From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com,
Bixuan Cui <cuibixuan@huawei.com>,
Alexei Starovoitov <ast@kernel.org>, Yonghong Song <yhs@fb.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 080/103] bpf: Add oversize check before call kvcalloc()
Date: Mon, 27 Sep 2021 19:02:52 +0200 [thread overview]
Message-ID: <20210927170228.531386981@linuxfoundation.org> (raw)
In-Reply-To: <20210927170225.702078779@linuxfoundation.org>
From: Bixuan Cui <cuibixuan@huawei.com>
[ Upstream commit 0e6491b559704da720f6da09dd0a52c4df44c514 ]
Commit 7661809d493b ("mm: don't allow oversized kvmalloc() calls") add the
oversize check. When the allocation is larger than what kmalloc() supports,
the following warning triggered:
WARNING: CPU: 0 PID: 8408 at mm/util.c:597 kvmalloc_node+0x108/0x110 mm/util.c:597
Modules linked in:
CPU: 0 PID: 8408 Comm: syz-executor221 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:kvmalloc_node+0x108/0x110 mm/util.c:597
Call Trace:
kvmalloc include/linux/mm.h:806 [inline]
kvmalloc_array include/linux/mm.h:824 [inline]
kvcalloc include/linux/mm.h:829 [inline]
check_btf_line kernel/bpf/verifier.c:9925 [inline]
check_btf_info kernel/bpf/verifier.c:10049 [inline]
bpf_check+0xd634/0x150d0 kernel/bpf/verifier.c:13759
bpf_prog_load kernel/bpf/syscall.c:2301 [inline]
__sys_bpf+0x11181/0x126e0 kernel/bpf/syscall.c:4587
__do_sys_bpf kernel/bpf/syscall.c:4691 [inline]
__se_sys_bpf kernel/bpf/syscall.c:4689 [inline]
__x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4689
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Reported-by: syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com
Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/20210911005557.45518-1-cuibixuan@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index cba1f86e75cd..0c26757ea7fb 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -8822,6 +8822,8 @@ static int check_btf_line(struct bpf_verifier_env *env,
nr_linfo = attr->line_info_cnt;
if (!nr_linfo)
return 0;
+ if (nr_linfo > INT_MAX / sizeof(struct bpf_line_info))
+ return -EINVAL;
rec_size = attr->line_info_rec_size;
if (rec_size < MIN_BPF_LINEINFO_SIZE ||
--
2.33.0
next prev parent reply other threads:[~2021-09-27 17:13 UTC|newest]
Thread overview: 115+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-27 17:01 [PATCH 5.10 000/103] 5.10.70-rc1 review Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 001/103] PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 002/103] ocfs2: drop acl cache for directories too Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 003/103] mm: fix uninitialized use in overcommit_policy_handler Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 004/103] usb: gadget: r8a66597: fix a loop in set_feature() Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 005/103] usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 006/103] usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 007/103] usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 008/103] cifs: fix incorrect check for null pointer in header_assemble Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 009/103] xen/x86: fix PV trap handling on secondary processors Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 010/103] usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 011/103] USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 012/103] USB: cdc-acm: fix minor-number release Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 013/103] Revert "USB: bcma: Add a check for devm_gpiod_get" Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 014/103] binder: make sure fd closes complete Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 015/103] staging: greybus: uart: fix tty use after free Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 016/103] Re-enable UAS for LaCie Rugged USB3-FW with fk quirk Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 017/103] usb: dwc3: core: balance phy init and exit Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 018/103] usb: core: hcd: Add support for deferring roothub registration Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 019/103] USB: serial: mos7840: remove duplicated 0xac24 device ID Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 020/103] USB: serial: option: add Telit LN920 compositions Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 021/103] USB: serial: option: remove duplicate USB device ID Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 022/103] USB: serial: option: add device id for Foxconn T99W265 Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 023/103] mcb: fix error handling in mcb_alloc_bus() Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 024/103] erofs: fix up erofs_lookup tracepoint Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 025/103] btrfs: prevent __btrfs_dump_space_info() to underflow its free space Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 026/103] xhci: Set HCD flag to defer primary roothub registration Greg Kroah-Hartman
2021-09-27 17:01 ` [PATCH 5.10 027/103] serial: 8250: 8250_omap: Fix RX_LVL register offset Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 028/103] serial: mvebu-uart: fix drivers tx_empty callback Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 029/103] scsi: sd_zbc: Ensure buffer size is aligned to SECTOR_SIZE Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 030/103] drm/amd/pm: Update intermediate power state for SI Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 031/103] net: hso: fix muxed tty registration Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 032/103] comedi: Fix memory leak in compat_insnlist() Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 033/103] afs: Fix incorrect triggering of sillyrename on 3rd-party invalidation Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 034/103] afs: Fix updating of i_blocks on file/dir extension Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 035/103] platform/x86/intel: punit_ipc: Drop wrong use of ACPI_PTR() Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 036/103] enetc: Fix illegal access when reading affinity_hint Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 037/103] enetc: Fix uninitialized struct dim_sample field usage Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 038/103] bnxt_en: Fix TX timeout when TX ring size is set to the smallest Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 039/103] net: hns3: fix change RSS hfunc ineffective issue Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 040/103] net: hns3: check queue id range before using Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 041/103] net/smc: add missing error check in smc_clc_prfx_set() Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 042/103] net/smc: fix workqueue leaked lock in smc_conn_abort_work Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 043/103] net: dsa: dont allocate the slave_mii_bus using devres Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 044/103] net: dsa: realtek: register the MDIO bus under devres Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 045/103] kselftest/arm64: signal: Add SVE to the set of features we can check for Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 046/103] kselftest/arm64: signal: Skip tests if required features are missing Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 047/103] s390/qeth: fix NULL deref in qeth_clear_working_pool_list() Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 048/103] s390/qeth: fix deadlock during failing recovery Greg Kroah-Hartman
