On Wed 27-01-21 15:19:40, Andrew Morton wrote: > On Wed, 27 Jan 2021 23:03:33 +0900 Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote: > > > On 2021/01/27 21:17, Michal Hocko wrote: > > > On Wed 27-01-21 12:59:28, Michal Hocko wrote: > > >> On Wed 27-01-21 19:55:38, Tetsuo Handa wrote: > > >>> syzbot is reporting that memdup_user_nul() which receives user-controlled > > >>> size (which can be up to (INT_MAX & PAGE_MASK)) via vfs_write() will hit > > >>> order >= MAX_ORDER path [1]. > > >>> > > >>> Making costly allocations (order > PAGE_ALLOC_COSTLY_ORDER) naturally fail > > >>> should be better than trying to enforce PAGE_SIZE upper limit, for some of > > >>> callers accept space-delimited list arguments. > > >>> > > >>> Therefore, let's add __GFP_NOWARN to memdup_user_nul() as with > > >>> commit 6c8fcc096be9d02f ("mm: don't let userspace spam allocations > > >>> warnings"). Also use GFP_USER as with other userspace-controllable > > >>> allocations like memdup_user(). > > >> > > >> I absolutely detest hiding this behind __GFP_NOWARN. There should be no > > >> reason to even try hard for memdup_user_nul. Can you explain why this > > > > > > this should have been "try hard to get a physicaly contiguous memory for memdup_user_nul" > > > > > >> cannot use kvmalloc instead? > > > > > > > There is no point with allowing userspace to allocate 2GB of physically non-contiguous > > memory using kvmalloc(). Size is controlled by userspace, and memdup_user_nul() is used > > for allocating temporary memory which will be released before returning to userspace. > > > > Sane userspace processes should allocate only one or a few pages using memdup_user_nul(). > > Just making insane user processes (like fuzzer) fail memory allocation requests is a > > reasonable decision. > > (cc Casey) > > I'd say that the immediate problem is in smk_write_syslog(). Obviously > it was implemented expecting small writes, but the fuzzer is passing it a > huge write and things fall apart. I am not familiar with this particular caller and having a limit check which suits that particular usage is a reasonable thing to do. I do argue two things - using NOWARN to work around potentially buggy callers is just sweeping the mess under the rug and opens - these helper functions are to help copy user input and that doesn't really need physically contiguous pages. This can even become dangerous as a higher order depleting vector and DoS via OOM in the worst case. >From that it sounds natural that the helper should be using kvmalloc. This will not solve a due size check on the caller side but that is not possible from a generic helper library function anyway. But it will provide a reasonable allocation policy. -- Michal Hocko SUSE Labs