Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-25 Thread David Ahern
On 4/25/17 10:38 AM, Andrey Konovalov wrote: > I'll keep fuzzing in the meantime to make sure. > Maybe I'll be able to collect more reports or even another reproducer. start a new email thread for each stack trace. I'll write a debug patch for the trace you hit today.

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-25 Thread Andrey Konovalov
On Tue, Apr 25, 2017 at 6:36 PM, Andrey Konovalov wrote: > On Tue, Apr 25, 2017 at 5:56 PM, David Ahern wrote: >> On 3/4/17 11:57 AM, Dmitry Vyukov wrote: >>> == >>> BUG: KASAN: slab-out-of-bounds in rt6_dump_route+0x293/0x2f0 >>>

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-25 Thread Andrey Konovalov
On Tue, Apr 25, 2017 at 5:56 PM, David Ahern wrote: > On 3/4/17 11:57 AM, Dmitry Vyukov wrote: >> == >> BUG: KASAN: slab-out-of-bounds in rt6_dump_route+0x293/0x2f0 >> net/ipv6/route.c:3551 at addr 88007e523694 >> Read of size 4

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-25 Thread David Ahern
On 3/7/17 2:21 AM, Dmitry Vyukov wrote: > [ cut here ] > WARNING: CPU: 2 PID: 3990 at net/ipv6/ip6_fib.c:991 > fib6_add+0x2e12/0x3290 net/ipv6/ip6_fib.c:991 net/ipv6/ip6_fib.c:991 > Kernel panic - not syncing: panic_on_warn set ... > > CPU: 2 PID: 3990 Comm: kworker/2:4

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-25 Thread David Ahern
On 3/4/17 11:57 AM, Dmitry Vyukov wrote: > == > BUG: KASAN: slab-out-of-bounds in rt6_dump_route+0x293/0x2f0 > net/ipv6/route.c:3551 at addr 88007e523694 > Read of size 4 by task syz-executor3/24426 > CPU: 2 PID: 24426 Comm:

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-25 Thread David Ahern
On 4/18/17 2:43 PM, Andrey Konovalov wrote: > kasan: CONFIG_KASAN_INLINE enabled > kasan: GPF could be caused by NULL-ptr deref or user memory access > general protection fault: [#1] SMP KASAN > Modules linked in: > CPU: 1 PID: 4035 Comm: a.out Not tainted 4.11.0-rc7+ #250 > Hardware name:

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-21 Thread Eric Dumazet
On Fri, 2017-04-21 at 08:27 -0600, David Ahern wrote: > On 4/20/17 10:09 AM, Andrey Konovalov wrote: > > On Thu, Apr 20, 2017 at 5:39 PM, Andrey Konovalov > > wrote: > >> On Thu, Apr 20, 2017 at 5:35 PM, David Ahern > >> wrote: > >>> On 4/20/17 9:28 AM, Andrey Konovalov wrote: > This one

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-21 Thread David Ahern
On 4/21/17 10:47 AM, Eric Dumazet wrote: > On Fri, 2017-04-21 at 08:27 -0600, David Ahern wrote: >> On 4/20/17 10:09 AM, Andrey Konovalov wrote: >>> On Thu, Apr 20, 2017 at 5:39 PM, Andrey Konovalov >>> wrote: On Thu, Apr 20, 2017 at 5:35 PM, David Ahern wrote: > On 4/20/17 9:28

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-21 Thread David Ahern
On 4/20/17 10:09 AM, Andrey Konovalov wrote: > On Thu, Apr 20, 2017 at 5:39 PM, Andrey Konovalov > wrote: >> On Thu, Apr 20, 2017 at 5:35 PM, David Ahern >> wrote: >>> On 4/20/17 9:28 AM, Andrey Konovalov wrote: This one seems to be much closer to what Dmitry reported initially. >>> does

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-20 Thread Andrey Konovalov
On Thu, Apr 20, 2017 at 5:39 PM, Andrey Konovalov wrote: > On Thu, Apr 20, 2017 at 5:35 PM, David Ahern wrote: >> On 4/20/17 9:28 AM, Andrey Konovalov wrote: >>> This one seems to be much closer to what Dmitry reported initially. >> >> does not repro here; I ran in a loop and nothing. Here's

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-20 Thread Andrey Konovalov
On Thu, Apr 20, 2017 at 5:35 PM, David Ahern wrote: > On 4/20/17 9:28 AM, Andrey Konovalov wrote: >> This one seems to be much closer to what Dmitry reported initially. > > does not repro here; I ran in a loop and nothing. You use the attached config, right? > > can you send output of "sysctl -a

