* [PATCH] tty: use __GFP_NOWARN for user-controlled kmalloc()
@ 2016-02-04 15:55 Dmitry Vyukov
2016-02-04 17:49 ` Peter Hurley
0 siblings, 1 reply; 7+ messages in thread
From: Dmitry Vyukov @ 2016-02-04 15:55 UTC (permalink / raw)
To: jslaby, peter, gnomes; +Cc: linux-kernel, syzkaller, kcc, glider, Dmitry Vyukov
Size of kmalloc() in vc_do_resize() is controlled by user.
Too large kmalloc() size triggers WARNING message on console.
Use __GFP_NOWARN for this kmalloc() to not scare admins.
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
---
Example WARNING:
WARNING: CPU: 3 PID: 7642 at mm/page_alloc.c:2999
__alloc_pages_nodemask+0x7d2/0x1760()
Modules linked in:
CPU: 3 PID: 7642 Comm: a.out Not tainted 4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
00000000ffffffff ffff88006d24f610 ffffffff82999e2d 0000000000000000
ffff880060d9af80 ffffffff86475560 ffff88006d24f650 ffffffff81352089
ffffffff816721e2 ffffffff86475560 0000000000000bb7 00000000024240c0
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
[<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
[< inline >] __alloc_pages_slowpath mm/page_alloc.c:2999
[<ffffffff816721e2>] __alloc_pages_nodemask+0x7d2/0x1760 mm/page_alloc.c:3253
[<ffffffff8174a799>] alloc_pages_current+0xe9/0x450 mm/mempolicy.c:2090
[< inline >] alloc_pages include/linux/gfp.h:459
[<ffffffff8166df66>] alloc_kmem_pages+0x16/0x100 mm/page_alloc.c:3433
[<ffffffff816c698f>] kmalloc_order+0x1f/0x80 mm/slab_common.c:1008
[<ffffffff816c6a0f>] kmalloc_order_trace+0x1f/0x140 mm/slab_common.c:1019
[< inline >] kmalloc_large include/linux/slab.h:395
[<ffffffff8175b624>] __kmalloc+0x2f4/0x340 mm/slub.c:3557
[< inline >] kmalloc include/linux/slab.h:468
[<ffffffff82d47800>] vc_do_resize+0x2c0/0x1140 drivers/tty/vt/vt.c:874
[<ffffffff82d4878a>] vt_resize+0xaa/0xe0 drivers/tty/vt/vt.c:993
[< inline >] tiocswinsz drivers/tty/tty_io.c:2357
[<ffffffff82cf22b3>] tty_ioctl+0x1083/0x2160 drivers/tty/tty_io.c:2869
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff817efdac>] do_vfs_ioctl+0x18c/0xfb0 fs/ioctl.c:674
[< inline >] SYSC_ioctl fs/ioctl.c:689
[<ffffffff817f0c5f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
---
drivers/tty/vt/vt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index bd51bdd..2382810 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -871,7 +871,7 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,
if (new_cols == vc->vc_cols && new_rows == vc->vc_rows)
return 0;
- newscreen = kmalloc(new_screen_size, GFP_USER);
+ newscreen = kmalloc(new_screen_size, GFP_USER | __GFP_NOWARN);
if (!newscreen)
return -ENOMEM;
--
2.7.0.rc3.207.g0ac5344
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] tty: use __GFP_NOWARN for user-controlled kmalloc()
2016-02-04 15:55 [PATCH] tty: use __GFP_NOWARN for user-controlled kmalloc() Dmitry Vyukov
@ 2016-02-04 17:49 ` Peter Hurley
2016-02-04 18:28 ` [PATCH] tty: use __GFP_NOWARN for user-controlled kmalloc Dmitry Vyukov
0 siblings, 1 reply; 7+ messages in thread
From: Peter Hurley @ 2016-02-04 17:49 UTC (permalink / raw)
To: Dmitry Vyukov; +Cc: jslaby, gnomes, linux-kernel, syzkaller, kcc, glider
Hi Dmitry,
Just a quick procedural note: tty patches need to be addressed to Greg.
On 02/04/2016 07:55 AM, Dmitry Vyukov wrote:
> Size of kmalloc() in vc_do_resize() is controlled by user.
> Too large kmalloc() size triggers WARNING message on console.
>
> Use __GFP_NOWARN for this kmalloc() to not scare admins.
