From: John Fastabend <john.fastabend@gmail.com>
To: "Michael S. Tsirkin" <mst@redhat.com>, linux-kernel@vger.kernel.org
Cc: netdev@vger.kernel.org, Jason Wang <jasowang@redhat.com>,
	David Miller <davem@davemloft.net>,
	syzbot+87678bcf753b44c39b67@syzkaller.appspotmail.com
Subject: Re: [PATCH net-next 06/12] Revert "net: ptr_ring: otherwise safe empty checks can overrun array bounds"
Date: Thu, 25 Jan 2018 16:12:51 -0800
Message-ID: <197fdcc8-4074-2bb3-7abb-5f99f1e95f6c@gmail.com>
In-Reply-To: <1516923320-16959-7-git-send-email-mst@redhat.com>

On 01/25/2018 03:36 PM, Michael S. Tsirkin wrote:
> This reverts commit bcecb4bbf88aa03171c30652bca761cf27755a6b.
> 
> If we try to allocate an extra entry as the above commit did, and when
> the requested size is UINT_MAX, addition overflows causing zero size to
> be passed to kmalloc().
> 
> kmalloc then returns ZERO_SIZE_PTR with a subsequent crash.
> 
> Reported-by: syzbot+87678bcf753b44c39b67@syzkaller.appspotmail.com
> Cc: John Fastabend <john.fastabend@gmail.com>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> ---

Dang, I missed this case. Thanks.

Acked-by: John Fastabend <john.fastabend@gmail.com>

>  include/linux/ptr_ring.h | 7 +------
>  1 file changed, 1 insertion(+), 6 deletions(-)
> 
> diff --git a/include/linux/ptr_ring.h b/include/linux/ptr_ring.h
> index f175846..3a19ebd 100644
> --- a/include/linux/ptr_ring.h
> +++ b/include/linux/ptr_ring.h
> @@ -466,12 +466,7 @@ static inline int ptr_ring_consume_batched_bh(struct ptr_ring *r,
>  
>  static inline void **__ptr_ring_init_queue_alloc(unsigned int size, gfp_t gfp)
>  {
> -	/* Allocate an extra dummy element at end of ring to avoid consumer head
> -	 * or produce head access past the end of the array. Possible when
> -	 * producer/consumer operations and __ptr_ring_peek operations run in
> -	 * parallel.
> -	 */
> -	return kcalloc(size + 1, sizeof(void *), gfp);
> +	return kcalloc(size, sizeof(void *), gfp);
>  }
>  
>  static inline void __ptr_ring_set_size(struct ptr_ring *r, int size)
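Review bot: reverting to kcalloc(size, ...) removes the UINT_MAX wrap in size + 1, but it also removes the guard the deleted comment describes (a consumer or producer head touching one slot past the end when __ptr_ring_peek runs in parallel with producer/consumer operations), and the commit message does not say how that case is now handled; it should point at whatever replaces the dummy slot (the series' patches 01 "keep consumer_head valid at all times" and 05 "disallow lockless __ptr_ring_full" look like the candidates) so the revert is self-explanatory. If the extra element is ever wanted back, the addition needs its own bound, e.g. rejecting size == UINT_MAX before computing size + 1: kcalloc only checks the multiplication for overflow, and kcalloc(0, ...) returns ZERO_SIZE_PTR rather than NULL, which is exactly the non-NULL "success" that crashed here.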
> 

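The arithmetic behind the crash, and the two ways of avoiding it, as an added user-space example (not kernel code and not part of this thread): it models the byte-count computation of __ptr_ring_init_queue_alloc() before the revert (size + 1 in unsigned int), after the revert (plain size), and a third, hypothetical variant that keeps the dummy slot but detects the wrap explicitly. The names ring_alloc_status and ring_bytes_* are chosen for this illustration only; kcalloc's behaviour is modelled by the return codes (a zero count stands for ZERO_SIZE_PTR, a size_t overflow for NULL).

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not kernel code.  Models the byte-count arithmetic of
 * __ptr_ring_init_queue_alloc() in user space; the names below are
 * hypothetical and exist only for this illustration.
 */
enum ring_alloc_status {
	RING_ALLOC_OK,        /* a usable byte count was produced */
	RING_ALLOC_ZERO,      /* element count wrapped to 0: kcalloc(0, ...) returns ZERO_SIZE_PTR */
	RING_ALLOC_OVERFLOW,  /* n * sizeof(void *) exceeds size_t: kcalloc returns NULL */
};

/* Common tail: multiply the element count by the slot size, detecting overflow
 * the way kcalloc's n * size check does. */
static enum ring_alloc_status ring_bytes_for(unsigned int n, size_t *bytes)
{
	if (n == 0)
		return RING_ALLOC_ZERO;
	if (__builtin_mul_overflow((size_t)n, sizeof(void *), bytes))
		return RING_ALLOC_OVERFLOW;
	return RING_ALLOC_OK;
}

/* Before the revert: size + 1 is computed in unsigned int and wraps for UINT_MAX,
 * so the multiplication check never sees a problem and the count becomes 0. */
enum ring_alloc_status ring_bytes_with_dummy(unsigned int size, size_t *bytes)
{
	unsigned int n = size + 1u;  /* UINT_MAX + 1 == 0 */
	return ring_bytes_for(n, bytes);
}

/* After the revert: no dummy slot, hence no addition that can wrap. */
enum ring_alloc_status ring_bytes_plain(unsigned int size, size_t *bytes)
{
	return ring_bytes_for(size, bytes);
}

/* Hypothetical alternative: keep the dummy slot but refuse the wrap explicitly. */
enum ring_alloc_status ring_bytes_checked_dummy(unsigned int size, size_t *bytes)
{
	unsigned int n;

	if (__builtin_add_overflow(size, 1u, &n))
		return RING_ALLOC_OVERFLOW;
	return ring_bytes_for(n, bytes);
}

static const char *status_name(enum ring_alloc_status s)
{
	switch (s) {
	case RING_ALLOC_OK:       return "ok";
	case RING_ALLOC_ZERO:     return "zero (ZERO_SIZE_PTR)";
	case RING_ALLOC_OVERFLOW: return "overflow (NULL)";
	}
	return "?";
}

int main(void)
{
	const unsigned int sizes[] = { 7u, UINT_MAX };
	size_t bytes;

	for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
		unsigned int size = sizes[i];

		printf("size=%u\n", size);
		printf("  with dummy    : %s\n", status_name(ring_bytes_with_dummy(size, &bytes)));
		printf("  plain         : %s\n", status_name(ring_bytes_plain(size, &bytes)));
		printf("  checked dummy : %s\n", status_name(ring_bytes_checked_dummy(size, &bytes)));
	}
	return 0;
}
```

For size 7 all three variants agree; for UINT_MAX only the pre-revert variant reports the zero count, while the checked variant fails the same way a too-large request fails, which is the outcome a caller testing for NULL expects.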

Thread overview: 37+ messages
2018-01-25 23:36 [PATCH net-next 00/12] ptr_ring fixes Michael S. Tsirkin
2018-01-25 23:36 ` [PATCH net-next 01/12] ptr_ring: keep consumer_head valid at all times Michael S. Tsirkin
2018-01-26  0:11   ` John Fastabend
2018-01-25 23:36 ` [PATCH net-next 02/12] ptr_ring: clean up documentation Michael S. Tsirkin
2018-01-25 23:36 ` [PATCH net-next 03/12] ptr_ring: READ/WRITE_ONCE for __ptr_ring_empty Michael S. Tsirkin
2018-01-26  2:37   ` Jason Wang
2018-01-26  2:44     ` Michael S. Tsirkin
2018-01-26  3:19       ` Jason Wang
2018-01-26 13:44         ` Michael S. Tsirkin
2018-01-25 23:36 ` [PATCH net-next 04/12] tap: fix use-after-free Michael S. Tsirkin
2018-01-25 23:36 ` [PATCH net-next 05/12] ptr_ring: disallow lockless __ptr_ring_full Michael S. Tsirkin
2018-01-26  2:38   ` Jason Wang
2018-01-26  2:46     ` Michael S. Tsirkin
2018-01-29  3:36       ` Jason Wang
2018-01-29  4:41         ` Michael S. Tsirkin
2018-01-29  7:09           ` Jason Wang
2018-01-25 23:36 ` [PATCH net-next 06/12] Revert "net: ptr_ring: otherwise safe empty checks can overrun array bounds" Michael S. Tsirkin
2018-01-26  0:12   ` John Fastabend [this message]
2018-01-25 23:36 ` [PATCH net-next 07/12] skb_array: use __ptr_ring_empty Michael S. Tsirkin
2018-01-25 23:36 ` [PATCH net-next 08/12] ptr_ring: prevent queue load/store tearing Michael S. Tsirkin
2018-01-26  2:38   ` Jason Wang
2018-01-26  2:49     ` Michael S. Tsirkin
2018-01-25 23:36 ` [PATCH net-next 09/12] tools/virtio: switch to __ptr_ring_empty Michael S. Tsirkin
2018-01-25 23:36 ` [PATCH net-next 10/12] tools/virtio: more stubs to fix tools build Michael S. Tsirkin
2018-01-25 23:36 ` [PATCH net-next 11/12] tools/virtio: copy READ/WRITE_ONCE Michael S. Tsirkin
2018-01-25 23:36 ` [PATCH net-next 12/12] tools/virtio: fix smp_mb on x86 Michael S. Tsirkin
2018-01-26  3:56   ` Jason Wang
2018-01-26 13:45     ` Michael S. Tsirkin
2018-01-26  3:20 ` [PATCH net-next 00/12] ptr_ring fixes Jason Wang
2018-01-29  7:10 ` Jason Wang
2018-01-29 17:03   ` David Miller
