From patchwork Sat Aug 17 06:24:48 2024
X-Patchwork-Submitter: Barry Song <21cnbao@gmail.com>
X-Patchwork-Id: 13767004
From: Barry Song <21cnbao@gmail.com>
To: akpm@linux-foundation.org, linux-mm@kvack.org
Cc: 42.hyeyoo@gmail.com, cl@linux.com, hailong.liu@oppo.com, hch@infradead.org, iamjoonsoo.kim@lge.com, mhocko@suse.com, penberg@kernel.org, rientjes@google.com, roman.gushchin@linux.dev, torvalds@linux-foundation.org, urezki@gmail.com, v-songbaohua@oppo.com, vbabka@suse.cz, virtualization@lists.linux.dev, Christoph Hellwig, Lorenzo Stoakes, Kees Cook, Eugenio Pérez, Jason Wang, Maxime Coquelin, "Michael S. Tsirkin", Xuan Zhuo
Subject: [PATCH v3 3/4] mm: BUG_ON to avoid NULL deference while __GFP_NOFAIL fails
Date: Sat, 17 Aug 2024 18:24:48 +1200
Message-Id: <20240817062449.21164-4-21cnbao@gmail.com>
In-Reply-To: <20240817062449.21164-1-21cnbao@gmail.com>
References: <20240817062449.21164-1-21cnbao@gmail.com>

From: Barry Song

We have cases where we still fail though callers might have __GFP_NOFAIL.
Since they don't check the return, we are exposed to the security risks
of NULL dereference.

Though BUG_ON() is not encouraged by Linus, this is an unrecoverable
situation.

Christoph Hellwig:
The whole freaking point of __GFP_NOFAIL is that callers don't handle
allocation failures. So in fact a straight BUG is the right thing
here.

Vlastimil Babka:
It's just not a recoverable situation (WARN_ON is for recoverable
situations). The caller cannot handle allocation failure and at the same
time asked for an impossible allocation. BUG_ON() is a guaranteed oops
with stacktrace etc. We don't need to hope for the later NULL pointer
dereference (which might if really unlucky happen from a different
context where it's no longer obvious what led to the allocation failing).

Michal Hocko:
Linus tends to be against adding new BUG() calls unless the failure is
absolutely unrecoverable (e.g. corrupted data structures etc.). I am
not sure how he would look at simply incorrect memory allocator usage to
blow up the kernel. Now the argument could be made that those failures
could cause subtle memory corruptions or even be exploitable which might
be a sufficient reason to stop them early.

Signed-off-by: Barry Song
Reviewed-by: Christoph Hellwig
Acked-by: Vlastimil Babka
Acked-by: Michal Hocko
Cc: Uladzislau Rezki (Sony)
Cc: Lorenzo Stoakes
Cc: Christoph Lameter
Cc: Pekka Enberg
Cc: David Rientjes
Cc: Joonsoo Kim
Cc: Roman Gushchin
Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Cc: Linus Torvalds
Cc: Kees Cook
Cc: "Eugenio Pérez"
Cc: Hailong.Liu
Cc: Jason Wang
Cc: Maxime Coquelin
Cc: "Michael S. Tsirkin"
Cc: Xuan Zhuo
--- include/linux/slab.h | 4 +++- mm/page_alloc.c | 4 +++- mm/util.c | 1 + 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/include/linux/slab.h b/include/linux/slab.h index c9cb42203183..4a4d1fdc2afe 100644 --- a/include/linux/slab.h +++ b/include/linux/slab.h 
@@ -827,8 +827,10 @@ kvmalloc_array_node_noprof(size_t n, size_t size, gfp_t flags, int node) { size_t bytes; - if (unlikely(check_mul_overflow(n, size, &bytes))) + if (unlikely(check_mul_overflow(n, size, &bytes))) { + BUG_ON(flags & __GFP_NOFAIL); return NULL; + } return kvmalloc_node_noprof(bytes, flags, node); } diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 60742d057b05..d2c37f8f8d09 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -4668,8 +4668,10 @@ struct page *__alloc_pages_noprof(gfp_t gfp, unsigned int order, * There are several places where we assume that the order value is sane * so bail out early if the request is out of bound. */ - if (WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)) + if (WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)) { + BUG_ON(gfp & __GFP_NOFAIL); return NULL; + } gfp &= gfp_allowed_mask; /* diff --git a/mm/util.c b/mm/util.c index ac01925a4179..678c647b778f 100644 --- a/mm/util.c +++ b/mm/util.c @@ -667,6 +667,7 @@ void *__kvmalloc_node_noprof(DECL_BUCKET_PARAMS(size, b), gfp_t flags, int node) /* Don't even allow crazy sizes */ if (unlikely(size > INT_MAX)) { + BUG_ON(flags & __GFP_NOFAIL); WARN_ON_ONCE(!(flags & __GFP_NOWARN)); return NULL; }
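
Review bot: In the include/linux/slab.h hunk, the new BUG_ON(flags & __GFP_NOFAIL) inside the check_mul_overflow() branch of kvmalloc_array_node_noprof() carries no comment, so a reader of the header cannot tell that an n * size overflow is now fatal for __GFP_NOFAIL callers rather than a NULL return. Please add a short comment above the BUG_ON saying that __GFP_NOFAIL callers never check the result and must therefore bound n and size themselves before calling. That matters most where n or size can be influenced from outside the kernel, because the overflow path then turns from an allocation failure into an oops.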
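
Review bot: In the mm/page_alloc.c hunk, the existing comment above the order > MAX_PAGE_ORDER test still says "bail out early if the request is out of bound", which no longer describes what happens when gfp has __GFP_NOFAIL set. Please extend that comment to say the request is treated as a caller bug and stops the kernel in that case. Also note that the BUG_ON sits inside the if whose condition is WARN_ON_ONCE_GFP(), so a __GFP_NOFAIL caller with an oversized order can log a warning immediately followed by the BUG for the same event; if only one report is wanted, test __GFP_NOFAIL before the warning.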
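
Review bot: In the mm/util.c hunk, BUG_ON(flags & __GFP_NOFAIL) is placed before WARN_ON_ONCE(!(flags & __GFP_NOWARN)) in the size > INT_MAX branch, which is the opposite order from the mm/page_alloc.c hunk where the warning is evaluated first and the BUG_ON second. Please pick one ordering for all three sites and state it in the commit message, so the log output for a failed __GFP_NOFAIL request looks the same regardless of which check caught it. The "Don't even allow crazy sizes" comment would also benefit from a note that for __GFP_NOFAIL callers this limit is enforced by stopping the kernel, not by returning NULL.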