From: Zhang Yi <yi.z.zhang@linux.intel.com> To: linux-kernel@vger.kernel.org, linux-nvdimm@lists.01.org, dan.j.williams@intel.com, jack@suse.cz, zwisler@kernel.org, dave.jiang@intel.com, yu.c.zhang@intel.com Cc: yi.z.zhang@intel.com Subject: [PATCH V2 1/1] device-dax: check for vma range while dax_mmap. Date: Mon, 13 Aug 2018 20:02:56 +0800 [thread overview] Message-ID: <46441800c43f029757c70d8386e3112701081503.1534160958.git.yi.z.zhang@linux.intel.com> (raw) This patch prevents a user mapping an illegal vma range that is larger than a dax device physical resource. When qemu maps the dax device for virtual nvdimm's backend device, the v-nvdimm label area is defined at the end of mapped range. By using an illegal size that exceeds the range of the device dax, it will trigger a fault with qemu. Signed-off-by: Zhang Yi <yi.z.zhang@linux.intel.com> --- drivers/dax/device.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/drivers/dax/device.c b/drivers/dax/device.c index 108c37f..6fe8c30 100644 --- a/drivers/dax/device.c +++ b/drivers/dax/device.c @@ -177,6 +177,33 @@ static const struct attribute_group *dax_attribute_groups[] = { NULL, }; +static int check_vma_range(struct dev_dax *dev_dax, struct vm_area_struct *vma, + const char *func) +{ + struct device *dev = &dev_dax->dev; + struct resource *res; + unsigned long size; + int ret, i; + + if (!dax_alive(dev_dax->dax_dev)) + return -ENXIO; + + size = vma->vm_end - vma->vm_start + (vma->vm_pgoff << PAGE_SHIFT); + ret = -EINVAL; + for (i = 0; i < dev_dax->num_resources; i++) { + res = &dev_dax->res[i]; + if (size > resource_size(res)) { + dev_info_ratelimited(dev, + "%s: %s: fail, vma range overflow\n", + current->comm, func); + ret = -EINVAL; + continue; + } else + return 0; + } + return ret; +} + static int check_vma(struct dev_dax *dev_dax, struct vm_area_struct *vma, const char *func) { @@ -469,6 +496,8 @@ static int dax_mmap(struct file *filp, struct vm_area_struct *vma) */ id = dax_read_lock(); rc = check_vma(dev_dax, vma, __func__); + if (!rc) + rc = check_vma_range(dev_dax, vma, __func__); dax_read_unlock(id); if (rc) return rc; -- 2.7.4 _______________________________________________ Linux-nvdimm mailing list Linux-nvdimm@lists.01.org https://lists.01.org/mailman/listinfo/linux-nvdimm
WARNING: multiple messages have this Message-ID (diff)
From: Zhang Yi <yi.z.zhang@linux.intel.com> To: linux-kernel@vger.kernel.org, linux-nvdimm@lists.01.org, dan.j.williams@intel.com, jack@suse.cz, zwisler@kernel.org, dave.jiang@intel.com, yu.c.zhang@intel.com Cc: yi.z.zhang@intel.com, Zhang Yi <yi.z.zhang@linux.intel.com> Subject: [PATCH V2 1/1] device-dax: check for vma range while dax_mmap. Date: Mon, 13 Aug 2018 20:02:56 +0800 [thread overview] Message-ID: <46441800c43f029757c70d8386e3112701081503.1534160958.git.yi.z.zhang@linux.intel.com> (raw) This patch prevents a user mapping an illegal vma range that is larger than a dax device physical resource. When qemu maps the dax device for virtual nvdimm's backend device, the v-nvdimm label area is defined at the end of mapped range. By using an illegal size that exceeds the range of the device dax, it will trigger a fault with qemu. Signed-off-by: Zhang Yi <yi.z.zhang@linux.intel.com> --- drivers/dax/device.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/drivers/dax/device.c b/drivers/dax/device.c index 108c37f..6fe8c30 100644 --- a/drivers/dax/device.c +++ b/drivers/dax/device.c @@ -177,6 +177,33 @@ static const struct attribute_group *dax_attribute_groups[] = { NULL, }; +static int check_vma_range(struct dev_dax *dev_dax, struct vm_area_struct *vma, + const char *func) +{ + struct device *dev = &dev_dax->dev; + struct resource *res; + unsigned long size; + int ret, i; + + if (!dax_alive(dev_dax->dax_dev)) + return -ENXIO; + + size = vma->vm_end - vma->vm_start + (vma->vm_pgoff << PAGE_SHIFT); + ret = -EINVAL; + for (i = 0; i < dev_dax->num_resources; i++) { + res = &dev_dax->res[i]; + if (size > resource_size(res)) { + dev_info_ratelimited(dev, + "%s: %s: fail, vma range overflow\n", + current->comm, func); + ret = -EINVAL; + continue; + } else + return 0; + } + return ret; +} + static int check_vma(struct dev_dax *dev_dax, struct vm_area_struct *vma, const char *func) { @@ -469,6 +496,8 @@ static int dax_mmap(struct file *filp, struct vm_area_struct *vma) */ id = dax_read_lock(); rc = check_vma(dev_dax, vma, __func__); + if (!rc) + rc = check_vma_range(dev_dax, vma, __func__); dax_read_unlock(id); if (rc) return rc; -- 2.7.4
next reply other threads:[~2018-08-13 3:24 UTC|newest] Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-08-13 12:02 Zhang Yi [this message] 2018-08-13 12:02 ` [PATCH V2 1/1] device-dax: check for vma range while dax_mmap Zhang Yi 2018-08-20 17:53 ` Verma, Vishal L 2018-08-20 17:53 ` Verma, Vishal L 2018-08-20 19:50 ` Dave Jiang 2018-08-20 19:50 ` Dave Jiang 2018-08-21 16:16 ` Yi Zhang 2018-08-21 16:16 ` Yi Zhang 2018-12-11 0:10 ` Dan Williams 2018-12-11 0:10 ` Dan Williams 2018-12-13 6:12 ` Yi Zhang 2018-12-13 6:12 ` Yi Zhang 2018-12-20 1:41 ` Dan Williams 2018-12-20 1:41 ` Dan Williams
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=46441800c43f029757c70d8386e3112701081503.1534160958.git.yi.z.zhang@linux.intel.com \ --to=yi.z.zhang@linux.intel.com \ --cc=dan.j.williams@intel.com \ --cc=dave.jiang@intel.com \ --cc=jack@suse.cz \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-nvdimm@lists.01.org \ --cc=yi.z.zhang@intel.com \ --cc=yu.c.zhang@intel.com \ --cc=zwisler@kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.