Hi!
I've got the following error report while running the syzkaller fuzzer.
A reproducer is attached.
On commit d8e435f3ab6fea2ea324dce72b51dd7761747523 (Nov 26).
------------[ cut here ]------------
WARNING: CPU: 0 PID: 4009 at mm/page_alloc.c:3511
__alloc_pages_slowpath+0x3d4/0x1bf0
Modules linked in:
CPU: 0 PID: 4009 Comm: a.out Not tainted 4.9.0-rc6+ #54
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffff88006832f8a8 ffffffff81c73b14 0000000000000000 0000000000000000
ffffffff842c6320 0000000000000000 ffff88006832f8f0 ffffffff8123dc57
ffff880067d86000 ffffffff00000db7 ffffffff842c6320 0000000000000db7
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff81c73b14>] dump_stack+0xb3/0x10f lib/dump_stack.c:51
[<ffffffff8123dc57>] __warn+0x1a7/0x1f0 kernel/panic.c:550
[<ffffffff8123de6c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
[<ffffffff81559b04>] __alloc_pages_slowpath+0x3d4/0x1bf0 mm/page_alloc.c:3511
[<ffffffff8155b8e2>] __alloc_pages_nodemask+0x5c2/0x710 mm/page_alloc.c:3781
[<ffffffff816236a4>] alloc_pages_current+0xf4/0x400 mm/mempolicy.c:2072
[< inline >] alloc_pages ./include/linux/gfp.h:469
[<ffffffff815a834f>] kmalloc_order+0x1f/0x70 mm/slab_common.c:1015
[<ffffffff815a83bf>] kmalloc_order_trace+0x1f/0x160 mm/slab_common.c:1026
[< inline >] kmalloc_large ./include/linux/slab.h:422
[<ffffffff81635e67>] __kmalloc_track_caller+0x227/0x2a0 mm/slub.c:4233
[<ffffffff8159932c>] memdup_user+0x2c/0xa0 mm/util.c:137
[<ffffffff8369e0de>] raw_setsockopt+0x1be/0x9f0 net/can/raw.c:506
[< inline >] SYSC_setsockopt net/socket.c:1757
[<ffffffff82ca10c4>] SyS_setsockopt+0x154/0x240 net/socket.c:1736
[<ffffffff840f2901>] entry_SYSCALL_64_fastpath+0x1f/0xc2
arch/x86/entry/entry_64.S:209
---[ end trace bc80556cca970089 ]---
On 12/02/2016 01:43 PM, Andrey Konovalov wrote:
> Hi!
>
> I've got the following error report while running the syzkaller fuzzer.
>
> A reproducer is attached.
>
> On commit d8e435f3ab6fea2ea324dce72b51dd7761747523 (Nov 26).
>
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 4009 at mm/page_alloc.c:3511
> __alloc_pages_slowpath+0x3d4/0x1bf0
> Modules linked in:
> CPU: 0 PID: 4009 Comm: a.out Not tainted 4.9.0-rc6+ #54
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> ffff88006832f8a8 ffffffff81c73b14 0000000000000000 0000000000000000
> ffffffff842c6320 0000000000000000 ffff88006832f8f0 ffffffff8123dc57
> ffff880067d86000 ffffffff00000db7 ffffffff842c6320 0000000000000db7
> Call Trace:
> [< inline >] __dump_stack lib/dump_stack.c:15
> [<ffffffff81c73b14>] dump_stack+0xb3/0x10f lib/dump_stack.c:51
> [<ffffffff8123dc57>] __warn+0x1a7/0x1f0 kernel/panic.c:550
> [<ffffffff8123de6c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
> [<ffffffff81559b04>] __alloc_pages_slowpath+0x3d4/0x1bf0 mm/page_alloc.c:3511
> [<ffffffff8155b8e2>] __alloc_pages_nodemask+0x5c2/0x710 mm/page_alloc.c:3781
> [<ffffffff816236a4>] alloc_pages_current+0xf4/0x400 mm/mempolicy.c:2072
> [< inline >] alloc_pages ./include/linux/gfp.h:469
> [<ffffffff815a834f>] kmalloc_order+0x1f/0x70 mm/slab_common.c:1015
> [<ffffffff815a83bf>] kmalloc_order_trace+0x1f/0x160 mm/slab_common.c:1026
> [< inline >] kmalloc_large ./include/linux/slab.h:422
> [<ffffffff81635e67>] __kmalloc_track_caller+0x227/0x2a0 mm/slub.c:4233
> [<ffffffff8159932c>] memdup_user+0x2c/0xa0 mm/util.c:137
> [<ffffffff8369e0de>] raw_setsockopt+0x1be/0x9f0 net/can/raw.c:506
We should add a check for a sensible optlen....