>
> Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
> ---
> Example WARNING:
>
> WARNING: CPU: 3 PID: 7642 at mm/page_alloc.c:2999
> __alloc_pages_nodemask+0x7d2/0x1760()
> Modules linked in:
> CPU: 3 PID: 7642 Comm: a.out Not tainted 4.4.0+ #276
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> 00000000ffffffff ffff88006d24f610 ffffffff82999e2d 0000000000000000
> ffff880060d9af80 ffffffff86475560 ffff88006d24f650 ffffffff81352089
> ffffffff816721e2 ffffffff86475560 0000000000000bb7 00000000024240c0
> Call Trace:
> [< inline >] __dump_stack lib/dump_stack.c:15
> [<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
> [<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
> [<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
> [< inline >] __alloc_pages_slowpath mm/page_alloc.c:2999
> [<ffffffff816721e2>] __alloc_pages_nodemask+0x7d2/0x1760 mm/page_alloc.c:3253
> [<ffffffff8174a799>] alloc_pages_current+0xe9/0x450 mm/mempolicy.c:2090
> [< inline >] alloc_pages include/linux/gfp.h:459
> [<ffffffff8166df66>] alloc_kmem_pages+0x16/0x100 mm/page_alloc.c:3433
> [<ffffffff816c698f>] kmalloc_order+0x1f/0x80 mm/slab_common.c:1008
> [<ffffffff816c6a0f>] kmalloc_order_trace+0x1f/0x140 mm/slab_common.c:1019
> [< inline >] kmalloc_large include/linux/slab.h:395
> [<ffffffff8175b624>] __kmalloc+0x2f4/0x340 mm/slub.c:3557
> [< inline >] kmalloc include/linux/slab.h:468
> [<ffffffff82d47800>] vc_do_resize+0x2c0/0x1140 drivers/tty/vt/vt.c:874
> [<ffffffff82d4878a>] vt_resize+0xaa/0xe0 drivers/tty/vt/vt.c:993
> [< inline >] tiocswinsz drivers/tty/tty_io.c:2357
> [<ffffffff82cf22b3>] tty_ioctl+0x1083/0x2160 drivers/tty/tty_io.c:2869
> [< inline >] vfs_ioctl fs/ioctl.c:43
> [<ffffffff817efdac>] do_vfs_ioctl+0x18c/0xfb0 fs/ioctl.c:674
> [< inline >] SYSC_ioctl fs/ioctl.c:689
> [<ffffffff817f0c5f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
> ---
> drivers/tty/vt/vt.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> index bd51bdd..2382810 100644
> --- a/drivers/tty/vt/vt.c
> +++ b/drivers/tty/vt/vt.c
> @@ -871,7 +871,7 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,
> if (new_cols == vc->vc_cols && new_rows == vc->vc_rows)
> return 0;
>
> - newscreen = kmalloc(new_screen_size, GFP_USER);
> + newscreen = kmalloc(new_screen_size, GFP_USER | __GFP_NOWARN);
> if (!newscreen)
> return -ENOMEM;
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH] tty: use __GFP_NOWARN for user-controlled kmalloc
2016-02-04 17:49 ` Peter Hurley
@ 2016-02-04 18:28 ` Dmitry Vyukov
2016-02-04 22:11 ` David Rientjes
0 siblings, 1 reply; 7+ messages in thread
From: Dmitry Vyukov @ 2016-02-04 18:28 UTC (permalink / raw)
To: gregkh, jslaby, peter, gnomes
Cc: linux-kernel, syzkaller, kcc, glider, Dmitry Vyukov
Size of kmalloc() in vc_do_resize() is controlled by user.
Too large kmalloc() size triggers WARNING message on console.
Use __GFP_NOWARN for this kmalloc() to not scare admins.
