From: Kefeng Wang <wangkefeng.wang@huawei.com>
To: <linuxppc-dev@lists.ozlabs.org>, <mpe@ellerman.id.au>, <benh@kernel.crashing.or>, <paulus@samba.org>, <linux-kernel@vger.kernel.org>, <linux-mm@kvack.org>
Cc: <akpm@linux-foundation.org>, <npiggin@gmail.com>, <christophe.leroy@csgroup.eu>, <songyuanzheng@huawei.com>, Kefeng Wang <wangkefeng.wang@huawei.com>
Subject: [PATCH v4 2/2] powerpc: Fix virt_addr_valid() check
Date: Wed, 16 Feb 2022 20:11:08 +0800
Message-ID: <20220216121109.157605-2-wangkefeng.wang@huawei.com>
In-Reply-To: <20220216121109.157605-1-wangkefeng.wang@huawei.com>

When running ethtool eth0 on PowerPC64, the following BUG occurred:

  usercopy: Kernel memory exposure attempt detected from SLUB object not in SLUB page?! (offset 0, size 1048)!
  kernel BUG at mm/usercopy.c:99
  ...
  usercopy_abort+0x64/0xa0 (unreliable)
  __check_heap_object+0x168/0x190
  __check_object_size+0x1a0/0x200
  dev_ethtool+0x2494/0x2b20
  dev_ioctl+0x5d0/0x770
  sock_do_ioctl+0xf0/0x1d0
  sock_ioctl+0x3ec/0x5a0
  __se_sys_ioctl+0xf0/0x160
  system_call_exception+0xfc/0x1f0
  system_call_common+0xf8/0x200

The code is shown below:

  data = vzalloc(array_size(gstrings.len, ETH_GSTRING_LEN));
  copy_to_user(useraddr, data, gstrings.len * ETH_GSTRING_LEN))

The data is allocated by vmalloc(), and virt_addr_valid(ptr) will return
true on PowerPC64, which leads to the panic.

As commit 4dd7554a6456 ("powerpc/64: Add VIRTUAL_BUG_ON checks for __va
and __pa addresses") does, make sure the virt addr is above PAGE_OFFSET
in virt_addr_valid() for PowerPC64, and also add an upper limit check to
make sure the virt addr is below high_memory.

Meanwhile, for PowerPC32, PAGE_OFFSET is the virtual address of the start
of lowmem and high_memory is the upper low virtual address, so the check
is suitable for PowerPC32; this will fix the issue mentioned in commit
602946ec2f90 ("powerpc: Set max_mapnr correctly") too.

Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com> --- v4: - add upper limit check v3: - update changelog and remove a redundant cast arch/powerpc/include/asm/page.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/arch/powerpc/include/asm/page.h b/arch/powerpc/include/asm/page.h index 254687258f42..7a1ba27a7285 100644 --- a/arch/powerpc/include/asm/page.h +++ b/arch/powerpc/include/asm/page.h @@ -132,7 +132,11 @@ static inline bool pfn_valid(unsigned long pfn) #define virt_to_page(kaddr) pfn_to_page(virt_to_pfn(kaddr)) #define pfn_to_kaddr(pfn) __va((pfn) << PAGE_SHIFT) -#define virt_addr_valid(kaddr) pfn_valid(virt_to_pfn(kaddr)) +#define virt_addr_valid(vaddr) ({ \ + unsigned long _addr = (unsigned long)vaddr; \ + _addr >= PAGE_OFFSET && _addr < (unsigned long)high_memory && \ + pfn_valid(virt_to_pfn(_addr)); \ +}) /* * On Book-E parts we need __va to parse the device tree and we can't -- 2.26.2
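
Review bot: In the new virt_addr_valid() macro, the cast on the first line of the body is written as (unsigned long)vaddr with no parentheses around the macro argument, so a caller passing an expression such as ptr + n gets (unsigned long)ptr + n, which adds n bytes instead of n elements for any pointer type wider than char. Please write it as (unsigned long)(vaddr). A one-line comment above the macro saying that the PAGE_OFFSET and high_memory bounds are there to reject addresses outside the linear map, such as the vmalloc() buffer from the changelog, would also help readers who see only page.h, since the hunk adds no comment and the reason for the range check currently lives only in the commit message.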