> static int raw_setsockopt(struct socket *sock, int level, int optname,
> char __user *optval, unsigned int optlen)
> {
> struct sock *sk = sock->sk;
> struct raw_sock *ro = raw_sk(sk);
> struct can_filter *filter = NULL; /* dyn. alloc'ed filters */
> struct can_filter sfilter; /* single filter */
> struct net_device *dev = NULL;
> can_err_mask_t err_mask = 0;
> int count = 0;
> int err = 0;
>
> if (level != SOL_CAN_RAW)
> return -EINVAL;
>
> switch (optname) {
>
> case CAN_RAW_FILTER:
> if (optlen % sizeof(struct can_filter) != 0)
> return -EINVAL;
here...
if (optlen > 64 * sizeof(struct can_filter))
return -EINVAL;
>
> count = optlen / sizeof(struct can_filter);
>
> if (count > 1) {
> /* filter does not fit into dfilter => alloc space */
> filter = memdup_user(optval, optlen);
> if (IS_ERR(filter))
> return PTR_ERR(filter);
> } else if (count == 1) {
> if (copy_from_user(&sfilter, optval, sizeof(sfilter)))
> return -EFAULT;
> }
>
> lock_sock(sk);
Marc
--
Pengutronix e.K. | Marc Kleine-Budde |
Industrial Linux Solutions | Phone: +49-231-2826-924 |
Vertretung West/Dortmund | Fax: +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686 | http://www.pengutronix.de |
On 12/02/2016 02:24 PM, Marc Kleine-Budde wrote:
> On 12/02/2016 01:43 PM, Andrey Konovalov wrote:
>> [<ffffffff8369e0de>] raw_setsockopt+0x1be/0x9f0 net/can/raw.c:506
>
> We should add a check for a sensible optlen....
>
>> static int raw_setsockopt(struct socket *sock, int level, int optname,
>> char __user *optval, unsigned int optlen)
>> {
>> struct sock *sk = sock->sk;
>> struct raw_sock *ro = raw_sk(sk);
>> struct can_filter *filter = NULL; /* dyn. alloc'ed filters */
>> struct can_filter sfilter; /* single filter */
>> struct net_device *dev = NULL;
>> can_err_mask_t err_mask = 0;
>> int count = 0;
>> int err = 0;
>>
>> if (level != SOL_CAN_RAW)
>> return -EINVAL;
>>
>> switch (optname) {
>>
>> case CAN_RAW_FILTER:
>> if (optlen % sizeof(struct can_filter) != 0)
>> return -EINVAL;
>
> here...
>
> if (optlen > 64 * sizeof(struct can_filter))
> return -EINVAL;
>
Agreed.
But what is sensible here?
64 filters is way to small IMO.
When thinking about picking a bunch of single CAN IDs I would tend to
something like 512 filters.
Regards,
Oliver
>>
>> count = optlen / sizeof(struct can_filter);
>>
>> if (count > 1) {
>> /* filter does not fit into dfilter => alloc space */
>> filter = memdup_user(optval, optlen);
>> if (IS_ERR(filter))
>> return PTR_ERR(filter);
>> } else if (count == 1) {
>> if (copy_from_user(&sfilter, optval, sizeof(sfilter)))
>> return -EFAULT;
>> }
>>
>> lock_sock(sk);
>
> Marc
>
On 12/02/2016 04:11 PM, Oliver Hartkopp wrote:
>
>
> On 12/02/2016 02:24 PM, Marc Kleine-Budde wrote:
>> On 12/02/2016 01:43 PM, Andrey Konovalov wrote:
>
>
>>> [<ffffffff8369e0de>] raw_setsockopt+0x1be/0x9f0 net/can/raw.c:506
>>
>> We should add a check for a sensible optlen....
>>
>>> static int raw_setsockopt(struct socket *sock, int level, int optname,
>>> char __user *optval, unsigned int optlen)
>>> {
>>> struct sock *sk = sock->sk;
>>> struct raw_sock *ro = raw_sk(sk);
>>> struct can_filter *filter = NULL; /* dyn. alloc'ed filters */
>>> struct can_filter sfilter; /* single filter */
>>> struct net_device *dev = NULL;
>>> can_err_mask_t err_mask = 0;
>>> int count = 0;
>>> int err = 0;
>>>
>>> if (level != SOL_CAN_RAW)
>>> return -EINVAL;
>>>
>>> switch (optname) {
>>>
>>> case CAN_RAW_FILTER:
>>> if (optlen % sizeof(struct can_filter) != 0)
>>> return -EINVAL;
>>
>> here...
>>
>> if (optlen > 64 * sizeof(struct can_filter))
>> return -EINVAL;
>>
>
> Agreed.
>
> But what is sensible here?
