From: Dave Jones <davej@redhat.com>
To: netdev@vger.kernel.org
Subject: attempted oversize allocations in tcp_recvmsg.
Date: Wed, 28 Dec 2011 13:44:17 -0500 [thread overview]
Message-ID: <20111228184416.GB7901@redhat.com> (raw)
I got this trace from the page allocator while fuzzing sys_recvfrom
WARNING: at mm/page_alloc.c:2089 __alloc_pages_nodemask+0x39b/0xa50()
Hardware name: X8DTN
Modules linked in: nfnetlink binfmt_misc ip6_queue can_raw can_bcm rfcomm ipt_ULOG cmtp kernelcapi bnep sctp libcrc32c ip_queue dccp_ipv6 dccp_ipv4 >
Pid: 26212, comm: trinity Not tainted 3.1.6-1.fc16.x86_64.debug #1
Call Trace:
[<ffffffff8107940f>] warn_slowpath_common+0x7f/0xc0
[<ffffffff8107946a>] warn_slowpath_null+0x1a/0x20
[<ffffffff811461db>] __alloc_pages_nodemask+0x39b/0xa50
[<ffffffff8117efa3>] alloc_pages_current+0xa3/0x110
[<ffffffff81141604>] __get_free_pages+0x14/0x50
[<ffffffff8118b57f>] kmalloc_order_trace+0x3f/0x170
[<ffffffff8118bc08>] __kmalloc+0x268/0x290
[<ffffffff8139a64d>] dma_pin_iovec_pages+0x9d/0x220
[<ffffffff8157b7e7>] tcp_recvmsg+0x787/0xcb0
[<ffffffff815a34cb>] inet_recvmsg+0x10b/0x180
[<ffffffff81511ead>] sock_recvmsg+0x11d/0x140
[<ffffffff815159e1>] sys_recvfrom+0xf1/0x170
[<ffffffff816698c2>] system_call_fastpath+0x16/0x1b
---[ end trace 9a0c4dd55e1dbe8a ]---
The code in tcp_recvmsg that passes down the enormous size has these checks..
if (skb)
available = TCP_SKB_CB(skb)->seq + skb->len - (*seq);
if ((available < target) &&
(len > sysctl_tcp_dma_copybreak) && !(flags & MSG_PEEK) &&
!sysctl_tcp_low_latency &&
dma_find_channel(DMA_MEMCPY)) {
preempt_enable_no_resched();
tp->ucopy.pinned_list =
dma_pin_iovec_pages(msg->msg_iov, len);
} else {
preempt_enable_no_resched();
}
I'm guessing there should be a (len < 65535) (or similar constant) in that check ?
Or should we be doing this even sooner in one of the earlier functions?
Also, when that dma_pin_iovec_pages fails, we still proceed through the rest of
tcp_recvmsg. Is that expected ? Or should it be doing a goto out; in that case ?
Dave
next reply other threads:[~2011-12-28 18:53 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-28 18:44 Dave Jones [this message]
2011-12-28 19:06 ` attempted oversize allocations in tcp_recvmsg David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111228184416.GB7901@redhat.com \
--to=davej@redhat.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.