WARNING: kmalloc bug in memdup_user (3)

2018-05-16 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:c5c7d7f3c451 Merge branch 'bpf-sock-hashmap'
git tree:   bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1626ae3780
kernel config:  https://syzkaller.appspot.com/x/.config?x=10c4dc62055b68f5
dashboard link: https://syzkaller.appspot.com/bug?extid=0f92a17b0706231d0a09
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=126a519780
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1598c47780

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0f92a17b0706231d0...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
WARNING: CPU: 0 PID: 4531 at mm/slab_common.c:996 kmalloc_slab+0x56/0x70  
mm/slab_common.c:996

Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 4531 Comm: syz-executor594 Not tainted 4.17.0-rc3+ #9
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 panic+0x22f/0x4de kernel/panic.c:184
 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:kmalloc_slab+0x56/0x70 mm/slab_common.c:996
RSP: 0018:8801ad4b7c48 EFLAGS: 00010246
RAX:  RBX: fff4 RCX: 8185e678
RDX: 8185e6eb RSI:  RDI: fffd
RBP: 8801ad4b7c48 R08: 8801adb3e2c0 R09: ed0035ba1f08
R10: ed0035ba1f08 R11: 8801add0f843 R12: fffd
R13: 2240 R14:  R15: 014200c0
 __do_kmalloc mm/slab.c:3713 [inline]
 __kmalloc_track_caller+0x21/0x760 mm/slab.c:3733
 memdup_user+0x2c/0xa0 mm/util.c:160
 map_delete_elem+0x21b/0x4e0 kernel/bpf/syscall.c:796
 __do_sys_bpf kernel/bpf/syscall.c:2128 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2096 [inline]
 __x64_sys_bpf+0x33f/0x4f0 kernel/bpf/syscall.c:2096
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fd89
RSP: 002b:7ffe3ad9ad78 EFLAGS: 0213 ORIG_RAX: 0141
RAX: ffda RBX: 004002c8 RCX: 0043fd89
RDX: 0010 RSI: 2000 RDI: 0003
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0213 R12: 004016b0
R13: 00401740 R14:  R15: 
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.

syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


Re: WARNING: kmalloc bug in memdup_user

2018-03-07 Thread Dmitry Vyukov
On Wed, Mar 7, 2018 at 1:02 PM, Leon Romanovsky  wrote:
> On Wed, Mar 07, 2018 at 09:44:23AM +0100, Dmitry Vyukov wrote:
>> On Wed, Mar 7, 2018 at 8:23 AM, Leon Romanovsky  wrote:
>> > On Tue, Mar 06, 2018 at 10:59:02PM -0800, syzbot wrote:
>> >> Hello,
>> >>
>> >> syzbot hit the following crash on upstream commit
>> >> ce380619fab99036f5e745c7a865b21c59f005f6 (Tue Mar 6 04:31:14 2018 +)
>> >> Merge tag 'please-pull-ia64_misc' of
>> >> git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux
>> >>
>> >> So far this crash happened 52 times on upstream.
>> >> C reproducer is attached.
>> >> syzkaller reproducer is attached.
>> >> Raw console output is attached.
>> >> compiler: gcc (GCC) 7.1.1 20170620
>> >> .config is attached.
>> >>
>> >> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> >> Reported-by: syzbot+a38b0e9f694c379ca...@syzkaller.appspotmail.com
>> >> It will help syzbot understand when the bug is fixed. See footer for
>> >> details.
>> >> If you forward the report, please keep this part and the footer.
>> >>
>> >> audit: type=1400 audit(1520367364.281:6): avc:  denied  { map } for
>> >> pid=4138 comm="bash" path="/bin/bash" dev="sda1" ino=1457
>> >> scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
>> >> tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
>> >> audit: type=1400 audit(1520367370.605:7): avc:  denied  { map } for
>> >> pid=4152 comm="syzkaller100190" path="/root/syzkaller100190328" dev="sda1"
>> >> ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
>> >> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
>> >> WARNING: CPU: 0 PID: 4152 at mm/slab_common.c:1012 kmalloc_slab+0x5d/0x70
>> >> mm/slab_common.c:1012
>> >> Kernel panic - not syncing: panic_on_warn set ...
>> >>
>> >> CPU: 0 PID: 4152 Comm: syzkaller100190 Not tainted 4.16.0-rc4+ #343
>> >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> >> Google 01/01/2011
>> >> Call Trace:
>> >>  __dump_stack lib/dump_stack.c:17 [inline]
>> >>  dump_stack+0x194/0x24d lib/dump_stack.c:53
>> >>  panic+0x1e4/0x41c kernel/panic.c:183
>> >>  __warn+0x1dc/0x200 kernel/panic.c:547
>> >>  report_bug+0x211/0x2d0 lib/bug.c:184
>> >>  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
>> >>  fixup_bug arch/x86/kernel/traps.c:247 [inline]
>> >>  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
>> >>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
>> >>  invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
>> >> RIP: 0010:kmalloc_slab+0x5d/0x70 mm/slab_common.c:1012
>> >> RSP: 0018:8801bf76f970 EFLAGS: 00010246
>> >> RAX:  RBX: fff4 RCX: 819733cb
>> >> RDX: 8423372f RSI:  RDI: 3efef4b4
>> >> RBP: 8801bf76f970 R08:  R09: 
>> >> R10: 88613380 R11:  R12: 3efef4b4
>> >> R13: 2080 R14: 014200c0 R15: 8801bf76fa68
>> >>  __do_kmalloc mm/slab.c:3700 [inline]
>> >>  __kmalloc_track_caller+0x21/0x760 mm/slab.c:3720
>> >>  memdup_user+0x2c/0x90 mm/util.c:160
>> >>  ucma_set_option+0x11f/0x4d0 drivers/infiniband/core/ucma.c:1297
>> >>  ucma_write+0x2d6/0x3d0 drivers/infiniband/core/ucma.c:1627
>> >>  __vfs_write+0xef/0x970 fs/read_write.c:480
>> >>  vfs_write+0x189/0x510 fs/read_write.c:544
>> >>  SYSC_write fs/read_write.c:589 [inline]
>> >>  SyS_write+0xef/0x220 fs/read_write.c:581
>> >>  do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
>> >>  entry_SYSCALL_64_after_hwframe+0x42/0xb7
>> >> RIP: 0033:0x43fe69
>> >> RSP: 002b:7ffe099a6388 EFLAGS: 0217 ORIG_RAX: 0001
>> >> RAX: ffda RBX: 004002c8 RCX: 0043fe69
>> >> RDX: 006b RSI: 20c0 RDI: 0003
>> >> RBP: 006ca018 R08: 004002c8 R09: 004002c8
>> >> R10: 004002c8 R11: 0217 R12: 00401790
>> >> R13: 00401820 R14:  R15: 
>> >> Dumping ftrace buffer:
>> >>(ftrace buffer empty)
>> >> Kernel Offset: disabled
>> >> Rebooting in 86400 seconds..
>> >
>> > I'm surprised that it surfaced only now.
>> > It is a clear bug, user's input wasn't checked.
>>
>>
>> This is very simple. syzkaller did not test rdma_cm before.
>
> :), Dmitry, this complaint was addressed to my RDMA colleagues and not to you.

I just wanted to attract your and your colleagues attention to the
fact that this part is not well tested, and probably other parts
around. And that there is an efficient instrument to test kernel code
-- syzkaller -- but it needs your help to do it.

>> Just yesterday I added descriptions for /dev/infiniband/rdma_cm API:
>> https://github.com/google/syzkaller/blob/master/sys/linux/rdma_cm.txt
>> This gave me ~10 different crashes immediately, but syzkaller wasn't
>> able to progress too far because for now all VMs crash on these
>> previous bugs within seconds.
>
> Expec

Re: WARNING: kmalloc bug in memdup_user

2018-03-07 Thread Leon Romanovsky
On Wed, Mar 07, 2018 at 09:44:23AM +0100, Dmitry Vyukov wrote:
> On Wed, Mar 7, 2018 at 8:23 AM, Leon Romanovsky  wrote:
> > On Tue, Mar 06, 2018 at 10:59:02PM -0800, syzbot wrote:
> >> Hello,
> >>
> >> syzbot hit the following crash on upstream commit
> >> ce380619fab99036f5e745c7a865b21c59f005f6 (Tue Mar 6 04:31:14 2018 +)
> >> Merge tag 'please-pull-ia64_misc' of
> >> git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux
> >>
> >> So far this crash happened 52 times on upstream.
> >> C reproducer is attached.
> >> syzkaller reproducer is attached.
> >> Raw console output is attached.
> >> compiler: gcc (GCC) 7.1.1 20170620
> >> .config is attached.
> >>
> >> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >> Reported-by: syzbot+a38b0e9f694c379ca...@syzkaller.appspotmail.com
> >> It will help syzbot understand when the bug is fixed. See footer for
> >> details.
> >> If you forward the report, please keep this part and the footer.
> >>
> >> audit: type=1400 audit(1520367364.281:6): avc:  denied  { map } for
> >> pid=4138 comm="bash" path="/bin/bash" dev="sda1" ino=1457
> >> scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
> >> tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
> >> audit: type=1400 audit(1520367370.605:7): avc:  denied  { map } for
> >> pid=4152 comm="syzkaller100190" path="/root/syzkaller100190328" dev="sda1"
> >> ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
> >> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
> >> WARNING: CPU: 0 PID: 4152 at mm/slab_common.c:1012 kmalloc_slab+0x5d/0x70
> >> mm/slab_common.c:1012
> >> Kernel panic - not syncing: panic_on_warn set ...
> >>
> >> CPU: 0 PID: 4152 Comm: syzkaller100190 Not tainted 4.16.0-rc4+ #343
> >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> >> Google 01/01/2011
> >> Call Trace:
> >>  __dump_stack lib/dump_stack.c:17 [inline]
> >>  dump_stack+0x194/0x24d lib/dump_stack.c:53
> >>  panic+0x1e4/0x41c kernel/panic.c:183
> >>  __warn+0x1dc/0x200 kernel/panic.c:547
> >>  report_bug+0x211/0x2d0 lib/bug.c:184
> >>  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
> >>  fixup_bug arch/x86/kernel/traps.c:247 [inline]
> >>  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
> >>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
> >>  invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
> >> RIP: 0010:kmalloc_slab+0x5d/0x70 mm/slab_common.c:1012
> >> RSP: 0018:8801bf76f970 EFLAGS: 00010246
> >> RAX:  RBX: fff4 RCX: 819733cb
> >> RDX: 8423372f RSI:  RDI: 3efef4b4
> >> RBP: 8801bf76f970 R08:  R09: 
> >> R10: 88613380 R11:  R12: 3efef4b4
> >> R13: 2080 R14: 014200c0 R15: 8801bf76fa68
> >>  __do_kmalloc mm/slab.c:3700 [inline]
> >>  __kmalloc_track_caller+0x21/0x760 mm/slab.c:3720
> >>  memdup_user+0x2c/0x90 mm/util.c:160
> >>  ucma_set_option+0x11f/0x4d0 drivers/infiniband/core/ucma.c:1297
> >>  ucma_write+0x2d6/0x3d0 drivers/infiniband/core/ucma.c:1627
> >>  __vfs_write+0xef/0x970 fs/read_write.c:480
> >>  vfs_write+0x189/0x510 fs/read_write.c:544
> >>  SYSC_write fs/read_write.c:589 [inline]
> >>  SyS_write+0xef/0x220 fs/read_write.c:581
> >>  do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
> >>  entry_SYSCALL_64_after_hwframe+0x42/0xb7
> >> RIP: 0033:0x43fe69
> >> RSP: 002b:7ffe099a6388 EFLAGS: 0217 ORIG_RAX: 0001
> >> RAX: ffda RBX: 004002c8 RCX: 0043fe69
> >> RDX: 006b RSI: 20c0 RDI: 0003
> >> RBP: 006ca018 R08: 004002c8 R09: 004002c8
> >> R10: 004002c8 R11: 0217 R12: 00401790
> >> R13: 00401820 R14:  R15: 
> >> Dumping ftrace buffer:
> >>(ftrace buffer empty)
> >> Kernel Offset: disabled
> >> Rebooting in 86400 seconds..
> >
> > I'm surprised that it surfaced only now.
> > It is a clear bug, user's input wasn't checked.
>
>
> This is very simple. syzkaller did not test rdma_cm before.

:), Dmitry, this complaint was addressed to my RDMA colleagues and not to you.

> Just yesterday I added descriptions for /dev/infiniband/rdma_cm API:
> https://github.com/google/syzkaller/blob/master/sys/linux/rdma_cm.txt
> This gave me ~10 different crashes immediately, but syzkaller wasn't
> able to progress too far because for now all VMs crash on these
> previous bugs within seconds.

Expected, we had similar thing with /dev/infiniband/uverbs.
See all my latest patches to RDMA with fixes.

>
> I am pretty sure syzkaller still does not test lots of other
> rdma-related things, but there is no reason to believe that they
> contain fewer bugs (like these easily exploitable bugs on
> world-writable device).

Right

> In order to teach syzkaller to test other rdma stuff one needs to add
> de

Re: WARNING: kmalloc bug in memdup_user

2018-03-07 Thread Dmitry Vyukov
On Wed, Mar 7, 2018 at 8:23 AM, Leon Romanovsky  wrote:
> On Tue, Mar 06, 2018 at 10:59:02PM -0800, syzbot wrote:
>> Hello,
>>
>> syzbot hit the following crash on upstream commit
>> ce380619fab99036f5e745c7a865b21c59f005f6 (Tue Mar 6 04:31:14 2018 +)
>> Merge tag 'please-pull-ia64_misc' of
>> git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux
>>
>> So far this crash happened 52 times on upstream.
>> C reproducer is attached.
>> syzkaller reproducer is attached.
>> Raw console output is attached.
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached.
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+a38b0e9f694c379ca...@syzkaller.appspotmail.com
>> It will help syzbot understand when the bug is fixed. See footer for
>> details.
>> If you forward the report, please keep this part and the footer.
>>
>> audit: type=1400 audit(1520367364.281:6): avc:  denied  { map } for
>> pid=4138 comm="bash" path="/bin/bash" dev="sda1" ino=1457
>> scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
>> audit: type=1400 audit(1520367370.605:7): avc:  denied  { map } for
>> pid=4152 comm="syzkaller100190" path="/root/syzkaller100190328" dev="sda1"
>> ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
>> WARNING: CPU: 0 PID: 4152 at mm/slab_common.c:1012 kmalloc_slab+0x5d/0x70
>> mm/slab_common.c:1012
>> Kernel panic - not syncing: panic_on_warn set ...
>>
>> CPU: 0 PID: 4152 Comm: syzkaller100190 Not tainted 4.16.0-rc4+ #343
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> Google 01/01/2011
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:17 [inline]
>>  dump_stack+0x194/0x24d lib/dump_stack.c:53
>>  panic+0x1e4/0x41c kernel/panic.c:183
>>  __warn+0x1dc/0x200 kernel/panic.c:547
>>  report_bug+0x211/0x2d0 lib/bug.c:184
>>  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
>>  fixup_bug arch/x86/kernel/traps.c:247 [inline]
>>  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
>>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
>>  invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
>> RIP: 0010:kmalloc_slab+0x5d/0x70 mm/slab_common.c:1012
>> RSP: 0018:8801bf76f970 EFLAGS: 00010246
>> RAX:  RBX: fff4 RCX: 819733cb
>> RDX: 8423372f RSI:  RDI: 3efef4b4
>> RBP: 8801bf76f970 R08:  R09: 
>> R10: 88613380 R11:  R12: 3efef4b4
>> R13: 2080 R14: 014200c0 R15: 8801bf76fa68
>>  __do_kmalloc mm/slab.c:3700 [inline]
>>  __kmalloc_track_caller+0x21/0x760 mm/slab.c:3720
>>  memdup_user+0x2c/0x90 mm/util.c:160
>>  ucma_set_option+0x11f/0x4d0 drivers/infiniband/core/ucma.c:1297
>>  ucma_write+0x2d6/0x3d0 drivers/infiniband/core/ucma.c:1627
>>  __vfs_write+0xef/0x970 fs/read_write.c:480
>>  vfs_write+0x189/0x510 fs/read_write.c:544
>>  SYSC_write fs/read_write.c:589 [inline]
>>  SyS_write+0xef/0x220 fs/read_write.c:581
>>  do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
>>  entry_SYSCALL_64_after_hwframe+0x42/0xb7
>> RIP: 0033:0x43fe69
>> RSP: 002b:7ffe099a6388 EFLAGS: 0217 ORIG_RAX: 0001
>> RAX: ffda RBX: 004002c8 RCX: 0043fe69
>> RDX: 006b RSI: 20c0 RDI: 0003
>> RBP: 006ca018 R08: 004002c8 R09: 004002c8
>> R10: 004002c8 R11: 0217 R12: 00401790
>> R13: 00401820 R14:  R15: 
>> Dumping ftrace buffer:
>>(ftrace buffer empty)
>> Kernel Offset: disabled
>> Rebooting in 86400 seconds..
>
> I'm surprised that it surfaced only now.
> It is a clear bug, user's input wasn't checked.


This is very simple. syzkaller did not test rdma_cm before. Just
yesterday I added descriptions for /dev/infiniband/rdma_cm API:
https://github.com/google/syzkaller/blob/master/sys/linux/rdma_cm.txt
This gave me ~10 different crashes immediately, but syzkaller wasn't
able to progress too far because for now all VMs crash on these
previous bugs within seconds.

I am pretty sure syzkaller still does not test lots of other
rdma-related things, but there is no reason to believe that they
contain fewer bugs (like these easily exploitable bugs on
world-writable device).
In order to teach syzkaller to test other rdma stuff one needs to add
descriptions similar to the one above.


> But it is not clear to me why optval wasn't declared as u64.

After deciphering the API (headers and sources really) I came to
conclusion that this is a pointer declared as u64 so that compat
interface is not different from normal one.

This API deciphering is hard for somebody who has absolutely no idea
what's rdma whatsoever. So syzkaller descriptions not written by you
(rdma developers) tend to be l

Re: WARNING: kmalloc bug in memdup_user

2018-03-06 Thread Leon Romanovsky
On Tue, Mar 06, 2018 at 10:59:02PM -0800, syzbot wrote:
> Hello,
>
> syzbot hit the following crash on upstream commit
> ce380619fab99036f5e745c7a865b21c59f005f6 (Tue Mar 6 04:31:14 2018 +)
> Merge tag 'please-pull-ia64_misc' of
> git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux
>
> So far this crash happened 52 times on upstream.
> C reproducer is attached.
> syzkaller reproducer is attached.
> Raw console output is attached.
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a38b0e9f694c379ca...@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
> audit: type=1400 audit(1520367364.281:6): avc:  denied  { map } for
> pid=4138 comm="bash" path="/bin/bash" dev="sda1" ino=1457
> scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
> audit: type=1400 audit(1520367370.605:7): avc:  denied  { map } for
> pid=4152 comm="syzkaller100190" path="/root/syzkaller100190328" dev="sda1"
> ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
> WARNING: CPU: 0 PID: 4152 at mm/slab_common.c:1012 kmalloc_slab+0x5d/0x70
> mm/slab_common.c:1012
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 0 PID: 4152 Comm: syzkaller100190 Not tainted 4.16.0-rc4+ #343
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:17 [inline]
>  dump_stack+0x194/0x24d lib/dump_stack.c:53
>  panic+0x1e4/0x41c kernel/panic.c:183
>  __warn+0x1dc/0x200 kernel/panic.c:547
>  report_bug+0x211/0x2d0 lib/bug.c:184
>  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
>  fixup_bug arch/x86/kernel/traps.c:247 [inline]
>  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
>  invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
> RIP: 0010:kmalloc_slab+0x5d/0x70 mm/slab_common.c:1012
> RSP: 0018:8801bf76f970 EFLAGS: 00010246
> RAX:  RBX: fff4 RCX: 819733cb
> RDX: 8423372f RSI:  RDI: 3efef4b4
> RBP: 8801bf76f970 R08:  R09: 
> R10: 88613380 R11:  R12: 3efef4b4
> R13: 2080 R14: 014200c0 R15: 8801bf76fa68
>  __do_kmalloc mm/slab.c:3700 [inline]
>  __kmalloc_track_caller+0x21/0x760 mm/slab.c:3720
>  memdup_user+0x2c/0x90 mm/util.c:160
>  ucma_set_option+0x11f/0x4d0 drivers/infiniband/core/ucma.c:1297
>  ucma_write+0x2d6/0x3d0 drivers/infiniband/core/ucma.c:1627
>  __vfs_write+0xef/0x970 fs/read_write.c:480
>  vfs_write+0x189/0x510 fs/read_write.c:544
>  SYSC_write fs/read_write.c:589 [inline]
>  SyS_write+0xef/0x220 fs/read_write.c:581
>  do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
>  entry_SYSCALL_64_after_hwframe+0x42/0xb7
> RIP: 0033:0x43fe69
> RSP: 002b:7ffe099a6388 EFLAGS: 0217 ORIG_RAX: 0001
> RAX: ffda RBX: 004002c8 RCX: 0043fe69
> RDX: 006b RSI: 20c0 RDI: 0003
> RBP: 006ca018 R08: 004002c8 R09: 004002c8
> R10: 004002c8 R11: 0217 R12: 00401790
> R13: 00401820 R14:  R15: 
> Dumping ftrace buffer:
>(ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..

I'm surprised that it surfaced only now.
It is a clear bug, user's input wasn't checked.
But it is not clear to me why optval wasn't declared as u64.

Thanks
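The bug class the thread is about, a caller-controlled length reaching memdup_user() untouched and tripping the kmalloc_slab() WARNING (a panic under panic_on_warn), as an added userspace C model. This is not kernel code and not the RDMA fix: the struct layout, OPTLEN_MAX, MODEL_KMALLOC_MAX and every function name are constructed for the example; the u64 pointer field only mirrors the thread's point that the pointer is carried as u64 so the compat and native layouts match. The unchecked shape sits beside the checked one so the difference in where the request dies is visible.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a "set option" command block whose buffer pointer
 * travels as a u64 so 32-bit and 64-bit callers share one layout (the
 * point raised in the thread). Not the kernel's real uapi structure. */
struct set_option_cmd {
    uint64_t optval;    /* user pointer carried as u64 */
    uint32_t level;
    uint32_t optname;
    uint32_t optlen;    /* caller-controlled length */
};

/* Model of the allocator's sanity limit: in the kernel, asking kmalloc for
 * more than it can ever serve trips the WARN in kmalloc_slab() shown in the
 * report. The bound here is an assumed value for the model only. */
#define MODEL_KMALLOC_MAX (1u << 22)
static int model_warn_count;   /* times the allocator was asked for too much */

/* Driver-side cap on option size; an assumption for this model. */
#define OPTLEN_MAX 4096u

/* Stand-in for memdup_user(): duplicate len bytes from a "user" pointer.
 * Returns NULL (and counts a warning) when len exceeds the allocator limit,
 * mirroring the failure path the trace hits. */
static void *model_memdup_user(uint64_t uptr, uint32_t len)
{
    if (len > MODEL_KMALLOC_MAX) {
        model_warn_count++;        /* kernel: WARNING in kmalloc_slab() */
        return NULL;
    }
    void *copy = malloc(len ? len : 1);
    if (!copy)
        return NULL;
    memcpy(copy, (const void *)(uintptr_t)uptr, len);
    return copy;
}

/* Shape the report describes: the user-supplied length reaches the
 * allocator without any driver-side check. */
static int set_option_unchecked(const struct set_option_cmd *cmd, void **out)
{
    void *copy = model_memdup_user(cmd->optval, cmd->optlen);
    if (!copy)
        return -ENOMEM;
    *out = copy;
    return 0;
}

/* Hardened shape: reject out-of-range lengths at the syscall boundary so
 * the allocator never sees them and the WARN path is unreachable. */
static int set_option_checked(const struct set_option_cmd *cmd, void **out)
{
    if (cmd->optlen > OPTLEN_MAX)
        return -EINVAL;
    void *copy = model_memdup_user(cmd->optval, cmd->optlen);
    if (!copy)
        return -ENOMEM;
    *out = copy;
    return 0;
}

/* Drive both shapes with a constructed in-range and an oversized request.
 * Returns how many allocator warnings were produced: the checked path
 * contributes none, the unchecked path one. */
int run_demo(void)
{
    static const char payload[] = "option bytes";   /* constructed input */
    struct set_option_cmd ok  = { .optval = (uintptr_t)payload, .optlen = sizeof payload };
    struct set_option_cmd bad = { .optval = (uintptr_t)payload, .optlen = 0xfffffff0u };
    void *buf = NULL;

    model_warn_count = 0;
    if (set_option_checked(&ok, &buf) == 0)
        free(buf);
    if (set_option_checked(&bad, &buf) == 0)    /* -EINVAL, no warning */
        free(buf);
    if (set_option_unchecked(&bad, &buf) == 0)  /* reaches the allocator */
        free(buf);
    return model_warn_count;
}
```

The model deliberately keeps the bound check in the driver entry point rather than relying on the allocator to complain: the allocator's WARN is a symptom, and with panic_on_warn it is a one-syscall denial of service from any process that can open the device, which is why the thread stresses that the input must be validated before memdup_user() is called.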

