Re: scsi: sg: assorted memory corruptions

On Sun, Feb 4, 2018 at 10:07 AM, Eric Biggers <ebigge...@gmail.com> wrote: > On Thu, Feb 01, 2018 at 05:21:12PM +0100, 'Dmitry Vyukov' via syzkaller wrote: >> On Thu, Feb 1, 2018 at 5:17 PM, Ben Hutchings >> <ben.hutchi...@codethink.co.uk> wrote: >> > On Th

Re: scsi: sg: assorted memory corruptions

On Thu, Feb 1, 2018 at 5:17 PM, Ben Hutchings <ben.hutchi...@codethink.co.uk> wrote: > On Thu, 2018-02-01 at 08:04 +0100, Dmitry Vyukov wrote: >> On Thu, Feb 1, 2018 at 7:03 AM, Douglas Gilbert <dgilb...@interlog.com> >> wrote: >> > On 2018-01-30 07:22 AM, Dmit

Re: scsi: sg: assorted memory corruptions

On Thu, Feb 1, 2018 at 7:03 AM, Douglas Gilbert <dgilb...@interlog.com> wrote: > On 2018-01-30 07:22 AM, Dmitry Vyukov wrote: >> >> Uh, I've answered this a week ago, but did not notice that Doug >> dropped everybody from CC. Reporting to all. >> >> On Mon, J

Re: scsi: sg: assorted memory corruptions

On Mon, Jan 22, 2018 at 7:57 PM, Douglas Gilbert <dgilb...@interlog.com> wrote: > On 2018-01-22 11:30 AM, Bart Van Assche wrote: >> >> On Mon, 2018-01-22 at 12:06 +0100, Dmitry Vyukov wrote: >>> >>> general protection fault: [#1] SMP KASAN >

scsi: sg: assorted memory corruptions

Hello, The following program triggers assorted memory corruptions on 4.15-rc9: // autogenerated by syzkaller (http://github.com/google/syzkaller) #include #include #include #include #include #define SG_NEXT_CMD_LEN 0x2283 int main() { int fd = open("/dev/sg0", O_RDWR); long len = 9;

Re: scsi: memory leak in sg_start_req

On Thu, Jan 11, 2018 at 7:04 AM, Douglas Gilbert <dgilb...@interlog.com> wrote: > On 2018-01-09 11:05 AM, Dmitry Vyukov wrote: >> >> Hello, >> >> syzkaller has found the following memory leak: >> >> unreferenced object 0x88004c19 (size 8328):

scsi: memory leak in sg_start_req

Hello, syzkaller has found the following memory leak: unreferenced object 0x88004c19 (size 8328): comm "syz-executor", pid 4627, jiffies 4294749150 (age 45.507s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 22 01 00

sg: random memory corruptions

Hello, The following program causes random assorted memory corruptions: https://gist.githubusercontent.com/dvyukov/da3463af2d1ff8c7d3624891b5d7427f/raw/09cf0f4af529f4506f9e0a9fa6bdb066a8777b9d/gistfile1.txt It does some ioctl's on /dev/sg0. general protection fault: [#1] SMP KASAN Modules

Re: [patch] check length passed to SG_NEXT_CMD_LEN

On Fri, Mar 17, 2017 at 12:48 AM, Martin K. Petersen wrote: > Peter Chang writes: > > Applied to 4.11/scsi-fixes. > > Thanks! > > -- > Martin K. Petersen Oracle Linux Engineering Hi, Can you point to the commit/tree? I don't see it here:

Re: [patch] check length passed to SG_NEXT_CMD_LEN

On Thu, Mar 2, 2017 at 7:29 PM, Peter Chang wrote: > now that i think i've got gmail not marking everything as spam... +syzkaller mailing list as this does not seem to appear anywhere on open web From 93409c62db49d15105390315a685e54083029bee Mon Sep 17 00:00:00 2001 From: peter

Re: [PATCH] sg: protect access to to 'reserved' page array

, saving us to allocate pages per request. >>> However, the 'reserved' array is only capable of holding one >>> request, so we need to protect it against concurrent accesses. >>> >>> Cc: sta...@vger.kernel.org >>> Reported-by: Dmitry Vyukov <dvy

Re: scsi: BUG in scsi_init_io

On Tue, Jan 31, 2017 at 10:58 AM, Johannes Thumshirn wrote: > > [...] > >> Please-please-please, let's not use WARN for something that is not a >> kernel bug and is user-triggerable. This makes it impossible to >> automate kernel testing and requires hiring an army of people

scsi: BUG in scsi_init_io

Hello, The following program triggers BUG in scsi_init_io: kernel BUG at drivers/scsi/scsi_lib.c:1043! invalid opcode: [#1] SMP KASAN Modules linked in: CPU: 0 PID: 2899 Comm: a.out Not tainted 4.10.0-rc5+ #201 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011

Re: scsi: use-after-free in bio_copy_from_iter

On Tue, Dec 6, 2016 at 4:38 PM, Johannes Thumshirn <jthumsh...@suse.de> wrote: > On Tue, Dec 06, 2016 at 10:43:57AM +0100, Dmitry Vyukov wrote: >> On Tue, Dec 6, 2016 at 10:32 AM, Johannes Thumshirn <jthumsh...@suse.de> >> wrote: >> > On Mon, Dec 05, 201

Re: scsi: use-after-free in bio_copy_from_iter

On Tue, Dec 6, 2016 at 10:32 AM, Johannes Thumshirn wrote: > On Mon, Dec 05, 2016 at 07:03:39PM +, Al Viro wrote: >> On Mon, Dec 05, 2016 at 04:17:53PM +0100, Johannes Thumshirn wrote: >> > 633 hp = >header; >> > [...] >> > 646 hp->dxferp = (char

Re: scsi: use-after-free in bio_copy_from_iter

On Sat, Dec 3, 2016 at 7:19 PM, Johannes Thumshirn <jthumsh...@suse.de> wrote: > On Sat, Dec 03, 2016 at 04:22:39PM +0100, Dmitry Vyukov wrote: >> On Sat, Dec 3, 2016 at 11:38 AM, Johannes Thumshirn <jthumsh...@suse.de> >> wrote: >> > On Fri, Dec 02, 2016 at 0

Re: scsi: use-after-free in bio_copy_from_iter

On Sat, Dec 3, 2016 at 11:38 AM, Johannes Thumshirn <jthumsh...@suse.de> wrote: > On Fri, Dec 02, 2016 at 05:50:39PM +0100, Dmitry Vyukov wrote: >> On Fri, Nov 25, 2016 at 8:08 PM, Dmitry Vyukov <dvyu...@google.com> wrote: > > [...] > >> >> +David did s

Re: scsi: use-after-free in bio_copy_from_iter

On Fri, Nov 25, 2016 at 8:08 PM, Dmitry Vyukov <dvyu...@google.com> wrote: > Hello, > > The following program triggers use-after-free in bio_copy_from_iter: > https://gist.githubusercontent.com/dvyukov/80cd94b4e4c288f16ee4c787d404118b/raw/10536069562444da51b758bb39655b514ff9

scsi: use-after-free in bio_copy_from_iter

Hello, The following program triggers use-after-free in bio_copy_from_iter: https://gist.githubusercontent.com/dvyukov/80cd94b4e4c288f16ee4c787d404118b/raw/10536069562444da51b758bb39655b514ff93b45/gistfile1.txt == BUG: KASAN:

scsi: machine hang due to write to /dev/sg0

Hello, I am not sure whether there is some to fix or not, since it can be triggered only by root. But still if I run the following program several times in a row, whole machine becomes unusable for several minutes (ssh, ps and pretty much everything hangs): // autogenerated by syzkaller

Re: mm: another VM_BUG_ON_PAGE(PageTail(page))

On Fri, Jan 29, 2016 at 1:35 PM, Kirill A. Shutemov wrote: > From 691a961bb401c5815ed741dac63591efbc6027e3 Mon Sep 17 00:00:00 2001 > From: "Kirill A. Shutemov" > Date: Fri, 29 Jan 2016 15:06:17 +0300 > Subject: [PATCH 2/2]

Re: mm: another VM_BUG_ON_PAGE(PageTail(page))

On Thu, Jan 28, 2016 at 12:40 PM, Kirill A. Shutemov <kir...@shutemov.name> wrote: > On Thu, Jan 28, 2016 at 11:55:14AM +0100, Dmitry Vyukov wrote: >> On Thu, Jan 28, 2016 at 11:51 AM, Kirill A. Shutemov >> <kir...@shutemov.name> wrote: >> > On Thu, Jan 28, 201

mm: another VM_BUG_ON_PAGE(PageTail(page))

Hello, The following program triggers VM_BUG_ON_PAGE(PageTail(page)): // autogenerated by syzkaller (http://github.com/google/syzkaller) #include #include #include #include int main() { int fd; mmap((void*)0x2000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1,

scsi: NULL deref in sg_start_req

Hello, The following program causes NULL deref in sg_start_req: // autogenerated by syzkaller (http://github.com/google/syzkaller) #include #include #include #include #include #ifndef SYS_memfd_create #define SYS_memfd_create 319 #endif int main() { long r[26]; syscall(SYS_mmap,

Re: Potential data race in __scsi_init_queue/ata_sg_setup

worker_thread+0xb0/0x900 kernel/workqueue.c:2170 [] kthread+0x150/0x170 kernel/kthread.c:209 [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:529 The race is between: if (q->kobj.sd) { and: kobj->sd = kn; On Mon, Sep 21, 2015 at 11:58 AM, Dmitry Vyukov <dvyu...

Potential data race in __scsi_init_queue/ata_sg_setup

k+0x688/0x760 block/genhd.c:619 [] sd_probe_async+0x298/0x370 drivers/scsi/sd.c:2896 [] async_run_entry_fn+0x7d/0x1e0 kernel/async.c:123 [] process_one_work+0x47e/0x930 kernel/workqueue.c:2036 [] worker_thread+0xb0/0x900 kernel/workqueue.c:2170 [] kthread+0x150/0x170 kernel/kthread.c:20

Re: Use-after-free in ata_qc_issue

On Sun, Sep 22, 2013 at 9:39 AM, Tejun Heo t...@kernel.org wrote: (cc'ing SCSI people) On Wed, Sep 18, 2013 at 11:45:22AM -0700, Dmitry Vyukov wrote: Hi! I am working on AddressSanitizer -- a tool that detects use-after-free and out-of-bounds bugs (https://code.google.com/p/address

Re: Use-after-free in ata_qc_issue

On Sun, Sep 22, 2013 at 11:24 AM, Dmitry Vyukov dvyu...@google.com wrote: On Sun, Sep 22, 2013 at 9:39 AM, Tejun Heo t...@kernel.org wrote: (cc'ing SCSI people) On Wed, Sep 18, 2013 at 11:45:22AM -0700, Dmitry Vyukov wrote: Hi! I am working on AddressSanitizer -- a tool that detects use

Re: Use-after-free in ata_qc_issue

On Sun, Sep 22, 2013 at 2:47 PM, Tejun Heo t...@kernel.org wrote: Hello, On Sun, Sep 22, 2013 at 11:59:53AM -0700, Dmitry Vyukov wrote: I've noticed that free happens in scsi_error_handler thread, so maybe a timeout or some other error condition is involved here. It is possible that timeout

Re: Potential out-of-bounds access in drivers/scsi/sd.c

On Wed, Sep 4, 2013 at 6:32 PM, Alan Stern st...@rowland.harvard.edu wrote: On Wed, 4 Sep 2013, Dmitry Vyukov wrote: Hi, We are working on a memory error detector AddressSanitizer for Linux kernel (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel), it can detect

Potential out-of-bounds access in drivers/scsi/sd.c

Hi, We are working on a memory error detector AddressSanitizer for Linux kernel (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel), it can detect use-after-free and buffer-overflow errors. Here one of the reports from the tool: [ 166.124485] ERROR: AddressSanitizer: