| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
| |
Parse the stack trace for the WARNING since the guilty frame
is not necessary the first one.
Skip iput/ihold functions. They are called dozens of times throughout the kernel
and the bug is more likely to be in the caller.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously we would pick the first non-ignored file. Now instead,
continue searching the stack trace for more specific files.
A "more specific" file wrt the first non-ignored file has:
- the same directory prefix
- a deeper directory nesting
E.g. `fs/ntfs3/*.c` is "more specific" than "fs/*.c".
We search for the most specific file (i.e. the deepest nesting), and
take the first most specific if there are multiple files with the same
nesting.
This commit also adds three tests for this behaviour, taken from
recent `syzbot` bugs which identified the wrong file. Now the desired
file is identified.
Only one existing test shows different output with the new behaviour.
Updates #3393.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The `assertfail` function is defined in `fs/btrfs/ctree.h`
(https://elixir.bootlin.com/linux/v5.19.11/source/fs/btrfs/ctree.h#L3616).
It is used over 650 times within `fs/btrfs` as part of the `ASSERT`
macro. Without special handling of `assertfail` in log parsing, many
different errors are grouped into a single category.
This commit therefore skips over `assertfail` and adds a test to check
this new behaviour. In particular, the test is a truncated `syzbot` log
which previously showed the `BUG` as originating from `assert_fail`.
|
| | |
|
| |
|
|
| |
They are invalid and we're tired of manually marking them as such.
|
| |
|
|
|
|
| |
The original panic: is printed without logging and is often garbled
by concurrent printing by another core. OTOH, `show panic` is printed
exclusively so we prefer to use that.
|
| |
|
|
|
|
|
| |
It doesn't bring any extra value and only makes the reports bigger.
Don't do such decompilation for hang-related reports. Refactor the
opcode tests to rely more on the more generic NewReporter constructor.
|
| |
|
|
|
| |
Syzbot erroneously treats them as normal WARNINgs and creates lots of
duplicate bugs.
|
| |
|
|
|
|
|
|
| |
Patch "kasan: separate double free case from invalid free"
https://lore.kernel.org/all/20220615062219.22618-1-Kuan-Ying.Lee@mediatek.com/
changes format of KASAN reports.
Currently the new reports are parsed as corrupted.
Update parsing.
|
| |
|
|
|
|
|
|
|
| |
For some reason gcc stopped inlining atomic/bitops functions
on a 5.4 kernel (see add test reports).
Skip all atomic/bitops functions from these files:
https://elixir.bootlin.com/linux/latest/source/include/linux/atomic/atomic-instrumented.h
https://elixir.bootlin.com/linux/latest/source/include/asm-generic/bitops/instrumented-atomic.h
https://elixir.bootlin.com/linux/latest/source/include/asm-generic/bitops/instrumented-lock.h
|
| | |
|
| |
|
|
|
| |
We already ignore all other semaphore-related frames,
but not this one. Ignore this one as well.
|
| |
|
|
| |
Signed-off-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
| |
These are not normal warnings, but they look like real warnings for syzkaller.
|
| |
|
|
| |
It popped up in a new KASAN report after recent KASAN changes.
|
| | |
|
| |
|
|
|
| |
Reported-by: syzbot+aada2d85478c047a3cbf@syzkaller.appspotmail.com
Signed-off-by: Andrei Vagin <avagin@google.com>
|
| |
|
|
|
| |
ref_tracker is a generic debugging facility,
the actual bug is (almost always) in the caller.
|
| |
|
|
| |
That's some mutex internals.
|
| |
|
|
|
|
|
|
| |
Support extracting multiple frames from a single report
(one per parseStackTrace marker). Extract KMSAN origin
frame and use it as an additional ALT title for deduplication.
Fixes #2927
|
| |
|
|
|
|
| |
Keeping backwards compatibility will complicate future changes.
Since KMSAN is not upstream yet and is always rebased, we don't
really need to keep parsing old reports.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
These are not the root cause of bugs and should be skipped.
|
| | |
|
| |
|
|
|
|
|
| |
Not skipping this frame leads to "BUG: sleeping function called from
invalid context at" pointing to the wrong function.
Fix that and add a report parse test.
|
| |
|
|
|
|
|
|
|
| |
Memory access errors inside the crc-calculating functions typically
indicate an error in the calling function, rather than a bug in the CRC
implementation.
Skip them during stack frame parsing. Add a new report test that
validates the new behavior.
|
| |
|
|
|
|
|
|
|
| |
Currently KMSAN does not include the "Call Trace" line into its reports.
As syzkaller still expects it, most of those reports end up being
classified as corruped and do not get published by syzbot (see #2733).
Adjust the parsing rules to support these new reports.
Add a test to validate the new behavior.
|
| |
|
|
|
|
| |
This bug message includes filesystem type and block device name.
Both can lead to excessive duplicates.
Merge all such bugs together.
|
| |
|
|
|
|
|
| |
gcc and clang somehow print different frames around syscall entry.
sys_-prefixed names is what currently produced for gcc (more common)
and we have lots of existing reports with sys_ prefix.
So make the clang frames parsed the same way as gcc frames are currently parsed.
|
| |
|
|
| |
This routine was recently renamed.
|
| |
|
|
|
|
|
| |
Logs containing "*** stack smashing detected ***: terminated" are not of
particular interest, as this indicates syz-executor corruption.
Suppress bug reports in this case.
|
| |
|
|
|
|
|
| |
This error originates in glibc and is occasionally printed by
corrupted syz-executor instances.
Do not recognize it as a kernel crash.
|
| |
|
|
|
|
|
|
| |
In Linux 5.15 the mand mount option will be deprecated, and the warning
text will change accordingly:
https://lkml.kernel.org/r/20210820163919.435135-3-jlayton@kernel.org/
Update regex to also ignore this case.
|
| |
|
|
|
|
|
| |
Ignore this new warning, as it is intentionally added to warn users and
does not indicate a kernel bug:
https://lkml.kernel.org/r/CAHk-=wgD-SNxB=2iCurEoP=RjrciRgLtXZ7R_DejK+mXF2etfg@mail.gmail.com
|
| |
|
|
|
|
|
|
|
|
|
| |
Skip Code: lines that refer to user-space. Skip code listings where the
trapping instruction is an intentionally invalid one (this happens in
WARNINGs and most of BUG reports). Decompilation of such code fragments
provides no value to the user.
Add new tests and update the existing ones.
Closes #2709 and #2710.
|
| |
|
|
|
|
|
|
| |
Let decompiler also parse the exact command name. Perform right trim on
the full output line, as it may contain tabs and spaces at the end.
Introduce an "-update" flag to facilitate mass updating of opcode
decompilation tests after changes to this functionality.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Replace not just long sequences of digits in report titles, but every
sequence of '0'-'9' that is not surrounded by word characters.
As such matches will overlap and Go does not (currently?) support regexp
lookarounds, do the replacement multiple times until there is nothing
more to do. This should not slow down syzkaller, since this code is
only invoked during crash processing.
Restrict LINE replacement only to fragments that have a preceeding file
name. This prevents replacements like [1:2] -> [NUM:LINE].
|
| |
|
|
|
|
|
|
|
|
|
| |
Improve Linux reports quality by decompiling "Code: " descriptions.
As that line of opcodes is not guaranteed to begin at the boundary of an
instruction, try to find the right boundary.
Handle the cases of multiple "Code: ..." lines by only decompiling the
first one. In most cases the last such line shows user-space bytes,
which is usually not of great importance.
|
| |
|
|
|
| |
We ignored some el1_* arm64 frames, but not a new el1h_64_sync
frame appeared in HWASAN reports. Ignore it as well.
|
| |
|
|
|
|
|
| |
Now that we increased CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT to 16
we started getting full parsable "stack guard page was hit" crashes.
Extract the anchor frame as we do for stalls.
This makes reports deterministic rather than point to a random top frame.
|
| |
|
|
|
|
|
|
| |
The format of the panic message means that we get lots of duplicate
reports. Normalize KASAN report titles. In particular, strip the code
name since it encodes the size of the redzone, which may vary depending
on the test case, especially if the report is triggered by a false
positive.
|
| |
|
|
| |
Some kernel code seems to have been changed again...
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We are getting some duplicate reports where the stall actually happens
in some syscall, but the syscall triggers a page fault repeatedly.
As the result we can attribute some of the stalls to the next frame
after handle_mm_fault.
So don't consider handle_mm_fault as an anchor frame.
We need to be careful to not skip entry into page fault
from user space, because that's a completly different case.
In that case the stall is indeed in the page fault handler.
It's also unclear if this is the right thing to do.
If the stall actually happens in the fault handler
and the root cause in the fault handler, then after this change
we will produce duplicate stalls for every place in the kernel
that can trigger a page fault (we will be skipping the handler
itself and attribute it to the innocent caller).
But so far we don't have such examples.
|
| |
|
|
|
| |
Suggested-by: Vegard Nossum
Link: https://groups.google.com/g/syzkaller/c/aHHCG_ZHOZA/m/M6aiIuzkAQAJ
|
| | |
|
| | |
|
| | |
|
