| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 21 Oct 2022 10:57:19 +0100
From: Mark Rutland <mark.rutland@....com>
To: Andrew Morton <akpm@...ux-foundation.org>
Cc: syzbot <syzbot+96e659d35b9d6b541152@...kaller.appspotmail.com>,
jiebin.sun@...el.com, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com, tim.c.chen@...ux.intel.com
Subject: Re: [syzbot] BUG: unable to handle kernel paging request in
percpu_counter_add_batch
On Thu, Oct 20, 2022 at 07:44:27PM -0700, Andrew Morton wrote:
> On Thu, 20 Oct 2022 19:24:40 -0700 syzbot <syzbot+96e659d35b9d6b541152@...kaller.appspotmail.com> wrote:
> Well. freeque() messes with ns->percpu_msg_hdrs but msg_exit_ns()
> already did percpu_counter_destroy(&ns->percpu_msg_hdrs);
>
> I'm thinking something like this?
>
> --- a/ipc/msg.c~a
> +++ a/ipc/msg.c
> @@ -1329,11 +1329,11 @@ fail_msg_bytes:
> #ifdef CONFIG_IPC_NS
> void msg_exit_ns(struct ipc_namespace *ns)
> {
> - percpu_counter_destroy(&ns->percpu_msg_bytes);
> - percpu_counter_destroy(&ns->percpu_msg_hdrs);
> free_ipcs(ns, &msg_ids(ns), freeque);
> idr_destroy(&ns->ids[IPC_MSG_IDS].ipcs_idr);
> rhashtable_destroy(&ns->ids[IPC_MSG_IDS].key_ht);
> + percpu_counter_destroy(&ns->percpu_msg_bytes);
> + percpu_counter_destroy(&ns->percpu_msg_hdrs);
> }
> #endif
That seems to fix the issue for me, testing with the reproducer in my prior
reply. Previously that would trigger within seconds, and with the above applied
I couldn't get it to trigger after 15+ minutes of repeated test runs.
FWIW:
Tested-by: Mark Rutland <mark.rutland@....com>
Thanks,
Mark.
Powered by blists - more mailing lists