[PATCH v2 net] nfc: use GFP_USER for user-controlled kmalloc

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v2 net] nfc: use GFP_USER for user-controlled kmalloc
@ 2016-01-29 19:24 Cong Wang
  2016-01-29 19:46 ` Eric Dumazet
       [not found] ` <1454095465-16685-1-git-send-email-xiyou.wangcong-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
  0 siblings, 2 replies; 8+ messages in thread
From: Cong Wang @ 2016-01-29 19:24 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: dvyukov-hpIqsD4AKlfQT0dZR+AlfA,
	linux-wireless-u79uwXL29TY76Z2rM5mHXA,
	julian.calaby-Re5JQEeQqe8AvxtiuMwx3w,
	eric.dumazet-Re5JQEeQqe8AvxtiuMwx3w, Cong Wang,
	Lauro Ramos Venancio, Aloisio Almeida Jr, Samuel Ortiz

These two functions are called in sendmsg path, and the
'len' is passed from user-space, so we should not allow
malicious users to OOM kernel on purpose.

Reported-by: Dmitry Vyukov <dvyukov-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
Cc: Lauro Ramos Venancio <lauro.venancio-430g2QfJUUCGglJvpFV4uA@public.gmane.org>
Cc: Aloisio Almeida Jr <aloisio.almeida-430g2QfJUUCGglJvpFV4uA@public.gmane.org>
Cc: Samuel Ortiz <sameo-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>
Signed-off-by: Cong Wang <xiyou.wangcong-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
 net/nfc/llcp_commands.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index 3621a90..3425532 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -663,7 +663,7 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
 		return -ENOBUFS;
 	}
 
-	msg_data = kzalloc(len, GFP_KERNEL);
+	msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN);
 	if (msg_data == NULL)
 		return -ENOMEM;
 
@@ -729,7 +729,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
 	if (local == NULL)
 		return -ENODEV;
 
-	msg_data = kzalloc(len, GFP_KERNEL);
+	msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN);
 	if (msg_data == NULL)
 		return -ENOMEM;
 
-- 
1.8.3.1

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH v2 net] nfc: use GFP_USER for user-controlled kmalloc
  2016-01-29 19:24 [PATCH v2 net] nfc: use GFP_USER for user-controlled kmalloc Cong Wang
@ 2016-01-29 19:46 ` Eric Dumazet
  2016-01-29 22:01   ` Julian Calaby
       [not found] ` <1454095465-16685-1-git-send-email-xiyou.wangcong-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
  1 sibling, 1 reply; 8+ messages in thread
From: Eric Dumazet @ 2016-01-29 19:46 UTC (permalink / raw)
  To: Cong Wang
  Cc: netdev, dvyukov, linux-wireless, julian.calaby,
	Lauro Ramos Venancio, Aloisio Almeida Jr, Samuel Ortiz

On Fri, 2016-01-29 at 11:24 -0800, Cong Wang wrote:
> These two functions are called in sendmsg path, and the
> 'len' is passed from user-space, so we should not allow
> malicious users to OOM kernel on purpose.
> 
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
> Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
> Cc: Samuel Ortiz <sameo@linux.intel.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
> ---

Note that the issue is not OOM the kernel (as the allocation is
attempted even after your patch), but having a way to
spill stack traces in the syslog.

Acked-by: Eric Dumazet <edumazet@google.com>

Thanks!

