From: Arnd Bergmann
Date: Fri, 30 Jul 2021 15:35:35 +0200
Subject: Re: [PATCH v5 0/6] compat: remove compat_alloc_user_space
To: Heiko Carstens
Cc: Andrew Morton, Arnd Bergmann, Catalin Marinas, Will Deacon, Thomas Bogendoerfer, "James E.J. Bottomley", Helge Deller, Michael Ellerman, Benjamin Herrenschmidt, Paul Mackerras, Vasily Gorbik, Christian Borntraeger, "David S. Miller", Thomas Gleixner, Ingo Molnar, Borislav Petkov, "the arch/x86 maintainers", "H. Peter Anvin", Al Viro, "Eric W. Biederman", Christoph Hellwig, Feng Tang, Linux ARM, Linux Kernel Mailing List, "open list:BROADCOM NVRAM DRIVER", Parisc List, linuxppc-dev, linux-s390, sparclinux, linux-arch, Linux API, Linux-MM
References: <20210727144859.4150043-1-arnd@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jul 30, 2021 at 11:49 AM Heiko Carstens wrote:
> On Tue, Jul 27, 2021 at 04:48:53PM +0200, Arnd Bergmann wrote:
> >
> Our CI reports this with linux-next and running strace selftest in
> compat mode:

Thanks a lot for the report! I managed to track it down based on your
output. It turns out that I end up copying data from the stack according
to how much the user asked for, and in this case that was much more than
the 8 byte nodemask_t, copying all of the kernel stack all the way into
the guard page with CONFIG_VMAP_STACK, where it crashed.

Without CONFIG_VMAP_STACK, or with user space that asks for less data,
it would just be an information leak, so others probably haven't noticed
the problem.

The change below should fix that, I'll double-check the other callers
as well before sending a proper fixup patch to Andrew.

      Arnd

diff --git a/mm/mempolicy.c b/mm/mempolicy.c index 4fabf2dddbc0..0d1f3be32723 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c
@@ -1438,6 +1438,7 @@ static int copy_nodes_to_user(unsigned long __user *mask, unsigned long maxnode, if (clear_user((char __user *)mask + nbytes, copy - nbytes)) return -EFAULT; copy = nbytes; + maxnode = nr_node_ids; } if (compat)
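Review bot: the added `maxnode = nr_node_ids;` inside the `if (copy > nbytes)` block changes the meaning of `maxnode` for the rest of the function (from the size the caller requested to the kernel's node count) without a comment, and it relies on the later `if (compat)` path re-deriving its length from `maxnode`. Since `copy = nbytes;` on the line just above already holds the clamped byte count, the more robust fix is to have the compat branch take its length from `copy` rather than recomputing it from `maxnode`; if `maxnode` must stay the source of that length, a one-line comment here ("bound the compat copy to the real nodemask size, not the requested size") would tell the next reader why the reassignment exists and why dropping it would reintroduce the stack over-read described in the mail. Adding a case with an oversized `maxnode` to the selftest that caught this would keep it from regressing.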
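To make the failure mode concrete, here is a user-space model of the bug and the fix, written as an added example; it is not kernel code and not part of the patch. It assumes the shape described in the mail: an 8-byte nodemask followed by other kernel stack contents, a clear_user() on the tail the caller asked for beyond that, and a compat path that recomputes its copy length from `maxnode`. The struct, field names and the `NR_NODE_IDS_MODEL` constant are constructed for the model; the "kernel stack" is a plain struct so the over-read stays memory-safe here, whereas the real kernel walked into the VMAP_STACK guard page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not kernel code: a user-space model of the bug in the mail.
 * The compat copy length was derived from the caller's maxnode instead of the
 * clamped byte count, so a large maxnode read past the 8-byte nodemask into
 * the rest of the kernel stack.  All names below are constructed for the model.
 */

#define BITS_PER_LONG_MODEL (8 * sizeof(unsigned long))
#define NR_NODE_IDS_MODEL   64UL   /* one word of nodemask: the 8-byte nodemask_t in the mail */

struct fake_kernel_stack {
    unsigned long nodemask[NR_NODE_IDS_MODEL / BITS_PER_LONG_MODEL]; /* real data, 8 bytes */
    unsigned char other_frames[56];   /* constructed: unrelated stack contents */
};

/* Round a bit count up to whole longs and return the byte size, like ALIGN()/8. */
static size_t bits_to_bytes(unsigned long bits)
{
    return ((bits + BITS_PER_LONG_MODEL - 1) / BITS_PER_LONG_MODEL) * sizeof(unsigned long);
}

/*
 * Model of copy_nodes_to_user() for the compat case.  Returns the number of
 * bytes read from "kernel" memory into ubuf, or 0 on a length error.  With
 * fixed == false the compat length comes from the unclamped maxnode; with
 * fixed == true maxnode is reset to the node count first, as in the patch.
 */
static size_t model_copy_nodes_to_user(unsigned char *ubuf, size_t ubuf_len,
                                       unsigned long maxnode,
                                       const struct fake_kernel_stack *stack,
                                       bool fixed)
{
    size_t copy = bits_to_bytes(maxnode);              /* what the caller asked for */
    size_t nbytes = bits_to_bytes(NR_NODE_IDS_MODEL);  /* what the kernel actually has */

    if (copy > ubuf_len)
        return 0;                                      /* stands in for -EFAULT */

    if (copy > nbytes) {
        memset(ubuf + nbytes, 0, copy - nbytes);       /* clear_user() on the tail */
        copy = nbytes;
        if (fixed)
            maxnode = NR_NODE_IDS_MODEL;               /* the one-line fix from the mail */
    }

    /* compat path: length recomputed from maxnode rather than taken from copy */
    size_t compat_len = bits_to_bytes(maxnode);
    if (compat_len > sizeof(*stack))
        compat_len = sizeof(*stack);  /* keep the model in bounds; the real kernel did not stop */

    memcpy(ubuf, stack, compat_len);                   /* copies past nodemask when unpatched */
    return compat_len;
}

/* Count bytes after the real nodemask that are non-zero, i.e. leaked stack content. */
static size_t leaked_bytes(const unsigned char *ubuf, size_t len)
{
    size_t nbytes = bits_to_bytes(NR_NODE_IDS_MODEL), leaked = 0;
    for (size_t i = nbytes; i < len; i++)
        leaked += (ubuf[i] != 0);
    return leaked;
}

/* One request of maxnode bits against a constructed stack; reports bytes copied and leaked. */
static size_t run_model(unsigned long maxnode, bool fixed, size_t *copied)
{
    struct fake_kernel_stack stack;
    unsigned char ubuf[sizeof(stack)];

    stack.nodemask[0] = 0x3UL;                                    /* constructed: nodes 0 and 1 */
    memset(stack.other_frames, 0xAA, sizeof(stack.other_frames)); /* constructed stack junk */
    memset(ubuf, 0, sizeof(ubuf));

    *copied = model_copy_nodes_to_user(ubuf, sizeof(ubuf), maxnode, &stack, fixed);
    return leaked_bytes(ubuf, *copied);
}

static size_t model_leaked(unsigned long maxnode, bool fixed)
{
    size_t copied;
    return run_model(maxnode, fixed, &copied);
}

static size_t model_copied(unsigned long maxnode, bool fixed)
{
    size_t copied;
    run_model(maxnode, fixed, &copied);
    return copied;
}

int main(void)
{
    printf("unpatched, maxnode=512: copied %zu bytes, %zu leaked\n",
           model_copied(512, false), model_leaked(512, false));
    printf("patched,   maxnode=512: copied %zu bytes, %zu leaked\n",
           model_copied(512, true), model_leaked(512, true));
    return 0;
}
```

With `maxnode = 512` the caller's request rounds to 64 bytes; the unpatched model hands back all 56 bytes of `other_frames` in the zero-filled tail, while the patched model copies only the 8 real bytes and leaves the tail cleared. A request at or below the node count (`maxnode = 32`) behaves identically in both variants, which is why the bug only showed up with a caller that asked for more than the kernel had.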