All of lore.kernel.org
 help / color / mirror / Atom feed
From: Michal Hocko <mhocko@suse.com>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	linux-mm@kvack.org
Subject: Re: [PATCH v2] mm: memdup_user*() should use same gfp flags
Date: Mon, 25 Jan 2021 14:32:44 +0100	[thread overview]
Message-ID: <20210125133244.GK827@dhcp22.suse.cz> (raw)
In-Reply-To: <5346de21-a404-8476-f2a3-c98c191a2ef9@i-love.sakura.ne.jp>

On Fri 22-01-21 19:47:42, Tetsuo Handa wrote:
> On 2021/01/22 10:35, Andrew Morton wrote:
> > On Wed, 20 Jan 2021 19:34:36 +0900 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> wrote:
> > 
> >> syzbot is reporting that memdup_user_nul() which receives user-controlled
> >> size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit
> >> order >= MAX_ORDER path [1].

That is nasty!

> >> Let's add __GFP_NOWARN to memdup_user_nul() as with commit 6c8fcc096be9d02f
> >> ("mm: don't let userspace spam allocations warnings"). Also use GFP_USER as
> >> with commit 6c2c97a24f096e32 ("memdup_user(): switch to GFP_USER").

No, this is papering over a more troubling underlying problem. Userspace
shouldn't be able to trigger an aribitrary higher order allocations.
Those users with a large size to copy should be really using kvmalloc
based (e.g vmemdup_user).

> > That commit failed to explain why a switch to GFP_USER was performed,
> > so that commit isn't a good substitute for an explanation of this
> > change.
> 
> For example, commit 2f77d107050abc14 ("Fix incorrect user space access locking
> in mincore()") silently converted GFP_KERNEL to GFP_USER.
> 
>   #define GFP_KERNEL	(__GFP_RECLAIM | __GFP_IO | __GFP_FS)
>   #define GFP_USER	(__GFP_RECLAIM | __GFP_IO | __GFP_FS | __GFP_HARDWALL)
> 
>  * %GFP_KERNEL is typical for kernel-internal allocations. The caller requires
>  * %ZONE_NORMAL or a lower zone for direct access but can direct reclaim.
> 
>  * %GFP_USER is for userspace allocations that also need to be directly
>  * accessibly by the kernel or hardware. It is typically used by hardware
>  * for buffers that are mapped to userspace (e.g. graphics) that hardware
>  * still must DMA to. cpuset limits are enforced for these allocations.
> 
>  * %__GFP_HARDWALL enforces the cpuset memory allocation policy.
> 
> > 
> > So...  please fully describe the reason for this change right here in
> > this patch's changelog.
> 
> I guess that GFP_USER is chosen by cautious developers when memory is
> allocated by userspace request. Is there a guideline for when to use GFP_USER ?

I do not think we have anything better than the above. GFP_USER is
indeed used for userspace controlable allocations. So they can be a
subject to a more strict cpu policy. memdup_user_nul looks like a good
fit for GFP_USER to me. memdup_user and other variant already does this.

-- 
Michal Hocko
SUSE Labs


  reply	other threads:[~2021-01-25 13:32 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-20  4:18 [PATCH] mm: add __GFP_NOWARN to memdup_user_nul() Tetsuo Handa
2021-01-20 10:34 ` [PATCH v2] mm: memdup_user*() should use same gfp flags Tetsuo Handa
2021-01-22  1:35   ` Andrew Morton
2021-01-22 10:47     ` Tetsuo Handa
2021-01-25 13:32       ` Michal Hocko [this message]
2021-01-25 14:20         ` Tetsuo Handa
2021-01-25 15:44           ` Michal Hocko
2021-01-26 11:13             ` Sabyrzhan Tasbolatov
2021-01-27 10:55               ` [PATCH v3] " Tetsuo Handa
2021-01-27 11:59                 ` Michal Hocko
2021-01-27 12:17                   ` Michal Hocko
     [not found]                     ` <3e01b180-0a5b-f2aa-6247-1c3bbcabe1ed@i-love.sakura.ne.jp>
2021-01-27 23:19                       ` Andrew Morton
2021-01-27 23:27                         ` Casey Schaufler
2021-01-28  7:42                           ` Tetsuo Handa
2021-01-28  8:06                         ` Michal Hocko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210125133244.GK827@dhcp22.suse.cz \
    --to=mhocko@suse.com \
    --cc=akpm@linux-foundation.org \
    --cc=linux-mm@kvack.org \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.