Date: Tue, 14 Aug 2018 16:29:59 +0100
From: Will Deacon
To: Greg Hackmann
Cc: Greg Hackmann, linux-arm-kernel@lists.infradead.org, kernel-team@android.com, Catalin Marinas, Andrew Morton, Robin Murphy, Laura Abbott, Steve Capper, Kristina Martsenko, Stefan Agner, CHANDAN VN, Johannes Weiner, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid()
Message-ID: <20180814152958.GD567@arm.com>
References: <20180813193013.236362-1-ghackmann@google.com> <20180814104041.GB28664@arm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Aug 14, 2018 at 08:17:48AM -0700, Greg Hackmann wrote:
> On 08/14/2018 03:40 AM, Will Deacon wrote:
> > Hi Greg,
> >
> > On Mon, Aug 13, 2018 at 12:30:11PM -0700, Greg Hackmann wrote:
> >> ARM64's pfn_valid() shifts away the upper PAGE_SHIFT bits of the input
> >> before seeing if the PFN is valid. This leads to false positives when
> >> some of the upper bits are set, but the lower bits match a valid PFN.
> >>
> >> For example, the following userspace code looks up a bogus entry in
> >> /proc/kpageflags:
> >>
> >> int pagemap = open("/proc/self/pagemap", O_RDONLY);
> >> int pageflags = open("/proc/kpageflags", O_RDONLY);
> >> uint64_t pfn, val;
> >>
> >> lseek64(pagemap, [...], SEEK_SET);
> >> read(pagemap, &pfn, sizeof(pfn));
> >> if (pfn & (1UL << 63)) { /* valid PFN */
> >>     pfn &= ((1UL << 55) - 1); /* clear flag bits */
> >>     pfn |= (1UL << 55);
> >>     lseek64(pageflags, pfn * sizeof(uint64_t), SEEK_SET);
> >>     read(pageflags, &val, sizeof(val));
> >> }
> >>
> >> On ARM64 this causes the userspace process to crash with SIGSEGV rather
> >> than reading (1 << KPF_NOPAGE). kpageflags_read() treats the offset as
> >> valid, and stable_page_flags() will try to access an address between the
> >> user and kernel address ranges.
> >>
> >> Signed-off-by: Greg Hackmann
> >> ---
> >>  arch/arm64/mm/init.c | 6 +++++-
> >>  1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > Thanks, this looks like a sensible fix to me. Do you think it warrants a
> > CC stable?
> >
> > Will
>
> Yes, I think so. Should I resend with a "Fixes" field?

Could do, but I think this goes all the way back to day 1!

Doesn't arch/arm/ also suffer from the same issue?

Will
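Added illustration, not code from the thread or the patch itself: the truncation the commit message describes, side by side with the upper-bits check named in the subject line, using a constructed single-region stand-in for memblock_is_map_memory(). PAGE_SHIFT of 12, a 64-bit phys_addr_t and the memory range are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the arm64 environment: 4K pages, 64-bit phys_addr_t. */
#define PAGE_SHIFT 12
typedef uint64_t phys_addr_t;

/* Constructed memblock map: one region of mapped memory, [2 GiB, 4 GiB). */
static const phys_addr_t MEM_BASE = 0x80000000ULL;
static const phys_addr_t MEM_END  = 0x100000000ULL;

/* Stand-in for memblock_is_map_memory(): is this physical address in the region? */
static bool memblock_is_map_memory(phys_addr_t addr)
{
    return addr >= MEM_BASE && addr < MEM_END;
}

/* Before the fix: the shift silently discards the upper PAGE_SHIFT bits of pfn,
 * so any PFN whose low bits match a valid PFN is accepted (a false positive).
 * pfn is uint64_t here; on arm64 the kernel's unsigned long is also 64 bits. */
static int pfn_valid_old(uint64_t pfn)
{
    return memblock_is_map_memory((phys_addr_t)pfn << PAGE_SHIFT);
}

/* After the fix: if shifting back does not reproduce pfn, some upper bit was
 * lost in the shift, so the PFN cannot be valid and is rejected up front. */
static int pfn_valid_fixed(uint64_t pfn)
{
    phys_addr_t addr = (phys_addr_t)pfn << PAGE_SHIFT;

    if ((addr >> PAGE_SHIFT) != pfn)
        return 0;
    return memblock_is_map_memory(addr);
}

int main(void)
{
    uint64_t good  = MEM_BASE >> PAGE_SHIFT;   /* a genuinely valid PFN */
    uint64_t bogus = good | (1ULL << 55);      /* same low bits, bit 55 set, as in the report */

    printf("good  pfn 0x%llx: old=%d fixed=%d\n", (unsigned long long)good,
           pfn_valid_old(good), pfn_valid_fixed(good));
    printf("bogus pfn 0x%llx: old=%d fixed=%d\n", (unsigned long long)bogus,
           pfn_valid_old(bogus), pfn_valid_fixed(bogus));
    return 0;
}
```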