// Copyright 2017 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

package email

import (
	"testing"
)

// TestParsePatch runs ParsePatch over every entry of the tests table as a
// named subtest and requires the returned diff to equal the expected diff
// exactly; any difference, including whitespace, fails the subtest.
func TestParsePatch(t *testing.T) {
	for i := range tests {
		tc := tests[i]
		t.Run(tc.title, func(t *testing.T) {
			want := tc.diff
			got := ParsePatch([]byte(tc.text))
			if got == want {
				return
			}
			t.Fatalf("diff mismatch, want:\n%v\ngot:\n%v", want, got)
		})
	}
}

// tests is the fixture table for TestParsePatch. Each entry pairs a message
// body (text) with the diff ParsePatch is expected to return for it; title is
// only used as the subtest name.
//
// The inputs cover: "git show" style output with a commit message, a bare
// subject line followed by a diff (with and without a trailing newline), a
// mail with headers and a diffstat, a patch that ends in a "--" delimiter and
// a version line, a diff followed by reply text or by a ">" quoted line, a
// new-file diff, a two-file diff, a quilt-style "Index:" patch, and text that
// contains no diff at all.
//
// NOTE(review): whitespace inside the raw strings is part of the comparison.
// Context lines keep the unified-diff leading space (a blank context line is
// a single space). The indentation of the quoted C code was restored from a
// flattened listing — verify against the repository copy before relying on
// exact bytes.
//
// NOTE(review): every fixture is a well-formed patch. If ParsePatch is fed
// mail from arbitrary senders, cases with truncated or malformed diff headers
// would be worth adding — confirm against the callers.
var tests = []struct {
	text  string
	title string
	diff  string
}{
	{
		text: `
commit 7bdb59aaaaaa4bd7161adc8f923cdef10f2638d1
Author: Some foo-bar áš <foo@bar.com>
Date:   Tue Feb 7 17:44:54 2017 +0100

    net/tcp: fix foo()

    foo->bar is wrong.
    Fix foo().

    More description.

    Signed-off-by: Some foo-bar áš <foo@bar.com>
    Reviewed: Some foo-bar <foo@bar.com>
    Link: http://lkml.kernel.org/r/123123123123-123-1-git-send-email-foo@bar.com

diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c
index 74e0388cc88d..fc6f740d0277 100644
--- a/kernel/time/tick-sched.c
+++ b/kernel/time/tick-sched.c
@@ -725,6 +725,11 @@ static ktime_t tick_nohz_stop_sched_tick(struct tick_sched *ts,
 		 */
 		if (delta == 0) {
 			tick_nohz_restart(ts, now);
+			/*
+			 * Make sure next tick stop doesn't get fooled by past
+			 * clock deadline
+			 */
+			ts->next_tick = 0;
 			goto out;
 		}
 	}
`,
		title: "net/tcp: fix foo()",
		diff: `diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c
index 74e0388cc88d..fc6f740d0277 100644
--- a/kernel/time/tick-sched.c
+++ b/kernel/time/tick-sched.c
@@ -725,6 +725,11 @@ static ktime_t tick_nohz_stop_sched_tick(struct tick_sched *ts,
 		 */
 		if (delta == 0) {
 			tick_nohz_restart(ts, now);
+			/*
+			 * Make sure next tick stop doesn't get fooled by past
+			 * clock deadline
+			 */
+			ts->next_tick = 0;
 			goto out;
 		}
 	}
`,
	},

	{
		text: `
fix looking up invalid subclass: 4294967295

diff --git a/net/irda/irqueue.c b/net/irda/irqueue.c
index acbe61c..160dc89 100644
--- a/net/irda/irqueue.c
+++ b/net/irda/irqueue.c
@@ -383,9 +383,6 @@ EXPORT_SYMBOL(hashbin_new);
  * for deallocating this structure if it's complex. If not the user can
  * just supply kfree, which should take care of the job.
  */
-#ifdef CONFIG_LOCKDEP
-static int hashbin_lock_depth = 0;
-#endif
 int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
 {
 	irda_queue_t* queue;
`,
		title: "fix looking up invalid subclass: 4294967295",
		diff: `diff --git a/net/irda/irqueue.c b/net/irda/irqueue.c
index acbe61c..160dc89 100644
--- a/net/irda/irqueue.c
+++ b/net/irda/irqueue.c
@@ -383,9 +383,6 @@ EXPORT_SYMBOL(hashbin_new);
  * for deallocating this structure if it's complex. If not the user can
  * just supply kfree, which should take care of the job.
  */
-#ifdef CONFIG_LOCKDEP
-static int hashbin_lock_depth = 0;
-#endif
 int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
 {
 	irda_queue_t* queue;
`,
	},