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2 net] nfc: use GFP_USER for user-controlled kmalloc
  2016-01-29 19:46 ` Eric Dumazet
@ 2016-01-29 22:01   ` Julian Calaby
  0 siblings, 0 replies; 8+ messages in thread
From: Julian Calaby @ 2016-01-29 22:01 UTC (permalink / raw)
  To: Cong Wang
  Cc: netdev, Dmitry Vyukov, Eric Dumazet, linux-wireless,
	Lauro Ramos Venancio, Aloisio Almeida Jr, Samuel Ortiz

Hi Cong

On Sat, Jan 30, 2016 at 6:46 AM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Fri, 2016-01-29 at 11:24 -0800, Cong Wang wrote:
>> These two functions are called in sendmsg path, and the
>> 'len' is passed from user-space, so we should not allow
>> malicious users to OOM kernel on purpose.
>>
>> Reported-by: Dmitry Vyukov <dvyukov@google.com>
>> Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
>> Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
>> Cc: Samuel Ortiz <sameo@linux.intel.com>
>> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
>> ---
>
> Note that the issue is not OOM the kernel (as the allocation is
> attempted even after your patch), but having a way to
> spill stack traces in the syslog.
>
> Acked-by: Eric Dumazet <edumazet@google.com>

Reviewed-by: Julian Calaby <julian.calaby@gmail.com>

Thanks,

-- 
Julian Calaby

Email: julian.calaby@gmail.com
Profile: http://www.google.com/profiles/julian.calaby/

^ permalink raw reply	[flat|nested] 8+ messages in thread

[parent not found: <1454095465-16685-1-git-send-email-xiyou.wangcong-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>]

* Re: [PATCH v2 net] nfc: use GFP_USER for user-controlled kmalloc
       [not found] ` <1454095465-16685-1-git-send-email-xiyou.wangcong-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
@ 2016-02-24 18:41   ` Cong Wang
  2016-02-24 18:45     ` David Miller
       [not found]     ` <CAM_iQpX3X6YoFeMw2KYjJM8yBHi9=3iapo0+a9Cqtc0cxM_QNA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  2016-02-25  7:43   ` Samuel Ortiz
  1 sibling, 2 replies; 8+ messages in thread
From: Cong Wang @ 2016-02-24 18:41 UTC (permalink / raw)
  To: Linux Kernel Network Developers, David Miller
  Cc: Dmitry Vyukov, linux-wireless, Julian Calaby, Eric Dumazet,
	Cong Wang, Lauro Ramos Venancio, Aloisio Almeida Jr, Samuel Ortiz

On Fri, Jan 29, 2016 at 11:24 AM, Cong Wang <xiyou.wangcong-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> These two functions are called in sendmsg path, and the
> 'len' is passed from user-space, so we should not allow
> malicious users to OOM kernel on purpose.
>
> Reported-by: Dmitry Vyukov <dvyukov-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> Cc: Lauro Ramos Venancio <lauro.venancio-430g2QfJUUCGglJvpFV4uA@public.gmane.org>
> Cc: Aloisio Almeida Jr <aloisio.almeida-430g2QfJUUCGglJvpFV4uA@public.gmane.org>
> Cc: Samuel Ortiz <sameo-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>
> Signed-off-by: Cong Wang <xiyou.wangcong-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>

Ping...

David, this patch seems still not applied, I guess you expect NFC
maintainer to take it, but this doesn't happen. Could you take it?

(I can resend it if you need.)

Thanks!

> ---
>  net/nfc/llcp_commands.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
> index 3621a90..3425532 100644
> --- a/net/nfc/llcp_commands.c
> +++ b/net/nfc/llcp_commands.c
> @@ -663,7 +663,7 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
>                 return -ENOBUFS;
>         }
>
> -       msg_data = kzalloc(len, GFP_KERNEL);
> +       msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN);
>         if (msg_data == NULL)
>                 return -ENOMEM;
>
> @@ -729,7 +729,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
>         if (local == NULL)
>                 return -ENODEV;
>
> -       msg_data = kzalloc(len, GFP_KERNEL);
> +       msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN);
>         if (msg_data == NULL)
>                 return -ENOMEM;
>
> --
> 1.8.3.1
>
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2 net] nfc: use GFP_USER for user-controlled kmalloc
  2016-02-24 18:41   ` Cong Wang
@ 2016-02-24 18:45     ` David Miller
       [not found]       ` <20160224.134521.961009575129127582.davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
       [not found]     ` <CAM_iQpX3X6YoFeMw2KYjJM8yBHi9=3iapo0+a9Cqtc0cxM_QNA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  1 sibling, 1 reply; 8+ messages in thread
From: David Miller @ 2016-02-24 18:45 UTC (permalink / raw)
  To: xiyou.wangcong
  Cc: netdev, dvyukov, linux-wireless, julian.calaby, eric.dumazet,
	lauro.venancio, aloisio.almeida, sameo

