From: Vlastimil Babka <vbabka@suse.cz>
To: Barry Song <21cnbao@gmail.com>,
akpm@linux-foundation.org, linux-mm@kvack.org
Cc: 42.hyeyoo@gmail.com, cl@linux.com, hailong.liu@oppo.com,
hch@infradead.org, iamjoonsoo.kim@lge.com, lstoakes@gmail.com,
mhocko@suse.com, penberg@kernel.org, rientjes@google.com,
roman.gushchin@linux.dev, torvalds@linux-foundation.org,
urezki@gmail.com, v-songbaohua@oppo.com,
virtualization@lists.linux.dev, Kees Cook <kees@kernel.org>
Subject: Re: [PATCH v2 3/4] mm: BUG_ON to avoid NULL deference while __GFP_NOFAIL fails
Date: Wed, 31 Jul 2024 12:29:32 +0200 [thread overview]
Message-ID: <b1f4d2eb-ad6d-4ddf-91f5-f1ad0171789a@suse.cz> (raw)
In-Reply-To: <20240731000155.109583-4-21cnbao@gmail.com>
On 7/31/24 2:01 AM, Barry Song wrote:
> From: Barry Song <v-songbaohua@oppo.com>
>
> We have cases we still fail though callers might have __GFP_NOFAIL.
> Since they don't check the return, we are exposed to the security
> risks for NULL deference.
>
> Though BUG_ON() is not encouraged by Linus, this is an unrecoverable
> situation.
>
> Christoph Hellwig:
> The whole freaking point of __GFP_NOFAIL is that callers don't handle
> allocation failures. So in fact a straight BUG is the right thing
> here.
>
> Vlastimil Babka:
> It's just not a recoverable situation (WARN_ON is for recoverable
> situations). The caller cannot handle allocation failure and at the same
> time asked for an impossible allocation. BUG_ON() is a guaranteed oops
> with stracktrace etc. We don't need to hope for the later NULL pointer
> dereference (which might if really unlucky happen from a different
> context where it's no longer obvious what lead to the allocation failing).
>
> Michal Hocko:
> Linus tends to be against adding new BUG() calls unless the failure is
> absolutely unrecoverable (e.g. corrupted data structures etc.). I am
> not sure how he would look at simply incorrect memory allocator usage to
> blow up the kernel. Now the argument could be made that those failures
> could cause subtle memory corruptions or even be exploitable which might
> be a sufficient reason to stop them early.
>
> Cc: Michal Hocko <mhocko@suse.com>
> Cc: Uladzislau Rezki (Sony) <urezki@gmail.com>
> Cc: Christoph Hellwig <hch@infradead.org>
> Cc: Lorenzo Stoakes <lstoakes@gmail.com>
> Cc: Christoph Lameter <cl@linux.com>
> Cc: Pekka Enberg <penberg@kernel.org>
> Cc: David Rientjes <rientjes@google.com>
> Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
> Cc: Vlastimil Babka <vbabka@suse.cz>
> Cc: Roman Gushchin <roman.gushchin@linux.dev>
> Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Kees Cook <kees@kernel.org>
> Signed-off-by: Barry Song <v-songbaohua@oppo.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
> ---
> include/linux/slab.h | 4 +++-
> mm/page_alloc.c | 4 +++-
> mm/util.c | 1 +
> 3 files changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/slab.h b/include/linux/slab.h
> index c9cb42203183..4a4d1fdc2afe 100644
> --- a/include/linux/slab.h
> +++ b/include/linux/slab.h
> @@ -827,8 +827,10 @@ kvmalloc_array_node_noprof(size_t n, size_t size, gfp_t flags, int node)
> {
> size_t bytes;
>
> - if (unlikely(check_mul_overflow(n, size, &bytes)))
> + if (unlikely(check_mul_overflow(n, size, &bytes))) {
> + BUG_ON(flags & __GFP_NOFAIL);
Shouldn't we produce some kind of warning also in the no-NOFAIL case?
Returning a NULL completely silently feels wrong.
