Message ID | 20230919230909.530174-2-gregory.price@memverge.com |
---|---|
State | Accepted |
Commit | 229e2253766c7cdfe024f1fe280020cc4711087c |
Series | move_phys_pages syscall |
On Tue, Sep 19, 2023, at 19:09, Gregory Price wrote:
> do_pages_move does not handle compat pointers for the page list
> correctly. Add in_compat_syscall check and appropriate get_user
> fetch when iterating the page list.
>
> Signed-off-by: Gregory Price <gregory.price@memverge.com>
> Reported-by: Arnd Bergmann <arnd@arndb.de>
> Co-developed-by: Arnd Bergmann <arnd@arndb.de>

Looks correct to me, thanks for fixing it!

Reviewed-by: Arnd Bergmann <arnd@arndb.de>

You can also blame me for breaking it in the first place

Fixes: 5b1b561ba73c ("mm: simplify compat_sys_move_pages")

Arnd
diff --git a/mm/migrate.c b/mm/migrate.c index b7fa020003f3..a0b0c5a7f8a5 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -2159,6 +2159,7 @@ static int do_pages_move(struct mm_struct *mm, nodemask_t task_nodes, const int __user *nodes, int __user *status, int flags) { + compat_uptr_t __user *compat_pages = (void __user *)pages; int current_node = NUMA_NO_NODE; LIST_HEAD(pagelist); int start, i; @@ -2171,8 +2172,17 @@ static int do_pages_move(struct mm_struct *mm, nodemask_t task_nodes, int node; err = -EFAULT; - if (get_user(p, pages + i)) - goto out_flush; + if (in_compat_syscall()) { + compat_uptr_t cp; + + if (get_user(cp, compat_pages + i)) + goto out_flush; + + p = compat_ptr(cp); + } else { + if (get_user(p, pages + i)) + goto out_flush; + } if (get_user(node, nodes + i)) goto out_flush;
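Review bot: the new `compat_pages` declaration in the first hunk casts `pages` through `(void __user *)` without a comment, so a reader has to find the compat branch further down to learn that the same user buffer is being reinterpreted as an array of 32-bit `compat_uptr_t` entries. A one-line comment on the declaration stating that the alias is only meaningful when in_compat_syscall() is true would document the intent and make it harder for a later change to use `compat_pages` on the native path by mistake.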
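Review bot: in the second hunk the `get_user()` / `goto out_flush` pair is now written out twice, and in_compat_syscall() is evaluated for every index `i` even though its result cannot change during the call. Consider a small helper that takes `pages` and `i` and fills in `p` (returning nonzero on fault), so the compat and native fetches live in one place and the call site keeps a single `goto out_flush`. The `nodes + i` fetch that follows is correctly left alone, since `int` has the same layout for compat callers.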
do_pages_move does not handle compat pointers for the page list
correctly. Add in_compat_syscall check and appropriate get_user
fetch when iterating the page list.

Signed-off-by: Gregory Price <gregory.price@memverge.com>
Reported-by: Arnd Bergmann <arnd@arndb.de>
Co-developed-by: Arnd Bergmann <arnd@arndb.de>
---
 mm/migrate.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)