From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Wed, 24 Feb 2016 10:41:29 -0800

> On Fri, Jan 29, 2016 at 11:24 AM, Cong Wang <xiyou.wangcong@gmail.com> wrote:
>> These two functions are called in sendmsg path, and the
>> 'len' is passed from user-space, so we should not allow
>> malicious users to OOM kernel on purpose.
>>
>> Reported-by: Dmitry Vyukov <dvyukov@google.com>
>> Cc: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
>> Cc: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
>> Cc: Samuel Ortiz <sameo@linux.intel.com>
>> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
> 
> Ping...
> 
> David, this patch seems still not applied, I guess you expect NFC
> maintainer to take it, but this doesn't happen. Could you take it?

The NFC maintainer needs to take this, ping them explicitly if
you have to.

Thanks.

^ permalink raw reply	[flat|nested] 8+ messages in thread

[parent not found: <20160224.134521.961009575129127582.davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>]

* Re: [PATCH v2 net] nfc: use GFP_USER for user-controlled kmalloc
       [not found]       ` <20160224.134521.961009575129127582.davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
@ 2016-02-24 18:53         ` Cong Wang
  0 siblings, 0 replies; 8+ messages in thread
From: Cong Wang @ 2016-02-24 18:53 UTC (permalink / raw)
  To: David Miller
  Cc: Linux Kernel Network Developers, Dmitry Vyukov, linux-wireless,
	Julian Calaby, Eric Dumazet, Lauro Ramos Venancio,
	Aloisio Almeida Jr, Samuel Ortiz

On Wed, Feb 24, 2016 at 10:45 AM, David Miller <davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org> wrote:
> From: Cong Wang <xiyou.wangcong-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> Date: Wed, 24 Feb 2016 10:41:29 -0800
>
>> On Fri, Jan 29, 2016 at 11:24 AM, Cong Wang <xiyou.wangcong-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>> These two functions are called in sendmsg path, and the
>>> 'len' is passed from user-space, so we should not allow
>>> malicious users to OOM kernel on purpose.
>>>
>>> Reported-by: Dmitry Vyukov <dvyukov-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
>>> Cc: Lauro Ramos Venancio <lauro.venancio-430g2QfJUUCGglJvpFV4uA@public.gmane.org>
>>> Cc: Aloisio Almeida Jr <aloisio.almeida-430g2QfJUUCGglJvpFV4uA@public.gmane.org>
>>> Cc: Samuel Ortiz <sameo-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>
>>> Signed-off-by: Cong Wang <xiyou.wangcong-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>>
>> Ping...
>>
>> David, this patch seems still not applied, I guess you expect NFC
>> maintainer to take it, but this doesn't happen. Could you take it?
>
> The NFC maintainer needs to take this, ping them explicitly if
> you have to.

OK. I think Samuel is looking at it now.

Thanks!
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 8+ messages in thread

[parent not found: <CAM_iQpX3X6YoFeMw2KYjJM8yBHi9=3iapo0+a9Cqtc0cxM_QNA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>]

* Re: [PATCH v2 net] nfc: use GFP_USER for user-controlled kmalloc
       [not found]     ` <CAM_iQpX3X6YoFeMw2KYjJM8yBHi9=3iapo0+a9Cqtc0cxM_QNA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2016-02-24 18:52       ` Samuel Ortiz
  0 siblings, 0 replies; 8+ messages in thread
From: Samuel Ortiz @ 2016-02-24 18:52 UTC (permalink / raw)
  To: Cong Wang
  Cc: Linux Kernel Network Developers, David Miller, Dmitry Vyukov,
	linux-wireless, Julian Calaby, Eric Dumazet, Lauro Ramos Venancio,
	Aloisio Almeida Jr