	{
		text: `net: fix looking up invalid subclass: 4294967295
diff --git a/net/irda/irqueue.c b/net/irda/irqueue.c
index acbe61c..160dc89 100644
--- a/net/irda/irqueue.c
+++ b/net/irda/irqueue.c
@@ -383,9 +383,6 @@ EXPORT_SYMBOL(hashbin_new);
  * for deallocating this structure if it's complex. If not the user can
  * just supply kfree, which should take care of the job.
  */
-#ifdef CONFIG_LOCKDEP
-static int hashbin_lock_depth = 0;
-#endif
 int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)`,
		title: "net: fix looking up invalid subclass: 4294967295",
		diff: `diff --git a/net/irda/irqueue.c b/net/irda/irqueue.c
index acbe61c..160dc89 100644
--- a/net/irda/irqueue.c
+++ b/net/irda/irqueue.c
@@ -383,9 +383,6 @@ EXPORT_SYMBOL(hashbin_new);
  * for deallocating this structure if it's complex. If not the user can
  * just supply kfree, which should take care of the job.
  */
-#ifdef CONFIG_LOCKDEP
-static int hashbin_lock_depth = 0;
-#endif
 int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
`,
	},

	{
		text: `
Delivered-To: foo@bar.com
Date: Tue, 31 Jan 2017 15:24:03 +0100 (CET)
To: Foo Bar <foo@bar.com>
Subject: [PATCH v2] timerfd: Protect the might cancel mechanism proper
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII

The handling of the might_cancel queueing is not properly protected, so
parallel operations on the file descriptor can race with each other and
lead to list corruptions or use after free.

Protect the context for these operations with a separate lock.

Reported-by: Foo Bar <foo@bar.com>
Signed-off-by: Foo Bar <foo@bar.com>
---
 fs/timerfd.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

--- a/fs/timerfd.c
+++ b/fs/timerfd.c
@@ -40,6 +40,7 @@ struct timerfd_ctx {
 	short unsigned settime_flags; /* to show in fdinfo */
 	struct rcu_head rcu;
 	struct list_head clist;
+	spinlock_t cancel_lock;
 	bool might_cancel;
 };
`,
		title: "timerfd: Protect the might cancel mechanism proper",
		diff: `--- a/fs/timerfd.c
+++ b/fs/timerfd.c
@@ -40,6 +40,7 @@ struct timerfd_ctx {
 	short unsigned settime_flags; /* to show in fdinfo */
 	struct rcu_head rcu;
 	struct list_head clist;
+	spinlock_t cancel_lock;
 	bool might_cancel;
 };
`,
	},

	{
		text: `crypto/sha512-mb: Correct initialization value for lane lens
diff --git a/arch/x86/crypto/sha512-mb/sha512_mb_mgr_init_avx2.c b/arch/x86/crypto/sha512-mb/sha512_mb_mgr_init_avx2.c
index 36870b2..5484d77 100644
--- a/arch/x86/crypto/sha512-mb/sha512_mb_mgr_init_avx2.c
+++ b/arch/x86/crypto/sha512-mb/sha512_mb_mgr_init_avx2.c
@@ -57,10 +57,10 @@ void sha512_mb_mgr_init_avx2(struct sha512_mb_mgr *state)
 {
 	unsigned int j;
 
-	state->lens[0] = 0;
-	state->lens[1] = 1;
-	state->lens[2] = 2;
-	state->lens[3] = 3;
+	state->lens[0] = 0xFFFFFFFF00000000;
+	state->lens[1] = 0xFFFFFFFF00000001;
+	state->lens[2] = 0xFFFFFFFF00000002;
+	state->lens[3] = 0xFFFFFFFF00000003;
 	state->unused_lanes = 0xFF03020100;
 	for (j = 0; j < 4; j++)
 		state->ldata[j].job_in_lane = NULL;
--
2.5.5`,
		title: "crypto/sha512-mb: Correct initialization value for lane lens",
		diff: `diff --git a/arch/x86/crypto/sha512-mb/sha512_mb_mgr_init_avx2.c ` +
			`b/arch/x86/crypto/sha512-mb/sha512_mb_mgr_init_avx2.c
index 36870b2..5484d77 100644
--- a/arch/x86/crypto/sha512-mb/sha512_mb_mgr_init_avx2.c
+++ b/arch/x86/crypto/sha512-mb/sha512_mb_mgr_init_avx2.c
@@ -57,10 +57,10 @@ void sha512_mb_mgr_init_avx2(struct sha512_mb_mgr *state)
 {
 	unsigned int j;
 
