Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Date:   Wed, 2 Dec 2020 11:05:50 +0100
From:   Stefano Garzarella <sgarzare@redhat.com>
To:     Norbert Slusarek <nslusarek@gmx.net>,
        Jorgen Hansen <jhansen@vmware.com>,
        Arnd Bergmann <arnd@kernel.org>
Cc:     gregkh <gregkh@linuxfoundation.org>, Arnd Bergmann <arnd@arndb.de>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH RESEND] misc/vmw_vmci: bail out earlier on too big queue
 allocation
Message-ID: <CAGxU2F7-suw3PT0GKw68AHTaOzUOgbBRCZmNOZd+MH+Y+q8EyA@mail.gmail.com>
References: <trinity-56749cfc-536b-45e2-8e6f-621754c07824-1606165260518@3c-app-gmx-bs09>
 <CAK8P3a2dq8VtYARPS9r9aeJipA3hD9M01wmEJ8LuZT1_Taav3w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAK8P3a2dq8VtYARPS9r9aeJipA3hD9M01wmEJ8LuZT1_Taav3w@mail.gmail.com>
Precedence: bulk

On Tue, Dec 1, 2020 at 9:21 PM Arnd Bergmann <arnd@kernel.org> wrote:
>
> On Mon, Nov 23, 2020 at 10:01 PM Norbert Slusarek <nslusarek@gmx.net> wrote:
> >
> > From: Norbert Slusarek <nslusarek@gmx.net>
> > Date: Mon, 23 Nov 2020 21:53:41 +0100
> > Subject: [PATCH RESEND] misc/vmw_vmci: bail out earlier on too big queue allocation
> >
> > For the allocation of a queue pair in qp_host_alloc_queue() an arbitrary value
> > can be passed for produce_size, which can lead to miscalculation of memory we'd
> > like to allocate in one take. A warning is triggered at __alloc_pages_nodemask()
> > in mm/page_alloc.c:4737 which aborts the false allocation, but it results in a
> > VMware machine freezing for an infinite time.
> >
> > Signed-off-by: Norbert Slusarek <nslusarek@gmx.net>
>
> Thank you for sending a patch with such a detailed analysis and even
> including a test case!

Yeah agree, very good details!

>
> > diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c
> > index c49065887e8f..997ff32475b2 100644
> > --- a/drivers/misc/vmw_vmci/vmci_queue_pair.c
> > +++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c
> > @@ -526,6 +526,7 @@ static struct vmci_queue *qp_host_alloc_queue(u64 size)
> >         struct vmci_queue *queue;
> >         size_t queue_page_size;
> >         u64 num_pages;
> > +       unsigned int order;
> >         const size_t queue_size = sizeof(*queue) + sizeof(*(queue->kernel_if));
> >
> >         if (size > SIZE_MAX - PAGE_SIZE)
> > @@ -537,6 +538,10 @@ static struct vmci_queue *qp_host_alloc_queue(u64 size)
> >
> >         queue_page_size = num_pages * sizeof(*queue->kernel_if->u.h.page);
> >
> > +       order = get_order(queue_size + queue_page_size);
> > +       if (order >= MAX_ORDER)
> > +               return NULL;
> > +
> >         queue = kzalloc(queue_size + queue_page_size, GFP_KERNEL);
>
> Calling kzalloc() with that user-provided size may still not be a great
> idea, and MAX_ORDER is probably more than anyone ever needs here
> (I don't know what the interface is needed for, but usually it is).
>
> If there is a reasonable upper bound smaller than MAX_ORDER, I
> would suggest using that. It might also be helpful to use kvzalloc()/kvfree()
> in this case, which can return an arbitrary number of pages
> and suffers less from fragmentation.

I don't know well vmw_vmci, but I took a brief look, and I saw that 
there is a macro (VMCI_MAX_GUEST_QP_MEMORY) used in vmci_qpair_alloc(), 
I'm not sure if we can use the same macro, but maybe something similar.

Honestly I don't know where that limit comes from, maybe it was chosen 
as an arbitrary and reasonable value but I suggest to check if we can 
reuse the same macro here with some adjustments.
I think in some way that limit is related to the max memory that the 
host should allocate.

@Jorgen any thought?

Thanks,
Stefano

>
> Note that both kzalloc() and kvzalloc() will fail for much smaller
> sizes if the kernel is low on memory, so that might have the same
> problem.
>
>        Arnd
>