From: Björn Töpel
Date: Sun, 10 Jun 2018 15:03:14 +0200
Subject: Re: WARNING: kmalloc bug in xdp_umem_create
To: penguin-kernel@i-love.sakura.ne.jp
Cc: dvyukov@google.com, syzbot+4abadc5d69117b346506@syzkaller.appspotmail.com, Björn Töpel, "Karlsson, Magnus", David Miller, LKML, Netdev, syzkaller-bugs@googlegroups.com
List-ID: linux-kernel@vger.kernel.org
References: <00000000000092de58056e3d4b96@google.com> <10d6b170-b820-3077-8737-c9d06e98d0fb@I-love.SAKURA.ne.jp> <13f6777a-2170-d0cc-1066-1b48a27ec981@i-love.sakura.ne.jp>
In-Reply-To: <13f6777a-2170-d0cc-1066-1b48a27ec981@i-love.sakura.ne.jp>

On Sun, 10 Jun 2018 at 14:53, Tetsuo Handa wrote:
>
> On 2018/06/10 20:52, Dmitry Vyukov wrote:
> > On Sun, Jun 10, 2018 at 11:31 AM, Björn Töpel wrote:
> >> On Sun, 10 Jun 2018 at 04:53, Tetsuo Handa wrote:
> >>>
> >>> On 2018/06/10 7:47, syzbot wrote:
> >>>> Hello,
> >>>>
> >>>> syzbot found the following crash on:
> >>>>
> >>>> HEAD commit:    7d3bf613e99a Merge tag 'libnvdimm-for-4.18' of git://git.k..
> >>>> git tree:       upstream
> >>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1073f68f800000
> >>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=f04d8d0a2afb789a
> >>>> dashboard link: https://syzkaller.appspot.com/bug?extid=4abadc5d69117b346506
> >>>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> >>>> syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=13c9756f800000
> >>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16366f9f800000
> >>>>
> >>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >>>> Reported-by: syzbot+4abadc5d69117b346506@syzkaller.appspotmail.com
> >>>>
> >>>> random: sshd: uninitialized urandom read (32 bytes read)
> >>>> random: sshd: uninitialized urandom read (32 bytes read)
> >>>> random: sshd: uninitialized urandom read (32 bytes read)
> >>>> random: sshd: uninitialized urandom read (32 bytes read)
> >>>> random: sshd: uninitialized urandom read (32 bytes read)
> >>>> WARNING: CPU: 1 PID: 4537 at mm/slab_common.c:996 kmalloc_slab+0x56/0x70 mm/slab_common.c:996
> >>>> Kernel panic - not syncing: panic_on_warn set ...
> >>>
> >>> syzbot gave up upon kmalloc(), but actually the error handling path has
> >>> a NULL pointer dereference bug.
> >>>
> >>
> >> Thanks Tetsuo! This crash has been fixed by Daniel Borkmann in commit
> >> c09290c56376 ("bpf, xdp: fix crash in xdp_umem_unaccount_pages").
> >
> > Let's tell syzbot about this:
> >
> > #syz fix: bpf, xdp: fix crash in xdp_umem_unaccount_pages
> >
> >
> Excuse me, but that patch fixes the NULL pointer dereference which occurs after kmalloc()'s
> "WARNING: CPU: 1 PID: 4537 at mm/slab_common.c:996 kmalloc_slab+0x56/0x70 mm/slab_common.c:996"
> message. That is, the "Too large memory allocation" itself is not yet fixed.

The code relies on the sl{u,a,o}b layer saying no, and the setsockopt
bails out. The warning could be opted out of using __GFP_NOWARN. Is there
another preferred way?

Two get_user_pages calls, where the first call would set pages to NULL
just to fault the region? Walk the process' VMAs? Something else?

Björn
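The size-validation question the thread leaves open, as an added userspace C illustration that is not part of the thread or of the kernel's xsk code: the user-supplied region length is checked for alignment, address wrap-around and a policy cap before the page-pointer array is sized, so an oversized request is rejected at the setsockopt boundary instead of relying on the allocator to refuse it. PAGE_SZ, MAX_UMEM_PAGES and both function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed limits standing in for kernel values (assumptions, not taken
 * from the thread): a 4 KiB page and a hypothetical cap on how many pages
 * one registration may pin. The cap is enforced before any allocation. */
#define PAGE_SZ        4096UL
#define MAX_UMEM_PAGES (1UL << 20)

/* Returns 0 and sets *npages when (addr, len) describes a sane page-aligned
 * region, -1 otherwise. Checks run in the order a setsockopt handler would
 * apply them: alignment, zero length, address-range wrap, then the cap. */
int umem_validate(uint64_t addr, uint64_t len, uint64_t *npages)
{
    if (addr % PAGE_SZ || len % PAGE_SZ || len == 0)
        return -1;
    if (addr > UINT64_MAX - len)        /* addr + len would wrap around */
        return -1;
    *npages = len / PAGE_SZ;
    if (*npages > MAX_UMEM_PAGES)       /* reject before touching the allocator */
        return -1;
    return 0;
}

/* Allocates the page-pointer array only after validation succeeds, with an
 * explicit overflow check on npages * sizeof(void *) (the check a kcalloc-style
 * helper performs internally). NULL means "bail out", as the setsockopt path
 * would with -EINVAL/-ENOMEM. */
void **umem_pages_alloc(uint64_t addr, uint64_t len, uint64_t *npages)
{
    if (umem_validate(addr, len, npages))
        return NULL;
    if (*npages > SIZE_MAX / sizeof(void *))
        return NULL;
    return calloc((size_t)*npages, sizeof(void *));
}

int main(void)
{
    uint64_t n = 0;
    void **pgs = umem_pages_alloc(0x10000, 4 * PAGE_SZ, &n);
    printf("sane request: %s, %llu pages\n", pgs ? "accepted" : "rejected",
           (unsigned long long)n);
    free(pgs);
    pgs = umem_pages_alloc(0, (MAX_UMEM_PAGES + 1) * PAGE_SZ, &n);
    printf("oversized request: %s\n", pgs ? "accepted" : "rejected");
    return 0;
}
```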