* tty: kmalloc size WARNING in vc_do_resize
@ 2016-01-24 11:24 Dmitry Vyukov
From: Dmitry Vyukov @ 2016-01-24 11:24 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Jiri Slaby, Daniel Vetter, David Herrmann,
	Peter Hurley, Imre Deak, Lad, Prabhakar, Nicolas Pitre,
	Nicholas Mc Guire, Scot Doyle, Denys Vlasenko, Takashi Iwai,
	LKML
  Cc: syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin

Hello,

The following program triggers a kmalloc size WARNING in vc_do_resize:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <termios.h>
#include <sys/ioctl.h>

int main()
{
  /* Any virtual console works; the resize is applied to the console behind it. */
  int fd = open("/dev/tty1", O_RDWR);
  if (fd < 0) {
    perror("open /dev/tty1");
    return 1;
  }
  struct winsize ws;
  ws.ws_row = 0x1000;   /* 4096 rows */
  ws.ws_col = 0x5dc;    /* 1500 columns: 4096 * 1500 * 2 bytes per cell exceeds what kmalloc can serve */
  ws.ws_xpixel = 0x2;
  ws.ws_ypixel = 0x0;
  /* TIOCSWINSZ -> tty_ioctl -> vt_resize -> vc_do_resize -> kmalloc(new_screen_size) */
  ioctl(fd, TIOCSWINSZ, &ws);
  return 0;
}


------------[ cut here ]------------
WARNING: CPU: 3 PID: 7642 at mm/page_alloc.c:2999
__alloc_pages_nodemask+0x7d2/0x1760()
Modules linked in:
CPU: 3 PID: 7642 Comm: a.out Not tainted 4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff88006d24f610 ffffffff82999e2d 0000000000000000
 ffff880060d9af80 ffffffff86475560 ffff88006d24f650 ffffffff81352089
 ffffffff816721e2 ffffffff86475560 0000000000000bb7 00000000024240c0
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
 [<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
 [<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
 [<     inline     >] __alloc_pages_slowpath mm/page_alloc.c:2999
 [<ffffffff816721e2>] __alloc_pages_nodemask+0x7d2/0x1760 mm/page_alloc.c:3253
 [<ffffffff8174a799>] alloc_pages_current+0xe9/0x450 mm/mempolicy.c:2090
 [<     inline     >] alloc_pages include/linux/gfp.h:459
 [<ffffffff8166df66>] alloc_kmem_pages+0x16/0x100 mm/page_alloc.c:3433
 [<ffffffff816c698f>] kmalloc_order+0x1f/0x80 mm/slab_common.c:1008
 [<ffffffff816c6a0f>] kmalloc_order_trace+0x1f/0x140 mm/slab_common.c:1019
 [<     inline     >] kmalloc_large include/linux/slab.h:395
 [<ffffffff8175b624>] __kmalloc+0x2f4/0x340 mm/slub.c:3557
 [<     inline     >] kmalloc include/linux/slab.h:468
 [<ffffffff82d47800>] vc_do_resize+0x2c0/0x1140 drivers/tty/vt/vt.c:874
 [<ffffffff82d4878a>] vt_resize+0xaa/0xe0 drivers/tty/vt/vt.c:993
 [<     inline     >] tiocswinsz drivers/tty/tty_io.c:2357
 [<ffffffff82cf22b3>] tty_ioctl+0x1083/0x2160 drivers/tty/tty_io.c:2869
 [<     inline     >] vfs_ioctl fs/ioctl.c:43
 [<ffffffff817efdac>] do_vfs_ioctl+0x18c/0xfb0 fs/ioctl.c:674
 [<     inline     >] SYSC_ioctl fs/ioctl.c:689
 [<ffffffff817f0c5f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
 [<ffffffff86336c36>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
---[ end trace cc28f7cc9d447282 ]---


I think that either the kmalloc should use __GFP_NOWARN or
vc_do_resize should do a stricter size check.

On commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2.


* Re: tty: kmalloc size WARNING in vc_do_resize
From: One Thousand Gnomes @ 2016-01-25 16:12 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: Greg Kroah-Hartman, Jiri Slaby, Daniel Vetter, David Herrmann,
	Peter Hurley, Imre Deak, Lad, Prabhakar, Nicolas Pitre,
	Nicholas Mc Guire, Scot Doyle, Denys Vlasenko, Takashi Iwai,
	LKML, syzkaller, Kostya Serebryany, Alexander Potapenko,
	Sasha Levin

> I think that either the kmalloc should use __GFP_NOWARN or
> vc_do_resize should do a stricter size check.

vc_do_resize doesn't know enough to do a stricter size check. There are
not many methods it calls but those are:

vgacon_resize doesn't error when stupid things happen because of a silly
hack for legacy svgatextmode tools.

sisusbcon_resize does the right checks but we can get in a situation
where we unplug during a resize so attempting to resize and size back
might fail.

fbcon_resize does the right thing, but again can error if we go
size/resize/size back.

That means we really have to guess or would have to add 'max size' info
to the structures. Right now it's clamped to 1Gbyte which is a 32767 x 32767
character display and probably ludicrous. Clamping to 4048 x 1024 chars
would cover displays up to 16K x 6K even with the 4x6 font (which is
insane on a 4K display, let alone 4 of them).

Alan


* Re: tty: kmalloc size WARNING in vc_do_resize
From: Dmitry Vyukov @ 2016-01-25 17:02 UTC (permalink / raw)
  To: One Thousand Gnomes
  Cc: Greg Kroah-Hartman, Jiri Slaby, Daniel Vetter, David Herrmann,
	Peter Hurley, Imre Deak, Lad, Prabhakar, Nicolas Pitre,
	Nicholas Mc Guire, Scot Doyle, Denys Vlasenko, Takashi Iwai,
	LKML, syzkaller, Kostya Serebryany, Alexander Potapenko,
	Sasha Levin

On Mon, Jan 25, 2016 at 5:12 PM, One Thousand Gnomes
<gnomes@lxorguk.ukuu.org.uk> wrote:
>> I think that either the kmalloc should use __GFP_NOWARN or
>> vc_do_resize should do a stricter size check.
>
> vc_do_resize doesn't know enough to do a stricter size check. There are
> not many methods it calls but those are:
>
> vgacon_resize doesn't error when stupid things happen because of a silly
> hack for legacy svgatextmode tools.
>
> sisusbcon_resize does the right checks but we can get in a situation
> where we unplug during a resize so attempting to resize and size back
> might fail.
>
> fbcon_resize does the right thing, but again can error if we go
> size/resize/size back.
>
> That means we really have to guess or would have to add 'max size' info
> to the structures. Right now it's clamped to 1Gbyte which is a 32767 x 32767
> character display and probably ludicrous. Clamping to 4048 x 1024 chars
> would cover displays up to 16K x 6K even with the 4x6 font (which is
> insane on a 4K display, let alone 4 of them).


OK, then the kmalloc call needs to include __GFP_NOWARN for cases when
the size is too large (larger than 8MB).

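To make the numbers in this thread concrete, here is an added example (not code from the thread or from drivers/tty/vt/vt.c) that models the screen-buffer sizing of vc_do_resize (two bytes per character cell, rows * cols cells), the existing 32767 x 32767 per-dimension clamp Alan mentions, and the stricter byte-size check Dmitry asks for, then feeds it the syzkaller winsize (0x1000 rows x 0x5dc cols) and Alan's proposed 4048 x 1024 clamp. The 8 MiB largest-kmalloc limit is taken from Dmitry's reply and is an assumption of this model, as is treating a zero dimension as invalid (the real function treats 0 as "keep the current value").

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define VC_RESIZE_MAXCOL 32767u          /* existing per-dimension clamp */
#define VC_RESIZE_MAXROW 32767u
#define KMALLOC_LIMIT    (8u << 20)      /* assumed: 8 MiB, the figure quoted in the thread */

/* Bytes vc_do_resize asks kmalloc for: row size is cols << 1 (char + attribute), times rows. */
static uint64_t vc_screen_bytes(unsigned int rows, unsigned int cols)
{
    uint64_t row_size = (uint64_t)cols << 1;
    return row_size * rows;
}

/* Existing check: only the per-dimension clamp; 32767 x 32767 cells is ~2 GiB of buffer. */
static bool resize_allowed_old(unsigned int rows, unsigned int cols)
{
    return rows <= VC_RESIZE_MAXROW && cols <= VC_RESIZE_MAXCOL;
}

/* Stricter check: also refuse sizes the allocator cannot satisfy, before kmalloc warns. */
static bool resize_allowed_strict(unsigned int rows, unsigned int cols)
{
    uint64_t bytes = vc_screen_bytes(rows, cols);

    return resize_allowed_old(rows, cols) && bytes != 0 && bytes <= KMALLOC_LIMIT;
}

static void report(const char *label, unsigned int rows, unsigned int cols)
{
    printf("%-22s rows=%5u cols=%5u bytes=%10llu old=%s strict=%s\n", label, rows, cols,
           (unsigned long long)vc_screen_bytes(rows, cols),
           resize_allowed_old(rows, cols) ? "allow" : "reject",
           resize_allowed_strict(rows, cols) ? "allow" : "reject");
}

int main(void)
{
    report("syzkaller winsize", 0x1000, 0x5dc);   /* 12,288,000 bytes: passes old, fails strict */
    report("Alan's 4048x1024 clamp", 1024, 4048);  /* 8,290,304 bytes: just under 8 MiB */
    report("80x25 console", 25, 80);
    return 0;
}
```

Under the old clamp the syzkaller request is accepted and reaches kmalloc, which is why the WARNING fires; the byte-size check rejects it in vc_do_resize instead.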
