From patchwork Wed Jan 20 10:34:36 2021
X-Patchwork-Submitter: Tetsuo Handa
X-Patchwork-Id: 12031879
From: Tetsuo Handa
To: akpm@linux-foundation.org, linux-mm@kvack.org
Cc: Tetsuo Handa
Subject: [PATCH v2] mm: memdup_user*() should use same gfp flags
Date: Wed, 20 Jan 2021 19:34:36 +0900
Message-Id: <20210120103436.11830-1-penguin-kernel@I-love.SAKURA.ne.jp>
In-Reply-To: <20210120041843.5090-1-penguin-kernel@I-love.SAKURA.ne.jp>

syzbot is reporting that memdup_user_nul() which receives user-controlled size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit order >= MAX_ORDER path [1].

Let's add __GFP_NOWARN to memdup_user_nul() as with commit 6c8fcc096be9d02f ("mm: don't let userspace spam allocations warnings"). Also use GFP_USER as with commit 6c2c97a24f096e32 ("memdup_user(): switch to GFP_USER").

[1] https://syzkaller.appspot.com/bug?id=8bf7efb3db19101b4008dc9198522ef977d098a6

Reported-by: syzbot
Signed-off-by: Tetsuo Handa
---
 mm/util.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/mm/util.c b/mm/util.c index 8c9b7d1e7c49..265b40a86856 100644 --- a/mm/util.c +++ b/mm/util.c @@ -252,12 +252,7 @@ void *memdup_user_nul(const void __user *src, size_t len) { char *p; - /* - * Always use GFP_KERNEL, since copy_from_user() can sleep and - * cause pagefault, which makes it pointless to use GFP_NOFS - * or GFP_ATOMIC. - */ - p = kmalloc_track_caller(len + 1, GFP_KERNEL); + p = kmalloc_track_caller(len + 1, GFP_USER | __GFP_NOWARN); if (!p) return ERR_PTR(-ENOMEM);
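
Review bot: The new `kmalloc_track_caller(len + 1, GFP_USER | __GFP_NOWARN)` line in memdup_user_nul() is left without any in-code explanation of the flag choice, because the hunk deletes the only comment on it and adds none. The rationale currently lives only in the commit message. A short replacement comment above the allocation would keep it next to the code, for example that `len` can be user-controlled (so the allocation warning is suppressed with `__GFP_NOWARN`) and that the copy may sleep (so atomic or NOFS flags make no sense here). It would also be worth saying in the changelog that `__GFP_NOWARN` only silences the warning: an oversized request still fails, and callers still have to handle the `ERR_PTR(-ENOMEM)` return shown in the context lines.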