From patchwork Mon Dec 20 13:00:00 2021
X-Patchwork-Submitter: Eric Ren
X-Patchwork-Id: 12687837
From: Eric Ren
To: david@redhat.com, linux-mm@kvack.org
Cc: linux-kernel@vger.kernel.org, vbabka@suse.cz, ziy@nvidia.com, renzhengeek@gmail.com
Subject: [PATCH] virtio_mem: fix panic on mb_states indexing overflow
Date: Mon, 20 Dec 2021 21:00:00 +0800
Message-Id: <9a2f66123f74e8c452b0fa61cb5da6e0c2804070.1640004743.git.renzhen.rz@alibaba-inc.com>
X-Mailer: git-send-email 2.30.1 (Apple Git-130)

`mb_id` is an unsigned integer, which is used to index the `mb_states` array in reverse order. `mb_id` can decrease to `0UL - 1`, which is a very large number, causing an invalid address access. The call trace is like below:

```
[ 286.344977] BUG: unable to handle page fault for address: ffffa95180cf8fff
[ 286.345800] #PF: supervisor read access in kernel mode
[ 286.346738] #PF: error_code(0x0000) - not-present page
[ 286.347440] PGD 1000067 P4D 1000067 PUD 138c067 PMD 1840435067 PTE 0
[ 286.348156] Oops: 0000 [#1] SMP PTI
[ 286.348556] CPU: 1 PID: 122 Comm: kworker/1:2 Tainted: G OE ...
[ 286.350740] Workqueue: events_freezable virtio_mem_run_wq [virtio_mem]
[ 286.351605] RIP: 0010:virtio_mem_unplug_request+0x418/0x890 [virtio_mem]
[ 286.352519] Code: 0f 87 fc 00 00 00 4a 63 54 ac 30 48 83 bc d5 f8 00 00 00 00 48 89 d0 0f 84 e5 00 00 00 48 8b b5 38 01 00 00 4c 89 e2 48 29 ca <0f> b6 34 16 39 c6 75 c7 40 80 fe 02 0f 82 a4 01 00 00 40 80 fe 03
[ 286.355030] RSP: 0018:ffffa95181c4bd50 EFLAGS: 00010286
[ 286.355737] RAX: 0000000000000005 RBX: 0000000000006100 RCX: 0000000000000000
[ 286.356752] RDX: ffffffffffffffff RSI: ffffa95180cf9000 RDI: ffff8e5dc393b348
[ 286.357649] RBP: ffff8e5dc393b200 R08: ffff8e463cd2b610 R09: 0000000000000021
[ 286.358627] R10: ffffa95181c4bcd0 R11: ffffa95181c4baa0 R12: ffffffffffffffff
[ 286.359617] R13: 0000000000000003 R14: ffff8e5dc393b348 R15: 00000000fffffff0
[ 286.360503] FS: 0000000000000000(0000) GS:ffff8e463cd00000(0000) knlGS:0000000000000000
[ 286.361532] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 286.362229] CR2: ffffa95180cf8fff CR3: 0000001846234000 CR4: 00000000000006e0
[ 286.363168] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 286.364162] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 286.365054] Call Trace:
[ 286.365431] ? virtio_mem_run_wq+0x5a4/0x870 [virtio_mem]
[ 286.366132] ? __schedule+0x4b3/0x800
[ 286.366547] ? process_one_work+0x18b/0x350
[ 286.367041] ? worker_thread+0x4f/0x3a0
[ 286.367675] ? rescuer_thread+0x350/0x350
[ 286.368234] ? kthread+0xfa/0x130
[ 286.368605] ? kthread_create_worker_on_cpu+0x70/0x70
[ 286.369155] ? ret_from_fork+0x1f/0x30
```

Fix by also checking its upper boundary.

Signed-off-by: Eric Ren
Signed-off-by: Eric Ren
---
 drivers/virtio/virtio_mem.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/virtio/virtio_mem.c b/drivers/virtio/virtio_mem.c
index 96e5a8782769..e403e6d95c0b 100644
--- a/drivers/virtio/virtio_mem.c
+++ b/drivers/virtio/virtio_mem.c
@@ -486,7 +486,9 @@ static int virtio_mem_sbm_mb_states_prepare_next_mb(struct virtio_mem *vm) #define virtio_mem_sbm_for_each_mb_rev(_vm, _mb_id, _state) \ for (_mb_id = _vm->sbm.next_mb_id - 1; \ - _mb_id >= _vm->sbm.first_mb_id && _vm->sbm.mb_count[_state]; \ + _mb_id >= _vm->sbm.first_mb_id && \ + _mb_id < vm->sbm.next_mb_id && \ + _vm->sbm.mb_count[_state]; \ _mb_id--) \ if (virtio_mem_sbm_get_mb_state(_vm, _mb_id) == _state)
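Review bot: the second added line reads `_mb_id < vm->sbm.next_mb_id` but the macro parameter is `_vm`, so the expansion only compiles where the caller's variable happens to be named `vm`; it should be `_mb_id < _vm->sbm.next_mb_id && \` to match the neighbouring lines. With that fixed the bound does catch the wrap: once `_mb_id` is decremented past 0 it becomes `ULONG_MAX`, which still satisfies `_mb_id >= _vm->sbm.first_mb_id` when `first_mb_id` is 0 (the only case in which the old condition fails to terminate, since for any `first_mb_id >= 1` the walk stops at `first_mb_id - 1` without wrapping) but can never be `< next_mb_id`. The commit message should state that the wrap requires `first_mb_id == 0`, so reviewers can judge whether a block id of 0 is a legitimate configuration for this device or itself the thing to investigate.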
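The following C program is an added illustration of the mechanism the commit message describes; it is not code from this patch or from the virtio_mem driver. It models the reverse-walk macro's loop shape with a constructed `struct sbm_model` (assumed names: `sbm_model`, `cond_original`, `cond_patched`, `simulate`, `visited_original`, `visited_patched`) and counts how many block ids each loop condition would visit, cutting a runaway loop off at a limit instead of indexing past an array. It shows that the unpatched condition only misbehaves when `first_mb_id` is 0, and that the extra `mb_id < next_mb_id` test stops the walk after the index wraps to `ULONG_MAX`.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed stand-in for the few sub-block-mode fields the reverse-walk
 * macro reads. An illustration only, not the kernel's struct virtio_mem.
 */
struct sbm_model {
	unsigned long first_mb_id; /* lowest valid memory block id */
	unsigned long next_mb_id;  /* one past the highest valid id */
	unsigned long mb_count;    /* blocks currently in the wanted state */
};

/* Loop condition before the patch: lower bound and count only. */
static bool cond_original(const struct sbm_model *m, unsigned long mb_id)
{
	return mb_id >= m->first_mb_id && m->mb_count;
}

/*
 * Loop condition after the patch: additionally require mb_id < next_mb_id.
 * After mb_id wraps from 0 to ULONG_MAX the lower-bound test still passes
 * when first_mb_id is 0, but the upper-bound test cannot.
 */
static bool cond_patched(const struct sbm_model *m, unsigned long mb_id)
{
	return mb_id >= m->first_mb_id && mb_id < m->next_mb_id && m->mb_count;
}

/*
 * Drive the same "for (mb_id = next - 1; cond; mb_id--)" shape as the macro
 * and return how many ids the loop body would have run for. A runaway walk
 * is cut off at `limit` so the unpatched condition can be observed safely.
 */
static unsigned long simulate(const struct sbm_model *m,
			      bool (*cond)(const struct sbm_model *, unsigned long),
			      unsigned long limit)
{
	unsigned long visited = 0;

	for (unsigned long mb_id = m->next_mb_id - 1; cond(m, mb_id); mb_id--) {
		if (++visited >= limit)
			break;
	}
	return visited;
}

/* Convenience wrappers so each scenario is a single call. */
unsigned long visited_original(unsigned long first, unsigned long next,
			       unsigned long count, unsigned long limit)
{
	struct sbm_model m = { first, next, count };
	return simulate(&m, cond_original, limit);
}

unsigned long visited_patched(unsigned long first, unsigned long next,
			      unsigned long count, unsigned long limit)
{
	struct sbm_model m = { first, next, count };
	return simulate(&m, cond_patched, limit);
}

int main(void)
{
	/* Blocks 2..5: both conditions stop cleanly below first_mb_id. */
	printf("first=2 next=6: original=%lu patched=%lu\n",
	       visited_original(2, 6, 1, 100), visited_patched(2, 6, 1, 100));
	/* Blocks 0..3: the original condition runs away once mb_id wraps. */
	printf("first=0 next=4: original=%lu patched=%lu\n",
	       visited_original(0, 4, 1, 100), visited_patched(0, 4, 1, 100));
	return 0;
}
```

The runaway case reproduces the register state in the trace (`RDX` and `R12` both hold `ffffffffffffffff`): the wrapped id is used as an offset into `mb_states`, which is what faults. A common alternative to bolting a second bound onto the condition is the countdown idiom `for (id = next; id-- > first;)`, which tests before decrementing and never wraps regardless of `first`.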