From patchwork Wed Jan 19 01:21:09 2022
X-Patchwork-Submitter: Yury Norov
X-Patchwork-Id: 12717042
From: Yury Norov
To: Catalin Marinas, Will Deacon, Andrew Morton, Nicholas Piggin, Ding Tianhong, Anshuman Khandual, Matthew Wilcox, Alexey Klimov, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org
Cc: Yury Norov
Subject: [PATCH v2] vmap(): don't allow invalid pages
Date: Tue, 18 Jan 2022 17:21:09 -0800
Message-Id: <20220119012109.551931-1-yury.norov@gmail.com>
X-Mailer: git-send-email 2.30.2

vmap() takes struct page *pages as one of its arguments, and the user may
provide an invalid pointer which would lead to a data abort at address
translation later.

Currently, the kernel checks the pages against NULL. In my case, however, the
address was not NULL, and was big enough so that the hardware generated an
Address Size Abort on arm64.

Interestingly, this abort happens even if copy_from_kernel_nofault() is
used, which is quite inconvenient for debugging purposes.

This patch adds a pfn_valid() check into the vmap() path, so that an invalid
mapping will not be created.

RFC: https://lkml.org/lkml/2022/1/18/815
v1: https://lkml.org/lkml/2022/1/18/1026
v2: Patch description changed.

Suggested-by: Matthew Wilcox (Oracle)
Signed-off-by: Yury Norov
--- mm/vmalloc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mm/vmalloc.c b/mm/vmalloc.c index d2a00ad4e1dd..a4134ee56b10 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c
@@ -477,6 +477,8 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, return -EBUSY; if (WARN_ON(!page)) return -ENOMEM; + if (WARN_ON(!pfn_valid(page_to_pfn(page)))) + return -EINVAL; set_pte_at(&init_mm, addr, pte, mk_pte(page, prot)); (*nr)++; } while (pte++, addr += PAGE_SIZE, addr != end);
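
Review bot: The added `if (WARN_ON(!pfn_valid(page_to_pfn(page))))` in vmap_pages_pte_range() evaluates page_to_pfn() on the very pointer the description says may be garbage, and carries no comment saying why that is safe. Please confirm that page_to_pfn() is pure pointer arithmetic on every memory model this path is built for; where it has to read the struct page (classic SPARSEMEM reads page->flags to find the section), the check itself can fault before pfn_valid() is reached. A one-line comment above the check stating that it rejects page pointers whose pfn lies outside valid memory, and that a stale pointer which still resolves to a valid pfn passes, would make the intent and the limit of the check clear. Note also that the new `return -EINVAL` leaves the loop after earlier iterations have already run set_pte_at() and incremented `*nr`, the same as the existing -EBUSY and -ENOMEM exits, so the error handling in callers should be checked against a third possible error code.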