From: Alan Stern <stern@rowland.harvard.edu>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: syzbot <syzbot+882a85c0c8ec4a3e2281@syzkaller.appspotmail.com>,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
syzkaller-bugs@googlegroups.com,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-usb@vger.kernel.org
Subject: Re: [syzbot] WARNING in do_proc_bulk
Date: Mon, 3 May 2021 20:47:00 -0400 [thread overview]
Message-ID: <20210504004700.GA638732@rowland.harvard.edu> (raw)
In-Reply-To: <20210503122428.30ebfddbaf8f5184dc73e1a7@linux-foundation.org>
On Mon, May 03, 2021 at 12:24:28PM -0700, Andrew Morton wrote:
> On Mon, 3 May 2021 14:56:14 -0400 Alan Stern <stern@rowland.harvard.edu> wrote:
>
> > >
> > > do_proc_bulk() is asking kmalloc for more than MAX_ORDER bytes, in
> > >
> > > tbuf = kmalloc(len1, GFP_KERNEL);
> >
> > This doesn't seem to be a bug. do_proc_bulk is simply trying to
> > allocate a kernel buffer for data passed to/from userspace. If a user
> > wants too much space all at once, that's their problem.
> >
> > As far as I know, the kmalloc API doesn't require the caller to filter
> > out requests for more the MAX_ORDER bytes. Only to be prepared to
> > handle failures -- which do_proc_bulk is all set for.
> >
> > Am I wrong about this? Should we add __GFP_NOWARN to the gfp flags?
>
> Yes, if the oversized request is a can-happen and the resulting error is handled
> appropriately, __GFP_NOWARN is the way to go.
Okay, let's see how this does.
Alan Stern
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git d2b6f8a1
Index: usb-devel/drivers/usb/core/devio.c
===================================================================
--- usb-devel.orig/drivers/usb/core/devio.c
+++ usb-devel/drivers/usb/core/devio.c
@@ -1218,7 +1218,12 @@ static int do_proc_bulk(struct usb_dev_s
ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb));
if (ret)
return ret;
- tbuf = kmalloc(len1, GFP_KERNEL);
+
+ /*
+ * len1 can be almost arbitrarily large. Don't WARN if it's
+ * too big, just fail the request.
+ */
+ tbuf = kmalloc(len1, GFP_KERNEL | __GFP_NOWARN);
if (!tbuf) {
ret = -ENOMEM;
goto done;
next prev parent reply other threads:[~2021-05-04 0:47 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-02 20:00 [syzbot] WARNING in do_proc_bulk syzbot
2021-05-03 10:25 ` syzbot
2021-05-03 17:53 ` Andrew Morton
2021-05-03 18:56 ` Alan Stern
2021-05-03 19:24 ` Andrew Morton
2021-05-04 0:47 ` Alan Stern [this message]
2021-05-04 1:07 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210504004700.GA638732@rowland.harvard.edu \
--to=stern@rowland.harvard.edu \
--cc=akpm@linux-foundation.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-usb@vger.kernel.org \
--cc=syzbot+882a85c0c8ec4a3e2281@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).