From: Alexander Duyck
Date: Tue, 9 Aug 2022 07:33:46 -0700
Subject: Re: [PATCH V3] mm: prevent page_frag_alloc() from corrupting the memory
To: Maurizio Lombardi
Cc: Andrew Morton, Jakub Kicinski, linux-mm, LKML, Netdev, 愚树
References: <20220715125013.247085-1-mlombard@redhat.com> <20220808171452.d870753e1494b92ba2142116@linux-foundation.org>

On Tue, Aug 9, 2022 at 4:45 AM Maurizio Lombardi wrote:
>
> On Tue 9. 8. 2022 at 2:14, Andrew Morton wrote:
> >
> > On Fri, 15 Jul 2022 14:50:13 +0200 Maurizio Lombardi wrote:
> >
> > > A number of drivers call page_frag_alloc() with a
> > > fragment's size > PAGE_SIZE.
> > > In low memory conditions, __page_frag_cache_refill() may fail the order 3
> > > cache allocation and fall back to order 0;
> > > In this case, the cache will be smaller than the fragment, causing
> > > memory corruptions.
> > >
> > > Prevent this from happening by checking if the newly allocated cache
> > > is large enough for the fragment; if not, the allocation will fail
> > > and page_frag_alloc() will return NULL.
> >
> > Can we come up with a Fixes: for this?
>
> I think the bug has been introduced in kernel 3.19-rc1
> Fixes: ffde7328a36d16e626bae8468571858d71cd010b

The problem is this patch won't cleanly apply to that since we moved the
function. In addition this issue is a bit more complex since it isn't
necessarily a problem in the code, but the assumption on how it can be
used by a select few drivers that were using it to allocate to higher
order pages.

It would probably be best to just go with:
Fixes: b63ae8ca096d ("mm/net: Rename and move page fragment handling from net/ to mm/")

> >
> > Should this fix be backported into -stable kernels?
>
> Yes, IMO this should be backported to -stable

This should be fine for -stable. Basically it just needs to be there to
block the drivers that abused the API to allocate high order pages
instead of fragments of an order 0 page.

Ultimately the correct fix for this is to fix those drivers, but this at
least is enough so that they will fail allocations now instead of
corrupting memory by overflowing an order 0 page.
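The failure mode the thread describes (an order-3 cache refill falling back to an order-0 page while a driver asks for a fragment larger than PAGE_SIZE) and the check the patch adds, modelled in user space as an added example. This is not the kernel's or the patch's code; the `model_*` names, the 4 KiB page size and the `model_high_order_fails` knob that stands in for memory pressure are constructed for the illustration.

```c
/* Added illustration, not kernel code: a user-space model of the
 * page_frag_alloc() refill path with the size check the patch adds. */
#include <stdlib.h>

#define MODEL_PAGE_SIZE 4096u
#define MODEL_FRAG_ORDER 3u      /* the kernel tries an order-3 cache first */

struct model_frag_cache {
    char *va;            /* backing buffer, NULL before the first refill */
    unsigned int size;   /* bytes backing va: 32 KiB, or PAGE_SIZE on fallback */
    unsigned int offset; /* fragments are carved downwards from size */
};

/* Constructed knob: nonzero makes the order-3 allocation fail as it would
 * under memory pressure, so the refill falls back to a single order-0 page. */
int model_high_order_fails = 0;

static char *model_refill(struct model_frag_cache *nc)
{
    unsigned int size = MODEL_PAGE_SIZE << MODEL_FRAG_ORDER;
    free(nc->va);
    nc->va = model_high_order_fails ? NULL : malloc(size);
    if (!nc->va) {                     /* fall back to order 0 */
        size = MODEL_PAGE_SIZE;
        nc->va = malloc(size);
    }
    nc->size = nc->va ? size : 0;
    return nc->va;
}

/* Returns fragsz bytes carved from the cache, or NULL. The "fragsz > size"
 * test after a refill is the fix under discussion: without it a caller
 * asking for more than PAGE_SIZE would be handed an offset computed below
 * zero, i.e. memory outside the order-0 page the cache actually holds. */
void *model_page_frag_alloc(struct model_frag_cache *nc, unsigned int fragsz)
{
    if (!nc->va || nc->offset < fragsz) {
        if (!model_refill(nc))
            return NULL;
        nc->offset = nc->size;         /* reset to the start of the new cache */
        if (fragsz > nc->size)         /* cache too small for this fragment */
            return NULL;
    }
    nc->offset -= fragsz;
    return nc->va + nc->offset;
}
```

With the knob set, an 8 KiB request is refused instead of overflowing the 4 KiB page, while requests up to one page still succeed from the fallback cache.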