> return NULL;
> + }
>
> return kvmalloc_node_noprof(bytes, flags, node);
> }
> diff --git a/mm/page_alloc.c b/mm/page_alloc.c
> index c700d2598a26..cc179c3e68df 100644
> --- a/mm/page_alloc.c
> +++ b/mm/page_alloc.c
> @@ -4708,8 +4708,10 @@ struct page *__alloc_pages_noprof(gfp_t gfp, unsigned int order,
> * There are several places where we assume that the order value is sane
> * so bail out early if the request is out of bound.
> */
> - if (WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp))
> + if (WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)) {
Because here we do warn (although I'd argue even __GFP_NOWARN shouldn't
suppress a warning for such a reason).
> + BUG_ON(gfp & __GFP_NOFAIL);
> return NULL;
> + }
>
> gfp &= gfp_allowed_mask;
> /*
> diff --git a/mm/util.c b/mm/util.c
> index 0ff5898cc6de..bad3258523b6 100644
> --- a/mm/util.c
> +++ b/mm/util.c
> @@ -667,6 +667,7 @@ void *__kvmalloc_node_noprof(DECL_BUCKET_PARAMS(size, b), gfp_t flags, int node)
>
> /* Don't even allow crazy sizes */
> if (unlikely(size > INT_MAX)) {
> + BUG_ON(flags & __GFP_NOFAIL);
> WARN_ON_ONCE(!(flags & __GFP_NOWARN));
And here, would argue the same. But maybe there's code that relies on this
so dunno. In that case we could at least convert to WARN_ON_ONCE_GFP.
> return NULL;
> }
next prev parent reply other threads:[~2024-07-31 10:29 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-31 0:01 [PATCH v2 0/4] mm: clarify nofail memory allocation Barry Song
2024-07-31 0:01 ` [PATCH RFT v2 1/4] vpda: try to fix the potential crash due to misusing __GFP_NOFAIL Barry Song
2024-07-31 3:09 ` Jason Wang
2024-07-31 3:15 ` Barry Song
2024-07-31 3:58 ` Jason Wang
2024-07-31 4:11 ` Barry Song
2024-07-31 4:13 ` Jason Wang
2024-07-31 5:05 ` Barry Song
2024-07-31 10:20 ` Tetsuo Handa
2024-08-01 2:37 ` Jason Wang
2024-08-05 1:32 ` Barry Song
2024-08-05 8:19 ` Jason Wang
2024-08-01 2:30 ` Jason Wang
2024-07-31 0:01 ` [PATCH v2 2/4] mm: Document __GFP_NOFAIL must be blockable Barry Song
2024-07-31 10:18 ` Vlastimil Babka
2024-07-31 16:26 ` Christoph Hellwig
2024-07-31 0:01 ` [PATCH v2 3/4] mm: BUG_ON to avoid NULL deference while __GFP_NOFAIL fails Barry Song
2024-07-31 7:11 ` Michal Hocko
2024-07-31 10:29 ` Vlastimil Babka [this message]
2024-07-31 10:44 ` Tetsuo Handa
2024-07-31 10:48 ` Vlastimil Babka
2024-07-31 10:57 ` Barry Song
2024-07-31 16:28 ` Christoph Hellwig
2024-07-31 0:01 ` [PATCH v2 4/4] mm: prohibit NULL deference exposed for unsupported non-blockable __GFP_NOFAIL Barry Song
2024-07-31 7:15 ` Michal Hocko
2024-07-31 10:55 ` Vlastimil Babka
2024-07-31 11:08 ` Barry Song
2024-07-31 11:31 ` Michal Hocko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b1f4d2eb-ad6d-4ddf-91f5-f1ad0171789a@suse.cz \
--to=vbabka@suse.cz \
--cc=21cnbao@gmail.com \
--cc=42.hyeyoo@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=cl@linux.com \
--cc=hailong.liu@oppo.com \
--cc=hch@infradead.org \
--cc=iamjoonsoo.kim@lge.com \
--cc=kees@kernel.org \
--cc=linux-mm@kvack.org \
--cc=lstoakes@gmail.com \
--cc=mhocko@suse.com \
--cc=penberg@kernel.org \
--cc=rientjes@google.com \
--cc=roman.gushchin@linux.dev \
--cc=torvalds@linux-foundation.org \
--cc=urezki@gmail.com \
--cc=v-songbaohua@oppo.com \
--cc=virtualization@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox