Received: by 2002:a05:6602:18e:0:0:0:0 with SMTP id m14csp5135315ioo; Tue, 31 May 2022 21:38:24 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzDzuAxhUqs6JJoCppjd3GMIMrsDtbponh8A+x08liNZ3NVqixSPb3krDM0RBhgZR45sHpJ X-Received: by 2002:a17:907:7b9e:b0:6fe:d8df:d1e7 with SMTP id ne30-20020a1709077b9e00b006fed8dfd1e7mr41791296ejc.225.1654058304202; Tue, 31 May 2022 21:38:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1654058304; cv=none; d=google.com; s=arc-20160816; b=FP9kGlPiYEFm1G/GFVzYTq7ib0bqnZ027mDgfS+8mBErBQCn89vt6gnJtthqEvZ+8p YSMEHRo96WZWW3J0JE6CXMlav8e/3CCv3Vi9DDrF9+zoYcbH4SFNNT/SUw8LanNkSfyI lH4WOMwtW8a0eJ+zQCmWpRfVqCu+6aA2yZnisfwjLFuD0kF1vaT6HDhAtLatEsPZAquO SDxdjKQi+a1AaST48fUIxRXIWBATbH8B2x0Rj+hAeNrFBOlycXSMmJt0G5iszOnjwMMf IE0UOGlwdQ3KoNW52xeHuyg3g6blCsXa5D5ZNOg8cM4o3OJmA8rl6lDigHuoAPcSMzD5 zQpw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date :dkim-signature; bh=MkU916QbEgDI+uKTU7yPN/+EjCqkMHLvMrIXE3UBPNo=; b=f7kbQvRTfRPg4QGNNlP1r8QlqL7Nz19YpSB4BY2W/YNB5utlIpabRcvKMYhH7Q4kPI CrYZaUZ6JcSThBmpmqnoDUBN9a2lWqUTagD3S3biLVZN4VZ/DNZeZtRFuZ0+j30rcmTe J2i5xHk+olFJ4FQ1XWvQtZazNG7JgZdzvr4FvVpz6WgIuYNlkFET5pJGNuF5KjokOAur owHhS0znoiEC+ANaIStT1iSi/ntzWLFtCb+121BipePPJBSpDbxB99+8BdDQUAzlzar0 k6qS+tH5rZpui7QZhfp1i7sWXO1rHx8iWONdbUkJs7SHZHuS6inHtlpDkoF2umC8S8GV jENw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=korg header.b=UKcu6oBA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p13-20020a50cd8d000000b0042dca787d25si719459edi.360.2022.05.31.21.37.57; Tue, 31 May 2022 21:38:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=korg header.b=UKcu6oBA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242186AbiE3UHJ (ORCPT + 99 others); Mon, 30 May 2022 16:07:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58546 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238421AbiE3UHJ (ORCPT ); Mon, 30 May 2022 16:07:09 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B94B23A5EA; Mon, 30 May 2022 13:07:07 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 536FD60F07; Mon, 30 May 2022 20:07:07 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 83F96C385B8; Mon, 30 May 2022 20:07:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linux-foundation.org; s=korg; t=1653941226; bh=IceWjrQYTWx7mJhwvWrILoecanQR/v6aI5fgN3w/Z6M=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=UKcu6oBA4OkyYyd4gqvvLzf6pUAiSjmWDo2UTQBcfEzHlVORWQTrDxG26KuK7bVbc uSt0Wn04xLzbkFGtKHtq8LvlOxcrHkPCRPpAVeYS19ZIcCEPrf+V1up1LiDZzEm+1K lYZll9twRNetusEsoa7avPOcR+QpEuZszGyf8at0= Date: Mon, 30 May 2022 13:07:05 -0700 From: Andrew Morton To: Chen Lin Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, alexander.h.duyck@linux.intel.com, netdev@vger.kernel.org Subject: Re: [PATCH v2] mm: page_frag: Warn_on when frag_alloc size is bigger than PAGE_SIZE Message-Id: <20220530130705.29c5fa4a5225265d3736bfa4@linux-foundation.org> In-Reply-To: <1653917942-5982-1-git-send-email-chen45464546@163.com> References: <20220529163029.12425c1e5286d7c7e3fe3708@linux-foundation.org> <1653917942-5982-1-git-send-email-chen45464546@163.com> X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; x86_64-redhat-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 30 May 2022 21:39:02 +0800 Chen Lin wrote: > netdev_alloc_frag->page_frag_alloc may cause memory corruption in > the following process: > > 1. A netdev_alloc_frag function call need alloc 200 Bytes to build a skb. > > 2. Insufficient memory to alloc PAGE_FRAG_CACHE_MAX_ORDER(32K) in > __page_frag_cache_refill to fill frag cache, then one page(eg:4K) > is allocated, now current frag cache is 4K, alloc is success, > nc->pagecnt_bias--. > > 3. Then this 200 bytes skb in step 1 is freed, page->_refcount--. > > 4. Another netdev_alloc_frag function call need alloc 5k, page->_refcount > is equal to nc->pagecnt_bias, reset page count bias and offset to > start of new frag. page_frag_alloc will return the 4K memory for a > 5K memory request. > > 5. The caller write on the extra 1k memory which is not actual allocated > will cause memory corruption. > > page_frag_alloc is for fragmented allocation. We should warn the caller > to avoid memory corruption. > > When fragsz is larger than one page, we report the failure and return. > I don't think it is a good idea to make efforts to support the > allocation of more than one page in this function because the total > frag cache size(PAGE_FRAG_CACHE_MAX_SIZE 32768) is relatively small. > When the request is larger than one page, the caller should switch to > use other kernel interfaces, such as kmalloc and alloc_Pages. > > This bug is mainly caused by the reuse of the previously allocated > frag cache memory by the following LARGER allocations. This bug existed > before page_frag_alloc was ported from __netdev_alloc_frag in > net/core/skbuff.c, so most Linux versions have this problem. > I won't attempt to address the large issues here (like, should networking be changed to support this). But I can nitpick :) > --- a/mm/page_alloc.c > +++ b/mm/page_alloc.c > @@ -5574,6 +5574,16 @@ void *page_frag_alloc_align(struct page_frag_cache *nc, > struct page *page; > int offset; > > + /* frag_alloc is not suitable for memory alloc which fragsz Like this please: /* * frag_alloc... > + * is bigger than PAGE_SIZE, use kmalloc or alloc_pages instead. > + */ > + if (unlikely(fragsz > PAGE_SIZE)) { > + WARN(1, "alloc fragsz(%d) > PAGE_SIZE(%ld) not supported, > + alloc fail\n", fragsz, PAGE_SIZE); It's neater to do if (WARN(fragsz > PAGE_SIZE, "alloc fragsz(%d...", ...)) return NULL; Also, you have a newline and a bunch of tabs in that string. Also, please consider WARN_ONCE. We don't want to provide misbehaved or malicious userspace with the ability to flood the logs with warnings.