label API to the new one. The new one is more readable, and for DO_ONCE() it also makes the generated code more icache-friendly: now the one-time initialization code is placed out-of-line at th

Re: [PATCH] once: switch to new jump label API

2017-10-09 Thread Eric Biggers
On Fri, Sep 15, 2017 at 09:07:51PM -0700, Eric Biggers wrote: > On Tue, Aug 22, 2017 at 02:44:41PM -0400, Hannes Frederic Sowa wrote: > > Eric Biggers <ebigge...@gmail.com> writes: > > > > > From: Eric Biggers <ebigg...@google.com> > > > > > >

[PATCH net-next] once: switch to new jump label API

2017-10-09 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> Switch the DO_ONCE() macro from the deprecated jump label API to the new one. The new one is more readable, and for DO_ONCE() it also makes the generated code more icache-friendly: now the one-time initialization code is placed out-of-line at th

Re: BUG: unable to handle kernel NULL pointer dereference

2017-12-03 Thread Eric Biggers
On Sun, Dec 03, 2017 at 04:37:01AM -0800, syzbot wrote: > BUG: KASAN: use-after-free in skcipher_request_set_tfm > include/crypto/skcipher.h:499 [inline] > BUG: KASAN: use-after-free in crypto_aead_copy_sgl crypto/algif_aead.c:85 > [inline] > BUG: KASAN: use-after-free in _aead_recvmsg

Re: kernel BUG at net/key/af_key.c:LINE!

2017-12-03 Thread Eric Biggers
On Wed, Nov 15, 2017 at 12:29:19PM +0100, Steffen Klassert wrote: > On Fri, Nov 10, 2017 at 02:14:06PM +1100, Herbert Xu wrote: > > On Fri, Nov 10, 2017 at 01:30:38PM +1100, Herbert Xu wrote: > > > > > > I found the problem. This crap is coming from clone_policy. Now > > > let me where this

Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (3)

2017-12-12 Thread Eric Biggers
Hi Steffen, On Fri, Dec 01, 2017 at 08:27:43AM +0100, Steffen Klassert wrote: > On Wed, Nov 22, 2017 at 08:05:00AM -0800, syzbot wrote: > > syzkaller has found reproducer for the following crash on > > 0c86a6bd85ff0629cd2c5141027fc1c8bb6cde9c > >

[PATCH] libceph: don't WARN() if user tries to add invalid key

2017-11-06 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> The WARN_ON(!key->len) in set_secret() in net/ceph/crypto.c is hit if a user tries to add a key of type "ceph" with an invalid payload as follows (assuming CONFIG_CEPH_LIB=y): echo -e -n '\x01\x00\x00\x00\x00\x00\x00\

Re: WARNING: suspicious RCU usage in tipc_bearer_find

2018-05-13 Thread Eric Biggers
On Fri, Feb 09, 2018 at 12:00:01PM -0800, syzbot wrote: > syzbot has found reproducer for the following crash on net-next commit > 617aebe6a97efa539cc4b8a52adccd89596e6be0 (Sun Feb 4 00:25:42 2018 +) > Merge tag 'usercopy-v4.16-rc1' of > git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Re: KASAN: use-after-free Read in remove_wait_queue (2)

2018-05-14 Thread Eric Biggers
[+ppp list and maintainer] On Wed, Feb 28, 2018 at 08:59:02AM -0800, syzbot wrote: > Hello, > > syzbot hit the following crash on upstream commit > f3afe530d644488a074291da04a69a296ab63046 (Tue Feb 27 22:02:39 2018 +) > Merge branch 'fixes-v4.16-rc4' of >

Re: KASAN: use-after-free Read in work_is_static_object

2018-05-08 Thread Eric Biggers
On Mon, Jan 08, 2018 at 12:58:11PM +0100, 'Dmitry Vyukov' via syzkaller-bugs wrote: > On Mon, Jan 8, 2018 at 12:55 PM, Dmitry Vyukov wrote: > > On Mon, Jan 8, 2018 at 12:43 PM, syzbot > > wrote: > >> Hello, > >> > >>

