net/xdp: fix zero-size allocation warning in xskq_create() #5759
Syzkaller reported the following issue:

  ------------[ cut here ]------------
  WARNING: CPU: 0 PID: 2807 at mm/vmalloc.c:3247 __vmalloc_node_range (mm/vmalloc.c:3361)
  Modules linked in:
  CPU: 0 PID: 2807 Comm: repro Not tainted 6.6.0-rc2+ #12
  Hardware name: Generic DT based system
  unwind_backtrace from show_stack (arch/arm/kernel/traps.c:258)
  show_stack from dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
  dump_stack_lvl from __warn (kernel/panic.c:633 kernel/panic.c:680)
  __warn from warn_slowpath_fmt (./include/linux/context_tracking.h:153 kernel/panic.c:700)
  warn_slowpath_fmt from __vmalloc_node_range (mm/vmalloc.c:3361 (discriminator 3))
  __vmalloc_node_range from vmalloc_user (mm/vmalloc.c:3478)
  vmalloc_user from xskq_create (net/xdp/xsk_queue.c:40)
  xskq_create from xsk_setsockopt (net/xdp/xsk.c:953 net/xdp/xsk.c:1286)
  xsk_setsockopt from __sys_setsockopt (net/socket.c:2308)
  __sys_setsockopt from ret_fast_syscall (arch/arm/kernel/entry-common.S:68)

xskq_get_ring_size() uses struct_size() macro to safely calculate the size of struct xsk_queue and q->nentries of desc members. But the syzkaller repro was able to set q->nentries with the value initially taken from copy_from_sockptr() high enough to return SIZE_MAX by struct_size(). The next PAGE_ALIGN(size) in such case will overflow the size_t value and set it to 0. This will trigger WARN_ON_ONCE in vmalloc_user() -> __vmalloc_node_range().

The issue is reproducible on 32-bit arm kernel.

Reported-and-tested-by: syzbot+fae676d3cf469331fc89@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000c84b4705fb31741e@google.com/T/
Link: https://syzkaller.appspot.com/bug?extid=fae676d3cf469331fc89
Fixes: 9f78bf3 ("xsk: support use vaddr as ring")
Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com>
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
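The arithmetic described in the commit message above, modelled in user space as an added example (not code from the patch or the kernel). Assumptions: `uint32_t` stands in for the 32-bit `size_t`, the 64-byte ring header is a constructed value, and the `SIZE_MAX` check in the hypothetical `ring_bytes_checked()` is one way to guard the path, not necessarily the one the patch takes.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit kernel, where size_t is 32 bits wide. */
typedef uint32_t size32_t;
#define SIZE32_MAX  UINT32_MAX
#define PAGE_SIZE32 4096u
#define RING_HDR    64u  /* assumed header size, constructed for this model */
#define DESC_SIZE   16u  /* struct xdp_desc: u64 addr, u32 len, u32 options */

/* Saturating hdr + n * elem, the behaviour struct_size() provides. */
static size32_t struct_size32(size32_t hdr, size32_t elem, size32_t n)
{
    uint64_t total = (uint64_t)hdr + (uint64_t)elem * n;
    return total > SIZE32_MAX ? SIZE32_MAX : (size32_t)total;
}

/* PAGE_ALIGN() rounds up with plain modular arithmetic, so it can wrap. */
static size32_t page_align32(size32_t size)
{
    return (size + PAGE_SIZE32 - 1) & ~(PAGE_SIZE32 - 1);
}

/* Unchecked path: the saturated value is aligned, then used as the size. */
static size32_t ring_bytes_unchecked(size32_t nentries)
{
    return page_align32(struct_size32(RING_HDR, DESC_SIZE, nentries));
}

/* Guarded path: reject the saturation marker before aligning.
 * Assumes power-of-two entry counts, so no unsaturated size lands within
 * a page of the maximum. Returns 0 and stores the size, or -1 on overflow. */
static int ring_bytes_checked(size32_t nentries, size32_t *out)
{
    size32_t size = struct_size32(RING_HDR, DESC_SIZE, nentries);
    if (size == SIZE32_MAX)
        return -1;
    *out = page_align32(size);
    return 0;
}

int main(void)
{
    size32_t out = 0, big = 1u << 28;  /* constructed entry count */
    printf("unchecked(2048) = %u\n", (unsigned)ring_bytes_unchecked(2048));
    printf("unchecked(2^28) = %u\n", (unsigned)ring_bytes_unchecked(big));
    printf("checked(2^28)   = %d\n", ring_bytes_checked(big, &out));
    return 0;
}
```

A zero result from the unchecked path is the value that reaches the allocator and trips the warning in the trace.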
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=789417 expired. Closing PR.
Pull request for series with
subject: net/xdp: fix zero-size allocation warning in xskq_create()
version: 2
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=789417