WARNING in kmem_cache_free

[syzbot]

Hello,

syzbot hit the following crash on upstream commit
f2d285669aae656dfeafa0bf25e86bbbc5d22329 (Tue Apr 3 17:45:39 2018 +0000)
Merge tag 'pm-4.17-rc1' of
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=75397ee3df5c70164154

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=5265497960480768
Kernel config: https://syzkaller.appspot.com/x/.config?id=686016073509112605
compiler: gcc (GCC) 7.1.1 20170620
user-space arch: i386

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+75397e...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

cache_from_obj: Wrong slab cache. names_cache but object is from kmalloc-96
WARNING: CPU: 0 PID: 11100 at mm/slab.h:378 cache_from_obj mm/slab.h:376
[inline]
WARNING: CPU: 0 PID: 11100 at mm/slab.h:378 kmem_cache_free+0x226/0x2a0
mm/slab.c:3736
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 11100 Comm: syz-executor3 Not tainted 4.16.0+ #288
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1a7/0x27d lib/dump_stack.c:53
panic+0x1f8/0x42c kernel/panic.c:183
__warn+0x1dc/0x200 kernel/panic.c:547
report_bug+0x1f4/0x2b0 lib/bug.c:186
fixup_bug.part.10+0x37/0x80 arch/x86/kernel/traps.c:178
fixup_bug arch/x86/kernel/traps.c:247 [inline]
do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:991
RIP: 0010:cache_from_obj mm/slab.h:376 [inline]
RIP: 0010:kmem_cache_free+0x226/0x2a0 mm/slab.c:3736
RSP: 0018:ffff8801933a7970 EFLAGS: 00010282
RAX: 000000000000004b RBX: ffff8801dad7e600 RCX: 0000000000000000
RDX: 000000000000004b RSI: ffffc90002a2d000 RDI: ffffed0032674f22
RBP: ffff8801933a7990 R08: ffffed003b604f99 R09: ffffed003b604f99
R10: 0000000000000000 R11: ffffed003b604f98 R12: ffff880199ec2000
R13: ffff8801dad7e600 R14: ffff8801d08585dc R15: 00000000ffffffd8
putname+0xc8/0x130 fs/namei.c:255
filename_lookup+0x315/0x500 fs/namei.c:2324
user_path_at_empty+0x40/0x50 fs/namei.c:2569
user_path include/linux/namei.h:62 [inline]
do_mount+0x15f/0x2b90 fs/namespace.c:2787
C_SYSC_mount fs/compat.c:195 [inline]
compat_SyS_mount+0xd0/0x1070 fs/compat.c:160
do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f47c99
RSP: 002b:00000000f5f42c6c EFLAGS: 00000246 ORIG_RAX: 0000000000000015
RAX: ffffffffffffffda RBX: 00000000080eff11 RCX: 0000000020000000
RDX: 0000000000000000 RSI: 00000000080d6b6d RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.

[Dmitry Vyukov]

On Fri, Apr 6, 2018 at 3:24 PM, syzbot
<syzbot+75397e...@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot hit the following crash on upstream commit
> f2d285669aae656dfeafa0bf25e86bbbc5d22329 (Tue Apr 3 17:45:39 2018 +0000)
> Merge tag 'pm-4.17-rc1' of
> git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
> syzbot dashboard link:
> https://syzkaller.appspot.com/bug?extid=75397ee3df5c70164154
>
> Unfortunately, I don't have any reproducer for this crash yet.
> Raw console output:
> https://syzkaller.appspot.com/x/log.txt?id=5265497960480768
> Kernel config: https://syzkaller.appspot.com/x/.config?id=686016073509112605
> compiler: gcc (GCC) 7.1.1 20170620
> user-space arch: i386
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+75397e...@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
> cache_from_obj: Wrong slab cache. names_cache but object is from kmalloc-96

/\/\/\/\

Interesting type of bug, I think we see this for the first time.

Al, do you see how this can happen?

> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bug...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/001a114467482dbc4b05692df8f9%40google.com.
> For more options, visit https://groups.google.com/d/optout.

[Al Viro]

On Fri, Apr 06, 2018 at 03:33:36PM +0200, Dmitry Vyukov wrote:

> Interesting type of bug, I think we see this for the first time.
>
> Al, do you see how this can happen?

putname() on something that hasn't come from getname(). Short
of reproducer, I don't see what can be done - it can be any
kind of memory corruption. We have
return filename_lookup(dfd, getname_flags(name, flags, empty),
flags, path, NULL);
with filename_lookup() hitting
putname(name);
return retval;
on the way out (and seeing refcount 1, at that, so it hasn't ended
up in audit context). And object it's trying to free is not something
getname_flags() has allocated.

[Matthew Wilcox]

On Fri, Apr 06, 2018 at 03:33:36PM +0200, Dmitry Vyukov wrote:

> On Fri, Apr 6, 2018 at 3:24 PM, syzbot
> <syzbot+75397e...@syzkaller.appspotmail.com> wrote:
> > Unfortunately, I don't have any reproducer for this crash yet.
>

> Interesting type of bug, I think we see this for the first time.

Can you focus syzbot to try to find a reproducer? This seems to be
produced by calling mount() with a pathname that's somewhere between,
say, 3950 & 4100 bytes long from a compat 32-bit task.

[Dmitry Vyukov]

Something in the log definitely triggers a very bad heap corruption.

This can be reproduced following instructions at:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers

and then running:
./syz-execprog -sandbox=namespace -arch=386 -repeat=0 -procs=10 log.txt

where log.txt comes from "Raw console output" link.

Note that you need to build syzkaller with 'make TARGETARCH=386' and
the use bin/linux_386/syz-executor.