Re: BUG: please report to d...@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx_his

2018-05-08 Thread Eric Biggers
On Sat, May 05, 2018 at 05:57:02PM -0700, syzbot wrote: > Hello, > > syzbot found the following crash on: > > HEAD commit:c1c07416cdd4 Merge tag 'kbuild-fixes-v4.17' of git://git.k.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=13d5de4780 >

Re: KASAN: use-after-free Read in __dev_queue_xmit

2018-05-09 Thread Eric Biggers
On Wed, Jan 03, 2018 at 10:53:14PM -0800, Eric Dumazet wrote: > On Wed, 2018-01-03 at 21:13 -0800, Eric Dumazet wrote: > > Note: all commands must start from beginning of the line in the email body. > > > > I guess skb_probe_transport_header() should be hardened to reject malicious > > packets

Re: KASAN: use-after-free Read in ip6_xmit

2018-05-08 Thread Eric Biggers
On Thu, Jan 04, 2018 at 02:58:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 0e08c463db387a2adcb0243b15ab868a73f87807 > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: KASAN: out-of-bounds Read in ip6_xmit

2018-05-08 Thread Eric Biggers
On Sun, Jan 28, 2018 at 11:24:01AM -0800, syzbot wrote: > Hello, > > syzbot hit the following crash on net-next commit > 6bb46bc57c8e9ce947cc605e555b7204b44d2b10 (Fri Jan 26 16:00:23 2018 +) > Merge branch 'cxgb4-fix-dump-collection-when-firmware-crashed' > > Unfortunately, I don't have any

Re: BUG: please report to d...@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx_his

2018-05-08 Thread Eric Biggers
On Wed, May 09, 2018 at 07:23:41AM +0200, 'Dmitry Vyukov' via syzkaller-bugs wrote: > On Wed, May 9, 2018 at 7:05 AM, Eric Biggers <ebigge...@gmail.com> wrote: > > On Sat, May 05, 2018 at 05:57:02PM -0700, syzbot wrote: > >> Hello, > >> > >> syzbot fo

Re: KASAN: use-after-free Read in sit_tunnel_xmit

2018-05-12 Thread Eric Biggers
On Thu, Feb 15, 2018 at 04:22:28PM -0800, Cong Wang wrote: > On Tue, Feb 13, 2018 at 10:48 AM, Dmitry Vyukov wrote: > > On Mon, Oct 30, 2017 at 7:41 PM, Cong Wang wrote: > >> On Mon, Oct 30, 2017 at 8:34 AM, syzbot > >>

Re: KASAN: use-after-free Read in sctp_packet_transmit

2018-05-12 Thread Eric Biggers
On Fri, Jan 05, 2018 at 02:07:01PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 8a4816cad00bf14642f0ed6043b32d29a05006ce > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel paging request in cgroup_mt_destroy_v1

2018-05-13 Thread Eric Biggers
On Wed, Jan 31, 2018 at 05:58:01PM -0800, syzbot wrote: > Hello, > > syzbot hit the following crash on upstream commit > 3da90b159b146672f830bcd2489dd3a1f4e9e089 (Wed Jan 31 03:07:32 2018 +) > Merge tag 'f2fs-for-4.16-rc1' of > git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs > >

Re: INFO: trying to register non-static key in del_timer_sync

2018-05-13 Thread Eric Biggers
On Sun, Jan 28, 2018 at 10:58:01AM -0800, syzbot wrote: > Hello, > > syzbot hit the following crash on upstream commit > c4e0ca7fa24137e372d6135fe16e8df8e123f116 (Fri Jan 26 23:10:50 2018 +) > Merge tag 'riscv-for-linus-4.15-maintainers' of >

[PATCH] net/smc: check for missing nlattrs in SMC_PNETID messages

2018-05-13 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> It's possible to crash the kernel in several different ways by sending messages to the SMC_PNETID generic netlink family that are missing the expected attributes: - Missing SMC_PNETID_NAME => null pointer dereference when comparing names.