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
---
Example WARNING:
WARNING: CPU: 3 PID: 7642 at mm/page_alloc.c:2999
__alloc_pages_nodemask+0x7d2/0x1760()
Modules linked in:
CPU: 3 PID: 7642 Comm: a.out Not tainted 4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
00000000ffffffff ffff88006d24f610 ffffffff82999e2d 0000000000000000
ffff880060d9af80 ffffffff86475560 ffff88006d24f650 ffffffff81352089
ffffffff816721e2 ffffffff86475560 0000000000000bb7 00000000024240c0
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
[<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
[< inline >] __alloc_pages_slowpath mm/page_alloc.c:2999
[<ffffffff816721e2>] __alloc_pages_nodemask+0x7d2/0x1760 mm/page_alloc.c:3253
[<ffffffff8174a799>] alloc_pages_current+0xe9/0x450 mm/mempolicy.c:2090
[< inline >] alloc_pages include/linux/gfp.h:459
[<ffffffff8166df66>] alloc_kmem_pages+0x16/0x100 mm/page_alloc.c:3433
[<ffffffff816c698f>] kmalloc_order+0x1f/0x80 mm/slab_common.c:1008
[<ffffffff816c6a0f>] kmalloc_order_trace+0x1f/0x140 mm/slab_common.c:1019
[< inline >] kmalloc_large include/linux/slab.h:395
[<ffffffff8175b624>] __kmalloc+0x2f4/0x340 mm/slub.c:3557
[< inline >] kmalloc include/linux/slab.h:468
[<ffffffff82d47800>] vc_do_resize+0x2c0/0x1140 drivers/tty/vt/vt.c:874
[<ffffffff82d4878a>] vt_resize+0xaa/0xe0 drivers/tty/vt/vt.c:993
[< inline >] tiocswinsz drivers/tty/tty_io.c:2357
[<ffffffff82cf22b3>] tty_ioctl+0x1083/0x2160 drivers/tty/tty_io.c:2869
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff817efdac>] do_vfs_ioctl+0x18c/0xfb0 fs/ioctl.c:674
[< inline >] SYSC_ioctl fs/ioctl.c:689
[<ffffffff817f0c5f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
---
drivers/tty/vt/vt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index bd51bdd..2382810 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -871,7 +871,7 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,
if (new_cols == vc->vc_cols && new_rows == vc->vc_rows)
return 0;
- newscreen = kmalloc(new_screen_size, GFP_USER);
+ newscreen = kmalloc(new_screen_size, GFP_USER | __GFP_NOWARN);
if (!newscreen)
return -ENOMEM;
--
2.7.0.rc3.207.g0ac5344
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] tty: use __GFP_NOWARN for user-controlled kmalloc
2016-02-04 18:28 ` [PATCH] tty: use __GFP_NOWARN for user-controlled kmalloc Dmitry Vyukov
@ 2016-02-04 22:11 ` David Rientjes
2016-02-05 7:06 ` Dmitry Vyukov
0 siblings, 1 reply; 7+ messages in thread
From: David Rientjes @ 2016-02-04 22:11 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: gregkh, jslaby, peter, gnomes, linux-kernel, syzkaller, kcc,
glider
On Thu, 4 Feb 2016, Dmitry Vyukov wrote:
> Size of kmalloc() in vc_do_resize() is controlled by user.
> Too large kmalloc() size triggers WARNING message on console.
>
> Use __GFP_NOWARN for this kmalloc() to not scare admins.
>
Hmm, this is hitting the WARN_ON_ONCE(!(gfp_mask & __GFP_NOWARN)) for
order >= MAX_ORDER.
vc_do_resize() has
if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
return -EINVAL;
so the appropriate fix would seem to be to reject sizes that would exceed
the page allocator's ability to return contiguous memory (MAX_ORDER)
rather than ever trying the allocation in the first place.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] tty: use __GFP_NOWARN for user-controlled kmalloc
2016-02-04 22:11 ` David Rientjes
@ 2016-02-05 7:06 ` Dmitry Vyukov
2016-02-05 10:32 ` David Rientjes
2016-02-05 10:35 ` One Thousand Gnomes
0 siblings, 2 replies; 7+ messages in thread
From: Dmitry Vyukov @ 2016-02-05 7:06 UTC (permalink / raw)
To: David Rientjes
Cc: Greg Kroah-Hartman, Jiri Slaby, Peter Hurley, One Thousand Gnomes,
LKML, syzkaller, Kostya Serebryany, Alexander Potapenko
On Thu, Feb 4, 2016 at 11:11 PM, David Rientjes <rientjes@google.com> wrote:
> On Thu, 4 Feb 2016, Dmitry Vyukov wrote:
>
>> Size of kmalloc() in vc_do_resize() is controlled by user.
>> Too large kmalloc() size triggers WARNING message on console.
>>
>> Use __GFP_NOWARN for this kmalloc() to not scare admins.
>>
>
> Hmm, this is hitting the WARN_ON_ONCE(!(gfp_mask & __GFP_NOWARN)) for
> order >= MAX_ORDER.
>
> vc_do_resize() has
>
> if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
> return -EINVAL;
>
> so the appropriate fix would seem to be to reject sizes that would exceed
> the page allocator's ability to return contiguous memory (MAX_ORDER)
> rather than ever trying the allocation in the first place.
