linux-mm.kvack.org archive mirror
From: Vlastimil Babka <vbabka@suse.cz>
To: Christian Borntraeger <borntraeger@de.ibm.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	christoffer.dall@linaro.org, cl@linux.com,
	dave.kleikamp@oracle.com, dave@nullcore.net, davem@davemloft.net,
	hch@infradead.org, iamjoonsoo.kim@lge.com, jack@suse.cz,
	jannh@google.com, jslaby@suse.cz, jwi@linux.ibm.com,
	labbott@redhat.com, linux-mm@kvack.org, luisbg@kernel.org,
	luto@kernel.org, marc.zyngier@arm.com, mark.rutland@arm.com,
	martin.petersen@oracle.com, mjg59@google.com, mkubecek@suse.cz,
	mm-commits@vger.kernel.org, pbonzini@redhat.com,
	penberg@kernel.org, riel@surriel.com, rientjes@google.com,
	torvalds@linux-foundation.org, ubraun@linux.ibm.com,
	viro@zeniv.linux.org.uk
Subject: Re: [patch 007/128] usercopy: mark dma-kmalloc caches as usercopy caches
Date: Mon, 15 Jun 2020 14:53:07 +0200
Message-ID: <c6e0ce24-463b-251a-4f8f-7b0311ba298f@suse.cz>
In-Reply-To: <169e8ca1-bc47-10b7-7a07-39c0cd722e9a@de.ibm.com>

On 6/15/20 1:04 PM, Christian Borntraeger wrote:
> 
> 
> On 02.06.20 22:10, Andrew Morton wrote:
>> From: Vlastimil Babka <vbabka@suse.cz>
>> Subject: usercopy: mark dma-kmalloc caches as usercopy caches
>> 
>> We have seen a "usercopy: Kernel memory overwrite attempt detected to SLUB
>> object 'dma-kmalloc-1 k' (offset 0, size 11)!" error on s390x, as IUCV
>> uses kmalloc() with __GFP_DMA because of memory address restrictions.  The
>> issue has been discussed [2] and it has been noted that if all the kmalloc
>> caches are marked as usercopy, there's little reason not to mark
>> dma-kmalloc caches too.  The 'dma' part merely means that __GFP_DMA is
>> used to restrict memory address range.
>> 
>> As Jann Horn put it [3]:
>> 
>> "I think dma-kmalloc slabs should be handled the same way as normal
>> kmalloc slabs.  When a dma-kmalloc allocation is freshly created, it is
>> just normal kernel memory - even if it might later be used for DMA -, and
>> it should be perfectly fine to copy_from_user() into such allocations at
>> that point, and to copy_to_user() out of them at the end.  If you look at
>> the places where such allocations are created, you can see things like
>> kmemdup(), memcpy() and so on - all normal operations that shouldn't
>> conceptually be different from usercopy in any relevant way."
>> 
>> Thus this patch marks the dma-kmalloc-* caches as usercopy.
>> 
>> [1] https://bugzilla.suse.com/show_bug.cgi?id=1156053
>> [2] https://lore.kernel.org/kernel-hardening/bfca96db-bbd0-d958-7732-76e36c667c68@suse.cz/
>> [3] https://lore.kernel.org/kernel-hardening/CAG48ez1a4waGk9kB0WLaSbs4muSoK0AYAVk8=XYaKj4_+6e6Hg@mail.gmail.com/
>> 
>> Link: http://lkml.kernel.org/r/7d810f6d-8085-ea2f-7805-47ba3842dc50@suse.cz
>> Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
>> Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
>> Acked-by: Jiri Slaby <jslaby@suse.cz>
> 
> We have also seen this with other drivers (vmur). Shouldn't this also go via stable?

Why not, will you send it there?

Thanks,
Vlastimil
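
Added example, not part of the original message or of the kernel source: a user-space C model of the per-cache usercopy region check behind the error quoted above. The struct, the function names and the before/after region sizes (usersize 0 versus the full object size) are assumptions made for illustration.

```c
/* Added illustration: user-space model of a slab usercopy region check.
 * Not kernel code; struct and function names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for the per-cache fields that matter for the check. */
struct cache_model {
    const char *name;
    size_t object_size;  /* bytes in one object */
    size_t useroffset;   /* start of the region user copies may touch */
    size_t usersize;     /* length of that region; 0 means none */
};

/* True when [offset, offset + n) lies entirely inside the usercopy region.
 * Written with subtractions only, so offset + n can never wrap around. */
static bool usercopy_allowed(const struct cache_model *c, size_t offset, size_t n)
{
    if (offset < c->useroffset)
        return false;
    size_t rel = offset - c->useroffset;
    if (rel > c->usersize)
        return false;
    return n <= c->usersize - rel;
}

/* Cache name as quoted in the report. Assumed state before the change:
 * the cache has no usercopy region at all. */
static const struct cache_model dma_1k_unmarked = { "dma-kmalloc-1 k", 1024, 0, 0 };
/* Assumed state after the change: whole object marked, like normal kmalloc. */
static const struct cache_model dma_1k_marked = { "dma-kmalloc-1 k", 1024, 0, 1024 };

static void report(const struct cache_model *c, size_t offset, size_t n)
{
    printf("'%s' usersize=%zu offset=%zu size=%zu -> %s\n", c->name, c->usersize,
           offset, n, usercopy_allowed(c, offset, n) ? "allowed" : "rejected");
}

int main(void)
{
    report(&dma_1k_unmarked, 0, 11);        /* the reported case: offset 0, size 11 */
    report(&dma_1k_marked, 0, 11);          /* same copy once the cache is marked */
    report(&dma_1k_marked, 1020, 11);       /* runs past the object end */
    report(&dma_1k_marked, 8, (size_t)-1);  /* huge length must not wrap */
    return 0;
}
```

Marking the cache only widens the permitted region to the object itself; a copy that would cross the object boundary is still rejected.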

