From patchwork Tue Jan 29 05:38:30 2019
X-Patchwork-Submitter: Matthew Wilcox
X-Patchwork-Id: 10785459
Delivered-To: mailing list kernel-hardening@lists.openwall.com
From: Matthew Wilcox
To: Andrew Morton
Cc: Matthew Wilcox, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Kees Cook, Michael Ellerman, Will Deacon
Subject: [PATCH] mm: Prevent mapping typed pages to userspace
Date: Mon, 28 Jan 2019 21:38:30 -0800
Message-Id: <20190129053830.3749-1-willy@infradead.org>

Pages which use page_type must never be mapped to userspace as it would destroy their page type. Add an explicit check for this instead of assuming that kernel drivers always get this right.

Signed-off-by: Matthew Wilcox
Reviewed-by: Kees Cook
Reviewed-by: David Hildenbrand
--- mm/memory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/memory.c b/mm/memory.c index ce8c90b752be..db3534bbd652 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -1451,7 +1451,7 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr, spinlock_t *ptl; retval = -EINVAL; - if (PageAnon(page) || PageSlab(page)) + if (PageAnon(page) || PageSlab(page) || page_has_type(page)) goto out; retval = -ENOMEM; flush_dcache_page(page);
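Review bot: The new `page_has_type(page)` term in the `insert_page()` condition fails with the same bare `-EINVAL` as the `PageAnon(page)` and `PageSlab(page)` cases, so a driver that trips it gets no indication of which rule it broke, even though the commit message frames this as catching driver mistakes. Consider a short comment above the `if` saying that typed pages are rejected because mapping them to userspace would destroy their page type, and consider splitting the typed-page case out under a `WARN_ON_ONCE(page_has_type(page))` so the offending caller shows up in the log instead of only seeing a failed mapping. If the silent failure is intentional, for example to avoid a warning that userspace could trigger through a buggy driver, saying so in the commit message would help.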