Re: BUG: unable to handle page fault for address = ADDR

From: Linus Torvalds
Date: Thu Apr 25 2019 - 19:22:20 EST


On Thu, Apr 25, 2019 at 3:16 PM syzbot
<syzbot+45474c076a4927533d2e@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> The bug was bisected to:
>
> commit bcdd0ca8cb8730573afebcaae4138f8f4c8eaa20
> Author: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
> Date: Wed Apr 25 11:12:31 2018 +0000
>
> tty: Use __GFP_NOFAIL for tty_ldisc_get()

I think this just makes slhc_init() fail more easily, but the bug was
pre-existing.

The *real* source of the bug seems to be

4ab42d78e37a ("ppp, slip: Validate VJ compression slot parameters
completely")

from back in 2015.

We have (in drivers/net/slip/slip.c: sl_alloc_bufs())

        slcomp = slhc_init(16, 16);
        if (IS_ERR(slcomp))
                goto err_exit;
        ....
err_exit:
#ifdef SL_INCLUDE_CSLIP
        kfree(cbuff);
        slhc_free(slcomp);
#endif

so we do "slhc_free()" on an error pointer, which results in

BUG: unable to handle page fault for address = fffffffffffffff4

and the fix might be something like the appended whitespace-damaged
trivial one-liner: just make slhc_free() silently ignore an error
pointer, to match the slhc_init() return behavior.

Ben? David?

Linus

diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
index f4e93f5fc204..ea90db3c7705 100644
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
@@ -153,7 +153,7 @@ slhc_init(int rslots, int tslots)
void
slhc_free(struct slcompress *comp)
{
- if ( comp == NULLSLCOMPR )
+ if ( IS_ERR_OR_NULL(comp) )
return;

if ( comp->tstate != NULLSLSTATE )
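Review bot: the new `IS_ERR_OR_NULL(comp)` test at the top of `slhc_free()` relies on `<linux/err.h>` being included in slhc.c; since `slhc_init()` in the same file already hands back an error pointer that `sl_alloc_bufs()` tests with `IS_ERR()`, that should already hold, but confirm the include before applying. The author notes the patch is whitespace-damaged, so the `if`/`return` lines need their leading tab restored or the hunk will not apply. The change also silently masks a caller passing an error pointer into the free path; resetting `slcomp` to `NULLSLCOMPR` on the `err_exit` path in `sl_alloc_bufs()` would be the complementary fix on the caller side and would keep `slhc_free()` from hiding future misuse.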
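An added userspace model of the error-pointer convention behind this oops, written for this page and not taken from the kernel: `struct slcompress`, the before/after `slhc_free()` checks and the `sl_alloc_bufs()` error path are simplified stand-ins, and the errno-to-address mapping assumes a 64-bit build.

```c
/* Added example: how ERR_PTR values turn a NULL-only check into a page fault. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_ERRNO 4095   /* same bound the kernel uses to recognise error pointers */

/* Constructed stand-in; only tstate (first member) matters for the fault address. */
struct slcompress { void *tstate; void *rstate; };

static inline void *ERR_PTR(long error) { return (void *)error; }
static inline int IS_ERR(const void *ptr)
{ return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO; }
static inline int IS_ERR_OR_NULL(const void *ptr) { return !ptr || IS_ERR(ptr); }

/* On a 64-bit kernel ERR_PTR(-err) is just -err as an address; with err = 12
 * (ENOMEM on Linux) that is the fffffffffffffff4 from the oops, i.e. reading
 * comp->tstate at offset 0 of an error pointer faults on the pointer itself. */
uint64_t fault_address_for(int err) { return (uint64_t)(int64_t)-err; }

/* Before the fix: a NULL-only check lets an error pointer through to the deref. */
int old_null_check_stops(struct slcompress *comp) { return comp == NULL; }

/* After the fix: error pointers are ignored like NULL, matching slhc_init(). */
int slhc_free_after_fix(struct slcompress *comp)
{
    if (IS_ERR_OR_NULL(comp))
        return 0;                 /* nothing to free */
    free(comp->tstate);
    free(comp->rstate);
    free(comp);
    return 1;                     /* a real object was released */
}

/* Models sl_alloc_bufs(): init fails, then err_exit frees whatever it holds. */
int alloc_bufs_error_path(int init_fails)
{
    struct slcompress *slcomp;

    slcomp = init_fails ? ERR_PTR(-ENOMEM) : calloc(1, sizeof *slcomp);
    if (IS_ERR(slcomp))
        goto err_exit;
    /* ... remaining buffer setup happens here in the real driver ... */
err_exit:
    return slhc_free_after_fix(slcomp);
}
```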