From: Barry Song <21cnbao@gmail.com>
To: akpm@linux-foundation.org, linux-mm@kvack.org
Cc: 42.hyeyoo@gmail.com, cl@linux.com, hailong.liu@oppo.com, hch@infradead.org, iamjoonsoo.kim@lge.com, lstoakes@gmail.com, mhocko@suse.com, penberg@kernel.org, rientjes@google.com, roman.gushchin@linux.dev, torvalds@linux-foundation.org, urezki@gmail.com, v-songbaohua@oppo.com, vbabka@suse.cz, virtualization@lists.linux.dev, Kees Cook
Subject: [PATCH v2 3/4] mm: BUG_ON to avoid NULL deference while __GFP_NOFAIL fails
Date: Wed, 31 Jul 2024 12:01:54 +1200
Message-Id: <20240731000155.109583-4-21cnbao@gmail.com>
In-Reply-To: <20240731000155.109583-1-21cnbao@gmail.com>
References: <20240731000155.109583-1-21cnbao@gmail.com>

From: Barry Song

We have cases we still fail though callers might have __GFP_NOFAIL.
Since they don't check the return, we are exposed to the security
risks for NULL dereference.

Though BUG_ON() is not encouraged by Linus, this is an unrecoverable
situation.

Christoph Hellwig:
The whole freaking point of __GFP_NOFAIL is that callers don't handle
allocation failures. So in fact a straight BUG is the right thing
here.

Vlastimil Babka:
It's just not a recoverable situation (WARN_ON is for recoverable
situations). The caller cannot handle allocation failure and at the
same time asked for an impossible allocation. BUG_ON() is a guaranteed
oops with stacktrace etc. We don't need to hope for the later NULL
pointer dereference (which might if really unlucky happen from a
different context where it's no longer obvious what led to the
allocation failing).

Michal Hocko:
Linus tends to be against adding new BUG() calls unless the failure is
absolutely unrecoverable (e.g. corrupted data structures etc.). I am
not sure how he would look at simply incorrect memory allocator usage
to blow up the kernel. Now the argument could be made that those
failures could cause subtle memory corruptions or even be exploitable
which might be a sufficient reason to stop them early.

Cc: Michal Hocko
Cc: Uladzislau Rezki (Sony)
Cc: Christoph Hellwig
Cc: Lorenzo Stoakes
Cc: Christoph Lameter
Cc: Pekka Enberg
Cc: David Rientjes
Cc: Joonsoo Kim
Cc: Vlastimil Babka
Cc: Roman Gushchin
Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Cc: Linus Torvalds
Cc: Kees Cook
Signed-off-by: Barry Song
Acked-by: Michal Hocko
Acked-by: Vlastimil Babka
Reviewed-by: Christoph Hellwig
--- include/linux/slab.h | 4 +++- mm/page_alloc.c | 4 +++- mm/util.c | 1 + 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/include/linux/slab.h b/include/linux/slab.h index c9cb42203183..4a4d1fdc2afe 100644 --- a/include/linux/slab.h +++ b/include/linux/slab.h
@@ -827,8 +827,10 @@ kvmalloc_array_node_noprof(size_t n, size_t size, gfp_t flags, int node) { size_t bytes; - if (unlikely(check_mul_overflow(n, size, &bytes))) + if (unlikely(check_mul_overflow(n, size, &bytes))) { + BUG_ON(flags & __GFP_NOFAIL); return NULL; + } return kvmalloc_node_noprof(bytes, flags, node); } diff --git a/mm/page_alloc.c b/mm/page_alloc.c index c700d2598a26..cc179c3e68df 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -4708,8 +4708,10 @@ struct page *__alloc_pages_noprof(gfp_t gfp, unsigned int order, * There are several places where we assume that the order value is sane * so bail out early if the request is out of bound. */ - if (WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)) + if (WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)) { + BUG_ON(gfp & __GFP_NOFAIL); return NULL; + } gfp &= gfp_allowed_mask; /* diff --git a/mm/util.c b/mm/util.c index 0ff5898cc6de..bad3258523b6 100644 --- a/mm/util.c +++ b/mm/util.c @@ -667,6 +667,7 @@ void *__kvmalloc_node_noprof(DECL_BUCKET_PARAMS(size, b), gfp_t flags, int node) /* Don't even allow crazy sizes */ if (unlikely(size > INT_MAX)) { + BUG_ON(flags & __GFP_NOFAIL); WARN_ON_ONCE(!(flags & __GFP_NOWARN)); return NULL; }
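
Review bot: in the include/linux/slab.h hunk, the new BUG_ON(flags & __GFP_NOFAIL) sits on the check_mul_overflow(n, size, &bytes) path, so whether it fires depends entirely on the n and size the caller passes in. A __GFP_NOFAIL caller that derives n or size from a value it has not bounded now stops the kernel here instead of having NULL returned to it. Because kvmalloc_array_node_noprof() lives in a header, a short comment above the BUG_ON stating that __GFP_NOFAIL callers must guarantee n * size cannot overflow would put that contract where every caller sees it.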
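
Review bot: in the mm/page_alloc.c hunk, the comment kept above the check still says only "bail out early if the request is out of bound", which no longer describes what happens when gfp carries __GFP_NOFAIL. Please extend that comment to say that an order > MAX_PAGE_ORDER request with __GFP_NOFAIL is treated as unrecoverable and ends in BUG_ON(gfp & __GFP_NOFAIL), so the NULL return below it applies only to callers that can handle failure.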
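
Review bot: in the mm/util.c hunk, BUG_ON(flags & __GFP_NOFAIL) is placed before WARN_ON_ONCE(!(flags & __GFP_NOWARN)), the opposite order from the mm/page_alloc.c hunk, where WARN_ON_ONCE_GFP() is evaluated first and the BUG_ON follows. For a __GFP_NOFAIL request the warning here is never reached, which is harmless but means the two paths report the same class of error differently; pick one order for both. The "Don't even allow crazy sizes" comment should also mention that a size > INT_MAX request with __GFP_NOFAIL is now fatal.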