From: Linus Torvalds <torvalds@linux-foundation.org>
To: syzbot <syzbot+45474c076a4927533d2e@syzkaller.appspotmail.com>,
Ben Hutchings <ben@decadent.org.uk>
Cc: David Miller <davem@davemloft.net>,
Dmitry Vyukov <dvyukov@google.com>,
Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jslaby@suse.com>,
Linux List Kernel Mailing <linux-kernel@vger.kernel.org>,
Michal Hocko <mhocko@suse.com>, Netdev <netdev@vger.kernel.org>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
peter@hurleysoftware.com,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
vegard.nossum@gmail.com
Subject: Re: BUG: unable to handle page fault for address = ADDR
Date: Thu, 25 Apr 2019 16:13:58 -0700
Message-ID: <CAHk-=wjp-R083To=AVbovNJWrskNfYN8rqz=nZZTPRihCohE4g@mail.gmail.com>
In-Reply-To: <0000000000000101b30587622a69@google.com>

On Thu, Apr 25, 2019 at 3:16 PM syzbot
<syzbot+45474c076a4927533d2e@syzkaller.appspotmail.com> wrote:
>
> The bug was bisected to:
>
> commit bcdd0ca8cb8730573afebcaae4138f8f4c8eaa20
> Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> Date: Wed Apr 25 11:12:31 2018 +0000
>
> tty: Use __GFP_NOFAIL for tty_ldisc_get()

I think this just makes slhc_init() fail more easily, but the bug was
pre-existing.

The *real* source of the bug seems to be

    4ab42d78e37a ("ppp, slip: Validate VJ compression slot parameters
    completely")

from back in 2015.

We have (in drivers/net/slip/slip.c: sl_alloc_bufs())

        slcomp = slhc_init(16, 16);
        if (IS_ERR(slcomp))
                goto err_exit;
        ....
    err_exit:
    #ifdef SL_INCLUDE_CSLIP
        kfree(cbuff);
        slhc_free(slcomp);
    #endif

so we do "slhc_free()" on an error pointer, which results in

    BUG: unable to handle page fault for address = fffffffffffffff4

and the fix might be something like the appended whitespace-damaged
trivial one-liner: just make slhc_free() silently ignore an error
pointer, to match the slhc_init() return behavior.

Ben? David?

                Linus

diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
index f4e93f5fc204..ea90db3c7705 100644
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
@@ -153,7 +153,7 @@ slhc_init(int rslots, int tslots)
void
slhc_free(struct slcompress *comp)
{
- if ( comp == NULLSLCOMPR )
+ if ( IS_ERR_OR_NULL(comp) )
return;
if ( comp->tstate != NULLSLSTATE )
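
Review bot: the changed guard at the top of slhc_free() now silently accepts error pointers as well as NULL, but nothing at the function says so; a one-line comment above slhc_free() stating that NULL and ERR_PTR values returned by slhc_init() are ignored would keep a later cleanup from narrowing the check back to NULLSLCOMPR. The message itself calls the patch whitespace-damaged, so it needs regenerating before it can be applied, and the final version should carry a Fixes: tag for 4ab42d78e37a and a Reported-by: for the syzbot address, both of which are named in the message. The sl_alloc_bufs() excerpt still reaches slhc_free(slcomp) with the error value, which is safe with this check; setting slcomp to NULL before "goto err_exit" would be the alternative that leaves slhc_free() untouched.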
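
Added example (not part of the original message and not kernel source): a user-space model of the kernel's error-pointer helpers, showing why the NULL-only guard lets the slhc_init() failure value through and how the faulting address in the report reads as an errno. The names old_guard_derefs(), new_guard_derefs() and errno_from_fault_addr() are hypothetical, and a 64-bit Linux build is assumed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space stand-ins for the kernel's <linux/err.h> helpers. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr)
{
	/* The top MAX_ERRNO addresses are reserved for encoded errnos. */
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}
static inline int IS_ERR_OR_NULL(const void *ptr)
{
	return !ptr || IS_ERR(ptr);
}

/* Hypothetical models of the two guards. Each returns 1 if the function
 * would continue and dereference comp, 0 if it returns early.
 * Nothing is actually dereferenced here. */
int old_guard_derefs(const void *comp) { return comp != NULL; }
int new_guard_derefs(const void *comp) { return !IS_ERR_OR_NULL(comp); }

/* Read a faulting address from an oops as an error pointer.
 * Returns the negative errno, or 0 if it is outside the ERR_PTR range. */
long errno_from_fault_addr(uint64_t addr)
{
	const void *p = (const void *)(uintptr_t)addr;
	return IS_ERR(p) ? PTR_ERR(p) : 0;
}

int main(void)
{
	int valid_obj = 0;                 /* constructed stand-in for a real object */
	void *failed = ERR_PTR(-ENOMEM);   /* constructed failing init result */

	printf("fault address as errno: %ld\n",
	       errno_from_fault_addr(0xfffffffffffffff4ULL));
	printf("error pointer: old guard derefs=%d, new guard derefs=%d\n",
	       old_guard_derefs(failed), new_guard_derefs(failed));
	printf("valid pointer: old guard derefs=%d, new guard derefs=%d\n",
	       old_guard_derefs(&valid_obj), new_guard_derefs(&valid_obj));
	return 0;
}
```

An error pointer is non-NULL, so any cleanup path that checks only for NULL treats it as a live object; the same decoding applies to other oops addresses that fall in the last 4095 bytes of the address space.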