From: Leon Romanovsky
To: Linus Torvalds, Peter Oberparleiter
Cc: Leon Romanovsky, linux-kernel@vger.kernel.org, Colin Ian King, Andrew Morton
Subject: [PATCH rdma-next 1/4] gcov: Open-code kmemdup() to work correctly with kernel and user space pointers
Date: Wed, 2 Sep 2020 11:55:10 +0300
Message-Id: <20200902085513.748149-2-leon@kernel.org>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200902085513.748149-1-leon@kernel.org>
References: <20200902085513.748149-1-leon@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Leon Romanovsky

The kernel with KASAN and GCOV enabled generates the following splat due to the situation that gcov_info can be both a user and a kernel pointer. It is triggered by the memcpy() inside kmemdup(), so as a possible solution let's copy the fields manually.

==================================================================
BUG: KASAN: global-out-of-bounds in kmemdup+0x43/0x70
Read of size 120 at addr ffffffffa0d2c780 by task modprobe/296

CPU: 0 PID: 296 Comm: modprobe Not tainted 5.9.0-rc1+ #1860
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
 dump_stack+0x128/0x1af
 print_address_description.constprop.0+0x2c/0x3f0
 _raw_spin_lock_irqsave+0x34/0xa0
 __kasan_check_read+0x1d/0x30
 kmemdup+0x43/0x70
 kmemdup+0x43/0x70
 gcov_info_dup+0x2d/0x730
 __kasan_check_write+0x20/0x30
 __mutex_unlock_slowpath+0x10d/0x740
 gcov_event+0x88d/0xd30
 gcov_module_notifier+0xe9/0x100
 notifier_call_chain+0xeb/0x170
 blocking_notifier_call_chain+0x75/0xc0
 __x64_sys_delete_module+0x326/0x5a0
 do_init_module+0x810/0x810
 syscall_enter_from_user_mode+0x40/0x420
 trace_hardirqs_on+0x45/0xb0
 syscall_enter_from_user_mode+0x40/0x420
 do_syscall_64+0x45/0x70
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the variable:
 __gcov_.uverbs_attr_get_obj+0x60/0xfffffffffff778e0 [mlx5_ib]

Memory state around the buggy address:
 ffffffffa0d2c680: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9
 ffffffffa0d2c700: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
>ffffffffa0d2c780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9
                                                             ^
 ffffffffa0d2c800: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
 ffffffffa0d2c880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Disabling lock debugging due to kernel taint
---[ end trace 065ea9cc2ba144a6 ]---

Cc: Colin Ian King
Signed-off-by: Leon Romanovsky --- kernel/gcov/gcc_4_7.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/gcov/gcc_4_7.c b/kernel/gcov/gcc_4_7.c index 908fdf5098c3..6d706c5eed5c 100644 --- a/kernel/gcov/gcc_4_7.c +++ b/kernel/gcov/gcc_4_7.c @@ -275,13 +275,13 @@ struct gcov_info *gcov_info_dup(struct gcov_info *info) size_t fi_size; /* function info size */ size_t cv_size; /* counter values size */ - dup = kmemdup(info, sizeof(*dup), GFP_KERNEL); + dup = kzalloc(sizeof(*dup), GFP_KERNEL); if (!dup) return NULL; - dup->next = NULL; - dup->filename = NULL; - dup->functions = NULL; + for (fi_idx = 0; fi_idx < GCOV_COUNTERS; fi_idx++) + dup->merge[fi_idx] = info->merge[fi_idx]; + dup->n_functions = info->n_functions; dup->filename = kstrdup(info->filename, GFP_KERNEL); if (!dup->filename) -- 2.26.2
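Review bot: the splat does not support the "user and kernel pointer" explanation, and the hunk looks like it hides a struct layout mismatch rather than fixing one. The report is a read of size 120 at ffffffffa0d2c780, and the shadow line for that address has 14 accessible granules (14 x 8 = 112 bytes) before the f9 global redzone, so sizeof(struct gcov_info) in this kernel is 8 bytes larger than the gcov_info object GCC emitted into mlx5_ib, which is the size of one merge[] slot. Copying merge[0..GCOV_COUNTERS-1] and n_functions by hand keeps KASAN from flagging the memcpy() in kmemdup(), but if the compiler laid out fewer counters than GCOV_COUNTERS, then info->merge[GCOV_COUNTERS-1], info->n_functions and whatever gcov_info_dup() reads from info afterwards are taken from the wrong offsets. The fix should make struct gcov_info and GCOV_COUNTERS match the compiler that built the module rather than replace kmemdup(). Two smaller points: with kzalloc() every member of *dup other than merge[] and n_functions is now zero, whereas the old kmemdup() copied all of them, so confirm nothing else from info needs to be carried over; and reusing fi_idx, a function-info index, to walk the counter types is misleading, a dedicated loop variable would read better.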
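The size argument in the splat above ("Read of size 120" against the `>` shadow line) is what tells you how far the kmemdup() copy overran the object. As an added example, not part of this patch or of the kernel's gcov code, the C program below decodes a line from KASAN's "Memory state around the buggy address" dump and computes how many bytes are accessible from a given address and how many bytes an access overruns. It assumes the standard KASAN shadow encoding (one shadow byte per 8-byte granule; 00 fully accessible, 01..07 partially accessible, values of 0x80 and above poisoned, with f9 the global redzone) and uses the shadow line and address from the splat as its constructed input; the function names are this example's own.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* KASAN generic mode: one shadow byte per 8-byte granule of real memory. */
#define KASAN_SHADOW_SCALE 8
#define SHADOW_BYTES_PER_LINE 16

struct shadow_line {
    uint64_t base;                          /* first address covered by the line */
    uint8_t shadow[SHADOW_BYTES_PER_LINE];  /* decoded shadow bytes */
    size_t n;                               /* how many were present */
};

/* Parse "ffffffffa0d2c780: 00 00 ... f9 f9", with or without the '>' marker. */
static int parse_shadow_line(const char *text, struct shadow_line *out)
{
    const char *p = text;
    char *end;

    while (*p == ' ' || *p == '>')
        p++;
    out->base = strtoull(p, &end, 16);
    if (end == p || *end != ':')
        return -1;
    p = end + 1;
    out->n = 0;
    while (out->n < SHADOW_BYTES_PER_LINE) {
        while (*p == ' ')
            p++;
        if (*p == '\0' || *p == '\n')
            break;
        unsigned long v = strtoul(p, &end, 16);
        if (end == p || end - p != 2 || v > 0xff)
            return -1;
        out->shadow[out->n++] = (uint8_t)v;
        p = end;
    }
    return out->n ? 0 : -1;
}

/*
 * Bytes accessible starting at addr, walking granules until poison or a
 * partial granule. Only this line is known, so a fully accessible line
 * reports up to its end (the real object may continue on the next line).
 */
static size_t accessible_from(const struct shadow_line *ln, uint64_t addr)
{
    uint64_t span = (uint64_t)ln->n * KASAN_SHADOW_SCALE;
    size_t total = 0;

    if (addr < ln->base || addr >= ln->base + span)
        return 0;
    size_t idx = (size_t)((addr - ln->base) / KASAN_SHADOW_SCALE);
    size_t off = (size_t)((addr - ln->base) % KASAN_SHADOW_SCALE);
    for (; idx < ln->n; idx++, off = 0) {
        uint8_t s = ln->shadow[idx];
        size_t usable;
        if (s == 0)
            usable = KASAN_SHADOW_SCALE;          /* whole granule accessible */
        else if (s < KASAN_SHADOW_SCALE)
            usable = s;                           /* only the first s bytes */
        else
            usable = 0;                           /* poison (f9 = global redzone) */
        if (usable <= off)
            break;
        total += usable - off;
        if (usable < KASAN_SHADOW_SCALE)
            break;                                /* partial granule ends the object */
    }
    return total;
}

/* Accessible bytes from addr according to one dump line; 0 on parse failure. */
static size_t splat_accessible(const char *line, uint64_t addr)
{
    struct shadow_line ln;
    return parse_shadow_line(line, &ln) == 0 ? accessible_from(&ln, addr) : 0;
}

/* Bytes an access of `size` at addr reads past the accessible region (0 = in bounds). */
static size_t splat_overrun(const char *line, uint64_t addr, size_t size)
{
    size_t ok = splat_accessible(line, addr);
    return size > ok ? size - ok : 0;
}

int main(void)
{
    /* Constructed input: the marked shadow line and the access from the splat above. */
    const char *line = ">ffffffffa0d2c780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9";
    uint64_t addr = 0xffffffffa0d2c780ULL;
    size_t size = 120;

    printf("accessible from %#llx: %zu bytes\n",
           (unsigned long long)addr, splat_accessible(line, addr));
    printf("read of %zu bytes overruns by %zu bytes\n",
           size, splat_overrun(line, addr, size));
    return 0;
}
```

For the splat's line the program reports 112 accessible bytes and an overrun of 8, i.e. the object GCC emitted is 112 bytes while the kernel copied sizeof(struct gcov_info) = 120, a difference of one pointer-sized member on x86_64.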