From: Chen Lin
To: akpm@linux-foundation.org
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Chen Lin
Subject: [PATCH] mm: page_frag: Warn_on when frag_alloc size is bigger than PAGE_SIZE
Date: Sat, 28 May 2022 23:39:33 +0800
Message-Id: <1653752373-3172-1-git-send-email-chen45464546@163.com>

netdev_alloc_frag->page_frag_alloc may cause memory corruption in the following process:

1. A netdev_alloc_frag function call needs to allocate 200 bytes to build an skb.
2. There is insufficient memory to allocate PAGE_FRAG_CACHE_MAX_ORDER (32K) in __page_frag_cache_refill to fill the frag cache, so one page (e.g. 4K) is allocated. The current frag cache is now 4K, the allocation succeeds, and nc->pagecnt_bias--.
3. Then the 200-byte skb from step 1 is freed: page->_refcount--.
4. Another netdev_alloc_frag function call needs to allocate 5K. page->_refcount is equal to nc->pagecnt_bias, so the page count bias and offset are reset to the start of a new frag. page_frag_alloc will return the 4K memory for a 5K memory request.
5. The caller writes on the extra 1K of memory which is not actually allocated, which causes memory corruption.

page_frag_alloc is for fragmented allocation. We should warn the caller to avoid memory corruption.

Signed-off-by: Chen Lin
---
mm/page_alloc.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/mm/page_alloc.c b/mm/page_alloc.c index e008a3d..6c0db52 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -5574,6 +5574,11 @@ void *page_frag_alloc_align(struct page_frag_cache *nc, struct page *page; int offset; + /* frag_alloc is not suitable for memory alloc which fragsz + * is bigger than PAGE_SIZE, use kmalloc or alloc_pages instead. + */ + WARN_ON(fragsz > PAGE_SIZE); + if (unlikely(!nc->va)) { refill: page = __page_frag_cache_refill(nc, gfp_mask);
--
1.7.9.5
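Review bot: the unconditional WARN_ON(fragsz > PAGE_SIZE) at the top of page_frag_alloc_align only reports the problem; execution continues past it, so a 5K request against a 4K fallback cache is still handed a fragment smaller than requested and the corruption in steps 4 and 5 of the description still happens. The check also fires for legitimate callers: the description itself says the cache normally holds a PAGE_FRAG_CACHE_MAX_ORDER (32K) page, so a fragsz between PAGE_SIZE and 32K is valid whenever the large refill succeeded. Suggest comparing against the size the cache actually holds rather than the constant PAGE_SIZE, doing so in the path that resets the bias and offset after the single-page fallback, and returning NULL there instead of (or in addition to) warning, so the caller gets a failed allocation rather than a short one. Minor: this is a hot allocation path, so if a warning stays it should be WARN_ON_ONCE, and kernel coding style wants the `/*` of a multi-line comment on its own line outside net/.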
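The five-step scenario from the commit message, replayed in a small userspace C model of the page_frag cache bookkeeping (an added example, not code from the patch or from the kernel; `refill`, `frag_alloc`, `frag_free`, `replay` and the `hardened` flag are this model's own names, and `hardened` stands in for one possible fix, refusing the request, which the patch itself does not do). It also runs the same sequence against the normal 32K cache, where a 5K request is legitimate.

```c
#include <stdbool.h>
#define PAGE_SIZE 4096u
#define PAGE_FRAG_CACHE_MAX_SIZE 32768u      /* the order-3 "32K" cache from the report */
#define BIAS (PAGE_FRAG_CACHE_MAX_SIZE + 1)  /* nc->pagecnt_bias right after a refill */

struct frag_cache {
	unsigned int size;     /* bytes the backing page really holds: 32K, or 4K on fallback */
	int offset;            /* nc->offset */
	unsigned int bias;     /* nc->pagecnt_bias */
	unsigned int refcount; /* page->_refcount; equals bias once every fragment is freed */
	bool hardened;         /* assumption: refuse oversized requests instead of only warning */
};
/* __page_frag_cache_refill: under pressure the 32K allocation fails and one 4K page is used (step 2). */
static void refill(struct frag_cache *nc, bool low_memory)
{
	nc->size = low_memory ? PAGE_SIZE : PAGE_FRAG_CACHE_MAX_SIZE;
	nc->refcount = nc->bias = BIAS;  /* page_ref_add() on a fresh page */
	nc->offset = (int)nc->size;
}

/* page_frag_alloc_align minus alignment: true on success, *out = offset of the fragment. */
static bool frag_alloc(struct frag_cache *nc, unsigned int fragsz, bool low_memory, int *out)
{
	int offset = nc->offset - (int)fragsz;
	if (offset < 0 && nc->refcount != nc->bias) {
		refill(nc, low_memory);  /* page exhausted, fragments still held: goto refill */
		offset = nc->offset - (int)fragsz;
	}
	if (offset < 0) {
		/* Page exhausted but every fragment was freed: reset bias/offset and reuse it. */
		if (nc->hardened && fragsz > nc->size)
			return false;  /* cannot fit in this page: hand back NULL instead */
		nc->refcount = nc->bias = BIAS;
		offset = (int)nc->size - (int)fragsz;  /* negative once fragsz > size: the bug */
	}
	nc->bias--;
	nc->offset = *out = offset;
	return true;
}

static void frag_free(struct frag_cache *nc) { nc->refcount--; }  /* put_page() on a fragment */
/* Replays steps 1-4 of the report; returns the allocator's verdict, *offset = where the 5K went. */
static bool replay(bool low_memory, bool hardened, int *offset)
{
	struct frag_cache nc = { .hardened = hardened };
	refill(&nc, low_memory);                          /* first call fills the cache */
	frag_alloc(&nc, 200, low_memory, offset);         /* step 1: 200-byte skb */
	frag_free(&nc);                                   /* step 3: that skb is freed */
	return frag_alloc(&nc, 5120, low_memory, offset); /* step 4: 5K request */
}
```

On the 4K fallback page the unmodified logic reports success with an offset of -1024, i.e. the 5K fragment starts 1K before the page, which is the overrun the report describes; the hardened variant refuses the request, and on the 32K cache the same request is served normally.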