All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Paul E. McKenney" <paulmck@linux.ibm.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Stefano Brivio <sbrivio@redhat.com>,
	Eric Dumazet <eric.dumazet@gmail.com>,
	Arjan van de Ven <arjan@linux.intel.com>,
	syzbot <syzbot+43f6755d1c2e62743468@syzkaller.appspotmail.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Josh Triplett <josh@joshtriplett.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Ingo Molnar <mingo@kernel.org>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
	netdev <netdev@vger.kernel.org>,
	Cong Wang <xiyou.wangcong@gmail.com>,
	Xin Long <lucien.xin@gmail.com>
Subject: Re: WARNING in __rcu_read_unlock
Date: Tue, 18 Dec 2018 06:02:58 -0800	[thread overview]
Message-ID: <20181218140258.GQ4170@linux.ibm.com> (raw)
In-Reply-To: <CACT4Y+az3--Y2f0OKSbF0kxwckdkKSASVog=XkX=+cXCt5r3ew@mail.gmail.com>

On Tue, Dec 18, 2018 at 02:26:00PM +0100, Dmitry Vyukov wrote:
> On Tue, Dec 18, 2018 at 1:40 PM Stefano Brivio <sbrivio@redhat.com> wrote:
> >
> > On Tue, 18 Dec 2018 09:49:17 +0100
> > Dmitry Vyukov <dvyukov@google.com> wrote:
> >
> > > On Tue, Dec 18, 2018 at 12:18 AM Stefano Brivio <sbrivio@redhat.com> wrote:
> > > >
> > > > On Mon, 17 Dec 2018 16:53:36 +0100
> > > > Dmitry Vyukov <dvyukov@google.com> wrote:
> > > >
> > > > > On Mon, Dec 17, 2018 at 4:24 PM Stefano Brivio <sbrivio@redhat.com> wrote:
> > > > > >
> > > > > > On Mon, 17 Dec 2018 06:57:35 -0800
> > > > > > Eric Dumazet <eric.dumazet@gmail.com> wrote:
> > > > > >
> > > > > > > Might be cause by commit b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e
> > > > > > > fou, fou6: ICMP error handlers for FoU and GUE
> > > > > >
> > > > > > This:
> > > > > >
> > > > > > diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
> > > > > > index 0d0ad19ecb87..20a6de26d146 100644
> > > > > > --- a/net/ipv4/fou.c
> > > > > > +++ b/net/ipv4/fou.c
> > > > > > @@ -1008,6 +1008,9 @@ static int gue_err_proto_handler(int proto, struct sk_buff *skb, u32 info)
> > > > > >  {
> > > > > >         const struct net_protocol *ipprot = rcu_dereference(inet_protos[proto]);
> > > > > >
> > > > > > +       if (ipprot == IPPROTO_UDP)
> > > > > > +               return -EINVAL;
> > > > > > +
> > > > > >         if (ipprot && ipprot->err_handler) {
> > > > > >                 if (!ipprot->err_handler(skb, info))
> > > > > >                         return 0;
> > > > > >
> > > > > > should fix the issue, but I still have to run tests and make sure we
> > > > > > don't hit similar cases.
> > > > >
> > > > > Please don't forget to add a regression test for it too ;)
> > > >
> > > > Where would you suggest to add this? The only selftest that goes
> > >
> > > I dunno. But there must be some place for such tests, right?
> >
> > Not as far as I know. The selftests checking this path, by design, only
> > use supported configurations, they don't forge packets.
> >
> > Maybe it would be nice to have a semi-automated way to isolate and
> > describe/name specific conditions found by syzbot via fuzzing and turn
> > those into tests that are then repeated periodically. I'm not sure how
> > that would look like, but I think it's still more maintainable than a
> > pile of C reproducers with forged packets in selftests/net.
> 
> It would be nice to do something like this. Filed
> https://github.com/google/syzkaller/issues/884
> However, there are few open questions that I am not sure how to resolve yet...
> 
> 
> > Eric, Cong, Xin, as you also recently fixed a nice deal of similar cases
> > reported by syzbot, what do you think? Did you ever feel the need to
> > turn a syzbot reproducer into a regression test case?
> >
> > > > through this path currently is net/pmtu.sh, but as configuration of an
> > > > actual UDP-in-GUE tunnel is currently not supported, I would really
> > > > need to forge that specific packet, so that doesn't seem to be a good
> > > > fit.
> > > >
> > > > Won't syzbot add this to some list of reproducers that are checked in
> > > > the future?
> > >
> > > It won't. Also fuzzing is complementary to testing, not a replacement:
> >
> > Indeed, but that doesn't mean we need to limit the potential of fuzzing
> > because "it's not testing". It can be used to check for regressions,
> > too, especially in these cases.
> >
> > > https://twitter.com/dvyukov/status/1074719682962358272
> >
> > Now, I'm extremely thankful for the work you're doing and especially
> > for finding this subtle condition with syzbot, but this is quite
> > inaccurate. To be exposed to this issue, the user would need to
> > have the fou module loaded (it won't autoload), which is used quite
> > rarely, and, on top of that, have a UDP tunnel configured. It wouldn't
> > have been the kind of "evil packet crashes the internet" scenario you
> > were dreaming of ;)
> 
> Okay, I see. Full bug assessment is hard. I mess it both ways for
> different bugs.
> But I did not claim that it does not require some setup :)
> And maybe there is somebody important on the internet that uses such
> setup. Who knows.

Black hats, if no one else.  ;-)

							Thanx, Paul


  reply	other threads:[~2018-12-18 14:03 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-12-15 12:41 WARNING in __rcu_read_unlock syzbot
2018-12-16 19:04 ` Paul E. McKenney
2018-12-17  9:44   ` Dmitry Vyukov
2018-12-17 11:29     ` Paul E. McKenney
2018-12-17 13:07       ` Dmitry Vyukov
2018-12-17 14:14       ` Arjan van de Ven
2018-12-17 14:40         ` Dmitry Vyukov
2018-12-17 14:49           ` Paul E. McKenney
2018-12-17 14:57           ` Eric Dumazet
2018-12-17 14:59             ` Stefano Brivio
2018-12-17 15:11               ` Dmitry Vyukov
2018-12-17 15:24             ` Stefano Brivio
2018-12-17 15:53               ` Dmitry Vyukov
2018-12-17 23:18                 ` Stefano Brivio
2018-12-18  8:49                   ` Dmitry Vyukov
2018-12-18 12:40                     ` Stefano Brivio
2018-12-18 13:26                       ` Dmitry Vyukov
2018-12-18 14:02                         ` Paul E. McKenney [this message]
2018-12-18 14:12                         ` Stefano Brivio
2018-12-18 16:05                           ` Dmitry Vyukov
2018-12-19  4:12                       ` Cong Wang
2018-12-17 18:21               ` Stefano Brivio
2018-12-17 18:45                 ` Dmitry Vyukov
2018-12-17 19:56                   ` Paul E. McKenney

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181218140258.GQ4170@linux.ibm.com \
    --to=paulmck@linux.ibm.com \
    --cc=akpm@linux-foundation.org \
    --cc=arjan@linux.intel.com \
    --cc=dvyukov@google.com \
    --cc=eric.dumazet@gmail.com \
    --cc=josh@joshtriplett.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lucien.xin@gmail.com \
    --cc=mingo@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=sbrivio@redhat.com \
    --cc=syzbot+43f6755d1c2e62743468@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.