Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1590669pxb; Wed, 10 Feb 2021 11:55:08 -0800 (PST) X-Google-Smtp-Source: ABdhPJxyBvZQJZPDzjuiaKsEBgadfJmLNecA2WMw6z1k31H3x9yKUkbWgFFCwDUNcWbrM4ZU3b5T X-Received: by 2002:a17:906:a2c9:: with SMTP id by9mr4565421ejb.546.1612986908749; Wed, 10 Feb 2021 11:55:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612986908; cv=none; d=google.com; s=arc-20160816; b=BUqQQymoPK16m/gNDTbnJbgClBDe8pNVheP3JR0XaQp/QoDOb3ce62Q4TdU9rg9Q/Z gSUMYLgTlbcNGFk2bTIuJyoVEtqcQSEWjf5tC54K5nJQR41uGgWeAyJaLKUu8+5EVbPs ct/aea0eBWeCTswtDOcxDlyXWu1df1tYWNXW80TcGJrhMxg8MKLG3vU+itnN3swHxI28 Fcq/PiPfNDmKz8FwMj4bWncahF4Jaan11EQSrtJLKyxFCCMrB6S7+RmsOnbgNwHsN8EX /m1uhh8d9MIhMsKLCH7nfJNdK42ta1RH7+9cgNOGcOo4XMBjz4TUI36L1gT8uGqYDnk6 w3+Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date; bh=wEou7zE+dj5fHaP/ldP2nLMdogsQLmBYHODk4BNExtM=; b=vcIF9BPVElxONblma/PvN5Ahqr89M6Q5XWHsAjq3KDU1uy1BGV9r0RduK02LIQ1Op2 s9dI2TIunJMMJHTRWrMHv7sSlH7SeTX6cXPNCHRXvuZJm6t7celWf7cfWYIWtYqJ86TK hHGLzndqSaaPOwcCez+Ah1eOuRKKPvithpRAx0s2UijN8Pgd8N5TpvknwBUyy0flpjP9 dpH5VtzM3THHTGFFocf+09xENG53B9HOQ0RoZM97ac3urV01x4vldVq5WDSGJKbifTAd VmPt1xJEjzAq01lxKGDDaRtx+CrEW09mg52h6XiFFGglno0xCeEyGq3jvs111IpA1+gg ENSw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z5si2241432edp.552.2021.02.10.11.54.44; Wed, 10 Feb 2021 11:55:08 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232798AbhBJTxi convert rfc822-to-8bit (ORCPT + 99 others); Wed, 10 Feb 2021 14:53:38 -0500 Received: from mail.kernel.org ([198.145.29.99]:40196 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232715AbhBJTww (ORCPT ); Wed, 10 Feb 2021 14:52:52 -0500 Received: from gandalf.local.home (cpe-66-24-58-225.stny.res.rr.com [66.24.58.225]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id BCAD464EDA; Wed, 10 Feb 2021 19:52:08 +0000 (UTC) Date: Wed, 10 Feb 2021 14:52:07 -0500 From: Steven Rostedt To: Eric Dumazet Cc: Yonghong Song , Dmitry Vyukov , syzbot , Andrew Morton , andrii@kernel.org, Alexei Starovoitov , bpf , Daniel Borkmann , David Miller , Jesper Dangaard Brouer , John Fastabend , Martin KaFai Lau , KP Singh , Jakub Kicinski , LKML , Ingo Molnar , Ingo Molnar , mmullins@fb.com, netdev , Peter Zijlstra , Song Liu , syzkaller-bugs Subject: Re: KASAN: vmalloc-out-of-bounds Read in bpf_trace_run3 Message-ID: <20210210145207.77798d6c@gandalf.local.home> In-Reply-To: <7b0fe079-bcd3-484d-fda6-12d962f584f8@gmail.com> References: <00000000000004500b05b31e68ce@google.com> <20201113053722.7i4xkiyrlymcwebg@hydra.tuxags.com> <7b0fe079-bcd3-484d-fda6-12d962f584f8@gmail.com> X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 10 Feb 2021 19:23:38 +0100 Eric Dumazet wrote: > >> The problem here is a kmalloc failure injection into > >> tracepoint_probe_unregister, but the error is ignored -- so the bpf > >> program is freed even though the tracepoint is never unregistered. > >> > >> I have a first pass at a patch to pipe through the error code, but it's > >> pretty ugly.  It's also called from the file_operations ->release(), for > > > > Maybe you can still post the patch, so people can review and make suggestions which may lead to a *better* solution. > > > ping > > This bug is still there. Is this a bug via syzkaller? I have this fix in linux-next: befe6d946551 ("tracepoint: Do not fail unregistering a probe due to memory failure") But because it is using undefined behavior (calling a sub return from a call that has parameters, but Peter Zijlstra says is OK), I'm hesitant to send it to Linus now or label it as stable. Now this can only happen if kmalloc fails from here (called by func_remove). static inline void *allocate_probes(int count) { struct tp_probes *p = kmalloc(struct_size(p, probes, count), GFP_KERNEL); return p == NULL ? NULL : p->probes; } As probes and count together is typically much less than a page (unless you are doing fuzz testing and adding a ton of callbacks to a single tracepoint), that kmalloc should always succeed. The failure above can only happen if allocate_probes returns NULL, which is extremely unlikely. My question is, how is this triggered? And this should only be triggered by root doing stupid crap. Is it that critical to have fixed? -- Steve