-	state->lens[0] = 0;
-	state->lens[1] = 1;
-	state->lens[2] = 2;
-	state->lens[3] = 3;
+	state->lens[0] = 0xFFFFFFFF00000000;
+	state->lens[1] = 0xFFFFFFFF00000001;
+	state->lens[2] = 0xFFFFFFFF00000002;
+	state->lens[3] = 0xFFFFFFFF00000003;
 	state->unused_lanes = 0xFF03020100;
 	for (j = 0; j < 4; j++)
 		state->ldata[j].job_in_lane = NULL;
`,
	},

	{
		text: `
Subject: [Patch net] kcm: fix a null pointer dereference in kcm_sendmsg()

--- a/fs/timerfd.c
+++ b/fs/timerfd.c
@@ -40,6 +40,7 @@ struct timerfd_ctx {
 	short unsigned settime_flags; /* to show in fdinfo */
 	struct rcu_head rcu;
 	struct list_head clist;
+	spinlock_t cancel_lock;
 	bool might_cancel;
 };

On Fri, Nov 17, 2017 at 3:46 PM, syzbot wrote:
`,
		title: "kcm: fix a null pointer dereference in kcm_sendmsg()",
		diff: `--- a/fs/timerfd.c
+++ b/fs/timerfd.c
@@ -40,6 +40,7 @@ struct timerfd_ctx {
 	short unsigned settime_flags; /* to show in fdinfo */
 	struct rcu_head rcu;
 	struct list_head clist;
+	spinlock_t cancel_lock;
 	bool might_cancel;
 };
`,
	},

	{
		text: `
Subject: Re: [PATCH v3] net/irda: fix lockdep annotation

--- a/fs/timerfd.c
+++ b/fs/timerfd.c
@@ -40,6 +40,7 @@ struct timerfd_ctx {
 	short unsigned settime_flags; /* to show in fdinfo */
 	struct rcu_head rcu;
 	struct list_head clist;
+	spinlock_t cancel_lock;
 	bool might_cancel;
 };
> Does this help?
`,
		title: "net/irda: fix lockdep annotation",
		diff: `--- a/fs/timerfd.c
+++ b/fs/timerfd.c
@@ -40,6 +40,7 @@ struct timerfd_ctx {
 	short unsigned settime_flags; /* to show in fdinfo */
 	struct rcu_head rcu;
 	struct list_head clist;
+	spinlock_t cancel_lock;
 	bool might_cancel;
 };
`,
	},

	{
		text: `syz-dash: first version of dashboard app
diff --git a/syz-dash/api.go b/syz-dash/api.go
new file mode 100644
index 0000000..a1a0499
--- /dev/null
+++ b/syz-dash/api.go
@@ -0,0 +1,444 @@
+package dash
`,
		title: "syz-dash: first version of dashboard app",
		diff: `diff --git a/syz-dash/api.go b/syz-dash/api.go
new file mode 100644
index 0000000..a1a0499
--- /dev/null
+++ b/syz-dash/api.go
@@ -0,0 +1,444 @@
+package dash
`,
	},
	{
		text: `Subject: multi-file patch

diff --git a/init/main.c b/init/main.c
index 0ee9c6866ada..ed01296f7b23 100644
--- a/init/main.c
+++ b/init/main.c
@@ -706,6 +706,8 @@ asmlinkage __visible void __init start_kernel(void)
 		efi_free_boot_services();
 	}
 
+	BUG();
+
 	/* Do the rest non-__init'ed, we're now alive */
 	rest_init();
 }
diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 6f319fb81718..76a8d5aeed4b 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -42,7 +42,7 @@
 
 void kasan_enable_current(void)
 {
-	current->kasan_depth++;
+	current->kasan_depth--;
 }
 
 void kasan_disable_current(void)

