{"id":809934,"url":"http://patchwork.ozlabs.org/api/patches/809934/?format=json","web_url":"http://patchwork.ozlabs.org/project/netdev/patch/1504590062.15310.36.camel@edumazet-glaptop3.roam.corp.google.com/","project":{"id":7,"url":"http://patchwork.ozlabs.org/api/projects/7/?format=json","name":"Linux network development","link_name":"netdev","list_id":"netdev.vger.kernel.org","list_email":"netdev@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<1504590062.15310.36.camel@edumazet-glaptop3.roam.corp.google.com>","list_archive_url":null,"date":"2017-09-05T05:41:02","name":"[net-next] bpf: fix numa_node validation","commit_ref":null,"pull_url":null,"state":"accepted","archived":true,"hash":"ac672355bea9f3ae95b76c421d1d321953f69ed6","submitter":{"id":2404,"url":"http://patchwork.ozlabs.org/api/people/2404/?format=json","name":"Eric Dumazet","email":"eric.dumazet@gmail.com"},"delegate":{"id":34,"url":"http://patchwork.ozlabs.org/api/users/34/?format=json","username":"davem","first_name":"David","last_name":"Miller","email":"davem@davemloft.net"},"mbox":"http://patchwork.ozlabs.org/project/netdev/patch/1504590062.15310.36.camel@edumazet-glaptop3.roam.corp.google.com/mbox/","series":[{"id":1491,"url":"http://patchwork.ozlabs.org/api/series/1491/?format=json","web_url":"http://patchwork.ozlabs.org/project/netdev/list/?series=1491","date":"2017-09-05T05:41:02","name":"[net-next] bpf: fix numa_node validation","version":1,"mbox":"http://patchwork.ozlabs.org/series/1491/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/809934/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/809934/checks/","tags":{},"related":[],"headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=none (mailfrom) 
smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","ozlabs.org; dkim=pass (2048-bit key;\n\tunprotected) header.d=gmail.com header.i=@gmail.com\n\theader.b=\"f0nBwnx1\"; dkim-atps=neutral"],"Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xmbDR4gLCz9sNq\n\tfor <patchwork-incoming@ozlabs.org>;\n\tTue,  5 Sep 2017 15:41:11 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1754031AbdIEFlI (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tTue, 5 Sep 2017 01:41:08 -0400","from mail-io0-f196.google.com ([209.85.223.196]:34515 \"EHLO\n\tmail-io0-f196.google.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1750969AbdIEFlG (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Tue, 5 Sep 2017 01:41:06 -0400","by mail-io0-f196.google.com with SMTP id b142so516562ioe.1\n\tfor <netdev@vger.kernel.org>; Mon, 04 Sep 2017 22:41:05 -0700 (PDT)","from [192.168.86.171] (c-67-180-167-114.hsd1.ca.comcast.net.\n\t[67.180.167.114]) by smtp.googlemail.com with ESMTPSA id\n\tv85sm491067iov.38.2017.09.04.22.41.03\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tMon, 04 Sep 2017 22:41:04 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=gmail.com; s=20161025;\n\th=message-id:subject:from:to:cc:date:mime-version\n\t:content-transfer-encoding;\n\tbh=pKsWSEOltClIWrNvY9cd8bT2GBCeRUlBC0NC9cqP+Kg=;\n\tb=f0nBwnx1uOnY45LSZEfbz4CiO2NqL67A+ql7D/GulLIswGSwWWAoPetzHxn4lGWfW0\n\tzcuEvJ+C6/DvOY2poe6VenzQwrcWrifNOiP9n36wmMjsXOshEIyWzkYPTOHQ6EbFxbQY\n\tIadC74r+BXwE7qjr/l6ujzeBoyYdhgjVarEbZ7ZvBFTcbhFwau04suvYxcxmkx7xvTVu\n\tvQdJoSoOAelcmLqDTiag5d7GlYM5lc8b5pZXObynh1q9sdJOQWbZMQ1XS827zCA8QSuN\n\tMENPjs8ECkJBgiGGlnqmLUMRJqAmcbVo28xMVbhTJmw+qWFb9lYQyCetlZf3cwULSTEc\n\tXuNg==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; 
s=20161025;\n\th=x-gm-message-state:message-id:subject:from:to:cc:date:mime-version\n\t:content-transfer-encoding;\n\tbh=pKsWSEOltClIWrNvY9cd8bT2GBCeRUlBC0NC9cqP+Kg=;\n\tb=M7y7+BKe23Dv+7n08Dd7WmOnOhKGrlneO8A3MWDWnW0VSkM0HhR2+vRIwUER+ePi4+\n\toPGT1JQ3EgeIShzTrWQIbE26A6Y8NYxrz0sQusbl9MNLrWos3FwttF5H/jubFBjH7qjG\n\t0NvN/ijp2b3EsmoICiXBFSd19Wt81ryfCG66sFv1XmzUqESBP42XqQsvT2BoQ1Lzs7cg\n\toa/VQHgjtTi3l84Mmkui9ZNf8eugTqr9UyJN/RzSE//iGknG6XBSqQHWui8oLDp6WUfc\n\tcAxS1A5XBvTGdO2FC4ONlJ3eBjvh9e/WPGwDsZx4/lcDa6L9huuleDf9YLq6eKUp4t17\n\tZp9A==","X-Gm-Message-State":"AHPjjUgq3qBf0kUGZ3MhPQi3tZZettj1TdsAR7fTR9sYlci/PaW2YwPv\n\tOt5XIyJ++4/8dg==","X-Google-Smtp-Source":"ADKCNb7QQ2NQ6Iu7YcQZ74doAj+vcEQh3zmUEDdeB0Y2Wc9PLqUzDM5/qqMxYrlK/yi24zAZxIelsw==","X-Received":"by 10.36.201.2 with SMTP id h2mr1151519itg.93.1504590065594;\n\tMon, 04 Sep 2017 22:41:05 -0700 (PDT)","Message-ID":"<1504590062.15310.36.camel@edumazet-glaptop3.roam.corp.google.com>","Subject":"[PATCH net-next] bpf: fix numa_node validation","From":"Eric Dumazet <eric.dumazet@gmail.com>","To":"David Miller <davem@davemloft.net>","Cc":"netdev <netdev@vger.kernel.org>, Martin KaFai Lau <kafai@fb.com>,\n\tDaniel Borkmann <daniel@iogearbox.net>, Alexei Starovoitov <ast@fb.com>","Date":"Mon, 04 Sep 2017 22:41:02 -0700","Content-Type":"text/plain; charset=\"UTF-8\"","X-Mailer":"Evolution 3.10.4-0ubuntu2 ","Mime-Version":"1.0","Content-Transfer-Encoding":"7bit","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"},"content":"From: Eric Dumazet <edumazet@google.com>\n\nsyzkaller reported crashes in bpf map creation or map update [1]\n\nProblem is that nr_node_ids is a signed integer,\nNUMA_NO_NODE is also an integer, so it is very tempting\nto declare numa_node as a signed integer.\n\nThis means the typical test to validate a user provided value :\n\n        if (numa_node != NUMA_NO_NODE &&\n            (numa_node >= nr_node_ids ||\n           
  !node_online(numa_node)))\n\nmust be written :\n\n        if (numa_node != NUMA_NO_NODE &&\n            ((unsigned int)numa_node >= nr_node_ids ||\n             !node_online(numa_node)))\n\n\n[1]\nkernel BUG at mm/slab.c:3256!\ninvalid opcode: 0000 [#1] SMP KASAN\nDumping ftrace buffer:\n   (ftrace buffer empty)\nModules linked in:\nCPU: 0 PID: 2946 Comm: syzkaller916108 Not tainted 4.13.0-rc7+ #35\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\ntask: ffff8801d2bc60c0 task.stack: ffff8801c0c90000\nRIP: 0010:____cache_alloc_node+0x1d4/0x1e0 mm/slab.c:3292\nRSP: 0018:ffff8801c0c97638 EFLAGS: 00010096\nRAX: ffffffffffff8b7b RBX: 0000000001080220 RCX: 0000000000000000\nRDX: 00000000ffff8b7b RSI: 0000000001080220 RDI: ffff8801dac00040\nRBP: ffff8801c0c976c0 R08: 0000000000000000 R09: 0000000000000000\nR10: ffff8801c0c97620 R11: 0000000000000001 R12: ffff8801dac00040\nR13: ffff8801dac00040 R14: 0000000000000000 R15: 00000000ffff8b7b\nFS:  0000000002119940(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020001fec CR3: 00000001d2980000 CR4: 00000000001406f0\nCall Trace:\n __do_kmalloc_node mm/slab.c:3688 [inline]\n __kmalloc_node+0x33/0x70 mm/slab.c:3696\n kmalloc_node include/linux/slab.h:535 [inline]\n alloc_htab_elem+0x2a8/0x480 kernel/bpf/hashtab.c:740\n htab_map_update_elem+0x740/0xb80 kernel/bpf/hashtab.c:820\n map_update_elem kernel/bpf/syscall.c:587 [inline]\n SYSC_bpf kernel/bpf/syscall.c:1468 [inline]\n SyS_bpf+0x20c5/0x4c40 kernel/bpf/syscall.c:1443\n entry_SYSCALL_64_fastpath+0x1f/0xbe\nRIP: 0033:0x440409\nRSP: 002b:00007ffd1f1792b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141\nRAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440409\nRDX: 0000000000000020 RSI: 0000000020006000 RDI: 0000000000000002\nRBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401d70\nR13: 
0000000000401e00 R14: 0000000000000000 R15: 0000000000000000\nCode: 83 c2 01 89 50 18 4c 03 70 08 e8 38 f4 ff ff 4d 85 f6 0f 85 3e ff ff ff 44 89 fe 4c 89 ef e8 94 fb ff ff 49 89 c6 e9 2b ff ff ff <0f> 0b 0f 0b 0f 0b 66 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 \nRIP: ____cache_alloc_node+0x1d4/0x1e0 mm/slab.c:3292 RSP: ffff8801c0c97638\n---[ end trace d745f355da2e33ce ]---\nKernel panic - not syncing: Fatal exception\n\nFixes: 96eabe7a40aa (\"bpf: Allow selecting numa node during map creation\")\nSigned-off-by: Eric Dumazet <edumazet@google.com>\nCc: Martin KaFai Lau <kafai@fb.com>\nCc: Alexei Starovoitov <ast@fb.com>\nCc: Daniel Borkmann <daniel@iogearbox.net>\n---\n kernel/bpf/syscall.c |    3 ++-\n 1 file changed, 2 insertions(+), 1 deletion(-)","diff":"diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c\nindex 021a05d9d80095303bdfed51ee85bd9067582774..70ad8e220343c7825c8e331f19c1f65c78fdb796 100644\n--- a/kernel/bpf/syscall.c\n+++ b/kernel/bpf/syscall.c\n@@ -323,7 +323,8 @@ static int map_create(union bpf_attr *attr)\n \t\treturn -EINVAL;\n \n \tif (numa_node != NUMA_NO_NODE &&\n-\t    (numa_node >= nr_node_ids || !node_online(numa_node)))\n+\t    ((unsigned int)numa_node >= nr_node_ids ||\n+\t     !node_online(numa_node)))\n \t\treturn -EINVAL;\n \n \t/* find map type and init map: hashtable vs rbtree vs bloom vs ... */\n","prefixes":["net-next"]}
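Review bot: the `(unsigned int)numa_node` cast in the new condition in map_create() is what rejects negative values other than NUMA_NO_NODE, but nothing in the code says so, and a later cleanup could drop it as a redundant cast. The changelog explains that nr_node_ids is a signed integer, so the old signed test `numa_node >= nr_node_ids` let a negative node id through to node_online() and on to the allocator. That rationale lives only in the commit message. Suggest a one-line comment above the test, or an explicit `numa_node < 0 ||` term in place of the cast so the intent is readable at the call site. Since the changelog calls this "the typical test" for a user-provided value, a small shared helper for it would also keep other callers from repeating the signed comparison.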