Subject: Re: [PATCH net-next 06/12] Revert "net: ptr_ring: otherwise safe empty checks can overrun array bounds"
From: John Fastabend
To: "Michael S. Tsirkin", linux-kernel@vger.kernel.org
Cc: netdev@vger.kernel.org, Jason Wang, David Miller, syzbot+87678bcf753b44c39b67@syzkaller.appspotmail.com
Date: Thu, 25 Jan 2018 16:12:51 -0800
Message-ID: <197fdcc8-4074-2bb3-7abb-5f99f1e95f6c@gmail.com>
In-Reply-To: <1516923320-16959-7-git-send-email-mst@redhat.com>
References: <1516923320-16959-1-git-send-email-mst@redhat.com> <1516923320-16959-7-git-send-email-mst@redhat.com>

On 01/25/2018 03:36 PM, Michael S. Tsirkin wrote:
> This reverts commit bcecb4bbf88aa03171c30652bca761cf27755a6b.
>
> If we try to allocate an extra entry as the above commit did, and when
> the requested size is UINT_MAX, addition overflows causing zero size to
> be passed to kmalloc().
>
> kmalloc then returns ZERO_SIZE_PTR with a subsequent crash.
>
> Reported-by: syzbot+87678bcf753b44c39b67@syzkaller.appspotmail.com
> Cc: John Fastabend
> Signed-off-by: Michael S. Tsirkin
> ---

Dang, I missed this case. Thanks.

Acked-by: John Fastabend

> include/linux/ptr_ring.h | 7 +------
> 1 file changed, 1 insertion(+), 6 deletions(-)
>
> diff --git a/include/linux/ptr_ring.h b/include/linux/ptr_ring.h
> index f175846..3a19ebd 100644
> --- a/include/linux/ptr_ring.h
> +++ b/include/linux/ptr_ring.h
> @@ -466,12 +466,7 @@ static inline int ptr_ring_consume_batched_bh(struct ptr_ring *r,
>
> static inline void **__ptr_ring_init_queue_alloc(unsigned int size, gfp_t gfp)
> {
> - /* Allocate an extra dummy element at end of ring to avoid consumer head
> - * or produce head access past the end of the array. Possible when
> - * producer/consumer operations and __ptr_ring_peek operations run in
> - * parallel.
> - */
> - return kcalloc(size + 1, sizeof(void *), gfp);
> + return kcalloc(size, sizeof(void *), gfp);
> }
>
> static inline void __ptr_ring_set_size(struct ptr_ring *r, int size)
>
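Review bot: the hunk removes the explanatory comment together with the `+ 1`, so after this revert nothing in `__ptr_ring_init_queue_alloc` records why an extra slot was introduced (the removed comment says the dummy element kept consumer/producer head accesses, racing with `__ptr_ring_peek`, inside the array). The commit message explains the failure for `size == UINT_MAX` (`size + 1` wraps to 0 in `unsigned int` before `kcalloc` ever sees it, and `kcalloc` only guards the `n * size` multiplication, not this addition) but not how the past-the-end access the slot guarded against is handled once it is gone. Since this is 06/12, the message should name the later patch in the series that takes that over; otherwise a narrower fix would be an explicit bound check such as `if (size == UINT_MAX) return NULL;` ahead of `kcalloc(size + 1, sizeof(void *), gfp);`, which rejects the overflowing size without reopening the earlier issue.

The arithmetic the commit message describes, as an added example that is not part of the patch or of the kernel tree: a constructed user-space stand-in in C, with `calloc()` playing the role of `kcalloc()`, that shows `size + 1` wrapping to 0 for `size == UINT_MAX` beside a checked version that refuses the overflowing size instead of passing a zero count to the allocator. The function names are hypothetical; `__builtin_add_overflow` is the GCC/Clang builtin (the kernel's `check_add_overflow()` does the same job).

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space stand-in for the kernel pattern discussed in the
 * patch. calloc() stands in for kcalloc(); nothing here is ptr_ring code. */

/* The arithmetic the reverted commit performed: size + 1 in unsigned int.
 * With size == UINT_MAX the addition wraps to 0, which is the zero-length
 * request the commit message describes (kcalloc(0, ...) -> ZERO_SIZE_PTR). */
unsigned int naive_slot_count(unsigned int size)
{
    return size + 1;
}

/* True when size + 1 fits in unsigned int, i.e. the extra slot can be
 * requested without the count wrapping. */
bool slot_count_ok(unsigned int size)
{
    unsigned int slots;
    return !__builtin_add_overflow(size, 1u, &slots);
}

/* Allocate size + 1 pointer slots, or return NULL if that count would
 * overflow. The caller then sees an ordinary allocation failure rather
 * than a zero-length buffer whose first access faults. */
void **alloc_ring_slots(unsigned int size)
{
    unsigned int slots;
    if (__builtin_add_overflow(size, 1u, &slots))
        return NULL;
    return calloc(slots, sizeof(void *));
}

int main(void)
{
    void **ring;

    printf("naive: UINT_MAX + 1 = %u\n", naive_slot_count(UINT_MAX));
    printf("checked: size UINT_MAX acceptable? %s\n",
           slot_count_ok(UINT_MAX) ? "yes" : "no");

    ring = alloc_ring_slots(UINT_MAX);
    printf("alloc_ring_slots(UINT_MAX) -> %s\n", ring ? "buffer" : "NULL");

    ring = alloc_ring_slots(8);
    printf("alloc_ring_slots(8) -> %s\n", ring ? "buffer of 9 slots" : "NULL");
    free(ring);
    return 0;
}
```

The checked variant keeps the extra slot the earlier commit relied on and rejects only the single size that cannot be represented; it is offered as an alternative shape for the fix, not as what this series does.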