tty: kmalloc size WARNING in vc_do_resize


Dmitry Vyukov

Jan 24, 2016, 6:24:46 AM
to Greg Kroah-Hartman, Jiri Slaby, Daniel Vetter, David Herrmann, Peter Hurley, Imre Deak, Lad, Prabhakar, Nicolas Pitre, Nicholas Mc Guire, Scot Doyle, Denys Vlasenko, Takashi Iwai, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin
Hello,

The following program triggers kmalloc size WARNING in vc_do_resize:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <termios.h>
#include <sys/ioctl.h>

int main()
{
	int fd = open("/dev/tty1", O_RDWR);
	if (fd < 0) {
		perror("open /dev/tty1");
		return 1;
	}
	struct winsize ws;
	ws.ws_row = 0x1000;	/* 4096 rows */
	ws.ws_col = 0x5dc;	/* 1500 columns */
	ws.ws_xpixel = 0x2;
	ws.ws_ypixel = 0x0;
	/* TIOCSWINSZ on a VT reaches vt_resize() -> vc_do_resize() */
	if (ioctl(fd, TIOCSWINSZ, &ws) < 0)
		perror("ioctl TIOCSWINSZ");
	close(fd);
	return 0;
}


------------[ cut here ]------------
WARNING: CPU: 3 PID: 7642 at mm/page_alloc.c:2999 __alloc_pages_nodemask+0x7d2/0x1760()
Modules linked in:
CPU: 3 PID: 7642 Comm: a.out Not tainted 4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
00000000ffffffff ffff88006d24f610 ffffffff82999e2d 0000000000000000
ffff880060d9af80 ffffffff86475560 ffff88006d24f650 ffffffff81352089
ffffffff816721e2 ffffffff86475560 0000000000000bb7 00000000024240c0
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
[<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
[< inline >] __alloc_pages_slowpath mm/page_alloc.c:2999
[<ffffffff816721e2>] __alloc_pages_nodemask+0x7d2/0x1760 mm/page_alloc.c:3253
[<ffffffff8174a799>] alloc_pages_current+0xe9/0x450 mm/mempolicy.c:2090
[< inline >] alloc_pages include/linux/gfp.h:459
[<ffffffff8166df66>] alloc_kmem_pages+0x16/0x100 mm/page_alloc.c:3433
[<ffffffff816c698f>] kmalloc_order+0x1f/0x80 mm/slab_common.c:1008
[<ffffffff816c6a0f>] kmalloc_order_trace+0x1f/0x140 mm/slab_common.c:1019
[< inline >] kmalloc_large include/linux/slab.h:395
[<ffffffff8175b624>] __kmalloc+0x2f4/0x340 mm/slub.c:3557
[< inline >] kmalloc include/linux/slab.h:468
[<ffffffff82d47800>] vc_do_resize+0x2c0/0x1140 drivers/tty/vt/vt.c:874
[<ffffffff82d4878a>] vt_resize+0xaa/0xe0 drivers/tty/vt/vt.c:993
[< inline >] tiocswinsz drivers/tty/tty_io.c:2357
[<ffffffff82cf22b3>] tty_ioctl+0x1083/0x2160 drivers/tty/tty_io.c:2869
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff817efdac>] do_vfs_ioctl+0x18c/0xfb0 fs/ioctl.c:674
[< inline >] SYSC_ioctl fs/ioctl.c:689
[<ffffffff817f0c5f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
[<ffffffff86336c36>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
---[ end trace cc28f7cc9d447282 ]---


I think that either the kmalloc should use __GFP_NOWARN or
vc_do_resize should do a stricter size check.

On commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2.

One Thousand Gnomes

Jan 25, 2016, 11:12:12 AM
to Dmitry Vyukov, Greg Kroah-Hartman, Jiri Slaby, Daniel Vetter, David Herrmann, Peter Hurley, Imre Deak, Lad, Prabhakar, Nicolas Pitre, Nicholas Mc Guire, Scot Doyle, Denys Vlasenko, Takashi Iwai, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin
> I think that either the kmalloc should use __GFP_NOWARN or
> vc_do_resize should do a stricter size check.

vc_do_resize doesn't know enough to do a stricter size check. There are
not many methods it calls but those are:

vgacon_resize doesn't error when stupid things happen because of a silly
hack for legacy svgatextmode tools.

sisusbcon_resize does the right checks but we can get in a situation
where we unplug during a resize so attempting to resize and size back
might fail.

fbcon_resize does the right thing, but again can error if we go
size/resize/size back.

That means we really have to guess or would have to add 'max size' info
to the structures. Right now it's clamped to 1Gbyte which is a 32767 x 32767
character display and probably ludicrous. Clamping to 4048 x 1024 chars
would cover displays up to 16K x 6K even with the 4x6 font (which is
insane on a 4K display, let alone 4 of them).

Alan

Dmitry Vyukov

Jan 25, 2016, 12:02:36 PM
to One Thousand Gnomes, Greg Kroah-Hartman, Jiri Slaby, Daniel Vetter, David Herrmann, Peter Hurley, Imre Deak, Lad, Prabhakar, Nicolas Pitre, Nicholas Mc Guire, Scot Doyle, Denys Vlasenko, Takashi Iwai, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin
OK, then the kmalloc call needs to include __GFP_NOWARN for cases when
the size is too large (larger than 8MB).
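The following is an added example, not part of the thread and not kernel code: a user-space model of the size arithmetic that the report and Alan's reply are about (two bytes per character cell, so cols << 1 times rows, with the 32767 x 32767 per-axis clamp Alan quotes), plus the kernel's get_order() rounding, so one can see why the reproducer's 0x1000 x 0x5dc request ends in a page-allocator request of order >= MAX_ORDER. The constants PAGE_SHIFT = 12 and MAX_ORDER = 11 are assumed x86-64 values, the function names screen_bytes, alloc_order, would_warn and check_resize are hypothetical, and check_resize is one possible shape of the "stricter size check" Dmitry asks for (an explicit byte budget rather than only a per-axis limit); in vc_do_resize a zero row or column count means "keep the current value", which this model does not reproduce.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Assumed x86-64 constants (not from the thread): 4 KiB pages and MAX_ORDER 11,
 * so the largest block the buddy allocator hands out is order 10 (4 MiB) and an
 * order >= MAX_ORDER request is what trips the WARN in __alloc_pages_slowpath. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define MAX_ORDER  11

/* Per-axis limits as quoted in Alan's reply (32767 x 32767). */
#define VC_RESIZE_MAXCOL 32767
#define VC_RESIZE_MAXROW 32767

/* Model of the screen-buffer size vc_do_resize asks kmalloc for:
 * one 16-bit cell (character + attribute) per position. */
static uint64_t screen_bytes(unsigned int rows, unsigned int cols)
{
	uint64_t row_size = (uint64_t)cols << 1;
	return row_size * rows;
}

/* Same rounding as the kernel's get_order(): the smallest order whose
 * 2^order-page block can hold 'bytes'. */
static int alloc_order(uint64_t bytes)
{
	uint64_t pages = (bytes + PAGE_SIZE - 1) >> PAGE_SHIFT;
	int order = 0;

	while ((1ULL << order) < pages)
		order++;
	return order;
}

/* Would a kmalloc() of this size fall through kmalloc_large() to a
 * page-allocator request that warns (order >= MAX_ORDER)? */
static bool would_warn(uint64_t bytes)
{
	return alloc_order(bytes) >= MAX_ORDER;
}

/* Hypothetical stricter check: reject the request up front when the
 * resulting buffer would exceed an explicit byte budget, instead of relying
 * on the per-axis clamp alone. Returns 0 if acceptable, -1 otherwise. */
static int check_resize(unsigned int rows, unsigned int cols, uint64_t max_bytes)
{
	if (cols > VC_RESIZE_MAXCOL || rows > VC_RESIZE_MAXROW)
		return -1;
	if (screen_bytes(rows, cols) > max_bytes)
		return -1;
	return 0;
}

int main(void)
{
	/* Values from the syzkaller reproducer in the report. */
	unsigned int rows = 0x1000, cols = 0x5dc;
	uint64_t bytes = screen_bytes(rows, cols);
	/* Largest request that never reaches order MAX_ORDER: one order-(MAX_ORDER-1) block. */
	uint64_t budget = (uint64_t)PAGE_SIZE << (MAX_ORDER - 1);

	printf("%u x %u -> %llu bytes, order %d, warns: %s\n", rows, cols,
	       (unsigned long long)bytes, alloc_order(bytes),
	       would_warn(bytes) ? "yes" : "no");
	printf("check_resize with a %llu-byte budget: %d\n",
	       (unsigned long long)budget, check_resize(rows, cols, budget));
	printf("80 x 24 with the same budget: %d\n", check_resize(24, 80, budget));
	return 0;
}
```

Under these assumptions the model reports 12,288,000 bytes (3000 pages, rounded up to an order-12 request) for the reproducer's values, while the per-axis clamp alone accepts them; a budget expressed in bytes rejects the request before any allocation is attempted. Note also that Alan's suggested 4048 x 1024 clamp works out to 8,290,304 bytes in this model, which get_order() still rounds up to order 11, so a byte budget and the per-axis limit are complementary rather than interchangeable.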