From: Chen Lin
To: akpm@linux-foundation.org
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Chen Lin
Subject: [PATCH] mm: page_frag: Warn_on when frag_alloc size is bigger than PAGE_SIZE
Date: Sat, 28 May 2022 23:39:33 +0800
Message-Id: <1653752373-3172-1-git-send-email-chen45464546@163.com>
X-Mailer: git-send-email 1.7.9.5
X-Mailing-List: linux-kernel@vger.kernel.org

netdev_alloc_frag->page_frag_alloc may cause memory corruption in the following process:

1. A netdev_alloc_frag function call needs to allocate 200 bytes to build an skb.
2. There is insufficient memory to allocate PAGE_FRAG_CACHE_MAX_ORDER (32K) in __page_frag_cache_refill to fill the frag cache, so one page (e.g. 4K) is allocated; now the current frag cache is 4K, the allocation succeeds, nc->pagecnt_bias--.
3. Then the 200-byte skb from step 1 is freed, page->_refcount--.
4. Another netdev_alloc_frag function call needs to allocate 5K; page->_refcount is equal to nc->pagecnt_bias, so the page count bias and offset are reset to the start of a new frag. page_frag_alloc will return the 4K memory for a 5K memory request.
5. The caller writes to the extra 1K of memory which is not actually allocated, which will cause memory corruption.

page_frag_alloc is for fragmented allocation.
We should warn the caller to avoid memory corruption.

Signed-off-by: Chen Lin
---
 mm/page_alloc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index e008a3d..6c0db52 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -5574,6 +5574,11 @@ void *page_frag_alloc_align(struct page_frag_cache *nc, struct page *page; int offset; + /* frag_alloc is not suitable for memory alloc which fragsz + * is bigger than PAGE_SIZE, use kmalloc or alloc_pages instead. + */ + WARN_ON(fragsz > PAGE_SIZE); + if (unlikely(!nc->va)) { refill: page = __page_frag_cache_refill(nc, gfp_mask);
-- 
1.7.9.5
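Review bot: the added WARN_ON(fragsz > PAGE_SIZE) reports the oversize request but then falls through into the same allocation path the commit message says hands back an undersized fragment, so the caller still receives the buffer that corrupts memory; make it a hard failure, e.g. `if (WARN_ON_ONCE(fragsz > PAGE_SIZE)) return NULL;`, and use the _ONCE form, since this is the netdev_alloc_frag fast path and one misbehaving caller would otherwise log a splat on every allocation. Note also that the check keys on PAGE_SIZE unconditionally, while per step 2 of the description the cache normally holds a 32K page and only falls back to a single page under memory pressure, so a 5K request that is served correctly from a 32K cache would now warn as well; a narrower check would compare the request against the size of the page the cache actually obtained at the point where the bias and offset are reset. Finally, the comment opens with text on the `/*` line; mm/ follows the general kernel style with `/*` on its own line.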
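As an added example, not part of this patch or of the kernel source, the following user-space C model reproduces the bookkeeping in the five steps of the description and shows the offset that comes back for the 5K request. The struct and constant names (model_frag_cache, MODEL_PAGE_SIZE, MODEL_FRAG_CACHE_MAX) are this example's own stand-ins for page_frag_cache, PAGE_SIZE and PAGE_FRAG_CACHE_MAX_SIZE; the page, its reference count and the forced order-0 fallback are simulated, and the `hardened` check is an illustration of one possible hard failure, not the patch's WARN_ON.

```c
/*
 * Added example, not part of the patch or of the kernel: a user-space model
 * of the page_frag cache bookkeeping described in the commit message.  The
 * field names (size, offset, pagecnt_bias) mirror the kernel's, but the
 * "page", its refcount and the forced order-0 fallback are simulated, and
 * the allocator returns an offset rather than a pointer so that a negative
 * result can be inspected instead of dereferenced.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MODEL_PAGE_SIZE      4096u   /* stands in for PAGE_SIZE */
#define MODEL_FRAG_CACHE_MAX 32768u  /* stands in for PAGE_FRAG_CACHE_MAX_SIZE */
#define MODEL_FRAG_FAILED    INT_MIN /* allocation refused / no memory */

/* Simulated backing page: only its size and reference count matter here. */
struct model_page {
	unsigned int size;   /* bytes actually allocated for this page */
	int refcount;        /* stands in for page->_refcount */
};

/* Mirrors the fields of struct page_frag_cache that the bug depends on. */
struct model_frag_cache {
	struct model_page *page;
	unsigned int size;          /* size of the current cache page */
	int offset;                 /* next fragment is carved downward from here */
	unsigned int pagecnt_bias;  /* references the cache still holds */
};

/* __page_frag_cache_refill(): try the large page, fall back to one page. */
static struct model_page *model_refill(struct model_frag_cache *nc,
				       bool high_order_fails)
{
	struct model_page *page = malloc(sizeof(*page));

	if (!page)
		return NULL;
	page->size = high_order_fails ? MODEL_PAGE_SIZE : MODEL_FRAG_CACHE_MAX;
	page->refcount = MODEL_FRAG_CACHE_MAX + 1;
	nc->page = page;
	nc->size = page->size;
	nc->offset = (int)page->size;
	nc->pagecnt_bias = MODEL_FRAG_CACHE_MAX + 1;
	return page;
}

/* page_frag_free(): releasing a fragment drops one reference on its page. */
static void model_frag_free(struct model_page *page)
{
	page->refcount--;
}

/*
 * page_frag_alloc_align() bookkeeping.  Returns the byte offset of the new
 * fragment inside the current page, or MODEL_FRAG_FAILED.  With hardened
 * false it reproduces the fall-through in the description: after the cache
 * is reset, offset = size - fragsz goes negative and is still handed out.
 * With hardened true that case fails (this check is the example's own).
 */
static int model_frag_alloc(struct model_frag_cache *nc, unsigned int fragsz,
			    bool high_order_fails, bool hardened)
{
	struct model_page *page;
	int offset;

	if (!nc->page) {
refill:
		page = model_refill(nc, high_order_fails);
		if (!page)
			return MODEL_FRAG_FAILED;
	}

	offset = nc->offset - (int)fragsz;
	if (offset < 0) {
		page = nc->page;

		/* page_ref_sub_and_test(): does anyone else still use the page? */
		page->refcount -= (int)nc->pagecnt_bias;
		if (page->refcount != 0) {
			nc->page = NULL;   /* leave it to its remaining users */
			goto refill;
		}

		/* Page is ours again: reset bias and start over from the top. */
		page->refcount = MODEL_FRAG_CACHE_MAX + 1;
		nc->pagecnt_bias = MODEL_FRAG_CACHE_MAX + 1;
		offset = (int)nc->size - (int)fragsz;
		if (hardened && offset < 0)
			return MODEL_FRAG_FAILED;  /* page cannot back this request */
	}

	nc->pagecnt_bias--;
	nc->offset = offset;
	return offset;
}

/*
 * The five steps from the description: a 200-byte fragment from a cache
 * that fell back to a 4K page, that fragment is freed, then a 5K request.
 * Returns the offset handed out for the 5K request; a negative offset means
 * the fragment starts before the page, i.e. the corruption described above.
 */
static int run_scenario(bool high_order_fails, bool hardened)
{
	struct model_frag_cache nc = { 0 };
	int off_small, off_big;

	off_small = model_frag_alloc(&nc, 200, high_order_fails, hardened);
	if (off_small < 0)
		return MODEL_FRAG_FAILED;
	model_frag_free(nc.page);
	off_big = model_frag_alloc(&nc, 5 * 1024, high_order_fails, hardened);
	free(nc.page);
	return off_big;
}

int main(void)
{
	printf("4K fallback page, unhardened: offset %d\n", run_scenario(true, false));
	printf("4K fallback page, hardened:   offset %d\n", run_scenario(true, true));
	printf("32K cache page, hardened:     offset %d\n", run_scenario(false, true));
	return 0;
}
```

Built with `cc -Wall`, the unhardened fallback run returns offset -1024: the 5K fragment is placed 1K outside the 4K page the cache actually holds, which is the spill the description calls out. The hardened variant refuses only when the page it obtained cannot hold the request, so the same 5K request served from a 32K cache page still succeeds with offset 27448.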