While running it I got:
BUG: KASAN: double-free or invalid-free in free_request_size+0x5b/0x70
block/blk-core.c:769
https://gist.githubusercontent.com/dvyukov/05f4e77a34795d329aa7a2f40265e396/raw/63a29123b79f1fbad3521d0ff034946be68bfd4a/gistfile1.txt

Then kernel BUG at mm/slab.c:4407!
https://gist.githubusercontent.com/dvyukov/5b3bcc90d326e9da3636aea2c95ace8f/raw/1589504c708994936681d61ba9d70029998b9b1a/gistfile1.txt

And then BUG: unable to handle kernel paging request at ffffebe000000020
https://gist.githubusercontent.com/dvyukov/72025b1c68e488f4fda243e0c152f044/raw/d2c171bc55ad3a43cea33095fa2eea48768b1131/gistfile1.txt

One interesting thing is that if I run the log once and it does not
crash, then when I try to start binary again I am getting:
[ 456.837870] Invalid argument reading file caps for /root/syz-executor
The binary somehow becomes broken on disk...

I guess syzbot did find a reproducer in this log, but did not
attribute it to this bug as it causes crashes all over the place.

[Dmitry Vyukov]

Running syz-repro utility on this log, I think I've found the guilty guy:
https://gist.githubusercontent.com/dvyukov/1dd75d55efd238e7207af1cc38478b3a/raw/403859b56b161a6fbb158e8953fac5bb6e73b1a1/gistfile1.txt

It crashes as:
BUG: KASAN: use-after-free in drbg_kcapi_seed+0x1178/0x12e0
and:

BUG: unable to handle kernel paging request at ffffebe000000020

and with other indications of badly corrupted heap.

This points to crypto/drbg.c, so +crypto maintainers.

[Stephan Müller]

Am Sonntag, 8. April 2018, 13:18:06 CEST schrieb Dmitry Vyukov:

Hi Dmitry,

>
> Running syz-repro utility on this log, I think I've found the guilty guy:
> https://gist.githubusercontent.com/dvyukov/1dd75d55efd238e7207af1cc38478b3a/
> raw/403859b56b161a6fbb158e8953fac5bb6e73b1a1/gistfile1.txt
>

I am unable to reproduce it with the code. I am using the current
cryptodev-2.6 tree with kazan enabled. Could you please give me your kernel
config or a pointer of the used tree?

> It crashes as:
> BUG: KASAN: use-after-free in drbg_kcapi_seed+0x1178/0x12e0
> and:
> BUG: unable to handle kernel paging request at ffffebe000000020
> and with other indications of badly corrupted heap.
>
> This points to crypto/drbg.c, so +crypto maintainers.

Ciao
Stephan

[Dmitry Vyukov]

On Sun, Apr 8, 2018 at 5:31 PM, Stephan Müller <smue...@chronox.de> wrote:
> Am Sonntag, 8. April 2018, 13:18:06 CEST schrieb Dmitry Vyukov:
>
> Hi Dmitry,
>
>>
>> Running syz-repro utility on this log, I think I've found the guilty guy:
>> https://gist.githubusercontent.com/dvyukov/1dd75d55efd238e7207af1cc38478b3a/
>> raw/403859b56b161a6fbb158e8953fac5bb6e73b1a1/gistfile1.txt
>>
>
> I am unable to reproduce it with the code. I am using the current
> cryptodev-2.6 tree with kazan enabled. Could you please give me your kernel
> config or a pointer of the used tree?

Hi,

Here is config and kernel commit:
https://groups.google.com/d/msg/syzkaller-bugs/PINYyzoaG1s/ntZPOZdcCAAJ
You can also find compiler and image here if necessary:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md

And note that the program needs to be compiled with -m32. The bugs is
probably not-compat specific, but the program injects fault into a
particular malloc invocation and maybe malloc numbering is affected by
compat path.

>> It crashes as:
>> BUG: KASAN: use-after-free in drbg_kcapi_seed+0x1178/0x12e0
>> and:
>> BUG: unable to handle kernel paging request at ffffebe000000020
>> and with other indications of badly corrupted heap.
>>
>> This points to crypto/drbg.c, so +crypto maintainers.
>
>
> Ciao
> Stephan
>
>

> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.

> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/4564679.HlOejCIXXz%40positron.chronox.de.

[Stephan Müller]

Am Sonntag, 8. April 2018, 17:41:17 CEST schrieb Dmitry Vyukov:

Hi Dmitry,
>

> Hi,
>
> Here is config and kernel commit:
> https://groups.google.com/d/msg/syzkaller-bugs/PINYyzoaG1s/ntZPOZdcCAAJ
> You can also find compiler and image here if necessary:
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md
>
> And note that the program needs to be compiled with -m32. The bugs is
> probably not-compat specific, but the program injects fault into a
> particular malloc invocation and maybe malloc numbering is affected by
> compat path.

I am unable to reproduce the issue. But since you mention that you induce errors, I could see that the unlocking of the DRBG context is too soon.

Can you please check whether the attached patch fixes the issue?

Thanks

---8<---

In the error code path, the uninstantiation must be guarded by a lock to
ensure that the modification of the context is fully atomic.

Signed-off-by: Stephan Mueller <smue...@chronox.de>
Reported-by: syzkaller
---
crypto/drbg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index 4faa2781c964..68c1949a253f 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1510,8 +1510,8 @@ static int drbg_instantiate(struct drbg_state *drbg, struct drbg_string *pers,
return ret;

free_everything:
- mutex_unlock(&drbg->drbg_mutex);
drbg_uninstantiate(drbg);
+ mutex_unlock(&drbg->drbg_mutex);
return ret;
}

--
2.14.3

[Theodore Y. Ts'o]

On Sun, Apr 08, 2018 at 09:07:03PM +0200, Stephan Müller wrote:
> Can you please check whether the attached patch fixes the issue?
>

Stephan,

FYI, if you incude in your e-mail "#syz test <GIT URL> <BRANCH>" as
the first line of your patch and the syzbot e-mail is cc'ed, the
syzbot will automatically apply the patch in the e-mail against the
git tree/branch specified in the "#syz test" line, and then try to see
if the problem it discovered still reproduces --- and then send you
e-mail one way or another.

So the syzbot will run while the patch goes through the normal e-mail
review process, which is kind of neat. :-)

Cheers,

- Ted

[Stephan Mueller]

Am Montag, 9. April 2018, 00:46:03 CEST schrieb Theodore Y. Ts'o:

Hi Theodore,

>
> So the syzbot will run while the patch goes through the normal e-mail
> review process, which is kind of neat. :-)

Thank you very much for the hint. That is a neat feature indeed.

As I came late to the party and I missed the original mails, I am wondering
about which GIT repo was used and which branch of it. With that, I would be
happy to resubmit with the test line.

Ciao
Stephan

[Dmitry Vyukov]

All syzbot reported bugs are available here:
https://groups.google.com/forum/#!searchin/syzkaller-bugs/"WARNING$20in$20kmem_cache_free"
and here:
https://syzkaller.appspot.com/

But unfortunately testing won't work in this case, because I manually
extracted a reproducer and syzbot does not know about it. This bug
seems to lead to assorted silent heap corruptions and different
manifestations each time, so it's difficult for syzbot to attribute a
reproducer to the bug. When we debug it, it would be nice to
understand why the heap corruption is silent and is not detected by
KASAN and anything else, to prevent such unpleasant cases in future.

I've tested it manually, but unfortunately kernel still crashed within a minute:

$ git status
HEAD detached at f2d285669aae
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git checkout -- <file>..." to discard changes in working directory)

modified: crypto/drbg.c

$ git diff

diff --git a/crypto/drbg.c b/crypto/drbg.c
index 4faa2781c964..68c1949a253f 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1510,8 +1510,8 @@ static int drbg_instantiate(struct drbg_state
*drbg, struct drbg_string *pers,
return ret;

free_everything:
- mutex_unlock(&drbg->drbg_mutex);
drbg_uninstantiate(drbg);
+ mutex_unlock(&drbg->drbg_mutex);
return ret;
}

# ./a.out
...
[ 183.647874] FAULT_INJECTION: forcing a failure.
[ 183.647874] name failslab, interval 1, probability 0, space 0, times 0
[ 183.648287] Call Trace:
[ 183.648297] dump_stack+0x1b9/0x29f
[ 183.648306] ? arch_local_irq_restore+0x52/0x52
[ 183.648318] ? __save_stack_trace+0x7e/0xd0
[ 183.651848] should_fail.cold.4+0xa/0x1a
[ 183.652411] ? fault_create_debugfs_attr+0x1f0/0x1f0
[ 183.653138] ? kasan_kmalloc+0xc4/0xe0
[ 183.653694] ? __kmalloc+0x14e/0x760
[ 183.654206] ? drbg_kcapi_seed+0x776/0x12e0
[ 183.654798] ? crypto_rng_reset+0x7c/0x130
[ 183.655379] ? rng_setkey+0x25/0x30
[ 183.655882] ? alg_setsockopt+0x306/0x3b0
[ 183.656450] ? graph_lock+0x170/0x170
[ 183.656975] ? entry_SYSENTER_compat+0x70/0x7f
[ 183.657606] ? find_held_lock+0x36/0x1c0
[ 183.658164] ? __lock_is_held+0xb5/0x140
[ 183.658728] ? check_same_owner+0x320/0x320
[ 183.659321] ? rcu_note_context_switch+0x710/0x710
[ 183.660000] should_failslab+0x124/0x180
[ 183.660561] __kmalloc+0x2c8/0x760
[ 183.661046] ? graph_lock+0x170/0x170
[ 183.661569] ? drbg_kcapi_seed+0x882/0x12e0
[ 183.662161] drbg_kcapi_seed+0x882/0x12e0
[ 183.662731] ? drbg_seed+0x10a0/0x10a0
[ 183.663267] ? lock_downgrade+0x8e0/0x8e0
[ 183.663833] ? lock_acquire+0x1dc/0x520
[ 183.664385] ? lock_release+0xa10/0xa10
[ 183.664934] ? check_same_owner+0x320/0x320
[ 183.665530] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 183.666292] ? __check_object_size+0x95/0x5d9
[ 183.666904] ? sock_kmalloc+0x14e/0x1d0
[ 183.667444] ? mark_held_locks+0xc9/0x160
[ 183.668020] ? __might_sleep+0x95/0x190
[ 183.668567] crypto_rng_reset+0x7c/0x130
[ 183.669124] rng_setkey+0x25/0x30
[ 183.669598] ? rng_sock_destruct+0x90/0x90
[ 183.670176] alg_setsockopt+0x306/0x3b0
[ 183.670724] __compat_sys_setsockopt+0x315/0x7c0
[ 183.671375] ? __compat_sys_getsockopt+0x7f0/0x7f0
[ 183.672057] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 183.672813] ? ksys_write+0x1a6/0x250
[ 183.673333] ? SyS_read+0x30/0x30
[ 183.673811] compat_SyS_setsockopt+0x34/0x50
[ 183.674416] ? scm_detach_fds_compat+0x440/0x440
[ 183.675079] do_fast_syscall_32+0x41f/0x10dc
[ 183.675725] ? do_page_fault+0xee/0x8a7
[ 183.676284] ? do_int80_syscall_32+0xa70/0xa70
[ 183.676925] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 183.677590] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 183.678348] ? syscall_return_slowpath+0x30f/0x5c0
[ 183.679026] ? sysret32_from_system_call+0x5/0x3c
[ 183.679694] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 183.680380] entry_SYSENTER_compat+0x70/0x7f
[ 183.681000] RIP: 0023:0xf7f0ecb9
[ 183.681488] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296 ORIG_RAX:
000000000000016e
[ 183.682606] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
[ 183.683620] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
[ 183.684602] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
[ 183.685622] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 183.686642] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 183.687712] CPU: 0 PID: 5506 Comm: a.out Not tainted 4.16.0+ #4
[ 183.688602] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.10.2-1 04/01/2014
[ 183.689764] BUG: unable to handle kernel
[ 183.689776] Call Trace:
[ 183.689782] NULL pointer dereference
[ 183.690367] dump_stack+0x1b9/0x29f
[ 183.690709] at 0000000000000106
[ 183.691237] ? arch_local_irq_restore+0x52/0x52
[ 183.691721] PGD 64a50067
[ 183.692164] should_fail.cold.4+0xa/0x1a
[ 183.692747] P4D 64a50067
[ 183.693110] ? fault_create_debugfs_attr+0x1f0/0x1f0
[ 183.693620] PUD 61a17067
[ 183.693981] ? graph_lock+0x170/0x170
[ 183.694622] PMD 0
[ 183.694980] ? find_held_lock+0x36/0x1c0
[ 183.695766] ? __lock_is_held+0xb5/0x140
[ 183.696285] Oops: 0000 [#1] SMP KASAN
[ 183.696852] ? check_same_owner+0x320/0x320
[ 183.697337] Modules linked in:
[ 183.697962] ? rcu_note_context_switch+0x710/0x710
[ 183.697973] CPU: 2 PID: 4054 Comm: a.out Not tainted 4.16.0+ #4
[ 183.698436] ? drbg_init_hash_kernel+0x300/0x300
[ 183.699060] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.10.2-1 04/01/2014
[ 183.699942] should_failslab+0x124/0x180
[ 183.700559] RIP: 0010:qlist_free_all+0x37/0x160
[ 183.701763] __kmalloc+0x2c8/0x760
[ 183.702292] RSP: 0018:ffff880062de7050 EFLAGS: 00010246
[ 183.702976] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 183.703437] RAX: ffff88000040008c RBX: 0000000000000282 RCX: 0000000000000000
[ 183.704205] ? drbg_kcapi_seed+0x776/0x12e0
[ 183.704804] RDX: ffffea0000010000 RSI: ffff88007ffdc39f RDI: 0000000000000282
[ 183.704812] RBP: ffff880062de7088 R08: ffff88006bb1ce78 R09: 0000000000000006
[ 183.705824] drbg_kcapi_seed+0x776/0x12e0
[ 183.706369] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 183.706377] R13: 000000000000000a R14: ffff88000040008c R15: ffffffff88b172a0
[ 183.707382] ? drbg_seed+0x10a0/0x10a0
[ 183.708311] FS: 0000000000000000(0000) GS:ffff88006c900000(0063)
knlGS:0000000009fbd840
[ 183.708839] ? lock_downgrade+0x8e0/0x8e0
[ 183.709760] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 183.710760] ? lock_acquire+0x1dc/0x520
[ 183.711252] CR2: 0000000000000106 CR3: 00000000651d8002 CR4: 00000000001606e0
[ 183.711257] Call Trace:
[ 183.712390] ? lock_release+0xa10/0xa10
[ 183.712922] quarantine_reduce+0x141/0x170
[ 183.713733] ? check_same_owner+0x320/0x320
[ 183.714246] kasan_kmalloc+0x99/0xe0
[ 183.715244] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 183.715586] kasan_slab_alloc+0x12/0x20
[ 183.716143] ? __check_object_size+0x95/0x5d9
[ 183.716683] kmem_cache_alloc_node+0x131/0x780
[ 183.717282] ? sock_kmalloc+0x14e/0x1d0
[ 183.717760] ? do_raw_spin_unlock+0x1f9/0x2e0
[ 183.718520] ? mark_held_locks+0xc9/0x160
[ 183.719029] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 183.719654] ? __might_sleep+0x95/0x190
[ 183.720280] copy_process.part.39+0x16c4/0x6ee0
[ 183.720828] crypto_rng_reset+0x7c/0x130
[ 183.721434] ? trace_hardirqs_on+0xd/0x10
[ 183.722007] rng_setkey+0x25/0x30
[ 183.722596] ? debug_object_active_state+0x2e7/0x4e0
[ 183.723145] ? rng_sock_destruct+0x90/0x90
[ 183.723745] ? kasan_check_read+0x11/0x20
[ 183.724308] alg_setsockopt+0x306/0x3b0
[ 183.724845] ? rcu_is_watching+0x85/0x140
[ 183.725324] __compat_sys_setsockopt+0x315/0x7c0
[ 183.725972] ? rcu_bh_force_quiescent_state+0x20/0x20
[ 183.726560] ? __compat_sys_getsockopt+0x7f0/0x7f0
[ 183.727091] ? __call_rcu.constprop.68+0x396/0xbb0
[ 183.727643] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 183.728173] ? __cleanup_sighand+0x70/0x70
[ 183.728827] ? ksys_write+0x1a6/0x250
[ 183.729485] ? note_gp_changes+0x540/0x540
[ 183.730161] ? SyS_read+0x30/0x30
[ 183.730797] ? lock_downgrade+0x8e0/0x8e0
[ 183.731558] compat_SyS_setsockopt+0x34/0x50
[ 183.732109] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 183.732636] ? scm_detach_fds_compat+0x440/0x440
[ 183.733180] ? tty_kref_put.part.14+0x81/0x250
[ 183.733657] do_fast_syscall_32+0x41f/0x10dc
[ 183.734190] ? __cleanup_sighand+0x58/0x70
[ 183.734798] ? do_page_fault+0xee/0x8a7
[ 183.735505] ? do_raw_write_trylock+0x1b0/0x1b0
[ 183.736162] ? do_int80_syscall_32+0xa70/0xa70
[ 183.736745] ? print_usage_bug+0xc0/0xc0
[ 183.737367] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 183.737907] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 183.738459] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 183.739057] ? call_rcu_sched+0x12/0x20
[ 183.739700] ? syscall_return_slowpath+0x30f/0x5c0
[ 183.740220] ? release_task.part.15+0xf70/0x1b90
[ 183.740882] ? sysret32_from_system_call+0x5/0x3c
[ 183.741522] ? __lock_acquire+0x7f5/0x5130
[ 183.742290] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 183.742798] ? rcu_is_watching+0x85/0x140
[ 183.743480] entry_SYSENTER_compat+0x70/0x7f
[ 183.744099] ? find_held_lock+0x36/0x1c0
[ 183.744769] RIP: 0023:0xf7f0ecb9
[ 183.745327] ? debug_check_no_locks_freed+0x310/0x310
[ 183.745990] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296
[ 183.746525] ? lock_downgrade+0x8e0/0x8e0
[ 183.747126] ORIG_RAX: 000000000000016e
[ 183.747653] ? find_held_lock+0x36/0x1c0
[ 183.748117] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
[ 183.748800] ? print_usage_bug+0xc0/0xc0
[ 183.749530] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
[ 183.749538] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
[ 183.750087] ? lock_downgrade+0x8e0/0x8e0
[ 183.750632] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 183.751152] ? lock_downgrade+0x8e0/0x8e0
[ 183.752156] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 183.752170] CPU: 3 PID: 5504 Comm: a.out Not tainted 4.16.0+ #4
[ 183.752693] ? __lock_acquire+0x7f5/0x5130
[ 183.753653] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.10.2-1 04/01/2014
[ 183.754595] ? graph_lock+0x170/0x170
[ 183.755167] Call Trace:
[ 183.756102] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 183.756639] dump_stack+0x1b9/0x29f
[ 183.757562] ? debug_check_no_locks_freed+0x310/0x310
[ 183.758333] ? arch_local_irq_restore+0x52/0x52
[ 183.758872] ? find_held_lock+0x36/0x1c0
[ 183.759218] FAULT_INJECTION: forcing a failure.
[ 183.759218] name failslab, interval 1, probability 0, space 0, times 0
[ 183.759966] ? __save_stack_trace+0x7e/0xd0
[ 183.760453] ? lock_downgrade+0x8e0/0x8e0
[ 183.760788] should_fail.cold.4+0xa/0x1a
[ 183.761427] ? do_raw_spin_unlock+0x1f9/0x2e0
[ 183.761933] ? fault_create_debugfs_attr+0x1f0/0x1f0
[ 183.762593] ? do_raw_spin_trylock+0x1b0/0x1b0
[ 183.763216] ? kasan_kmalloc+0xc4/0xe0
[ 183.763742] ? _raw_spin_unlock_irqrestore+0x74/0xc0
[ 183.765288] ? __kmalloc+0x14e/0x760
