Re: general protection fault in crypto_remove_spawns

2018-01-16 Thread Eric Biggers 
On Mon, Nov 27, 2017 at 10:56:46AM -0800, syzbot wrote:
> Hello,
> 
> syzkaller hit the following crash on
> 1ea8d039f9edcfefb20d8ddfe136930f6e551529
> git://git.cmpxchg.org/linux-mmots.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
> 
> 
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault:  [#1] SMP KASAN
> Dumping ftrace buffer:
>(ftrace buffer empty)
> Modules linked in:
> CPU: 0 PID: 25985 Comm: cryptomgr_test Not tainted 4.14.0-mm1+ #25
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> task: 8801c4562180 task.stack: 8801d5b7
> RIP: 0010:crypto_remove_spawns+0x58c/0x1260 crypto/algapi.c:159
> RSP: 0018:8801d5b779e8 EFLAGS: 00010206
> RAX: 0003 RBX: dc00 RCX: 82258aab
> RDX:  RSI: 11003ab6efa6 RDI: 0018
> RBP: 8801d5b77dd8 R08: 8801d5b77d70 R09: 0004
> R10:  R11: 8747dda0 R12: 
> R13: 8801c505bb60 R14: ed003ab6ef4e R15: 8801d5b77db0
> FS:  () GS:8801db40() knlGS:
> CS:  0010 DS:  ES:  CR0: 80050033
> CR2: 7fff1d3ffcac CR3: 0001cf825000 CR4: 001406f0
> DR0:  DR1:  DR2: 
> DR3:  DR6: fffe0ff0 DR7: 0400
> Call Trace:
>  crypto_alg_tested+0x514/0x6f0 crypto/algapi.c:311
>  cryptomgr_test+0x17/0x30 crypto/algboss.c:226
>  kthread+0x37a/0x440 kernel/kthread.c:238
>  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:437
> Code: 84 e3 01 00 00 e8 35 94 4a ff 4c 89 e8 48 c1 e8 03 80 3c 18 00 0f 85
> d8 09 00 00 4d 8b 65 00 49 8d 7c 24 18 48 89 f8 48 c1 e8 03 <80> 3c 18 00 0f
> 85 b4 09 00 00 4d 8b 6c 24 18 4c 3b ad 50 fc ff
> RIP: crypto_remove_spawns+0x58c/0x1260 crypto/algapi.c:159 RSP:
> 8801d5b779e8
> ---[ end trace 14ce8f86fe2873b1 ]---
> Kernel panic - not syncing: Fatal exception
> Dumping ftrace buffer:
>(ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..

Fix for the actual crash now is in Linus' tree:

#syz fix: crypto: algapi - fix NULL dereference in crypto_remove_spawns()

Re: general protection fault in crypto_remove_spawns

2017-11-28 Thread Stephan Müller 
Am Montag, 27. November 2017, 19:56:46 CET schrieb syzbot:

Hi Herbert,

The issue seems to trigger a bug whose results we have seen before. When 
starting the reproducer and stopping it shortly thereafter, I see the numerous 
identical entries in /proc/crypto:

name : cmac(des3_ede)
driver   : cmac(des3_ede-asm)
module   : kernel
priority : 200
refcnt   : 1
selftest : passed
internal : no
type : shash
blocksize: 8
digestsize   : 8

name : cmac(des3_ede)
driver   : cmac(des3_ede-asm)
module   : kernel
priority : 200
refcnt   : 1
selftest : passed
internal : no
type : shash
blocksize: 8
digestsize   : 8

name : cmac(des3_ede)
driver   : cmac(des3_ede-asm)
module   : kernel
priority : 200
refcnt   : 1
selftest : passed
internal : no
type : shash
blocksize: 8
digestsize   : 8

...

And this list keeps on growing without end:

# ./repro

# less /proc/crypto | wc
   9559   26456  188754

# ./repro

# less /proc/crypto | wc
  11440   31586  226032

At one point in time I think the system simply has too many entries.

Ciao
Stephan