All of lore.kernel.org
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Maurizio Lombardi <mlombard@redhat.com>,
	Alexander Duyck <alexanderduyck@fb.com>,
	Chen Lin <chen45464546@163.com>, Jakub Kicinski <kuba@kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH 5.4 12/30] mm: prevent page_frag_alloc() from corrupting the memory
Date: Mon,  3 Oct 2022 09:11:54 +0200	[thread overview]
Message-ID: <20221003070716.648085562@linuxfoundation.org> (raw)
In-Reply-To: <20221003070716.269502440@linuxfoundation.org>

From: Maurizio Lombardi <mlombard@redhat.com>

commit dac22531bbd4af2426c4e29e05594415ccfa365d upstream.

A number of drivers call page_frag_alloc() with a fragment's size >
PAGE_SIZE.

In low memory conditions, __page_frag_cache_refill() may fail the order
3 cache allocation and fall back to order 0; In this case, the cache
will be smaller than the fragment, causing memory corruptions.

Prevent this from happening by checking if the newly allocated cache is
large enough for the fragment; if not, the allocation will fail and
page_frag_alloc() will return NULL.

Link: https://lkml.kernel.org/r/20220715125013.247085-1-mlombard@redhat.com
Fixes: b63ae8ca096d ("mm/net: Rename and move page fragment handling from net/ to mm/")
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
Cc: Chen Lin <chen45464546@163.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/page_alloc.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -4979,6 +4979,18 @@ refill:
 		/* reset page count bias and offset to start of new frag */
 		nc->pagecnt_bias = PAGE_FRAG_CACHE_MAX_SIZE + 1;
 		offset = size - fragsz;
+		if (unlikely(offset < 0)) {
+			/*
+			 * The caller is trying to allocate a fragment
+			 * with fragsz > PAGE_SIZE but the cache isn't big
+			 * enough to satisfy the request, this may
+			 * happen in low memory conditions.
+			 * We don't release the cache page because
+			 * it could make memory pressure worse
+			 * so we simply return NULL here.
+			 */
+			return NULL;
+		}
 	}
 
 	nc->pagecnt_bias--;



  parent reply	other threads:[~2022-10-03  7:39 UTC|newest]