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-20 Thread David Ahern
On 4/20/17 9:28 AM, Andrey Konovalov wrote: > This one seems to be much closer to what Dmitry reported initially. does not repro here; I ran in a loop and nothing. can you send output of "sysctl -a --pattern 'net.ipv6'"

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-20 Thread Andrey Konovalov
On Thu, Apr 20, 2017 at 5:28 PM, Andrey Konovalov wrote: > I've extracted a reproducer for another bug. It works for me as is, but you might need to run it in a loop. > > This one seems to be much closer to what Dmitry reported initially. > > [ cut here ] > WARNING: CPU:

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-20 Thread Andrey Konovalov
On Thu, Apr 20, 2017 at 10:35 AM, Dmitry Vyukov wrote: > On Thu, Apr 20, 2017 at 1:51 AM, David Ahern wrote: >> On 4/19/17 5:47 PM, Cong Wang wrote: >>> On Wed, Apr 19, 2017 at 9:12 AM, Andrey Konovalov >>> wrote: Anyway, I just finished simplifying the reproducer. Give this one a

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-20 Thread Dmitry Vyukov
On Thu, Apr 20, 2017 at 1:51 AM, David Ahern wrote: > On 4/19/17 5:47 PM, Cong Wang wrote: >> On Wed, Apr 19, 2017 at 9:12 AM, Andrey Konovalov >> wrote: >>> >>> Anyway, I just finished simplifying the reproducer. Give this one a try. >> >> Thanks for providing such a minimal reproducer! >> >>

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-19 Thread David Ahern
On 4/19/17 5:47 PM, Cong Wang wrote: > On Wed, Apr 19, 2017 at 9:12 AM, Andrey Konovalov > wrote: >> >> Anyway, I just finished simplifying the reproducer. Give this one a try. > > Thanks for providing such a minimal reproducer! > > The following patch could fix this crash, but I am not 100%

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-19 Thread Cong Wang
On Wed, Apr 19, 2017 at 9:12 AM, Andrey Konovalov wrote: > > Anyway, I just finished simplifying the reproducer. Give this one a try. Thanks for providing such a minimal reproducer! The following patch could fix this crash, but I am not 100% sure if we should just clear these bits or reject

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-19 Thread David Ahern
On 4/19/17 10:12 AM, Andrey Konovalov wrote: > That's weird. I usually see this when I have CONFIG_USER_NS disabled. I bungled the movement of .config between servers. reproduced. will investigate.

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-19 Thread Andrey Konovalov
On Wed, Apr 19, 2017 at 6:09 PM, David Ahern wrote: > On 4/18/17 2:43 PM, Andrey Konovalov wrote: >> Hi! >> >> I've finally managed to reproduce one of the crashes on commit >> 4f7d029b9bf009fbee76bb10c0c4351a1870d2f3 (4.11-rc7). >> >> I'm not sure if this bug has the same root cause as the first

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-19 Thread David Ahern
On 4/18/17 2:43 PM, Andrey Konovalov wrote: > Hi! > > I've finally managed to reproduce one of the crashes on commit > 4f7d029b9bf009fbee76bb10c0c4351a1870d2f3 (4.11-rc7). > > I'm not sure if this bug has the same root cause as the first one > reported in this thread, but it definitely has to do

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-18 Thread Andrey Konovalov
On Wed, Apr 19, 2017 at 1:20 AM, David Ahern wrote: > On 4/18/17 2:43 PM, Andrey Konovalov wrote: >> I've finally managed to reproduce one of the crashes on commit >> 4f7d029b9bf009fbee76bb10c0c4351a1870d2f3 (4.11-rc7). >> >> I'm not sure if this bug has the same root cause as the first one >>

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-04-18 Thread David Ahern
On 4/18/17 2:43 PM, Andrey Konovalov wrote: > I've finally managed to reproduce one of the crashes on commit > 4f7d029b9bf009fbee76bb10c0c4351a1870d2f3 (4.11-rc7). > > I'm not sure if this bug has the same root cause as the first one > reported in this thread, but it definitely has to do with

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-27 Thread David Ahern
On 3/27/17 6:42 AM, Dmitry Vyukov wrote: > A friendly ping. This still happens all the time for us. Haven't looked at this in a couple of weeks. I have syzkaller installed on a machine locally and never was able to reproduce this ipv6 problem. I am using a jessie rootfs; from the syzkaller files

