[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <F5DF708C-0235-4D21-AF7A-4C4CC37462EB@oracle.com>
Date: Mon, 1 Feb 2021 20:40:57 +0000
From: Santosh Shilimkar <santosh.shilimkar@...cle.com>
To: Sabyrzhan Tasbolatov <snovitoll@...il.com>
CC: "davem@...emloft.net" <davem@...emloft.net>,
"kuba@...nel.org" <kuba@...nel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"linux-rdma@...r.kernel.org" <linux-rdma@...r.kernel.org>,
"rds-devel@....oracle.com" <rds-devel@....oracle.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"syzbot+1bd2b07f93745fa38425@...kaller.appspotmail.com"
<syzbot+1bd2b07f93745fa38425@...kaller.appspotmail.com>
Subject: Re: [PATCH] net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS
On Feb 1, 2021, at 12:32 PM, Sabyrzhan Tasbolatov <snovitoll@...il.com> wrote:
>
> syzbot found WARNING in rds_rdma_extra_size [1] when RDS_CMSG_RDMA_ARGS
> control message is passed with user-controlled
> 0x40001 bytes of args->nr_local, causing order >= MAX_ORDER condition.
>
> The exact value 0x40001 can be checked with UIO_MAXIOV which is 0x400.
> So for kcalloc() 0x400 iovecs with sizeof(struct rds_iovec) = 0x10
> is the closest limit, with 0x10 leftover.
>
> Same condition is currently done in rds_cmsg_rdma_args().
>
> [1] WARNING: mm/page_alloc.c:5011
> [..]
> Call Trace:
> alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267
> alloc_pages include/linux/gfp.h:547 [inline]
> kmalloc_order+0x2e/0xb0 mm/slab_common.c:837
> kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853
> kmalloc_array include/linux/slab.h:592 [inline]
> kcalloc include/linux/slab.h:621 [inline]
> rds_rdma_extra_size+0xb2/0x3b0 net/rds/rdma.c:568
> rds_rm_size net/rds/send.c:928 [inline]
>
> Reported-by: syzbot+1bd2b07f93745fa38425@...kaller.appspotmail.com
> Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@...il.com>
> —
Looks fine by me.
Acked-by: Santosh Shilimkar <santosh.shilimkar@...cle.com>
Powered by blists - more mailing lists