Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp2089314pxa; Fri, 7 Aug 2020 02:53:52 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwV5Bp0ZD5QNj3QazLbtjqKSPgyeJCQqF+8+ro2rogWCg8A51AwsVoUT51wgslglO37YLwc X-Received: by 2002:a17:906:d042:: with SMTP id bo2mr8251141ejb.152.1596794032611; Fri, 07 Aug 2020 02:53:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1596794032; cv=none; d=google.com; s=arc-20160816; b=izwIDwDJ4nz+s3CZ2P0JrIQlYCAnpm4eNsl2TDv2P7x3/gy/X0nsa19ixUiCiMvVFG GANUvfpwCL1J42dd4RXgPvAzJRI4EKF0scUmzFMFWdWl8Nlby7CCmeqieAe6Pg+u33Wa u8nLXYSIH0gNOtAp+4/8/JVNaeJ9HwOCxs33fRnnYaYoSH7RH5yqHbOoeXcgZnBB+69E ZFB4Ks6hhw+kA5V6oOpkA3mWwLpStN97ZH0rjkV2zeZkl/9fbwI47bTabbpVSlOLZm5q onJ3tnbc50Whqu+/gnHT4ZMkhmXK00Ox21G1jhCAqEqZ8Y6YgsaYB0YF8D5d25DBWarX U6RA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=rWsDkZSaH0uI4cPRe7mFxrsylVVt/l3eSy43bcYVPNc=; b=YNZS7jAGQytT7xTyf869hTZOvWu/BmLjqDBxESfFXV+8ha1DYR00leh1uZgTt/mqsN VbOb5xkKL9VRwFfYp0pz5g0Wozg4hqdUWwBmkGQ9kUJN9VjYUUYp/0+VlbQ4jFCyyI/y yBsj6qquCsrltI9GHlT7yLv1RdMCyxQzLV5zTWkPO6CwuDv9m+0RdSAT051nKyxxbuN7 HXCBEBq6GeKXhe0U03S/7IEd9oNuilIYXGkNhC7km16vziTARPZf7JoqxKL/Ss2XFMe6 lqKMT2r5mhdeW8uDIWeV4KHdkWGVbLSFf3iGkpe6VR8oSFNgfGKu0IvSZQ0pH2baySNE MfkQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@zx2c4.com header.s=mail header.b=CeVpMLF5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dp1si7656755ejc.173.2020.08.07.02.53.30; Fri, 07 Aug 2020 02:53:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@zx2c4.com header.s=mail header.b=CeVpMLF5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zx2c4.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727898AbgHGJw0 (ORCPT + 99 others); Fri, 7 Aug 2020 05:52:26 -0400 Received: from mail.zx2c4.com ([192.95.5.64]:50481 "EHLO mail.zx2c4.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727037AbgHGJwZ (ORCPT ); Fri, 7 Aug 2020 05:52:25 -0400 Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTP id 5f638ce4 for ; Fri, 7 Aug 2020 09:27:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=zx2c4.com; h=mime-version :references:in-reply-to:from:date:message-id:subject:to:cc :content-type; s=mail; bh=jHXcrZ97Q570/AtX6P6IATl6PTE=; b=CeVpML F5oWN3sLB1ftZhe6CaCcV2VNLGaYjGtfXqpWsgctvZT5ior0c32UebT0MqPhSVA/ tkH0clSjumgfwAYVpFZ81CGp7Brbw15eS7hcpxumFQRSM6Fp/lHcPX/r+nvdWjet D+ufvGl6laMTd1oXWhwI/7aXn3efSUe3not7JO/TP0yGiepoVr+q7zIeq0urHYz9 yizLhxK+Vri+wBVj95hv2lDSPiJFH3OLGc91gbw+2PlzjgDyS3/aAdNw8bggMCqn 1sVVa2VSgkrLwYudMwMPfEgWdSlDf413Y0UH04VvwetBUW4qeFWYw12Mo5FuBANW tJZr/IIMfXOuOpuQ== Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 33151408 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO) for ; Fri, 7 Aug 2020 09:27:39 +0000 (UTC) Received: by mail-io1-f50.google.com with SMTP id k23so1286268iom.10 for ; Fri, 07 Aug 2020 02:52:22 -0700 (PDT) X-Gm-Message-State: AOAM5307bI7/Y40panEPkSx4l54GJEsenOEMyswLxLEMWbJlXsex1PKu a6fQ9ymLh8eTofi8yY5OF23q6KETDKsgWUQ0PV8= X-Received: by 2002:a05:6638:250f:: with SMTP id v15mr3907264jat.75.1596793941897; Fri, 07 Aug 2020 02:52:21 -0700 (PDT) MIME-Version: 1.0 References: <20200807084013.7090-1-joro@8bytes.org> In-Reply-To: <20200807084013.7090-1-joro@8bytes.org> From: "Jason A. Donenfeld" Date: Fri, 7 Aug 2020 11:52:09 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] x86/mm/64: Do not dereference non-present PGD entries To: Joerg Roedel Cc: X86 ML , Dave Hansen , Andy Lutomirski , Peter Zijlstra , "H . Peter Anvin" , Mike Rapoport , Joerg Roedel , Linus Torvalds , Andrew Morton , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Aug 7, 2020 at 10:40 AM Joerg Roedel wrote: > > From: Joerg Roedel > > The code for preallocate_vmalloc_pages() was written under the > assumption that the p4d_offset() and pud_offset() functions will perform > present checks before dereferencing the parent entries. > > This assumption is wrong an leads to a bug in the code which causes the > physical address found in the PGD be used as a page-table page, even if > the PGD is not present. > > So the code flow currently is: > > pgd = pgd_offset_k(addr); > p4d = p4d_offset(pgd, addr); > if (p4d_none(*p4d)) > p4d = p4d_alloc(&init_mm, pgd, addr); > > This lacks a check for pgd_none() at least, the correct flow would be: > > pgd = pgd_offset_k(addr); > if (pgd_none(*pgd)) > p4d = p4d_alloc(&init_mm, pgd, addr); > else > p4d = p4d_offset(pgd, addr); > > But this is the same flow that the p4d_alloc() and the pud_alloc() > functions use internally, so there is no need to duplicate them. > > Remove the p?d_none() checks from the function and just call into > p4d_alloc() and pud_alloc() to correctly pre-allocate the PGD entries. > > Reported-by: Jason A. Donenfeld > Fixes: 6eb82f994026 ("x86/mm: Pre-allocate P4D/PUD pages for vmalloc area") > Signed-off-by: Joerg Roedel > --- > arch/x86/mm/init_64.c | 31 +++++++++++++------------------ > 1 file changed, 13 insertions(+), 18 deletions(-) > > diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c > index 3f4e29a78f2b..449e071240e1 100644 > --- a/arch/x86/mm/init_64.c > +++ b/arch/x86/mm/init_64.c > @@ -1253,28 +1253,23 @@ static void __init preallocate_vmalloc_pages(void) > p4d_t *p4d; > pud_t *pud; > > - p4d = p4d_offset(pgd, addr); > - if (p4d_none(*p4d)) { > - /* Can only happen with 5-level paging */ > - p4d = p4d_alloc(&init_mm, pgd, addr); > - if (!p4d) { > - lvl = "p4d"; > - goto failed; > - } > - } > + lvl = "p4d"; > + p4d = p4d_alloc(&init_mm, pgd, addr); > + if (!p4d) > + goto failed; > > + /* > + * With 5-level paging the P4D level is not folded. So the PGDs > + * are now populated and there is no need to walk down to the > + * PUD level. > + */ > if (pgtable_l5_enabled()) > continue; > > - pud = pud_offset(p4d, addr); > - if (pud_none(*pud)) { > - /* Ends up here only with 4-level paging */ > - pud = pud_alloc(&init_mm, p4d, addr); > - if (!pud) { > - lvl = "pud"; > - goto failed; > - } > - } > + lvl = "pud"; > + pud = pud_alloc(&init_mm, p4d, addr); > + if (!pud) > + goto failed; > } > > return; > -- > 2.26.2 This appears to fix the issue, so: Tested-by: Jason A. Donenfeld