Re: general protection fault in rds_ib_get_mr

2018-05-13 Thread Eric Biggers
On Wed, Mar 21, 2018 at 09:00:01AM -0700, syzbot wrote: > Hello, > > syzbot hit the following crash on upstream commit > 3215b9d57a2c75c4305a3956ca303d7004485200 (Wed Mar 21 00:44:27 2018 +) > Merge tag 'clk-fixes-for-linus' of > git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux >

Re: [PATCH] ppp: remove the PPPIOCDETACH ioctl

2018-05-23 Thread Eric Biggers
On Wed, May 23, 2018 at 11:56:36AM -0400, David Miller wrote: > From: Guillaume Nault > Date: Wed, 23 May 2018 15:57:08 +0200 > > > I'd rather add > > + if (cmd == PPPIOCDETACH) { > > + err = -EINVAL; > > + goto out; > > + } > > > > Making

[PATCH v2] ppp: remove the PPPIOCDETACH ioctl

2018-05-23 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> The PPPIOCDETACH ioctl effectively tries to "close" the given ppp file before f_count has reached 0, which is fundamentally a bad idea. It does check 'f_count < 2', which excludes concurrent operations on the file since they wou

[PATCH] ppp: remove the PPPIOCDETACH ioctl

2018-05-22 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> The PPPIOCDETACH ioctl effectively tries to "close" the given ppp file before f_count has reached 0, which is fundamentally a bad idea. It does check 'f_count < 2', which excludes concurrent operations on the file since they wou

Re: KASAN: use-after-free Read in remove_wait_queue (2)

2018-05-22 Thread Eric Biggers
On Fri, May 18, 2018 at 06:02:23PM +0200, Guillaume Nault wrote: > On Sun, May 13, 2018 at 11:11:55PM -0700, Eric Biggers wrote: > > [+ppp list and maintainer] > > > > This is a bug in ppp_generic.c; it still happens on Linus' tree and it's > > easily > >

[PATCH net] KEYS: DNS: fix parsing multiple options

2018-06-08 Thread Eric Biggers
From: Eric Biggers My recent fix for dns_resolver_preparse() printing very long strings was incomplete, as shown by syzbot which still managed to hit the WARN_ONCE() in set_precision() by adding a crafted "dns_resolver" key: precision 50001 too large WARNING: CPU: 7 PID:

Re: [PATCH net] KEYS: DNS: fix parsing multiple options

2018-06-11 Thread Eric Biggers
Hi Simon, On Mon, Jun 11, 2018 at 11:40:23AM +0200, Simon Horman wrote: > On Fri, Jun 08, 2018 at 09:20:37AM -0700, Eric Biggers wrote: > > From: Eric Biggers > > > > My recent fix for dns_resolver_preparse() printing very long strings was > > incomplete, as shown by

Re: [PATCH net] KEYS: DNS: fix parsing multiple options

2018-06-25 Thread Eric Biggers
On Thu, Jun 14, 2018 at 05:14:30PM +0100, David Howells wrote: > The fix seems to work, but the use of kstrtoul(): > > ret = kstrtoul(eq, 10, ); > > is incorrect since the buffer can't been modified to block out the next > argument if there is one, so the following fails: > > perl

Re: KMSAN reports use of uninitialized memory in pfkey_sendmsg()

2017-12-29 Thread Eric Biggers
On Fri, Dec 29, 2017 at 05:49:34PM +0100, Dmitry Vyukov wrote: > On Fri, Dec 29, 2017 at 5:48 PM, Alexander Potapenko > wrote: > > Hi all, > > > > KMSAN reports a use of uninitialized value on the following program: > > > > == > > // autogenerated by

[PATCH] af_key: fix buffer overread in verify_address_len()

2017-12-29 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> If a message sent to a PF_KEY socket ended with one of the extensions that takes a 'struct sadb_address' but there were not enough bytes remaining in the message for the ->sa_family member of the 'struct sockaddr' which is supposed

[PATCH] af_key: fix buffer overread in parse_exthdrs()

2017-12-29 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> If a message sent to a PF_KEY socket ended with an incomplete extension header (fewer than 4 bytes remaining), then parse_exthdrs() read past the end of the message, into uninitialized memory. Fix it by returning -EINVAL in this case. Repr

Re: WARNING in can_rcv

2018-01-16 Thread Eric Biggers
On Wed, Jan 17, 2018 at 07:39:24AM +0100, Oliver Hartkopp wrote: > > > On 01/16/2018 07:11 PM, Dmitry Vyukov wrote: > > On Tue, Jan 16, 2018 at 7:07 PM, Marc Kleine-Budde > > wrote: > > > On 01/16/2018 06:58 PM, syzbot wrote: > > > > Hello, > > > > > > > > syzkaller hit

Re: dangers of bots on the mailing lists was Re: divide error in ___bpf_prog_run

2018-01-17 Thread Eric Biggers
On Wed, Jan 17, 2018 at 05:18:17PM -0800, Joe Perches wrote: > On Wed, 2018-01-17 at 20:09 -0500, Theodore Ts'o wrote: > > get_maintainer.pl, which is often not accurate > > Examples please. > Well, the primary problem is that place the crash occurs is not necessarily responsible for the bug.

Re: general protection fault in __lock_acquire (2)

2018-01-26 Thread Eric Biggers
On Thu, Nov 02, 2017 at 03:55:00AM -0700, syzbot wrote: > Hello, > > syzkaller hit the following crash on > fa8785e862ef644f742558f1a8c91eca6f3f0004 > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: WARNING: bad unlock balance in ipmr_mfc_seq_stop

2018-01-30 Thread Eric Biggers
On Fri, Dec 15, 2017 at 11:52:01PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > a638349bf6c29433b938141f99225b160551ff48 > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: suspicious RCU usage at ./include/linux/inetdevice.h:LINE

2018-01-30 Thread Eric Biggers
On Thu, Nov 02, 2017 at 03:53:38AM -0700, syzbot wrote: > Hello, > > syzkaller hit the following crash on > ce43f4fd6f103681c7485c2b1967179647e73555 > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: general protection fault in fib6_add (2)

2018-01-30 Thread Eric Biggers
On Wed, Jan 03, 2018 at 10:53:02AM -0800, 'Wei Wang' via syzkaller-bugs wrote: > On Wed, Jan 3, 2018 at 8:16 AM, David Ahern wrote: > > [ +wei...@google.com ] > > > > On 1/2/18 3:58 PM, syzbot wrote: > >> Hello, > >> > >> syzkaller hit the following crash on > >>

Re: BUG: unable to handle kernel paging request in check_memory_region

2018-01-30 Thread Eric Biggers
On Sun, Jan 14, 2018 at 01:22:13AM +0100, Daniel Borkmann wrote: > On 01/13/2018 08:29 AM, Dmitry Vyukov wrote: > > On Fri, Jan 12, 2018 at 11:58 PM, syzbot > > wrote: > >> Hello, > >> > >> syzkaller hit the following crash on > >>

Re: KASAN: use-after-free Read in __bpf_prog_put

2018-01-30 Thread Eric Biggers
On Thu, Jan 11, 2018 at 11:48:28AM +0100, Daniel Borkmann wrote: > Hi Dmitry, > > On 01/11/2018 11:22 AM, Dmitry Vyukov wrote: > > On Thu, Jan 11, 2018 at 11:17 AM, syzbot > > wrote: > >> Hello, > >> > >> syzkaller hit the following crash on

Re: [PATCH ipsec] xfrm: skip policies marked as dead while rehashing

2018-01-30 Thread Eric Biggers
On Sun, Dec 31, 2017 at 08:50:17AM +0100, Steffen Klassert wrote: > On Wed, Dec 27, 2017 at 11:25:45PM +0100, Florian Westphal wrote: > > syzkaller triggered following KASAN splat: > > > > BUG: KASAN: slab-out-of-bounds in xfrm_hash_rebuild+0xdbe/0xf00 > > net/xfrm/xfrm_policy.c:618 > > read of

