Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/xdp: fix zero-size allocation warning in xskq_create() #5759

Closed
wants to merge 1 commit into from
Closed

net/xdp: fix zero-size allocation warning in xskq_create() #5759

wants to merge 1 commit into from

Conversation

kernel-patches-daemon-bpf[bot]
Copy link

Pull request for series with
subject: net/xdp: fix zero-size allocation warning in xskq_create()
version: 2
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=789417

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: 2147c8d
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=789417
version: 2

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: 93fb277
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=789417
version: 2

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: cbcb199
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=789417
version: 2

@kernel-patches-daemon-bpf
Copy link
Author

Upstream branch: 3157b7c
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=789417
version: 2

@kanner
net/xdp: fix zero-size allocation warning in xskq_create()
6fd277a 
Syzkaller reported the following issue:
 ------------[ cut here ]------------
 WARNING: CPU: 0 PID: 2807 at mm/vmalloc.c:3247 __vmalloc_node_range (mm/vmalloc.c:3361)
 Modules linked in:
 CPU: 0 PID: 2807 Comm: repro Not tainted 6.6.0-rc2+ #12
 Hardware name: Generic DT based system
 unwind_backtrace from show_stack (arch/arm/kernel/traps.c:258)
 show_stack from dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
 dump_stack_lvl from __warn (kernel/panic.c:633 kernel/panic.c:680)
 __warn from warn_slowpath_fmt (./include/linux/context_tracking.h:153 kernel/panic.c:700)
 warn_slowpath_fmt from __vmalloc_node_range (mm/vmalloc.c:3361 (discriminator 3))
 __vmalloc_node_range from vmalloc_user (mm/vmalloc.c:3478)
 vmalloc_user from xskq_create (net/xdp/xsk_queue.c:40)
 xskq_create from xsk_setsockopt (net/xdp/xsk.c:953 net/xdp/xsk.c:1286)
 xsk_setsockopt from __sys_setsockopt (net/socket.c:2308)
 __sys_setsockopt from ret_fast_syscall (arch/arm/kernel/entry-common.S:68)

xskq_get_ring_size() uses struct_size() macro to safely calculate the
size of struct xsk_queue and q->nentries of desc members. But the
syzkaller repro was able to set q->nentries with the value initially
taken from copy_from_sockptr() high enough to return SIZE_MAX by
struct_size(). The next PAGE_ALIGN(size) is such case will overflow
the size_t value and set it to 0. This will trigger WARN_ON_ONCE in
vmalloc_user() -> __vmalloc_node_range().

The issue is reproducible on 32-bit arm kernel.

Reported-and-tested-by: syzbot+fae676d3cf469331fc89@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000c84b4705fb31741e@google.com/T/
Link: https://syzkaller.appspot.com/bug?extid=fae676d3cf469331fc89
Fixes: 9f78bf3 ("xsk: support use vaddr as ring")
Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com>
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
@kernel-patches-daemon-bpf
Copy link
Author

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=789417 expired. Closing PR.

@kernel-patches-daemon-bpf kernel-patches-daemon-bpf bot deleted the series/789417=>bpf-next branch October 7, 2023 05:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bpf-next changes-requested V2-ci-pass V2
Projects
None yet
Milestone
No milestone
1 participant
@kanner