From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Will Deacon", "Greg Hackmann", "Greg Hackmann"
Date: Sun, 09 Dec 2018 21:50:33 +0000
Subject: [PATCH 3.16 147/328] arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid()

3.16.62-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Hackmann

commit 5ad356eabc47d26a92140a0c4b20eba471c10de3 upstream.

ARM64's pfn_valid() shifts away the upper PAGE_SHIFT bits of the input
before seeing if the PFN is valid.  This leads to false positives when
some of the upper bits are set, but the lower bits match a valid PFN.

For example, the following userspace code looks up a bogus entry in
/proc/kpageflags:

    int pagemap = open("/proc/self/pagemap", O_RDONLY);
    int pageflags = open("/proc/kpageflags", O_RDONLY);
    uint64_t pfn, val;

    lseek64(pagemap, [...], SEEK_SET);
    read(pagemap, &pfn, sizeof(pfn));
    if (pfn & (1UL << 63)) {                /* valid PFN */
            pfn &= ((1UL << 55) - 1);       /* clear flag bits */
            pfn |= (1UL << 55);
            lseek64(pageflags, pfn * sizeof(uint64_t), SEEK_SET);
            read(pageflags, &val, sizeof(val));
    }

On ARM64 this causes the userspace process to crash with SIGSEGV rather
than reading (1 << KPF_NOPAGE).  kpageflags_read() treats the offset as
valid, and stable_page_flags() will try to access an address between the
user and kernel address ranges.

Fixes: c1cc1552616d ("arm64: MMU initialisation")
Signed-off-by: Greg Hackmann
Signed-off-by: Will Deacon
[bwh: Backported to 3.16: Keep using memblock_is_memory()]
Signed-off-by: Ben Hutchings --- arch/arm64/mm/init.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/arch/arm64/mm/init.c +++ b/arch/arm64/mm/init.c @@ -113,7 +113,11 @@ static void __init zone_sizes_init(unsig #ifdef CONFIG_HAVE_ARCH_PFN_VALID int pfn_valid(unsigned long pfn) { - return memblock_is_memory(pfn << PAGE_SHIFT); + phys_addr_t addr = pfn << PAGE_SHIFT; + + if ((addr >> PAGE_SHIFT) != pfn) + return 0; + return memblock_is_memory(addr); } EXPORT_SYMBOL(pfn_valid); #endif
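Review bot: the new check `if ((addr >> PAGE_SHIFT) != pfn) return 0;` reads like a tautology to anyone who has not read the commit log, so a one-line comment above it saying that the left shift discards the top PAGE_SHIFT bits of pfn and the compare detects that loss would help future readers. It is also worth spelling out there that the check deliberately covers only the discarded bits: a stray bit low enough to survive the shift still lands in addr and is left to memblock_is_memory() to reject, exactly as before the patch. Finally, the round trip silently assumes phys_addr_t is at least as wide as the unsigned long pfn; if it were narrower, bits would already be lost in the assignment before the compare, so a comment stating that assumption would make the code safer to copy into other arch/ trees.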
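The false positive the commit message describes, shown as an added stand-alone C model that is not part of this patch or of the kernel tree: pfn_valid_old() is the pre-fix body of pfn_valid() from the hunk, pfn_valid_new() is the fixed one, and PAGE_SHIFT = 12, the 64-bit pfn/phys_addr_t types, the single 64 MiB RAM region at 0x80000000 and the memblock_is_memory() stand-in are all constructed assumptions (the real memblock_is_memory() consults the boot-time memory map). count_false_positives() goes slightly beyond the commit's single bit-55 input and probes every bit position the shift discards.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the arm64 kernel environment (assumption:
 * 4 KiB pages and 64-bit pfn/phys_addr_t, as on arm64). */
#define PAGE_SHIFT 12
typedef uint64_t phys_addr_t;

/* Constructed memory map: one 64 MiB RAM region at physical 0x80000000. */
#define RAM_BASE 0x80000000ULL
#define RAM_SIZE (64ULL << 20)

/* Stand-in for memblock_is_memory(): does addr fall inside known RAM? */
static bool memblock_is_memory(phys_addr_t addr)
{
    return addr >= RAM_BASE && addr < RAM_BASE + RAM_SIZE;
}

/* Pre-fix pfn_valid(): the left shift silently drops the top PAGE_SHIFT
 * bits of pfn, so garbage there vanishes before the range check runs. */
int pfn_valid_old(uint64_t pfn)
{
    return memblock_is_memory(pfn << PAGE_SHIFT);
}

/* Fixed pfn_valid() from the hunk: if shifting left and back does not
 * reproduce pfn, bits were lost and pfn cannot name a real page frame. */
int pfn_valid_new(uint64_t pfn)
{
    phys_addr_t addr = (phys_addr_t)pfn << PAGE_SHIFT;

    if ((addr >> PAGE_SHIFT) != pfn)
        return 0;
    return memblock_is_memory(addr);
}

/* How many "valid pfn | one stray high bit" inputs does fn accept?
 * Bits 64 - PAGE_SHIFT .. 63 are exactly the ones the shift discards,
 * so a correct pfn_valid() must accept none of them. */
int count_false_positives(int (*fn)(uint64_t))
{
    const uint64_t good = RAM_BASE >> PAGE_SHIFT;
    int accepted = 0;

    for (int bit = 64 - PAGE_SHIFT; bit < 64; bit++)
        if (fn(good | (1ULL << bit)))
            accepted++;
    return accepted;
}

int main(void)
{
    /* The commit message's input: a valid pfn with bit 55 set. */
    uint64_t good = RAM_BASE >> PAGE_SHIFT;
    uint64_t bogus = good | (1ULL << 55);

    printf("valid pfn 0x%llx:   old=%d new=%d\n", (unsigned long long)good,
           pfn_valid_old(good), pfn_valid_new(good));
    printf("bogus pfn 0x%llx: old=%d new=%d\n", (unsigned long long)bogus,
           pfn_valid_old(bogus), pfn_valid_new(bogus));
    printf("stray-high-bit inputs accepted: old=%d new=%d\n",
           count_false_positives(pfn_valid_old),
           count_false_positives(pfn_valid_new));
    return 0;
}
```

With these constructed constants the old function accepts the bit-55 pfn (the shift turns it into the valid address 0x80000000) and every other pfn whose stray bit sits at position 52 or above, while the fixed function rejects all of them; a stray bit at position 51 or below survives the shift, lands in addr, and is rejected by the range check in both versions.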