> 64 filters is way to small IMO.
>
> When thinking about picking a bunch of single CAN IDs I would tend to
> something like 512 filters.
Ok - 64 was just an arbitrary chosen value for demonstration purposes :)
Marc
--
Pengutronix e.K. | Marc Kleine-Budde |
Industrial Linux Solutions | Phone: +49-231-2826-924 |
Vertretung West/Dortmund | Fax: +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686 | http://www.pengutronix.de |
On 12/02/2016 04:42 PM, Marc Kleine-Budde wrote:
> On 12/02/2016 04:11 PM, Oliver Hartkopp wrote:
>>
>>
>> On 12/02/2016 02:24 PM, Marc Kleine-Budde wrote:
>>> On 12/02/2016 01:43 PM, Andrey Konovalov wrote:
>>
>>
>>>> [<ffffffff8369e0de>] raw_setsockopt+0x1be/0x9f0 net/can/raw.c:506
>>>
>>> We should add a check for a sensible optlen....
>>>
>>>> static int raw_setsockopt(struct socket *sock, int level, int optname,
>>>> char __user *optval, unsigned int optlen)
>>>> {
>>>> struct sock *sk = sock->sk;
>>>> struct raw_sock *ro = raw_sk(sk);
>>>> struct can_filter *filter = NULL; /* dyn. alloc'ed filters */
>>>> struct can_filter sfilter; /* single filter */
>>>> struct net_device *dev = NULL;
>>>> can_err_mask_t err_mask = 0;
>>>> int count = 0;
>>>> int err = 0;
>>>>
>>>> if (level != SOL_CAN_RAW)
>>>> return -EINVAL;
>>>>
>>>> switch (optname) {
>>>>
>>>> case CAN_RAW_FILTER:
>>>> if (optlen % sizeof(struct can_filter) != 0)
>>>> return -EINVAL;
>>>
>>> here...
>>>
>>> if (optlen > 64 * sizeof(struct can_filter))
>>> return -EINVAL;
>>>
>>
>> Agreed.
>>
>> But what is sensible here?
>> 64 filters is way to small IMO.
>>
>> When thinking about picking a bunch of single CAN IDs I would tend to
>> something like 512 filters.
>
> Ok - 64 was just an arbitrary chosen value for demonstration purposes :)
>
:-)
Would you like to send a patch?
Regards,
Oliver
On 12/02/2016 06:05 PM, Oliver Hartkopp wrote:
>
>
> On 12/02/2016 04:42 PM, Marc Kleine-Budde wrote:
>> On 12/02/2016 04:11 PM, Oliver Hartkopp wrote:
>>>
>>>
>>> On 12/02/2016 02:24 PM, Marc Kleine-Budde wrote:
>>>> On 12/02/2016 01:43 PM, Andrey Konovalov wrote:
>>>
>>>
>>>>> [<ffffffff8369e0de>] raw_setsockopt+0x1be/0x9f0 net/can/raw.c:506
>>>>
>>>> We should add a check for a sensible optlen....
>>>>
>>>>> static int raw_setsockopt(struct socket *sock, int level, int optname,
>>>>> char __user *optval, unsigned int optlen)
>>>>> {
>>>>> struct sock *sk = sock->sk;
>>>>> struct raw_sock *ro = raw_sk(sk);
>>>>> struct can_filter *filter = NULL; /* dyn. alloc'ed filters */
>>>>> struct can_filter sfilter; /* single filter */
>>>>> struct net_device *dev = NULL;
>>>>> can_err_mask_t err_mask = 0;
>>>>> int count = 0;
>>>>> int err = 0;
>>>>>
>>>>> if (level != SOL_CAN_RAW)
>>>>> return -EINVAL;
>>>>>
>>>>> switch (optname) {
>>>>>
>>>>> case CAN_RAW_FILTER:
>>>>> if (optlen % sizeof(struct can_filter) != 0)
>>>>> return -EINVAL;
>>>>
>>>> here...
>>>>
>>>> if (optlen > 64 * sizeof(struct can_filter))
>>>> return -EINVAL;
>>>>
>>>
>>> Agreed.
>>>
>>> But what is sensible here?
>>> 64 filters is way to small IMO.
>>>
>>> When thinking about picking a bunch of single CAN IDs I would tend to
>>> something like 512 filters.
>>
>> Ok - 64 was just an arbitrary chosen value for demonstration purposes :)
>>
>
> :-)
>
> Would you like to send a patch?
Yes, how many Filters? 512? Can you test, as I don't have the setup ready?
Marc
--
Pengutronix e.K. | Marc Kleine-Budde |
Industrial Linux Solutions | Phone: +49-231-2826-924 |
Vertretung West/Dortmund | Fax: +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686 | http://www.pengutronix.de |