On Tue 13-02-18 16:03:09, Paolo Bonzini wrote: > On 13/02/2018 15:48, Michal Hocko wrote: > > On Thu 08-02-18 13:35:08, David Rientjes wrote: > >> The KVM_SET_GSI_ROUTING ioctl does a vmalloc() of > >> sizeof(struct kvm_irq_routing_entry) multiplied by a user-supplied value. > >> This can be up to 4096 entries on architectures such as arm64 and s390 > >> (and the upper bound may be increased on s390 eventually). > >> > >> This can produce a vmalloc allocation failure warning: > >> > >> vmalloc: allocation failure: 0 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM) > > > > I am not arguing about the kvm change but do we actaully want to warn > > for 0 sized allocations? This just doesn't make much sense to me. > > In other words don't we want this? > > > > diff --git a/mm/vmalloc.c b/mm/vmalloc.c > > index 673942094328..c5d832510c54 100644 > > --- a/mm/vmalloc.c > > +++ b/mm/vmalloc.c > > @@ -1748,7 +1748,9 @@ void *__vmalloc_node_range(unsigned long size, unsigned long align, > > unsigned long real_size = size; > > > > size = PAGE_ALIGN(size); > > - if (!size || (size >> PAGE_SHIFT) > totalram_pages) > > + if (!size) > > + return NULL; > > + if ((size >> PAGE_SHIFT) > totalram_pages) > > goto fail; > > > > area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNINITIALIZED | > > > > There have been quite a few reports of this from syzkaller and generally > we've fixed them. It does seem like a recipe for NULL-pointer > dereferences when the size is user-controlled (as in this case). We do return NULL for that case regardless the above. The patch just doesn't warn. Or do you think it is helpful to warn? -- Michal Hocko SUSE Labs