Hi David,
Please see Alan response to original report here:
https://groups.google.com/d/msg/syzkaller/ufjvr5j0URo/lTlpYP0DBQAJ
I can't say that I fully understand it.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] tty: use __GFP_NOWARN for user-controlled kmalloc
2016-02-05 7:06 ` Dmitry Vyukov
@ 2016-02-05 10:32 ` David Rientjes
2016-02-05 10:35 ` One Thousand Gnomes
1 sibling, 0 replies; 7+ messages in thread
From: David Rientjes @ 2016-02-05 10:32 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: Greg Kroah-Hartman, Jiri Slaby, Peter Hurley, One Thousand Gnomes,
LKML, syzkaller, Kostya Serebryany, Alexander Potapenko
On Fri, 5 Feb 2016, Dmitry Vyukov wrote:
> On Thu, Feb 4, 2016 at 11:11 PM, David Rientjes <rientjes@google.com> wrote:
> > On Thu, 4 Feb 2016, Dmitry Vyukov wrote:
> >
> >> Size of kmalloc() in vc_do_resize() is controlled by user.
> >> Too large kmalloc() size triggers WARNING message on console.
> >>
> >> Use __GFP_NOWARN for this kmalloc() to not scare admins.
> >>
> >
> > Hmm, this is hitting the WARN_ON_ONCE(!(gfp_mask & __GFP_NOWARN)) for
> > order >= MAX_ORDER.
> >
> > vc_do_resize() has
> >
> > if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
> > return -EINVAL;
> >
> > so the appropriate fix would seem to be to reject sizes that would exceed
> > the page allocator's ability to return contiguous memory (MAX_ORDER)
> > rather than ever trying the allocation in the first place.
>
> Hi David,
>
> Please see Alan response to original report here:
> https://groups.google.com/d/msg/syzkaller/ufjvr5j0URo/lTlpYP0DBQAJ
> I can't say that I fully understand it.
>
vc_do_resize() might not know a stricter limit, but we know the limit that
the page allocator can provide, and that's MAX_ORDER-1. kmalloc() with a
size >= (1 << (PAGE_SHIFT + MAX_ORDER)) will always fail, so if that is
really the upper limit, then so be it. We should return -EINVAL
appropriately and not -ENOMEM.
I'm thinking that the actual limit would actually be
(1 << (PAGE_SHIFT + pageblock_order)) since even memory compaction isn't
going to be able to defragment more than that, but the absolute max would
always be MAX_ORDER-1.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] tty: use __GFP_NOWARN for user-controlled kmalloc
2016-02-05 7:06 ` Dmitry Vyukov
2016-02-05 10:32 ` David Rientjes
@ 2016-02-05 10:35 ` One Thousand Gnomes
1 sibling, 0 replies; 7+ messages in thread
From: One Thousand Gnomes @ 2016-02-05 10:35 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: David Rientjes, Greg Kroah-Hartman, Jiri Slaby, Peter Hurley,
LKML, syzkaller, Kostya Serebryany, Alexander Potapenko
On Fri, 5 Feb 2016 08:06:12 +0100
Dmitry Vyukov <dvyukov@google.com> wrote:
> On Thu, Feb 4, 2016 at 11:11 PM, David Rientjes <rientjes@google.com> wrote:
> > On Thu, 4 Feb 2016, Dmitry Vyukov wrote:
> >
> >> Size of kmalloc() in vc_do_resize() is controlled by user.
> >> Too large kmalloc() size triggers WARNING message on console.
> >>
> >> Use __GFP_NOWARN for this kmalloc() to not scare admins.
> >>
> >
> > Hmm, this is hitting the WARN_ON_ONCE(!(gfp_mask & __GFP_NOWARN)) for
> > order >= MAX_ORDER.
> >
> > vc_do_resize() has
> >
> > if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
> > return -EINVAL;
> >
> > so the appropriate fix would seem to be to reject sizes that would exceed
> > the page allocator's ability to return contiguous memory (MAX_ORDER)
> > rather than ever trying the allocation in the first place.
>
> Hi David,
>
> Please see Alan response to original report here:
> https://groups.google.com/d/msg/syzkaller/ufjvr5j0URo/lTlpYP0DBQAJ
> I can't say that I fully understand it.
I think we can go down to something like cols * lines < 4MB with complete
safety.
Alan
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2016-02-05 10:35 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-02-04 15:55 [PATCH] tty: use __GFP_NOWARN for user-controlled kmalloc() Dmitry Vyukov
2016-02-04 17:49 ` Peter Hurley
2016-02-04 18:28 ` [PATCH] tty: use __GFP_NOWARN for user-controlled kmalloc Dmitry Vyukov
2016-02-04 22:11 ` David Rientjes
2016-02-05 7:06 ` Dmitry Vyukov
2016-02-05 10:32 ` David Rientjes
2016-02-05 10:35 ` One Thousand Gnomes
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).