From: Toshi Kani <toshi.kani@hpe.com>
To: Henning Schild <henning.schild@siemens.com>,
Ingo Molnar <mingo@kernel.org>
Cc: tglx@linutronix.de, mingo@redhat.com, hpa@zytor.com,
bp@alien8.de, linux-nvdimm@lists.01.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] x86/mm/vmfault: Make vmalloc_fault() handle large pages
Date: Tue, 09 Feb 2016 09:08:51 -0700
Message-ID: <1455034131.2925.79.camel@hpe.com>
In-Reply-To: <20160209132645.55971eff@md1em3qc>
On Tue, 2016-02-09 at 13:26 +0100, Henning Schild wrote:
> On Tue, 9 Feb 2016 11:22:35 +0100
> Ingo Molnar <mingo@kernel.org> wrote:
>
> > * Henning Schild <henning.schild@siemens.com> wrote:
> >
> > > On Tue, 9 Feb 2016 10:10:03 +0100
> > > Ingo Molnar <mingo@kernel.org> wrote:
> > >
> > > > * Toshi Kani <toshi.kani@hpe.com> wrote:
> > > >
> > > > > Since 4.1, ioremap() supports large page (pud/pmd) mappings in
> > > > > x86_64 and PAE. vmalloc_fault() however assumes that the vmalloc
> > > > > range is limited to pte mappings.
> > > > >
> > > > > pgd_ctor() sets the kernel's pgd entries to user's during
> > > > > fork(), which makes user processes share the same page tables
> > > > > for the kernel ranges. When a call to ioremap() is made at
> > > > > run-time that leads to allocate a new 2nd level table (pud in
> > > > > 64-bit and pmd in PAE), user process needs to re-sync with the
> > > > > updated kernel pgd entry with vmalloc_fault().
> > > > >
> > > > > Following changes are made to vmalloc_fault().
> > > >
> > > > So what were the effects of this shortcoming? Were large page
> > > > ioremap()s unusable? Was this harmless because no driver used this
> > > > facility?
> > >
> > > Drivers do use huge ioremap()s. Now if a pre-existing mm is used to
> > > access the device memory a #PF and the call to vmalloc_fault would
> > > eventually make the kernel treat device memory as if it was a
> > > pagetable.
> > > The results are illegal reads/writes on iomem and dereferencing
> > > iomem content like it was a pointer to a lower level pagetable.
> > > - #PF if you are lucky
#PF -> vmalloc_fault -> oops
> > > - funny modification of arbitrary memory possible
> > > - can be abused with uio or regular userland ??
>
> Looking over the code again I am not sure the last two are even
> possible, it is just the pointer deref that can cause a #PF.
> If the pointer turns out to "work" the code will just read and
> eventually BUG().
The last two cases are not possible.
> > Ok, so this is a serious live bug exposed to drivers, that also
> > requires a Cc: stable tag.
Yes, the fix should go to stable as well.
Thanks,
-Toshi
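The pte-only assumption Henning and Toshi discuss, as an added example that is not part of this thread or of the kernel patch: a user-space model of the walk vmalloc_fault() performs, with the old pte-only descent beside the one that honours pud/pmd large pages. The frame numbers, the constructed device-register contents and the vmalloc-range addresses are assumptions of the model; only the x86 entry layout (PRESENT is bit 0, PSE is bit 7) is real.

```c
/* Model of the page-table walk vmalloc_fault() does when a process re-syncs
 * its kernel mappings. Constructed example, not kernel code: "physical memory"
 * is four 4K frames; entry layout follows x86 (PRESENT bit 0, PSE bit 7). */
#include <stdbool.h>
#include <stdint.h>

#define P_PRESENT  (1ULL << 0)
#define P_PSE      (1ULL << 7)                       /* large page at this level */
#define P_ADDRMASK 0x000FFFFFFFFFF000ULL
#define IDX(va, shift) (((va) >> (shift)) & 0x1ff)  /* 9 index bits per level */

enum { PGD_F, PUD_F, PMD_F, IOMEM_F, NFRAMES };     /* IOMEM_F is not a page table */
static uint64_t frames[NFRAMES][512];
enum walk_result { WALK_NOT_PRESENT, WALK_PTE, WALK_LARGE };

static uint64_t *frame_of(uint64_t e) { return frames[(e & P_ADDRMASK) >> 12]; }

/* The kernel maps device memory at va with a 2M (pmd-level) entry, as a
 * large-page ioremap() would; the process's shared pgd then reaches it. */
static void setup_huge_ioremap(uint64_t va)
{
    frames[IOMEM_F][0] = 0xdeadbeefdeadbeefULL;     /* constructed device contents */
    frames[PGD_F][IDX(va, 39)] = ((uint64_t)PUD_F << 12) | P_PRESENT;
    frames[PUD_F][IDX(va, 30)] = ((uint64_t)PMD_F << 12) | P_PRESENT;
    frames[PMD_F][IDX(va, 21)] = ((uint64_t)IOMEM_F << 12) | P_PRESENT | P_PSE;
}

/* handle_large=true is the patched behaviour: stop at a pud/pmd entry that has
 * PSE set. false is the old pte-only assumption the thread describes. */
static enum walk_result walk(uint64_t va, bool handle_large, uint64_t *pa)
{
    uint64_t e = frames[PGD_F][IDX(va, 39)];
    if (!(e & P_PRESENT)) return WALK_NOT_PRESENT;
    e = frame_of(e)[IDX(va, 30)];                                   /* pud entry */
    if (!(e & P_PRESENT)) return WALK_NOT_PRESENT;
    if (handle_large && (e & P_PSE)) {                              /* 1G page */
        *pa = (e & P_ADDRMASK) + (va & ((1ULL << 30) - 1));
        return WALK_LARGE;
    }
    e = frame_of(e)[IDX(va, 21)];                                   /* pmd entry */
    if (!(e & P_PRESENT)) return WALK_NOT_PRESENT;
    if (handle_large && (e & P_PSE)) {                              /* 2M page */
        *pa = (e & P_ADDRMASK) + (va & ((1ULL << 21) - 1));
        return WALK_LARGE;
    }
    /* The old code also reaches this point for a huge pmd and reads the mapped
     * device memory as if it were a pte table. */
    e = frame_of(e)[IDX(va, 12)];
    if (!(e & P_PRESENT)) return WALK_NOT_PRESENT;  /* real code: #PF -> oops */
    *pa = (e & P_ADDRMASK) + (va & 0xfff);
    return WALK_PTE;                                /* garbage "pte" accepted */
}
```

Depending on the device contents at the index the walk happens to read, the old path either fails the present check (the oops Toshi mentions) or returns a nonsense physical address built from register contents.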
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .