Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2609402imu; Tue, 6 Nov 2018 18:30:36 -0800 (PST) X-Google-Smtp-Source: AJdET5cj2OEufG8FMgREvsUy6DWjc0mpGmxKMGXfiME7+l6r6zo9xtZu7Nh4rJ3FcYWqtdba1O8H X-Received: by 2002:a63:64c:: with SMTP id 73mr32805pgg.373.1541557836297; Tue, 06 Nov 2018 18:30:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541557836; cv=none; d=google.com; s=arc-20160816; b=0euqoyJCUtr0UQa4/c5NkoT2BpH7qBGYT0XFxv49qrnysdedtOaecz2JqZQMt8MyXC eZtjDQ4wlpmJOmkgmB/WzwpVDdX44OIt76lpvn8To9qOeXbAtCN6gnNEfi47paXE/rJb DI/SIoyB5xthJepVA35bVcTfoxnpGBzEb9F4sH0qjerbaw25RvYH97PUoAgztjV7uZpa TBZc03/tTj4pB+PrlWE2M95mTPsSyWYdHUSaWox+PyaaqcPJYLAJXXvoBCKDMLc7bk1r 49asbuNjZPQPzddHS3e1nbbCJveclvghIR7/sOqzVl/0nE6t9XzWV9U6wk+J95lzm4LQ WjhQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature; bh=D5dO5U7xUR43RpvzcZ2rmGU+/p/HCB+fIKQOcJYLgGU=; b=WajPcgr+dBfAk5+adMQFZo7o+FGmkYQ2YS+7Gj4nUCmxklZtmkrQuJzq2dJCZtft0z yRalr6p4f1r45fj6t6MOaI2Hmtc+2ikLDg2aUFBWhJtC820WDhTy3T9rN5BEpV6+hT7E vbrCsy8z/azxQbQ99OzfXbtfo+RZ2WKvG1Fxx7qJH37ewNdHlVspTYkdlr53vDVsqvPD aeAcarUzBPMHpe0WGs/EOGnjHQdmfLnEyCr9T9Artp7nYKcZCN6qn27IjzE2XZm7qfqN 523bTKrkIpFqDgaW69VBPmLSBsxNJQKC6/982ywkJMEoh561qjpPNVVlfQ0wQg8pIRgm Te3g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ujzdOS6x; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a62-v6si12240661pfb.266.2018.11.06.18.30.20; Tue, 06 Nov 2018 18:30:36 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ujzdOS6x; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389190AbeKGL6R (ORCPT + 99 others); Wed, 7 Nov 2018 06:58:17 -0500 Received: from mail-it1-f196.google.com ([209.85.166.196]:52099 "EHLO mail-it1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727749AbeKGL6R (ORCPT ); Wed, 7 Nov 2018 06:58:17 -0500 Received: by mail-it1-f196.google.com with SMTP id h13so20937179itl.1 for ; Tue, 06 Nov 2018 18:29:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=D5dO5U7xUR43RpvzcZ2rmGU+/p/HCB+fIKQOcJYLgGU=; b=ujzdOS6xFW2hiVk1V9AYvhElBp2d4T9sskfhOC6OYbJzdgz66piwQmGF6XuNSeUgxO PwmIQiSx2Jkz/XN8gSXfa5UxeoYRd5tRuUt5qGC8G7KIDs+PTD9qDDlZ5hjX1Y9WfDuC b6bqcMOmjwmtSNp05APgv+4BhNxH+am98CVnzlTSBWh5Xg7gBx4kv9xSgmsP5/SEnkpE P/EF0wTj77JAk6AQ3Yv1FvL4RWcr7iCXLcVnVY09TDVhrBW/oReX79CtUQd0nQ+pEhX/ j8Ah2hHzWcKcdQpAhvNjsNZuNYxq7wmbO+ARHaKyYSkLx9ag/v35ijjXduKpJ5jLmGNb YMdQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=D5dO5U7xUR43RpvzcZ2rmGU+/p/HCB+fIKQOcJYLgGU=; b=pZjWGI8k2/OUQHa/QWY3Xu3UYxzMOWsoshLRa7cH/H2F7fbf/BkifB5gaNU3tXOMpq s0p8htqbI120JmUTFpd9LqWYS6a10JBJM3Q8wapa8UX/p9a8y8i76DvW+QKBszXDifsb c6Q89Y4W+BZ/LdBg5AzvB7mXpLqtgJl3IqDBwU4iL0fDwzforw0l+5KwrDWxVVWSfyUq 1QNKDyA/shfy8xt784kELpi+ywOxKwJL0n7FoagLegfw/fLJBN8pIOWBZNJmoqaBcd26 3epkkIkwBqlVMWAm6Gr2UGfD3EH/DbuIoMstpOIlOyWSPjw+hkpTt+kYY2olc4QTB8JC +82Q== X-Gm-Message-State: AGRZ1gKn54QXxXNq3Rve2W3d5hCxMh8rUD0R9zzEK2u6LvSjeMyhvDgy KKxkfB71aOgT12FMastAmJB23qMkRjbbecqZ0umPVA== X-Received: by 2002:a24:bd84:: with SMTP id x126-v6mr342898ite.144.1541557797313; Tue, 06 Nov 2018 18:29:57 -0800 (PST) MIME-Version: 1.0 Received: by 2002:a02:b01b:0:0:0:0:0 with HTTP; Tue, 