| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <edc4e8fa-af0a-46c2-bf07-20a0c4e20af5@arm.com> Date: Wed, 31 Jan 2024 21:20:49 +0000 From: Robin Murphy <robin.murphy@....com> To: "Russell King (Oracle)" <linux@...linux.org.uk> Cc: Yongqiang Liu <liuyongqiang13@...wei.com>, linux-arm-kernel@...ts.infradead.org, yanaijie@...wei.com, zhangxiaoxu5@...wei.com, wangkefeng.wang@...wei.com, sunnanyong@...wei.com, rppt@...ux.ibm.com, linux-kernel@...r.kernel.org, keescook@...omium.org, arnd@...db.de, m.szyprowski@...sung.com, willy@...radead.org Subject: Re: [PATCH] arm: flush: don't abuse pfn_valid() to check if pfn is in RAM On 2024-01-31 7:00 pm, Russell King (Oracle) wrote: > On Wed, Jan 31, 2024 at 06:39:31PM +0000, Robin Murphy wrote: >> On 31/01/2024 12:59 pm, Yongqiang Liu wrote: >>> @@ -292,7 +293,7 @@ void __sync_icache_dcache(pte_t pteval) >>> /* only flush non-aliasing VIPT caches for exec mappings */ >>> return; >>> pfn = pte_pfn(pteval); >>> - if (!pfn_valid(pfn)) >>> + if (!memblock_is_map_memory(PFN_PHYS(pfn))) >>> return; >>> folio = page_folio(pfn_to_page(pfn)); >> >> Hmm, it's a bit odd in context, since pfn_valid() obviously pairs with this >> pfn_to_page(), whereas it's not necessarily clear that >> memblock_is_map_memory() implies pfn_valid(). >> >> However, in this case we're starting from a PTE - rather than going off to >> do a slow scan of memblock to determine whether a round-trip through >> page_address() is going to give back a mapped VA, can we not trivially >> identify that from whether the PTE itself is valid? > > Depends what you mean by "valid". If you're referring to pte_valid() > and L_PTE_VALID then no. > > On 32-bit non-LPAE, the valid bit is the same as the present bit, and > needs to be set for the PTE to not fault. Any PTE that is mapping > something will be "valid" whether it is memory or not, whether it is > backed by a page or not. > > pfn_valid() should be telling us whether the PFN is suitable to be > passed to pfn_to_page(), and if we have a situation where pfn_valid() > returns true, but pfn_to_page() returns an invalid page, then that in > itself is a bug that needs to be fixed and probably has far reaching > implications for the stability of the kernel. Right, the problem here seems to be the opposite one, wherein we *do* often have a valid struct page for an address which is reserved and thus not mapped by the kernel, but seemingly we then take it down a path which assumes anything !PageHighmem() is lowmem and dereferences page_address() without looking. However I realise I should have looked closer at the caller, and my idea is futile since the PTE here is for a userspace mapping, not a kernel VA, and is already pte_valid_user() && !pte_special(). Plus the fact that the stack trace indicates an mmap() path suggests it most likely is a legitimate mapping of some no-map carveout or MMIO region. Oh well. My first point still stands, though - I think at least a comment to clarify that assumption would be warranted. Thanks, Robin.
Powered by blists - more mailing lists