* Re: BUG: unable to handle kernel paging request in slhc_free
2018-12-29 2:41 BUG: unable to handle kernel paging request in slhc_free syzbot
@ 2019-03-16 14:49 ` syzbot
2019-03-16 17:24 ` Linus Torvalds
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2019-03-16 14:49 UTC (permalink / raw)
To: akinobu.mita, akpm, davem, dvyukov, linux-kernel, mhocko, netdev,
syzkaller-bugs, tejaswit, torvalds
syzbot has bisected this bug to:
commit e41d58185f1444368873d4d7422f7664a68be61d
Author: Dmitry Vyukov <dvyukov@google.com>
Date: Wed Jul 12 21:34:35 2017 +0000
fault-inject: support systematic fault injection
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1415a8a3200000
start commit: e41d5818 fault-inject: support systematic fault injection
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=1615a8a3200000
console output: https://syzkaller.appspot.com/x/log.txt?x=1215a8a3200000
kernel config: https://syzkaller.appspot.com/x/.config?x=7d581260bae0899a
dashboard link: https://syzkaller.appspot.com/bug?extid=6c5d567447bfa30f78e2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=136130fd400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1607c563400000
Reported-by: syzbot+6c5d567447bfa30f78e2@syzkaller.appspotmail.com
Fixes: e41d5818 ("fault-inject: support systematic fault injection")
* Re: BUG: unable to handle kernel paging request in slhc_free
From: Linus Torvalds @ 2019-03-16 17:24 UTC (permalink / raw)
To: syzbot
Cc: David Miller, Linux List Kernel Mailing, Netdev, syzkaller-bugs,
tejaswit
On Fri, Dec 28, 2018 at 6:41 PM syzbot
<syzbot+6c5d567447bfa30f78e2@syzkaller.appspotmail.com> wrote:
>
> Reported-by: syzbot+6c5d567447bfa30f78e2@syzkaller.appspotmail.com
>
> BUG: unable to handle kernel paging request at fffffffffffffff4
> RIP: slhc_free+0x30/0xb0 drivers/net/slip/slhc.c:159
> Call Trace:
> sl_alloc_bufs drivers/net/slip/slip.c:196 [inline]
> slip_open+0xdee/0x1107 drivers/net/slip/slip.c:821

The error handling in sl_alloc_bufs() is broken.

It does

        slcomp = slhc_init(16, 16);
        if (IS_ERR(slcomp))
                goto err_exit;

and knows that the error case returns an error pointer, but then the
'err_exit:' code just does

        slhc_free(slcomp);

which doesn't handle error pointers.

The slhc code in general is pretty odd, presumably for some legacy
reason. It does things like

        if ( comp == NULLSLCOMPR )
                return;

to compare against NULL. That's some crazy stuff.

I don't think anybody really wants to bother with slip any more, and
the simplest fix seems to just be to let slhc_free() handle all the
error pointers that slhc_init() can return, and do something like
this:

drivers/net/slip/slhc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
index f4e93f5fc204..3ee19a5b03a1 100644
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
@@ -153,7 +153,7 @@ slhc_init(int rslots, int tslots)
void
slhc_free(struct slcompress *comp)
{
- if ( comp == NULLSLCOMPR )
+ if (IS_ERR_OR_NULL(comp))
return;
if ( comp->tstate != NULLSLSTATE )
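
Review bot: the new IS_ERR_OR_NULL(comp) guard at the top of slhc_free() has no comment saying why a free routine tolerates error pointers, so a later cleanup could narrow it back to a NULL check and reintroduce the fault. A one-line comment above the check noting that slhc_init() can return ERR_PTR values and that callers pass the result straight through would record the contract. The unchanged context line below still uses the old macro style ("comp->tstate != NULLSLSTATE"), so the function now mixes two conventions; worth a follow-up if the file is touched again.
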
which is obviously and intentionally whitespace-damaged, but you get the idea.
David?
Linus
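
The failure described in the message above, modelled in userspace as an added example that is not part of the original thread or of the kernel source: a NULL-only guard lets an error pointer through, and the address the next field read would touch is the errno value reinterpreted as a pointer, which on 64-bit matches the fffffffffffffff4 in the report for -ENOMEM (12 on Linux). `struct mock_comp`, the `mock_*` functions, `null_only_guard_passes` and `tstate_addr` are hypothetical names, and placing `tstate` at offset 0 is an assumption of this model.

```c
/* Userspace model of the error-pointer helpers in include/linux/err.h.
 * Added illustration: mock_* names are hypothetical, not slhc driver code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ERRNO 4095
static void *ERR_PTR(intptr_t err) { return (void *)err; }
static intptr_t PTR_ERR(const void *p) { return (intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static int IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

struct mock_comp { void *tstate; void *rstate; }; /* assumed layout */

/* Stand-in for slhc_init(): error pointer on simulated allocation failure. */
static struct mock_comp *mock_init(int fail_alloc)
{
    return fail_alloc ? ERR_PTR(-ENOMEM) : calloc(1, sizeof(struct mock_comp));
}

/* NULL-only guard (the pre-patch check): 1 means the pointer gets past the
 * guard, so the function would go on to read comp->tstate. */
static int null_only_guard_passes(const struct mock_comp *comp) { return comp != NULL; }

/* Address a read of comp->tstate would touch, computed without a dereference. */
static uintptr_t tstate_addr(const struct mock_comp *comp)
{
    return (uintptr_t)comp + offsetof(struct mock_comp, tstate);
}

/* Guard from the patch: returns 1 if comp was released, 0 if it was skipped. */
static int mock_free_fixed(struct mock_comp *comp)
{
    if (IS_ERR_OR_NULL(comp))
        return 0;
    free(comp->tstate);
    free(comp->rstate);
    free(comp);
    return 1;
}

int main(void)
{
    struct mock_comp *c = mock_init(1); /* constructed failure case */
    printf("err=%ld passes_null_check=%d would_read=%#lx fixed_frees=%d\n",
           (long)PTR_ERR(c), null_only_guard_passes(c),
           (unsigned long)tstate_addr(c), mock_free_fixed(c));
    return 0;
}
```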
* Re: BUG: unable to handle kernel paging request in slhc_free
From: syzbot @ 2019-11-16 17:42 UTC (permalink / raw)
To: akinobu.mita, akpm, davem, dvyukov, linux-kernel, mhocko, netdev,
syzkaller-bugs, tejaswit, torvalds
syzbot has bisected this bug to:
commit e41d58185f1444368873d4d7422f7664a68be61d
Author: Dmitry Vyukov <dvyukov@google.com>
Date: Wed Jul 12 21:34:35 2017 +0000
fault-inject: support systematic fault injection
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=144b8772e00000
start commit: 8fe28cb5 Linux 4.20
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=164b8772e00000
console output: https://syzkaller.appspot.com/x/log.txt?x=124b8772e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=7d581260bae0899a
dashboard link: https://syzkaller.appspot.com/bug?extid=6c5d567447bfa30f78e2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=136130fd400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1607c563400000
Reported-by: syzbot+6c5d567447bfa30f78e2@syzkaller.appspotmail.com
Fixes: e41d58185f14 ("fault-inject: support systematic fault injection")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
* Re: BUG: unable to handle kernel paging request in slhc_free
From: syzbot @ 2019-12-05 20:26 UTC (permalink / raw)
To: adobriyan, akinobu.mita, akpm, ben, davem, dvyukov, linux-kernel,
mhocko, netdev, syzkaller-bugs, tejaswit, torvalds
syzbot suspects this bug was fixed by commit:
commit baf76f0c58aec435a3a864075b8f6d8ee5d1f17e
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Thu Apr 25 23:13:58 2019 +0000
slip: make slhc_free() silently accept an error pointer
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=114af97ee00000
start commit: 8fe28cb5 Linux 4.20
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=7d581260bae0899a
dashboard link: https://syzkaller.appspot.com/bug?extid=6c5d567447bfa30f78e2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=136130fd400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1607c563400000
If the result looks correct, please mark the bug fixed by replying with:
#syz fix: slip: make slhc_free() silently accept an error pointer
For information about bisection process see: https://goo.gl/tpsmEJ#bisection