Dear Developers for Linux Memory Management,

We encountered 3 warning crashes when testing the memory management with Syzkaller and our generated specifications:

1. WARNING: kmalloc bug in gup_test_ioctl
2. WARNING in is_valid_gup_args
3. WARNING in pin_user_pages_fast

The C and syz reproducers and config for the kernel are attached.

For the first one, "WARNING: kmalloc bug in gup_test_ioctl", it seems that the check `if (gup->size > ULONG_MAX)` (https://elixir.bootlin.com/linux/v6.7-rc8/source/mm/gup_test.c#L111) is not accurate, which should be INT_MAX * PAGE_SIZE / sizeof(void *), based on `pages = kvcalloc(nr_pages, sizeof(void *), GFP_KERNEL);` (https://elixir.bootlin.com/linux/v6.7-rc8/source/mm/gup_test.c#L115).

For the second one, "WARNING in is_valid_gup_args", and the third one, "WARNING in pin_user_pages_fast", the root causes are kind of similar. They both fail to check the `gup_flags` in `is_valid_gup_args` (https://elixir.bootlin.com/linux/v6.7-rc8/source/mm/gup.c#L2245) and `internal_get_user_pages_fast` (https://elixir.bootlin.com/linux/v6.7-rc8/source/mm/gup.c#L3185) respectively. `gup_flags` is provided by the user, thus it could be an arbitrary value. I think it would be better not to use `WARN_ON_ONCE` to check the validity of this flag.

If you have any questions or require more information, please feel free to contact us.

Reported-by: Chenyuan Yang <chenyuan0y@xxxxxxxxx>

Best,
Chenyuan
Attachments:

- gup_test_ioctl.report
- config
- pin_user_pages_fast.report
- is_valid_gup_args.report
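The two boundary checks the report is asking for, a bound on the user-supplied size before it becomes an element count for `kvcalloc()` and an explicit validation of user-supplied flags that returns `-EINVAL` instead of tripping a `WARN_ON_ONCE`, shown as an added userspace C example. This is not code from the report, from mm/gup_test.c or from mm/gup.c; the page size, the `UFLAG_*` bits and their allowed combinations are constructed stand-ins, the `INT_MAX` allocation ceiling is an assumption about what `kvcalloc()`/`kvmalloc()` refuse, and `unsigned long` is assumed to be 64 bits wide.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for kernel values; this is not kernel code. */
#define PAGE_SIZE_BYTES 4096UL
/* Assumption: kvcalloc()/kvmalloc() refuse (with a warning) any allocation
 * larger than INT_MAX bytes, so that is the ceiling the size check must honour. */
#define KVMALLOC_MAX_BYTES ((unsigned long)INT_MAX)
#define MAX_NR_PAGES (KVMALLOC_MAX_BYTES / sizeof(void *))

/* Hypothetical user-visible flag bits for the ioctl (not the kernel's FOLL_* values). */
#define UFLAG_WRITE    (1u << 0)
#define UFLAG_LONGTERM (1u << 1)
#define UFLAG_PIN      (1u << 2)
#define UFLAG_GET      (1u << 3)
#define UFLAG_ALLOWED  (UFLAG_WRITE | UFLAG_LONGTERM | UFLAG_PIN | UFLAG_GET)

/*
 * Bound a user-supplied byte count before it turns into the element count of
 * kvcalloc(nr_pages, sizeof(void *)). Comparing an unsigned long against
 * ULONG_MAX can never fail, so the useful limit is the allocator's ceiling
 * divided by the element size. Returns 0 and stores the page count, or a
 * negative errno.
 */
int check_user_size(unsigned long size, unsigned long *nr_pages_out)
{
    unsigned long nr_pages = size / PAGE_SIZE_BYTES;

    if (nr_pages == 0)
        return -EINVAL;      /* nothing to pin */
    if (nr_pages > MAX_NR_PAGES)
        return -EOVERFLOW;   /* nr_pages * sizeof(void *) would exceed the ceiling */
    *nr_pages_out = nr_pages;
    return 0;
}

/*
 * Reject user-controlled flags at the ioctl boundary with -EINVAL, so that
 * arbitrary values never reach an internal WARN_ON_ONCE. The allowed mask and
 * the exclusivity rule are a constructed policy for this example.
 */
int check_user_flags(unsigned int flags)
{
    if (flags & ~UFLAG_ALLOWED)
        return -EINVAL;      /* unknown bits */
    if ((flags & UFLAG_PIN) && (flags & UFLAG_GET))
        return -EINVAL;      /* mutually exclusive modes */
    return 0;
}

int main(void)
{
    unsigned long n = 0;

    printf("1 MiB          -> %d (nr_pages=%lu)\n", check_user_size(1UL << 20, &n), n);
    printf("INT_MAX pages  -> %d\n", check_user_size((unsigned long)INT_MAX * PAGE_SIZE_BYTES, &n));
    printf("ULONG_MAX      -> %d\n", check_user_size(ULONG_MAX, &n));
    printf("flags PIN|GET  -> %d\n", check_user_flags(UFLAG_PIN | UFLAG_GET));
    printf("flags bit 31   -> %d\n", check_user_flags(0x80000000u));
    return 0;
}
```

The size check deliberately works in pages rather than bytes: the overflow that matters is in the `nr_pages * sizeof(void *)` product the allocator sees, not in `size` itself, so the limit is expressed as a maximum page count derived from the allocation ceiling.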