Received: by 10.192.165.156 with SMTP id m28csp1087034imm; Wed, 11 Apr 2018 12:09:39 -0700 (PDT) X-Google-Smtp-Source: AIpwx490C8VUkV9mAp+V5HzsuHsve3Z/wcsZLXH794+kHcHFOcZYTwqdKyrKFJD6q1o86rJH3qkC X-Received: by 2002:a17:902:2006:: with SMTP id n6-v6mr6407889pla.150.1523473779477; Wed, 11 Apr 2018 12:09:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523473779; cv=none; d=google.com; s=arc-20160816; b=SXkRDkCMc6ipwsa3bEdnTcJERHoVNEoDnj2wArDjp4pB+hW23AFRHcVTJgKzAe3KHx ePhNkziZFQ3ULbuHpLnjzVtuaTNnayNzlRd0dM7oPIZI0vC0m72seceaqKQ7CnLpMnCU HDo6JzIA4ZceS09wP6+arVjqksCsbkCB4TURyS2CGFqXmMO7QGTaY3Qi06wHFjms+tsd S2mrX2YUJ3LQ6d420Arb9qyay115VytJLfS46R/+xhF8GSggMppB3l38aTNAvM0/OLql ggnrPOfiXeOHFuTyXcWwtj0zBk8o+ZXmyK1Q35Mmy4RTaiVEVm44BcGJMMY2nDuCZTyZ Xs8g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=0t8x8d+1R7bl26qkr3keGeY/sIPMGhfDpqQGy30FcTc=; b=EFJmTmiAGS9tkTiuXgBAvSu9UbiM05LgLhIEzFIGqssmNwWK8qmIeO8NOilAbRONwS BUhcAoCpbLyZaAzE71259mZdwPDOO/mnETFQocgWlVRcrky56oF9n23vI33L1jVyOURh KWPnrXawyYIMTjBQ2ck7hbK6tKYkXqct6H90TTDwTPxw8jfJu76wZjMcI5+fZq6gORAh 7FNaZQ6vA9VCM0s4FQ1W1OmV9k3jBZdFx+fc6U6zAIFAnLgFW3AYPtbDRCqrMBXZMoMg r4QjyRUSO8Wxpgx/2OBv9SMnh9qNXYdRY/WsjZ9lm9ExcNhgm7U6Wh1HH3ZOgVdgDQbc Qmgg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f2si1170156pgr.67.2018.04.11.12.09.02; Wed, 11 Apr 2018 12:09:39 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934477AbeDKTC1 (ORCPT + 99 others); Wed, 11 Apr 2018 15:02:27 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:38510 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934460AbeDKTCX (ORCPT ); Wed, 11 Apr 2018 15:02:23 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id EC2AAE39; Wed, 11 Apr 2018 19:02:22 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alexander Graf , Ard Biesheuvel , Will Deacon , Sasha Levin Subject: [PATCH 4.9 179/310] arm64: kernel: restrict /dev/mem read() calls to linear region Date: Wed, 11 Apr 2018 20:35:18 +0200 Message-Id: <20180411183630.312958431@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180411183622.305902791@linuxfoundation.org> References: <20180411183622.305902791@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Ard Biesheuvel [ Upstream commit 1151f838cb626005f4d69bf675dacaaa5ea909d6 ] When running lscpu on an AArch64 system that has SMBIOS version 2.0 tables, it will segfault in the following way: Unable to handle kernel paging request at virtual address ffff8000bfff0000 pgd = ffff8000f9615000 [ffff8000bfff0000] *pgd=0000000000000000 Internal error: Oops: 96000007 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 1284 Comm: lscpu Not tainted 4.11.0-rc3+ #103 Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015 task: ffff8000fa78e800 task.stack: ffff8000f9780000 PC is at __arch_copy_to_user+0x90/0x220 LR is at read_mem+0xcc/0x140 This is caused by the fact that lspci issues a read() on /dev/mem at the offset where it expects to find the SMBIOS structure array. However, this region is classified as EFI_RUNTIME_SERVICE_DATA (as per the UEFI spec), and so it is omitted from the linear mapping. So let's restrict /dev/mem read/write access to those areas that are covered by the linear region. Reported-by: Alexander Graf Fixes: 4dffbfc48d65 ("arm64/efi: mark UEFI reserved regions as MEMBLOCK_NOMAP") Signed-off-by: Ard Biesheuvel Signed-off-by: Will Deacon Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/arm64/mm/mmap.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) --- a/arch/arm64/mm/mmap.c +++ b/arch/arm64/mm/mmap.c @@ -18,6 +18,7 @@ #include #include +#include #include #include #include @@ -102,12 +103,18 @@ void arch_pick_mmap_layout(struct mm_str */ int valid_phys_addr_range(phys_addr_t addr, size_t size) { - if (addr < PHYS_OFFSET) - return 0; - if (addr + size > __pa(high_memory - 1) + 1) - return 0; - - return 1; + /* + * Check whether addr is covered by a memory region without the + * MEMBLOCK_NOMAP attribute, and whether that region covers the + * entire range. In theory, this could lead to false negatives + * if the range is covered by distinct but adjacent memory regions + * that only differ in other attributes. However, few of such + * attributes have been defined, and it is debatable whether it + * follows that /dev/mem read() calls should be able traverse + * such boundaries. + */ + return memblock_is_region_memory(addr, size) && + memblock_is_map_memory(addr); } /*