Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1164578imm; Wed, 15 Aug 2018 12:33:00 -0700 (PDT) X-Google-Smtp-Source: AA+uWPz3SbZxrqlu3LXLMWmJdBIw0h2JBk7ya19xfviJXBzHQIA6ji3vNKVetFFJImWtanNPCEUK X-Received: by 2002:a63:9619:: with SMTP id c25-v6mr25774006pge.75.1534361580547; Wed, 15 Aug 2018 12:33:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534361580; cv=none; d=google.com; s=arc-20160816; b=UHGKBU1e8YfNvkpyWPrk2khp2hQ48+rDoLU+XL02zlV5cpqRR1+BFqZw9ffXQan3ui pSLLlOLMakHiQBtWl5c52Nof9K98sPpER+wjIDpdJtjxwMAzpClpw7KYWebgu87aLni9 c9msaGcZr9mNW28wiLvwLayJG4Okl5T8BCwsGVGfkLrJuhDn78cih9HayY3xkHZ6XNYi AohAuCAx5qlfB2HMgpr/5aAwxNgT0N0mWv5AsnmiudteFmZkvPmfoyue/5LF2jlizhDG ZK9wpuhHB0eMQDrt9lVUB+RjmURte+l7N1cANc0P2Znd3H2GOnCt13jEF5HiGxKPlySe XDEA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature :arc-authentication-results; bh=lqC5wsFIGsfGvtWuKKPTJQujYWbgAaQRHR7fQCh8LzU=; b=DTYEgE36OGbN/WYBUTHuePr0rPiwFK7dczEiIzfXnc5+QHEnOCgb6n0/zOzFCIcgAt X+1AIGUPORBCpEIIWyD4vVKyH0BIzNTjBlaCxWLPedTiDlX/ZbITCVkZrLw1IGY4PqUt XGSFxh61ZNPAIh3DMlHJ8hwo58icRWw3GFVtm5X8XSWualwNL+XTdbPkdOBVBp4hD0nA uBBYSP6zi0sx2bfjNOH7wTL7C4TB+YwQjrnolEhKpA/R/eIS0ZFbmO6nOquvmn2SWEcg 2TiMEcrPDgWBxveQ3tkfg010FmW47EbgkJEVT3iXuJL3lkjT96+48EjjEQuyVl4hg+M7 1m8g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="EjM/EEpN"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 5-v6si19287102plt.342.2018.08.15.12.32.22; Wed, 15 Aug 2018 12:33:00 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="EjM/EEpN"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727621AbeHOWXv (ORCPT + 99 others); Wed, 15 Aug 2018 18:23:51 -0400 Received: from mail-pg1-f193.google.com ([209.85.215.193]:33754 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725941AbeHOWXv (ORCPT ); Wed, 15 Aug 2018 18:23:51 -0400 Received: by mail-pg1-f193.google.com with SMTP id r5-v6so937794pgv.0 for ; Wed, 15 Aug 2018 12:30:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=lqC5wsFIGsfGvtWuKKPTJQujYWbgAaQRHR7fQCh8LzU=; b=EjM/EEpNA987O8Vh6w2ppuWjemtNotweRhRyePa5kAG+ldAdVEVyPKwUZ18Ni24SV/ 2cXBmMPrkm87yKKj8DW+C+2saODSjYAaVVH6kyi8PKNbvzxwaF0S6VcskZpYCycHR4n8 JASmmtjllFAMajAsXD1SygyWj0JNb7rk197YTBACSfPtNt45KfpLtVp6HyTi0muYI5du RV2f+2eL48YWOydg+iKrK+e1H2c35FePgDMF6iS7sKr5xtt8UFNUCY8su7oV1US/c1dM hVdKn2VW4KN899SBtNjBZM5KpqnmhormUDmaxqEsmMF3a1ulKG9s3GokgO6P5cTOZ2ly hScQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=lqC5wsFIGsfGvtWuKKPTJQujYWbgAaQRHR7fQCh8LzU=; b=c6kq/gWH1IlV2uptw1WQ6d0nCcXkDUqSNPgoK4h3+/4h7fRH6VUU5OvW4HK3E/Nppr 0wtaRYnKv858+hcBv9TCsHOXa0R1Z+/bq/mmqvX08NycVSsH5XSw46EViwidbYmSkyjE +aEjSy9WlG292v8Ch3Ps3R+0e0bVF46rZRrdrFs2QC36eQ8P1d7PK/6xwxBbrP9o1lz7 4+MzV8DjZKC9GzcQxOpBMQ0S0aDhlC4CsMMKBeY1HCUQcx4AUnkgjNSsrGaTTyGhektK HUpB04AQfZ2EI8pd6v+Xj22h6fnu/uqFytt79G6Ff6usHznrJjnTAzF16hE46RWyOOXx 4m2Q== X-Gm-Message-State: AOUpUlESVY5mz6PVLXhL2LqhKPfGrwklNVper+DKJxf2tMgGQE6ux9QQ HAl3Ab2re4b0jqfOoEaATrxaUhIKde54DQ== X-Received: by 2002:a62:c4c3:: with SMTP id