Re: KASAN: use-after-free Read in hiddev_disconnect

From: Dmitry Vyukov
Date: Mon Jan 27 2020 - 09:34:47 EST


On Mon, Jan 27, 2020 at 10:29 AM Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
>
> I already fixed this bug in an earlier thread.
>
> Syzbot always reports a use after free as two separate bugs, a read
> after free and a write after free. It's too much hassle to mark all
> the duplicates.

+syzkaller mailing list

Hi Dan,

Not that it happens always, but, yes, it happens for racy bugs (for
single-threaded ones the type of the first access is usually
deterministic). Worse, sometimes they show up as GPF, unable to handle
kernel paging request, null-ptr-deref, user-memory-access, especially
for crashes that happen very frequently, so that syzbot starts catching
the long tail of more weird/unlucky incarnations.

The exact string is under our full control and can be changed. We did
refinements to strings/grouping lots of times. I considered whether
all of these should be grouped together and reported just as, say,
"bad-access in [function name]". However, the problem is that changes
to the strings/grouping will affect _all_ existing bugs: they will be
re-reported under new names, then the old ones will be suspected to be fixed
(stopped happening), fix bisected, some closed as obsolete, some
concluded to be still happening, etc. And we have 300+ for upstream
(https://syzkaller.appspot.com/upstream) + 4 LTS versions + 4 Android
versions + a bunch of internal kernels + all users of syzkaller for
Linux out there. So this will produce a whole lot of churn for
hundreds of people. The changes we did make affected
significantly fewer bugs (e.g. a new bug type).

I don't know what the right solution is at this point...
Changing the title will involve lots of churn.
Marking as dups is too much hassle.
Not marking as dups will lead to hundreds of lost bugs and/or lots of
wasted time for people rescanning the list of open bugs again and again,
missed backports, etc.