"possible deadlock in console_lock_spinning_enable" and "possible deadlock in console_unlock" should be duplicate crash behaviors

16 views
Skip to first unread message

慕冬亮

unread,
Jan 21, 2021, 12:37:32 AM1/21/21
to Greg KH, jiri...@kernel.org, linux-kernel, syzkaller-bugs, syzkaller
Dear kernel developers,

I found that on the syzbot dashboard, “possible deadlock in
console_lock_spinning_enable”[1] and "possible deadlock in
console_unlock"[2] should share the same root cause.

The reasons for the above statement:
1) the stack trace is the same, and this title difference is due to
the inline property of "console_lock_spinning_enable";
2) their PoCs are the same as each other;

If you can have any issues with this statement or our information is
useful to you, please let us know. Thanks very much.

[1] “possible deadlock in console_lock_spinning_enable” -
https://syzkaller.appspot.com/bug?id=2820deb61d92a8d7ab17a56ced58e963e65d76d0
[2] “possible deadlock in console_unlock” -
https://syzkaller.appspot.com/bug?id=39ea6caa479af471183997376dc7e90bc7d64a6a



--
My best regards to you.

No System Is Safe!
Dongliang Mu

Greg KH

unread,
Jan 21, 2021, 3:17:32 AM1/21/21
to 慕冬亮, jiri...@kernel.org, linux-kernel, syzkaller-bugs, syzkaller
Any proposed patch for these issues?

thanks,

greg k-h

Lukas Bulwahn

unread,
Jan 21, 2021, 7:49:52 AM1/21/21
to 慕冬亮, Greg KH, jiri...@kernel.org, linux-kernel, syzkaller-bugs, syzkaller
Dongliang, what is the purpose of this activity?

Why do inform the kernel maintainers that two issues share the root cause?

How does this activity contribute to fixing the bugs? Why does it
become easier to fix the issue/create a patch with the information you
provide?
(Honestly, I do not see how it does. I believe if anyone becomes
active and fixes the issue due to either one of the two reports, the
one report would be closed by the reported-by tag and the other report
would simply disappear after time because it could never be reproduced
and hence, syzbot would close it.)

Would it not be more reasonable to fix issues rather than identifying
duplicates in the automatically filled and managed database?

Best regards,

Lukas

慕冬亮

unread,
Jan 22, 2021, 12:47:39 AM1/22/21
to Lukas Bulwahn, Greg KH, jiri...@kernel.org, linux-kernel, syzkaller-bugs, syzkaller
On Thu, Jan 21, 2021 at 8:49 PM Lukas Bulwahn <lukas....@gmail.com> wrote:
>
> On Thu, Jan 21, 2021 at 6:37 AM 慕冬亮 <mudongl...@gmail.com> wrote:
> >
> > Dear kernel developers,
> >
> > I found that on the syzbot dashboard, “possible deadlock in
> > console_lock_spinning_enable”[1] and "possible deadlock in
> > console_unlock"[2] should share the same root cause.
> >
> > The reasons for the above statement:
> > 1) the stack trace is the same, and this title difference is due to
> > the inline property of "console_lock_spinning_enable";
> > 2) their PoCs are the same as each other;
> >
> > If you can have any issues with this statement or our information is
> > useful to you, please let us know. Thanks very much.
> >
> > [1] “possible deadlock in console_lock_spinning_enable” -
> > https://syzkaller.appspot.com/bug?id=2820deb61d92a8d7ab17a56ced58e963e65d76d0
> > [2] “possible deadlock in console_unlock” -
> > https://syzkaller.appspot.com/bug?id=39ea6caa479af471183997376dc7e90bc7d64a6a
> >
> >
>
> Dongliang, what is the purpose of this activity?

Lukas,

We are conducting some research on the crash deduplication (or
identifying unique bugs) of kernel crash reports. We would like to
share some results from our research to facilitate the bugfix in the
syzbot dashboard.

>
> Why do inform the kernel maintainers that two issues share the root cause?
>
> How does this activity contribute to fixing the bugs? Why does it
> become easier to fix the issue/create a patch with the information you
> provide?

I do this for three reasons:

(1) I think the reports sharing the same root cause may expedite the
patching processing and help generate more complete patches. After
patching bugs in one case, we can close the other cases quicker.
Without these reports, one developer might be misled to develop an
incomplete patch due to a lack of understanding of the underlying bug
[1].
(2) I think it might help maintainers to better assess the severity of
the bug and thus could prioritize their effort.
(3) Multiple reports might better help maintainers diagnose the bug's
root cause.

