From: Arnd Bergmann
Date: Tue, 9 Oct 2018 09:33:56 +0200
References: <20181005161333.765973-1-arnd@arndb.de> <20181008202209.GA6597@zn.tnic>
Subject: Re: [tip:x86/urgent] x86/mm: Avoid VLA in pgd_alloc()
To: Kees Cook
Cc: Borislav Petkov, linux-tip-commits@vger.kernel.org, Andy Lutomirski, Linux Kernel Mailing List, Linus Torvalds, Andrew Morton, Thomas Gleixner, Dave Hansen, Joerg Roedel, Peter Zijlstra, Ingo Molnar, Toshimitsu Kani, "H. Peter Anvin"
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Oct 9, 2018 at 1:28 AM Kees Cook wrote:
> On Mon, Oct 8, 2018 at 1:22 PM, Borislav Petkov wrote:
> > On Fri, Oct 05, 2018 at 09:24:53AM -0700, tip-bot for Arnd Bergmann wrote:
> >
> > For whatever reason - probably because it forced
> > MAX_PREALLOCATED_USER_PMDS to be KERNEL_PGD_PTRS and not 0 (and I don't
> > have CONFIG_PAGE_TABLE_ISOLATION so it was 0 here with my .config
> > before) but this patch causes the fun below.
> >
> > If I revert it, no splat.
> >
> > Also, config has CONFIG_X86_PAE=y. And CONFIG_STACKPROTECTOR_STRONG=y. If I
> > disable _STRONG, it boots too. Attached.
>
> This really should mean that the stack canary changed. Either the
> stack canary wasn't prepared yet (but this is from run_init_process(),
> which is WELL after boot_init_stack_canary()), or the canary was
> actually stomped on, which would certainly be a bug in the existing
> code.
>
> Ah! I see it now. "pmds" shouldn't have changed, it's not .._USER_PMDS...
>
> - pmd_t *u_pmds[PREALLOCATED_USER_PMDS];
> - pmd_t *pmds[PREALLOCATED_PMDS];
> + pmd_t *u_pmds[MAX_PREALLOCATED_USER_PMDS];
> + pmd_t *pmds[MAX_PREALLOCATED_USER_PMDS];

Ah, cool, thanks for the analysis. Is the patch already reverted? I.e.
should I send a replacement patch, or a relative fix, or is someone else
already on it?

Arnd
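Review bot: in the quoted hunk, the second `+` line sizes `pmds` with `MAX_PREALLOCATED_USER_PMDS`, but the line it replaces used `PREALLOCATED_PMDS`, not the USER variant, so the wrong bound was substituted for that array (the point Kees makes above). In a configuration where the USER bound is smaller than the number of entries `pmds` is filled with, the fill runs past the array and into the stack canary, which matches the CONFIG_STACKPROTECTOR_STRONG splat Borislav reports on a PAE build without CONFIG_PAGE_TABLE_ISOLATION. The bound should be the MAX_ form of `PREALLOCATED_PMDS`, following the pattern the first `+` line applies to `u_pmds`; a `BUILD_BUG_ON()` asserting that each array's runtime count does not exceed its MAX_ bound, placed next to the declarations, would turn a mismatch like this into a build failure instead of a boot-time crash.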
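An added example, written for this page and not code from the thread or from the kernel's arch/x86/mm/pgtable.c, of the pattern the patch and the analysis above are about: replacing a VLA with an array sized by a compile-time maximum, together with the two checks that keep such a replacement safe. The constant values, the `pmd_t` definition and the function names (`preallocate_pmds`, `pgd_alloc_like`, `pgd_alloc_with_wrong_bound`) are hypothetical stand-ins; the USER bound is set to 0 to mirror a build without page-table isolation, and `pgd_alloc_with_wrong_bound` reproduces the sizing error from the quoted hunk with a runtime cap check in place of the stack overrun.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the kernel's configuration-dependent counts
 * (constructed for this example, not copied from pgtable.c).
 * The PREALLOCATED_* values are what pgd_alloc() actually fills at run time;
 * the MAX_* values are the compile-time upper bounds that size the arrays.
 * The USER bound is 0 here, as in a build without page-table isolation. */
#define KERNEL_PGD_PTRS            4
#define PREALLOCATED_PMDS          KERNEL_PGD_PTRS
#define MAX_PREALLOCATED_PMDS      KERNEL_PGD_PTRS
#define PREALLOCATED_USER_PMDS     0
#define MAX_PREALLOCATED_USER_PMDS 0

typedef struct { uint64_t val; } pmd_t;   /* hypothetical stand-in */

/* The property a fixed-size replacement for a VLA depends on: each array is
 * at least as large as the count written into it. Checked at compile time,
 * so pairing pmds[] with the USER bound fails the build instead of
 * overwriting the stack canary at boot. */
_Static_assert(PREALLOCATED_PMDS <= MAX_PREALLOCATED_PMDS, "pmds[] undersized");
_Static_assert(PREALLOCATED_USER_PMDS <= MAX_PREALLOCATED_USER_PMDS, "u_pmds[] undersized");

/* Fill `count` slots of an array that can hold `cap` pointers. Returns the
 * number of slots filled, or -1 when `count` exceeds `cap` or an allocation
 * fails. The cap check is the runtime guard a VLA never needed. */
static int preallocate_pmds(pmd_t **pmds, size_t cap, size_t count)
{
    if (count > cap)
        return -1;
    for (size_t i = 0; i < count; i++) {
        pmds[i] = calloc(1, sizeof(pmd_t));
        if (!pmds[i]) {
            while (i-- > 0)
                free(pmds[i]);
            return -1;
        }
    }
    return (int)count;
}

static void free_pmds(pmd_t **pmds, int n)
{
    for (int i = 0; i < n; i++)
        free(pmds[i]);
}

/* Shape of the corrected pgd_alloc(): each array is sized by its own MAX_
 * bound and filled with its own count. Returns 0 on success, -1 on failure. */
int pgd_alloc_like(void)
{
    /* +1 only so a zero USER bound is still standard C; the kernel relies on
     * GCC's zero-length-array extension instead. */
    pmd_t *u_pmds[MAX_PREALLOCATED_USER_PMDS + 1];
    pmd_t *pmds[MAX_PREALLOCATED_PMDS];
    int nu, np;

    nu = preallocate_pmds(u_pmds, MAX_PREALLOCATED_USER_PMDS, PREALLOCATED_USER_PMDS);
    if (nu < 0)
        return -1;
    np = preallocate_pmds(pmds, MAX_PREALLOCATED_PMDS, PREALLOCATED_PMDS);
    if (np < 0) {
        free_pmds(u_pmds, nu);
        return -1;
    }
    free_pmds(pmds, np);
    free_pmds(u_pmds, nu);
    return 0;
}

/* The mistake in the quoted hunk: pmds[] sized by the USER bound but filled
 * with PREALLOCATED_PMDS entries. Without the cap check the four stores would
 * land past the array (and on the canary); with it the call returns -1. */
int pgd_alloc_with_wrong_bound(void)
{
    pmd_t *pmds[MAX_PREALLOCATED_USER_PMDS + 1];
    int np = preallocate_pmds(pmds, MAX_PREALLOCATED_USER_PMDS, PREALLOCATED_PMDS);
    if (np < 0)
        return -1;
    free_pmds(pmds, np);
    return 0;
}
```

Changing the first `_Static_assert` to compare `PREALLOCATED_PMDS` against `MAX_PREALLOCATED_USER_PMDS` makes the file fail to compile, which is the build-time failure a `BUILD_BUG_ON()` beside the array declarations would give in the kernel; the runtime cap check in `preallocate_pmds` is the second line of defence for counts that are only known at run time.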