Re: KASAN: slab-out-of-bounds Read in xfrm_hash_rebuild

2018-01-30 Thread Eric Biggers
On Thu, Dec 21, 2017 at 05:48:01AM -0800, syzbot wrote: > syzkaller has found reproducer for the following crash on > 8f36e00065436412a02d1f50ad77375bdb506300 > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw

Re: KASAN: use-after-free Read in __xfrm_state_lookup

2018-01-30 Thread Eric Biggers
On Wed, Nov 01, 2017 at 10:55:01AM -0700, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 33ad61d0f799656e8987e9c80e6e15151bb857f3 > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: KASAN: use-after-free Read in sctp_association_free

2018-01-30 Thread Eric Biggers
On Thu, Nov 02, 2017 at 08:07:27PM +0800, Xin Long wrote: > On Thu, Nov 2, 2017 at 1:55 AM, syzbot > > wrote: > > Hello, > > > > syzkaller hit the following crash on > > 25a5d23b47994cdb451dcd2bc8ac310a1492f71b > >

Re: KASAN: stack-out-of-bounds Read in rds_sendmsg

2018-01-30 Thread Eric Biggers
On Thu, Dec 21, 2017 at 08:44:32AM -0800, Santosh Shilimkar wrote: > +Avinash > > On 12/21/2017 1:10 AM, syzbot wrote: > > syzkaller has found reproducer for the following crash on > > [..] > > > > > audit: type=1400 audit(1513847224.110:7): avc:  denied  { map } for > > pid=3157

Re: general protection fault in __rds_rdma_map

2018-01-30 Thread Eric Biggers
On Mon, Nov 27, 2017 at 10:30:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > e1d1ea549b57790a3d8cf6300e6ef86118d692a3 > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in sctp_cmp_addr_exact

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 11:49:03PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in neigh_fill_info

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 10:41:00AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: spinlock bad magic (2)

2018-01-30 Thread Eric Biggers
On Mon, Dec 18, 2017 at 06:01:30PM +0100, 'Dmitry Vyukov' via syzkaller-bugs wrote: > On Mon, Dec 18, 2017 at 5:46 PM, Santosh Shilimkar > wrote: > > On 12/18/2017 4:36 AM, syzbot wrote: > >> > >> Hello, > >> > >> syzkaller hit the following crash on > >>

Re: WARNING in inet_sock_destruct

2018-01-30 Thread Eric Biggers
On Sun, Nov 05, 2017 at 01:05:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 7f9ad2ace17a3521a80831208d431170ef71591f > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: WARNING in xfrm_state_fini

2018-01-30 Thread Eric Biggers
On Mon, Nov 27, 2017 at 09:37:07AM -0800, Cong Wang wrote: > On Mon, Nov 27, 2017 at 3:55 AM, Steffen Klassert > wrote: > > On Tue, Nov 21, 2017 at 06:44:04PM -0800, Cong Wang wrote: > >> User-space uses proto==0 as a wildcard, but xfrm_id_proto_match() > >> doesn't

Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (3)

2018-01-30 Thread Eric Biggers
On Wed, Dec 13, 2017 at 06:18:05AM +0100, Steffen Klassert wrote: > On Tue, Dec 12, 2017 at 01:00:31PM -0800, Eric Biggers wrote: > > Hi Steffen, > > > > On Fri, Dec 01, 2017 at 08:27:43AM +0100, Steffen Klassert wrote: > > > On Wed, Nov 22, 2017 at

Re: BUG: unable to handle kernel NULL pointer dereference in addrconf_ifdown

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 11:50:01PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in addrconf_notify

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 11:48:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in tc_fill_qdisc

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 04:49:02AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: general protection fault in sctp_stream_free

2018-01-30 Thread Eric Biggers
On Sun, Nov 05, 2017 at 01:35:02AM -0700, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 2a171788ba7bb61995e98e8163204fc7880f63b2 > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: WARNING: bad unlock balance detected!

