From: Pavel Skripkin <paskripkin@gmail.com>
To: Eric Dumazet <eric.dumazet@gmail.com>,
davem@davemloft.net, kuba@kernel.org, linmiaohe@huawei.com,
Sabyrzhan Tasbolatov <snovitoll@gmail.com>,
Alexander Lobakin <alobakin@pm.me>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
syzbot+80dccaee7c6630fa9dcf@syzkaller.appspotmail.com
Subject: Re: [PATCH] net/core/skbuff.c: __netdev_alloc_skb fix when len is greater than KMALLOC_MAX_SIZE
Date: Mon, 01 Mar 2021 16:40:36 +0300 [thread overview]
Message-ID: <4d22ecbe776ada30c8f4b553204e2776fc0d48ac.camel@gmail.com> (raw)
In-Reply-To: <24d966a7-ed2e-eb50-23e9-71ff2e43371f@gmail.com>
Hi, thanks for your reply!
On Mon, 2021-03-01 at 14:09 +0100, Eric Dumazet wrote:
>
> On 2/26/21 8:11 PM, Pavel Skripkin wrote:
> > syzbot found WARNING in __alloc_pages_nodemask()[1] when order >=
> > MAX_ORDER.
> > It was caused by __netdev_alloc_skb(), which doesn't check len
> > value after adding NET_SKB_PAD.
> > Order will be >= MAX_ORDER and passed to __alloc_pages_nodemask()
> > if size > KMALLOC_MAX_SIZE.
> >
> > static void *kmalloc_large_node(size_t size, gfp_t flags, int node)
> > {
> > struct page *page;
> > void *ptr = NULL;
> > unsigned int order = get_order(size);
> > ...
> > page = alloc_pages_node(node, flags, order);
> > ...
> >
> > [1] WARNING in __alloc_pages_nodemask+0x5f8/0x730
> > mm/page_alloc.c:5014
> > Call Trace:
> > __alloc_pages include/linux/gfp.h:511 [inline]
> > __alloc_pages_node include/linux/gfp.h:524 [inline]
> > alloc_pages_node include/linux/gfp.h:538 [inline]
> > kmalloc_large_node+0x60/0x110 mm/slub.c:3999
> > __kmalloc_node_track_caller+0x319/0x3f0 mm/slub.c:4496
> > __kmalloc_reserve net/core/skbuff.c:150 [inline]
> > __alloc_skb+0x4e4/0x5a0 net/core/skbuff.c:210
> > __netdev_alloc_skb+0x70/0x400 net/core/skbuff.c:446
> > netdev_alloc_skb include/linux/skbuff.h:2832 [inline]
> > qrtr_endpoint_post+0x84/0x11b0 net/qrtr/qrtr.c:442
> > qrtr_tun_write_iter+0x11f/0x1a0 net/qrtr/tun.c:98
> > call_write_iter include/linux/fs.h:1901 [inline]
> > new_sync_write+0x426/0x650 fs/read_write.c:518
> > vfs_write+0x791/0xa30 fs/read_write.c:605
> > ksys_write+0x12d/0x250 fs/read_write.c:658
> > do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> > entry_SYSCALL_64_after_hwframe+0x44/0xa9
> >
> > Reported-by: syzbot+80dccaee7c6630fa9dcf@syzkaller.appspotmail.com
> > Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> > Change-Id: I480a6d6f818a4c0a387db0cd3f230b68a7daeb16
> > ---
> > net/core/skbuff.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> > index 785daff48030..dc28c8f7bf5f 100644
> > --- a/net/core/skbuff.c
> > +++ b/net/core/skbuff.c
> > @@ -443,6 +443,9 @@ struct sk_buff *__netdev_alloc_skb(struct
> > net_device *dev, unsigned int len,
> > if (len <= SKB_WITH_OVERHEAD(1024) ||
> > len > SKB_WITH_OVERHEAD(PAGE_SIZE) ||
> > (gfp_mask & (__GFP_DIRECT_RECLAIM | GFP_DMA))) {
> > + if (len > KMALLOC_MAX_SIZE)
> > + return NULL;
> > +
> > skb = __alloc_skb(len, gfp_mask, SKB_ALLOC_RX,
> > NUMA_NO_NODE);
> > if (!skb)
> > goto skb_fail;
> >
>
>
> No, please fix the offender instead.
Yesterday I already send newer patch version to Alexander Lobakin,
where I added __GFP_NOWARN in qrtr_endpoint_post(). I think, You can
check it in this thread.
>
> Offender tentative fix was in
>
> commit 2a80c15812372e554474b1dba0b1d8e467af295d
> Author: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
> Date: Tue Feb 2 15:20:59 2021 +0600
>
> net/qrtr: restrict user-controlled length in
> qrtr_tun_write_iter()
>
This patch fixes kzalloc() call, but the warning was caused by
__netdev_alloc_skb().
>
> qrtr maintainers have to tell us what is the maximum datagram length
> they need to support.
>
>
>
With regards,
Pavel Skripkin
prev parent reply other threads:[~2021-03-01 13:41 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-26 19:11 [PATCH] net/core/skbuff.c: __netdev_alloc_skb fix when len is greater than KMALLOC_MAX_SIZE Pavel Skripkin
2021-02-27 11:03 ` Alexander Lobakin
2021-02-27 16:35 ` [PATCH v2] net/core/skbuff: fix passing wrong size to __alloc_skb Pavel Skripkin
2021-02-27 16:41 ` Pavel Skripkin
2021-02-27 17:51 ` [PATCH v3] " Pavel Skripkin
2021-02-28 18:14 ` Alexander Lobakin
2021-02-28 18:55 ` Jakub Kicinski
2021-02-28 19:11 ` Alexander Lobakin
2021-02-28 19:28 ` Pavel Skripkin
2021-02-28 20:10 ` Alexander Lobakin
2021-02-28 20:27 ` Pavel Skripkin
2021-02-28 23:06 ` [PATCH v4] net/qrtr: fix __netdev_alloc_skb call Pavel Skripkin
2021-02-28 23:22 ` Pavel Skripkin
2021-02-28 23:53 ` Alexander Lobakin
2021-03-01 21:30 ` patchwork-bot+netdevbpf
2021-03-01 13:09 ` [PATCH] net/core/skbuff.c: __netdev_alloc_skb fix when len is greater than KMALLOC_MAX_SIZE Eric Dumazet
2021-03-01 13:40 ` Pavel Skripkin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4d22ecbe776ada30c8f4b553204e2776fc0d48ac.camel@gmail.com \
--to=paskripkin@gmail.com \
--cc=alobakin@pm.me \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=kuba@kernel.org \
--cc=linmiaohe@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=snovitoll@gmail.com \
--cc=syzbot+80dccaee7c6630fa9dcf@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.