* Re: [pipe] d60337eff1: BUG:kernel_NULL_pointer_dereference,address
       [not found] <20191110031348.GE29418@shao2-debian>
@ 2019-11-15 13:28 ` David Howells
  2019-11-15 16:22 ` David Howells
  1 sibling, 0 replies; 3+ messages in thread
From: David Howells @ 2019-11-15 13:28 UTC (permalink / raw)
  To: kernel test robot
  Cc: dhowells, torvalds, Rasmus Villemoes, Greg Kroah-Hartman,
	Peter Zijlstra, nicolas.dichtel, raven, Christian Brauner,
	keyrings, linux-usb, linux-block, linux-security-module,
	linux-fsdevel, linux-api, linux-kernel, lkp

kernel test robot <lkp@intel.com> wrote:

> [    9.423019] BUG: kernel NULL pointer dereference, address: 0000000000000008
> [    9.425646] #PF: supervisor read access in kernel mode
> [    9.427714] #PF: error_code(0x0000) - not-present page
> [    9.429851] PGD 80000001fb937067 P4D 80000001fb937067 PUD 1739e1067 PMD 0 
> [    9.432468] Oops: 0000 [#1] SMP PTI
> [    9.434064] CPU: 0 PID: 178 Comm: cat Not tainted 5.4.0-rc5-00353-gd60337eff18a3 #1
> [    9.437139] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
> [    9.440439] RIP: 0010:iov_iter_get_pages_alloc+0x2a8/0x400

Can you tell me if the following change fixes it for you?

--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -404,7 +404,7 @@ static size_t copy_page_to_iter_pipe(struct page *page, size_t offset, size_t by
 	buf->offset = offset;
 	buf->len = bytes;
 
-	pipe->head = i_head;
+	pipe->head = i_head + 1;
 	i->iov_offset = offset + bytes;
 	i->head = i_head;
 out:
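Review bot: The new line `pipe->head = i_head + 1;` sits two lines above `i->head = i_head;`, and nothing in the hunk records that the two "heads" mean different things — the ring's producer index, which must point one past the slot just filled, versus the iterator's note of which slot it occupies — which is exactly the distinction the original off-by-one got wrong. A comment above the first assignment, `/* pipe->head is one past the slot just filled; i->head stays on that slot */`, would make the +1 self-explaining to the next reader. copy_page_to_iter_pipe() starts outside the hunk, so the code that picked i_head and checked the ring's occupancy cannot be reviewed here. The 16:22 follow-up in this thread names a different change as the fix for the reported oops, so whether this hunk was kept is not decidable from the page.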

Attached is a test program that can induce a bug in
copy_page_to_iter_pipe() where I forgot to increment the new head when
assigning it to pipe->head.

David
---
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <err.h>
#include <sys/wait.h>

static char buf[256 * 1024] __attribute__((aligned(512)));
static char *filename;
static int pipe_wfd = -1;

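/*
 * atexit() hook: close the pipe's write end so the reader child sees EOF on
 * every exit path, including the err()-triggered ones.  Idempotent: once the
 * descriptor has been closed (or was never opened) pipe_wfd is -1 and no
 * close(-1) is issued.
 */
static void cleanup(void)
{
	if (pipe_wfd != -1) {
		close(pipe_wfd);
		pipe_wfd = -1;
	}
}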

static void cleanup_child(void)
{
	int w;
	wait(&w);
}

/*
 * Reader side of the pipe: drain fd into the shared buffer until EOF, then
 * close it.  Returns 0 on success; exits with status 1 via err() if read()
 * or close() fails.
 */
int child(int fd)
{
	for (;;) {
		ssize_t got = read(fd, buf, 256 * 1024);

		if (got == -1)
			err(1, "read");
		if (got == 0)
			break;	/* writer closed its end */
	}

	if (close(fd) == -1)
		err(1, "close");

	return 0;
}

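/*
 * Reproducer driver: fork a child that drains a pipe, then splice 256 KiB of
 * <file> into that pipe from the parent.
 *
 * Usage: <prog> <file>.  Exits 2 on bad usage, 1 (via err()) on a failed
 * syscall, 0 on success.  Two atexit() hooks are registered — cleanup_child()
 * first, cleanup() second — so that, with LIFO ordering, the pipe's write end
 * is closed before the child is waited for.
 */
int main(int argc, char **argv)
{
	ssize_t n;
	loff_t offset;
	size_t len;
	pid_t pid;
	int fd, pfd[2];

	if (argc != 2) {
		/* argv[1] is NULL when argc == 1; report the program name instead. */
		const char *prog = argc > 0 ? argv[0] : "<prog>";

		fprintf(stderr, "Format: %s <file>\n", prog);
		exit(2);
	}

	filename = argv[1];

	if (pipe(pfd) == -1)
		err(1, "pipe");
	pipe_wfd = pfd[1];

	pid = fork();
	switch (pid) {
	case -1:
		err(1, "fork");	/* err() exits; no fall-through into the child case */
	case 0:
		close(pfd[1]);
		return child(pfd[0]);
	default:
		close(pfd[0]);
		atexit(cleanup_child);
		break;
	}

	fd = open(filename, O_RDONLY);
	if (fd == -1)
		err(1, "%s", filename);

	/* Registered after cleanup_child() so it runs first on exit: closing the
	 * write end gives the child EOF before the parent waits for it. */
	atexit(cleanup);

	len = 256 * 1024;
	offset = 0;
	do {
		/* Request only what is still owed so a transfer larger than the
		 * remainder cannot wrap len below zero. */
		n = splice(fd, &offset, pfd[1], NULL, len, 0);
		if (n == -1)
			err(1, "splice");
		if (n == 0)
			break;	/* EOF on <file> before 256 KiB; nothing more to push */
		len -= (size_t)n;
	} while (len > 0);

	if (close(pfd[1]) == -1)
		err(1, "close/p");
	pipe_wfd = -1;	/* already closed; keep cleanup() off this fd number */
	if (close(fd) == -1)
		err(1, "close/f");
	return 0;
}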



* Re: [pipe] d60337eff1: BUG:kernel_NULL_pointer_dereference,address
       [not found] <20191110031348.GE29418@shao2-debian>
  2019-11-15 13:28 ` [pipe] d60337eff1: BUG:kernel_NULL_pointer_dereference,address David Howells
@ 2019-11-15 16:22 ` David Howells
  2019-11-18  7:53   ` [LKP] " kernel test robot
  1 sibling, 1 reply; 3+ messages in thread
From: David Howells @ 2019-11-15 16:22 UTC (permalink / raw)
  To: kernel test robot
  Cc: dhowells, torvalds, Rasmus Villemoes, Greg Kroah-Hartman,
	Peter Zijlstra, nicolas.dichtel, raven, Christian Brauner,
	keyrings, linux-usb, linux-block, linux-security-module,
	linux-fsdevel, linux-api, linux-kernel, lkp

Actually, no, this is the fix:

diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 7006b5b2106d..be2fc5793ddd 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -537,7 +537,7 @@ static size_t push_pipe(struct iov_iter *i, size_t size,
 		buf->ops = &default_pipe_buf_ops;
 		buf->page = page;
 		buf->offset = 0;
-		buf->len = max_t(ssize_t, left, PAGE_SIZE);
+		buf->len = min_t(ssize_t, left, PAGE_SIZE);
 		left -= buf->len;
 		iter_head++;
 		pipe->head = iter_head;
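Review bot: `buf->len = min_t(ssize_t, left, PAGE_SIZE);` is only correct if `left` is still positive when this body runs: min_t casts both operands to ssize_t, so a zero or negative `left` would be selected over PAGE_SIZE and stored into buf->len, which the next line `left -= buf->len;` then feeds straight back. The loop header and the declaration of `left` are outside the hunk, so that precondition cannot be checked here; a comment on this line, `/* left > 0 here; a pipe_buffer covers at most one page */`, would pin the assumption where it is relied on. push_pipe() begins and ends outside the hunk. The same hunk is quoted again in the 2019-11-18 reply and needs no separate note there.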

David



* Re: [LKP] Re: [pipe] d60337eff1: BUG:kernel_NULL_pointer_dereference,address
  2019-11-15 16:22 ` David Howells
@ 2019-11-18  7:53   ` " kernel test robot
  0 siblings, 0 replies; 3+ messages in thread
From: kernel test robot @ 2019-11-18  7:53 UTC (permalink / raw)
  To: David Howells, kernel test robot
  Cc: torvalds, Rasmus Villemoes, Greg Kroah-Hartman, Peter Zijlstra,
	nicolas.dichtel, raven, Christian Brauner, keyrings, linux-usb,
	linux-block, linux-security-module, linux-fsdevel, linux-api,
	linux-kernel, lkp

Hi David,

Yes, it can fix the problem.

Best Regards,
Rong Chen

On 11/16/2019 12:22 AM, David Howells wrote:
> Actually, no, this is the fix:
>
> diff --git a/lib/iov_iter.c b/lib/iov_iter.c
> index 7006b5b2106d..be2fc5793ddd 100644
> --- a/lib/iov_iter.c
> +++ b/lib/iov_iter.c
> @@ -537,7 +537,7 @@ static size_t push_pipe(struct iov_iter *i, size_t size,
>   		buf->ops = &default_pipe_buf_ops;
>   		buf->page = page;
>   		buf->offset = 0;
> -		buf->len = max_t(ssize_t, left, PAGE_SIZE);
> +		buf->len = min_t(ssize_t, left, PAGE_SIZE);
>   		left -= buf->len;
>   		iter_head++;
>   		pipe->head = iter_head;
>
> David
> _______________________________________________
> LKP mailing list -- lkp@lists.01.org
> To unsubscribe send an email to lkp-leave@lists.01.org


