From: Zhaoyang Huang
Date: Tue, 20 Aug 2019 20:45:41 +0800
Subject: [Resend PATCH v3] arch : arm : add a criteria for pfn_valid
To: Andrew Morton, Zhaoyang Huang, Russell King, Mike Rapoport, Rob Herring, Florian Fainelli, Geert Uytterhoeven, Doug Berger, LKML, chunyan.zhang@unisoc.com
References: <1566179120-5910-1-git-send-email-huangzhaoyang@gmail.com> <1566193808-9153-1-git-send-email-huangzhaoyang@gmail.com>
In-Reply-To: <1566193808-9153-1-git-send-email-huangzhaoyang@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Zhaoyang Huang

pfn_valid can be wrong when parsing an invalid pfn whose phys address
exceeds BITS_PER_LONG as the MSB will be trimmed when shifted.

The issue originally arises from the call stack below, which corresponds to
an access of the /proc/kpageflags from userspace with an invalid pfn
parameter and leads to a kernel panic.

[46886.723249] c7 [] (stable_page_flags) from []
[46886.723264] c7 [] (kpageflags_read) from []
[46886.723280] c7 [] (proc_reg_read) from []
[46886.723290] c7 [] (__vfs_read) from []
[46886.723301] c7 [] (vfs_read) from []
[46886.723315] c7 [] (SyS_pread64) from [] (ret_fast_syscall+0x0/0x28)

Signed-off-by: Zhaoyang Huang Reviewed-by: Mike Rapoport --- v2: use __pfn_to_phys/__phys_to_pfn instead of max_pfn as the criteria v3: update commit message to describe the defection's context add Mike Rapoport as reviewer --- arch/arm/mm/init.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c index c2daabb..cc769fa 100644 --- a/arch/arm/mm/init.c +++ b/arch/arm/mm/init.c @@ -177,6 +177,11 @@ static void __init zone_sizes_init(unsigned long min, unsigned long max_low, #ifdef CONFIG_HAVE_ARCH_PFN_VALID int pfn_valid(unsigned long pfn) { + phys_addr_t addr = __pfn_to_phys(pfn); + + if (__phys_to_pfn(addr) != pfn) + return 0; + return memblock_is_map_memory(__pfn_to_phys(pfn)); } EXPORT_SYMBOL(pfn_valid); -- 1.9.1
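
Review bot: The unchanged return line of pfn_valid() still calls __pfn_to_phys(pfn) a second time although the new local addr already holds that value; pass addr to memblock_is_map_memory() so the conversion is done once and the check and the lookup visibly use the same address. The round-trip test "if (__phys_to_pfn(addr) != pfn)" would also benefit from a one-line comment saying that it rejects a pfn whose upper bits are lost in the shift, since that intent is currently stated only in the commit message.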
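
The truncation described in the commit message, as an added user-space model (not code from the patch or the kernel). It assumes a 32-bit phys_addr_t, PAGE_SHIFT of 12 and a constructed one-bank memory map; pfn_to_phys, phys_to_pfn, toy_is_map_memory, pfn_valid_before and pfn_valid_after are hypothetical stand-ins for the kernel helpers named in the hunk.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12

typedef uint32_t phys_addr_t;  /* assumption: 32-bit physical addresses */
typedef uint32_t pfn_t;        /* models unsigned long on 32-bit ARM */

/* Models of __pfn_to_phys / __phys_to_pfn: a plain shift each way. */
static phys_addr_t pfn_to_phys(pfn_t pfn) { return (phys_addr_t)pfn << PAGE_SHIFT; }
static pfn_t phys_to_pfn(phys_addr_t addr) { return (pfn_t)(addr >> PAGE_SHIFT); }

/* Constructed memory map: one RAM bank, 256 MiB at 0x80000000. */
#define RAM_BASE 0x80000000u
#define RAM_SIZE 0x10000000u

/* Stand-in for memblock_is_map_memory(): is addr inside the bank? */
static int toy_is_map_memory(phys_addr_t addr)
{
    return addr >= RAM_BASE && addr - RAM_BASE < RAM_SIZE;
}

/* pfn_valid() as it was before the patch. */
static int pfn_valid_before(pfn_t pfn)
{
    return toy_is_map_memory(pfn_to_phys(pfn));
}

/* pfn_valid() with the round-trip check the patch adds. */
static int pfn_valid_after(pfn_t pfn)
{
    phys_addr_t addr = pfn_to_phys(pfn);

    if (phys_to_pfn(addr) != pfn)  /* upper bits were lost in the shift */
        return 0;
    return toy_is_map_memory(addr);
}

int main(void)
{
    pfn_t good = 0x80000;   /* first page of the RAM bank */
    pfn_t bad  = 0x180000;  /* 0x180000 << 12 wraps to 0x80000000 in 32 bits */

    printf("good: before=%d after=%d\n", pfn_valid_before(good), pfn_valid_after(good));
    printf("bad:  before=%d after=%d\n", pfn_valid_before(bad), pfn_valid_after(bad));
    return 0;
}
```

The out-of-range pfn aliases the first page of RAM after the shift, so the unpatched check accepts it while the round-trip comparison rejects it.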