Revision b71dbf1032f546bf3efd60fb5d9d0cefd200a508 authored by Darrick J. Wong on 15 September 2016, 03:20:44 UTC, committed by Linus Torvalds on 15 September 2016, 20:29:52 UTC
Kirill A Shutemov reports that the kernel doesn't try to cap dest_count in any way, and uses the number to allocate kernel memory. This causes high order allocation warnings in the kernel log if someone passes in a big enough value. We should clamp the allocation at PAGE_SIZE to avoid stressing the VM. The two existing users of the dedupe ioctl never send more than 120 requests, so we can safely clamp dest_range at PAGE_SIZE, because with 4k pages we can handle up to 127 dedupe candidates. Given the max extent length of 16MB, we can end up doing 2GB of IO which is plenty. [ Note: the "offsetof()" can't overflow, because 'count' is just a 16-bit integer. That's not obvious in the limited context of the patch, so I'm noting it here because it made me go look. - Linus ] Reported-by: "Kirill A. Shutemov" <kirill@shutemov.name> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 5297e0f
| File | Mode | Size |
|---|---|---|
| Makefile | -rw-r--r-- | 377 bytes |
| compat.c | -rw-r--r-- | 19.1 KB |
| compat_mq.c | -rw-r--r-- | 3.9 KB |
| ipc_sysctl.c | -rw-r--r-- | 5.4 KB |
| mq_sysctl.c | -rw-r--r-- | 2.9 KB |
| mqueue.c | -rw-r--r-- | 35.6 KB |
| msg.c | -rw-r--r-- | 24.1 KB |
| msgutil.c | -rw-r--r-- | 3.6 KB |
| namespace.c | -rw-r--r-- | 3.9 KB |
| sem.c | -rw-r--r-- | 55.9 KB |
| shm.c | -rw-r--r-- | 33.3 KB |
| syscall.c | -rw-r--r-- | 2.3 KB |
| util.c | -rw-r--r-- | 21.1 KB |
| util.h | -rw-r--r-- | 6.4 KB |
Computing file changes ...