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-27 Thread Dmitry Vyukov
On Wed, Mar 8, 2017 at 12:55 PM, Dmitry Vyukov wrote: > On Tue, Mar 7, 2017 at 9:00 PM, Dmitry Vyukov wrote: >> On Tue, Mar 7, 2017 at 8:30 PM, Dmitry Vyukov wrote: > On 3/7/17 11:13 AM, Dmitry Vyukov wrote: >>> on this warning: >>> >>> /* dst.next really should not be set at

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-08 Thread Dmitry Vyukov
On Tue, Mar 7, 2017 at 9:00 PM, Dmitry Vyukov wrote: > On Tue, Mar 7, 2017 at 8:30 PM, Dmitry Vyukov wrote: On 3/7/17 11:13 AM, Dmitry Vyukov wrote: >> on this warning: >> >> /* dst.next really should not be set at this point */ >> if (rt->dst.next &&

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-07 Thread David Ahern
On 3/7/17 2:21 AM, Dmitry Vyukov wrote: > I've commented that warning just to see I can obtain more information. > Then I also got this: > > [ cut here ] > WARNING: CPU: 2 PID: 3990 at net/ipv6/ip6_fib.c:991 > fib6_add+0x2e12/0x3290 net/ipv6/ip6_fib.c:991

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-07 Thread Dmitry Vyukov
On Tue, Mar 7, 2017 at 8:30 PM, Dmitry Vyukov wrote: >>> On 3/7/17 11:13 AM, Dmitry Vyukov wrote: > on this warning: > > /* dst.next really should not be set at this point */ > if (rt->dst.next && rt->dst.next->ops->family != AF_INET6) { > pr_warn("fib6_add: adding rt

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-07 Thread Dmitry Vyukov
On Tue, Mar 7, 2017 at 8:02 PM, Dmitry Vyukov wrote: > On Tue, Mar 7, 2017 at 7:43 PM, David Ahern wrote: >> On 3/7/17 11:13 AM, Dmitry Vyukov wrote: on this warning: /* dst.next really should not be set at this point */ if (rt->dst.next && rt->dst.next->ops->family !=

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-07 Thread Dmitry Vyukov
On Tue, Mar 7, 2017 at 7:43 PM, David Ahern wrote: > On 3/7/17 11:13 AM, Dmitry Vyukov wrote: >>> on this warning: >>> >>> /* dst.next really should not be set at this point */ >>> if (rt->dst.next && rt->dst.next->ops->family != AF_INET6) { >>> pr_warn("fib6_add: adding rt with bad next

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-07 Thread David Ahern
On 3/7/17 11:13 AM, Dmitry Vyukov wrote: >> on this warning: >> >> /* dst.next really should not be set at this point */ >> if (rt->dst.next && rt->dst.next->ops->family != AF_INET6) { >> pr_warn("fib6_add: adding rt with bad next -- family %d dst >> flags %x\n", >>

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-07 Thread David Ahern
On 3/7/17 1:43 AM, Dmitry Vyukov wrote: > This is on c1ae3cfa0e89fa1a7ecc4c99031f5e9ae99d9201. No other kernel > output from your patch (pr_err). > > [ cut here ] > WARNING: CPU: 1 PID: 30179 at net/ipv6/ip6_fib.c:158 > rt6_rcu_free+0x61/0x70 net/ipv6/ip6_fib.c:158 >

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-07 Thread Dmitry Vyukov
On Tue, Mar 7, 2017 at 7:03 PM, David Ahern wrote: > On 3/7/17 2:21 AM, Dmitry Vyukov wrote: >> I've commented that warning just to see I can obtain more information. >> Then I also got this: >> >> [ cut here ] >> WARNING: CPU: 2 PID: 3990 at net/ipv6/ip6_fib.c:991 >>

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-07 Thread David Ahern
On 3/7/17 1:43 AM, Dmitry Vyukov wrote: > This is on c1ae3cfa0e89fa1a7ecc4c99031f5e9ae99d9201. No other kernel > output from your patch (pr_err). Is the below supposed to be from the same qemu instance at the time of the crash? cpu1 and cpu2 are both supposedly doing a route insert? > >

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-07 Thread Dmitry Vyukov
On Tue, Mar 7, 2017 at 6:17 PM, 'David Ahern' via syzkaller wrote: > On 3/7/17 1:43 AM, Dmitry Vyukov wrote: >> This is on c1ae3cfa0e89fa1a7ecc4c99031f5e9ae99d9201. No other kernel >> output from your patch (pr_err). > > Is the below supposed to be from the same qemu instance at the time of > the

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-07 Thread Dmitry Vyukov
On Tue, Mar 7, 2017 at 9:43 AM, Dmitry Vyukov wrote: > On Tue, Mar 7, 2017 at 12:41 AM, David Ahern wrote: >> On 3/6/17 11:51 AM, Dmitry Vyukov wrote: >>> We hit it several thousand times, but we get only several dozens of >>> crashes per day on ~80 VMs. So if you try to reproduce it on a single

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-07 Thread Dmitry Vyukov
On Tue, Mar 7, 2017 at 12:41 AM, David Ahern wrote: > On 3/6/17 11:51 AM, Dmitry Vyukov wrote: >> We hit it several thousand times, but we get only several dozens of >> crashes per day on ~80 VMs. So if you try to reproduce it on a single >> machine it can take days for a single crash. >> If you

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-06 Thread David Ahern
On 3/6/17 11:51 AM, Dmitry Vyukov wrote: > We hit it several thousand times, but we get only several dozens of > crashes per day on ~80 VMs. So if you try to reproduce it on a single > machine it can take days for a single crash. > If you are ready to go that route, here are some instructions on >

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-06 Thread Dmitry Vyukov
On Mon, Mar 6, 2017 at 6:31 PM, David Ahern wrote: > On 3/4/17 1:15 PM, Eric Dumazet wrote: >> On Sat, 2017-03-04 at 19:57 +0100, Dmitry Vyukov wrote: >>> On Fri, Mar 3, 2017 at 8:12 PM, David Ahern >>> wrote: On 3/3/17 6:39 AM, Dmitry Vyukov wrote: > I am getting heap out-of-bounds

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-06 Thread David Ahern
On 3/4/17 1:15 PM, Eric Dumazet wrote: > On Sat, 2017-03-04 at 19:57 +0100, Dmitry Vyukov wrote: >> On Fri, Mar 3, 2017 at 8:12 PM, David Ahern wrote: >>> On 3/3/17 6:39 AM, Dmitry Vyukov wrote: I am getting heap out-of-bounds reports in

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-05 Thread Dmitry Vyukov
On Sat, Mar 4, 2017 at 9:15 PM, Eric Dumazet wrote: >> > On 3/3/17 6:39 AM, Dmitry Vyukov wrote: >> >> I am getting heap out-of-bounds reports in >> >> fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone while running >> >> syzkaller fuzzer on 86292b33d4b79ee03e2f43ea0381ef85f077c760. They

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-04 Thread Eric Dumazet
On Sat, 2017-03-04 at 19:57 +0100, Dmitry Vyukov wrote: > On Fri, Mar 3, 2017 at 8:12 PM, David Ahern wrote: > > On 3/3/17 6:39 AM, Dmitry Vyukov wrote: > >> I am getting heap out-of-bounds reports in > >> fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone while running > >> syzkaller fuzzer

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-04 Thread Dmitry Vyukov
On Sat, Mar 4, 2017 at 7:57 PM, Dmitry Vyukov wrote: > On Fri, Mar 3, 2017 at 8:12 PM, David Ahern wrote: >> On 3/3/17 6:39 AM, Dmitry Vyukov wrote: >>> I am getting heap out-of-bounds reports in >>> fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone while running >>> syzkaller fuzzer on

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-04 Thread Dmitry Vyukov
On Fri, Mar 3, 2017 at 8:12 PM, David Ahern wrote: > On 3/3/17 6:39 AM, Dmitry Vyukov wrote: >> I am getting heap out-of-bounds reports in >> fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone while running >> syzkaller fuzzer on 86292b33d4b79ee03e2f43ea0381ef85f077c760. They all >> follow

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-03 Thread David Ahern
On 3/3/17 6:39 AM, Dmitry Vyukov wrote: > I am getting heap out-of-bounds reports in > fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone while running > syzkaller fuzzer on 86292b33d4b79ee03e2f43ea0381ef85f077c760. They all > follow the same pattern: an object of size 216 is allocated from >

Re: net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-03 Thread Dmitry Vyukov
On Fri, Mar 3, 2017 at 8:12 PM, David Ahern wrote: > On 3/3/17 6:39 AM, Dmitry Vyukov wrote: >> I am getting heap out-of-bounds reports in >> fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone while running >> syzkaller fuzzer on 86292b33d4b79ee03e2f43ea0381ef85f077c760. They all >> follow

net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone

2017-03-03 Thread Dmitry Vyukov
Hello, I am getting heap out-of-bounds reports in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone while running syzkaller fuzzer on 86292b33d4b79ee03e2f43ea0381ef85f077c760. They all follow the same pattern: an object of size 216 is allocated from ip_dst_cache slab, and then accessed at