[ 183.765844] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 183.766423] ? drbg_kcapi_seed+0x776/0x12e0
[ 183.766945] ? trace_hardirqs_on+0xd/0x10
[ 183.767556] ? crypto_rng_reset+0x7c/0x130
[ 183.768227] ? graph_lock+0x170/0x170
[ 183.768845] ? rng_setkey+0x25/0x30
[ 183.769368] ? add_wait_queue+0x2a0/0x2a0
[ 183.770026] ? alg_setsockopt+0x306/0x3b0
[ 183.770501] ? kasan_check_write+0x14/0x20
[ 183.771198] ? graph_lock+0x170/0x170
[ 183.771758] ? do_raw_read_lock+0x3f/0x80
[ 183.772336] ? entry_SYSENTER_compat+0x70/0x7f
[ 183.772887] _do_fork+0x291/0x12a0
[ 183.773416] ? find_held_lock+0x36/0x1c0
[ 183.773881] ? fork_idle+0x1a0/0x1a0
[ 183.774458] ? __lock_is_held+0xb5/0x140
[ 183.774989] ? lock_release+0xa10/0xa10
[ 183.775581] ? check_same_owner+0x320/0x320
[ 183.776070] ? check_same_owner+0x320/0x320
[ 183.776650] ? rcu_note_context_switch+0x710/0x710
[ 183.777234] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 183.777725] should_failslab+0x124/0x180
[ 183.778246] ? put_pid.part.2+0x1bc/0x230
[ 183.778792] __kmalloc+0x2c8/0x760
[ 183.779311] ? __might_sleep+0x95/0x190
[ 183.779871] ? graph_lock+0x170/0x170
[ 183.780426] ? __might_fault+0x1a3/0x1e0
[ 183.781007] ? drbg_kcapi_seed+0x882/0x12e0
[ 183.781643] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 183.782423] drbg_kcapi_seed+0x882/0x12e0
[ 183.782942] ? kernel_wait4+0x2d8/0x3d0
[ 183.783520] ? drbg_seed+0x10a0/0x10a0
[ 183.783980] ? SyS_waitid+0x40/0x40
[ 183.784539] ? lock_downgrade+0x8e0/0x8e0
[ 183.785026] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 183.785596] ? lock_acquire+0x1dc/0x520
[ 183.786146] ? task_stopped_code+0x190/0x190
[ 183.786922] ? lock_release+0xa10/0xa10
[ 183.787451] compat_SyS_x86_clone+0x37/0x50
[ 183.788020] ? check_same_owner+0x320/0x320
[ 183.788517] ? compat_SyS_x86_fallocate+0x60/0x60
[ 183.789028] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 183.789556] do_fast_syscall_32+0x41f/0x10dc
[ 183.790334] ? __check_object_size+0x95/0x5d9
[ 183.790841] ? do_page_fault+0xee/0x8a7
[ 183.791460] ? sock_kmalloc+0x14e/0x1d0
[ 183.791971] ? do_int80_syscall_32+0xa70/0xa70
[ 183.792583] ? mark_held_locks+0xc9/0x160
[ 183.793137] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 183.793820] ? __might_sleep+0x95/0x190
[ 183.794528] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 183.795147] crypto_rng_reset+0x7c/0x130
[ 183.795737] ? syscall_return_slowpath+0x30f/0x5c0
[ 183.796291] rng_setkey+0x25/0x30
[ 183.796803] ? sysret32_from_system_call+0x5/0x3c
[ 183.797442] ? rng_sock_destruct+0x90/0x90
[ 183.797997] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 183.798658] alg_setsockopt+0x306/0x3b0
[ 183.799166] entry_SYSENTER_compat+0x70/0x7f
[ 183.799971] __compat_sys_setsockopt+0x315/0x7c0
[ 183.800486] RIP: 0023:0xf7f0ecb9
[ 183.801190] ? __compat_sys_getsockopt+0x7f0/0x7f0
[ 183.801631] RSP: 002b:00000000ffeb1ec0 EFLAGS: 00000246
[ 183.802312] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 183.802850] ORIG_RAX: 0000000000000078
[ 183.803534] ? ksys_write+0x1a6/0x250
[ 183.804067] RAX: ffffffffffffffda RBX: 0000000001200011 RCX: 0000000000000000
[ 183.804693] ? SyS_read+0x30/0x30
[ 183.805295] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000009fbd8a8
[ 183.805768] compat_SyS_setsockopt+0x34/0x50
[ 183.806404] RBP: 00000000ffeb1ef8 R08: 0000000000000000 R09: 0000000000000000
[ 183.807154] ? scm_detach_fds_compat+0x440/0x440
[ 183.807861] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 183.808421] do_fast_syscall_32+0x41f/0x10dc
[ 183.808900] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 183.808905] Code:
[ 183.809928] ? do_page_fault+0xee/0x8a7
[ 183.810365] 55
[ 183.811385] ? do_int80_syscall_32+0xa70/0xa70
[ 183.811949] 48
[ 183.812992] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 183.813590] 89
[ 183.814630] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 183.815191] e5
[ 183.816214] ? syscall_return_slowpath+0x30f/0x5c0
[ 183.816487] 41
[ 183.817066] ? sysret32_from_system_call+0x5/0x3c
[ 183.817313] 57
[ 183.817958] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 183.818200] 49
[ 183.818869] entry_SYSENTER_compat+0x70/0x7f
[ 183.819109] c7
[ 183.819894] RIP: 0023:0xf7f0ecb9
[ 183.820135] c7
[ 183.820821] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296
[ 183.821065] a0
[ 183.821738] ORIG_RAX: 000000000000016e
[ 183.821984] 72
[ 183.822657] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
[ 183.822900] b1
[ 183.823513] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
[ 183.823760] 88
[ 183.824230] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
[ 183.824238] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 183.824492] 41
[ 183.825238] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 183.825250] CPU: 0 PID: 5512 Comm: a.out Not tainted 4.16.0+ #4
[ 183.825490] 56
[ 183.826073] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.10.2-1 04/01/2014
[ 183.826204] FAULT_INJECTION: forcing a failure.
[ 183.826204] name failslab, interval 1, probability 0, space 0, times 0
[ 183.826315] 41
[ 183.827333] Call Trace:
[ 183.827583] 55
[ 183.828608] dump_stack+0x1b9/0x29f
[ 183.828844] 41
[ 183.829864] ? arch_local_irq_restore+0x52/0x52
[ 183.830780] 54
[ 183.831054] ? __save_stack_trace+0x7e/0xd0
[ 183.831979] 49
[ 183.832860] should_fail.cold.4+0xa/0x1a
[ 183.833097] 89
[ 183.834277] ? fault_create_debugfs_attr+0x1f0/0x1f0
[ 183.835690] f4
[ 183.835964] ? kasan_kmalloc+0xc4/0xe0
[ 183.836300] 53
[ 183.836568] ? __kmalloc+0x14e/0x760
[ 183.836577] ? drbg_kcapi_seed+0x776/0x12e0
[ 183.837061] 48
[ 183.837329] ? crypto_rng_reset+0x7c/0x130
[ 183.837338] ? rng_setkey+0x25/0x30
[ 183.837931] 83
[ 183.838200] ? alg_setsockopt+0x306/0x3b0
[ 183.838748] ec
[ 183.839015] ? __compat_sys_setsockopt+0x315/0x7c0
[ 183.839026] ? do_fast_syscall_32+0x41f/0x10dc
[ 183.839536] 10
[ 183.839814] ? entry_SYSENTER_compat+0x70/0x7f
[ 183.840457] 48
[ 183.840728] ? check_same_owner+0x320/0x320
[ 183.841224] 89
[ 183.841495] ? kasan_check_write+0x14/0x20
[ 183.841969] 7d
[ 183.842572] ? kasan_unpoison_shadow+0x35/0x50
[ 183.842811] c8
[ 183.843405] ? lock_acquire+0x1dc/0x520
[ 183.843867] 4d
[ 183.844142] ? fs_reclaim_acquire+0x20/0x20
[ 183.844665] 89
[ 183.844935] ? lock_downgrade+0x8e0/0x8e0
[ 183.845555] e5
[ 183.846234] ? lock_release+0xa10/0xa10
[ 183.846474] 4d
[ 183.847130] ? drbg_init_sym_kernel+0x516/0x74a
[ 183.847139] ? check_same_owner+0x320/0x320
[ 183.847380] 85
[ 183.847991] ? rcu_note_context_switch+0x710/0x710
[ 183.848229] e4
[ 183.848824] should_failslab+0x124/0x180
[ 183.849063] 0f
[ 183.849707] __kmalloc+0x2c8/0x760
[ 183.849946] 84
[ 183.850505] ? lock_acquire+0x1dc/0x520
[ 183.850744] c8
[ 183.851350] ? __fget+0x3e3/0x650
[ 183.851593] 00
[ 183.852177] ? drbg_kcapi_seed+0x882/0x12e0
[ 183.852416] 00
[ 183.852972] drbg_kcapi_seed+0x882/0x12e0
[ 183.853213] 00
[ 183.853867] ? drbg_seed+0x10a0/0x10a0
[ 183.854414] <49>
[ 183.854688] ? lock_acquire+0x1dc/0x520
[ 183.855313] 63
[ 183.855591] ? __might_fault+0x12b/0x1e0
[ 183.856105] 95
[ 183.856375] ? lock_downgrade+0x8e0/0x8e0
[ 183.856821] fc
[ 183.857090] ? lock_acquire+0x1dc/0x520
[ 183.857590] 00
[ 183.857858] ? lock_release+0xa10/0xa10
[ 183.858319] 00
[ 183.858589] ? check_same_owner+0x320/0x320
[ 183.859131] 00
[ 183.859401] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 183.859928] 4c
[ 183.860200] ? __check_object_size+0x95/0x5d9
[ 183.860689] 8b
[ 183.860983] ? sock_kmalloc+0x14e/0x1d0
[ 183.861482] 30
[ 183.861748] ? do_raw_spin_unlock+0x1f9/0x2e0
[ 183.861758] ? __might_sleep+0x95/0x190
[ 183.862269] 48
[ 183.862539] crypto_rng_reset+0x7c/0x130
[ 183.863079] 29
[ 183.863348] rng_setkey+0x25/0x30
[ 183.863878] d0
[ 183.864150] ? rng_sock_destruct+0x90/0x90
[ 183.864654] 49
[ 183.864924] alg_setsockopt+0x306/0x3b0
[ 183.865488] 83
[ 183.865758] __compat_sys_setsockopt+0x315/0x7c0
[ 183.866488] 3f
[ 183.866758] ? __compat_sys_getsockopt+0x7f0/0x7f0
[ 183.867324] 00
[ 183.867598] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 183.868098] 48
[ 183.868369] ? ksys_write+0x1a6/0x250
[ 183.868941] 89
[ 183.869500] ? SyS_read+0x30/0x30
[ 183.869740] c6
[ 183.870312] compat_SyS_setsockopt+0x34/0x50
[ 183.870551] 0f
[ 183.871043] ? scm_detach_fds_compat+0x440/0x440
[ 183.871289] RIP: qlist_free_all+0x37/0x160 RSP: ffff880062de7050
[ 183.871893] do_fast_syscall_32+0x41f/0x10dc
[ 183.872134] CR2: 0000000000000106
[ 183.872695] ? do_page_fault+0xee/0x8a7
[ 183.872988] ---[ end trace 0fa4e77a7b3c174f ]---
[ 183.873604] ? do_int80_syscall_32+0xa70/0xa70
[ 183.873611] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 183.873622] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 183.873871] Kernel panic - not syncing: Fatal exception
[ 183.874560] ? syscall_return_slowpath+0x30f/0x5c0
[ 183.885552] ? prepare_exit_to_usermode+0x390/0x390
[ 183.886255] ? prepare_exit_to_usermode+0x285/0x390
[ 183.886953] ? perf_trace_sys_enter+0xaf0/0xaf0
[ 183.887609] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 183.888289] entry_SYSENTER_compat+0x70/0x7f
[ 183.888906] RIP: 0023:0xf7f0ecb9
[ 183.889376] RSP: 002b:00000000ffeb1e9c EFLAGS: 00000296 ORIG_RAX:
000000000000016e
[ 183.890447] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000117
[ 183.891452] RDX: 0000000000000001 RSI: 00000000205b1fd0 RDI: 0000000000000000
[ 183.892463] RBP: 0000000020000040 R08: 0000000000000000 R09: 0000000000000000
[ 183.893471] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 183.894481] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 183.895514] Kernel Offset: disabled
[ 183.896034] Rebooting in 86400 seconds..