2021-09-27 17:45 ` Naresh Kamboju
2021-09-27 18:25 ` Naresh Kamboju
2021-09-28 7:16 ` Greg Kroah-Hartman
2021-09-28 10:29 ` Julian Wiedmann
2021-09-27 17:02 ` [PATCH 5.10 049/103] gpio: uniphier: Fix void functions to remove return value Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 050/103] qed: rdma - dont wait for resources under hw error recovery flow Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 051/103] net/mlx4_en: Dont allow aRFS for encapsulated packets Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 052/103] atlantic: Fix issue in the pm resume flow Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 053/103] scsi: iscsi: Adjust iface sysfs attr detection Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 054/103] scsi: target: Fix the pgr/alua_support_store functions Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 055/103] tty: synclink_gt, drop unneeded forward declarations Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 056/103] tty: synclink_gt: rename a conflicting function name Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 057/103] fpga: machxo2-spi: Return an error on failure Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 058/103] fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 059/103] nvme-tcp: fix incorrect h2cdata pdu offset accounting Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 060/103] treewide: Change list_sort to use const pointers Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 061/103] nvme: keep ctrl->namespaces ordered Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 062/103] thermal/core: Potential buffer overflow in thermal_build_list_of_policies() Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 063/103] cifs: fix a sign extension bug Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 064/103] scsi: qla2xxx: Restore initiator in dual mode Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 065/103] scsi: lpfc: Use correct scnprintf() limit Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 066/103] irqchip/goldfish-pic: Select GENERIC_IRQ_CHIP to fix build Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 067/103] irqchip/gic-v3-its: Fix potential VPE leak on error Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 068/103] md: fix a lock order reversal in md_alloc Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 069/103] x86/asm: Add a missing __iomem annotation in enqcmds() Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 070/103] x86/asm: Fix SETZ size enqcmds() build failure Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 071/103] io_uring: put provided buffer meta data under memcg accounting Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 072/103] blktrace: Fix uaf in blk_trace access after removing by sysfs Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 073/103] net: phylink: Update SFP selected interface on advertising changes Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 074/103] net: macb: fix use after free on rmmod Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 075/103] net: stmmac: allow CSR clock of 300MHz Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 076/103] blk-mq: avoid to iterate over stale request Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 077/103] m68k: Double cast io functions to unsigned long Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 078/103] ipv6: delay fib6_sernum increase in fib6_add Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 079/103] cpufreq: intel_pstate: Override parameters if HWP forced by BIOS Greg Kroah-Hartman
2021-09-27 17:02 ` Greg Kroah-Hartman [this message]
2021-09-27 17:02 ` [PATCH 5.10 081/103] xen/balloon: use a kernel thread instead a workqueue Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 082/103] nvme-multipath: fix ANA state updates when a namespace is not present Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 083/103] nvme-rdma: destroy cm id before destroy qp to avoid use after free Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 084/103] sparc32: page align size in arch_dma_alloc Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 085/103] amd/display: downgrade validation failure log level Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 086/103] block: check if a profile is actually registered in blk_integrity_unregister Greg Kroah-Hartman
2021-09-27 17:02 ` [PATCH 5.10 087/103] block: flush the integrity workqueue " Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 088/103] blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 089/103] compiler.h: Introduce absolute_pointer macro Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 090/103] net: i825xx: Use absolute_pointer for memcpy from fixed memory location Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 091/103] sparc: avoid stringop-overread errors Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 092/103] qnx4: " Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 093/103] parisc: Use absolute_pointer() to define PAGE0 Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 094/103] arm64: Mark __stack_chk_guard as __ro_after_init Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 095/103] alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to volatile Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 096/103] net: 6pack: Fix tx timeout and slot time Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 097/103] spi: Fix tegra20 build with CONFIG_PM=n Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 098/103] EDAC/synopsys: Fix wrong value type assignment for edac_mode Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 099/103] EDAC/dmc520: Assign the proper type to dimm->edac_mode Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 100/103] thermal/drivers/int340x: Do not set a wrong tcc offset on resume Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 101/103] USB: serial: cp210x: fix dropped characters with CP2102 Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 102/103] xen/balloon: fix balloon kthread freezing Greg Kroah-Hartman
2021-09-27 17:03 ` [PATCH 5.10 103/103] qnx4: work around gcc false positive warning bug Greg Kroah-Hartman
2021-09-27 17:43 ` [PATCH 5.10 000/103] 5.10.70-rc1 review Naresh Kamboju
2021-09-27 18:05 ` Florian Fainelli
2021-09-27 20:59 ` Pavel Machek
2021-09-27 22:36 ` Fox Chen
2021-09-27 22:58 ` Shuah Khan
2021-09-28 7:00 ` Jon Hunter
2021-09-28 7:58 ` Samuel Zou
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210927170228.531386981@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ast@kernel.org \
--cc=cuibixuan@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).