From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com, syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com, syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com, syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com, Daniel Axtens, Andrew Morton, Michael Ellerman, Andrew Donnellan, David Rientjes, Akash Goel, Guenter Roeck, Salvatore Bonaccorso, Linus Torvalds
Subject: [PATCH 4.19 07/28] kernel/relay.c: handle alloc_percpu returning NULL in relay_open
Date: Fri, 5 Jun 2020 16:15:09 +0200
Message-Id: <20200605140252.766450436@linuxfoundation.org>
In-Reply-To: <20200605140252.338635395@linuxfoundation.org>
References: <20200605140252.338635395@linuxfoundation.org>
From: Daniel Axtens

commit 54e200ab40fc14c863bcc80a51e20b7906608fce upstream.

alloc_percpu() may return NULL, which means chan->buf may be set to NULL.
In that case, when we do *per_cpu_ptr(chan->buf, ...), we dereference an
invalid pointer:

BUG: Unable to handle kernel data access at 0x7dae0000
Faulting instruction address: 0xc0000000003f3fec
...
NIP relay_open+0x29c/0x600
LR relay_open+0x270/0x600
Call Trace:
   relay_open+0x264/0x600 (unreliable)
   __blk_trace_setup+0x254/0x600
   blk_trace_setup+0x68/0xa0
   sg_ioctl+0x7bc/0x2e80
   do_vfs_ioctl+0x13c/0x1300
   ksys_ioctl+0x94/0x130
   sys_ioctl+0x48/0xb0
   system_call+0x5c/0x68

Check if alloc_percpu returns NULL.

This was found by syzkaller both on x86 and powerpc, and the reproducer
it found on powerpc is capable of hitting the issue as an unprivileged
user.

Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers")
Reported-by: syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com
Reported-by: syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com
Reported-by: syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com
Reported-by: syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com
Signed-off-by: Daniel Axtens
Signed-off-by: Andrew Morton
Reviewed-by: Michael Ellerman
Reviewed-by: Andrew Donnellan
Acked-by: David Rientjes
Cc: Akash Goel
Cc: Andrew Donnellan
Cc: Guenter Roeck
Cc: Salvatore Bonaccorso
Cc: [4.10+]
Link: http://lkml.kernel.org/r/20191219121256.26480-1-dja@axtens.net
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
---
 kernel/relay.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/kernel/relay.c
+++ b/kernel/relay.c
@@ -581,6 +581,11 @@ struct rchan *relay_open(const char *bas
 		return NULL;
 
 	chan->buf = alloc_percpu(struct rchan_buf *);
+	if (!chan->buf) {
+		kfree(chan);
+		return NULL;
+	}
+
 	chan->version = RELAYFS_CHANNEL_VERSION;
 	chan->n_subbufs = n_subbufs;
 	chan->subbuf_size = subbuf_size;
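Review bot: the check is placed where it has to be, directly after `chan->buf = alloc_percpu(struct rchan_buf *);` and before any `per_cpu_ptr(chan->buf, ...)` use, because per_cpu_ptr() adds a per-CPU offset to the base and so a NULL base would come back as a non-NULL but invalid pointer (the 0x7dae0000 in the report) that no later NULL test on the derived pointer could catch. The unwind frees only chan, which is complete only if chan is the sole allocation made before this line; the `return NULL;` in the leading context suggests the earlier chan-allocation failure path has the same shape, so it is worth confirming against the full function that nothing else (a reference or lock taken from the caller-supplied arguments) is outstanding here. A short comment on the new branch, e.g. `/* no buf yet: nothing else to release */`, would save the next reader from re-deriving that.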
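Modelling the allocation path the commit message describes, as an added example that is not the kernel's code or the patch author's: the `model_*` helpers, `NR_CPUS` and `PERCPU_AREA_SIZE` are constructed stand-ins that keep the kernel's shape (a per-CPU pointer is base plus a per-CPU offset), which is exactly why the base returned by the allocator must be checked and a later NULL test on the derived pointer would never fire.

```c
/* Added example, not the kernel's code: a user-space model of relay_open()'s
 * allocation path.  The alloc_percpu()/per_cpu_ptr() stand-ins are assumptions
 * that keep the kernel's arithmetic: a per-CPU pointer is base + per-CPU
 * offset, so a NULL base yields a non-NULL but invalid pointer. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define NR_CPUS 4
#define PERCPU_AREA_SIZE 0x1000UL   /* constructed per-CPU area stride */

struct rchan_buf { size_t n_subbufs; };
struct rchan { struct rchan_buf **buf; size_t n_subbufs; };   /* buf is per-CPU */

/* Stand-in for __per_cpu_offset[]: non-zero for every CPU, CPU 0 included. */
static uintptr_t per_cpu_offset(int cpu) { return ((uintptr_t)cpu + 1) * PERCPU_AREA_SIZE; }

/* alloc_percpu() model: one area per CPU, or NULL when failure is injected. */
static void *model_alloc_percpu(int fail)
{
    return fail ? NULL : calloc(NR_CPUS + 1, PERCPU_AREA_SIZE);
}

/* per_cpu_ptr() model: like the kernel macro, it does not check base for NULL. */
static void *model_per_cpu_ptr(void *base, int cpu) { return (void *)((uintptr_t)base + per_cpu_offset(cpu)); }

/* Why the base itself must be checked: the derived pointer is never NULL. */
int derived_ptr_is_nonnull_for_null_base(int cpu) { return model_per_cpu_ptr(NULL, cpu) != NULL; }

/* relay_open()'s allocation path with the patch's check applied. */
struct rchan *model_relay_open(size_t n_subbufs, int inject_percpu_failure)
{
    struct rchan *chan = calloc(1, sizeof(*chan));
    if (!chan)
        return NULL;
    chan->buf = model_alloc_percpu(inject_percpu_failure);
    if (!chan->buf) {               /* the fix: bail out before any per_cpu_ptr() use */
        free(chan);
        return NULL;
    }
    chan->n_subbufs = n_subbufs;
    for (int cpu = 0; cpu < NR_CPUS; cpu++)     /* safe now: base is non-NULL */
        *(struct rchan_buf **)model_per_cpu_ptr(chan->buf, cpu) = NULL;
    return chan;
}

void model_relay_close(struct rchan *chan) { if (chan) { free(chan->buf); free(chan); } }
```

With failure injected the open fails cleanly instead of faulting; without it every per-CPU slot is reachable through the non-NULL base.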