Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp1017125ybe;
        Fri, 13 Sep 2019 09:46:54 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwf6lc+lDliplpGxqE5lhsk4I6o3TABim7zoKkxlaOYgx7kHGFAi6+28MzArla2RL2HWmEE
X-Received: by 2002:a17:907:10c5:: with SMTP id rv5mr5288552ejb.262.1568393213931;
        Fri, 13 Sep 2019 09:46:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1568393213; cv=none;
        d=google.com; s=arc-20160816;
        b=U4btjfTev5Y6ys/9mdL78U5LcBSsTtlOmumt1FDa/bgRnLqnpjXFj220ARZ25cVVBv
         jC8dCN5r3qwYoY8YsWO9s3Wf5PiSGZlBJ3pOxBzOtvKFyA/gYDjr8TvzR8gRvu2Gymqr
         nqd7BpW1b8ZpKHDzoNYv/DHNSBE3QAApGvXAlqpbOh6eO1J5vWW1fPZNpEaqxS9oN8uQ
         vzrXZfySGegeJuJAMRy1+j/xl4zkXOGFluW4Iducn6zbT23wj/ohJTRsDY8Ztu924AMH
         TXSqzzXUls5Uw1ZkecGn0yGIimMltl6b/byx8FsJdDYV66UfsbYg7A37S8Ja/jCSpg7o
         W34w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:in-reply-to
         :subject:cc:to:from:date;
        bh=UGjEaX2FaGlykDWQ/qFxoYoZ+8OOb+hzPn/3gT/E58A=;
        b=FEJics1W3WYXAtE0LBbY0kNnmYOMMIv+XgZibmwor4jC66661sOiTb331pL4vZnI7d
         PvJYrjaWsXHGdodwcA8sfnqwdTt6eqyTi0VVyPWwvg1wqaEMBnO5v9bmkQ178UO0KMfk
         xp0SV/o02zSTU0ZxyyOhSSKJPcBSKaVTkU7l5Ap2sezPPLpXegSra1xpL5eLnJ6/upe4
         iyoOdv9VlQYOe/gQA4BbyAOhXXURDF2clTp9hrUlaN7dm9f6RoTr2Sg6c+DzPrgfvB6q
         DJZFmM1iu3eOpNwn5Klz0QpCFV0XI086tqrZYUO9PEXjGPS3Bjpbcs+iXc6XjQpwDigQ
         jJqQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id ch15si14967668ejb.59.2019.09.13.09.46.29;
        Fri, 13 Sep 2019 09:46:53 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2390308AbfIMPgb (ORCPT <rfc822;mailist1go@gmail.com>
        + 99 others); Fri, 13 Sep 2019 11:36:31 -0400
Received: from iolanthe.rowland.org ([192.131.102.54]:53686 "HELO
        iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with SMTP id S1728811AbfIMPga (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 13 Sep 2019 11:36:30 -0400
Received: (qmail 3387 invoked by uid 2102); 13 Sep 2019 11:36:30 -0400
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 13 Sep 2019 11:36:30 -0400
Date:   Fri, 13 Sep 2019 11:36:30 -0400 (EDT)
From:   Alan Stern <stern@rowland.harvard.edu>
X-X-Sender: stern@iolanthe.rowland.org
To:     Paolo Bonzini <pbonzini@redhat.com>
cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Vitaly Kuznetsov <vkuznets@redhat.com>, <kvm@vger.kernel.org>,
        <bp@alien8.de>, <carlo@caione.org>, <catalin.marinas@arm.com>,
        <devicetree@vger.kernel.org>, <hpa@zytor.com>,
        <jmattson@google.com>, <joro@8bytes.org>, <khilman@baylibre.com>,
        <linux-amlogic@lists.infradead.org>,
        <linux-arm-kernel@lists.infradead.org>,
        <linux-kernel@vger.kernel.org>, <mark.rutland@arm.com>,
        <mingo@redhat.com>, <narmstrong@baylibre.com>,
        <rkrcmar@redhat.com>, <robh+dt@kernel.org>,
        <sean.j.christopherson@intel.com>,
        <syzkaller-bugs@googlegroups.com>, <tglx@linutronix.de>,
        <wanpengli@tencent.com>, <will.deacon@arm.com>, <x86@kernel.org>,
        syzbot <syzbot+46f1dd7dbbe2bfb98b10@syzkaller.appspotmail.com>,
        Dmitry Vyukov <dvyukov@google.com>,
        USB list <linux-usb@vger.kernel.org>
Subject: Re: KASAN: slab-out-of-bounds Read in handle_vmptrld
In-Reply-To: <6a0ec3a2-2a52-f67a-6140-e0a60874538a@redhat.com>
Message-ID: <Pine.LNX.4.44L0.1909131129390.1466-100000@iolanthe.rowland.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 13 Sep 2019, Paolo Bonzini wrote:

> On 13/09/19 15:02, Greg Kroah-Hartman wrote:
> > Look at linux-next, we "should" have fixed up hcd_buffer_alloc() now to
> > not need this type of thing.  If we got it wrong, please let us know and
> > then yes, a fix like this would be most appreciated :)
> 
> I still see
> 
> 	/* some USB hosts just use PIO */
> 	if (!hcd_uses_dma(hcd)) {
> 		*dma = ~(dma_addr_t) 0;
> 		return kmalloc(size, mem_flags);
> 	}
> 
> in linux-next's hcd_buffer_alloc and also in usb.git's usb-next branch.
>  I also see the same
> 
> 	if (remap_pfn_range(vma, vma->vm_start,
> 			virt_to_phys(usbm->mem) >> PAGE_SHIFT,
> 			size, vma->vm_page_prot) < 0) {
> 		...
> 	}
> 
> in usbdev_mmap.  Of course it's possible that I'm looking at the wrong
> branch, or just being dense.

Have you seen

	https://marc.info/?l=linux-usb&m=156758511218419&w=2

?  It certainly is relevant, although Greg hasn't replied to it.

There have been other messages on the mailing list about this issue,
but I haven't tried to keep track of them.

Also, just warning about a non-page-aligned allocation doesn't really 
help.  It would be better to fix the misbehaving allocator.

Alan Stern