Re: WARNING in port_delete

2018-07-24 Thread DaeRyong Jeong
I agree that having a C reproducer would be much better. Now I'm working on it. I will immediately let you know once I get the C reproducer. Thank you. Best regards, DaeRyong Jeong On 24 Jul 2018, 4:00 PM +0900, Takashi Iwai wrote: > On Tue, 24 Jul 2018 05:59:56 +0200, > Dae

Re: KASAN: use-after-free Read in link_path_walk

2018-07-23 Thread DaeRyong Jeong
Because our fuzzer has a problem, I don't have a C reproducer so far. I reported the crash because I saw the crash repeatedly in our fuzzer and I hoped the report is helpful. But it seems not enough. If I was wrong and I made you confused, I am really sorry for that. Could you give me a second? I

Re: KASAN: use-after-free Read in link_path_walk

2018-07-23 Thread DaeRyong Jeong
I think that the two crashes below are also related to the same race issue. KASAN: use-after-free Read in nd_jump_root, found in v4.17-rc1 KASAN: use-after-free in set_root, found in v4.18-rc3 == BUG: KASAN: use-after-free in nd_jump_ro

Re: WARNING in port_delete

2018-07-23 Thread DaeRyong Jeong
I just realized that the crash had been spotted by Syzkaller a few days before. (https://syzkaller.appspot.com/bug?id=3490860a465e6b39227c6906f0ef2d40ad4d5bb1) I'm CC'ing Syzkaller's mailing list. Best regards, DaeRyong Jeong On Tue, Jul 24, 2018 at 12:36 PM, Dae R. Jeong wro

Re: KASAN: use-after-free Read in vhost_chr_write_iter

2018-05-22 Thread DaeRyong Jeong
On Mon, May 21, 2018 at 10:38:10AM +0800, Jason Wang wrote: > > > On 18 May 2018 17:24, Jason Wang wrote: > > > > > > On 17 May 2018 21:45, DaeRyong Jeong wrote: > > > We report the crash: KASAN: use-after-free Read in vhost_chr_write_iter > > >

WARNING in ip_recv_error

2018-05-18 Thread DaeRyong Jeong
We report the crash: WARNING in ip_recv_error (I resend the email since I mistakenly missed the subject in my previous email. I'm sorry.) This crash has been found in v4.17-rc1 using RaceFuzzer (a modified version of Syzkaller), which we describe more at the end of this report. Our analysis shows

[no subject]

2018-05-18 Thread DaeRyong Jeong
Bcc: Subject: WARNING in ip_recv_error Reply-To: We report the crash: WARNING in ip_recv_error This crash has been found in v4.17-rc1 using RaceFuzzer (a modified version of Syzkaller), which we describe more at the end of this report. Our analysis shows that the race occurs when invoking two

WARNING in __static_key_slow_dec

2018-05-18 Thread DaeRyong Jeong
We report the crash: WARNING in __static_key_slow_dec This crash has been found in v4.8 using RaceFuzzer (a modified version of Syzkaller), which we describe more at the end of this report. Even though v4.8 is a relatively old version, we did manual verification and we think the bug still exists

KASAN: use-after-free Read in vhost_chr_write_iter

2018-05-17 Thread DaeRyong Jeong
We report the crash: KASAN: use-after-free Read in vhost_chr_write_iter This crash has been found in v4.17-rc1 using RaceFuzzer (a modified version of Syzkaller), which we describe more at the end of this report. Our analysis shows that the race occurs when invoking two syscalls concurrently, writ

KASAN: null-ptr-deref Read in rdma_listen

2018-05-17 Thread DaeRyong Jeong
We report the crash: KASAN: null-ptr-deref Read in rdma_listen This crash has been found in v4.17-rc1 using RaceFuzzer (a modified version of Syzkaller), which we describe more at the end of this report. Our analysis shows that the race occurs when invoking two write syscalls with the command 'lis

Re: KASAN: use-after-free Read in cma_cancel_operation

2018-05-17 Thread DaeRyong Jeong
On Sun, May 13, 2018 at 02:34:13PM -0600, Jason Gunthorpe wrote: > On Fri, May 11, 2018 at 02:25:22PM +0900, DaeRyong Jeong wrote: > > We report the crash: KASAN: use-after-free Read in cma_cancel_operation > > > > Note that this bug is previously reported by

KASAN: use-after-free Read in cma_cancel_operation

2018-05-10 Thread DaeRyong Jeong
We report the crash: KASAN: use-after-free Read in cma_cancel_operation Note that this bug was previously reported by syzkaller. https://syzkaller.appspot.com/bug?id=95f89b8fb9fdc42e28ad586e657fea074e4e719b Nonetheless, this bug has not been fixed yet, and we hope that this report and our analysis, whic

KASAN: null-ptr-deref Read in rds_ib_get_mr

2018-05-10 Thread DaeRyong Jeong
We report the crash: KASAN: null-ptr-deref Read in rds_ib_get_mr Note that this bug was previously reported by syzkaller. https://syzkaller.appspot.com/bug?id=0bb56a5a48b000b52aa2b0d8dd20b1f545214d91 Nonetheless, this bug has not been fixed yet, and we hope that this report and our analysis, which gets

[PATCH v2] tty: Fix data race in tty_insert_flip_string_fixed_flag

2018-04-30 Thread DaeRyong Jeong
x8f/0xc0 fs/ioctl.c:685 entry_SYSCALL_64_fastpath+0x1f/0xbd Signed-off-by: DaeRyong Jeong --- drivers/tty/pty.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c index 364c0e9..0c7ec27 100644 --- a/drivers/tty/pty.c +++ b/drivers/tty/pty.c @@ -110,16