Thread overview: 40+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-10-03  7:11 [PATCH 5.4 00/30] 5.4.216-rc1 review Greg Kroah-Hartman
2022-10-03  7:11 ` [PATCH 5.4 01/30] uas: add no-uas quirk for Hiksemi usb_disk Greg Kroah-Hartman
2022-10-03  7:11 ` [PATCH 5.4 02/30] usb-storage: Add Hiksemi USB3-FW to IGNORE_UAS Greg Kroah-Hartman
2022-10-03  7:11 ` [PATCH 5.4 03/30] uas: ignore UAS for Thinkplus chips Greg Kroah-Hartman
2022-10-03  7:11 ` [PATCH 5.4 04/30] net: usb: qmi_wwan: Add new usb-id for Dell branded EM7455 Greg Kroah-Hartman
2022-10-03  7:11 ` [PATCH 5.4 05/30] clk: ingenic-tcu: Properly enable registers before accessing timers Greg Kroah-Hartman
2022-10-03  7:11 ` [PATCH 5.4 06/30] ARM: dts: integrator: Tag PCI host with device_type Greg Kroah-Hartman
2022-10-03  7:11 ` [PATCH 5.4 07/30] ntfs: fix BUG_ON in ntfs_lookup_inode_by_name() Greg Kroah-Hartman
2022-10-03  7:11 ` [PATCH 5.4 08/30] Revert "net: mvpp2: debugfs: fix memory leak when using debugfs_lookup()" Greg Kroah-Hartman
2022-10-03  7:11 ` [PATCH 5.4 09/30] libata: add ATA_HORKAGE_NOLPM for Pioneer BDR-207M and BDR-205 Greg Kroah-Hartman
2022-10-03  7:11 ` [PATCH 5.4 10/30] mmc: moxart: fix 4-bit bus width and remove 8-bit bus width Greg Kroah-Hartman
2022-10-03  7:11 ` [PATCH 5.4 11/30] mm/page_alloc: fix race condition between build_all_zonelists and page allocation Greg Kroah-Hartman
2022-10-03  7:11 ` Greg Kroah-Hartman [this message]
2022-10-03  7:11 ` [PATCH 5.4 13/30] mm/migrate_device.c: flush TLB while holding PTL Greg Kroah-Hartman
2022-10-03  7:11 ` [PATCH 5.4 14/30] mm: fix madivse_pageout mishandling on non-LRU page Greg Kroah-Hartman
2022-10-03  7:11 ` [PATCH 5.4 15/30] media: dvb_vb2: fix possible out of bound access Greg Kroah-Hartman
2022-10-03  7:11 ` [PATCH 5.4 16/30] ARM: dts: Move am33xx and am43xx mmc nodes to sdhci-omap driver Greg Kroah-Hartman
2022-10-03  7:11 ` [PATCH 5.4 17/30] ARM: dts: am33xx: Fix MMCHS0 dma properties Greg Kroah-Hartman
2022-10-03  7:12 ` [PATCH 5.4 18/30] soc: sunxi: sram: Actually claim SRAM regions Greg Kroah-Hartman
2022-10-03  7:12 ` [PATCH 5.4 19/30] soc: sunxi: sram: Prevent the driver from being unbound Greg Kroah-Hartman
2022-10-03  7:12 ` [PATCH 5.4 20/30] soc: sunxi_sram: Make use of the helper function devm_platform_ioremap_resource() Greg Kroah-Hartman
2022-10-03  7:12 ` [PATCH 5.4 21/30] soc: sunxi: sram: Fix probe function ordering issues Greg Kroah-Hartman
2022-10-03  7:12 ` [PATCH 5.4 22/30] soc: sunxi: sram: Fix debugfs info for A64 SRAM C Greg Kroah-Hartman
2022-10-03  7:12 ` [PATCH 5.4 23/30] Revert "drm: bridge: analogix/dp: add panel prepare/unprepare in suspend/resume time" Greg Kroah-Hartman
2022-10-03  7:12 ` [PATCH 5.4 24/30] Input: melfas_mip4 - fix return value check in mip4_probe() Greg Kroah-Hartman
2022-10-03  7:12 ` [PATCH 5.4 25/30] usbnet: Fix memory leak in usbnet_disconnect() Greg Kroah-Hartman
2022-10-03  7:12 ` [PATCH 5.4 26/30] nvme: add new line after variable declatation Greg Kroah-Hartman
2022-10-03  7:12 ` [PATCH 5.4 27/30] nvme: Fix IOC_PR_CLEAR and IOC_PR_RELEASE ioctls for nvme devices Greg Kroah-Hartman
2022-10-03  7:12 ` [PATCH 5.4 28/30] selftests: Fix the if conditions of in test_extra_filter() Greg Kroah-Hartman
2022-10-03  7:12 ` [PATCH 5.4 29/30] clk: imx: imx6sx: remove the SET_RATE_PARENT flag for QSPI clocks Greg Kroah-Hartman
2022-10-03  7:12 ` [PATCH 5.4 30/30] clk: iproc: Do not rely on node name for correct PLL setup Greg Kroah-Hartman
2022-10-03 11:31 ` [PATCH 5.4 00/30] 5.4.216-rc1 review Jon Hunter
2022-10-03 17:44 ` Florian Fainelli
2022-10-03 17:58 ` Guenter Roeck
2022-10-03 23:49 ` Shuah Khan
2022-10-04 17:37   ` Greg Kroah-Hartman
2022-10-04 17:39     ` Shuah Khan
2022-10-05 10:39       ` Greg Kroah-Hartman
2022-10-04  8:55 ` Naresh Kamboju
2022-10-04 11:30 ` Sudip Mukherjee (Codethink)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221003070716.648085562@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=akpm@linux-foundation.org \
    --cc=alexanderduyck@fb.com \
    --cc=chen45464546@163.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mlombard@redhat.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.