Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp7589675ybc; Thu, 28 Nov 2019 21:01:04 -0800 (PST) X-Google-Smtp-Source: APXvYqxHRSUcRCLuB8nfUEDpM7SDX263Y1WR8tA9FCkobmOBDvY4ooxPsbU+dxVnFrkFMUmLgvH/ X-Received: by 2002:aa7:d44a:: with SMTP id q10mr8499020edr.45.1575003664035; Thu, 28 Nov 2019 21:01:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1575003664; cv=none; d=google.com; s=arc-20160816; b=snAeKSdd2xkpTq4668zdEM5mq5BowqUe3F4fqQzkjCGWoj/Ujx4XbJN1CBqseVLeBI 3XA+UMJ4nrjpvRuHfvkPshNPUTDieg4fHFYO4OYotg/1d3mEyEyhkCcnT+VaET7r7WkH G+o47xv/klFYsmX6K/Zh0YPLB9mHoaz340nZEUppD58w75gKGIkxAvz0VmSKcG+jSf/o mSCT8Ii8/OFqv1b2GUu92EvwhVrNI3El92joC/JXlZ9jN7ssgzpy59PpkDarKO9WfpSG o1RadnXGeFSGpwCyHhR+rjj5NzCurh6kCUsXfLSrBBn/wkqGcBlN9Ihz8To2YCgAJIFm bKDg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from:dkim-signature; bh=xoMd8yYcGXm+uoq0RWTiodLw662TYcbpQ7twz+xDCPM=; b=zLMQ85ccV7n0CWcaJUHjkIWjCjgzTNzCh+fjC3eziy2ZSJ8SwlAruLcUMFrkWzBgiy RhOPTjNCW8CeY22CzcFFffAqOwTN/CDW4KixVLIJqauS8s9h1Q037V7ek6KldlP3GbKl +BNCtIoYvL4NG8LEG48YsExX4rRK7c+2UZVFTbzHsgQHCccfa01QGxUjFtLdk9XvYyAR nQNxd7rW4q/h1qlAuW9Crshgbhh/tHe6I3DlxxJnk+igcFBhaQ12hzMFjOq1+CvLdTtW 51EuwlOjEoB7kI/KVCVHZhYztbdyAY/THNgjWPksZWaCrG1a29MoGLb2qbPkbiqiYLXd Cp8g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ellerman.id.au header.s=201909 header.b=XUCEc+EW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m14si14461919edp.78.2019.11.28.21.00.39; Thu, 28 Nov 2019 21:01:04 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@ellerman.id.au header.s=201909 header.b=XUCEc+EW; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727007AbfK2E7h (ORCPT + 99 others); Thu, 28 Nov 2019 23:59:37 -0500 Received: from bilbo.ozlabs.org ([203.11.71.1]:36087 "EHLO ozlabs.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726800AbfK2E7h (ORCPT ); Thu, 28 Nov 2019 23:59:37 -0500 Received: from authenticated.ozlabs.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail.ozlabs.org (Postfix) with ESMTPSA id 47PMk93X45z9sPj; Fri, 29 Nov 2019 15:59:29 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ellerman.id.au; s=201909; t=1575003574; bh=19pJP6vUr4t2D8dTKyATaMi+48+ZIdMKG/tYr/jD0V4=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=XUCEc+EWpMdNAtEBbV6Q+/egdrVh/W32IvexKmcHnYsjLD0xi16QwSbsLC4qYb7b4 A1VJXiTd99K0L0/6tJzeKQVUY6D9EillQpyWjbLFOzBx0zaM5esGAtny4tJeLzHllH iTcEWCOA0BV8wDCCYwZbfXYy4+lQFR5nCPv82NbrwoVCx7BRZAJJbZFEvEPoB0W+c9 jk2hIV6o4DHGjqVs4DqFm5cb4sgoKKehvLdMGOnEmgzwCElzoV+epn1wEqm8+fYWdy RvtmHbSPilqsK9i+E83E2TLZehSShpi/OVLrshGEkBfoPJ+QTte4t7H1pqgY/Ac/A7 qbwrGIau+nrjg== From: Michael Ellerman To: Daniel Axtens , linux-kernel@vger.kernel.org, viro@zeniv.linux.org.uk Cc: akash.goel@intel.com, ajd@linux.ibm.com, Daniel Axtens , syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com, syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com, syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com, syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com Subject: Re: [PATCH] relay: handle alloc_percpu returning NULL in relay_open In-Reply-To: <20191129013745.7168-1-dja@axtens.net> References: <20191129013745.7168-1-dja@axtens.net> Date: Fri, 29 Nov 2019 15:59:27 +1100 Message-ID: <87d0dbffbk.fsf@mpe.ellerman.id.au> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Daniel Axtens writes: > alloc_percpu() may return NULL, which means chan->buf may be set to > NULL. In that case, when we do *per_cpu_ptr(chan->buf, ...), we > dereference an invalid pointer: > > BUG: Unable to handle kernel data access at 0x7dae0000 > Faulting instruction address: 0xc0000000003f3fec > ... > NIP [c0000000003f3fec] relay_open+0x29c/0x600 > LR [c0000000003f3fc0] relay_open+0x270/0x600 > Call Trace: > [c000000054353a70] [c0000000003f3fb4] relay_open+0x264/0x600 (unreliable) > [c000000054353b00] [c000000000451764] __blk_trace_setup+0x254/0x600 > [c000000054353bb0] [c000000000451b78] blk_trace_setup+0x68/0xa0 > [c000000054353c10] [c0000000010da77c] sg_ioctl+0x7bc/0x2e80 > [c000000054353cd0] [c000000000758cbc] do_vfs_ioctl+0x13c/0x1300 > [c000000054353d90] [c000000000759f14] ksys_ioctl+0x94/0x130 > [c000000054353de0] [c000000000759ff8] sys_ioctl+0x48/0xb0 > [c000000054353e20] [c00000000000bcd0] system_call+0x5c/0x68 > > Check if alloc_percpu returns NULL. Because we can readily catch and > handle this situation, switch to alloc_cpu_gfp and pass in __GFP_NOWARN. > > This was found by syzkaller both on x86 and powerpc, and the reproducer > it found on powerpc is capable of hitting the issue as an unprivileged > user. > > Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers") > Reported-by: syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com > Reported-by: syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com > Reported-by: syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com > Reported-by: syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com > Cc: Akash Goel > Cc: Andrew Donnellan # syzkaller-ppc64 > Cc: stable@vger.kernel.org # v4.10+ > Signed-off-by: Daniel Axtens ... > diff --git a/kernel/relay.c b/kernel/relay.c > index ade14fb7ce2e..a376cc6b54ec 100644 > --- a/kernel/relay.c > +++ b/kernel/relay.c > @@ -580,7 +580,13 @@ struct rchan *relay_open(const char *base_filename, > if (!chan) > return NULL; > > - chan->buf = alloc_percpu(struct rchan_buf *); > + chan->buf = alloc_percpu_gfp(struct rchan_buf *, > + GFP_KERNEL | __GFP_NOWARN); > + if (!chan->buf) { > + kfree(chan); > + return NULL; > + } > + > chan->version = RELAYFS_CHANNEL_VERSION; > chan->n_subbufs = n_subbufs; > chan->subbuf_size = subbuf_size; This looks right to me. The kfree + direct return is correct, there's nothing else that needs tear down in this function. I think I'm 50/50 on the __GFP_NOWARN. We're only asking for 8 bytes per cpu, and if that fails the system is pretty sick, so a warning could be helpful. There's also logic in the percpu allocator to limit the number of warnings printed. But see what others think. Reviewed-by: Michael Ellerman cheers