KASAN: use-after-free in loopback_active_get

2018-04-30 Thread DaeRyong Jeong
We report the crash: KASAN: use-after-free in loopback_active_get This crash has been found in v4.17-rc1 using RaceFuzzer (a modified version of Syzkaller), which we describe more at the end of this report. Our analysis shows that the race occurs when invoking two syscalls concurrently, ioctl$SNDR

Re: Unable to handle kernel paging request in snd_seq_oss_readq_puts

2018-04-26 Thread DaeRyong Jeong
On Thu, Apr 26, 2018 at 09:17:45AM +0200, Takashi Iwai wrote: > On Thu, 26 Apr 2018 06:52:27 +0200, > DaeRyong Jeong wrote: > > > > We report the crash: > > unable to handle kernel paging request in snd_seq_oss_readq_puts > > > > This crash has been found i

Unable to handle kernel paging request in snd_seq_oss_readq_puts

2018-04-25 Thread DaeRyong Jeong
We report the crash: unable to handle kernel paging request in snd_seq_oss_readq_puts This crash has been found in v4.16 using RaceFuzzer (a modified version of Syzkaller), which we describe more at the end of this report. Our analysis shows that the race occurs when invoking two syscalls concurre

Re: [PATCH] tty: Fix data race in tty_insert_flip_string_fixed_flag

2018-04-25 Thread DaeRyong Jeong
On Wed, Apr 25, 2018 at 03:39:48PM +0100, Alan Cox wrote: > On Wed, 25 Apr 2018 22:20:50 +0900 > DaeRyong Jeong wrote: > > > tty_insert_flip_string_fixed_flag() copies chars to the buffer indicated > > by tb->used and updates tb->used. > > But tty_insert_flip_st

Re: [PATCH] tty: Fix data race in tty_insert_flip_string_fixed_flag

2018-04-25 Thread DaeRyong Jeong
On Wed, Apr 25, 2018 at 03:41:59PM +0200, Greg KH wrote: > On Wed, Apr 25, 2018 at 10:20:50PM +0900, DaeRyong Jeong wrote: > > tty_insert_flip_string_fixed_flag() copies chars to the buffer indicated > > by tb->used and updates tb->used. > > But tty_insert_flip_string_f

[PATCH] tty: Fix data race in tty_insert_flip_string_fixed_flag

2018-04-25 Thread DaeRyong Jeong
() can send frames. Signed-off-by: DaeRyong Jeong --- drivers/tty/tty_io.c| 16 +--- drivers/tty/tty_ioctl.c | 5 + include/linux/tty.h | 2 ++ 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c index 63114ea35ec1..

Re: KASAN: slab-out-of-bounds Write in tty_insert_flip_string_fixed_flag

2018-04-25 Thread DaeRyong Jeong
I'm really sorry. Best regards, Daeryong Jeong. On Wed, Apr 25, 2018 at 9:53 PM, Greg KH wrote: > On Thu, Apr 19, 2018 at 09:25:08PM +0900, DaeRyong Jeong wrote: >> The patch is attached at the end of this email and can be downloaded from >> here. >> https://k

Re: KASAN: slab-out-of-bounds Write in tty_insert_flip_string_fixed_flag

2018-04-19 Thread DaeRyong Jeong
__start_tty(), Prevent calling wake_up_interruptible_poll() twice by adding the wakeup flag to tty_write_unlock() If there is something that we are missing or we are wrong, please let us know. Thank you. Best regards, Daeryong Jeong diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c i

KASAN: slab-out-of-bounds Write in tty_insert_flip_string_fixed_flag

2018-04-19 Thread DaeRyong Jeong
We report the crash: KASAN: slab-out-of-bounds Write in tty_insert_flip_string_fixed_flag This crash has been found in v4.16 using RaceFuzzer (a modified version of Syzkaller), which we describe more at the end of this report. Our analysis shows that the race occurs when invoking two syscalls conc

Re: kernel BUG at /home/blee/project/race-fuzzer/kernels/kernel_v4.16-rc3/net/packet/af_packet.c:LINE!

2018-04-18 Thread DaeRyong Jeong
le RaceFuzzer precisely interleaves the scheduling at the kernel's instruction level when finding this bug, C repro cannot fully utilize such a feature. Please disregard all code related to "should_hypercall" in the C repro, as this is only for our debugging purposes using our own hyperv

Re: WARNING in refcount_dec

2018-04-18 Thread DaeRyong Jeong
s using our own hypervisor. On Tue, Apr 3, 2018 at 1:12 PM, DaeRyong Jeong wrote: > No. Only the first crash (WARNING in refcount_dec) is reproduced by > the attached reproducer. > > The second crash (kernel bug at af_packet.c:3107) is reproduced by > another reproducer. > We reported

Re: WARNING in refcount_dec

2018-04-02 Thread DaeRyong Jeong
No. Only the first crash (WARNING in refcount_dec) is reproduced by the attached reproducer. The second crash (kernel bug at af_packet.c:3107) is reproduced by another reproducer. We reported it here. http://lkml.iu.edu/hypermail/linux/kernel/1803.3/05324.html On Sun, Apr 1, 2018 at 4:38 PM, Will

kernel BUG at /home/blee/project/race-fuzzer/kernels/kernel_v4.16-rc3/net/packet/af_packet.c:LINE!

2018-03-30 Thread DaeRyong Jeong
We report the crash: kernel BUG at /home/blee/project/race-fuzzer/kernels/kernel_v4.16-rc3/net/packet/af_packet.c:LINE! This crash has been found in v4.16-rc3 using RaceFuzzer (a modified version of Syzkaller), which we describe more at the end of this report. Our analysis shows that the race occu