Subject: Re: KASAN: slab-out-of-bounds Read in handle_vmptrld
To: Alan Stern
Cc: Greg Kroah-Hartman, Vitaly Kuznetsov, kvm@vger.kernel.org, bp@alien8.de, carlo@caione.org, catalin.marinas@arm.com, devicetree@vger.kernel.org, hpa@zytor.com, jmattson@google.com, joro@8bytes.org, khilman@baylibre.com, linux-amlogic@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, mark.rutland@arm.com, mingo@redhat.com, narmstrong@baylibre.com, rkrcmar@redhat.com, robh+dt@kernel.org, sean.j.christopherson@intel.com, syzkaller-bugs@googlegroups.com, tglx@linutronix.de, wanpengli@tencent.com, will.deacon@arm.com, x86@kernel.org, syzbot, Dmitry Vyukov, USB list
References:
From: Paolo Bonzini
Message-ID: <1a8a6449-2740-b0a3-805a-47466e0d71c6@redhat.com>
Date: Fri, 13 Sep 2019 18:14:26 +0200
In-Reply-To:
X-Mailing-List: linux-kernel@vger.kernel.org

On 13/09/19 17:36, Alan Stern wrote:
> On Fri, 13 Sep 2019, Paolo Bonzini wrote:
>
>> On 13/09/19 15:02, Greg Kroah-Hartman wrote:
>>> Look at linux-next, we "should" have fixed up hcd_buffer_alloc() now to
>>> not need this type of thing.  If we got it wrong, please let us know and
>>> then yes, a fix like this would be most appreciated :)
>>
>> I still see
>>
>>         /* some USB hosts just use PIO */
>>         if (!hcd_uses_dma(hcd)) {
>>                 *dma = ~(dma_addr_t) 0;
>>                 return kmalloc(size, mem_flags);
>>         }
>>
>> in linux-next's hcd_buffer_alloc and also in usb.git's usb-next branch.
>> I also see the same
>>
>>         if (remap_pfn_range(vma, vma->vm_start,
>>                         virt_to_phys(usbm->mem) >> PAGE_SHIFT,
>>                         size, vma->vm_page_prot) < 0) {
>>                 ...
>>         }
>>
>> in usbdev_mmap.  Of course it's possible that I'm looking at the wrong
>> branch, or just being dense.
>
> Have you seen
>
>         https://marc.info/?l=linux-usb&m=156758511218419&w=2
>
> ?

It certainly is relevant, although Greg hasn't replied to it.  It helps
but it's not a full fix, since the address would fail is_vmalloc_addr.
On top of that, hcd_buffer_alloc and hcd_buffer_free need to switch from
kmalloc to vmalloc.

> Also, just warning about a non-page-aligned allocation doesn't really
> help.  It would be better to fix the misbehaving allocator.

Of course.  The above patch does not fix the issue, it should just allow
for an easier reproduction not involving KVM.  More long term, it points
out where the contracts mismatch (i.e. between hcd_buffer_alloc and
usb_alloc_coherent), and more selfishly whose bug it is when syzkaller
complains. :)

Paolo
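The contract mismatch discussed above (hcd_buffer_alloc handing back kmalloc memory for PIO-only hosts, while usbdev_mmap passes that address to remap_pfn_range, which maps whole page frames) can be modelled in user space. The following is an added example, not code from this thread or from the kernel; it assumes a 4 KiB page and constructed addresses, and shows how many bytes of neighbouring slab memory a non-page-aligned buffer would expose through such a mapping, alongside the check a buffer must pass before it is mapped.

```c
/* Added example: user-space model of the page-alignment assumption behind
 * a remap_pfn_range(vma, vm_start, virt_to_phys(buf) >> PAGE_SHIFT, size,
 * prot) call.  The mapping starts at the page containing buf and covers
 * whole pages, so a buffer that is not page-aligned (as kmalloc memory may
 * be) also exposes the bytes before and after it in the same page(s),
 * i.e. neighbouring slab objects.  PAGE_SIZE is assumed to be 4096. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096ULL
#define PAGE_MASK (~(PAGE_SIZE - 1))

struct exposure {
    uint64_t map_start;   /* first mapped byte (page-aligned) */
    uint64_t map_end;     /* one past the last mapped byte */
    uint64_t before;      /* foreign bytes exposed below the buffer */
    uint64_t after;       /* foreign bytes exposed above the buffer */
};

/* Model the mapping: round buf down to its page, cover enough whole pages
 * to hold size bytes, and report how much of that span is not the buffer. */
struct exposure model_remap(uint64_t buf, uint64_t size)
{
    struct exposure e;
    uint64_t span = (size + PAGE_SIZE - 1) & PAGE_MASK;
    e.map_start = buf & PAGE_MASK;
    e.map_end = e.map_start + span;
    e.before = buf - e.map_start;
    e.after = e.map_end > buf + size ? e.map_end - (buf + size) : 0;
    return e;
}

/* The contract a buffer must satisfy before being handed to a page-granular
 * mapping: page-aligned start and a whole number of pages, so that nothing
 * outside the buffer is exposed. */
int safe_to_remap(uint64_t buf, uint64_t size)
{
    return (buf & ~PAGE_MASK) == 0 && (size & ~PAGE_MASK) == 0;
}

int main(void)
{
    /* Constructed addresses: a kmalloc-style object 64 bytes into a page
     * versus a page-aligned, page-sized buffer. */
    struct exposure k = model_remap(0xffff888012345040ULL, 1024);
    struct exposure v = model_remap(0xffff888012346000ULL, 4096);
    printf("kmalloc-style: %llu bytes before, %llu after, safe=%d\n",
           (unsigned long long)k.before, (unsigned long long)k.after,
           safe_to_remap(0xffff888012345040ULL, 1024));
    printf("page-aligned : %llu bytes before, %llu after, safe=%d\n",
           (unsigned long long)v.before, (unsigned long long)v.after,
           safe_to_remap(0xffff888012346000ULL, 4096));
    return 0;
}
```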