2018-01-30 Thread Eric Biggers
On Thu, Dec 14, 2017 at 11:37:00PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 50c4c4e268a2d7a3e58ebb698ac74da0de40ae36 > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in ipv6_get_lladdr

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 08:38:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in qdisc_match_from_root

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 05:43:00AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in ip_mc_up

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 12:40:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: [rds-devel] BUG: unable to handle kernel NULL pointer dereference in rds_send_xmit

2018-01-30 Thread Eric Biggers
On Mon, Dec 18, 2017 at 12:22:51PM -0500, Sowmini Varadhan wrote: > > From: Santosh Shilimkar > > Date: Mon, 18 Dec 2017 08:28:05 -0800 > : > > > Looks like another one tripping on empty transport. Mostly below > > > should > > > address it but we will test it if

Re: WARNING in _copy_to_user

2018-01-30 Thread Eric Biggers
On Fri, Dec 01, 2017 at 03:30:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > df8ba95c572a187ed2aa7403e97a7a7f58c01f00 > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in snmp6_unregister_dev

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 12:35:02AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in inet6_fill_ifinfo

2018-01-30 Thread Eric Biggers
On Mon, Dec 18, 2017 at 11:54:00PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: BUG: unable to handle kernel NULL pointer dereference in sctp_stream_free

2018-01-30 Thread Eric Biggers
On Fri, Dec 22, 2017 at 01:31:26PM +0800, Xin Long wrote: > On Thu, Dec 21, 2017 at 9:13 PM, Marcelo Ricardo Leitner > wrote: > > On Wed, Dec 20, 2017 at 12:51:01PM -0800, syzbot wrote: > > > > from the log: > > [ 89.451366] FAULT_INJECTION: forcing a failure.^M > > [

Re: WARNING in refcount_inc (2)

2018-01-30 Thread Eric Biggers
On Tue, Dec 19, 2017 at 11:26:01AM -0800, syzbot wrote: > syzkaller has found reproducer for the following crash on > 6084b576dca2e898f5c101baef151f7bfdbb606d > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw

Re: KASAN: use-after-free Read in map_lookup_elem

2018-01-30 Thread Eric Biggers
On Fri, Jan 12, 2018 at 02:58:02PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 4147d50978df60f34d444c647dde9e5b34a4315e > git://git.cmpxchg.org/linux-mmots.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console output is attached. > C

Re: KASAN: use-after-free Read in refcount_inc_not_zero

2018-01-30 Thread Eric Biggers
On Thu, Dec 14, 2017 at 10:23:01AM -0800, syzbot wrote: > syzkaller has found reproducer for the following crash on > 82bcf1def3b5f1251177ad47c44f7e17af039b4b > git://git.cmpxchg.org/linux-mmots.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console output is attached.

Re: INFO: trying to register non-static key in pfifo_fast_reset

2018-02-02 Thread Eric Biggers
On Sun, Dec 17, 2017 at 01:56:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 41d8c16909ebda40f7b4982a7f5e2ad102705ade > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: INFO: task hung in bpf_exit_net

2018-02-02 Thread Eric Biggers
On Fri, Dec 22, 2017 at 05:04:37PM -0200, Marcelo Ricardo Leitner wrote: > On Fri, Dec 22, 2017 at 04:28:07PM -0200, Marcelo Ricardo Leitner wrote: > > On Fri, Dec 22, 2017 at 11:58:08AM +0100, Dmitry Vyukov wrote: > > ... > > > > Same with this one, perhaps related to / fixed by: > > > >

Re: suspicious RCU usage at net/tipc/bearer.c:LINE

2018-02-01 Thread Eric Biggers
On Sun, Dec 31, 2017 at 10:58:01AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 5aa90a84589282b87666f92b6c3c917c8080a9bf > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: suspicious RCU usage at net/ipv6/ip6_fib.c:LINE

