From: Alexander Duyck
Date: Mon, 11 Jul 2022 08:34:26 -0700
Subject: Re: [PATCH] mm: prevent page_frag_alloc() from corrupting the memory
To: Maurizio Lombardi
Cc: Jakub Kicinski, Andrew Morton, linux-mm, LKML, Netdev, Chen Lin
In-Reply-To: <20220711075225.15687-1-mlombard@redhat.com>
References: <20220711075225.15687-1-mlombard@redhat.com>

On Mon, Jul 11, 2022 at 12:52 AM Maurizio Lombardi wrote:
>
> A number of drivers call page_frag_alloc() with a
> fragment's size > PAGE_SIZE.
> In low memory conditions, __page_frag_cache_refill() may fail the order 3
> cache allocation and fall back to order 0;
> if this happens, the cache will be smaller than the fragment, causing
> memory corruptions.
>
> Prevent this from happening by checking if the newly allocated cache
> is large enough for the fragment; if not, the allocation will fail
> and page_frag_alloc() will return NULL.
>
> Signed-off-by: Maurizio Lombardi
> ---
>  mm/page_alloc.c | 11 ++++++++---
>  1 file changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/mm/page_alloc.c b/mm/page_alloc.c
> index e008a3df0485..7fb000d7e90c 100644
> --- a/mm/page_alloc.c
> +++ b/mm/page_alloc.c
> @@ -5611,12 +5611,17 @@ void *page_frag_alloc_align(struct page_frag_cache *nc,
>  		/* if size can vary use size else just use PAGE_SIZE */
>  		size = nc->size;
>  #endif
> -		/* OK, page count is 0, we can safely set it */
> -		set_page_count(page, PAGE_FRAG_CACHE_MAX_SIZE + 1);
> -
>  		/* reset page count bias and offset to start of new frag */
>  		nc->pagecnt_bias = PAGE_FRAG_CACHE_MAX_SIZE + 1;
>  		offset = size - fragsz;
> +		if (unlikely(offset < 0)) {
> +			free_the_page(page, compound_order(page));
> +			nc->va = NULL;
> +			return NULL;
> +		}
> +
> +		/* OK, page count is 0, we can safely set it */
> +		set_page_count(page, PAGE_FRAG_CACHE_MAX_SIZE + 1);
>  	}
>
>  	nc->pagecnt_bias--;

Rather than forcing us to free the page, it might be better to move the
lines getting the size and computing the offset to the top of the
"if (unlikely(offset < 0)) {" block. Then, instead of freeing the page, we
could just return NULL and don't have to change the value of any fields in
the page_frag_cache. That way a driver performing bad requests can't force
us to start allocating and freeing pages like mad by repeatedly flushing
the cache.
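Review bot: the new `if (unlikely(offset < 0))` block returns NULL silently, so a request that only fails after the order-0 fallback looks to the caller like an ordinary allocation failure; since the commit message says a number of drivers issue fragments larger than PAGE_SIZE, a `WARN_ON_ONCE` on that path (or at least a comment) would let the offending caller be identified instead of leaving a corruption-prevention check indistinguishable from memory pressure. Note also that the hunk's correctness depends on the reordering it makes: `free_the_page(page, compound_order(page));` is only valid here because `set_page_count(page, PAGE_FRAG_CACHE_MAX_SIZE + 1);` was moved below the check, so the page still has the zero count the `/* OK, page count is 0, we can safely set it */` comment describes. For the same reason the `nc->pagecnt_bias = PAGE_FRAG_CACHE_MAX_SIZE + 1;` assignment above the check could move below it, so the failure path does not leave a fresh bias beside a NULL `nc->va`.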
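The failure mode the commit message describes (an order-3 cache refill falling back to order 0, leaving a cache smaller than the requested fragment) and the effect of the patch's size check, shown as an added user-space model. This is illustration code written for this page, not the kernel's page_frag code and not from either participant in the thread; `model_frag_cache`, `model_refill`, `model_frag_alloc`, `model_scenario` and the `MODEL_*` constants are constructed names, `malloc` stands in for the page allocator, and the kernel's page-reuse versus refill distinction is collapsed into a single "restart from the full cache size" step.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for PAGE_SIZE and the order-3 cache in the patch. */
#define MODEL_PAGE_SIZE  4096u
#define MODEL_MAX_ORDER  3u

/* Minimal model of struct page_frag_cache: one backing buffer carved from the top down. */
struct model_frag_cache {
    unsigned char *va;     /* backing buffer, NULL when the cache is empty */
    unsigned int size;     /* bytes in the backing buffer */
    int offset;            /* start of the most recent fragment, counted down from size */
};

/* What one allocation returned: ok == false models page_frag_alloc() returning NULL. */
struct model_result {
    bool ok;
    long offset;           /* fragment start relative to va; negative means before the buffer */
};

/* Model of __page_frag_cache_refill(): under memory pressure the order-3
 * request "fails" and we fall back to a single page, as the commit message says. */
static bool model_refill(struct model_frag_cache *nc, bool low_memory)
{
    unsigned int size = low_memory ? MODEL_PAGE_SIZE
                                   : (MODEL_PAGE_SIZE << MODEL_MAX_ORDER);
    unsigned char *va = malloc(size);

    if (!va)
        return false;
    nc->va = va;
    nc->size = size;
    nc->offset = (int)size;
    return true;
}

/* Model of page_frag_alloc(). check_size == false reproduces the pre-patch
 * arithmetic; check_size == true applies the patch's "is the cache big enough" test. */
static struct model_result model_frag_alloc(struct model_frag_cache *nc, unsigned int fragsz,
                                            bool low_memory, bool check_size)
{
    struct model_result r = { false, 0 };
    int offset;

    if (!nc->va && !model_refill(nc, low_memory))
        return r;

    offset = nc->offset - (int)fragsz;
    if (offset < 0) {
        /* Cache exhausted. The kernel reuses the page when it is the sole
         * owner or refills; both restart carving from the full size. */
        offset = (int)nc->size - (int)fragsz;
        if (check_size && offset < 0) {
            /* The patch's check: the whole cache is smaller than the
             * request, so fail instead of handing out a bad pointer. */
            free(nc->va);
            nc->va = NULL;
            return r;
        }
    }
    nc->offset = offset;
    r.ok = true;
    r.offset = offset;     /* without the check this can be negative */
    return r;
}

/* Run a single request against a fresh cache and release the buffer. */
static struct model_result model_scenario(bool low_memory, bool check_size, unsigned int fragsz)
{
    struct model_frag_cache nc = { NULL, 0, 0 };
    struct model_result r = model_frag_alloc(&nc, fragsz, low_memory, check_size);

    free(nc.va);
    return r;
}

int main(void)
{
    struct model_result r;

    r = model_scenario(false, false, 2 * MODEL_PAGE_SIZE);
    printf("order-3 cache, 8 KiB request: ok=%d offset=%ld\n", r.ok, r.offset);
    r = model_scenario(true, false, 2 * MODEL_PAGE_SIZE);
    printf("order-0 fallback, no check:   ok=%d offset=%ld (before the buffer)\n", r.ok, r.offset);
    r = model_scenario(true, true, 2 * MODEL_PAGE_SIZE);
    printf("order-0 fallback, with check: ok=%d\n", r.ok);
    return 0;
}
```

The second scenario is the bug: with a 4 KiB fallback cache and an 8 KiB request, `size - fragsz` is -4096, so the returned fragment would start 4 KiB before the cache and the caller's writes would land in whatever precedes it. The third scenario is the patched behaviour, where the same request is refused. The model also shows why the reply above prefers not to drop the cache on refusal: in `model_scenario` every refused request discards the buffer, so a caller alternating oversized and normal requests would trigger a refill each time.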