| Message ID | 20220713145854.147356-1-mlombard@redhat.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | mm: prevent page_frag_alloc() from corrupting the memory | expand |
| Context | Check | Description |
|---|---|---|
| netdev/tree_selection | success | Not a local patch |
st 13. 7. 2022 v 16:59 odesílatel Maurizio Lombardi <mlombard@redhat.com> napsal: > > A number of drivers call page_frag_alloc() with a > fragment's size > PAGE_SIZE. > In low memory conditions, __page_frag_cache_refill() may fail the order 3 > cache allocation and fall back to order 0; > In this case, the cache will be smaller than the fragment, causing > memory corruptions. Oops, I didn't modify the subject, I'm going to resend it. Maurizio > > Prevent this from happening by checking if the newly allocated cache > is large enough for the fragment; if not, the allocation will fail > and page_frag_alloc() will return NULL. > > V2: do not free the cache page because this could make memory pressure > even worse, just return NULL. > > Signed-off-by: Maurizio Lombardi <mlombard@redhat.com> > --- > mm/page_alloc.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/mm/page_alloc.c b/mm/page_alloc.c > index e008a3df0485..b1407254a826 100644 > --- a/mm/page_alloc.c > +++ b/mm/page_alloc.c > @@ -5617,6 +5617,8 @@ void *page_frag_alloc_align(struct page_frag_cache *nc, > /* reset page count bias and offset to start of new frag */ > nc->pagecnt_bias = PAGE_FRAG_CACHE_MAX_SIZE + 1; > offset = size - fragsz; > + if (unlikely(offset < 0)) > + return NULL; > } > > nc->pagecnt_bias--; > -- > 2.31.1 >
diff --git a/mm/page_alloc.c b/mm/page_alloc.c index e008a3df0485..b1407254a826 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -5617,6 +5617,8 @@ void *page_frag_alloc_align(struct page_frag_cache *nc, /* reset page count bias and offset to start of new frag */ nc->pagecnt_bias = PAGE_FRAG_CACHE_MAX_SIZE + 1; offset = size - fragsz; + if (unlikely(offset < 0)) + return NULL; } nc->pagecnt_bias--;
A number of drivers call page_frag_alloc() with a fragment's size > PAGE_SIZE. In low memory conditions, __page_frag_cache_refill() may fail the order 3 cache allocation and fall back to order 0; In this case, the cache will be smaller than the fragment, causing memory corruptions. Prevent this from happening by checking if the newly allocated cache is large enough for the fragment; if not, the allocation will fail and page_frag_alloc() will return NULL. V2: do not free the cache page because this could make memory pressure even worse, just return NULL. Signed-off-by: Maurizio Lombardi <mlombard@redhat.com> --- mm/page_alloc.c | 2 ++ 1 file changed, 2 insertions(+)