From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9E167C433EF for ; Thu, 2 Dec 2021 21:23:36 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 17D9E6B0072; Thu, 2 Dec 2021 16:23:26 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 12D356B0074; Thu, 2 Dec 2021 16:23:26 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id F36736B0075; Thu, 2 Dec 2021 16:23:25 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0187.hostedemail.com [216.40.44.187]) by kanga.kvack.org (Postfix) with ESMTP id E44CC6B0072 for ; Thu, 2 Dec 2021 16:23:25 -0500 (EST) Received: from smtpin04.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay03.hostedemail.com (Postfix) with ESMTP id AC1378249980 for ; Thu, 2 Dec 2021 21:23:15 +0000 (UTC) X-FDA: 78874129950.04.5D656A2 Received: from mail-pg1-f182.google.com (mail-pg1-f182.google.com [209.85.215.182]) by imf11.hostedemail.com (Postfix) with ESMTP id 613DFF0000B2 for ; Thu, 2 Dec 2021 21:23:15 +0000 (UTC) Received: by mail-pg1-f182.google.com with SMTP id r138so973955pgr.13 for ; Thu, 02 Dec 2021 13:23:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=f92UhoV+UvtYus8uVnjAiNNc93iRwfX2vlNySXTiZA0=; b=lqmhKbkLMJ4IR225tm3NFDEkQx/1eYQG5+US8z4NtVACMz8mrHupVd4m6BYBmEYdQd acSBob80SxUuj/QjvBX6UKngQDhtyboMKpKrulyrnv90dCPgYM5gWX5JACyQQcDEFN2t mjjafX8urta1pud0A9TL8hOq7xyc+ci0vUN5E= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=f92UhoV+UvtYus8uVnjAiNNc93iRwfX2vlNySXTiZA0=; b=F8UhuvJt0FtNQ6F1fCkGTJbx+jwZBsfXavO01l8HK8vIrTfaBQx++vc+9oriTMOid4 bD3ZfMwOBc6ld82DIpa7iOYdeoJw017G1VyoxQWUSl74J6c/p97KVqJEW7KYUGHWk47I lH4Ypo1ffImP0+IeZK3U7eGirP4Nr7ENJ42pWZdurxMwCLCJ/pM3zxBsb5akjp4i4JI4 7pAkbuwt+uIA54MViZTc8en9YZR6fHLBarGCyBZGs2OZyCGS4xrb05Fm0I1fLFid/4Zl e9jAPe1+3+wUay1pGGNid2FBxOepmXqRmvFDnishUbDvh9mDmKg0kDZtmHwoe+xYvb+S NTXw== X-Gm-Message-State: AOAM531GXo9RsMahem8SFszYoyvQYo927KuyWHgPr8/2LoqBoK7AzqfK 46h8CghlQHGu47STKX6jj5b3bw== X-Google-Smtp-Source: ABdhPJynLXbQq+VwjTcfthHvA+r4AoagXGsII57SAR8iwsArMOCPYIqO1c/t31wTiFbEtBwrxc+QwA== X-Received: by 2002:a63:be4e:: with SMTP id g14mr1353293pgo.194.1638480194239; Thu, 02 Dec 2021 13:23:14 -0800 (PST) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id y7sm460527pge.44.2021.12.02.13.23.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Dec 2021 13:23:13 -0800 (PST) Date: Thu, 2 Dec 2021 13:23:13 -0800 From: Kees Cook To: Leon Romanovsky Cc: Matthew Wilcox , Andrew Morton , Bixuan Cui , linux-mm@kvack.org, linux-kernel@vger.kernel.org, torvalds@linux-foundation.org, w@1wt.eu Subject: Re: [PATCH -next] mm: delete oversized WARN_ON() in kvmalloc() calls Message-ID: <202112021320.87AB40A@keescook> References: <1638410784-48646-1-git-send-email-cuibixuan@linux.alibaba.com> <20211201192643.ecb0586e0d53bf8454c93669@linux-foundation.org> <202112021105.C9E64318F@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Rspamd-Server: rspam04 X-Rspamd-Queue-Id: 613DFF0000B2 X-Stat-Signature: qbt6nrdi9tz8njexwxfikq5j1josboui Authentication-Results: imf11.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=lqmhKbkL; spf=pass (imf11.hostedemail.com: domain of keescook@chromium.org designates 209.85.215.182 as permitted sender) smtp.mailfrom=keescook@chromium.org; dmarc=pass (policy=none) header.from=chromium.org X-HE-Tag: 1638480195-845850 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Thu, Dec 02, 2021 at 09:24:08PM +0200, Leon Romanovsky wrote: > On Thu, Dec 02, 2021 at 11:08:34AM -0800, Kees Cook wrote: > > On Thu, Dec 02, 2021 at 06:08:40PM +0200, Leon Romanovsky wrote: > > > On Thu, Dec 02, 2021 at 03:29:47PM +0000, Matthew Wilcox wrote: > > > > On Thu, Dec 02, 2021 at 05:23:42PM +0200, Leon Romanovsky wrote: > > > > > The problem is that this WARN_ON() is triggered by the users. > > > > > > > > ... or the problem is that you don't do a sanity check between the user > > > > and the MM system. I mean, that's what this conversation is about -- > > > > is it a bug to be asking for this much memory in the first place? > > > > > > We do a lot of checks, and in this case, user provided valid input. > > > He asked size that doesn't cross his address space. > > > https://elixir.bootlin.com/linux/v5.16-rc3/source/drivers/infiniband/core/umem_odp.c#L67 > > > > > > start = ALIGN_DOWN(umem_odp->umem.address, page_size); > > > if (check_add_overflow(umem_odp->umem.address, > > > (unsigned long)umem_odp->umem.length, > > > &end)) > > > return -EOVERFLOW; > > > > > > There is a feature called ODP (on-demand-paging) which is supported > > > in some RDMA NICs. It allows to the user "export" their whole address > > > space to the other RDMA node without pinning the pages. And once the > > > other node sends data to not-pinned page, the RDMA NIC will prefetch > > > it. > > > > I think we have two cases: > > > > - limiting kvmalloc allocations to INT_MAX > > - issuing a WARN when that limit is exceeded > > > > The argument for the having the WARN is "that amount should never be > > allocated so we want to find the pathological callers". > > > > But if the actual issue is that >INT_MAX is _acceptable_, then we have > > to do away with the entire check, not just the WARN. > > First we need to get rid from WARN_ON(), which is completely safe thing to do. > > Removal of the check can be done in second step as it will require audit > of whole kvmalloc* path. If those are legit sizes, I'm fine with dropping the WARN. (But I still think if they're legit sizes, we must also drop the INT_MAX limit.) -- Kees Cook