public inbox for [email protected]
 help / color / mirror / Atom feed
From: Aleksandr Nogikh <[email protected]>
To: Jens Axboe <[email protected]>
Cc: syzbot
	<[email protected]>,
	[email protected], [email protected],
	[email protected]
Subject: Re: [syzbot] Monthly io-uring report
Date: Mon, 27 Mar 2023 21:12:06 +0200	[thread overview]
Message-ID: <CANp29Y66H4-+d4hat_HCJck=u8dTn9Hw5KNzm1aYifQArQNNEw@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>

On Mon, Mar 27, 2023 at 8:23 PM Jens Axboe <[email protected]> wrote:
>
> On 3/27/23 5:01?AM, syzbot wrote:
> > 1873    Yes   WARNING in split_huge_page_to_list (2)
> >               https://syzkaller.appspot.com/bug?extid=07a218429c8d19b1fb25
> > 38      Yes   KASAN: use-after-free Read in nfc_llcp_find_local
> >               https://syzkaller.appspot.com/bug?extid=e7ac69e6a5d806180b40
>
> These two are not io_uring. Particularly for the latter, I think syzbot
> has a tendency to guess it's io_uring if any kind of task_work is
> involved. That means anything off fput ends up in that bucket. Can we
> get that improved please?

Sure, I'll update the rules and rerun the subsystem recognition.

Currently syzbot sets io_uring if at least one is true
a) The crash stack trace points to the io_uring sources (according to
MAINTAINERS)
b) At least one reproducer has the syz_io_uring_setup call (that's a
helper function that's part of syzkaller).

In general syzbot tries to minimize the reproducer, but unfortunately
sometimes there remain some calls, which are not necessary per se. It
definitely tried to get rid of them, but the reproducer was just not
working with those calls cut out. Maybe they were just somehow
affecting the global state and in the execution log there didn't exist
any other call candidates, which could have fulfilled the purpose just
as well.

I can update b) to "all reproducers have syz_io_uring_setup". Then
those two bugs won't match the criteria.
If it doesn't suffice and there are still too many false positives, I
can drop b) completely.

By the way, should F: fs/io-wq.c also be added to the IO_URING's
record in the MAINTAINERS file?

--
Aleksandr

>
> --
> Jens Axboe
>

  reply	other threads:[~2023-03-27 19:12 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-03-27 11:01 [syzbot] Monthly io-uring report syzbot
2023-03-27 18:23 ` Jens Axboe
2023-03-27 19:12   ` Aleksandr Nogikh [this message]
2023-03-27 19:20     ` Jens Axboe
2023-03-27 20:12       ` Aleksandr Nogikh
2023-03-27 19:21 ` Eric Biggers
2023-03-27 19:25   ` Jens Axboe
2023-03-27 19:56     ` Eric Biggers
2023-03-27 20:00       ` Jens Axboe
2023-03-27 20:21         ` Aleksandr Nogikh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CANp29Y66H4-+d4hat_HCJck=u8dTn9Hw5KNzm1aYifQArQNNEw@mail.gmail.com' \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox