[Linux Kernel Bug][mm/gup] 3 Warning Crashes: kmalloc bug in gup_test_ioctl, is_valid_gup_args, pin_user_pages_fast

From: Chenyuan Yang
Date: Fri Jan 26 2024 - 12:05:37 EST


Dear Developers for Linux Memory Management,

We encountered 3 warning crashes when testing the memory management
with Syzkaller and our generated specifications:

1. WARNING: kmalloc bug in gup_test_ioctl
2. WARNING in is_valid_gup_args
3. WARNING in pin_user_pages_fast

The C and syz reproducers and config for the kernel are attached.

For the first one "WARNING: kmalloc bug in gup_test_ioctl", it seems
that the check `if (gup->size > ULONG_MAX)`
(https://elixir.bootlin.com/linux/v6.7-rc8/source/mm/gup_test.c#L111)
is not accurate, which should be INT_MAX * PAGE_SIZE / sizeof(void *),
based on `pages = kvcalloc(nr_pages, sizeof(void *), GFP_KERNEL);`
(https://elixir.bootlin.com/linux/v6.7-rc8/source/mm/gup_test.c#L115).

For the second and third ones, "WARNING in is_valid_gup_args" and
"WARNING in pin_user_pages_fast", the root causes are kind of similar.
They both fail to check the `gup_flags` in `is_valid_gup_args`
(https://elixir.bootlin.com/linux/v6.7-rc8/source/mm/gup.c#L2245) and
`internal_get_user_pages_fast`
(https://elixir.bootlin.com/linux/v6.7-rc8/source/mm/gup.c#L3185)
respectively. `gup_flags` is provided by the user, thus it could be an
arbitrary value. I think it would be better not to use `WARN_ON_ONCE`
to check the validity of this flag.

If you have any questions or require more information, please feel
free to contact us.

Reported-by: Chenyuan Yang <chenyuan0y@xxxxxxxxx>

Best,
Chenyuan

Attachment: gup_test_ioctl.report
Description: Binary data

Attachment: config
Description: Binary data

Attachment: pin_user_pages_fast.report
Description: Binary data

Attachment: is_valid_gup_args.report
Description: Binary data