From patchwork Sat Dec 26 07:42:10 2015
X-Patchwork-Submitter: Yang Yingliang
X-Patchwork-Id: 7921391
From: Yang Yingliang
Subject: [RFC PATCH] ARM64: mm: check if the read/write block is in memblock
Date: Sat, 26 Dec 2015 15:42:10 +0800
Message-ID: <1451115730-4244-1-git-send-email-yangyingliang@huawei.com>
Cc: Ard Biesheuvel, Catalin Marinas, Will Deacon, Leif Lindholm, Yang Yingliang, Xishi Qiu

If the address is a non-RAM address, reading or writing /dev/mem will
cause an exception. It is not enough to just check whether the address is
beyond high_memory in valid_phys_addr_range() when we read/write /dev/mem,
because there may be memory holes below high_memory; when the system tries
to access them, it will trigger an exception. To avoid the exception,
valid_phys_addr_range() needs to check whether the read/write range is a
subset of a System RAM region.

Reproduce the problem by command:
# cat /dev/mem > /tmp/mem
Unable to handle kernel paging request at virtual address ffff80007fc00000
pgd = ffff8011f5ee8000
[ffff80007fc00000] *pgd=0000000000000000
Internal error: Oops: 96000006 [#1] SMP
Modules linked in:
CPU: 2 PID: 885 Comm: cat Not tainted 4.1.12+ #3
task: ffff8011f604a100 ti: ffff8011f54b4000 task.ti: ffff8011f54b4000
PC is at __copy_to_user+0xc/0x60
LR is at read_mem+0xc8/0x150
pc : [] lr : [] pstate: 20000145
sp : ffff8011f54b7d70
x29: ffff8011f54b7d70 x28: ffff800000987000
x27: 0000fffffcda5c70 x26: 000000007fc00000
x25: 0000000000001000 x24: ffff8011f54b4000
x23: ffff800000000000 x22: 0000000000001000
x21: 0000000000000000 x20: ffff8011f54b7ec8
x19: 0000000000001000 x18: 0000000000000000
x17: 0000ffff7c4e8e10 x16: ffff8000001aabd0
x15: 000000000000579b x14: 0000ffff7c42daa0
x13: 0000ffff7c430aa8 x12: 000000000000081a
x11: 0101010101010101 x10: 0000ffff7c645cb0
x9 : 6b6872731f203c1f x8 : 000000000000003f
x7 : 0000000000000000 x6 : ffff8000006c5c68
x5 : ffff8000004020b0 x4 : 0000fffffcda6c70
x3 : 0000000000000001 x2 : 0000000000000ff8
x1 : ffff80007fc00000 x0 : 0000fffffcda5c70

Process cat (pid: 885, stack limit = 0xffff8011f54b4020)
Stack: (0xffff8011f54b7d70 to 0xffff8011f54b8000)
Call trace:
[] __copy_to_user+0xc/0x60
[] __vfs_read+0x24/0x110
[] vfs_read+0x78/0x150
[] SyS_read+0x40/0xa0
Code: 1f2003d5 0400028b 422000f1 a4000054 (238440f8)
---[ end trace 0fa00f6f46f79c5a ]---

Signed-off-by: Yang Yingliang
Cc: Catalin Marinas
Cc: Will Deacon
Cc: Ard Biesheuvel
Cc: Leif Lindholm
Cc: Xishi Qiu
---
 arch/arm64/mm/mmap.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/mm/mmap.c b/arch/arm64/mm/mmap.c index ed17747..5e89dcf 100644 --- a/arch/arm64/mm/mmap.c +++ b/arch/arm64/mm/mmap.c @@ -26,6 +26,7 @@ #include #include #include +#include #include 
@@ -100,12 +101,24 @@ EXPORT_SYMBOL_GPL(arch_pick_mmap_layout); */ int valid_phys_addr_range(phys_addr_t addr, size_t size) { + int i; + int cnt = memblock.memory.cnt; + phys_addr_t addr_end = addr + size; + if (addr < PHYS_OFFSET) return 0; - if (addr + size > __pa(high_memory - 1) + 1) + if (addr_end > __pa(high_memory - 1) + 1) return 0; - return 1; + for (i = 0; i < cnt; i++) { + phys_addr_t mem_start = memblock.memory.regions[i].base; + phys_addr_t mem_end = memblock.memory.regions[i].base + memblock.memory.regions[i].size; + + if (addr >= mem_start && addr_end <= mem_end) + return 1; + } + + return 0; } /*
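
Review bot: `addr_end = addr + size` in the new declarations of valid_phys_addr_range() is computed without an overflow check, so a large `size` can wrap it below `addr`; a wrapped `addr_end` passes both the `high_memory` test and the new `addr_end <= mem_end` comparison whenever `addr` itself lies inside a region, and the function then returns 1 for a range that is not covered by RAM. Return 0 early when `addr_end < addr`. Separately, the loop accepts a range only if it fits entirely inside a single entry of `memblock.memory.regions[]`, and it open-codes a subset test that `memblock_is_region_memory(addr, size)` already provides; calling that helper would remove the loop and the three new locals, along with the `mem_end` declaration that runs past 80 columns. The commit message should also say whether rejecting a range that straddles two adjacent regions is intended.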