From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com,
syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com,
syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com,
syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com,
Daniel Axtens <dja@axtens.net>,
Andrew Morton <akpm@linux-foundation.org>,
Michael Ellerman <mpe@ellerman.id.au>,
Andrew Donnellan <ajd@linux.ibm.com>,
David Rientjes <rientjes@google.com>,
Akash Goel <akash.goel@intel.com>,
Guenter Roeck <linux@roeck-us.net>,
Salvatore Bonaccorso <carnil@debian.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.9 16/42] kernel/relay.c: handle alloc_percpu returning NULL in relay_open
Date: Tue, 9 Jun 2020 19:44:22 +0200 [thread overview]
Message-ID: <20200609174017.236710601@linuxfoundation.org> (raw)
In-Reply-To: <20200609174015.379493548@linuxfoundation.org>
From: Daniel Axtens <dja@axtens.net>
commit 54e200ab40fc14c863bcc80a51e20b7906608fce upstream.
alloc_percpu() may return NULL, which means chan->buf may be set to NULL.
In that case, when we do *per_cpu_ptr(chan->buf, ...), we dereference an
invalid pointer:
BUG: Unable to handle kernel data access at 0x7dae0000
Faulting instruction address: 0xc0000000003f3fec
...
NIP relay_open+0x29c/0x600
LR relay_open+0x270/0x600
Call Trace:
relay_open+0x264/0x600 (unreliable)
__blk_trace_setup+0x254/0x600
blk_trace_setup+0x68/0xa0
sg_ioctl+0x7bc/0x2e80
do_vfs_ioctl+0x13c/0x1300
ksys_ioctl+0x94/0x130
sys_ioctl+0x48/0xb0
system_call+0x5c/0x68
Check if alloc_percpu returns NULL.
This was found by syzkaller both on x86 and powerpc, and the reproducer
it found on powerpc is capable of hitting the issue as an unprivileged
user.
Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers")
Reported-by: syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com
Reported-by: syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com
Reported-by: syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com
Reported-by: syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Michael Ellerman <mpe@ellerman.id.au>
Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
Acked-by: David Rientjes <rientjes@google.com>
Cc: Akash Goel <akash.goel@intel.com>
Cc: Andrew Donnellan <ajd@linux.ibm.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Cc: Salvatore Bonaccorso <carnil@debian.org>
Cc: <stable@vger.kernel.org> [4.10+]
Link: http://lkml.kernel.org/r/20191219121256.26480-1-dja@axtens.net
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/relay.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/kernel/relay.c
+++ b/kernel/relay.c
@@ -578,6 +578,11 @@ struct rchan *relay_open(const char *bas
return NULL;
chan->buf = alloc_percpu(struct rchan_buf *);
+ if (!chan->buf) {
+ kfree(chan);
+ return NULL;
+ }
+
chan->version = RELAYFS_CHANNEL_VERSION;
chan->n_subbufs = n_subbufs;
chan->subbuf_size = subbuf_size;
next prev parent reply other threads:[~2020-06-09 17:47 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-09 17:44 [PATCH 4.9 00/42] 4.9.227-rc1 review Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 01/42] scsi: scsi_devinfo: fixup string compare Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 02/42] usb: gadget: f_uac2: fix error handling in afunc_bind (again) Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 03/42] esp6: fix memleak on error path in esp6_input Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 04/42] spi: dw: use "smp_mb()" to avoid sending spi data error Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 05/42] s390/ftrace: save traced function caller Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 06/42] ARC: Fix ICCM & DCCM runtime size checks Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 07/42] x86/mmiotrace: Use cpumask_available() for cpumask_var_t variables Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 08/42] net: bmac: Fix read of MAC address from ROM Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 09/42] net/ethernet/freescale: rework quiesce/activate for ucc_geth Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 10/42] net: ethernet: stmmac: Enable interface clocks on probe for IPQ806x Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 11/42] net: smsc911x: Fix runtime PM imbalance on error Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 12/42] pppoe: only process PADT targeted at local interfaces Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 13/42] mm: Fix mremap not considering huge pmd devmap Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 14/42] HID: i2c-hid: add Schneider SCL142ALM to descriptor override Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 15/42] p54usb: add AirVasT USB stick device-id Greg Kroah-Hartman
2020-06-09 17:44 ` Greg Kroah-Hartman [this message]
2020-06-09 17:44 ` [PATCH 4.9 17/42] mmc: fix compilation of user API Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 18/42] slcan: Fix double-free on slcan_open() error path Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 19/42] slip: not call free_netdev before rtnl_unlock in slip_open Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 20/42] scsi: ufs: Release clock if DMA map fails Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 21/42] airo: Fix read overflows sending packets Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 22/42] devinet: fix memleak in inetdev_init() Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 23/42] l2tp: do not use inet_hash()/inet_unhash() Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 24/42] net: usb: qmi_wwan: add Telit LE910C1-EUX composition Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 25/42] NFC: st21nfca: add missed kfree_skb() in an error path Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 26/42] vsock: fix timeout in vsock_accept() Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 27/42] l2tp: add sk_family checks to l2tp_validate_socket Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 28/42] USB: serial: qcserial: add DW5816e QDL support Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 29/42] USB: serial: usb_wwan: do not resubmit rx urb on fatal errors Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 30/42] USB: serial: option: add Telit LE910C1-EUX compositions Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 31/42] usb: musb: Fix runtime PM imbalance on error Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 32/42] vt: keyboard: avoid signed integer overflow in k_ascii Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 33/42] tty: hvc_console, fix crashes on parallel open/close Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 34/42] staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 35/42] nvmem: qfprom: remove incorrect write support Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 36/42] x86/cpu: Add a steppings field to struct x86_cpu_id Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 37/42] x86/cpu: Add table argument to cpu_matches() Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 38/42] x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 39/42] x86/speculation: Add SRBDS vulnerability and mitigation documentation Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 40/42] x86/speculation: Add Ivy Bridge to affected list Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 41/42] iio: vcnl4000: Fix i2c swapped word reading Greg Kroah-Hartman
2020-06-09 17:44 ` [PATCH 4.9 42/42] uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200609174017.236710601@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ajd@linux.ibm.com \
--cc=akash.goel@intel.com \
--cc=akpm@linux-foundation.org \
--cc=carnil@debian.org \
--cc=dja@axtens.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=mpe@ellerman.id.au \
--cc=rientjes@google.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com \
--cc=syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com \
--cc=syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com \
--cc=syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).