[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20251009000356.8e18395dd9979045e0c66de2@linux-foundation.org>
Date: Thu, 9 Oct 2025 00:03:56 -0700
From: Andrew Morton <akpm@...ux-foundation.org>
To: "Huang, Ying" <ying.huang@...ux.alibaba.com>
Cc: Yadong Qi <yadong.qi@...ux.alibaba.com>, urezki@...il.com,
linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] mm: vmalloc: WARN_ON if mapping size is not
PAGE_SIZE aligned
On Thu, 09 Oct 2025 14:38:27 +0800 "Huang, Ying" <ying.huang@...ux.alibaba.com> wrote:
> Yadong Qi <yadong.qi@...ux.alibaba.com> writes:
>
> > In mm/vmalloc.c, the function vmap_pte_range() assumes that the
> > mapping size is aligned to PAGE_SIZE. If this assumption is
> > violated, the loop will become infinite because the termination
> > condition (`addr != end`) will never be met. This can lead to
> > overwriting other VA ranges and/or random pages physically follow
> > the page table.
> >
> > It's the caller's responsibility to ensure that the mapping size
> > is aligned to PAGE_SIZE. However, the memory corruption is hard
> > to root cause. To identify the programming error in the caller
> > easier, check whether the mapping size is PAGE_SIZE aligned with
> > WARN_ON().
> >
> > Signed-off-by: Yadong Qi <yadong.qi@...ux.alibaba.com>
> > Reviewed-by: Huang Ying <ying.huang@...ux.alibaba.com>
> > ---
> > v1 -> v2:
> > * Use WARN_ON instead of BUG_ON
> > ---
> > mm/vmalloc.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/mm/vmalloc.c b/mm/vmalloc.c
> > index 5edd536ba9d2..2cad593e4677 100644
> > --- a/mm/vmalloc.c
> > +++ b/mm/vmalloc.c
> > @@ -100,6 +100,9 @@ static int vmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
> > struct page *page;
> > unsigned long size = PAGE_SIZE;
> >
> > + if (WARN_ON(!PAGE_ALIGNED(end - addr)))
> > + return -ENOMEM;
> > +
>
> EINVAL?
>
If this errno gets returned to userspace somehow, programmer is going
to wonder what was invalid about the arguments which the program passed
to the kernel.
But either way, the callers of vmap_pte_range() should be audited, to
verify that they take appropriate action when this happens.
Powered by blists - more mailing lists