On 2021/01/25 22:32, Michal Hocko wrote: > On Fri 22-01-21 19:47:42, Tetsuo Handa wrote: >> On 2021/01/22 10:35, Andrew Morton wrote: >>> On Wed, 20 Jan 2021 19:34:36 +0900 Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote: >>> >>>> syzbot is reporting that memdup_user_nul() which receives user-controlled >>>> size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit >>>> order >= MAX_ORDER path [1]. > > That is nasty! That's because -EFAULT will not be detected before memory allocation succeeds. Fuzzer is passing huge size without corresponding valid buffer. syscall(__NR_write, r[0], 0x200000c0ul, 0x200000cbul); > >>>> Let's add __GFP_NOWARN to memdup_user_nul() as with commit 6c8fcc096be9d02f >>>> ("mm: don't let userspace spam allocations warnings"). Also use GFP_USER as >>>> with commit 6c2c97a24f096e32 ("memdup_user(): switch to GFP_USER"). > > No, this is papering over a more troubling underlying problem. Userspace > shouldn't be able to trigger an aribitrary higher order allocations. That requires inserting max size checking before calling memdup_user_nul(). Oh, scattering around such checking is not nice. Add max length argument into memdup_user_nul() like strndup_user() ? > Those users with a large size to copy should be really using kvmalloc > based (e.g vmemdup_user). No. The caller in this case (writing an entry to smackfs) is not expecting such large allocations. Sane allocation size would be always less than PAGE_SIZE. > >>> That commit failed to explain why a switch to GFP_USER was performed, >>> so that commit isn't a good substitute for an explanation of this >>> change. >> >> For example, commit 2f77d107050abc14 ("Fix incorrect user space access locking >> in mincore()") silently converted GFP_KERNEL to GFP_USER. >> >> #define GFP_KERNEL (__GFP_RECLAIM | __GFP_IO | __GFP_FS) >> #define GFP_USER (__GFP_RECLAIM | __GFP_IO | __GFP_FS | __GFP_HARDWALL) >> >> * %GFP_KERNEL is typical for kernel-internal allocations. The caller requires >> * %ZONE_NORMAL or a lower zone for direct access but can direct reclaim. >> >> * %GFP_USER is for userspace allocations that also need to be directly >> * accessibly by the kernel or hardware. It is typically used by hardware >> * for buffers that are mapped to userspace (e.g. graphics) that hardware >> * still must DMA to. cpuset limits are enforced for these allocations. >> >> * %__GFP_HARDWALL enforces the cpuset memory allocation policy. >> >>> >>> So... please fully describe the reason for this change right here in >>> this patch's changelog. >> >> I guess that GFP_USER is chosen by cautious developers when memory is >> allocated by userspace request. Is there a guideline for when to use GFP_USER ? > > I do not think we have anything better than the above. GFP_USER is > indeed used for userspace controlable allocations. So they can be a > subject to a more strict cpu policy. memdup_user_nul looks like a good > fit for GFP_USER to me. memdup_user and other variant already does this. > Hmm, Sabyrzhan already proposed a patch that adds size check to the caller, but it seems that that patch missed smk_write_ambient()/smk_write_onlycap()/smk_write_unconfined() etc. Oh, bug-prone approach. Why not handle at memdup_user_nul() side?