Re: [PATCH 0/1] Re: kernel BUG at fs/userfaultfd.c:LINE!

From: Eric Biggers
Date: Wed Jan 17 2018 - 18:26:41 EST


On Wed, Jan 17, 2018 at 09:56:29AM +0100, Pavel Machek wrote:
> Hi!
>
> > > Andrea Arcangeli (1):
> > > userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK
> > > fails
> > >
> > > fs/userfaultfd.c | 20 ++++++++++++++++++--
> > > 1 file changed, 18 insertions(+), 2 deletions(-)
> >
> > The original report footer was stripped, so:
> >
> > Please credit me with: Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
>
> Please don't. We don't credit our CPUs, and we don't credit Qemu. We
> credit humans.
>

The difference is that unlike your CPU or QEMU, syzbot is a program specifically
written to find and report Linux kernel bugs. And although Dmitry Vyukov has
done most of the work, syzkaller and syzbot have had many contributors, and you
are welcome to contribute too: https://github.com/google/syzkaller

> > and we also need to tell syzbot about the fix with:
> >
> > #syz fix:
> > userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails
>
> Now you claimed you care about bugs being fixed. What about actually
> testing Andrea's fix and telling us if it fixes the problem or not,
> and maybe saying "thank you"?

Of course the syzbot team cares about bugs being fixed, why else would they
report them?

I too would like to see syzbot become smarter about handling bugs with
reproducers. For example it could bisect to find the commit which introduced
the bug, and could automatically detect where the bug has/hasn't been fixed. Of
course due to the nature of the kernel it's not possible with every bug, but for
some it is possible.

Nevertheless, at the end of the day, no matter how a bug is reported or who
reports it, it is primarily the responsibility of the person patching the bug to
test their patch. I've never really understood why people try to patch
reproducible bugs without even testing their fix; it just doesn't make any
sense. It's pretty easy to run the syzkaller-provided reproducers too.
Personally I've fixed 20+ syzkaller-reported bugs, and I always run the
reproducer if there is one. In fact the reproducer is usually needed to even
figure out what to fix in the first place...

Yes, Andrea deserves thanks for fixing this bug! But so does syzbot and its
authors for reporting this bug. And personally I am not at all impressed by the
fact that userfaultfd has no maintainer listed in MAINTAINERS, nor did any of
the authors feel responsible enough to quickly patch a critical security bug in
code they wrote less than a year ago, even after I Cc'ed them with a simplified
reproducer and explanation of the problem. Note that userfaultfd is usable by
unprivileged users and is enabled on most major Linux distros. Does syzbot need
to start automatically requesting CVEs as well? :-)

(And yes, I wanted to fix this myself, as I've done with a lot of the other
syzbot-reported bugs, but unfortunately I wasn't familiar enough with the
userfaultfd code, and there are 200 other bugs to work on too...)

Eric