From: Barry Song <21cnbao@gmail.com>
Date: Mon, 19 Aug 2024 21:47:25 +1200
Subject: Re: [PATCH v3 3/4] mm: BUG_ON to avoid NULL deference while __GFP_NOFAIL fails
To: David Hildenbrand
Cc: akpm@linux-foundation.org, linux-mm@kvack.org, 42.hyeyoo@gmail.com, cl@linux.com, hailong.liu@oppo.com, hch@infradead.org, iamjoonsoo.kim@lge.com, mhocko@suse.com, penberg@kernel.org, rientjes@google.com, roman.gushchin@linux.dev, torvalds@linux-foundation.org, urezki@gmail.com, v-songbaohua@oppo.com, vbabka@suse.cz, virtualization@lists.linux.dev, Christoph Hellwig, Lorenzo Stoakes, Kees Cook, Eugenio Pérez, Jason Wang, Maxime Coquelin, "Michael S. Tsirkin", Xuan Zhuo

On Mon, Aug 19, 2024 at 9:43 PM David Hildenbrand wrote:
>
> On 17.08.24 08:24, Barry Song wrote:
> > From: Barry Song
> >
> > We have cases we still fail though callers might have __GFP_NOFAIL. Since
> > they don't check the return, we are exposed to the security risks for NULL
> > dereference.
> >
> > Though BUG_ON() is not encouraged by Linus, this is an unrecoverable
> > situation.
> >
> > Christoph Hellwig:
> > The whole freaking point of __GFP_NOFAIL is that callers don't handle
> > allocation failures. So in fact a straight BUG is the right thing
> > here.
> >
> > Vlastimil Babka:
> > It's just not a recoverable situation (WARN_ON is for recoverable
> > situations). The caller cannot handle allocation failure and at the same
> > time asked for an impossible allocation. BUG_ON() is a guaranteed oops
> > with stacktrace etc. We don't need to hope for the later NULL pointer
> > dereference (which might if really unlucky happen from a different
> > context where it's no longer obvious what led to the allocation failing).
> >
> > Michal Hocko:
> > Linus tends to be against adding new BUG() calls unless the failure is
> > absolutely unrecoverable (e.g. corrupted data structures etc.). I am
> > not sure how he would look at simply incorrect memory allocator usage to
> > blow up the kernel. Now the argument could be made that those failures
> > could cause subtle memory corruptions or even be exploitable which might
> > be a sufficient reason to stop them early.
> >
> > Signed-off-by: Barry Song
> > Reviewed-by: Christoph Hellwig
> > Acked-by: Vlastimil Babka
> > Acked-by: Michal Hocko
> > Cc: Uladzislau Rezki (Sony)
> > Cc: Lorenzo Stoakes
> > Cc: Christoph Lameter
> > Cc: Pekka Enberg
> > Cc: David Rientjes
> > Cc: Joonsoo Kim
> > Cc: Roman Gushchin
> > Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
> > Cc: Linus Torvalds
> > Cc: Kees Cook
> > Cc: "Eugenio Pérez"
> > Cc: Hailong.Liu
> > Cc: Jason Wang
> > Cc: Maxime Coquelin
> > Cc: "Michael S. Tsirkin"
> > Cc: Xuan Zhuo
> > --- > > include/linux/slab.h | 4 +++- > > mm/page_alloc.c | 4 +++- > > mm/util.c | 1 + > > 3 files changed, 7 insertions(+), 2 deletions(-) > > > > diff --git a/include/linux/slab.h b/include/linux/slab.h > > index c9cb42203183..4a4d1fdc2afe 100644 > > --- a/include/linux/slab.h > > +++ b/include/linux/slab.h > > @@ -827,8 +827,10 @@ kvmalloc_array_node_noprof(size_t n, size_t size, = gfp_t flags, int node) > > { > > size_t bytes; > > > > - if (unlikely(check_mul_overflow(n, size, &bytes))) > > + if (unlikely(check_mul_overflow(n, size, &bytes))) { > > + BUG_ON(flags & __GFP_NOFAIL); > > return NULL; > > + } > > > > return kvmalloc_node_noprof(bytes, flags, node); > > } > > diff --git a/mm/page_alloc.c b/mm/page_alloc.c > > index 60742d057b05..d2c37f8f8d09 100644 > > --- a/mm/page_alloc.c > > +++ b/mm/page_alloc.c > > @@ -4668,8 +4668,10 @@ struct page *__alloc_pages_noprof(gfp_t gfp, uns= igned int order, > > * There are several places where we assume that the order value = is sane > > * so bail out early if the request is out of bound. > > */ > > - if (WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)) > > + if (WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)) { > > + BUG_ON(gfp & __GFP_NOFAIL); > > return NULL; > > + } > > > > gfp &=3D gfp_allowed_mask; > > /* > > diff --git a/mm/util.c b/mm/util.c > > index ac01925a4179..678c647b778f 100644 > > --- a/mm/util.c > > +++ b/mm/util.c
> > @@ -667,6 +667,7 @@ void *__kvmalloc_node_noprof(DECL_BUCKET_PARAMS(siz= e, b), gfp_t flags, int node) > > > > /* Don't even allow crazy sizes */ > > if (unlikely(size > INT_MAX)) { > > + BUG_ON(flags & __GFP_NOFAIL);
>
> No new BUG_ON please. WARN_ON_ONCE() + recovery code might be suitable here.

Hi David,
WARN_ON_ONCE() might be fine but I don't see how it is possible to recover.

>
> --
> Cheers,
>
> David / dhildenb
>
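
Review bot: in the include/linux/slab.h hunk, the BUG_ON(flags & __GFP_NOFAIL) added inside the check_mul_overflow() branch of kvmalloc_array_node_noprof() carries no comment explaining why an overflowing n * size is fatal for __GFP_NOFAIL callers while every other caller still gets NULL. The rationale exists only in the commit message (such callers do not check the return value), so a one-line comment above the BUG_ON would keep it next to the code. The same "BUG_ON(x & __GFP_NOFAIL); return NULL;" pair is repeated in mm/page_alloc.c and mm/util.c, so a small shared helper would keep the three sites consistent.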
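
Review bot: in the mm/page_alloc.c hunk, the comment directly above the changed condition in __alloc_pages_noprof() still says the function will "bail out early if the request is out of bound", which is no longer accurate for __GFP_NOFAIL requests now that they reach BUG_ON(gfp & __GFP_NOFAIL) instead of returning NULL. Update the comment to describe both outcomes. Because the BUG_ON sits inside the block guarded by WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp), a __GFP_NOFAIL request with an oversized order passes through the warning condition first and then the BUG_ON; consider testing the __GFP_NOFAIL case on its own so the fatal path does not depend on how the warning macro evaluates.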
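
Review bot: in the mm/util.c hunk, the BUG_ON(flags & __GFP_NOFAIL) added under "if (unlikely(size > INT_MAX))" in __kvmalloc_node_noprof() is not reflected in the "Don't even allow crazy sizes" comment, which should say that a __GFP_NOFAIL request above INT_MAX is treated as fatal rather than rejected. If this line is reworked into a WARN_ON_ONCE() as the reply asks, the patch also needs to state what a __GFP_NOFAIL caller receives on this path, since the commit message says those callers do not check the return value.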