* [RFC PATCH] mm/slab: Add size validation in kmalloc_array_* functions
@ 2025-09-22 17:03 I Viswanath
2025-09-22 17:59 ` Harry Yoo
2025-09-22 21:36 ` Matthew Wilcox
0 siblings, 2 replies; 6+ messages in thread
From: I Viswanath @ 2025-09-22 17:03 UTC (permalink / raw)
To: vbabka, akpm, cl, rientjes, roman.gushchin, harry.yoo
Cc: linux-mm, linux-kernel, skhan, david.hunter.linux,
linux-kernel-mentees, I Viswanath, syzbot+94d20db923b9f51be0df
syzbot reported WARNING in max_vclocks_store.
This occurs when the size argument fits into a u32 but is too large
to allocate, i.e., when it's between KMALLOC_MAX_SIZE + 1
and UINT_MAX (both limits included)
Add validation to kmalloc_array_noprof() and related functions to
return early if the requested size exceeds KMALLOC_MAX_SIZE.
This seems like the most reasonable place for this guard.
Would it be a good idea to move the check down to
the lower level functions like __kmalloc_node_noprof()?
Moving it up is not a good idea because
max_vclocks_store shouldn't reason around KMALLOC_MAX_SIZE,
a mm specific macro.
Should the Fixes: commit here be the one in which this file
was added?
Reported-by: syzbot+94d20db923b9f51be0df@syzkaller.appspotmail.com
Tested-by: syzbot+94d20db923b9f51be0df@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=94d20db923b9f51be0df
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: I Viswanath <viswanathiyyappan@gmail.com>
---
include/linux/slab.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/linux/slab.h b/include/linux/slab.h
index d5a8ab98035c..6db15c5b2ce7 100644
--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@@ -943,7 +943,7 @@ static inline __alloc_size(1, 2) void *kmalloc_array_noprof(size_t n, size_t siz
{
size_t bytes;
- if (unlikely(check_mul_overflow(n, size, &bytes)))
+ if (unlikely(check_mul_overflow(n, size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
return NULL;
return kmalloc_noprof(bytes, flags);
}
@@ -973,7 +973,7 @@ static inline __realloc_size(2, 3) void * __must_check krealloc_array_noprof(voi
{
size_t bytes;
- if (unlikely(check_mul_overflow(new_n, new_size, &bytes)))
+ if (unlikely(check_mul_overflow(new_n, new_size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
return NULL;
return krealloc_noprof(p, bytes, flags);
@@ -1013,7 +1013,7 @@ static inline __alloc_size(1, 2) void *kmalloc_array_node_noprof(size_t n, size_
{
size_t bytes;
- if (unlikely(check_mul_overflow(n, size, &bytes)))
+ if (unlikely(check_mul_overflow(n, size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
return NULL;
if (__builtin_constant_p(n) && __builtin_constant_p(size))
return kmalloc_node_noprof(bytes, flags, node);
@@ -1059,7 +1059,7 @@ kvmalloc_array_node_noprof(size_t n, size_t size, gfp_t flags, int node)
{
size_t bytes;
- if (unlikely(check_mul_overflow(n, size, &bytes)))
+ if (unlikely(check_mul_overflow(n, size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
return NULL;
return kvmalloc_node_noprof(bytes, flags, node);
--
2.47.3
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [RFC PATCH] mm/slab: Add size validation in kmalloc_array_* functions
2025-09-22 17:03 [RFC PATCH] mm/slab: Add size validation in kmalloc_array_* functions I Viswanath
@ 2025-09-22 17:59 ` Harry Yoo
2025-09-23 5:11 ` viswanath
2025-09-22 21:36 ` Matthew Wilcox
1 sibling, 1 reply; 6+ messages in thread
From: Harry Yoo @ 2025-09-22 17:59 UTC (permalink / raw)
To: I Viswanath
Cc: vbabka, akpm, cl, rientjes, roman.gushchin, linux-mm,
linux-kernel, skhan, david.hunter.linux, linux-kernel-mentees,
syzbot+94d20db923b9f51be0df
Hi I, thanks for looking into the syzbot report.
On Mon, Sep 22, 2025 at 10:33:57PM +0530, I Viswanath wrote:
> syzbot reported WARNING in max_vclocks_store.
>
> This occurs when the size argument fits into a u32 but is too large
> to allocate, i.e., when it's between KMALLOC_MAX_SIZE + 1
> and UINT_MAX (both limits included)
This is not quite.
When bytes > KKMALLOC_MAX_SIZE (8K on my system), kmalloc redirects allocation
to the buddy allocator, which can allocate up to (PAGE_SIZE << MAX_PAGE_ORDER)
bytes (4M on my system).
Because allocating a page with order > MAX_PAGE_ORDER page is never
supposed to succeed, the caller of kmalloc should be fixed rather than
kmalloc itself.
> Add validation to kmalloc_array_noprof() and related functions to
> return early if the requested size exceeds KMALLOC_MAX_SIZE.
This is against the point of WARNING in the buddy allocator.
I think the right fix should be to return -EINVAL in max_vclocks_store()
if max * sizeof(int) exceeds PAGE_SIZE << MAX_PAGE_ORDER?
--
Cheers,
Harry / Hyeonggon
> This seems like the most reasonable place for this guard.
>
> Would it be a good idea to move the check down to
> the lower level functions like __kmalloc_node_noprof()?
>
> Moving it up is not a good idea because
> max_vclocks_store shouldn't reason around KMALLOC_MAX_SIZE,
> a mm specific macro.
>
> Should the Fixes: commit here be the one in which this file
> was added?
>
> Reported-by: syzbot+94d20db923b9f51be0df@syzkaller.appspotmail.com
> Tested-by: syzbot+94d20db923b9f51be0df@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=94d20db923b9f51be0df
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: I Viswanath <viswanathiyyappan@gmail.com>
> ---
> include/linux/slab.h | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/include/linux/slab.h b/include/linux/slab.h
> index d5a8ab98035c..6db15c5b2ce7 100644
> --- a/include/linux/slab.h
> +++ b/include/linux/slab.h
> @@ -943,7 +943,7 @@ static inline __alloc_size(1, 2) void *kmalloc_array_noprof(size_t n, size_t siz
> {
> size_t bytes;
>
> - if (unlikely(check_mul_overflow(n, size, &bytes)))
> + if (unlikely(check_mul_overflow(n, size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
> return NULL;
> return kmalloc_noprof(bytes, flags);
> }
> @@ -973,7 +973,7 @@ static inline __realloc_size(2, 3) void * __must_check krealloc_array_noprof(voi
> {
> size_t bytes;
>
> - if (unlikely(check_mul_overflow(new_n, new_size, &bytes)))
> + if (unlikely(check_mul_overflow(new_n, new_size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
> return NULL;
>
> return krealloc_noprof(p, bytes, flags);
> @@ -1013,7 +1013,7 @@ static inline __alloc_size(1, 2) void *kmalloc_array_node_noprof(size_t n, size_
> {
> size_t bytes;
>
> - if (unlikely(check_mul_overflow(n, size, &bytes)))
> + if (unlikely(check_mul_overflow(n, size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
> return NULL;
> if (__builtin_constant_p(n) && __builtin_constant_p(size))
> return kmalloc_node_noprof(bytes, flags, node);
> @@ -1059,7 +1059,7 @@ kvmalloc_array_node_noprof(size_t n, size_t size, gfp_t flags, int node)
> {
> size_t bytes;
>
> - if (unlikely(check_mul_overflow(n, size, &bytes)))
> + if (unlikely(check_mul_overflow(n, size, &bytes) || (bytes > KMALLOC_MAX_SIZE)))
> return NULL;
>
> return kvmalloc_node_noprof(bytes, flags, node);
> --
> 2.47.3
>
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [RFC PATCH] mm/slab: Add size validation in kmalloc_array_* functions
2025-09-22 17:59 ` Harry Yoo
@ 2025-09-23 5:11 ` viswanath
2025-09-23 6:14 ` Harry Yoo
0 siblings, 1 reply; 6+ messages in thread
From: viswanath @ 2025-09-23 5:11 UTC (permalink / raw)
To: Harry Yoo
Cc: vbabka, akpm, cl, rientjes, roman.gushchin, linux-mm,
linux-kernel, skhan, david.hunter.linux, linux-kernel-mentees,
syzbot+94d20db923b9f51be0df
On Mon, 22 Sept 2025 at 23:30, Harry Yoo <harry.yoo@oracle.com> wrote:
> When bytes > KKMALLOC_MAX_SIZE (8K on my system), kmalloc redirects allocation
> to the buddy allocator, which can allocate up to (PAGE_SIZE << MAX_PAGE_ORDER)
> bytes (4M on my system).
In include/linux/slab.h,
KMALLOC_MAX_SIZE is ultimately defined as PAGE_SIZE << MAX_PAGE_ORDER and
KMALLOC_MAX_CACHE_SIZE as PAGE_SIZE << 1
I was using those definitions
> Because allocating a page with order > MAX_PAGE_ORDER page is never
> supposed to succeed, the caller of kmalloc should be fixed rather than
> kmalloc itself.
So, Is it almost never a good idea to add new validation in the allocator code?
> I think the right fix should be to return -EINVAL in max_vclocks_store()
> if max * sizeof(int) exceeds PAGE_SIZE << MAX_PAGE_ORDER?
Thanks, I will go ahead with this approach
Thanks,
Viswanath
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [RFC PATCH] mm/slab: Add size validation in kmalloc_array_* functions
2025-09-23 5:11 ` viswanath
@ 2025-09-23 6:14 ` Harry Yoo
0 siblings, 0 replies; 6+ messages in thread
From: Harry Yoo @ 2025-09-23 6:14 UTC (permalink / raw)
To: viswanath
Cc: vbabka, akpm, cl, rientjes, roman.gushchin, linux-mm,
linux-kernel, skhan, david.hunter.linux, linux-kernel-mentees,
syzbot+94d20db923b9f51be0df
On Tue, Sep 23, 2025 at 10:41:39AM +0530, viswanath wrote:
> On Mon, 22 Sept 2025 at 23:30, Harry Yoo <harry.yoo@oracle.com> wrote:
>
> > When bytes > KKMALLOC_MAX_SIZE (8K on my system), kmalloc redirects allocation
> > to the buddy allocator, which can allocate up to (PAGE_SIZE << MAX_PAGE_ORDER)
> > bytes (4M on my system).
>
> In include/linux/slab.h,
> KMALLOC_MAX_SIZE is ultimately defined as PAGE_SIZE << MAX_PAGE_ORDER and
> KMALLOC_MAX_CACHE_SIZE as PAGE_SIZE << 1
>
> I was using those definitions
Err, you're right :) you mentioned KMALLOC_MAX_SIZE, not
KMALLOC_MAX_CACHE_SIZE. Apologies for the confusion.
> > Because allocating a page with order > MAX_PAGE_ORDER page is never
> > supposed to succeed, the caller of kmalloc should be fixed rather than
> > kmalloc itself.
>
> So, Is it almost never a good idea to add new validation in the allocator code?
Yes, because such allocations will always fail and that's never a good
thing.
> > I think the right fix should be to return -EINVAL in max_vclocks_store()
> > if max * sizeof(int) exceeds PAGE_SIZE << MAX_PAGE_ORDER?
>
> Thanks, I will go ahead with this approach
>
> Thanks,
> Viswanath
--
Cheers,
Harry / Hyeonggon
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [RFC PATCH] mm/slab: Add size validation in kmalloc_array_* functions
2025-09-22 17:03 [RFC PATCH] mm/slab: Add size validation in kmalloc_array_* functions I Viswanath
2025-09-22 17:59 ` Harry Yoo
@ 2025-09-22 21:36 ` Matthew Wilcox
2025-09-23 4:28 ` viswanath
1 sibling, 1 reply; 6+ messages in thread
From: Matthew Wilcox @ 2025-09-22 21:36 UTC (permalink / raw)
To: I Viswanath
Cc: vbabka, akpm, cl, rientjes, roman.gushchin, harry.yoo, linux-mm,
linux-kernel, skhan, david.hunter.linux, linux-kernel-mentees,
syzbot+94d20db923b9f51be0df
On Mon, Sep 22, 2025 at 10:33:57PM +0530, I Viswanath wrote:
> This occurs when the size argument fits into a u32 but is too large
> to allocate, i.e., when it's between KMALLOC_MAX_SIZE + 1
> and UINT_MAX (both limits included)
Is it really a good idea to support 2^28 vclocks? Surely there's a
limit that makes sense to the PTP driver.
Beyond that, this should probably be using kvmalloc_array rather than
kcalloc_array().
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [RFC PATCH] mm/slab: Add size validation in kmalloc_array_* functions
2025-09-22 21:36 ` Matthew Wilcox
@ 2025-09-23 4:28 ` viswanath
0 siblings, 0 replies; 6+ messages in thread
From: viswanath @ 2025-09-23 4:28 UTC (permalink / raw)
To: Matthew Wilcox
Cc: vbabka, akpm, cl, rientjes, roman.gushchin, harry.yoo, linux-mm,
linux-kernel, skhan, david.hunter.linux, linux-kernel-mentees,
syzbot+94d20db923b9f51be0df
On Tue, 23 Sept 2025 at 03:06, Matthew Wilcox <willy@infradead.org> wrote:
> Is it really a good idea to support 2^28 vclocks? Surely there's a
> limit that makes sense to the PTP driver.
I think I will add a new macro for the limit and validate against that
Thanks
Viswanath
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2025-09-23 6:14 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-09-22 17:03 [RFC PATCH] mm/slab: Add size validation in kmalloc_array_* functions I Viswanath
2025-09-22 17:59 ` Harry Yoo
2025-09-23 5:11 ` viswanath
2025-09-23 6:14 ` Harry Yoo
2025-09-22 21:36 ` Matthew Wilcox
2025-09-23 4:28 ` viswanath
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox