On 01/08/2018 04:51 PM, Alexei Starovoitov wrote: > From: Alexei Starovoitov <a...@fb.com> > > syzbot reported the following panic in the verifier triggered > by kmalloc error injection: > > kasan: GPF could be caused by NULL-ptr deref or user memory access > RIP: 0010:copy_func_state kernel/bpf/verifier.c:403 [inline] > RIP: 0010:copy_verifier_state+0x364/0x590 kernel/bpf/verifier.c:431 > Call Trace: > pop_stack+0x8c/0x270 kernel/bpf/verifier.c:449 > push_stack kernel/bpf/verifier.c:491 [inline] > check_cond_jmp_op kernel/bpf/verifier.c:3598 [inline] > do_check+0x4b60/0xa050 kernel/bpf/verifier.c:4731 > bpf_check+0x3296/0x58c0 kernel/bpf/verifier.c:5489 > bpf_prog_load+0xa2a/0x1b00 kernel/bpf/syscall.c:1198 > SYSC_bpf kernel/bpf/syscall.c:1807 [inline] > SyS_bpf+0x1044/0x4420 kernel/bpf/syscall.c:1769 > > when copy_verifier_state() aborts in the middle due to kmalloc failure > some of the frames could have been partially copied while > current free_verifier_state() loop > for (i = 0; i <= state->curframe; i++) > assumed that all frames are non-null. > Simply fix it by adding 'if (!state)' to free_func_state(). > Also avoid stressing copy frame logic more if kzalloc fails > in push_stack() free env->cur_state right away. > > Reported-by: syzbot+32ac5a3e473f2e01c...@syzkaller.appspotmail.com > Reported-by: syzbot+fa99e24f3c29d269a...@syzkaller.appspotmail.com > Signed-off-by: Alexei Starovoitov <a...@kernel.org>
Applied to bpf-next with Fixes tags, thanks Alexei!