[Dmitry Vyukov]

On Mon, Apr 9, 2018 at 9:57 AM, Dmitry Vyukov <dvy...@google.com> wrote:
> On Mon, Apr 9, 2018 at 7:40 AM, Stephan Mueller <smue...@chronox.de> wrote:
>> Am Montag, 9. April 2018, 00:46:03 CEST schrieb Theodore Y. Ts'o:
>>
>> Hi Theodore,
>>>
>>> So the syzbot will run while the patch goes through the normal e-mail
>>> review process, which is kind of neat. :-)
>>
>> Thank you very much for the hint. That is a neat feature indeed.
>>
>> As I came late to the party and I missed the original mails, I am wondering
>> about which GIT repo was used and which branch of it. With that, I would be
>> happy to resubmit with the test line.
>
> All syzbot reported bugs are available here:
> https://groups.google.com/forum/#!searchin/syzkaller-bugs/"WARNING$20in$20kmem_cache_free"
> and here:
> https://syzkaller.appspot.com/
>
> But unfortunately testing won't work in this case, because I manually
> extracted a reproducer and syzbot does not know about it. This bug
> seems to lead to assorted silent heap corruptions and different
> manifestations each time, so it's difficult for syzbot to attribute a
> reproducer to the bug. When we debug it, it would be nice to
> understand why the heap corruption is silent and is not detected by
> KASAN and anything else, to prevent such unpleasant cases in future.
>
> I've tested it manually, but unfortunately kernel still crashed within a minute:

