[PATCH] tty: use __GFP_NOWARN for user-controlled kmalloc()

15 views
Skip to first unread message

Dmitry Vyukov

unread,
Feb 4, 2016, 10:55:36 AM2/4/16
to jsl...@suse.com, pe...@hurleysoftware.com, gno...@lxorguk.ukuu.org.uk, linux-...@vger.kernel.org, syzk...@googlegroups.com, k...@google.com, gli...@google.com, Dmitry Vyukov
Size of kmalloc() in vc_do_resize() is controlled by user.
Too large kmalloc() size triggers WARNING message on console.

Use __GFP_NOWARN for this kmalloc() to not scare admins.

Signed-off-by: Dmitry Vyukov <dvy...@google.com>
---
Example WARNING:

WARNING: CPU: 3 PID: 7642 at mm/page_alloc.c:2999
__alloc_pages_nodemask+0x7d2/0x1760()
Modules linked in:
CPU: 3 PID: 7642 Comm: a.out Not tainted 4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
00000000ffffffff ffff88006d24f610 ffffffff82999e2d 0000000000000000
ffff880060d9af80 ffffffff86475560 ffff88006d24f650 ffffffff81352089
ffffffff816721e2 ffffffff86475560 0000000000000bb7 00000000024240c0
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
[<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
[< inline >] __alloc_pages_slowpath mm/page_alloc.c:2999
[<ffffffff816721e2>] __alloc_pages_nodemask+0x7d2/0x1760 mm/page_alloc.c:3253
[<ffffffff8174a799>] alloc_pages_current+0xe9/0x450 mm/mempolicy.c:2090
[< inline >] alloc_pages include/linux/gfp.h:459
[<ffffffff8166df66>] alloc_kmem_pages+0x16/0x100 mm/page_alloc.c:3433
[<ffffffff816c698f>] kmalloc_order+0x1f/0x80 mm/slab_common.c:1008
[<ffffffff816c6a0f>] kmalloc_order_trace+0x1f/0x140 mm/slab_common.c:1019
[< inline >] kmalloc_large include/linux/slab.h:395
[<ffffffff8175b624>] __kmalloc+0x2f4/0x340 mm/slub.c:3557
[< inline >] kmalloc include/linux/slab.h:468
[<ffffffff82d47800>] vc_do_resize+0x2c0/0x1140 drivers/tty/vt/vt.c:874
[<ffffffff82d4878a>] vt_resize+0xaa/0xe0 drivers/tty/vt/vt.c:993
[< inline >] tiocswinsz drivers/tty/tty_io.c:2357
[<ffffffff82cf22b3>] tty_ioctl+0x1083/0x2160 drivers/tty/tty_io.c:2869
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff817efdac>] do_vfs_ioctl+0x18c/0xfb0 fs/ioctl.c:674
[< inline >] SYSC_ioctl fs/ioctl.c:689
[<ffffffff817f0c5f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
---
drivers/tty/vt/vt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index bd51bdd..2382810 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -871,7 +871,7 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,
if (new_cols == vc->vc_cols && new_rows == vc->vc_rows)
return 0;

- newscreen = kmalloc(new_screen_size, GFP_USER);
+ newscreen = kmalloc(new_screen_size, GFP_USER | __GFP_NOWARN);
if (!newscreen)
return -ENOMEM;

--
2.7.0.rc3.207.g0ac5344

Peter Hurley

unread,
Feb 4, 2016, 12:49:54 PM2/4/16
to Dmitry Vyukov, jsl...@suse.com, gno...@lxorguk.ukuu.org.uk, linux-...@vger.kernel.org, syzk...@googlegroups.com, k...@google.com, gli...@google.com
Hi Dmitry,

Just a quick procedural note: tty patches need to be addressed to Greg.

Dmitry Vyukov

unread,
Feb 4, 2016, 1:28:15 PM2/4/16
to gre...@linuxfoundation.org, jsl...@suse.com, pe...@hurleysoftware.com, gno...@lxorguk.ukuu.org.uk, linux-...@vger.kernel.org, syzk...@googlegroups.com, k...@google.com, gli...@google.com, Dmitry Vyukov
--
2.7.0.rc3.207.g0ac5344

David Rientjes

unread,
Feb 4, 2016, 5:11:39 PM2/4/16
to Dmitry Vyukov, gre...@linuxfoundation.org, jsl...@suse.com, pe...@hurleysoftware.com, gno...@lxorguk.ukuu.org.uk, linux-...@vger.kernel.org, syzk...@googlegroups.com, k...@google.com, gli...@google.com
On Thu, 4 Feb 2016, Dmitry Vyukov wrote:

> Size of kmalloc() in vc_do_resize() is controlled by user.
> Too large kmalloc() size triggers WARNING message on console.
>
> Use __GFP_NOWARN for this kmalloc() to not scare admins.
>

Hmm, this is hitting the WARN_ON_ONCE(!(gfp_mask & __GFP_NOWARN)) for
order >= MAX_ORDER.

vc_do_resize() has

if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW)
return -EINVAL;

so the appropriate fix would seem to be to reject sizes that would exceed
the page allocator's ability to return contiguous memory (MAX_ORDER)
rather than ever trying the allocation in the first place.

Dmitry Vyukov

unread,
Feb 5, 2016, 2:06:32 AM2/5/16
to David Rientjes, Greg Kroah-Hartman, Jiri Slaby, Peter Hurley, One Thousand Gnomes, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko
Hi David,

Please see Alan response to original report here:
https://groups.google.com/d/msg/syzkaller/ufjvr5j0URo/lTlpYP0DBQAJ
I can't say that I fully understand it.

David Rientjes

unread,
Feb 5, 2016, 5:32:03 AM2/5/16
to Dmitry Vyukov, Greg Kroah-Hartman, Jiri Slaby, Peter Hurley, One Thousand Gnomes, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko
vc_do_resize() might not know a stricter limit, but we know the limit that
the page allocator can provide, and that's MAX_ORDER-1. kmalloc() with a
size >= (1 << (PAGE_SHIFT + MAX_ORDER)) will always fail, so if that is
really the upper limit, then so be it. We should return -EINVAL
appropriately and not -ENOMEM.

I'm thinking that the actual limit would actually be
(1 << (PAGE_SHIFT + pageblock_order)) since even memory compaction isn't
going to be able to defragment more than that, but the absolute max would
always be MAX_ORDER-1.

One Thousand Gnomes

unread,
Feb 5, 2016, 5:35:32 AM2/5/16
to Dmitry Vyukov, David Rientjes, Greg Kroah-Hartman, Jiri Slaby, Peter Hurley, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko
I think we can go down to something like cols * lines < 4MB with complete
safety.

Alan
Reply all
Reply to author
Forward
0 new messages