Date: Tue, 14 Aug 2018 11:40:42 +0100
From: Will Deacon
To: Greg Hackmann
Cc: linux-arm-kernel@lists.infradead.org, kernel-team@android.com, Greg Hackmann, Catalin Marinas, Andrew Morton, Robin Murphy, Laura Abbott, Steve Capper, Kristina Martsenko, Stefan Agner, CHANDAN VN, Johannes Weiner, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid()
Message-ID: <20180814104041.GB28664@arm.com>
In-Reply-To: <20180813193013.236362-1-ghackmann@google.com>
References: <20180813193013.236362-1-ghackmann@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Greg,

On Mon, Aug 13, 2018 at 12:30:11PM -0700, Greg Hackmann wrote:
> ARM64's pfn_valid() shifts away the upper PAGE_SHIFT bits of the input
> before seeing if the PFN is valid. This leads to false positives when
> some of the upper bits are set, but the lower bits match a valid PFN.
>
> For example, the following userspace code looks up a bogus entry in
> /proc/kpageflags:
>
>     int pagemap = open("/proc/self/pagemap", O_RDONLY);
>     int pageflags = open("/proc/kpageflags", O_RDONLY);
>     uint64_t pfn, val;
>
>     lseek64(pagemap, [...], SEEK_SET);
>     read(pagemap, &pfn, sizeof(pfn));
>     if (pfn & (1UL << 63)) { /* valid PFN */
>         pfn &= ((1UL << 55) - 1); /* clear flag bits */
>         pfn |= (1UL << 55);
>         lseek64(pageflags, pfn * sizeof(uint64_t), SEEK_SET);
>         read(pageflags, &val, sizeof(val));
>     }
>
> On ARM64 this causes the userspace process to crash with SIGSEGV rather
> than reading (1 << KPF_NOPAGE). kpageflags_read() treats the offset as
> valid, and stable_page_flags() will try to access an address between the
> user and kernel address ranges.
>
> Signed-off-by: Greg Hackmann
> ---
>  arch/arm64/mm/init.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)

Thanks, this looks like a sensible fix to me. Do you think it warrants a CC stable?

Will

> diff --git a/arch/arm64/mm/init.c b/arch/arm64/mm/init.c
> index 9abf8a1e7b25..787e27964ab9 100644
> --- a/arch/arm64/mm/init.c
> +++ b/arch/arm64/mm/init.c
> @@ -287,7 +287,11 @@ static void __init zone_sizes_init(unsigned long min, unsigned long max)
>  #ifdef CONFIG_HAVE_ARCH_PFN_VALID
>  int pfn_valid(unsigned long pfn)
>  {
> -	return memblock_is_map_memory(pfn << PAGE_SHIFT);
> +	phys_addr_t addr = pfn << PAGE_SHIFT;
> +
> +	if ((addr >> PAGE_SHIFT) != pfn)
> +		return 0;
> +	return memblock_is_map_memory(addr);
>  }
>  EXPORT_SYMBOL(pfn_valid);
>  #endif
> --
> 2.18.0.597.ga71716f1ad-goog
>
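Review bot: the round-trip test `if ((addr >> PAGE_SHIFT) != pfn)` carries no comment saying what it rejects, and the intent (a pfn whose upper PAGE_SHIFT bits would be shifted out of `pfn << PAGE_SHIFT`) is not obvious from the code alone; a one-line comment above the `if` would help the next reader, and the commit message text could be trimmed into it. The check is sound on arm64 because phys_addr_t and unsigned long are both 64-bit there, so any pfn that survives the shift-and-unshift is the pfn that was passed in. Since the commit message shows the false positive being reached from userspace through /proc/kpageflags and ending in a kernel access to an address between the user and kernel ranges, a Cc: stable tag, as Will asks about, looks justified.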
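The following is an added example, not code from the patch or from the kernel tree: a user-space model of the arm64 pfn_valid() logic before and after the fix above, run against a hypothetical single memblock bank with an assumed PAGE_SHIFT of 12. It shows why the PFN built by the probe in the commit message (flag bits cleared, bit 55 set) aliases a real page once shifted, and it generalizes the point: any pfn with a bit at or above 64 - PAGE_SHIFT set is shifted out. The names pfn_valid_old, pfn_valid_new, model_memblock_is_map_memory, first_lost_pfn_bit and bogus_pfn_from_pagemap are this example's own.

```c
/*
 * Added example modelling the arm64 pfn_valid() change in user space.
 * Assumptions (not from the patch): PAGE_SHIFT is 12, uint64_t stands in
 * for arm64's 64-bit unsigned long / phys_addr_t, and "mapped RAM" is a
 * single hypothetical memblock bank covering physical 2 GiB .. 4 GiB.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SHIFT 12

typedef uint64_t phys_addr_t;   /* arm64 has CONFIG_PHYS_ADDR_T_64BIT */
typedef uint64_t kpfn_t;        /* stands in for the kernel's unsigned long pfn */

/* Hypothetical memblock "memory" region: base and size in bytes. */
static const phys_addr_t mem_bank_base = 0x80000000ULL;
static const phys_addr_t mem_bank_size = 0x80000000ULL;

/* Stand-in for memblock_is_map_memory(): is addr inside mapped RAM? */
static bool model_memblock_is_map_memory(phys_addr_t addr)
{
    return addr >= mem_bank_base && (addr - mem_bank_base) < mem_bank_size;
}

/* Pre-patch logic: the upper PAGE_SHIFT bits of pfn are silently lost. */
int pfn_valid_old(kpfn_t pfn)
{
    return model_memblock_is_map_memory((phys_addr_t)pfn << PAGE_SHIFT);
}

/* Post-patch logic: a pfn that does not survive the round trip is invalid. */
int pfn_valid_new(kpfn_t pfn)
{
    phys_addr_t addr = (phys_addr_t)pfn << PAGE_SHIFT;

    /* Rejects every pfn whose upper PAGE_SHIFT bits are non-zero. */
    if ((addr >> PAGE_SHIFT) != pfn)
        return 0;
    return model_memblock_is_map_memory(addr);
}

/* Lowest pfn bit that "pfn << PAGE_SHIFT" discards on a 64-bit type. */
unsigned int first_lost_pfn_bit(void)
{
    return 64 - PAGE_SHIFT;
}

/*
 * Build the bogus PFN the way the probe in the commit message does:
 * keep bits 0..54 of the /proc/self/pagemap entry (the PFN field) and
 * then set bit 55, which is a flag bit in the pagemap layout, never part
 * of a real PFN.
 */
kpfn_t bogus_pfn_from_pagemap(uint64_t pagemap_entry)
{
    kpfn_t pfn = pagemap_entry & ((1ULL << 55) - 1);
    return pfn | (1ULL << 55);
}

int main(void)
{
    /* Constructed pagemap entry: "present" bit 63 set, PFN 0x80000. */
    uint64_t entry = (1ULL << 63) | 0x80000ULL;
    kpfn_t real = entry & ((1ULL << 55) - 1);
    kpfn_t bogus = bogus_pfn_from_pagemap(entry);

    printf("pfn %#llx: old=%d new=%d\n", (unsigned long long)real,
           pfn_valid_old(real), pfn_valid_new(real));
    printf("pfn %#llx: old=%d new=%d (bit %u and above are shifted out)\n",
           (unsigned long long)bogus, pfn_valid_old(bogus),
           pfn_valid_new(bogus), first_lost_pfn_bit());
    return 0;
}
```

With these assumptions the real PFN 0x80000 is valid under both versions, while the bogus PFN with bit 55 set is accepted by the old logic (its shifted form is again 0x80000000) and rejected by the new one.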