Stephan,

Do you have any hypothesis as to why this is not detected by KASAN and
causes silent corruptions?
We generally try to understand such cases and improve KASAN so that it
catches such cases more reliably and they do not cause splashes of
random crashes on syzbot.

Thanks

[Stephan Mueller]

Am Dienstag, 10. April 2018, 17:23:46 CEST schrieb Dmitry Vyukov:

Hi Dmitry,

> Stephan,
>
> Do you have any hypothesis as to why this is not detected by KASAN and
> causes silent corruptions?
> We generally try to understand such cases and improve KASAN so that it
> catches such cases more reliably and they do not cause splashes of
> random crashes on syzbot.

I do not have any hypothesis at this point. I know that you induce some fault.
As you mentioned the drbg_kcapi_seed function, I was looking through the error
code paths to see whether some error handlers trip over each other. But all is
guesswork so far. And I am not even sure whether the bug is in the DRBG code
base.

Looking into the trace you sent, I see a NULL pointer dereference. At one
point there is also the drbg_init_hash_kernel that is called. But nowhere I
see any smoking gun.

Could you please give me a description of the fault you are inducing?

Ciao
Stephan

[Dmitry Vyukov]

Hi Stephan,

What do you mean by description of the fault?
It's kernel standard FAULT_INJECTION facility, it injects faults
mainly into kmalloc/slab_alloc (also in a bunch of other things, but
in this case this seems to be kmalloc). In the repro you can see that
it's injecting a fault into 8-th malloc in the setsockopt syscall.

