From patchwork Wed Jul 24 08:55:42 2024
X-Patchwork-Submitter: Barry Song <21cnbao@gmail.com>
X-Patchwork-Id: 13740695
From: Barry Song <21cnbao@gmail.com>
To: akpm@linux-foundation.org, linux-mm@kvack.org
Cc: 42.hyeyoo@gmail.com, cl@linux.com, hch@infradead.org,
 iamjoonsoo.kim@lge.com, lstoakes@gmail.com, mhocko@suse.com,
 penberg@kernel.org, rientjes@google.com, roman.gushchin@linux.dev,
 urezki@gmail.com, v-songbaohua@oppo.com, vbabka@suse.cz,
 virtualization@lists.linux.dev, hailong.liu@oppo.com,
 torvalds@linux-foundation.org, Kees Cook
Subject: [PATCH 3/5] mm: BUG_ON to avoid NULL deference while __GFP_NOFAIL fails
Date: Wed, 24 Jul 2024 20:55:42 +1200
Message-Id: <20240724085544.299090-4-21cnbao@gmail.com>
In-Reply-To: <20240724085544.299090-1-21cnbao@gmail.com>
References: <20240724085544.299090-1-21cnbao@gmail.com>

From: Barry Song

We have cases where we still fail though callers might have __GFP_NOFAIL.
Since they don't check the return, we are exposed to the security risks
for NULL dereference.

Though BUG_ON() is not encouraged by Linus, this is an unrecoverable
situation.

Christoph Hellwig:
The whole freaking point of __GFP_NOFAIL is that callers don't handle
allocation failures. So in fact a straight BUG is the right thing
here.

Vlastimil Babka:
It's just not a recoverable situation (WARN_ON is for recoverable
situations). The caller cannot handle allocation failure and at the same
time asked for an impossible allocation. BUG_ON() is a guaranteed oops
with stacktrace etc. We don't need to hope for the later NULL pointer
dereference (which might if really unlucky happen from a different
context where it's no longer obvious what led to the allocation failing).

Michal Hocko:
Linus tends to be against adding new BUG() calls unless the failure is
absolutely unrecoverable (e.g. corrupted data structures etc.). I am
not sure how he would look at simply incorrect memory allocator usage to
blow up the kernel. Now the argument could be made that those failures
could cause subtle memory corruptions or even be exploitable which might
be a sufficient reason to stop them early.

Cc: Michal Hocko
Cc: Uladzislau Rezki (Sony)
Cc: Christoph Hellwig
Cc: Lorenzo Stoakes
Cc: Christoph Lameter
Cc: Pekka Enberg
Cc: David Rientjes
Cc: Joonsoo Kim
Cc: Vlastimil Babka
Cc: Roman Gushchin
Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Cc: Linus Torvalds
Cc: Kees Cook
Signed-off-by: Barry Song
---
 include/linux/slab.h |  4 +++-
 mm/page_alloc.c      | 10 +++++-----
 mm/util.c            |  1 +
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/include/linux/slab.h b/include/linux/slab.h index c9cb42203183..4a4d1fdc2afe 100644 --- a/include/linux/slab.h +++ b/include/linux/slab.h 
@@ -827,8 +827,10 @@ kvmalloc_array_node_noprof(size_t n, size_t size, gfp_t flags, int node) { size_t bytes; - if (unlikely(check_mul_overflow(n, size, &bytes))) + if (unlikely(check_mul_overflow(n, size, &bytes))) { + BUG_ON(flags & __GFP_NOFAIL); return NULL; + } return kvmalloc_node_noprof(bytes, flags, node); } diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 45d2f41b4783..4d6af00fccd4 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -4435,11 +4435,11 @@ __alloc_pages_slowpath(gfp_t gfp_mask, unsigned int order, */ if (gfp_mask & __GFP_NOFAIL) { /* - * All existing users of the __GFP_NOFAIL are blockable, so warn - * of any new users that actually require GFP_NOWAIT + * All existing users of the __GFP_NOFAIL are blockable + * otherwise we introduce a busy loop with inside the page + * allocator from non-sleepable contexts */ - if (WARN_ON_ONCE_GFP(!can_direct_reclaim, gfp_mask)) - goto fail; + BUG_ON(!can_direct_reclaim); /* * PF_MEMALLOC request from this context is rather bizarre @@ -4470,7 +4470,7 @@ __alloc_pages_slowpath(gfp_t gfp_mask, unsigned int order, cond_resched(); goto retry; } -fail: + warn_alloc(gfp_mask, ac->nodemask, "page allocation failure: order:%u", order); got_pg: diff --git a/mm/util.c b/mm/util.c index 0ff5898cc6de..a1be50c243f1 100644 --- a/mm/util.c +++ b/mm/util.c @@ -668,6 +668,7 @@ void *__kvmalloc_node_noprof(DECL_BUCKET_PARAMS(size, b), gfp_t flags, int node) /* Don't even allow crazy sizes */ if (unlikely(size > INT_MAX)) { WARN_ON_ONCE(!(flags & __GFP_NOWARN)); + BUG_ON(flags & __GFP_NOFAIL); return NULL; }
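
Review bot: In the include/linux/slab.h hunk, the new BUG_ON(flags & __GFP_NOFAIL) inside the check_mul_overflow() branch of kvmalloc_array_node_noprof() has no comment and emits no diagnostic of its own, so the oops will not say that the cause was an n * size overflow rather than memory pressure. A one-line comment above the BUG_ON stating that a __GFP_NOFAIL caller does not check the return value, so NULL cannot be handed back, would make the intent clear to the next reader. The mm/util.c path in this same patch warns before it BUGs; consider whether this path should do the same for consistency.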
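
Review bot: In the first mm/page_alloc.c hunk (__alloc_pages_slowpath, the __GFP_NOFAIL block), BUG_ON(!can_direct_reclaim) replaces a path that warned once and took goto fail, so a __GFP_NOFAIL request that cannot direct-reclaim now stops the kernel where it previously returned a failed allocation with a warning. That matches the commit message, but the rewritten comment does not say so: it still opens with "All existing users of the __GFP_NOFAIL are blockable" and the phrase "a busy loop with inside the page allocator" is garbled. Suggest rewording it to state that __GFP_NOFAIL without direct reclaim is a caller bug, that returning NULL is not an option because the caller will not check for it, and that retrying from a non-sleepable context would busy-loop inside the page allocator. Note also that the removed WARN_ON_ONCE_GFP() took gfp_mask, while the BUG_ON does not report the mask at all; if the mask is useful for debugging the offending caller, it is worth printing before the BUG.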
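
Review bot: In the mm/util.c hunk (__kvmalloc_node_noprof, the size > INT_MAX branch), the added BUG_ON(flags & __GFP_NOFAIL) sits under the existing comment "Don't even allow crazy sizes", which only explains the size check and not why __GFP_NOFAIL now escalates it to a BUG. Add a short comment saying that a __GFP_NOFAIL caller cannot be returned NULL. Also worth a line in the commit message or comment: because the BUG_ON follows WARN_ON_ONCE(!(flags & __GFP_NOWARN)), a caller passing both __GFP_NOWARN and __GFP_NOFAIL gets the BUG with no preceding warning, and other callers get a warning immediately followed by the BUG; confirm that double report is intended.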