Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp644891imu; Fri, 4 Jan 2019 04:37:30 -0800 (PST) X-Google-Smtp-Source: ALg8bN5LFuCPUhzwky7rSNBi/KoCfWGYVSj9141Ml6O8OW7x8oAJ1PJ8lPInuotzzXzIqyoXSVaH X-Received: by 2002:a63:c451:: with SMTP id m17mr1505132pgg.27.1546605450830; Fri, 04 Jan 2019 04:37:30 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1546605450; cv=none; d=google.com; s=arc-20160816; b=VcL0Qc8j6muymymgeDIp72poR1ZsZnrh8RS6YAwswqd8eawwZ1sPJ5svVSHFaos9sZ HDtGBiGw9jAwiN7AjKx3zGzYqUueaDnF5uNytrtHE6eDFycJ5iqp8af6dSKUpsLgDN6K GbMiX8ofpCxkLaw3Gtkb8MiPsuSAJ5/Bm2dedN5M4OAEztvkFIL8YwKS/snXvxZ3fcT5 tD1XSTB5wkKwBBJ4+fKJjs5m8wsFkGe0jsT8Lgy2eXTr8Xt9jWNNEhPKcrlnyC1OQDWO FT1K1BKIfbCREFZfxIqZ8niI81362XRAWXY+XQUTyBvCpKv+eJM3Xiyjqvovjz5+adF5 zW3g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:message-id:references :in-reply-to:subject:cc:to:from:date:content-transfer-encoding :mime-version; bh=E7Coeb0ZvX5KZOb+rsajg3JVqvzh7qmWZPCA+SVnq5o=; b=EuK2fyQVO/gQWmHYTDtabPMG3nYNi0Y1HEvnV/sRDIRD96nk1j+ciIt9/etoRbfiz5 DU4t8Z5ADdeQUl2ZMqMVoVgVWVfC+OP+TljHV/jhza1FmQ5wU5+Pdwbe6org8PK8v0UC d07CTwsCIX7WiZR9HW2YqfY+aVV93ZekDczNPsLowcLdlNNy6C6Nh/AEJVtcJGi5gd9G St+o5MHYhfUwm2AJzYr+jzOIJ8ds9F8AbSb+zuLAXpaosRlDfYOIsqgjm5mIfkNcpwYM Exhzln5E3sduQoXuxzKctLuq3+uz+KDL/dz2qBqBZk/Gns2h+aIAWFaIsA13mWpTG+wv tZlQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b1si4939769plc.332.2019.01.04.04.37.15; Fri, 04 Jan 2019 04:37:30 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726477AbfADKVm (ORCPT + 99 others); Fri, 4 Jan 2019 05:21:42 -0500 Received: from mx2.suse.de ([195.135.220.15]:45404 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725958AbfADKVl (ORCPT ); Fri, 4 Jan 2019 05:21:41 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 474E7AD7E; Fri, 4 Jan 2019 10:21:40 +0000 (UTC) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Date: Fri, 04 Jan 2019 11:21:39 +0100 From: Roman Penyaev To: Michal Hocko Cc: Andrew Morton , Andrey Ryabinin , Joe Perches , "Luis R. Rodriguez" , linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: Re: [PATCH 1/3] mm/vmalloc: fix size check for remap_vmalloc_range_partial() In-Reply-To: <20190104093808.GJ31793@dhcp22.suse.cz> References: <20190103145954.16942-1-rpenyaev@suse.de> <20190103145954.16942-2-rpenyaev@suse.de> <20190103151357.GR31793@dhcp22.suse.cz> <20190103194054.GB31793@dhcp22.suse.cz> <5502b64d6c508f5432386d2cfe999844@suse.de> <20190104093808.GJ31793@dhcp22.suse.cz> Message-ID: <4630dd7797fc7934f98c01ea789105a8@suse.de> X-Sender: rpenyaev@suse.de User-Agent: Roundcube Webmail Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2019-01-04 10:38, Michal Hocko wrote: [...] >> > >> > OK, my response was more confusing than I intended. I meant to say. Is >> > there any in kernel code that would allow the bug have had in mind? >> > In other words can userspace trick any existing code? >> >> In theory any existing caller of remap_vmalloc_range() which does >> not have an explicit size check should trigger an oops, e.g. this is >> a good candidate: >> >> *** drivers/media/usb/stkwebcam/stk-webcam.c: >> v4l_stk_mmap[789] ret = remap_vmalloc_range(vma, >> sbuf->buffer, >> 0); > > Hmm, sbuf->buffer is allocated in stk_setup_siobuf to have > buf->v4lbuf.length. mmap callback maps this buffer to the vma size and > that is indeed not enforced to be <= length AFAICS. So you are right! > > Can we have an example in the changelog please? You mean to resend this particular patch with the list of possible candidates for oops in a comment message? Sure thing. -- Roman