| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4cb12137-2944-7973-b0f0-070f6f48bead@huawei.com>
Date: Tue, 26 Jan 2021 14:49:34 +0800
From: Miaohe Lin <linmiaohe@...wei.com>
To: Nicholas Piggin <npiggin@...il.com>
CC: <linux-kernel@...r.kernel.org>, <linux-arch@...r.kernel.org>,
<linuxppc-dev@...ts.ozlabs.org>,
Jonathan Cameron <Jonathan.Cameron@...wei.com>,
Christoph Hellwig <hch@...radead.org>,
Christophe Leroy <christophe.leroy@...roup.eu>,
Rick Edgecombe <rick.p.edgecombe@...el.com>,
Ding Tianhong <dingtianhong@...wei.com>,
Christoph Hellwig <hch@....de>, Linux-MM <linux-mm@...ck.org>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH v11 02/13] mm: apply_to_pte_range warn and fail if a large
pte is encountered
Hi:
On 2021/1/26 12:44, Nicholas Piggin wrote:
> apply_to_pte_range might mistake a large pte for bad, or treat it as a
> page table, resulting in a crash or corruption. Add a test to warn and
> return error if large entries are found.
>
> Reviewed-by: Christoph Hellwig <hch@....de>
> Signed-off-by: Nicholas Piggin <npiggin@...il.com>
> ---
> mm/memory.c | 66 +++++++++++++++++++++++++++++++++++++++--------------
> 1 file changed, 49 insertions(+), 17 deletions(-)
>
> diff --git a/mm/memory.c b/mm/memory.c
> index feff48e1465a..672e39a72788 100644
> --- a/mm/memory.c
> +++ b/mm/memory.c
> @@ -2440,13 +2440,21 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud,
> }
> do {
> next = pmd_addr_end(addr, end);
> - if (create || !pmd_none_or_clear_bad(pmd)) {
> - err = apply_to_pte_range(mm, pmd, addr, next, fn, data,
> - create, mask);
> - if (err)
> - break;
> + if (pmd_none(*pmd) && !create)
> + continue;
> + if (WARN_ON_ONCE(pmd_leaf(*pmd)))
> + return -EINVAL;
> + if (!pmd_none(*pmd) && WARN_ON_ONCE(pmd_bad(*pmd))) {
> + if (!create)
> + continue;
> + pmd_clear_bad(pmd);
> }
> + err = apply_to_pte_range(mm, pmd, addr, next,
> + fn, data, create, mask);
> + if (err)
> + break;
> } while (pmd++, addr = next, addr != end);
> +
> return err;
> }
>
> @@ -2468,13 +2476,21 @@ static int apply_to_pud_range(struct mm_struct *mm, p4d_t *p4d,
> }
> do {
> next = pud_addr_end(addr, end);
> - if (create || !pud_none_or_clear_bad(pud)) {
> - err = apply_to_pmd_range(mm, pud, addr, next, fn, data,
> - create, mask);
> - if (err)
> - break;
> + if (pud_none(*pud) && !create)
> + continue;
> + if (WARN_ON_ONCE(pud_leaf(*pud)))
> + return -EINVAL;
> + if (!pud_none(*pud) && WARN_ON_ONCE(pud_bad(*pud))) {
> + if (!create)
> + continue;
> + pud_clear_bad(pud);
> }
> + err = apply_to_pmd_range(mm, pud, addr, next,
> + fn, data, create, mask);
> + if (err)
> + break;
> } while (pud++, addr = next, addr != end);
> +
> return err;
> }
>
> @@ -2496,13 +2512,21 @@ static int apply_to_p4d_range(struct mm_struct *mm, pgd_t *pgd,
> }
> do {
> next = p4d_addr_end(addr, end);
> - if (create || !p4d_none_or_clear_bad(p4d)) {
> - err = apply_to_pud_range(mm, p4d, addr, next, fn, data,
> - create, mask);
> - if (err)
> - break;
> + if (p4d_none(*p4d) && !create)
> + continue;
> + if (WARN_ON_ONCE(p4d_leaf(*p4d)))
> + return -EINVAL;
> + if (!p4d_none(*p4d) && WARN_ON_ONCE(p4d_bad(*p4d))) {
> + if (!create)
> + continue;
> + p4d_clear_bad(p4d);
> }
> + err = apply_to_pud_range(mm, p4d, addr, next,
> + fn, data, create, mask);
> + if (err)
> + break;
> } while (p4d++, addr = next, addr != end);
> +
> return err;
> }
>
> @@ -2522,9 +2546,17 @@ static int __apply_to_page_range(struct mm_struct *mm, unsigned long addr,
> pgd = pgd_offset(mm, addr);
> do {
> next = pgd_addr_end(addr, end);
> - if (!create && pgd_none_or_clear_bad(pgd))
> + if (pgd_none(*pgd) && !create)
> continue;
> - err = apply_to_p4d_range(mm, pgd, addr, next, fn, data, create, &mask);
> + if (WARN_ON_ONCE(pgd_leaf(*pgd)))
> + return -EINVAL;
> + if (!pgd_none(*pgd) && WARN_ON_ONCE(pgd_bad(*pgd))) {
> + if (!create)
> + continue;
> + pgd_clear_bad(pgd);
> + }
> + err = apply_to_p4d_range(mm, pgd, addr, next,
> + fn, data, create, &mask);
> if (err)
> break;
> } while (pgd++, addr = next, addr != end);
>
Looks good to me, thanks.
Reviewed-by: Miaohe Lin <linmiaohe@...wei.com>
Powered by blists - more mailing lists