| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2112099.1675441439@warthog.procyon.org.uk>
Date: Fri, 03 Feb 2023 16:23:59 +0000
From: David Howells <dhowells@...hat.com>
To: John Hubbard <jhubbard@...dia.com>
Cc: dhowells@...hat.com, David Hildenbrand <david@...hat.com>,
syzbot <syzbot+a440341a59e3b7142895@...kaller.appspotmail.com>,
hch@....de, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] general protection fault in skb_dequeue (3)
David Howells <dhowells@...hat.com> wrote:
> I think I have managed to isolate the bug to the read side of sendfile() or
> the pipe in the middle by the following:
I did something similar in iov_iter_extract_pipe_pages(), allocating a
permanent page there:
+ mutex_lock(&extract_tmp_lock);
+ if (!extract_tmp) {
+ pr_notice("alloc extract_tmp\n");
+ extract_tmp = alloc_page(GFP_USER);
+ if (extract_tmp) {
+ SetPageDebugMark(extract_tmp);
+ page_ref_add(extract_tmp, 200);
+ }
+ }
+ mutex_unlock(&extract_tmp_lock);
+ if (!extract_tmp)
+ return -ENOMEM;
and then subbing that for the returned page:
chunk = min_t(size_t, left, PAGE_SIZE - offset);
left -= chunk;
- *p++ = page;
+ //*p++ = page;
+ *p++ = extract_tmp;
That makes the oopses stop happening. Pages are still being added to the pipe
at one end and being removed at the other.
So I'm guessing a DMA happens to the destination buffer for the DIO read after
it has been released.
David
Powered by blists - more mailing lists