* Issue with 'lib/vsprintf.c: don't try to fix pointer wrap-around'
@ 2015-01-16 16:23 Johannes Weiner
  2015-01-16 20:24 ` Andrew Morton
  0 siblings, 1 reply; 3+ messages in thread
From: Johannes Weiner @ 2015-01-16 16:23 UTC (permalink / raw)
  To: Rasmus Villemoes, Andrew Morton; +Cc: linux-kernel

Hi Rasmus,

I have trouble booting my test machine with this patch in -mm:

commit bb2e066c6943e62e9650bb129f416dacf138f8b1
Author: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Date:   Wed Jan 14 01:00:44 2015 +0000

    lib/vsprintf.c: don't try to fix pointer wrap-around
    
    Actual kernel buffers can't wrap into the user address space.  If someone
    manages to pass a buf/size combination that wraps, it is most likely due
    to a bug in the caller.  Instead of trying to fix it by using a smaller
    part of the buffer, bail out.
    
    Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
    Cc: Jiri Kosina <jkosina@suse.cz>
    Cc: Randy Dunlap <rdunlap@infradead.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

After I get "Loading bzImage-new... ok" from the bootloader, the
serial console remains quiet.

A WARN_ON_ONCE() inside vsnprintf() looks like it would deadlock
instantly when triggering this overflow from printk(), no?


* Re: Issue with 'lib/vsprintf.c: don't try to fix pointer wrap-around'
  2015-01-16 16:23 Issue with 'lib/vsprintf.c: don't try to fix pointer wrap-around' Johannes Weiner
@ 2015-01-16 20:24 ` Andrew Morton
  2015-01-16 20:42   ` Rasmus Villemoes
  0 siblings, 1 reply; 3+ messages in thread
From: Andrew Morton @ 2015-01-16 20:24 UTC (permalink / raw)
  To: Johannes Weiner; +Cc: Rasmus Villemoes, linux-kernel

On Fri, 16 Jan 2015 11:23:57 -0500 Johannes Weiner <hannes@cmpxchg.org> wrote:

> Hi Rasmus,
> 
> I have trouble booting my test machine with this patch in -mm:
> 
> commit bb2e066c6943e62e9650bb129f416dacf138f8b1
> Author: Rasmus Villemoes <linux@rasmusvillemoes.dk>
> Date:   Wed Jan 14 01:00:44 2015 +0000
> 
>     lib/vsprintf.c: don't try to fix pointer wrap-around
>     
>     Actual kernel buffers can't wrap into the user address space.  If someone
>     manages to pass a buf/size combination that wraps, it is most likely due
>     to a bug in the caller.  Instead of trying to fix it by using a smaller
>     part of the buffer, bail out.
>     
>     Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
>     Cc: Jiri Kosina <jkosina@suse.cz>
>     Cc: Randy Dunlap <rdunlap@infradead.org>
>     Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> 
> After I get "Loading bzImage-new... ok" from the bootloader, the
> serial console remains quiet.
> 
> A WARN_ON_ONCE() inside vsnprintf() looks like it would deadlock
> instantly when triggering this overflow from printk(), no?

Dammit, I was staring at that printk, ended up deciding it was OK,
didn't think about deadlocks.  logbuf_lock and recursion_bug, for a
start...

I'll drop the patch.  I assume all this means that your machine is
trying to trigger that warning condition?  I wonder what the call
site is.



* Re: Issue with 'lib/vsprintf.c: don't try to fix pointer wrap-around'
  2015-01-16 20:24 ` Andrew Morton
@ 2015-01-16 20:42   ` Rasmus Villemoes
  0 siblings, 0 replies; 3+ messages in thread
From: Rasmus Villemoes @ 2015-01-16 20:42 UTC (permalink / raw)
  To: Andrew Morton; +Cc: Johannes Weiner, linux-kernel

On Fri, Jan 16 2015, Andrew Morton <akpm@linux-foundation.org> wrote:

> On Fri, 16 Jan 2015 11:23:57 -0500 Johannes Weiner <hannes@cmpxchg.org> wrote:
>
>> Hi Rasmus,
>> 
>> I have trouble booting my test machine with this patch in -mm:
>> 
>> commit bb2e066c6943e62e9650bb129f416dacf138f8b1
>> Author: Rasmus Villemoes <linux@rasmusvillemoes.dk>
>> Date:   Wed Jan 14 01:00:44 2015 +0000
>> 
>>     lib/vsprintf.c: don't try to fix pointer wrap-around
>>     
>>     Actual kernel buffers can't wrap into the user address space.  If someone
>>     manages to pass a buf/size combination that wraps, it is most likely due
>>     to a bug in the caller.  Instead of trying to fix it by using a smaller
>>     part of the buffer, bail out.
>>     
>>     Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
>>     Cc: Jiri Kosina <jkosina@suse.cz>
>>     Cc: Randy Dunlap <rdunlap@infradead.org>
>>     Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
>> 
>> After I get "Loading bzImage-new... ok" from the bootloader, the
>> serial console remains quiet.
>> 
>> A WARN_ON_ONCE() inside vsnprintf() looks like it would deadlock
>> instantly when triggering this overflow from printk(), no?
>
> Dammit, I was staring at that printk, ended up deciding it was OK,
> didn't think about deadlocks.  logbuf_lock and recursion_bug, for a
> start...
>
> I'll drop the patch.

Good, because the bug is in my brain. I think the cause may be a sprintf
or vsprintf call that doesn't actually print what it is supposed to,
since they pass INT_MAX for size, and that can of course easily cause
buf+size to wrap around (it is basically guaranteed on 32 bit).

Sorry about this. Thanks for reporting, Johannes.

Rasmus

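The two problems raised in this thread, the buf+size wrap-around that the kernel's sprintf() provokes by passing INT_MAX, and Johannes' point that a WARN_ON_ONCE() inside vsnprintf() re-enters printk() while logbuf_lock is held, can both be reproduced in a small host-side model. The code below is an added illustration, not kernel code from the thread or from lib/vsprintf.c: addresses are modelled as uint32_t so the 32-bit wrap is defined behaviour and reproducible on any host, the kernel address 0xC0100000 is a constructed sample, logbuf_lock is a plain flag, and the names vsnprintf_prologue, sprintf_prologue and printk_model are hypothetical.

```c
/* Host-side model of the vsnprintf() prologue and of the printk() re-entry
 * discussed in the thread. Not kernel code; all names and values are
 * constructed for the example. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t kaddr_t;                   /* modelled 32-bit kernel address */

/* Pre-patch behaviour (pull end back to the top of the address space) versus
 * the patch's behaviour (treat a wrapped range as a caller bug and bail out). */
enum wrap_policy { WRAP_CLAMP, WRAP_BAIL };

struct prologue {
    uint32_t usable;   /* bytes vsnprintf would treat as writable; 0 = bail out */
    bool wrapped;      /* did buf + size wrap past the end of the address space? */
};

/* Model of the start of vsnprintf(): end = buf + size, then decide what to do
 * if end ended up below buf. Unsigned arithmetic makes the wrap well-defined. */
struct prologue vsnprintf_prologue(kaddr_t buf, uint32_t size, enum wrap_policy policy)
{
    struct prologue r = { .usable = size, .wrapped = false };
    kaddr_t end = buf + size;                /* wraps modulo 2^32 */

    if (end >= buf)
        return r;                            /* normal case: no wrap */

    r.wrapped = true;
    if (policy == WRAP_BAIL) {
        r.usable = 0;                        /* the patch: WARN and print nothing */
        return r;
    }
    end = UINT32_MAX;                        /* historical clamp: (void *)-1 */
    r.usable = end - buf;
    return r;
}

/* The kernel's sprintf() has no size argument and forwards INT_MAX, which is
 * the call site Rasmus refers to: any kernel-space buf makes buf + INT_MAX
 * wrap on 32 bit. */
struct prologue sprintf_prologue(kaddr_t buf, enum wrap_policy policy)
{
    return vsnprintf_prologue(buf, (uint32_t)INT_MAX, policy);
}

/* Model of printk(): format into the log buffer while holding logbuf_lock.
 * Under WRAP_BAIL the prologue's WARN_ON_ONCE() is itself a printk(), so a
 * wrap inside printk() re-enters printk() on the same CPU; on the real
 * spinlock that second acquire would spin forever. The function returns
 * false when that re-entry happens instead of hanging. */
static bool logbuf_locked;

bool printk_model(kaddr_t logbuf, uint32_t size, enum wrap_policy policy)
{
    if (logbuf_locked)
        return false;                        /* lock already held by us: deadlock */
    logbuf_locked = true;

    struct prologue p = vsnprintf_prologue(logbuf, size, policy);
    bool completed = true;
    if (p.wrapped && policy == WRAP_BAIL)    /* WARN_ON_ONCE() -> printk() */
        completed = printk_model(logbuf, 64, policy);

    logbuf_locked = false;
    return completed;
}

int main(void)
{
    const kaddr_t kbuf = 0xC0100000u;        /* constructed 32-bit kernel address */

    struct prologue a = sprintf_prologue(kbuf, WRAP_CLAMP);
    struct prologue b = sprintf_prologue(kbuf, WRAP_BAIL);
    printf("sprintf at %#x: clamp usable=%u wrapped=%d; bail usable=%u wrapped=%d\n",
           kbuf, a.usable, a.wrapped, b.usable, b.wrapped);

    struct prologue c = vsnprintf_prologue(kbuf, 256, WRAP_BAIL);
    printf("vsnprintf(buf, 256): usable=%u wrapped=%d\n", c.usable, c.wrapped);

    printf("printk completes with clamp: %d\n", printk_model(kbuf, (uint32_t)INT_MAX, WRAP_CLAMP));
    printf("printk completes with bail:  %d\n", printk_model(kbuf, (uint32_t)INT_MAX, WRAP_BAIL));
    return 0;
}
```

With a 64-bit address model the same sprintf() call would not wrap, which is why the breakage is "basically guaranteed on 32 bit" rather than universal; and the printk_model() re-entry shows why a diagnostic that itself goes through printk() cannot live on the printk() path.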