On Wed, Feb 24, 2016 at 10:41:29AM -0800, Cong Wang wrote:
> On Fri, Jan 29, 2016 at 11:24 AM, Cong Wang <xiyou.wangcong-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > These two functions are called in sendmsg path, and the
> > 'len' is passed from user-space, so we should not allow
> > malicious users to OOM kernel on purpose.
> >
> > Reported-by: Dmitry Vyukov <dvyukov-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> > Cc: Lauro Ramos Venancio <lauro.venancio-430g2QfJUUCGglJvpFV4uA@public.gmane.org>
> > Cc: Aloisio Almeida Jr <aloisio.almeida-430g2QfJUUCGglJvpFV4uA@public.gmane.org>
> > Cc: Samuel Ortiz <sameo-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>
> > Signed-off-by: Cong Wang <xiyou.wangcong-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> 
> Ping...
> 
> David, this patch seems still not applied, I guess you expect NFC
> maintainer to take it, but this doesn't happen. Could you take it?
I'll look at it later today.

Cheers,
Samuel.
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2 net] nfc: use GFP_USER for user-controlled kmalloc
       [not found] ` <1454095465-16685-1-git-send-email-xiyou.wangcong-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
  2016-02-24 18:41   ` Cong Wang
@ 2016-02-25  7:43   ` Samuel Ortiz
  1 sibling, 0 replies; 8+ messages in thread
From: Samuel Ortiz @ 2016-02-25  7:43 UTC (permalink / raw)
  To: Cong Wang
  Cc: netdev-u79uwXL29TY76Z2rM5mHXA, dvyukov-hpIqsD4AKlfQT0dZR+AlfA,
	linux-wireless-u79uwXL29TY76Z2rM5mHXA,
	julian.calaby-Re5JQEeQqe8AvxtiuMwx3w,
	eric.dumazet-Re5JQEeQqe8AvxtiuMwx3w, Lauro Ramos Venancio,
	Aloisio Almeida Jr

Hi Cong,

On Fri, Jan 29, 2016 at 11:24:24AM -0800, Cong Wang wrote:
> These two functions are called in sendmsg path, and the
> 'len' is passed from user-space, so we should not allow
> malicious users to OOM kernel on purpose.
> 
> Reported-by: Dmitry Vyukov <dvyukov-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
> Cc: Lauro Ramos Venancio <lauro.venancio-430g2QfJUUCGglJvpFV4uA@public.gmane.org>
> Cc: Aloisio Almeida Jr <aloisio.almeida-430g2QfJUUCGglJvpFV4uA@public.gmane.org>
> Cc: Samuel Ortiz <sameo-VuQAYsv1563Yd54FQh9/CA@public.gmane.org>
> Signed-off-by: Cong Wang <xiyou.wangcong-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> ---
>  net/nfc/llcp_commands.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
Applied to nfc-next, thanks.

Cheers,
Samuel.
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2016-02-25  7:43 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-01-29 19:24 [PATCH v2 net] nfc: use GFP_USER for user-controlled kmalloc Cong Wang
2016-01-29 19:46 ` Eric Dumazet
2016-01-29 22:01   ` Julian Calaby
     [not found] ` <1454095465-16685-1-git-send-email-xiyou.wangcong-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-02-24 18:41   ` Cong Wang
2016-02-24 18:45     ` David Miller
     [not found]       ` <20160224.134521.961009575129127582.davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
2016-02-24 18:53         ` Cong Wang
     [not found]     ` <CAM_iQpX3X6YoFeMw2KYjJM8yBHi9=3iapo0+a9Cqtc0cxM_QNA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-02-24 18:52       ` Samuel Ortiz
2016-02-25  7:43   ` Samuel Ortiz

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).