2018-02-01 Thread Eric Biggers
+wei...@google.com On Tue, Jan 02, 2018 at 03:58:02PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 6bb8824732f69de0f233ae6b1a8158e149627b38 > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is

Re: WARNING in reuseport_add_sock

2018-02-01 Thread Eric Biggers
On Fri, Jan 12, 2018 at 03:58:01PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 30a7acd573899fd8b8ac39236eff6468b195ac7d > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: KASAN: use-after-free Read in tipc_group_size

2018-02-01 Thread Eric Biggers
On Mon, Jan 08, 2018 at 08:11:35PM +, Jon Maloy wrote: > > > > -Original Message- > > From: Cong Wang [mailto:xiyou.wangc...@gmail.com] > > Sent: Monday, January 08, 2018 13:44 > > To: syzbot > > Cc: David Miller

Re: KASAN: slab-out-of-bounds Read in sctp_send_reset_streams

2018-01-31 Thread Eric Biggers
On Sat, Dec 09, 2017 at 02:40:00AM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 328b4ed93b69a6f2083d52f31a240a09e5de386a > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: KASAN: double-free or invalid-free in skb_free_head

2018-01-31 Thread Eric Biggers
On Sun, Dec 17, 2017 at 09:52:01PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > f3b5ad89de16f5d42e8ad36fbdf85f705c1ae051 > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: general protection fault in __netlink_ns_capable

2018-01-31 Thread Eric Biggers
On Thu, Jan 04, 2018 at 10:14:38AM -0800, Andrei Vagin wrote: > On Thu, Jan 04, 2018 at 01:01:17PM +0100, Dmitry Vyukov wrote: > > On Wed, Jan 3, 2018 at 8:37 AM, Andrei Vagin wrote: > > >> > Hello, > > >> > > > >> > syzkaller hit the following crash on > > >> >

Re: [PATCH V4 1/2] ptr_ring: fail early if queue occupies more than KMALLOC_MAX_SIZE

2018-02-10 Thread Eric Biggers
Hi Jason, On Fri, Feb 09, 2018 at 05:45:49PM +0800, Jason Wang wrote: > To avoid slab to warn about exceeded size, fail early if queue > occupies more than KMALLOC_MAX_SIZE. > > Reported-by: syzbot+e4d4f9ddd42955397...@syzkaller.appspotmail.com > Fixes: 2e0ab8ca83c12 ("ptr_ring: array based FIFO

[PATCH net v2] KEYS: DNS: fix parsing multiple options

2018-07-11 Thread Eric Biggers
From: Eric Biggers My recent fix for dns_resolver_preparse() printing very long strings was incomplete, as shown by syzbot which still managed to hit the WARN_ONCE() in set_precision() by adding a crafted "dns_resolver" key: precision 50001 too large WARNING: CPU: 7 PID:

Re: KASAN: use-after-free Read in get_work_pool

2018-03-11 Thread Eric Biggers
On Wed, Feb 14, 2018 at 02:45:05PM +0100, 'Dmitry Vyukov' via syzkaller-bugs wrote: > On Wed, Dec 6, 2017 at 1:50 PM, Dmitry Vyukov wrote: > > On Fri, Oct 27, 2017 at 11:18 PM, Cong Wang > > wrote: > >> On Thu, Oct 26, 2017 at 11:00 PM, Dmitry

Re: [PATCH v2] KEYS: DNS: limit the length of option strings

2018-03-12 Thread Eric Biggers
On Wed, Mar 07, 2018 at 03:54:37PM +, David Howells wrote: > Eric Biggers <ebigge...@gmail.com> wrote: > > > Fix it by limiting option strings (combined name + value) to a much more > > reasonable 128 bytes. The exact limit is arbitrary, but currently the >

[PATCH v2] KEYS: DNS: limit the length of option strings

2018-02-28 Thread Eric Biggers
From: Eric Biggers <ebigg...@google.com> Adding a dns_resolver key whose payload contains a very long option name resulted in that string being printed in full. This hit the WARN_ONCE() in set_precision() during the printk(), because printk() only supports a precision of up to 32767