h64-v6mr28886572pfk.39.1534361421766; Wed, 15 Aug 2018 12:30:21 -0700 (PDT) Received: from hackmann.mtv.corp.google.com ([2620:0:1000:1601:82f7:8f1:8c08:a97a]) by smtp.gmail.com with ESMTPSA id 22-v6sm39300161pfl.126.2018.08.15.12.30.20 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 15 Aug 2018 12:30:21 -0700 (PDT) Subject: Re: [PATCH] arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid() To: Will Deacon Cc: Greg Hackmann , linux-arm-kernel@lists.infradead.org, kernel-team@android.com, Catalin Marinas , Andrew Morton , Robin Murphy , Laura Abbott , Steve Capper , Kristina Martsenko , Stefan Agner , CHANDAN VN , Johannes Weiner , linux-kernel@vger.kernel.org References: <20180813193013.236362-1-ghackmann@google.com> <20180814104041.GB28664@arm.com> <20180814152958.GD567@arm.com> From: Greg Hackmann Message-ID: Date: Wed, 15 Aug 2018 12:30:19 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <20180814152958.GD567@arm.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-GB Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 08/14/2018 08:29 AM, Will Deacon wrote: > On Tue, Aug 14, 2018 at 08:17:48AM -0700, Greg Hackmann wrote: >> On 08/14/2018 03:40 AM, Will Deacon wrote: >>> Hi Greg, >>> >>> On Mon, Aug 13, 2018 at 12:30:11PM -0700, Greg Hackmann wrote: >>>> ARM64's pfn_valid() shifts away the upper PAGE_SHIFT bits of the input >>>> before seeing if the PFN is valid. This leads to false positives when >>>> some of the upper bits are set, but the lower bits match a valid PFN. >>>> >>>> For example, the following userspace code looks up a bogus entry in >>>> /proc/kpageflags: >>>> >>>> int pagemap = open("/proc/self/pagemap", O_RDONLY); >>>> int pageflags = open("/proc/kpageflags", O_RDONLY); >>>> uint64_t pfn, val; >>>> >>>> lseek64(pagemap, [...], SEEK_SET); >>>> read(pagemap, &pfn, sizeof(pfn)); >>>> if (pfn & (1UL << 63)) { /* valid PFN */ >>>> pfn &= ((1UL << 55) - 1); /* clear flag bits */ >>>> pfn |= (1UL << 55); >>>> lseek64(pageflags, pfn * sizeof(uint64_t), SEEK_SET); >>>> read(pageflags, &val, sizeof(val)); >>>> } >>>> >>>> On ARM64 this causes the userspace process to crash with SIGSEGV rather >>>> than reading (1 << KPF_NOPAGE). kpageflags_read() treats the offset as >>>> valid, and stable_page_flags() will try to access an address between the >>>> user and kernel address ranges. >>>> >>>> Signed-off-by: Greg Hackmann >>>> --- >>>> arch/arm64/mm/init.c | 6 +++++- >>>> 1 file changed, 5 insertions(+), 1 deletion(-) >>> >>> Thanks, this looks like a sensible fix to me. Do you think it warrants a >>> CC stable? >>> >>> Will >> >> Yes, I think so. Should I resend with a "Fixes" field? > > Could do, but I think this goes all the way back to day 1! Doesn't arch/arm/ > also suffer from the same issue? > > Will > Yeah, it looks like this happens on non-LPAE 32-bit kernels too. LPAE kernels aren't affected since __pfn_to_phys() promotes to a 64-bit type. I can submit a fix for that too while I'm at it.