linux-arm-kernel.lists.infradead.org archive mirror
* [PATCH v5] mm: huge-vmap: fail gracefully on unexpected huge vmap mappings
@ 2017-06-09  8:22 Ard Biesheuvel
  2017-06-09  9:22 ` Mark Rutland
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Ard Biesheuvel @ 2017-06-09  8:22 UTC
  To: linux-arm-kernel

Existing code that uses vmalloc_to_page() may assume that any
address for which is_vmalloc_addr() returns true may be passed
into vmalloc_to_page() to retrieve the associated struct page.

This is not an unreasonable assumption to make, but on architectures
that have CONFIG_HAVE_ARCH_HUGE_VMAP=y, it no longer holds, and we
need to ensure that vmalloc_to_page() does not go off into the weeds
trying to dereference huge PUDs or PMDs as table entries.

Given that vmalloc() and vmap() themselves never create huge
mappings or deal with compound pages at all, there is no correct
answer in this case, so return NULL instead, and issue a warning.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
v5: - fix typo

v4: - use pud_bad/pmd_bad instead of pud_huge/pmd_huge, which don't require
      changes to hugetlb.h, and give us what we need on all architectures
    - move WARN_ON_ONCE() calls out of conditionals
    - add explanatory comment

 mm/vmalloc.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/mm/vmalloc.c b/mm/vmalloc.c
index 34a1c3e46ed7..0fcd371266a4 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -287,10 +287,21 @@ struct page *vmalloc_to_page(const void *vmalloc_addr)
 	if (p4d_none(*p4d))
 		return NULL;
 	pud = pud_offset(p4d, addr);
-	if (pud_none(*pud))
+
+	/*
+	 * Don't dereference bad PUD or PMD (below) entries. This will also
+	 * identify huge mappings, which we may encounter on architectures
+	 * that define CONFIG_HAVE_ARCH_HUGE_VMAP=y. Such regions will be
+	 * identified as vmalloc addresses by is_vmalloc_addr(), but are
+	 * not [unambiguously] associated with a struct page, so there is
+	 * no correct value to return for them.
+	 */
+	WARN_ON_ONCE(pud_bad(*pud));
+	if (pud_none(*pud) || pud_bad(*pud))
 		return NULL;
 	pmd = pmd_offset(pud, addr);
-	if (pmd_none(*pmd))
+	WARN_ON_ONCE(pmd_bad(*pmd));
+	if (pmd_none(*pmd) || pmd_bad(*pmd))
 		return NULL;
 
 	ptep = pte_offset_map(pmd, addr);
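
Review bot: WARN_ON_ONCE(pud_bad(*pud)) now runs before the pud_none() test (and the PMD check has the same shape), so if pud_bad() is true for an empty entry on any architecture, a lookup that lands in an unmapped hole raises the warning instead of quietly returning NULL as it did before. Since the v4 changelog wants the WARN kept outside the conditional, consider leaving it there but gating it, e.g. WARN_ON_ONCE(!pud_none(*pud) && pud_bad(*pud)). Each entry is also dereferenced three times across the two statements; reading *pud and *pmd once into locals would make the warning and the return decision use the same value.
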
-- 
2.9.3
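
The failure mode the commit message describes, as an added userspace model (not kernel code and not part of the original patch): a two-level walk in which a PMD entry may be a block (huge) descriptor, and the walker warns once and returns NULL rather than following it as a table pointer. The descriptor layout, table sizes and every name below are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy descriptor layout for this model (an assumption, loosely arm64-like). */
#define DESC_VALID 0x1ull   /* bit 0: entry is present */
#define DESC_TABLE 0x2ull   /* bit 1: set = next-level table, clear = block (huge) leaf */
#define ADDR_SHIFT 12
#define NR_ENT     4        /* entries per table */
#define NR_TABLES  2        /* tables[0] is the PMD table, tables[1] a PTE table */
#define PTE_IDX(a) (((a) >> 12) & 3)
#define PMD_IDX(a) (((a) >> 14) & 3)

struct page { int frame; };

static struct page frames[8];               /* stand-in for the memmap */
static uint64_t tables[NR_TABLES][NR_ENT];
static int warned, warnings;                /* WARN_ON_ONCE()-style bookkeeping */

static uint64_t mk_desc(uint64_t idx, uint64_t type) { return (idx << ADDR_SHIFT) | type; }
static int desc_none(uint64_t d) { return d == 0; }
/* Present but not a table descriptor: in this model that is a huge mapping. */
static int desc_bad(uint64_t d) { return d != 0 && !(d & DESC_TABLE); }

/* Constructed sample layout: one 4K mapping, one huge mapping, one hole. */
static void build_tables(void)
{
    memset(tables, 0, sizeof(tables));
    warned = warnings = 0;
    for (int i = 0; i < 8; i++)
        frames[i].frame = i;
    tables[0][0] = mk_desc(1, DESC_VALID | DESC_TABLE); /* PMD[0] -> PTE table 1 */
    tables[1][2] = mk_desc(5, DESC_VALID);              /* PTE[2] -> frame 5 */
    tables[0][1] = mk_desc(0x200, DESC_VALID);          /* PMD[1]: block, output frame 0x200 */
}

/* What an unguarded walker would use as its next-level table index. */
static uint64_t unguarded_next_index(uint64_t addr)
{
    return tables[0][PMD_IDX(addr)] >> ADDR_SHIFT;
}

/* Guarded walk: warn once, then refuse to follow a non-table entry. */
static struct page *walk(uint64_t addr)
{
    uint64_t pmd = tables[0][PMD_IDX(addr)];   /* read the entry once */
    int bad = desc_bad(pmd);

    if (bad && !warned) {
        warned = 1;
        warnings++;
        fprintf(stderr, "WARN: non-table PMD %#llx\n", (unsigned long long)pmd);
    }
    if (desc_none(pmd) || bad)
        return NULL;        /* hole or huge mapping: no struct page to return */

    uint64_t pte = tables[pmd >> ADDR_SHIFT][PTE_IDX(addr)];
    return (pte & DESC_VALID) ? &frames[pte >> ADDR_SHIFT] : NULL;
}

int main(void)
{
    build_tables();
    printf("4K   0x2000 -> %p\n", (void *)walk(0x2000));
    printf("huge 0x4000 -> %p (unguarded index %llu of %d)\n", (void *)walk(0x4000),
           (unsigned long long)unguarded_next_index(0x4000), NR_TABLES);
    printf("hole 0x8000 -> %p, warnings=%d\n", (void *)walk(0x8000), warnings);
    return 0;
}
```

In the model the block descriptor's output frame (0x200) is far outside the two tables that exist, which is the out-of-bounds dereference the guard prevents.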


* [PATCH v5] mm: huge-vmap: fail gracefully on unexpected huge vmap mappings
  2017-06-09  8:22 [PATCH v5] mm: huge-vmap: fail gracefully on unexpected huge vmap mappings Ard Biesheuvel
@ 2017-06-09  9:22 ` Mark Rutland
  2017-06-09  9:27   ` Ard Biesheuvel
  2017-06-09 18:13 ` Laura Abbott
  2017-06-15 21:24 ` Andrew Morton
  2 siblings, 1 reply; 10+ messages in thread
From: Mark Rutland @ 2017-06-09  9:22 UTC
  To: linux-arm-kernel

On Fri, Jun 09, 2017 at 08:22:26AM +0000, Ard Biesheuvel wrote:
> Existing code that uses vmalloc_to_page() may assume that any
> address for which is_vmalloc_addr() returns true may be passed
> into vmalloc_to_page() to retrieve the associated struct page.
> 
> This is not an unreasonable assumption to make, but on architectures
> that have CONFIG_HAVE_ARCH_HUGE_VMAP=y, it no longer holds, and we
> need to ensure that vmalloc_to_page() does not go off into the weeds
> trying to dereference huge PUDs or PMDs as table entries.
> 
> Given that vmalloc() and vmap() themselves never create huge
> mappings or deal with compound pages at all, there is no correct
> answer in this case, so return NULL instead, and issue a warning.
> 
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
> v5: - fix typo
> 
> v4: - use pud_bad/pmd_bad instead of pud_huge/pmd_huge, which don't require
>       changes to hugetlb.h, and give us what we need on all architectures
>     - move WARN_ON_ONCE() calls out of conditionals
>     - add explanatory comment
> 
>  mm/vmalloc.c | 15 +++++++++++++--
>  1 file changed, 13 insertions(+), 2 deletions(-)
> 
> diff --git a/mm/vmalloc.c b/mm/vmalloc.c
> index 34a1c3e46ed7..0fcd371266a4 100644
> --- a/mm/vmalloc.c
> +++ b/mm/vmalloc.c
> @@ -287,10 +287,21 @@ struct page *vmalloc_to_page(const void *vmalloc_addr)
>  	if (p4d_none(*p4d))
>  		return NULL;
>  	pud = pud_offset(p4d, addr);
> -	if (pud_none(*pud))
> +
> +	/*
> +	 * Don't dereference bad PUD or PMD (below) entries. This will also
> +	 * identify huge mappings, which we may encounter on architectures
> +	 * that define CONFIG_HAVE_ARCH_HUGE_VMAP=y. Such regions will be
> +	 * identified as vmalloc addresses by is_vmalloc_addr(), but are
> +	 * not [unambiguously] associated with a struct page, so there is
> +	 * no correct value to return for them.
> +	 */
> +	WARN_ON_ONCE(pud_bad(*pud));
> +	if (pud_none(*pud) || pud_bad(*pud))
>  		return NULL;

Nit: the WARN_ON_ONCE() can be folded into the conditional:

	if (pud_none(*pud) || WARN_ON_ONCE(pud_bad(*pud)))
		return NULL;

>  	pmd = pmd_offset(pud, addr);
> -	if (pmd_none(*pmd))
> +	WARN_ON_ONCE(pmd_bad(*pmd));
> +	if (pmd_none(*pmd) || pmd_bad(*pmd))
>  		return NULL;

Likewise here.

Otherwise, looks good to me. FWIW:

Acked-by: Mark Rutland <mark.rutland@arm.com>

Thanks,
Mark.

>  
>  	ptep = pte_offset_map(pmd, addr);
> -- 
> 2.9.3
> 


* [PATCH v5] mm: huge-vmap: fail gracefully on unexpected huge vmap mappings
  2017-06-09  9:22 ` Mark Rutland
@ 2017-06-09  9:27   ` Ard Biesheuvel
  2017-06-09  9:29     ` Mark Rutland
  0 siblings, 1 reply; 10+ messages in thread
From: Ard Biesheuvel @ 2017-06-09  9:27 UTC
  To: linux-arm-kernel

On 9 June 2017 at 09:22, Mark Rutland <mark.rutland@arm.com> wrote:
> On Fri, Jun 09, 2017 at 08:22:26AM +0000, Ard Biesheuvel wrote:
>> Existing code that uses vmalloc_to_page() may assume that any
>> address for which is_vmalloc_addr() returns true may be passed
>> into vmalloc_to_page() to retrieve the associated struct page.
>>
>> This is not an unreasonable assumption to make, but on architectures
>> that have CONFIG_HAVE_ARCH_HUGE_VMAP=y, it no longer holds, and we
>> need to ensure that vmalloc_to_page() does not go off into the weeds
>> trying to dereference huge PUDs or PMDs as table entries.
>>
>> Given that vmalloc() and vmap() themselves never create huge
>> mappings or deal with compound pages at all, there is no correct
>> answer in this case, so return NULL instead, and issue a warning.
>>
>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>> ---
>> v5: - fix typo
>>
>> v4: - use pud_bad/pmd_bad instead of pud_huge/pmd_huge, which don't require
>>       changes to hugetlb.h, and give us what we need on all architectures
>>     - move WARN_ON_ONCE() calls out of conditionals

^^^

>>     - add explanatory comment
>>
>>  mm/vmalloc.c | 15 +++++++++++++--
>>  1 file changed, 13 insertions(+), 2 deletions(-)
>>
>> diff --git a/mm/vmalloc.c b/mm/vmalloc.c
>> index 34a1c3e46ed7..0fcd371266a4 100644
>> --- a/mm/vmalloc.c
>> +++ b/mm/vmalloc.c
>> @@ -287,10 +287,21 @@ struct page *vmalloc_to_page(const void *vmalloc_addr)
>>       if (p4d_none(*p4d))
>>               return NULL;
>>       pud = pud_offset(p4d, addr);
>> -     if (pud_none(*pud))
>> +
>> +     /*
>> +      * Don't dereference bad PUD or PMD (below) entries. This will also
>> +      * identify huge mappings, which we may encounter on architectures
>> +      * that define CONFIG_HAVE_ARCH_HUGE_VMAP=y. Such regions will be
>> +      * identified as vmalloc addresses by is_vmalloc_addr(), but are
>> +      * not [unambiguously] associated with a struct page, so there is
>> +      * no correct value to return for them.
>> +      */
>> +     WARN_ON_ONCE(pud_bad(*pud));
>> +     if (pud_none(*pud) || pud_bad(*pud))
>>               return NULL;
>
> Nit: the WARN_ON_ONCE() can be folded into the conditional:
>
>         if (pud_none(*pud) || WARN_ON_ONCE(pud_bad(*pud)))
>                 return NULL;
>
>>       pmd = pmd_offset(pud, addr);
>> -     if (pmd_none(*pmd))
>> +     WARN_ON_ONCE(pmd_bad(*pmd));
>> +     if (pmd_none(*pmd) || pmd_bad(*pmd))
>>               return NULL;
>
> Likewise here.
>

Actually, it was Dave who requested them to be taken out of the conditional.

> Otherwise, looks good to me. FWIW:
>
> Acked-by: Mark Rutland <mark.rutland@arm.com>
>

Thanks,
Ard.


* [PATCH v5] mm: huge-vmap: fail gracefully on unexpected huge vmap mappings
  2017-06-09  9:27   ` Ard Biesheuvel
@ 2017-06-09  9:29     ` Mark Rutland
  0 siblings, 0 replies; 10+ messages in thread
From: Mark Rutland @ 2017-06-09  9:29 UTC
  To: linux-arm-kernel

On Fri, Jun 09, 2017 at 09:27:15AM +0000, Ard Biesheuvel wrote:
> On 9 June 2017 at 09:22, Mark Rutland <mark.rutland@arm.com> wrote:
> > On Fri, Jun 09, 2017 at 08:22:26AM +0000, Ard Biesheuvel wrote:
> >> v4: - use pud_bad/pmd_bad instead of pud_huge/pmd_huge, which don't require
> >>       changes to hugetlb.h, and give us what we need on all architectures
> >>     - move WARN_ON_ONCE() calls out of conditionals
> 
> ^^^

Ah, sorry. Clearly I scanned this too quickly.

> >> +     WARN_ON_ONCE(pud_bad(*pud));
> >> +     if (pud_none(*pud) || pud_bad(*pud))
> >>               return NULL;
> >
> > Nit: the WARN_ON_ONCE() can be folded into the conditional:
> >
> >         if (pud_none(*pud) || WARN_ON_ONCE(pud_bad(*pud)))
> > >                 return NULL;

> Actually, it was Dave who requested them to be taken out of the conditional.

Fair enough. My ack stands, either way!

Thanks,
Mark.


* [PATCH v5] mm: huge-vmap: fail gracefully on unexpected huge vmap mappings
  2017-06-09  8:22 [PATCH v5] mm: huge-vmap: fail gracefully on unexpected huge vmap mappings Ard Biesheuvel
  2017-06-09  9:22 ` Mark Rutland
@ 2017-06-09 18:13 ` Laura Abbott
  2017-06-15 21:24 ` Andrew Morton
  2 siblings, 0 replies; 10+ messages in thread
From: Laura Abbott @ 2017-06-09 18:13 UTC
  To: linux-arm-kernel

On 06/09/2017 01:22 AM, Ard Biesheuvel wrote:
> Existing code that uses vmalloc_to_page() may assume that any
> address for which is_vmalloc_addr() returns true may be passed
> into vmalloc_to_page() to retrieve the associated struct page.
> 
> This is not an unreasonable assumption to make, but on architectures
> that have CONFIG_HAVE_ARCH_HUGE_VMAP=y, it no longer holds, and we
> need to ensure that vmalloc_to_page() does not go off into the weeds
> trying to dereference huge PUDs or PMDs as table entries.
> 
> Given that vmalloc() and vmap() themselves never create huge
> mappings or deal with compound pages at all, there is no correct
> answer in this case, so return NULL instead, and issue a warning.
> 
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

Reviewed-by: Laura Abbott <labbott@redhat.com>

> ---
> v5: - fix typo
> 
> v4: - use pud_bad/pmd_bad instead of pud_huge/pmd_huge, which don't require
>       changes to hugetlb.h, and give us what we need on all architectures
>     - move WARN_ON_ONCE() calls out of conditionals
>     - add explanatory comment
> 
>  mm/vmalloc.c | 15 +++++++++++++--
>  1 file changed, 13 insertions(+), 2 deletions(-)
> 
> diff --git a/mm/vmalloc.c b/mm/vmalloc.c
> index 34a1c3e46ed7..0fcd371266a4 100644
> --- a/mm/vmalloc.c
> +++ b/mm/vmalloc.c
> @@ -287,10 +287,21 @@ struct page *vmalloc_to_page(const void *vmalloc_addr)
>  	if (p4d_none(*p4d))
>  		return NULL;
>  	pud = pud_offset(p4d, addr);
> -	if (pud_none(*pud))
> +
> +	/*
> +	 * Don't dereference bad PUD or PMD (below) entries. This will also
> +	 * identify huge mappings, which we may encounter on architectures
> +	 * that define CONFIG_HAVE_ARCH_HUGE_VMAP=y. Such regions will be
> +	 * identified as vmalloc addresses by is_vmalloc_addr(), but are
> +	 * not [unambiguously] associated with a struct page, so there is
> +	 * no correct value to return for them.
> +	 */
> +	WARN_ON_ONCE(pud_bad(*pud));
> +	if (pud_none(*pud) || pud_bad(*pud))
>  		return NULL;
>  	pmd = pmd_offset(pud, addr);
> -	if (pmd_none(*pmd))
> +	WARN_ON_ONCE(pmd_bad(*pmd));
> +	if (pmd_none(*pmd) || pmd_bad(*pmd))
>  		return NULL;
>  
>  	ptep = pte_offset_map(pmd, addr);
> 
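
Review bot: the new NULL return for huge mappings is explained only in the comment inside the function body, at the pud_bad() check, so a caller reasoning "is_vmalloc_addr() is true, therefore vmalloc_to_page() gives me a page" will not see it. Please also state in the function's header comment that NULL is returned for huge vmap regions and that callers must check for it; the commit message already makes this point, and it belongs next to the API.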


* [PATCH v5] mm: huge-vmap: fail gracefully on unexpected huge vmap mappings
  2017-06-09  8:22 [PATCH v5] mm: huge-vmap: fail gracefully on unexpected huge vmap mappings Ard Biesheuvel
  2017-06-09  9:22 ` Mark Rutland
  2017-06-09 18:13 ` Laura Abbott
@ 2017-06-15 21:24 ` Andrew Morton
  2017-06-15 22:11   ` Ard Biesheuvel
  2 siblings, 1 reply; 10+ messages in thread
From: Andrew Morton @ 2017-06-15 21:24 UTC
  To: linux-arm-kernel

On Fri,  9 Jun 2017 08:22:26 +0000 Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:

> Existing code that uses vmalloc_to_page() may assume that any
> address for which is_vmalloc_addr() returns true may be passed
> into vmalloc_to_page() to retrieve the associated struct page.
> 
> This is not an unreasonable assumption to make, but on architectures
> that have CONFIG_HAVE_ARCH_HUGE_VMAP=y, it no longer holds, and we
> need to ensure that vmalloc_to_page() does not go off into the weeds
> trying to dereference huge PUDs or PMDs as table entries.
> 
> Given that vmalloc() and vmap() themselves never create huge
> mappings or deal with compound pages at all, there is no correct
> answer in this case, so return NULL instead, and issue a warning.

Is this patch known to fix any current user-visible problem?


* [PATCH v5] mm: huge-vmap: fail gracefully on unexpected huge vmap mappings
  2017-06-15 21:24 ` Andrew Morton
@ 2017-06-15 22:11   ` Ard Biesheuvel
  2017-06-15 22:16     ` Andrew Morton
  0 siblings, 1 reply; 10+ messages in thread
From: Ard Biesheuvel @ 2017-06-15 22:11 UTC
  To: linux-arm-kernel



> On 15 Jun 2017, at 23:24, Andrew Morton <akpm@linux-foundation.org> wrote:
> 
>> On Fri,  9 Jun 2017 08:22:26 +0000 Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>> 
>> Existing code that uses vmalloc_to_page() may assume that any
>> address for which is_vmalloc_addr() returns true may be passed
>> into vmalloc_to_page() to retrieve the associated struct page.
>> 
>> This is not an unreasonable assumption to make, but on architectures
>> that have CONFIG_HAVE_ARCH_HUGE_VMAP=y, it no longer holds, and we
>> need to ensure that vmalloc_to_page() does not go off into the weeds
>> trying to dereference huge PUDs or PMDs as table entries.
>> 
>> Given that vmalloc() and vmap() themselves never create huge
>> mappings or deal with compound pages at all, there is no correct
>> answer in this case, so return NULL instead, and issue a warning.
> 
> Is this patch known to fix any current user-visible problem?

Yes. When reading /proc/kcore on arm64, you will hit an oops as soon as you hit the huge mappings used for the various segments that make up the mapping of vmlinux. With this patch applied, you will no longer hit the oops, but the kcore contents will be incorrect (these regions will be zeroed out).

We are fixing this for kcore specifically, so it avoids vread() for those regions. At least one other problematic user exists, i.e., /dev/kmem, but that is currently broken on arm64 for other reasons.


* [PATCH v5] mm: huge-vmap: fail gracefully on unexpected huge vmap mappings
  2017-06-15 22:11   ` Ard Biesheuvel
@ 2017-06-15 22:16     ` Andrew Morton
  2017-06-15 22:29       ` Ard Biesheuvel
  0 siblings, 1 reply; 10+ messages in thread
From: Andrew Morton @ 2017-06-15 22:16 UTC
  To: linux-arm-kernel

On Fri, 16 Jun 2017 00:11:53 +0200 Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:

> 
> 
> > On 15 Jun 2017, at 23:24, Andrew Morton <akpm@linux-foundation.org> wrote:
> > 
> >> On Fri,  9 Jun 2017 08:22:26 +0000 Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
> >> 
> >> Existing code that uses vmalloc_to_page() may assume that any
> >> address for which is_vmalloc_addr() returns true may be passed
> >> into vmalloc_to_page() to retrieve the associated struct page.
> >> 
> >> This is not an unreasonable assumption to make, but on architectures
> >> that have CONFIG_HAVE_ARCH_HUGE_VMAP=y, it no longer holds, and we
> >> need to ensure that vmalloc_to_page() does not go off into the weeds
> >> trying to dereference huge PUDs or PMDs as table entries.
> >> 
> >> Given that vmalloc() and vmap() themselves never create huge
> >> mappings or deal with compound pages at all, there is no correct
> >> answer in this case, so return NULL instead, and issue a warning.
> > 
> > Is this patch known to fix any current user-visible problem?
> 
> Yes. When reading /proc/kcore on arm64, you will hit an oops as soon as you hit the huge mappings used for the various segments that make up the mapping of vmlinux. With this patch applied, you will no longer hit the oops, but the kcore contents will be incorrect (these regions will be zeroed out).
> 
> We are fixing this for kcore specifically, so it avoids vread() for those regions. At least one other problematic user exists, i.e., /dev/kmem, but that is currently broken on arm64 for other reasons.
> 

Do you have any suggestions regarding which kernel version(s) should
get this patch?


* [PATCH v5] mm: huge-vmap: fail gracefully on unexpected huge vmap mappings
  2017-06-15 22:16     ` Andrew Morton
@ 2017-06-15 22:29       ` Ard Biesheuvel
  2017-06-16  8:38         ` Ard Biesheuvel
  0 siblings, 1 reply; 10+ messages in thread
From: Ard Biesheuvel @ 2017-06-15 22:29 UTC
  To: linux-arm-kernel


> On 16 Jun 2017, at 00:16, Andrew Morton <akpm@linux-foundation.org> wrote:
> 
>> On Fri, 16 Jun 2017 00:11:53 +0200 Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>> 
>> 
>> 
>>>> On 15 Jun 2017, at 23:24, Andrew Morton <akpm@linux-foundation.org> wrote:
>>>> 
>>>> On Fri,  9 Jun 2017 08:22:26 +0000 Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>>>> 
>>>> Existing code that uses vmalloc_to_page() may assume that any
>>>> address for which is_vmalloc_addr() returns true may be passed
>>>> into vmalloc_to_page() to retrieve the associated struct page.
>>>> 
>>>> This is not an unreasonable assumption to make, but on architectures
>>>> that have CONFIG_HAVE_ARCH_HUGE_VMAP=y, it no longer holds, and we
>>>> need to ensure that vmalloc_to_page() does not go off into the weeds
>>>> trying to dereference huge PUDs or PMDs as table entries.
>>>> 
>>>> Given that vmalloc() and vmap() themselves never create huge
>>>> mappings or deal with compound pages at all, there is no correct
>>>> answer in this case, so return NULL instead, and issue a warning.
>>> 
>>> Is this patch known to fix any current user-visible problem?
>> 
>> Yes. When reading /proc/kcore on arm64, you will hit an oops as soon as you hit the huge mappings used for the various segments that make up the mapping of vmlinux. With this patch applied, you will no longer hit the oops, but the kcore contents will be incorrect (these regions will be zeroed out).
>> 
>> We are fixing this for kcore specifically, so it avoids vread() for those regions. At least one other problematic user exists, i.e., /dev/kmem, but that is currently broken on arm64 for other reasons.
>> 
> 
> Do you have any suggestions regarding which kernel version(s) should
> get this patch?
> 

Good question. v4.6 was the first one to enable the huge vmap feature on arm64 iirc, but that does not necessarily mean it needs to be backported at all imo. What is kcore used for? Production grade stuff?


* [PATCH v5] mm: huge-vmap: fail gracefully on unexpected huge vmap mappings
  2017-06-15 22:29       ` Ard Biesheuvel
@ 2017-06-16  8:38         ` Ard Biesheuvel
  0 siblings, 0 replies; 10+ messages in thread
From: Ard Biesheuvel @ 2017-06-16  8:38 UTC
  To: linux-arm-kernel

On 16 June 2017 at 00:29, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>
>> On 16 Jun 2017, at 00:16, Andrew Morton <akpm@linux-foundation.org> wrote:
>>
>>> On Fri, 16 Jun 2017 00:11:53 +0200 Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>>>
>>>
>>>
>>>>> On 15 Jun 2017, at 23:24, Andrew Morton <akpm@linux-foundation.org> wrote:
>>>>>
>>>>> On Fri,  9 Jun 2017 08:22:26 +0000 Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>>>>>
>>>>> Existing code that uses vmalloc_to_page() may assume that any
>>>>> address for which is_vmalloc_addr() returns true may be passed
>>>>> into vmalloc_to_page() to retrieve the associated struct page.
>>>>>
>>>>> This is not an unreasonable assumption to make, but on architectures
>>>>> that have CONFIG_HAVE_ARCH_HUGE_VMAP=y, it no longer holds, and we
>>>>> need to ensure that vmalloc_to_page() does not go off into the weeds
>>>>> trying to dereference huge PUDs or PMDs as table entries.
>>>>>
>>>>> Given that vmalloc() and vmap() themselves never create huge
>>>>> mappings or deal with compound pages at all, there is no correct
>>>>> answer in this case, so return NULL instead, and issue a warning.
>>>>
>>>> Is this patch known to fix any current user-visible problem?
>>>
>>> Yes. When reading /proc/kcore on arm64, you will hit an oops as soon as you hit the huge mappings used for the various segments that make up the mapping of vmlinux. With this patch applied, you will no longer hit the oops, but the kcore contents will be incorrect (these regions will be zeroed out).
>>>
>>> We are fixing this for kcore specifically, so it avoids vread() for those regions. At least one other problematic user exists, i.e., /dev/kmem, but that is currently broken on arm64 for other reasons.
>>>
>>
>> Do you have any suggestions regarding which kernel version(s) should
>> get this patch?
>>
>
> Good question. v4.6 was the first one to enable the huge vmap feature on arm64 iirc, but that does not necessarily mean it needs to be backported at all imo. What is kcore used for? Production grade stuff?

In any case, could you perhaps simply queue it for v4.13? If it needs
to go into -stable, we can always do it later.

Thanks,
Ard.