Re: [PATCH] KEYS: DNS: limit the length of option strings

2018-02-28 Thread Eric Biggers
On Tue, Feb 27, 2018 at 06:34:19PM -0800, Eric Dumazet wrote: > On Tue, 2018-02-27 at 17:49 -0800, Eric Biggers wrote: > > From: Eric Biggers <ebigg...@google.com> > > > > Adding a dns_resolver key whose payload contains a very long option name > > resulted in

Re: [PATCH net] kcm: lock lower socket in kcm_attach

2018-03-12 Thread Eric Biggers
On Mon, Mar 12, 2018 at 02:25:41PM -0700, Tom Herbert wrote: > On Mon, Mar 12, 2018 at 2:09 PM, Eric Biggers <ebigge...@gmail.com> wrote: > > On Mon, Mar 12, 2018 at 02:04:12PM -0700, Tom Herbert wrote: > >> Need to lock lower socket in order to provide mutual exclusio

Re: KASAN: use-after-free Read in strp_data_ready

2018-03-10 Thread Eric Biggers
On Tue, 24 Oct 2017 08:15:01 -0700, syzbot wrote: > Hello, > > syzkaller hit the following crash on > b9f1f1ce866c28e3d9b86202441b220244754a69 > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: [PATCH net] kcm: lock lower socket in kcm_attach

2018-03-12 Thread Eric Biggers
On Mon, Mar 12, 2018 at 02:04:12PM -0700, Tom Herbert wrote: > Need to lock lower socket in order to provide mutual exclusion > with kcm_unattach. > > Fixes: ab7ac4eb9832e32a09f4e804 ("kcm: Kernel Connection Multiplexor module") > Signed-off-by: Tom Herbert > --- Is this

Re: KASAN: use-after-free Read in worker_thread (2)

2018-04-05 Thread Eric Biggers
On Sat, Nov 11, 2017 at 07:56:01AM -0800, syzbot wrote: > syzkaller has found reproducer for the following crash on > d9e0e63d9a6f88440eb201e1491fcf730272c706 > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw

Re: suspicious RCU usage at ./include/net/inet_sock.h:LINE

2018-04-08 Thread Eric Biggers
On Mon, Dec 25, 2017 at 05:45:00PM -0800, syzbot wrote: > syzkaller has found reproducer for the following crash on > fba961ab29e5ffb055592442808bb0f7962e05da > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw

Re: WARNING in kcm_exit_net (2)

2018-04-08 Thread Eric Biggers
On Wed, Nov 29, 2017 at 10:08:01PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 1d3b78bbc6e983fabb3fbf91b76339bf66e4a12c > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console

Re: WARNING in skb_warn_bad_offload

2018-04-08 Thread Eric Biggers
On Wed, Nov 01, 2017 at 09:50:18PM +0300, 'Dmitry Vyukov' via syzkaller-bugs wrote: > On Wed, Nov 1, 2017 at 9:48 PM, syzbot > > wrote: > > Hello, > > > > syzkaller hit the following crash on > >

Re: BUG: please report to d...@vger.kernel.org => prev = 0, last = 0 at net/dccp/ccids/lib/packet_history.c:LINE/tfrc_rx_hist_sample_rtt()

2018-04-08 Thread Eric Biggers
On Thu, Jan 18, 2018 at 01:34:02AM -0800, syzbot wrote: > syzbot has found reproducer for the following crash on linux-next commit > a362f6d2cdbd089dd7040ba66dcb0ad276a20cf7 (Thu Jan 18 07:07:54 2018 +) > Add linux-next specific files for 20180118 > > So far this crash happened 185 times on

Re: KASAN: use-after-free Read in inet_create

2018-04-08 Thread Eric Biggers
[+RDS list and maintainer] On Sat, Dec 09, 2017 at 12:50:01PM -0800, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 82bcf1def3b5f1251177ad47c44f7e17af039b4b > git://git.cmpxchg.org/linux-mmots.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console
