From: Dmitry Vyukov <dvyukov@google.com>
To: Vlad Yasevich <vyasevich@gmail.com>, Neil Horman <nhorman@tuxdriver.com>, "David S. Miller" <davem@davemloft.net>, linux-sctp@vger.kernel.org, netdev <netdev@vger.kernel.org>, LKML <linux-kernel@vger.kernel.org>
Cc: syzkaller <syzkaller@googlegroups.com>, Kostya Serebryany <kcc@google.com>, Alexander Potapenko <glider@google.com>, Sasha Levin <sasha.levin@oracle.com>, Eric Dumazet <edumazet@google.com>
Subject: user-controllable kmalloc size in sctp_getsockopt_local_addrs
Date: Sat, 28 Nov 2015 13:40:08 +0100
Message-ID: <CACT4Y+a_V5WQZNEnYkuA3Xc5qCWmLV3oScNeNiATZm-wW5eg3Q@mail.gmail.com>

Hello,

The following program triggers WARNING in kmalloc:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/socket.h>
#include <linux/in.h>

#define SOL_SCTP 132
#define SCTP_GET_LOCAL_ADDRS 109

int main()
{
	int fd = socket(PF_INET, SOCK_SEQPACKET, IPPROTO_SCTP);
	char buf[256];
	int len = 0x04000000;
	getsockopt(fd, SOL_SCTP, SCTP_GET_LOCAL_ADDRS, &buf, &len);
	return 0;
}

------------[ cut here ]------------
WARNING: CPU: 0 PID: 6006 at mm/page_alloc.c:2989 __alloc_pages_nodemask+0x695/0x14e0()
Modules linked in:
CPU: 0 PID: 6006 Comm: executor Not tainted 4.4.0-rc2+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff880033887720 ffffffff82719fc6 0000000000000000
 ffff8800338c2d80 ffffffff85a62a20 ffff880033887760 ffffffff81244ec9
 ffffffff8154e3e5 ffffffff85a62a20 0000000000000bad 0000000000000000
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82719fc6>] dump_stack+0x68/0x92 lib/dump_stack.c:50
 [<ffffffff81244ec9>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:460
 [<ffffffff812450f9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:493
 [<     inline     >] __alloc_pages_slowpath mm/page_alloc.c:2989
 [<ffffffff8154e3e5>] __alloc_pages_nodemask+0x695/0x14e0 mm/page_alloc.c:3235
 [<ffffffff8160ceee>] alloc_pages_current+0xee/0x340 mm/mempolicy.c:2055
 [<     inline     >] alloc_pages include/linux/gfp.h:451
 [<ffffffff81549c56>] alloc_kmem_pages+0x16/0xf0 mm/page_alloc.c:3414
 [<ffffffff81595e79>] kmalloc_order+0x19/0x60 mm/slab_common.c:1007
 [<ffffffff81595edf>] kmalloc_order_trace+0x1f/0xa0 mm/slab_common.c:1018
 [<     inline     >] kmalloc_large include/linux/slab.h:390
 [<ffffffff8161bd74>] __kmalloc+0x234/0x250 mm/slub.c:3525
 [<     inline     >] kmalloc include/linux/slab.h:463
 [<     inline     >] sctp_getsockopt_local_addrs net/sctp/socket.c:4931
 [<ffffffff854d9730>] sctp_getsockopt+0x11b0/0x3e00 net/sctp/socket.c:6007
 [<ffffffff84913ad5>] sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2604
 [<     inline     >] SYSC_getsockopt net/socket.c:1788
 [<ffffffff84911282>] SyS_getsockopt+0x142/0x230 net/socket.c:1770
 [<ffffffff859551f6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
---[ end trace 42716df2ed49f73e ]---

On commit 78c4a49a69e910a162b05e4e8727b9bdbf948f13 (Nov 25).
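The report boils down to one pattern: the optlen a caller passes to getsockopt reaches kmalloc() unbounded, and a 64 MiB request trips the page allocator's WARNING for orders it cannot serve. The following user-space model (added here; it is not kernel code and not part of the report) puts the unbounded shape next to a bounded one that allocates only what the bound-address list needs and treats the allocation as user-driven so oversize requests fail with ENOMEM instead of warning. The page-order limit, the 8-byte header and the 16-byte per-address size are constructed constants for the model.

```c
#include <stdlib.h>
#include <stddef.h>
#include <errno.h>

/* Constructed model of the page allocator's limit: nothing above the
 * largest page order can be served, and a request without NOWARN warns. */
#define PAGE_SIZE        4096u
#define MAX_ORDER        11
#define KMALLOC_MAX_SIZE ((size_t)PAGE_SIZE << (MAX_ORDER - 1))  /* 4 MiB */

int kmalloc_warned;  /* set when the modelled allocator would emit the WARNING */

static void *model_kmalloc(size_t size, int nowarn)
{
    if (size > KMALLOC_MAX_SIZE) {
        if (!nowarn)
            kmalloc_warned = 1;   /* the trace in the report is this path */
        return NULL;
    }
    return malloc(size);
}

#define GETADDRS_HDR 8    /* assoc_id + addr_num header (model value) */
#define ADDR_LEN     16   /* bytes per bound address (model value) */

/* Unbounded shape: allocate whatever space the caller claims to have. */
int local_addrs_unbounded(int optlen, unsigned num_bound)
{
    (void)num_bound;
    if (optlen < GETADDRS_HDR) return -EINVAL;
    size_t space_left = (size_t)optlen - GETADDRS_HDR;
    void *addrs = model_kmalloc(space_left, 0);
    if (!addrs && space_left) return -ENOMEM;
    free(addrs);
    return 0;
}

/* Bounded shape: cap the allocation at what the address list needs and
 * mark it user-driven (NOWARN), so a huge optlen cannot reach the warning. */
int local_addrs_bounded(int optlen, unsigned num_bound)
{
    if (optlen < GETADDRS_HDR) return -EINVAL;
    size_t space_left = (size_t)optlen - GETADDRS_HDR;
    size_t needed = (size_t)num_bound * ADDR_LEN;
    if (needed < space_left) space_left = needed;
    void *addrs = model_kmalloc(space_left, 1);
    if (!addrs && space_left) return -ENOMEM;
    free(addrs);
    return 0;
}
```

The caller still gets a short, correctly sized copy-out in the bounded shape; only the allocation stops tracking the untrusted length.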