BUG: WARNING in retire_sysctl_set

BUG: WARNING in retire_sysctl_set

[Xingyu Li]

Hi,

We found a bug in Linux 6.10. It is possibly a logic   bug.
The bug report is as follows, but unfortunately there is no generated
syzkaller reproducer.

Bug report:

team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
------------[ cut here ]------------
WARNING: CPU: 0 PID: 27 at fs/proc/proc_sysctl.c:1536
retire_sysctl_set+0x3e/0x50
Modules linked in:
CPU: 0 PID: 27 Comm: kworker/u4:2 Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:retire_sysctl_set+0x3e/0x50 fs/proc/proc_sysctl.c:1536
Code: 48 b9 00 00 00 00 00 fc ff df 80 3c 08 00 74 08 48 89 df e8 44
a1 c6 ff 48 83 3b 00 75 07 e8 19 96 63 ff 5b c3 e8 12 96 63 ff <0f> 0b
5b c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 55 53 48 89
RSP: 0018:ffffc900001e7ad0 EFLAGS: 00010293
RAX: ffffffff822dbb4e RBX: ffff88801b87bc68 RCX: ffff8880137a3c00
RDX: 0000000000000000 RSI: ffff8880137a3c00 RDI: ffff88801b87bc08
RBP: ffffc900001e7bd0 R08: ffffffff910fc58f R09: 1ffffffff221f8b1
R10: dffffc0000000000 R11: ffffffff8ab261b0 R12: ffff88801b87b980
R13: 1ffffffff1e0aec8 R14: ffffffff8f057620 R15: ffffffff8f057640
FS:  0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005599fcd69b18 CR3: 000000003c258000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ops_exit_list net/core/net_namespace.c:173 [inline]
 cleanup_net+0x810/0xcd0 net/core/net_namespace.c:640
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0x977/0x1410 kernel/workqueue.c:3329
 worker_thread+0xaa0/0x1020 kernel/workqueue.c:3409
 kthread+0x2eb/0x380 kernel/kthread.c:389
 ret_from_fork+0x49/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
 </TASK>


-- 
Yours sincerely,
Xingyu

Re: BUG: WARNING in retire_sysctl_set

[Kees Cook]

Hi,

On Wed, Aug 28, 2024 at 02:16:34PM -0700, Xingyu Li wrote:
> We found a bug in Linux 6.10. It is possibly a logic   bug.
> The bug report is as follows, but unfortunately there is no generated
> syzkaller reproducer.

I see you've sent 44 reports like this recently[1], but only have
reproducers for 4 of them[2].

Without reproducers these reports aren't very helpful. There
are hundreds like them (many with reproducers) already at:
https://syzkaller.appspot.com/upstream

Please only send these kind of reports if you have a fix for them
(preferred) or a reproducer for an actual problem. This has been mentioned
a few times already[3][4]; have you seen these replies?

-Kees

[1] https://lore.kernel.org/all/?q=f%3Axli399%40
[2] https://lore.kernel.org/all/?q=f%3Axli399%40+%22The+reproducer%22
[3] https://lore.kernel.org/netdev/CANn89iK6rq0XWO5-R5CzA5YAv2ygaTA==EVh+O74VHGDBNqUoA@mail.gmail.com/
[4] https://lore.kernel.org/all/20240829011805.92574-1-kuniyu@amazon.com/

-- 
Kees Cook

Re: BUG: WARNING in retire_sysctl_set

[Xingyu Li]

This has been mentioned
a few times already[3][4]; have you seen these replies?

Sorry, I did not see this email
https://lore.kernel.org/netdev/CANn89iK6rq0XWO5-R5CzA5YAv2ygaTA==EVh+O74VHGDBNqUoA@mail.gmail.com/.
And I received this reply
https://lore.kernel.org/all/20240829011805.92574-1-kuniyu@amazon.com/
just 8 minutes before your response.
Previously, I did not have the experience to send emails about bug
reporting. Later, I will take care that I only send bug reports with
reproducer or with a patch.

but only have
reproducers for 4 of them[2].

Your search words may ignore some of my emails. In fact, it has 16 bug
reports with the C reproducer(previously, some of them is only given a
syzkaller reproducer, and I just checked to confirm that C reproducer
is given for each bug).

https://lore.kernel.org/all/CALAgD-4M6bv53fpWnb2vdu4kxnCe_7H3kbOvs3DBAd8DeRHYuw@mail.gmail.com/
https://lore.kernel.org/all/CALAgD-5cKJnWRsS_2rjL1P9pC0dbNX66b8x09p=DUx1kD+p6PQ@mail.gmail.com/
https://lore.kernel.org/all/CALAgD-7TsMdA7rjxfpheXc=MNqikEXY9TZNxJt4z9vm6Yfs5qQ@mail.gmail.com/
https://lore.kernel.org/all/CALAgD-6miPB6F2=89m90HzEGT4dmCX_ws1r26w7Vr8rtD8Z96Q@mail.gmail.com/
https://lore.kernel.org/all/CALAgD-6Uy-2kVrj05SeCiN4wZu75Vq5-TCEsiUGzYwzjO4+Ahg@mail.gmail.com/
https://lore.kernel.org/all/CALAgD-5myPieAa_9BY6RVfBjWT_8g48+S0CX7c=EihMzdwakxw@mail.gmail.com/
https://lore.kernel.org/all/CALAgD-718DVmcVHtgSFGKbgr0ePoUjN2ST=gBtdYtGX5GUqBQg@mail.gmail.com/
https://lore.kernel.org/all/CALAgD-5kt+F6S1aAwRhKMKb0KwFGzfJCWyHguotEvJGBBBvFkA@mail.gmail.com/
https://lore.kernel.org/all/CALAgD-7JNKw5m0wpGAN+ezCL-qn7LcTL5vgyBmQZKbf5BTNUCw@mail.gmail.com/
https://lore.kernel.org/all/CALAgD-6MJC+D0DzxLOpVvCbYzHE-r1YzNORtpOh-f+hgEkMjzg@mail.gmail.com/
https://lore.kernel.org/all/CALAgD-7hbfOzovnPqVqo6bqb1nHZ2WciUOTsz0Dtwsgr+yx04w@mail.gmail.com/
https://lore.kernel.org/all/CALAgD-4hkHVcCq2ycdwnA2hYDBMqijLUOfZgvf1WfFpU-8+42w@mail.gmail.com/
https://lore.kernel.org/all/CALAgD-6gJ4W1rPj=CWG7bFUPpEJnUjEhQd3uvH=7C=aGKb=CUQ@mail.gmail.com/
https://lore.kernel.org/all/CALAgD-7C3t=vRTvpnVvsZ_1YhgiiynDaX_ud0O6pxSBn3suADQ@mail.gmail.com/
https://lore.kernel.org/all/CALAgD-4b_yFdN4fwPxpXEpJkcxEwXBxRHeQjeA3x3rMX4JpUwA@mail.gmail.com/
https://lore.kernel.org/all/CALAgD-58VEomA47Srga5H-p6cZa0zPj+y3E1se0rHb3gj4UvyA@mail.gmail.com/


There
are hundreds like them (many with reproducers) already at:
https://syzkaller.appspot.com/upstream

In fact, the bugs that I report are fuzzed by the syzkaller templates
that we generated, but not those from the syzkaller official
templates. We want to find bugs that do not have the corresponding
official syzkaller template.
I also checked to make sure that the bugs I reported did not occur on syzbot.



On Wed, Aug 28, 2024 at 6:26 PM Kees Cook <kees@kernel.org> wrote:
>
> Hi,
>
> On Wed, Aug 28, 2024 at 02:16:34PM -0700, Xingyu Li wrote:
> > We found a bug in Linux 6.10. It is possibly a logic   bug.
> > The bug report is as follows, but unfortunately there is no generated
> > syzkaller reproducer.
>
> I see you've sent 44 reports like this recently[1], but only have
> reproducers for 4 of them[2].
>
> Without reproducers these reports aren't very helpful. There
> are hundreds like them (many with reproducers) already at:
> https://syzkaller.appspot.com/upstream
>
> Please only send these kind of reports if you have a fix for them
> (preferred) or a reproducer for an actual problem. This has been mentioned
> a few times already[3][4]; have you seen these replies?
>
> -Kees
>
> [1] https://lore.kernel.org/all/?q=f%3Axli399%40
> [2] https://lore.kernel.org/all/?q=f%3Axli399%40+%22The+reproducer%22
> [3] https://lore.kernel.org/netdev/CANn89iK6rq0XWO5-R5CzA5YAv2ygaTA==EVh+O74VHGDBNqUoA@mail.gmail.com/
> [4] https://lore.kernel.org/all/20240829011805.92574-1-kuniyu@amazon.com/
>
> --
> Kees Cook



--
Yours sincerely,
Xingyu

Re: BUG: WARNING in retire_sysctl_set

[Kees Cook]

On August 28, 2024 10:02:00 PM PDT, Xingyu Li <xli399@ucr.edu> wrote:
>In fact, the bugs that I report are fuzzed by the syzkaller templates
>that we generated, but not those from the syzkaller official
>templates. We want to find bugs that do not have the corresponding
>official syzkaller template.
>I also checked to make sure that the bugs I reported did not occur on syzbot.

That's excellent that you've developed better templates! Can you submit these to syzkaller upstream? Then the automated fuzzing CI dashboard will benefit (and save you the work of running and reporting the new finds).

-Kees

-- 
Kees Cook

Re: BUG: WARNING in retire_sysctl_set

[Yu Hao]

On Wed, Aug 28, 2024 at 10:33 PM Kees Cook <kees@kernel.org> wrote:
> That's excellent that you've developed better templates! Can you submit these to syzkaller upstream? Then the automated fuzzing CI dashboard will benefit (and save you the work of running and reporting the new finds).
Yes, we are also working on this.
And it also takes some time to figure out the differences in the
syscall descriptions and to satisfy syzkaller's style requirements.
So we are still working on the patch of syscall descriptions for Syzkaller.

Once again, we apologize for our mistakes of some helpless report
emails and thank you for your reminder and understanding.