[1] https://groups.google.com/g/syzkaller-bugs/c/9u_hEFvNbLw/m/CO9bfF8zCQAJ

> (Honestly, I do not see how it does. I believe if anyone becomes
> active and fixes the issue due to either one of the two reports, the
> one report would be closed by the reported-by tag and the other report
> would simply disappear after time because it could never be reproduced
> and hence, syzbot would close it.)
>
> Would it not be more reasonable to fix issues rather than identifying
> duplicates in the automatically filled and managed database?

Yes, fixing issues or bugs is the ultimate goal. However, crash
deduplication does benefit the bugfix process, and can reduce the
heavy burden on the kernel developers. To make our analysis more
useful, we will try our best to add some root cause analysis and how
to fix the underlying bug.

>
> Best regards,
>
> Lukas

Lukas Bulwahn

unread,
Jan 22, 2021, 1:02:45 AM1/22/21
to 慕冬亮, Greg KH, jiri...@kernel.org, linux-kernel, syzkaller-bugs, syzkaller
Well, I am not really convinced, but I guess you will convince me when
(thanks to your feature) all bugs reported by syzbot are quickly fixed
and quickly closed.

good luck :)

Lukas

Null

unread,
Sep 29, 2022, 3:48:58 AMSep 29
to syzkaller
Dear kernel developers,

I found that on the syzbot dashboard, “KASAN: global-out-of-bounds Read in __xfrm6_tunnel_spi_lookup”[1], “general protection fault in __xfrm6_tunnel_spi_lookup”[2] and
“KASAN: slab-out-of-bounds Read in __xfrm6_tunnel_spi_lookup”[3] should share the same root cause.


The reasons for the above statement:
1) the stack traces are similar;
2) their PoCs are similar;
3) We extract their kernel objects related to root cause, which are similar.(xfrm6_tunnel_net
,xfrm6_tunnel_spi)

I continued Mu Dongliang's work and proposed a kernel object driven classification method.  Our new method is also conducive to the determination of root cause.


If you can have any issues with this statement or our information is useful to you, please let us know. Thanks very much.

[1] “KASAN: global-out-of-bounds Read in __xfrm6_tunnel_spi_lookup”-https://syzkaller.appspot.com/bug?id=00b1cbe14832bf7d39a13afd464e5b1da6485ce4
[2] “general protection fault in __xfrm6_tunnel_spi_lookup”-https://syzkaller.appspot.com/bug?id=d4ba8fdd2f9b47a2d1087f8368cc86b4de4eb63c
[3] “KASAN: slab-out-of-bounds Read in __xfrm6_tunnel_spi_lookup”-https://syzkaller.appspot.com/bug?id=aa3cd47728fab91e32dde562a353e64316b38c67

Dmitry Vyukov

unread,
Sep 29, 2022, 4:46:13 AMSep 29
to Null, syzkaller
On Thu, 29 Sept 2022 at 09:49, Null <zxy...@gmail.com> wrote:
>
> Dear kernel developers,
>
> I found that on the syzbot dashboard, “KASAN: global-out-of-bounds Read in __xfrm6_tunnel_spi_lookup”[1], “general protection fault in __xfrm6_tunnel_spi_lookup”[2] and
> “KASAN: slab-out-of-bounds Read in __xfrm6_tunnel_spi_lookup”[3] should share the same root cause.
>
> The reasons for the above statement:
> 1) the stack traces are similar;
> 2) their PoCs are similar;
> 3) We extract their kernel objects related to root cause, which are similar.(xfrm6_tunnel_net
> ,xfrm6_tunnel_spi)
>
> I continued Mu Dongliang's work and proposed a kernel object driven classification method. Our new method is also conducive to the determination of root cause.
>
> If you can have any issues with this statement or our information is useful to you, please let us know. Thanks very much.
>
> [1] “KASAN: global-out-of-bounds Read in __xfrm6_tunnel_spi_lookup”-https://syzkaller.appspot.com/bug?id=00b1cbe14832bf7d39a13afd464e5b1da6485ce4
> [2] “general protection fault in __xfrm6_tunnel_spi_lookup”-https://syzkaller.appspot.com/bug?id=d4ba8fdd2f9b47a2d1087f8368cc86b4de4eb63c
> [3] “KASAN: slab-out-of-bounds Read in __xfrm6_tunnel_spi_lookup”-https://syzkaller.appspot.com/bug?id=aa3cd47728fab91e32dde562a353e64316b38c67

Hi Null,

I think if these would be reported today, syzbot would automatically
merge them based on "alt titles". So this agrees with your analysis.
Alt titles are extracted from the stack traces and bug type.
> --
> You received this message because you are subscribed to the Google Groups "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller/5a27a9ae-0fdd-4ba3-8bd5-9f99df3a6b2cn%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages