Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp279246ybt; Wed, 17 Jun 2020 00:16:35 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxsDHFOdcorkNHu2p+AXrqNVgP1Z5cMqAR4STzS2Ap4VtPAjrvEnh6/uhz0JD2tCkx7YNFb X-Received: by 2002:a50:f05d:: with SMTP id u29mr6061665edl.229.1592378194792; Wed, 17 Jun 2020 00:16:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592378194; cv=none; d=google.com; s=arc-20160816; b=C1bOpv7rIbU6HG0U12Rbj1Wh5Rm/kB6eMKv4iU31z5gDIEB3ISZm3YQVSihbPxNRCW qm8eGVSeEYU+6u0Y95l+M813I3XWirgZU7MBiszgz8b54P8ftOSdqw6wbpo+VkdxYW0F 2qjH00S9DyX/UQ4nlZA5d05BmtYZiwSolMkQFLkkpDMMSnRDvMsuqSfFSJxHOZRdCfab IqCHmLTQ3jb2767gu0wMxaLajh52bv2Mdt+S0TKpikp4ED/ulpeNPJHhdzrE47WWcYTc 1hxum2Hk1RS5Uja/kEbCgxlFyUlhESfl+7smR4xxHZuREYKydQSX4BpSFKW1zBEmYztF pmSg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from; bh=Hk7lOEy6ZMa9AEbG1WP+/dWreusRwqQLrR2awMiuFEk=; b=m9GqG2v9DUSVKCJteRrLdVHQdL4s4daZfqhJQVkiF/y4d6jZa8RAmq7r6OdZsq0q2T RtXKAkh2755F4H75ZDFWboxMMFb6DB6cdPoa3DUx4f+AphxuMWU/tEB6dUtNh4vAjGq6 lTAzzfeZeAv2g1Uxo7fteLyzb5AY8VwwCoj6EID8MuF2NeMhQuWtoZgu+sKdTClLuPyo vz+lhBc30M3sQNvTRXi7Y5YDGAoG3/ysZF8cKQPG4lFF6d1LGH2lcwAt3IUPudQq4pzI S4ofZBUyPprxVLeW9JTp+qPg2ewNUUWqE+qFtiPxwar/gj+f1QQD+ipddnULWZFxsclD wFTg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id gu20si12480535ejb.13.2020.06.17.00.16.11; Wed, 17 Jun 2020 00:16:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726634AbgFQHOX (ORCPT + 99 others); Wed, 17 Jun 2020 03:14:23 -0400 Received: from 107-174-27-60-host.colocrossing.com ([107.174.27.60]:43456 "EHLO ozlabs.ru" rhost-flags-OK-FAIL-OK-OK) by vger.kernel.org with ESMTP id S1725846AbgFQHOX (ORCPT ); Wed, 17 Jun 2020 03:14:23 -0400 X-Greylist: delayed 573 seconds by postgrey-1.27 at vger.kernel.org; Wed, 17 Jun 2020 03:14:23 EDT Received: from fstn1-p1.ozlabs.ibm.com (localhost [IPv6:::1]) by ozlabs.ru (Postfix) with ESMTP id 82849AE8000E; Wed, 17 Jun 2020 03:02:25 -0400 (EDT) From: Alexey Kardashevskiy To: linux-kernel@vger.kernel.org Cc: Alexey Kardashevskiy , Greg Kroah-Hartman , Jiri Slaby Subject: [PATCH kernel] tty/vt: Do not warn when huge selection requested Date: Wed, 17 Jun 2020 17:04:44 +1000 Message-Id: <20200617070444.116704-1-aik@ozlabs.ru> X-Mailer: git-send-email 2.17.1 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The tty TIOCL_SETSEL ioctl allocates a memory buffer big enough for text selection area. The maximum allowed console size is VC_RESIZE_MAXCOL * VC_RESIZE_MAXROW == 32767*32767 == ~1GB and typical MAX_ORDER is set to allow allocations lot less than than (circa 16MB). So it is quite possible to trigger huge allocation (and syzkaller just did that) which is going to fail (which is fine) with a backtrace in mm/page_alloc.c at WARN_ON_ONCE(!(gfp_mask & __GFP_NOWARN)) and this may trigger panic (if panic_on_warn is enabled) and leak kernel addresses to dmesg. This passes __GFP_NOWARN to kmalloc_array to avoid unnecessary user- triggered WARN_ON. Note that the error is not ignored and the warning is still printed. Signed-off-by: Alexey Kardashevskiy --- Hit this on ppc64 with 64K pages and MAX_ORDER=9 which (2**8)<<16 = 16MB. --- drivers/tty/vt/selection.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tty/vt/selection.c b/drivers/tty/vt/selection.c index 31bb3647a99c..8e74654c1b27 100644 --- a/drivers/tty/vt/selection.c +++ b/drivers/tty/vt/selection.c @@ -193,7 +193,7 @@ static int vc_selection_store_chars(struct vc_data *vc, bool unicode) /* Allocate a new buffer before freeing the old one ... */ /* chars can take up to 4 bytes with unicode */ bp = kmalloc_array((vc_sel.end - vc_sel.start) / 2 + 1, unicode ? 4 : 1, - GFP_KERNEL); + GFP_KERNEL | __GFP_NOWARN); if (!bp) { printk(KERN_WARNING "selection: kmalloc() failed\n"); clear_selection(); -- 2.17.1