From: Dan Carpenter <dan.carpenter@oracle.com>
To: "Björn Töpel" <bjorn.topel@gmail.com>
Cc: "Daniel Borkmann" <daniel@iogearbox.net>,
"Willy Tarreau" <w@1wt.eu>,
syzbot <syzbot+11421fbbff99b989670e@syzkaller.appspotmail.com>,
akpm@linux-foundation.org, "Andrii Nakryiko" <andrii@kernel.org>,
"Alexei Starovoitov" <ast@kernel.org>,
"Björn Töpel" <bjorn.topel@intel.com>, bpf <bpf@vger.kernel.org>,
"David Miller" <davem@davemloft.net>,
fgheet255t@gmail.com, "Jesper Dangaard Brouer" <hawk@kernel.org>,
"John Fastabend" <john.fastabend@gmail.com>,
"Jonathan Lemon" <jonathan.lemon@gmail.com>,
"Martin KaFai Lau" <kafai@fb.com>,
"KP Singh" <kpsingh@kernel.org>,
"Jakub Kicinski" <kuba@kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
linux-mm@kvack.org, "Karlsson,
Magnus" <magnus.karlsson@intel.com>,
mudongliangabcd@gmail.com, Netdev <netdev@vger.kernel.org>,
"Song Liu" <songliubraving@fb.com>,
syzkaller-bugs@googlegroups.com,
"Linus Torvalds" <torvalds@linux-foundation.org>,
"Yonghong Song" <yhs@fb.com>
Subject: Re: [syzbot] WARNING: kmalloc bug in xdp_umem_create (2)
Date: Thu, 10 Feb 2022 20:45:08 +0300 [thread overview]
Message-ID: <20220210174507.GK1951@kadam> (raw)
In-Reply-To: <CAJ+HfNjeapa=2Ue19L3EWF8z5vxFB0k2QO_LuBu4Meqs0=AE4Q@mail.gmail.com>
On Thu, Feb 10, 2022 at 05:18:52PM +0100, Björn Töpel wrote:
> On Thu, 10 Feb 2022 at 09:35, Daniel Borkmann <daniel@iogearbox.net> wrote:
> >
> > On 2/10/22 9:11 AM, Willy Tarreau wrote:
> > > On Wed, Feb 09, 2022 at 10:08:07PM -0800, syzbot wrote:
> > >> syzbot has bisected this issue to:
> > >>
> > >> commit 7661809d493b426e979f39ab512e3adf41fbcc69
> > >> Author: Linus Torvalds <torvalds@linux-foundation.org>
> > >> Date: Wed Jul 14 16:45:49 2021 +0000
> > >>
> > >> mm: don't allow oversized kvmalloc() calls
> > >>
> > >> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13bc74c2700000
> > >> start commit: f4bc5bbb5fef Merge tag 'nfsd-5.17-2' of git://git.kernel.o..
> > >> git tree: upstream
> > >> final oops: https://syzkaller.appspot.com/x/report.txt?x=107c74c2700000
> > >> console output: https://syzkaller.appspot.com/x/log.txt?x=17bc74c2700000
> > >> kernel config: https://syzkaller.appspot.com/x/.config?x=5707221760c00a20
> > >> dashboard link: https://syzkaller.appspot.com/bug?extid=11421fbbff99b989670e
> > >> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12e514a4700000
> > >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15fcdf8a700000
> > >>
> > >> Reported-by: syzbot+11421fbbff99b989670e@syzkaller.appspotmail.com
> > >> Fixes: 7661809d493b ("mm: don't allow oversized kvmalloc() calls")
> > >>
> > >> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> > >
> > > Interesting, so in fact syzkaller has shown that the aforementioned
> > > patch does its job well and has spotted a call path by which a single
> > > userland setsockopt() can request more than 2 GB allocation in the
> > > kernel. Most likely that's in fact what needs to be addressed.
> > >
> > > FWIW the call trace at the URL above is:
> > >
> > > Call Trace:
> > > kvmalloc include/linux/mm.h:806 [inline]
> > > kvmalloc_array include/linux/mm.h:824 [inline]
> > > kvcalloc include/linux/mm.h:829 [inline]
> > > xdp_umem_pin_pages net/xdp/xdp_umem.c:102 [inline]
> > > xdp_umem_reg net/xdp/xdp_umem.c:219 [inline]
> > > xdp_umem_create+0x6a5/0xf00 net/xdp/xdp_umem.c:252
> > > xsk_setsockopt+0x604/0x790 net/xdp/xsk.c:1068
> > > __sys_setsockopt+0x1fd/0x4e0 net/socket.c:2176
> > > __do_sys_setsockopt net/socket.c:2187 [inline]
> > > __se_sys_setsockopt net/socket.c:2184 [inline]
> > > __x64_sys_setsockopt+0xb5/0x150 net/socket.c:2184
> > > do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> > > do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> > > entry_SYSCALL_64_after_hwframe+0x44/0xae
> > >
> > > and the meaningful part of the repro is:
> > >
> > > syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
> > > syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
> > > syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
> > > intptr_t res = 0;
> > > res = syscall(__NR_socket, 0x2cul, 3ul, 0);
> > > if (res != -1)
> > > r[0] = res;
> > > *(uint64_t*)0x20000080 = 0;
> > > *(uint64_t*)0x20000088 = 0xfff02000000;
> > > *(uint32_t*)0x20000090 = 0x800;
> > > *(uint32_t*)0x20000094 = 0;
> > > *(uint32_t*)0x20000098 = 0;
> > > syscall(__NR_setsockopt, r[0], 0x11b, 4, 0x20000080ul, 0x20ul);
> >
> > Bjorn had a comment back then when the issue was first raised here:
> >
> > https://lore.kernel.org/bpf/3f854ca9-f5d6-4065-c7b1-5e5b25ea742f@iogearbox.net/
> >
> > There was earlier discussion from Andrew to potentially retire the warning:
> >
> > https://lore.kernel.org/bpf/20211201202905.b9892171e3f5b9a60f9da251@linux-foundation.org/
> >
> > Bjorn / Magnus / Andrew, anyone planning to follow-up on this issue?
> >
>
> Honestly, I would need some guidance on how to progress. I could just
> change from U32_MAX to INT_MAX
It would have to be lower than that. The limit is on "npgs" but we are
allocating npgs * sizeof(struct page *) so it would have to:
if (npgs > INT_MAX / sizeof(void *))
return -EINVAL;
Is it normally going to huge? You could call vmalloc() instead of
kvmalloc().
When Linus added the WARN_ON() for huge kvmalloc sizes, it was as a
reaction to a security bug where the size which was more than UINT_MAX
but not everything was prepared to handle ulong sizes. He wanted
people who allocated large amounts of RAM to do it in a deliberate way
instead of by accident.
regards,
dan carpenter
next prev parent reply other threads:[~2022-02-10 17:46 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-06 10:55 [syzbot] WARNING: kmalloc bug in xdp_umem_create (2) syzbot
2021-12-07 8:49 ` Björn Töpel
2021-12-07 9:19 ` Daniel Borkmann
2022-02-10 2:59 ` syzbot
2022-02-10 6:08 ` syzbot
2022-02-10 8:11 ` Willy Tarreau
2022-02-10 8:35 ` Daniel Borkmann
2022-02-10 16:18 ` Björn Töpel
2022-02-10 17:45 ` Dan Carpenter [this message]
2022-02-10 17:56 ` Dan Carpenter
2022-02-10 18:04 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220210174507.GK1951@kadam \
--to=dan.carpenter@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bjorn.topel@gmail.com \
--cc=bjorn.topel@intel.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=fgheet255t@gmail.com \
--cc=hawk@kernel.org \
--cc=john.fastabend@gmail.com \
--cc=jonathan.lemon@gmail.com \
--cc=kafai@fb.com \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=magnus.karlsson@intel.com \
--cc=mudongliangabcd@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=songliubraving@fb.com \
--cc=syzbot+11421fbbff99b989670e@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=torvalds@linux-foundation.org \
--cc=w@1wt.eu \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.