In several places we do special handling for some crash types.
Currently we compare the report title with magic strings,
which is error-prone. Add an explicit Type to reports.

Add a second "questionable" regex to match the powerpc "(unreliable)"
format.
Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>

Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>

For some bug types the kernel produces a traceback of all CPUs
(which is presumably useful for these crashes).
However, we currently throw it away because it has a context
different from the oops context.
Detect such tracebacks and preserve the output.

This change makes the reporting code account for the skip patterns when
selecting the frame that is used in a title of a generic warning report.

powerpc stack traces are printed a bit differently from x86 stack traces.
Adjust the regexes accordingly to cope with this format.
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>

Even though we extract an anchor frame which is usually higher up the stack,
the anchor frame can be on the RIP: line too. Account for that.

Another new helper for locking.

These __x86_indirect_thunk_rax frames broke reports for bad indirect calls.

This ability was never used but we maintain a bunch of code for it.
syzkaller also recently learned to spoof this error code
with some ptrace magic (probably intercepted control flow again
and exploited the executor binary).
Drop all of it.

Skip various *_trylock functions as we do for *_lock functions.

Update #933

Update #933

Oops messages frequently induce possible deadlock reports
because oops reporting introduces unexpected locking chains.
So if we have enough of the actual oops, strip the deadlock message.

If we have contexts, we don't need to strip the first report
at the beginning of the second report.

CONFIG_PRINTK_CALLER has reached linux-next:
https://groups.google.com/d/msg/syzkaller/xEDUgkgFvL8/d5bBS3BJBwAJ
Enable CONFIG_PRINTK_CALLER and support parsing of its output format.
This gives us several advantages:
- output from different contexts doesn't intermix
- intermixed output doesn't cause corrupted reports
- we can keep a larger prefix since we know it comes from the same task
Credit for the kernel part goes to Tetsuo Handa.
Also Sergey Senozhatsky and Petr Mladek for reviews of the kernel part.
Fixes #596
Fixes #600

Ignore double faults as the start of a second report.
A double fault can happen during handling of paging faults
if memory is badly corrupted. Also it usually happens
synchronously, which means that maybe the report is not corrupted.
But of course it can come from another CPU as well.
Add more interesting test cases.

Add another anchor frame.

We started detecting all kernel reboots as corrupted,
because we considered that after any "Allocated" line
a stack trace should follow.
Kernel boot output now contains:
ima: Allocated hash algorithm: sha256
and there is no stack trace after that.
1. Refine stack trace regexps (we actually want to look for
"Allocated by task PID:" lines).
2. Don't check stacks if the report format says that it
does not contain stacks.

Amusing that this is another kernel failure mode that we are discovering after 3 years.
One can't even reliably understand when the kernel has crashed.
I wonder if syzkaller never hit these, or just never recognized and reported them. We will see.
Don't even want to think about arm kernel output parsing.

This is called from kfree in the added test.
We already ignore everything related to kmalloc/free
and e.g. arch/.*/mm/fault.c, so it looks reasonable
to ignore this one too.

Skip a few more common allocation functions.

Account for the case that some file names can appear _before_ the crash report starts.
Start extracting the guilty file from StartPos.

Extract the guilty frame from the stack.
Add a few more ignored functions.
Add more tests.

During rcu stalls and cpu lockups the kernel loops in some part of the code,
usually across several functions. When the stall is detected, the traceback
points to a random stack within the looping code. We generally take
the top function in the stack (with a few exceptions) as the bug identity.
As a result, stalls with the same root would produce multiple reports
in different functions, which is bad.
Instead we identify a representative function deeper in the stack.
For most syscalls it can be the syscall entry function (e.g. SyS_timer_create).
However, for highly discriminated functions (syscalls like ioctl/read/write/connect)
we take the previous function (e.g. for connect the one that points to the exact
protocol, or for ioctl the one that is related to the device).
Fixes #710