From: Dmitry Vyukov <dvyukov@google.com>
To: "Björn Töpel" <bjorn.topel@gmail.com>
Cc: "Tetsuo Handa" <penguin-kernel@i-love.sakura.ne.jp>,
	syzbot+4abadc5d69117b346506@syzkaller.appspotmail.com,
	"Björn Töpel" <bjorn.topel@intel.com>,
	"Karlsson, Magnus" <magnus.karlsson@intel.com>,
	"David Miller" <davem@davemloft.net>,
	LKML <linux-kernel@vger.kernel.org>,
	Netdev <netdev@vger.kernel.org>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: WARNING: kmalloc bug in xdp_umem_create
Date: Mon, 11 Jun 2018 07:49:41 +0200
Message-ID: <CACT4Y+ZYNjPTkDZxCranM9X1C3yB4GSy8qQd=U0NoeHiJtmV-w@mail.gmail.com>
In-Reply-To: <CAJ+HfNh9pRGcd9EO7BEfPPEdCmP5EDdu_rNgLR7r4oDrcLgvQQ@mail.gmail.com>

On Sun, Jun 10, 2018 at 3:03 PM, Björn Töpel <bjorn.topel@gmail.com> wrote:
>> On 2018/06/10 20:52, Dmitry Vyukov wrote:
>> > On Sun, Jun 10, 2018 at 11:31 AM, Björn Töpel <bjorn.topel@gmail.com> wrote:
>> >> Den sön 10 juni 2018 kl 04:53 skrev Tetsuo Handa
>> >> <penguin-kernel@i-love.sakura.ne.jp>:
>> >>>
>> >>> On 2018/06/10 7:47, syzbot wrote:
>> >>>> Hello,
>> >>>>
>> >>>> syzbot found the following crash on:
>> >>>>
>> >>>> HEAD commit:    7d3bf613e99a Merge tag 'libnvdimm-for-4.18' of git://git.k..
>> >>>> git tree:       upstream
>> >>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1073f68f800000
>> >>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=f04d8d0a2afb789a
>> >>>> dashboard link: https://syzkaller.appspot.com/bug?extid=4abadc5d69117b346506
>> >>>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>> >>>> syzkaller repro: https://syzkaller.appspot.com/x/repro.syz?x=13c9756f800000
>> >>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16366f9f800000
>> >>>>
>> >>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> >>>> Reported-by: syzbot+4abadc5d69117b346506@syzkaller.appspotmail.com
>> >>>>
>> >>>> random: sshd: uninitialized urandom read (32 bytes read)
>> >>>> random: sshd: uninitialized urandom read (32 bytes read)
>> >>>> random: sshd: uninitialized urandom read (32 bytes read)
>> >>>> random: sshd: uninitialized urandom read (32 bytes read)
>> >>>> random: sshd: uninitialized urandom read (32 bytes read)
>> >>>> WARNING: CPU: 1 PID: 4537 at mm/slab_common.c:996 kmalloc_slab+0x56/0x70 mm/slab_common.c:996
>> >>>> Kernel panic - not syncing: panic_on_warn set ...
>> >>>
>> >>> syzbot gave up upon kmalloc(), but actually the error handling path has
>> >>> a NULL pointer dereference bug.
>> >>>
>> >>
>> >> Thanks Tetsuo! This crash has been fixed by Daniel Borkmann in commit
>> >> c09290c56376 ("bpf, xdp: fix crash in xdp_umem_unaccount_pages").
>> >
>> > Let's tell syzbot about this:
>> >
>> > #syz fix: bpf, xdp: fix crash in xdp_umem_unaccount_pages
>> >
>> >
>> Excuse me, but that patch fixes the NULL pointer dereference which occurs after kmalloc()'s
>> "WARNING: CPU: 1 PID: 4537 at mm/slab_common.c:996 kmalloc_slab+0x56/0x70 mm/slab_common.c:996"
>> message. That is, the "Too large memory allocation" itself is not yet fixed.
>
> The code relies on the sl{u,a,o}b layer saying no, so that the
> setsockopt bails out. The warning could be opted out of using
> __GFP_NOWARN. Is there another preferred way? Two get_user_pages
> calls, where the first call would set pages to NULL just to fault the
> region? Walk the process' VMAs? Something else?

Hi Björn,

Yes, either __GFP_NOWARN for allocations with user-controllable size
or a stricter custom limit (if we don't want current sla/u/ob
implementation details to be part of the public kernel interface).
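
Added example, user-space C that is not code from this thread and not the
kernel's xsk code: a model of the two options Dmitry lists. It treats the
pin-pages step as kcalloc(npgs, sizeof(struct page *)) with npgs derived
from the setsockopt-supplied umem length, models kmalloc_slab()'s
"WARN_ON_ONCE unless __GFP_NOWARN, then return NULL" behaviour for sizes
above KMALLOC_MAX_SIZE, and shows (a) the original pattern tripping the
warning, (b) __GFP_NOWARN letting the allocator say no quietly, and (c) an
explicit cap rejecting the request before any allocation is attempted. The
4 MiB KMALLOC_MAX_SIZE value, the GFP flag bit values and the
XSK_UMEM_MAX_PAGES cap are assumptions chosen for the model, not values
taken from the kernel.

```c
/*
 * Added example (not from the thread, not kernel code): user-space model
 * of a kcalloc() whose element count comes from an unprivileged user via
 * setsockopt(), and of the two fixes suggested in the thread.
 *
 * Assumptions (not from the page): KMALLOC_MAX_SIZE is taken as 4 MiB,
 * the GFP bits are invented, and XSK_UMEM_MAX_PAGES is a hypothetical cap.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MODEL_PAGE_SHIFT 12
#define MODEL_PAGE_SIZE (1ULL << MODEL_PAGE_SHIFT)
#define KMALLOC_MAX_SIZE (1ULL << 22)   /* assumption: 4 MiB */
#define GFP_KERNEL   0x1u               /* modelled bit, not the real value */
#define __GFP_NOWARN 0x2u               /* modelled bit, not the real value */
#define XSK_UMEM_MAX_PAGES (1ULL << 18) /* hypothetical cap: 1 GiB of 4 KiB pages */

/* Set when the model allocator would have hit WARN_ON_ONCE() in
 * kmalloc_slab(); on a panic_on_warn kernel (syzbot's config) that is a crash. */
static int warn_fired;

/* Model of kcalloc() + kmalloc_slab()'s size check: oversize requests
 * return NULL and warn unless the caller passed __GFP_NOWARN. */
static void *model_kcalloc(size_t n, size_t size, unsigned int flags)
{
	if (n != 0 && size > SIZE_MAX / n)
		return NULL;                    /* kcalloc's n*size overflow check */
	if (n * size > KMALLOC_MAX_SIZE) {
		if (!(flags & __GFP_NOWARN))
			warn_fired = 1;
		return NULL;
	}
	return calloc(n, size);
}

struct umem_reg { uint64_t addr; uint64_t len; }; /* addr/len as supplied by the user */

/* Before: user-controlled len goes straight into kcalloc(); oversize -> WARN. */
int pin_pages_before(const struct umem_reg *mr, void **pgs)
{
	uint64_t npgs = mr->len / MODEL_PAGE_SIZE;
	*pgs = model_kcalloc(npgs, sizeof(void *), GFP_KERNEL);
	return *pgs ? 0 : -ENOMEM;
}

/* Option 1: still rely on the slab layer saying no, but silence the warning. */
int pin_pages_nowarn(const struct umem_reg *mr, void **pgs)
{
	uint64_t npgs = mr->len / MODEL_PAGE_SIZE;
	*pgs = model_kcalloc(npgs, sizeof(void *), GFP_KERNEL | __GFP_NOWARN);
	return *pgs ? 0 : -ENOMEM;
}

/* Option 2: explicit limit, so the slab ceiling is not part of the ABI. */
int pin_pages_capped(const struct umem_reg *mr, void **pgs)
{
	uint64_t npgs;
	if (mr->addr + mr->len < mr->addr)      /* address range wraps */
		return -EINVAL;
	npgs = mr->len / MODEL_PAGE_SIZE;
	if (npgs == 0 || npgs > XSK_UMEM_MAX_PAGES)
		return -EINVAL;                 /* rejected before any allocation */
	*pgs = model_kcalloc(npgs, sizeof(void *), GFP_KERNEL | __GFP_NOWARN);
	return *pgs ? 0 : -ENOMEM;
}

/* Run one variant with a chosen umem length; returns rc, reports whether WARN fired. */
int try_umem(int (*fn)(const struct umem_reg *, void **), uint64_t len, int *warned)
{
	struct umem_reg mr = { .addr = 0x10000, .len = len };
	void *pgs = NULL;
	int rc;
	warn_fired = 0;
	rc = fn(&mr, &pgs);
	free(pgs);
	*warned = warn_fired;
	return rc;
}

int main(void)
{
	int w, rc;
	rc = try_umem(pin_pages_before, 1ULL << 40, &w);
	printf("before: rc=%d warn=%d\n", rc, w);
	rc = try_umem(pin_pages_nowarn, 1ULL << 40, &w);
	printf("nowarn: rc=%d warn=%d\n", rc, w);
	rc = try_umem(pin_pages_capped, 1ULL << 40, &w);
	printf("capped: rc=%d warn=%d\n", rc, w);
	return 0;
}
```

The capped variant is the one that keeps the allocator ceiling out of the
user-visible interface: a request that fits under the modelled
KMALLOC_MAX_SIZE but exceeds XSK_UMEM_MAX_PAGES gets -EINVAL regardless of
which slab implementation the kernel was built with, while the NOWARN
variant's cut-off moves whenever that implementation detail changes.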


Thread overview: 9+ messages
2018-06-09 22:47 WARNING: kmalloc bug in xdp_umem_create syzbot
2018-06-10  2:48 ` Tetsuo Handa
2018-06-10  9:31   ` Björn Töpel
2018-06-10 11:52     ` Dmitry Vyukov
2018-06-10 12:53       ` Tetsuo Handa
2018-06-10 12:58         ` Dmitry Vyukov
2018-06-10 13:03         ` Björn Töpel
2018-06-11  5:49           ` Dmitry Vyukov [this message]
2018-06-12 12:08           ` Daniel Borkmann
