[RFC PATCH] mm/slab: Add size validation in kmalloc_array_* functions

[RFC PATCH] mm/slab: Add size validation in kmalloc_array_* functions

[I Viswanath]

syzbot reported WARNING in max_vclocks_store.

This occurs when the size argument fits into a u32 but is too large 
to allocate, i.e., when it's between KMALLOC_MAX_SIZE + 1 
and UINT_MAX (both limits included)

Add validation to kmalloc_array_noprof() and related functions to 
return early if the requested size exceeds KMALLOC_MAX_SIZE.

This seems like the most reasonable place for this guard.

Would it be a good idea to move the check down to 
the lower level functions like __kmalloc_node_noprof()?

Moving it up is not a good idea because
max_vclocks_store shouldn't reason around KMALLOC_MAX_SIZE, 
a mm specific macro.

Should the Fixes: commit here be the one in which this file 
was added?

Reported-by: syzbot+94d20db923b9f51be0df@syzkaller.appspotmail.com
Tested-by: syzbot+94d20db923b9f51be0df@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=94d20db923b9f51be0df
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: I Viswanath <viswanathiyyappan@gmail.com>
---
 include/linux/slab.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/linux/slab.h b/include/linux/slab.h
index d5a8ab98035c..6db15c5b2ce7 100644
--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@@ -943,7 +943,7 @@ static inline __alloc_size(1, 2) void *kmalloc_array_noprof(size_t n, size_t siz
 {
 	size_t bytes;
 
-	if (unlikely(check_mul_overflow(n, size, &bytes)))
+	if (unlikely(check_mul_overflow(n, size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
 		return NULL;
 	return kmalloc_noprof(bytes, flags);
 }
@@ -973,7 +973,7 @@ static inline __realloc_size(2, 3) void * __must_check krealloc_array_noprof(voi
 {
 	size_t bytes;
 
-	if (unlikely(check_mul_overflow(new_n, new_size, &bytes)))
+	if (unlikely(check_mul_overflow(new_n, new_size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
 		return NULL;
 
 	return krealloc_noprof(p, bytes, flags);
@@ -1013,7 +1013,7 @@ static inline __alloc_size(1, 2) void *kmalloc_array_node_noprof(size_t n, size_
 {
 	size_t bytes;
 
-	if (unlikely(check_mul_overflow(n, size, &bytes)))
+	if (unlikely(check_mul_overflow(n, size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
 		return NULL;
 	if (__builtin_constant_p(n) && __builtin_constant_p(size))
 		return kmalloc_node_noprof(bytes, flags, node);
@@ -1059,7 +1059,7 @@ kvmalloc_array_node_noprof(size_t n, size_t size, gfp_t flags, int node)
 {
 	size_t bytes;
 
-	if (unlikely(check_mul_overflow(n, size, &bytes)))
+	if (unlikely(check_mul_overflow(n, size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
 		return NULL;
 
 	return kvmalloc_node_noprof(bytes, flags, node);
-- 
2.47.3

Re: [RFC PATCH] mm/slab: Add size validation in kmalloc_array_* functions

[Harry Yoo]

Hi I, thanks for looking into the syzbot report.

On Mon, Sep 22, 2025 at 10:33:57PM +0530, I Viswanath wrote:
> syzbot reported WARNING in max_vclocks_store.
> 
> This occurs when the size argument fits into a u32 but is too large 
> to allocate, i.e., when it's between KMALLOC_MAX_SIZE + 1 
> and UINT_MAX (both limits included)

This is not quite.

When bytes > KKMALLOC_MAX_SIZE (8K on my system), kmalloc redirects allocation
to the buddy allocator, which can allocate up to (PAGE_SIZE << MAX_PAGE_ORDER)
bytes (4M on my system).

Because allocating a page with order > MAX_PAGE_ORDER page is never
supposed to succeed, the caller of kmalloc should be fixed rather than
kmalloc itself.

> Add validation to kmalloc_array_noprof() and related functions to 
> return early if the requested size exceeds KMALLOC_MAX_SIZE.

This is against the point of WARNING in the buddy allocator.

I think the right fix should be to return -EINVAL in max_vclocks_store()
if max * sizeof(int) exceeds PAGE_SIZE << MAX_PAGE_ORDER?

-- 
Cheers,
Harry / Hyeonggon

> This seems like the most reasonable place for this guard.
> 
> Would it be a good idea to move the check down to 
> the lower level functions like __kmalloc_node_noprof()?
> 
> Moving it up is not a good idea because
> max_vclocks_store shouldn't reason around KMALLOC_MAX_SIZE, 
> a mm specific macro.
> 
> Should the Fixes: commit here be the one in which this file 
> was added?
> 
> Reported-by: syzbot+94d20db923b9f51be0df@syzkaller.appspotmail.com
> Tested-by: syzbot+94d20db923b9f51be0df@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=94d20db923b9f51be0df
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: I Viswanath <viswanathiyyappan@gmail.com>
> ---
>  include/linux/slab.h | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/include/linux/slab.h b/include/linux/slab.h
> index d5a8ab98035c..6db15c5b2ce7 100644
> --- a/include/linux/slab.h
> +++ b/include/linux/slab.h
> @@ -943,7 +943,7 @@ static inline __alloc_size(1, 2) void *kmalloc_array_noprof(size_t n, size_t siz
>  {
>  	size_t bytes;
>  
> -	if (unlikely(check_mul_overflow(n, size, &bytes)))
> +	if (unlikely(check_mul_overflow(n, size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
>  		return NULL;
>  	return kmalloc_noprof(bytes, flags);
>  }
> @@ -973,7 +973,7 @@ static inline __realloc_size(2, 3) void * __must_check krealloc_array_noprof(voi
>  {
>  	size_t bytes;
>  
> -	if (unlikely(check_mul_overflow(new_n, new_size, &bytes)))
> +	if (unlikely(check_mul_overflow(new_n, new_size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
>  		return NULL;
>  
>  	return krealloc_noprof(p, bytes, flags);
> @@ -1013,7 +1013,7 @@ static inline __alloc_size(1, 2) void *kmalloc_array_node_noprof(size_t n, size_
>  {
>  	size_t bytes;
>  
> -	if (unlikely(check_mul_overflow(n, size, &bytes)))
> +	if (unlikely(check_mul_overflow(n, size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
>  		return NULL;
>  	if (__builtin_constant_p(n) && __builtin_constant_p(size))
>  		return kmalloc_node_noprof(bytes, flags, node);
> @@ -1059,7 +1059,7 @@ kvmalloc_array_node_noprof(size_t n, size_t size, gfp_t flags, int node)
>  {
>  	size_t bytes;
>  
> -	if (unlikely(check_mul_overflow(n, size, &bytes)))
> +	if (unlikely(check_mul_overflow(n, size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
>  		return NULL;
>  
>  	return kvmalloc_node_noprof(bytes, flags, node);
> -- 
> 2.47.3
> 

Re: [RFC PATCH] mm/slab: Add size validation in kmalloc_array_* functions

[Matthew Wilcox]

On Mon, Sep 22, 2025 at 10:33:57PM +0530, I Viswanath wrote:
> This occurs when the size argument fits into a u32 but is too large 
> to allocate, i.e., when it's between KMALLOC_MAX_SIZE + 1 
> and UINT_MAX (both limits included)

Is it really a good idea to support 2^28 vclocks?  Surely there's a
limit that makes sense to the PTP driver.

Beyond that, this should probably be using kvmalloc_array rather than
kcalloc_array().

Re: [RFC PATCH] mm/slab: Add size validation in kmalloc_array_* functions

[viswanath]

On Tue, 23 Sept 2025 at 03:06, Matthew Wilcox <willy@infradead.org> wrote:
> Is it really a good idea to support 2^28 vclocks?  Surely there's a
> limit that makes sense to the PTP driver.

I think I will add a new macro for the limit and validate against that

Thanks
Viswanath

Re: [RFC PATCH] mm/slab: Add size validation in kmalloc_array_* functions

[viswanath]

On Mon, 22 Sept 2025 at 23:30, Harry Yoo <harry.yoo@oracle.com> wrote:

> When bytes > KKMALLOC_MAX_SIZE (8K on my system), kmalloc redirects allocation
> to the buddy allocator, which can allocate up to (PAGE_SIZE << MAX_PAGE_ORDER)
> bytes (4M on my system).

In include/linux/slab.h,
KMALLOC_MAX_SIZE is ultimately defined as PAGE_SIZE << MAX_PAGE_ORDER and
KMALLOC_MAX_CACHE_SIZE as PAGE_SIZE << 1

I was using those definitions

> Because allocating a page with order > MAX_PAGE_ORDER page is never
> supposed to succeed, the caller of kmalloc should be fixed rather than
> kmalloc itself.

So, Is it almost never a good idea to add new validation in the allocator code?

> I think the right fix should be to return -EINVAL in max_vclocks_store()
> if max * sizeof(int) exceeds PAGE_SIZE << MAX_PAGE_ORDER?

Thanks, I will go ahead with this approach

Thanks,
Viswanath

Re: [RFC PATCH] mm/slab: Add size validation in kmalloc_array_* functions

[Harry Yoo]

On Tue, Sep 23, 2025 at 10:41:39AM +0530, viswanath wrote:
> On Mon, 22 Sept 2025 at 23:30, Harry Yoo <harry.yoo@oracle.com> wrote:
> 
> > When bytes > KKMALLOC_MAX_SIZE (8K on my system), kmalloc redirects allocation
> > to the buddy allocator, which can allocate up to (PAGE_SIZE << MAX_PAGE_ORDER)
> > bytes (4M on my system).
> 
> In include/linux/slab.h,
> KMALLOC_MAX_SIZE is ultimately defined as PAGE_SIZE << MAX_PAGE_ORDER and
> KMALLOC_MAX_CACHE_SIZE as PAGE_SIZE << 1
> 
> I was using those definitions

Err, you're right :) you mentioned KMALLOC_MAX_SIZE, not
KMALLOC_MAX_CACHE_SIZE. Apologies for the confusion.

> > Because allocating a page with order > MAX_PAGE_ORDER page is never
> > supposed to succeed, the caller of kmalloc should be fixed rather than
> > kmalloc itself.
> 
> So, Is it almost never a good idea to add new validation in the allocator code?

Yes, because such allocations will always fail and that's never a good
thing.

> > I think the right fix should be to return -EINVAL in max_vclocks_store()
> > if max * sizeof(int) exceeds PAGE_SIZE << MAX_PAGE_ORDER?
> 
> Thanks, I will go ahead with this approach
> 
> Thanks,
> Viswanath

-- 
Cheers,
Harry / Hyeonggon