I wonder why you can't reproduce it. I can trigger it reliably in a
qemu. Let's try this:
I have upstream kernel on b284d4d5a6785f8cd07eda2646a95782373cd01e.
Here is my config:
https://gist.githubusercontent.com/dvyukov/f843ea09bc5b9439a820c8e809a5501d/raw/ad330e9b6b710f57f63b61590747b48230e5cb61/gistfile1.txt
Here is the compiler:
https://storage.googleapis.com/syzkaller/gcc-8.0.1-20180301.tar.gz
Build as: make -jN CC=that/gcc/bin/gcc
Then I start qemu as:

qemu-system-x86_64 -hda wheezy.img -net
user,host=10.0.2.10,hostfwd=tcp::10022-:22 -net nic -nographic -kernel
arch/x86/boot/bzImage -append "kvm-intel.nested=1
kvm-intel.unrestricted_guest=1 kvm-intel.ept=1
kvm-intel.flexpriority=1 kvm-intel.vpid=1
kvm-intel.emulate_invalid_guest_state=1 kvm-intel.eptad=1
kvm-intel.enable_shadow_vmcs=1 kvm-intel.pml=1
kvm-intel.enable_apicv=1 console=ttyS0 root=/dev/sda
earlyprintk=serial slub_debug=UZ vsyscall=native rodata=n oops=panic
panic_on_warn=1 panic=86400" -enable-kvm -pidfile vm_pid -m 2G -smp 4
-cpu host

You can find the wheezy.img and ssh key for it here:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#crash-does-not-reproduce

Then I compile this program:
https://gist.githubusercontent.com/dvyukov/1dd75d55efd238e7207af1cc38478b3a/raw/403859b56b161a6fbb158e8953fac5bb6e73b1a1/gistfile1.txt
as: gcc prog.c -static -m32

Run in the qemu and within a minute it gives me the crash.

[Stephan Mueller]

Am Mittwoch, 11. April 2018, 14:29:45 CEST schrieb Dmitry Vyukov:

Hi Dmitry,
>

> What do you mean by description of the fault?
> It's kernel standard FAULT_INJECTION facility, it injects faults
> mainly into kmalloc/slab_alloc (also in a bunch of other things, but
> in this case this seems to be kmalloc). In the repro you can see that
> it's injecting a fault into 8-th malloc in the setsockopt syscall.

I am now able to reproduce it.

I think I have a smoking gun, but let me test it first.

Ciao
Stephan

[Stephan Müller]

Hi Dimitry,

This fix prevents the kernel from crashing when injecting the fault.
Stack traces are yet shown but I guess that is expected every time
a fault is injected.

As to why KASAN did not notice this one, I am not sure. Maybe it is
because I use two buffer pointers to point to (almost) the same memory
(one that is aligned and one pointing to the complete buffer)?

---8<---

During freeing of the internal buffers used by the DRBG, set the pointer
to NULL. It is possible that the context with the freed buffers is
reused. In case of an error during initialization where the pointers
do not yet point to allocated memory, the NULL value prevents a double
free.

Signed-off-by: Stephan Mueller <smue...@chronox.de>
Reported-by: syzbot+75397e...@syzkaller.appspotmail.com
---
crypto/drbg.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/crypto/drbg.c b/crypto/drbg.c
index 4faa2781c964..466a112a4446 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg)
if (!drbg)
return;
kzfree(drbg->Vbuf);
+ drbg->Vbuf = NULL;
drbg->V = NULL;
kzfree(drbg->Cbuf);
+ drbg->Cbuf = NULL;
drbg->C = NULL;
kzfree(drbg->scratchpadbuf);
drbg->scratchpadbuf = NULL;
--
2.14.3

[Stephan Müller]

Sorry, this time with the proper subject line.

[Dmitry Vyukov]

On Wed, Apr 11, 2018 at 4:26 PM, Stephan Müller <smue...@chronox.de> wrote:
> Hi Dimitry,
>
> This fix prevents the kernel from crashing when injecting the fault.

Good!

> Stack traces are yet shown but I guess that is expected every time
> a fault is injected.

Yes, nothing to fix here.

> As to why KASAN did not notice this one, I am not sure. Maybe it is
> because I use two buffer pointers to point to (almost) the same memory
> (one that is aligned and one pointing to the complete buffer)?

After looking at the fix, I figured out what happened with KASAN.
Filed https://bugzilla.kernel.org/show_bug.cgi?id=199359. In short,
tricky interplay between kzfree, ksize and double-free detection.
If KASAN worked as intended it would give a nice "double-free in this
stack for object allocated in this stack and previously freed in this
stack", which would probably make debugging much simpler.

> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.

> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/2186798.qrgUIDAn9S%40positron.chronox.de.

[Eric Biggers]

Can you please add Fixes and Cc stable?

- Eric

[Stephan Müller]

Add the Fixes, CC stable tags.

---8<---

During freeing of the internal buffers used by the DRBG, set the pointer
to NULL. It is possible that the context with the freed buffers is
reused. In case of an error during initialization where the pointers
do not yet point to allocated memory, the NULL value prevents a double
free.

Cc: sta...@vger.kernel.org
Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers")

[Herbert Xu]

On Thu, Apr 12, 2018 at 08:40:55AM +0200, Stephan Müller wrote:
> Add the Fixes, CC stable tags.
>
> ---8<---
>
> During freeing of the internal buffers used by the DRBG, set the pointer
> to NULL. It is possible that the context with the freed buffers is
> reused. In case of an error during initialization where the pointers
> do not yet point to allocated memory, the NULL value prevents a double
> free.
>
> Cc: sta...@vger.kernel.org
> Fixes: 3cfc3b9721123 ("crypto: drbg - use aligned buffers")
> Signed-off-by: Stephan Mueller <smue...@chronox.de>
> Reported-by: syzbot+75397e...@syzkaller.appspotmail.com

Patch applied. Thanks.
--
Email: Herbert Xu <her...@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt