From: Greg KH <gregkh@linuxfoundation.org>
To: Hillf Danton <hdanton@sina.com>, Thomas Gleixner <tglx@linutronix.de>
Cc: syzbot <syzbot+353be47c9ce21b68b7ed@syzkaller.appspotmail.com>,
	bp@alien8.de, dave.hansen@linux.intel.com,
	dmitry.torokhov@gmail.com, ebiederm@xmission.com, hpa@zytor.com,
	jeremy.linton@arm.com, linux-kernel@vger.kernel.org,
	linux-usb@vger.kernel.org, luto@kernel.org, mingo@redhat.com,
	peterz@infradead.org, stern@rowland.harvard.edu,
	syzkaller-bugs@googlegroups.com, x86@kernel.org
Subject: Re: WARNING in memtype_reserve
Date: Wed, 13 May 2020 18:55:40 +0200
Message-ID: <20200513165540.GA1366700@kroah.com>
In-Reply-To: <87zhab249p.fsf@nanos.tec.linutronix.de>

On Wed, May 13, 2020 at 06:22:58PM +0200, Thomas Gleixner wrote:
> Greg KH <gregkh@linuxfoundation.org> writes:
> > On Sat, May 09, 2020 at 12:00:57PM +0200, Thomas Gleixner wrote:
> >> Greg KH <gregkh@linuxfoundation.org> writes:
> >> > On Sat, May 09, 2020 at 12:20:14AM -0700, syzbot wrote:
> >> >> memtype_reserve failed: [mem 0xffffffffff000-0x00008fff], req write-back
> >> >> WARNING: CPU: 1 PID: 7025 at arch/x86/mm/pat/memtype.c:589 memtype_reserve+0x69f/0x820 arch/x86/mm/pat/memtype.c:589
> >> >
> >> > So should memtype_reserve() not do a WARN if given invalid parameters as
> >> > it can be triggered by userspace requests?
> >> >
> >> > A normal "invalid request" debug line is probably all that is needed,
> >> > right?
> >> 
> >> I disagree. The callsite especially if user space triggerable should not
> >> attempt to ask for a reservation where start > end:
> >> 
> >>   >> memtype_reserve failed: [mem 0xffffffffff000-0x00008fff], req write-back
> >> 
> >> The real question is which part of the call chain is responsible for
> >> this. That needs to be fixed.
> >
> > This is caused by 2bef9aed6f0e ("usb: usbfs: correct kernel->user page
> > attribute mismatch") which changed a call to remap_pfn_range() to
> > dma_mmap_coherent().  Looks like the error checking in remap_pfn_range()
> > handled the invalid options better than dma_mmap_coherent() when odd
> > values are passed in.
> >
> > We can add the check to dma_mmap_coherent(), again, but really, this
> > type of check should probably only be needed in one place to ensure we
> > always get it correct, right?
> 
> That might be correct for this particular call chain, but this check
> really is the last defense before stuff goes down the drain. None of the
> last line functions should ever be reached with crappy arguments.

Looking at the other callers of dma_mmap_coherent(), it looks like this
needs to be done in that function, as other drivers are passing in "raw"
data as well.  So Hillf's patch is probably the best one.

Hillf, can you resend it in a format we can apply it in and have syzbot
test?

thanks,

greg k-h
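
The kind of argument check debated in this thread, as an added example that is not code from the thread, from Hillf's patch, or from the kernel: a user-space C model showing how an unchecked user-supplied page offset makes a computed range wrap so that start > end, and an overflow-safe bounds check that rejects it before any mapping function is reached. The struct, the function names and all sample values are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_LOW_BITS ((1ULL << PAGE_SHIFT) - 1)

/* Hypothetical model of a mapping request; both fields come from user space. */
struct map_req {
    uint64_t pgoff; /* page offset into the buffer */
    uint64_t len;   /* requested length in bytes */
};

/* Naive range computation: both sums can wrap silently. */
static void naive_range(uint64_t base, const struct map_req *r,
                        uint64_t *start, uint64_t *end)
{
    *start = base + (r->pgoff << PAGE_SHIFT);
    *end = *start + r->len;
}

/*
 * Overflow-safe check that the request lies inside a buffer of buf_size
 * bytes. Bounds are compared by subtracting from a known-good value, so
 * no intermediate sum of untrusted inputs can wrap.
 */
static int validate_map_req(uint64_t buf_size, const struct map_req *r)
{
    uint64_t buf_pages = buf_size >> PAGE_SHIFT;
    uint64_t req_pages = (r->len >> PAGE_SHIFT) +
                         ((r->len & PAGE_LOW_BITS) != 0);

    if (r->len == 0 || req_pages > buf_pages)
        return -EINVAL;
    if (r->pgoff > buf_pages - req_pages)
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed values: 8-page buffer at 0x100000, huge page offset. */
    struct map_req bad = { 0xffffffffffeffULL, 0x2000 };
    uint64_t s, e;

    naive_range(0x100000, &bad, &s, &e);
    printf("naive: start=0x%llx end=0x%llx validate=%d\n",
           (unsigned long long)s, (unsigned long long)e,
           validate_map_req(0x8000, &bad));
    return 0;
}
```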
