Re: general protection fault in crypto_remove_spawns (2)

2019-01-15 Thread Eric Biggers
On Sun, Jan 13, 2019 at 11:19:03PM -0800, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:4b3c31c8d4dd Merge branch 'i2c/for-current' of git://git.k..
> git tree:   upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=144cb81740
> kernel config:  https://syzkaller.appspot.com/x/.config?x=b05cfdb4ee8ab9b2
> dashboard link: https://syzkaller.appspot.com/bug?extid=ee4f315443a4ea97512e
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> 
> Unfortunately, I don't have any reproducer for this crash yet.
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+ee4f315443a4ea975...@syzkaller.appspotmail.com
> 
> binder: 18706:18709 ioctl 40046207 0 returned -16
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault:  [#1] PREEMPT SMP KASAN
> CPU: 1 PID: 18713 Comm: cryptomgr_test Not tainted 5.0.0-rc1+ #21
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:crypto_remove_spawns+0x7ac/0x1340 crypto/algapi.c:194
> Code: 49 8d 7c 24 10 48 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 f2 06 00 00 49
> c7 44 24 10 00 00 00 00 4d 8d 66 10 4c 89 e0 48 c1 e8 03 <80> 3c 18 00 0f 85
> ef 06 00 00 49 83 7e 10 00 74 0a e8 4e 9e 24 fe
> RSP: :888054737b88 EFLAGS: 00010202
> RAX: 0002 RBX: dc00 RCX: 11100a8e6f86
> RDX:  RSI: 835d58d2 RDI: 888085c226b8
> RBP: 888054737df8 R08: 88804fb4e4c0 R09: 88804fb4ed60
> R10: 88804fb4ed40 R11: 0001 R12: 0010
> R13: ed100a8e6f8e R14:  R15: 888054737dd0
> FS:  () GS:8880ae70() knlGS:
> CS:  0010 DS:  ES:  CR0: 80050033
> CR2: 7f6091a29000 CR3: 876f9000 CR4: 001406e0
> kobject: 'loop2' (d1d42c09): kobject_uevent_env
> DR0:  DR1:  DR2: 
> DR3:  DR6: fffe0ff0 DR7: 0400
> Call Trace:
> kobject: 'loop2' (d1d42c09): fill_kobj_path: path =
> '/devices/virtual/block/loop2'
>  crypto_alg_tested+0x52d/0x790 crypto/algapi.c:339
>  cryptomgr_test+0x18/0x30 crypto/algboss.c:226
>  kthread+0x357/0x430 kernel/kthread.c:246
> binder: BINDER_SET_CONTEXT_MGR already set
>  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
> Modules linked in:
> kobject: 'loop3' (91226001): kobject_uevent_env
> binder: 18723:18724 ioctl 40046207 0 returned -16
> kobject: 'loop3' (91226001): fill_kobj_path: path =
> '/devices/virtual/block/loop3'
> kobject: 'loop5' (38d1e891): kobject_uevent_env
> kobject: 'loop5' (38d1e891): fill_kobj_path: path =
> '/devices/virtual/block/loop5'
> kobject: 'loop1' (47f20675): kobject_uevent_env
> kobject: 'loop1' (47f20675): fill_kobj_path: path =
> '/devices/virtual/block/loop1'
> kobject: 'loop0' (f3ca3d42): kobject_uevent_env
> kobject: 'loop0' (f3ca3d42): fill_kobj_path: path =
> '/devices/virtual/block/loop0'
> kobject: 'loop5' (38d1e891): kobject_uevent_env
> kobject: 'loop5' (38d1e891): fill_kobj_path: path =
> '/devices/virtual/block/loop5'
> kobject: 'loop1' (47f20675): kobject_uevent_env
> kobject: 'loop1' (47f20675): fill_kobj_path: path =
> '/devices/virtual/block/loop1'
> kobject: 'loop2' (d1d42c09): kobject_uevent_env
> kobject: 'loop2' (d1d42c09): fill_kobj_path: path =
> '/devices/virtual/block/loop2'
> ---[ end trace d2934b3fdb1c156e ]---
> RIP: 0010:crypto_remove_spawns+0x7ac/0x1340 crypto/algapi.c:194
> Code: 49 8d 7c 24 10 48 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 f2 06 00 00 49
> c7 44 24 10 00 00 00 00 4d 8d 66 10 4c 89 e0 48 c1 e8 03 <80> 3c 18 00 0f 85
> ef 06 00 00 49 83 7e 10 00 74 0a e8 4e 9e 24 fe
> RSP: :888054737b88 EFLAGS: 00010202
> RAX: 0002 RBX: dc00 RCX: 11100a8e6f86
> RDX:  RSI: 835d58d2 RDI: 888085c226b8
> RBP: 888054737df8 R08: 88804fb4e4c0 R09: 88804fb4ed60
> R10: 88804fb4ed40 R11: 0001 R12: 0010
> R13: ed100a8e6f8e R14:  R15: 888054737dd0
> FS:  () GS:8880ae70() knlGS:
> CS:  0010 DS:  ES:  CR0: 80050033
> CR2: 0110cfd0 CR3: 94f35000 CR4: 001406e0
> DR0:  DR1:  DR2: 
> DR3:  DR6: fffe0ff0 DR7: 0400
> 
> 
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
> 
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> 

