lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Aug 2021 17:10:56 +0300 From: Pavel Skripkin <paskripkin@...il.com> To: syzbot <syzbot+e9cd3122a37c5d6c51e8@...kaller.appspotmail.com>, christian.koenig@....com, dongwon.kim@...el.com, dri-devel@...ts.freedesktop.org, kraxel@...hat.com, linaro-mm-sig@...ts.linaro.org, linux-kernel@...r.kernel.org, linux-media@...r.kernel.org, sumit.semwal@...aro.org, syzkaller-bugs@...glegroups.com, vivek.kasireddy@...el.com Subject: Re: [syzbot] general protection fault in udmabuf_create On 8/10/21 4:47 PM, syzbot wrote: > Hello, > > syzbot found the following issue on: > > HEAD commit: 7999516e20bd Add linux-next specific files for 20210806 > git tree: linux-next > console output: https://syzkaller.appspot.com/x/log.txt?x=10f15f8e300000 > kernel config: https://syzkaller.appspot.com/x/.config?x=2f518e910b029c31 > dashboard link: https://syzkaller.appspot.com/bug?extid=e9cd3122a37c5d6c51e8 > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1181099a300000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11b6fce9300000 > > The issue was bisected to: > > commit 16c243e99d335e1ef3059871897119affc98b493 > Author: Vivek Kasireddy <vivek.kasireddy@...el.com> > Date: Wed Jun 9 18:29:15 2021 +0000 > > udmabuf: Add support for mapping hugepages (v4) > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12f73dc9300000 > final oops: https://syzkaller.appspot.com/x/report.txt?x=11f73dc9300000 > console output: https://syzkaller.appspot.com/x/log.txt?x=16f73dc9300000 > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+e9cd3122a37c5d6c51e8@...kaller.appspotmail.com > Fixes: 16c243e99d33 ("udmabuf: Add support for mapping hugepages (v4)") > > general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN > KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] > CPU: 0 PID: 6603 Comm: syz-executor127 Not tainted 5.14.0-rc4-next-20210806-syzkaller #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 > RIP: 0010:_compound_head include/linux/page-flags.h:187 [inline] > RIP: 0010:get_page include/linux/mm.h:1203 [inline] > RIP: 0010:udmabuf_create+0x664/0x16f0 drivers/dma-buf/udmabuf.c:236 > Code: 03 48 89 84 24 90 00 00 00 e9 38 01 00 00 e8 23 7a f7 fc 4d 89 f4 49 c1 e4 06 4c 03 24 24 49 8d 7c 24 08 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 0f 85 d3 0d 00 00 4d 8b 6c 24 08 31 ff 4c 89 eb 83 > RSP: 0018:ffffc90002d7fc70 EFLAGS: 00010202 > RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000 > RDX: ffff888023f69c80 RSI: ffffffff847e4f3d RDI: 0000000000000008 > RBP: 0000000000000000 R08: fffffffffffff000 R09: 0000000000000000 > R10: ffffffff847e50f5 R11: 0000000000000000 R12: 0000000000000000 > R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000 > FS: 0000000000935300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 000000002000020c CR3: 0000000018d16000 CR4: 00000000001506f0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > Call Trace: > udmabuf_ioctl_create drivers/dma-buf/udmabuf.c:305 [inline] The problem is wrong error handling: hpage = find_get_page_flags(mapping, pgoff, FGP_ACCESSED); if (IS_ERR(hpage)) { ret = PTR_ERR(hpage); goto err; } find_get_page_flags() return NULL on failure, so this patch should work: diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 8df761a10251..c57a609db75b 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -227,8 +227,8 @@ static long udmabuf_create(struct miscdevice *device, if (!hpage) { hpage = find_get_page_flags(mapping, pgoff, FGP_ACCESSED); - if (IS_ERR(hpage)) { - ret = PTR_ERR(hpage); + if (!hpage) { + ret = -EINVAL; goto err; } } I am not sure about ret value in case of failure, so I am looking for any reviews :) > udmabuf_ioctl+0x152/0x2c0 drivers/dma-buf/udmabuf.c:336 > vfs_ioctl fs/ioctl.c:51 [inline] > __do_sys_ioctl fs/ioctl.c:874 [inline] > __se_sys_ioctl fs/ioctl.c:860 [inline] > __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x44/0xae With regards, Pavel Skripkin
Powered by blists - more mailing lists