From: Stefano Brivio <sbrivio@redhat.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
Eric Dumazet <eric.dumazet@gmail.com>,
syzbot <syzbot+4ad25edc7a33e4ab91e0@syzkaller.appspotmail.com>,
David Miller <davem@davemloft.net>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
linux-kernel <linux-kernel@vger.kernel.org>,
Network Development <netdev@vger.kernel.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Subject: Re: kernel panic: stack is corrupted in udp4_lib_lookup2
Date: Fri, 4 Jan 2019 19:05:44 +0100 [thread overview]
Message-ID: <20190104190544.4b0bfaee@redhat.com> (raw)
In-Reply-To: <CACT4Y+bq+X6UFTWmbGz1V0GAjPXizxfk_pLqcq8KkDkp3K-ERg@mail.gmail.com>
On Fri, 4 Jan 2019 18:26:16 +0100
Dmitry Vyukov <dvyukov@google.com> wrote:
> On Fri, Jan 4, 2019 at 6:14 PM Stefano Brivio <sbrivio@redhat.com> wrote:
> >
> > On Fri, 4 Jan 2019 12:05:04 +0100
> > Dmitry Vyukov <dvyukov@google.com> wrote:
> >
> > > I've added these as tests:
> > >
> > > https://github.com/google/syzkaller/blob/master/pkg/report/testdata/linux/report/341
> > > https://github.com/google/syzkaller/blob/master/pkg/report/testdata/linux/report/342
> > > https://github.com/google/syzkaller/blob/master/pkg/report/testdata/linux/report/343
> > > https://github.com/google/syzkaller/blob/master/pkg/report/testdata/linux/report/344
> > >
> > > Will try to figure out how to distinguish them from true corrupted
> > > reports. Usually when Call Trace does not have any frames, it's a sign
> > > of a corrupted report, and in other crashes we see the same report but
> > > with a stack trace. But some stack-corruption-related reliably don't
> > > have stack traces (not corrupted). But then some other
> > > stack-corruption-related crashes do have stack traces, and for these
> > > no stack trace again means a corrupted kernel output. Amusingly this
> > > is one of the most complex parts of syzkaller.
> >
> > I'm not sure how complicated that would be, but what about some metric
> > based on valid symbol names being reported?
>
> Please elaborate. What do you mean by "valid symbol names"?
I mean a symbol name listed in /proc/kallsyms on the running system.
This is usually my minimum threshold for "I can do something with this
report" -- which doesn't mean it's necessarily valid, but well, if you
have that, it means that at least something worked in the reporting,
and you can at least start having a look at a specific function.
> Note that corrupted output detection solves 2 problems:
> 1. Do we think the output is truncated to the point of being not useful?
> E.g. sometimes kernel produces just 1 line:
>
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
>
> This is sure a crash, but it's not too useful to report.
Sure. In those tests above you have:
- 341: udp6_lib_lookup2+0x622, handle_irq+0x2cb
- 342: __sanitizer_cov_trace_pc+0x8, handle_irq+0x2cb
- 343: __udp6_lib_err, etc.
- 344: __udp6_lib_lookup+0x1d, etc.
and this makes all those reports at least minimally useful.
> 2. Do we have any reasons to think we extracted bogus crash identity?
> E.g. crash intermixed with output from another thread so that we say
> "something-bad in function foo", when in fact function foo come from
> output of the second non-crashing thread.
Okay, this looks way more complicated :)
--
Stefano
next prev parent reply other threads:[~2019-01-04 18:05 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-03 13:07 kernel panic: stack is corrupted in udp4_lib_lookup2 syzbot
2019-01-03 19:39 ` Willem de Bruijn
2019-01-03 19:41 ` Willem de Bruijn
2019-01-03 20:00 ` Stefano Brivio
2019-01-03 20:01 ` Eric Dumazet
2019-01-03 20:07 ` Stefano Brivio
2019-01-03 21:15 ` Willem de Bruijn
2019-01-03 21:54 ` Stefano Brivio
2019-01-04 10:32 ` Dmitry Vyukov
2019-01-04 10:34 ` Dmitry Vyukov
2019-01-04 10:54 ` Stefano Brivio
2019-01-04 11:05 ` Dmitry Vyukov
2019-01-04 17:14 ` Stefano Brivio
2019-01-04 17:24 ` Willem de Bruijn
2019-01-04 17:50 ` Stefano Brivio
2019-01-04 17:26 ` Dmitry Vyukov
2019-01-04 18:05 ` Stefano Brivio [this message]
2019-01-07 9:04 ` Dmitry Vyukov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190104190544.4b0bfaee@redhat.com \
--to=sbrivio@redhat.com \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=eric.dumazet@gmail.com \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=syzbot+4ad25edc7a33e4ab91e0@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=willemdebruijn.kernel@gmail.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.