This may be the

general protection fault in crypto_remove_spawns (2)

2019-01-13 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:4b3c31c8d4dd Merge branch 'i2c/for-current' of git://git.k..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=144cb81740
kernel config:  https://syzkaller.appspot.com/x/.config?x=b05cfdb4ee8ab9b2
dashboard link: https://syzkaller.appspot.com/bug?extid=ee4f315443a4ea97512e
compiler:   gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ee4f315443a4ea975...@syzkaller.appspotmail.com

binder: 18706:18709 ioctl 40046207 0 returned -16
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] PREEMPT SMP KASAN
CPU: 1 PID: 18713 Comm: cryptomgr_test Not tainted 5.0.0-rc1+ #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

RIP: 0010:crypto_remove_spawns+0x7ac/0x1340 crypto/algapi.c:194
Code: 49 8d 7c 24 10 48 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 f2 06 00 00 49  
c7 44 24 10 00 00 00 00 4d 8d 66 10 4c 89 e0 48 c1 e8 03 <80> 3c 18 00 0f  
85 ef 06 00 00 49 83 7e 10 00 74 0a e8 4e 9e 24 fe

RSP: :888054737b88 EFLAGS: 00010202
RAX: 0002 RBX: dc00 RCX: 11100a8e6f86
RDX:  RSI: 835d58d2 RDI: 888085c226b8
RBP: 888054737df8 R08: 88804fb4e4c0 R09: 88804fb4ed60
R10: 88804fb4ed40 R11: 0001 R12: 0010
R13: ed100a8e6f8e R14:  R15: 888054737dd0
FS:  () GS:8880ae70() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7f6091a29000 CR3: 876f9000 CR4: 001406e0
kobject: 'loop2' (d1d42c09): kobject_uevent_env
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
kobject: 'loop2' (d1d42c09): fill_kobj_path: path  
= '/devices/virtual/block/loop2'

 crypto_alg_tested+0x52d/0x790 crypto/algapi.c:339
 cryptomgr_test+0x18/0x30 crypto/algboss.c:226
 kthread+0x357/0x430 kernel/kthread.c:246
binder: BINDER_SET_CONTEXT_MGR already set
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Modules linked in:
kobject: 'loop3' (91226001): kobject_uevent_env
binder: 18723:18724 ioctl 40046207 0 returned -16
kobject: 'loop3' (91226001): fill_kobj_path: path  
= '/devices/virtual/block/loop3'

kobject: 'loop5' (38d1e891): kobject_uevent_env
kobject: 'loop5' (38d1e891): fill_kobj_path: path  
= '/devices/virtual/block/loop5'

kobject: 'loop1' (47f20675): kobject_uevent_env
kobject: 'loop1' (47f20675): fill_kobj_path: path  
= '/devices/virtual/block/loop1'

kobject: 'loop0' (f3ca3d42): kobject_uevent_env
kobject: 'loop0' (f3ca3d42): fill_kobj_path: path  
= '/devices/virtual/block/loop0'

kobject: 'loop5' (38d1e891): kobject_uevent_env
kobject: 'loop5' (38d1e891): fill_kobj_path: path  
= '/devices/virtual/block/loop5'

kobject: 'loop1' (47f20675): kobject_uevent_env
kobject: 'loop1' (47f20675): fill_kobj_path: path  
= '/devices/virtual/block/loop1'

kobject: 'loop2' (d1d42c09): kobject_uevent_env
kobject: 'loop2' (d1d42c09): fill_kobj_path: path  
= '/devices/virtual/block/loop2'

---[ end trace d2934b3fdb1c156e ]---
RIP: 0010:crypto_remove_spawns+0x7ac/0x1340 crypto/algapi.c:194
Code: 49 8d 7c 24 10 48 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 f2 06 00 00 49  
c7 44 24 10 00 00 00 00 4d 8d 66 10 4c 89 e0 48 c1 e8 03 <80> 3c 18 00 0f  
85 ef 06 00 00 49 83 7e 10 00 74 0a e8 4e 9e 24 fe

RSP: :888054737b88 EFLAGS: 00010202
RAX: 0002 RBX: dc00 RCX: 11100a8e6f86
RDX:  RSI: 835d58d2 RDI: 888085c226b8
RBP: 888054737df8 R08: 88804fb4e4c0 R09: 88804fb4ed60
R10: 88804fb4ed40 R11: 0001 R12: 0010
R13: ed100a8e6f8e R14:  R15: 888054737dd0
FS:  () GS:8880ae70() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 0110cfd0 CR3: 94f35000 CR4: 001406e0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
syzbot.


