From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+80dccaee7c6630fa9dcf@syzkaller.appspotmail.com,
	Pavel Skripkin <paskripkin@gmail.com>,
	Alexander Lobakin <alobakin@pm.me>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 12/25] net/qrtr: fix __netdev_alloc_skb call
Date: Mon, 22 Mar 2021 13:29:02 +0100	[thread overview]
Message-ID: <20210322121920.790030672@linuxfoundation.org> (raw)
In-Reply-To: <20210322121920.399826335@linuxfoundation.org>

From: Pavel Skripkin <paskripkin@gmail.com>

commit 093b036aa94e01a0bea31a38d7f0ee28a2749023 upstream.

syzbot found WARNING in __alloc_pages_nodemask()[1] when order >= MAX_ORDER.
It was caused by a huge length value passed from userspace to qrtr_tun_write_iter(),
which tries to allocate an skb. Since the value comes from an untrusted source,
there is no need to raise a warning in __alloc_pages_nodemask().

[1] WARNING in __alloc_pages_nodemask+0x5f8/0x730 mm/page_alloc.c:5014
Call Trace:
 __alloc_pages include/linux/gfp.h:511 [inline]
 __alloc_pages_node include/linux/gfp.h:524 [inline]
 alloc_pages_node include/linux/gfp.h:538 [inline]
 kmalloc_large_node+0x60/0x110 mm/slub.c:3999
 __kmalloc_node_track_caller+0x319/0x3f0 mm/slub.c:4496
 __kmalloc_reserve net/core/skbuff.c:150 [inline]
 __alloc_skb+0x4e4/0x5a0 net/core/skbuff.c:210
 __netdev_alloc_skb+0x70/0x400 net/core/skbuff.c:446
 netdev_alloc_skb include/linux/skbuff.h:2832 [inline]
 qrtr_endpoint_post+0x84/0x11b0 net/qrtr/qrtr.c:442
 qrtr_tun_write_iter+0x11f/0x1a0 net/qrtr/tun.c:98
 call_write_iter include/linux/fs.h:1901 [inline]
 new_sync_write+0x426/0x650 fs/read_write.c:518
 vfs_write+0x791/0xa30 fs/read_write.c:605
 ksys_write+0x12d/0x250 fs/read_write.c:658
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reported-by: syzbot+80dccaee7c6630fa9dcf@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Acked-by: Alexander Lobakin <alobakin@pm.me>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/qrtr/qrtr.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/qrtr/qrtr.c
+++ b/net/qrtr/qrtr.c
@@ -232,7 +232,7 @@ int qrtr_endpoint_post(struct qrtr_endpo
 	if (dst != QRTR_PORT_CTRL && type != QRTR_TYPE_DATA)
 		return -EINVAL;
 
-	skb = netdev_alloc_skb(NULL, len);
+	skb = __netdev_alloc_skb(NULL, len, GFP_ATOMIC | __GFP_NOWARN);
 	if (!skb)
 		return -ENOMEM;
 
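Review bot: `__GFP_NOWARN` only silences the page allocator warning; the oversized allocation attempt itself still happens and fails with `-ENOMEM`, so consider adding an explicit upper bound check on `len` (returning `-EINVAL`) before `__netdev_alloc_skb()` so that a user-controlled length never reaches the allocator at all. It would also help to note in the commit message that `netdev_alloc_skb(NULL, len)` is just `__netdev_alloc_skb(NULL, len, GFP_ATOMIC)`, so the only behavioural change in this hunk is the added `__GFP_NOWARN` flag.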

