From: ira.weiny@intel.com
To: Kees Cook
Cc: Ira Weiny, syzbot+3250d9c8925ef29e975f@syzkaller.appspotmail.com, "Fabio M. De Francesco", ebiederm@xmission.com, viro@zeniv.linux.org.uk, sfr@canb.auug.org.au, syzkaller-bugs@googlegroups.com, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] fs/exec: Test patch for syzkaller crash
Date: Thu, 11 Aug 2022 17:09:19 -0700
Message-Id: <20220812000919.408614-1-ira.weiny@intel.com>
From: Ira Weiny

Kees reported that it looked like the kmap_local_page() conversion in fs/exec.c was causing a crash with syzkaller. [1]

At first glance it appeared this was due to pagefaults not being disabled, as was done by kmap_atomic(). Unfortunately, after deeper investigation we don't see how this is a problem. The crash does not appear to be happening in the memcpy_to_page() call. [2]

For testing, add back pagefault disable in copy_string_kernel() to see if it makes syzkaller happy. If so, more investigation will need to be done to understand exactly what is happening.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c6e8e36c6ae4b11bed5643317afb66b6c3cadba8
[2] https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/fs/exec.c?id=40d43a7507e1547dd45cb02af2e40d897c591870#n616

Cc: Kees Cook
Reported-by: syzbot+3250d9c8925ef29e975f@syzkaller.appspotmail.com
Signed-off-by: Ira Weiny
---
 fs/exec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/exec.c b/fs/exec.c index b51dd14e7388..e076b228123a 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -640,7 +640,9 @@ int copy_string_kernel(const char *arg, struct linux_binprm *bprm) if (!page) return -E2BIG; flush_arg_page(bprm, pos & PAGE_MASK, page); + pagefault_disable(); memcpy_to_page(page, offset_in_page(pos), arg, bytes_to_copy); + pagefault_enable(); put_arg_page(page); }

--
2.35.3
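Review bot: The pagefault_disable()/pagefault_enable() pair wrapped around memcpy_to_page() in the copy_string_kernel() hunk only restores one half of what kmap_atomic() used to provide, so a "still crashes" result from this test will not tell you much: kmap_atomic() disabled both page faults and preemption, while kmap_local_page() (which memcpy_to_page() uses internally) only disables migration, and this hunk leaves preemption enabled. In addition, `arg` is a kernel pointer here (the function is the _kernel variant), so the copy cannot take a user-access fault in the first place; a fault on it would be a kernel bug with or without pagefault_disable(), which is consistent with the commit message's own conclusion that the memcpy_to_page() call is not where the crash happens. If the goal is to bisect which kmap_atomic() property matters, consider a second test variant with preempt_disable()/preempt_enable() around the same call, add a one-line comment above `pagefault_disable();` saying this is a diagnostic for the syzbot report so nobody mistakes it for a fix, and mark the patch not-for-merge in the subject (e.g. [RFC]) since it is explicitly a test patch.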