> Does this help?
`,
		title: "multi-file patch",
		diff: `diff --git a/init/main.c b/init/main.c
index 0ee9c6866ada..ed01296f7b23 100644
--- a/init/main.c
+++ b/init/main.c
@@ -706,6 +706,8 @@ asmlinkage __visible void __init start_kernel(void)
 		efi_free_boot_services();
 	}
 
+	BUG();
+
 	/* Do the rest non-__init'ed, we're now alive */
 	rest_init();
 }
diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index 6f319fb81718..76a8d5aeed4b 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -42,7 +42,7 @@
 
 void kasan_enable_current(void)
 {
-	current->kasan_depth++;
+	current->kasan_depth--;
 }
 
 void kasan_disable_current(void)
`,
	},
	{
		text: `Subject: Re: WARNING in usb_submit_urb (4)

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v5.1-rc3

Index: usb-devel/drivers/usb/core/driver.c
===================================================================
--- usb-devel.orig/drivers/usb/core/driver.c
+++ usb-devel/drivers/usb/core/driver.c
@@ -34,6 +34,9 @@
 
 #include "usb.h"
 
+#undef dev_vdbg
+#define dev_vdbg dev_info
+
 
 /*
  * Adds a new dynamic USBdevice ID to this driver,
Index: usb-devel/drivers/usb/core/hub.c
===================================================================
--- usb-devel.orig/drivers/usb/core/hub.c
+++ usb-devel/drivers/usb/core/hub.c
@@ -36,6 +36,10 @@
 #include "hub.h"
 
+#undef dev_dbg
+#define dev_dbg dev_info
+
+
 #define USB_VENDOR_GENESYS_LOGIC 0x05e3
 #define HUB_QUIRK_CHECK_PORT_AUTOSUSPEND 0x01
 
@@ -1016,6 +1020,8 @@ static void hub_activate(struct usb_hub
 	bool need_debounce_delay = false;
 	unsigned delay;
 
+	dev_info(hub->intfdev, "%s type %d\n", __func__, type);
+
 	/* Continue a partial initialization */
 	if (type == HUB_INIT2 || type == HUB_INIT3) {
 		device_lock(&hdev->dev);
@@ -1254,6 +1260,7 @@ static void hub_activate(struct usb_hub
  init3:
 	hub->quiescing = 0;
 
+	dev_info(hub->intfdev, "Submitting status URB\n");
 	status = usb_submit_urb(hub->urb, GFP_NOIO);
 	if (status < 0)
 		dev_err(hub->intfdev, "activate --> %d\n", status);
`,
		title: "Re: WARNING in usb_submit_urb (4)",
		diff: `Index: usb-devel/drivers/usb/core/driver.c
===================================================================
--- usb-devel.orig/drivers/usb/core/driver.c
+++ usb-devel/drivers/usb/core/driver.c
@@ -34,6 +34,9 @@
 
 #include "usb.h"
 
+#undef dev_vdbg
+#define dev_vdbg dev_info
+
 
 /*
  * Adds a new dynamic USBdevice ID to this driver,
Index: usb-devel/drivers/usb/core/hub.c
===================================================================
--- usb-devel.orig/drivers/usb/core/hub.c
+++ usb-devel/drivers/usb/core/hub.c
@@ -36,6 +36,10 @@
 #include "hub.h"
 
+#undef dev_dbg
+#define dev_dbg dev_info
+
+
 #define USB_VENDOR_GENESYS_LOGIC 0x05e3
 #define HUB_QUIRK_CHECK_PORT_AUTOSUSPEND 0x01
 
@@ -1016,6 +1020,8 @@ static void hub_activate(struct usb_hub
 	bool need_debounce_delay = false;
 	unsigned delay;
 
+	dev_info(hub->intfdev, "%s type %d\n", __func__, type);
+
 	/* Continue a partial initialization */
 	if (type == HUB_INIT2 || type == HUB_INIT3) {
 		device_lock(&hdev->dev);
@@ -1254,6 +1260,7 @@ static void hub_activate(struct usb_hub
  init3:
 	hub->quiescing = 0;
 
+	dev_info(hub->intfdev, "Submitting status URB\n");
 	status = usb_submit_urb(hub->urb, GFP_NOIO);
 	if (status < 0)
 		dev_err(hub->intfdev, "activate --> %d\n", status);
`,
	},
	{
		text: `Some
Text
Without
Any
Diff
`,
		diff:  "",
		title: "test empty patch",
	},
}