Re: general protection fault in crypto_remove_spawns

2018-01-16 Thread Eric Biggers
On Mon, Nov 27, 2017 at 10:56:46AM -0800, syzbot wrote:
> Hello,
> 
> syzkaller hit the following crash on
> 1ea8d039f9edcfefb20d8ddfe136930f6e551529
> git://git.cmpxchg.org/linux-mmots.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
> 
> 
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault:  [#1] SMP KASAN
> Dumping ftrace buffer:
>(ftrace buffer empty)
> Modules linked in:
> CPU: 0 PID: 25985 Comm: cryptomgr_test Not tainted 4.14.0-mm1+ #25
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> task: 8801c4562180 task.stack: 8801d5b7
> RIP: 0010:crypto_remove_spawns+0x58c/0x1260 crypto/algapi.c:159
> RSP: 0018:8801d5b779e8 EFLAGS: 00010206
> RAX: 0003 RBX: dc00 RCX: 82258aab
> RDX:  RSI: 11003ab6efa6 RDI: 0018
> RBP: 8801d5b77dd8 R08: 8801d5b77d70 R09: 0004
> R10:  R11: 8747dda0 R12: 
> R13: 8801c505bb60 R14: ed003ab6ef4e R15: 8801d5b77db0
> FS:  () GS:8801db40() knlGS:
> CS:  0010 DS:  ES:  CR0: 80050033
> CR2: 7fff1d3ffcac CR3: 0001cf825000 CR4: 001406f0
> DR0:  DR1:  DR2: 
> DR3:  DR6: fffe0ff0 DR7: 0400
> Call Trace:
>  crypto_alg_tested+0x514/0x6f0 crypto/algapi.c:311
>  cryptomgr_test+0x17/0x30 crypto/algboss.c:226
>  kthread+0x37a/0x440 kernel/kthread.c:238
>  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:437
> Code: 84 e3 01 00 00 e8 35 94 4a ff 4c 89 e8 48 c1 e8 03 80 3c 18 00 0f 85
> d8 09 00 00 4d 8b 65 00 49 8d 7c 24 18 48 89 f8 48 c1 e8 03 <80> 3c 18 00 0f
> 85 b4 09 00 00 4d 8b 6c 24 18 4c 3b ad 50 fc ff
> RIP: crypto_remove_spawns+0x58c/0x1260 crypto/algapi.c:159 RSP:
> 8801d5b779e8
> ---[ end trace 14ce8f86fe2873b1 ]---
> Kernel panic - not syncing: Fatal exception
> Dumping ftrace buffer:
>(ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..

Fix for the actual crash now is in Linus' tree:

#syz fix: crypto: algapi - fix NULL dereference in crypto_remove_spawns()


Re: general protection fault in crypto_remove_spawns

2017-11-28 Thread Stephan Müller
Am Montag, 27. November 2017, 19:56:46 CET schrieb syzbot:

Hi Herbert,

The issue seems to trigger a bug whose results we have seen before. When 
starting the reproducer and stopping it shortly thereafter, I see the numerous 
identical entries in /proc/crypto:

name : cmac(des3_ede)
driver   : cmac(des3_ede-asm)
module   : kernel
priority : 200
refcnt   : 1
selftest : passed
internal : no
type : shash
blocksize: 8
digestsize   : 8

name : cmac(des3_ede)
driver   : cmac(des3_ede-asm)
module   : kernel
priority : 200
refcnt   : 1
selftest : passed
internal : no
type : shash
blocksize: 8
digestsize   : 8

name : cmac(des3_ede)
driver   : cmac(des3_ede-asm)
module   : kernel
priority : 200
refcnt   : 1
selftest : passed
internal : no
type : shash
blocksize: 8
digestsize   : 8

...

And this list keeps on growing without end:

# ./repro

# less /proc/crypto | wc
   9559   26456  188754

# ./repro

# less /proc/crypto | wc
  11440   31586  226032

At one point in time I think the system simply has too many entries.

Ciao
Stephan