6 Nov 2018 18:29:36 -0800 (PST) In-Reply-To: <20181102223908.GA9565@nautica> References: <0000000000009d4c780579b04ee4@google.com> <20181102223908.GA9565@nautica> From: Dmitry Vyukov Date: Tue, 6 Nov 2018 18:29:36 -0800 Message-ID: Subject: Re: WARNING in kmem_cache_create_usercopy To: Dominique Martinet Cc: syzbot , David Miller , Eric Van Hensbergen , LKML , Latchesar Ionkov , netdev , syzkaller-bugs@googlegroups.com, v9fs-developer@lists.sourceforge.net Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Nov 2, 2018 at 3:39 PM, Dominique Martinet wrote: > syzbot wrote on Fri, Nov 02, 2018: >> RIP: 0010:kmem_cache_create_usercopy+0xad/0x240 mm/slab_common.c:473 >> Code: 44 89 f0 25 00 60 de 04 45 85 ed 89 45 cc 75 0b 8b 45 d0 85 c0 >> 0f 85 8e 01 00 00 44 39 eb 72 0a 89 d8 44 29 e8 3b 45 d0 73 7e <0f> >> 0b c7 45 d0 00 00 00 00 4c 8b 45 10 44 89 fa 89 de 4c 89 e7 8b >> RSP: 0018:ffff8801bc23f5d0 EFLAGS: 00010213 >> RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000000006 >> RDX: 0000000000000000 RSI: 0000000000000020 RDI: ffffffff88b04b20 >> RBP: ffff8801bc23f608 R08: fffffbfff1283a2d R09: fffffbfff1283a2c >> R10: ffff8801bc23f5c0 R11: ffffffff8941d167 R12: ffffffff88b04b20 >> R13: 00000000fffffffd R14: 0000000000000000 R15: 0000000000000000 >> p9_client_create+0xa58/0x1769 net/9p/client.c:1054 > > No lower bound on msize, the reproducer gives a reply from the > pseudo-server with msize=8 and we happily take it, underflowing the > msize - 11 (hdr+4) argument to kmem_cache_create_usercopy... > This probably never worked anyway, but we now get a warning :) > > > We need to add a sane lower bound to msize as well as the current upper > bound set in the transport. > We have some header sizes in 9p.h for IO header overhead (P9_IOHDRSZ to > 24 for example) but I think that's too low in practice; stuff like > readdir will require more than this to get a single entry... We can > request the server to ask for at least 4k? > 9p would probably work with less (e.g. 1k; I'd rather not have to > figgure the minimum length we need to get each messages to work in its > minimal form) but honestly even with 4k the perforamnces will be > terrible, so tempted to go with that... > > I'll send a patch imposing 4k next week unless someone else does first, > or replies indicate different preferences. > > > @Dmitry: semi-related, the C reproducer ( > https://syzkaller.appspot.com/x/repro.c?x=1701f831400000 ) has a lot of > "readable" letters spelled out as "\x63..." or chars as 0x3d - it's fine > for generated code and that might be easier for the intermediate > representation syzkaller works with, but do you know something handy > that would help convert these to readable strings? > e.g. "\x63\x61\x63\x68\x65\x3d\xc0\x6d\x61\x70" could be written > "cache=\xc0map", and 0x3d as '=' (hm I guess the later would not always > make sense to convert so probably best left as is, but it gets annoying > pretty fast with longer strings) Hi Dominique, I've filed https://github.com/google/syzkaller/issues/792 for this. Thanks for the feedback.