On Wed, Feb 7, 2018 at 12:21 AM, Andrew Morton <a...@linux-foundation.org> wrote:
> On Tue, 06 Feb 2018 14:58:02 -0800 syzbot
> <syzbot+7525b19f9531f76b8...@syzkaller.appspotmail.com> wrote:
>
>> Hello,
>>
>> syzbot hit the following crash on upstream commit
>> e237f98a9c134c3d600353f21e07db915516875b (Mon Feb 5 21:35:56 2018 +0000)
>> Merge tag 'xfs-4.16-merge-5' of
>> git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
>>
>> C reproducer is attached.
>> syzkaller reproducer is attached.
>> Raw console output is attached.
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached.
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+7525b19f9531f76b8...@syzkaller.appspotmail.com
>> It will help syzbot understand when the bug is fixed. See footer for
>> details.
>> If you forward the report, please keep this part and the footer.
>>
>> audit: type=1400 audit(1517939984.452:7): avc: denied { map } for
>> pid=4159 comm="syzkaller032522" path="/root/syzkaller032522586" dev="sda1"
>> ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
>> WARNING: CPU: 0 PID: 4159 at mm/slab_common.c:1012 kmalloc_slab+0x5d/0x70
>> mm/slab_common.c:1012
>> Kernel panic - not syncing: panic_on_warn set ...
>
>
> David sent a fix today which I believe will address this.
Thanks Let's tell syzbot about the fix: #syz fix: kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE > From: David Rientjes <rient...@google.com> > Subject: kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE > > chan->n_subbufs is set by the user and relay_create_buf() does a kmalloc() > of chan->n_subbufs * sizeof(size_t *). > > kmalloc_slab() will generate a warning when this fails if > chan->subbufs * sizeof(size_t *) > KMALLOC_MAX_SIZE. > > Limit chan->n_subbufs to the maximum allowed kmalloc() size. > > Link: > http://lkml.kernel.org/r/alpine.deb.2.10.1802061216100.122...@chino.kir.corp.google.com > Fixes: f6302f1bcd75 ("relay: prevent integer overflow in relay_open()") > Signed-off-by: David Rientjes <rient...@google.com> > Reviewed-by: Andrew Morton <a...@linux-foundation.org> > Cc: Jens Axboe <ax...@kernel.dk> > Cc: Dave Jiang <dave.ji...@intel.com> > Cc: Al Viro <v...@zeniv.linux.org.uk> > Cc: Dan Carpenter <dan.carpen...@oracle.com> > Signed-off-by: Andrew Morton <a...@linux-foundation.org> > --- > > kernel/relay.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff -puN kernel/relay.c~kernel-relay-limit-kmalloc-size-to-kmalloc_max_size > kernel/relay.c > --- a/kernel/relay.c~kernel-relay-limit-kmalloc-size-to-kmalloc_max_size > +++ a/kernel/relay.c > @@ -163,7 +163,7 @@ static struct rchan_buf *relay_create_bu > { > struct rchan_buf *buf; > > - if (chan->n_subbufs > UINT_MAX / sizeof(size_t *)) > + if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *)) > return NULL; > > buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
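Review bot: the tightened bound in relay_create_buf() (`chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *)`) matches the allocation the commit message describes, `chan->n_subbufs * sizeof(size_t *)`, so a user-supplied n_subbufs can no longer reach kmalloc_slab() with a size above KMALLOC_MAX_SIZE, which is the WARN at mm/slab_common.c:1012 that panic_on_warn turned into the reported crash; bounding the user-controlled value up front is preferable to suppressing the warning on the allocation. One documentation nit before merging: the commit message says `chan->subbufs * sizeof(size_t *)` where it means `chan->n_subbufs`. The early `return NULL` path itself is unchanged from the previous UINT_MAX check, so the caller's error handling for a NULL buffer is unaffected by this hunk.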