Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp644529imu; Fri, 4 Jan 2019 04:37:06 -0800 (PST) X-Google-Smtp-Source: ALg8bN6dZ/ACUtea8CqI7WGGCn8mN+Xwh6/KtWq15X8IZZfXpI1BH7ao6Iic0w3GbnsOCgozm//o X-Received: by 2002:a65:6491:: with SMTP id e17mr1512587pgv.418.1546605426764; Fri, 04 Jan 2019 04:37:06 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1546605426; cv=none; d=google.com; s=arc-20160816; b=XuazleM0jfc9zVTCOHxgI90qQomDZdE5neF8bpIJDbBSf3t/1gtwtnmXMtmEPSSzyU IHJPN4S5yKQkIm8rLarIqL4z1knzo6A7ypzVmGm8XNNn4RVmswT24iuWpuVND+zO9vsT ApXRhn+k1UBWMTJ9YQcQysKAZU14KUHGYZhBruNT4mfTVaId1jlYSQuYVrb5TxRaGJO8 G+Nrj4PSIi47+n6VVMqUcoc5+qqiw3PVv9opN4JCDuU7AmvHx9mS/KPGZEH13yx+uGMT 7K3KzwAgg/QBxBtOHv2zT2A3RzmUE9ToxxqTOKE8m+OcYy1gHpNMX5WWCdAQi5NmelYz /rhw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=M7zM52CEyK+byeX5JzgGZnSJN2OdjfRbAbJA6obo2A8=; b=PkRJt3m+mc4gFEFzYL8R5LomenDKdjJ1SL1DrTKhYzrAIE0S8qJP7bDbgLglZBGol0 7vmNEbv+7Qsfhv8LULKDhwT+5uxYO9/3ZUPnWzOtv0nqJitqU0/+HHUEWPzq1QOP8lU/ V5zj5hQ8ZHqAGYJTFBsOjolbMiJ9LA/1nmTUQFLoIP3yXWuwPy3smU699hHCP98a1g2T +Z9a1+LJqvHTcVvAHhHCFR6aJDMe0H0mrLnFX5Zs1wO5aPxuGHxn+gBfTNwIDi1d0Jwf C9yW4gnoY518UdNaL/0CG+j8/4jiq2hX4fZ6dF6JujDhJQ64PAVip/MZBsxWR+6dLNcY KDNA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b5si1378549ple.387.2019.01.04.04.36.51; Fri, 04 Jan 2019 04:37:06 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726950AbfADK2s (ORCPT + 99 others); Fri, 4 Jan 2019 05:28:48 -0500 Received: from mx2.suse.de ([195.135.220.15]:46490 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726749AbfADK2s (ORCPT ); Fri, 4 Jan 2019 05:28:48 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 0F280AE03; Fri, 4 Jan 2019 10:28:47 +0000 (UTC) Date: Fri, 4 Jan 2019 11:28:46 +0100 From: Michal Hocko To: Roman Penyaev Cc: Andrew Morton , Andrey Ryabinin , Joe Perches , "Luis R. Rodriguez" , linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: Re: [PATCH 1/3] mm/vmalloc: fix size check for remap_vmalloc_range_partial() Message-ID: <20190104102846.GN31793@dhcp22.suse.cz> References: <20190103145954.16942-1-rpenyaev@suse.de> <20190103145954.16942-2-rpenyaev@suse.de> <20190103151357.GR31793@dhcp22.suse.cz> <20190103194054.GB31793@dhcp22.suse.cz> <5502b64d6c508f5432386d2cfe999844@suse.de> <20190104093808.GJ31793@dhcp22.suse.cz> <4630dd7797fc7934f98c01ea789105a8@suse.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4630dd7797fc7934f98c01ea789105a8@suse.de> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri 04-01-19 11:21:39, Roman Penyaev wrote: > On 2019-01-04 10:38, Michal Hocko wrote: > > [...] > > > > > > > > > OK, my response was more confusing than I intended. I meant to say. Is > > > > there any in kernel code that would allow the bug have had in mind? > > > > In other words can userspace trick any existing code? > > > > > > In theory any existing caller of remap_vmalloc_range() which does > > > not have an explicit size check should trigger an oops, e.g. this is > > > a good candidate: > > > > > > *** drivers/media/usb/stkwebcam/stk-webcam.c: > > > v4l_stk_mmap[789] ret = remap_vmalloc_range(vma, > > > sbuf->buffer, > > > 0); > > > > Hmm, sbuf->buffer is allocated in stk_setup_siobuf to have > > buf->v4lbuf.length. mmap callback maps this buffer to the vma size and > > that is indeed not enforced to be <= length AFAICS. So you are right! > > > > Can we have an example in the changelog please? > > You mean to resend this particular patch with the list of possible > candidates for oops in a comment message? Sure thing. I would just reply to the original patch with an updated changelog wording (to include the above example and explain how the vma setup is completely independent on the buffer allocation and ask Andrew to update the changelog of the patch that is already in the mmotm tree). Thanks! -- Michal Hocko SUSE Labs