[PATCH v2] mm: memdup_user*() should use same gfp flags

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

syzbot is reporting that memdup_user_nul() which receives user-controlled
size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit
order >= MAX_ORDER path [1].

Let's add __GFP_NOWARN to memdup_user_nul() as with commit 6c8fcc096be9d02f
("mm: don't let userspace spam allocations warnings"). Also use GFP_USER as
with commit 6c2c97a24f096e32 ("memdup_user(): switch to GFP_USER").

[1] https://syzkaller.appspot.com/bug?id=8bf7efb3db19101b4008dc9198522ef977d098a6

Reported-by: syzbot <syzbot+a71a442385a0b2815497@xxxxxxxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
---
 mm/util.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/mm/util.c b/mm/util.c
index 8c9b7d1e7c49..265b40a86856 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -252,12 +252,7 @@ void *memdup_user_nul(const void __user *src, size_t len)
 {
 	char *p;
 
-	/*
-	 * Always use GFP_KERNEL, since copy_from_user() can sleep and
-	 * cause pagefault, which makes it pointless to use GFP_NOFS
-	 * or GFP_ATOMIC.
-	 */
-	p = kmalloc_track_caller(len + 1, GFP_KERNEL);
+	p = kmalloc_track_caller(len + 1, GFP_USER | __GFP_NOWARN);
 	if (!p)
 		return ERR_PTR(-ENOMEM);
 
-- 
2.18.4
[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux