From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Miles Chen <miles.chen@mediatek.com>,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
Andrey Konovalov <andreyknvl@google.com>,
Alexander Potapenko <glider@google.com>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
Dmitry Vyukov <dvyukov@google.com>,
Marco Elver <elver@google.com>, Will Deacon <will@kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Song Bao Hua (Barry Song)" <song.bao.hua@hisilicon.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 5.4 30/36] proc: use untagged_addr() for pagemap_read addresses
Date: Mon, 14 Dec 2020 18:28:14 +0100 [thread overview]
Message-ID: <20201214172544.783476534@linuxfoundation.org> (raw)
In-Reply-To: <20201214172543.302523401@linuxfoundation.org>
From: Miles Chen <miles.chen@mediatek.com>
commit 40d6366e9d86d9a67b5642040e76082fdb5bdcf9 upstream.
When we try to visit the pagemap of a tagged userspace pointer, we find
that the start_vaddr is not correct because of the tag.
To fix it, we should untag the userspace pointers in pagemap_read().
I tested with 5.10-rc4 and the issue remains.
Explanation from Catalin in [1]:
"Arguably, that's a user-space bug since tagged file offsets were never
supported. In this case it's not even a tag at bit 56 as per the arm64
tagged address ABI but rather down to bit 47. You could say that the
problem is caused by the C library (malloc()) or whoever created the
tagged vaddr and passed it to this function. It's not a kernel
regression as we've never supported it.
Now, pagemap is a special case where the offset is usually not
generated as a classic file offset but rather derived by shifting a
user virtual address. I guess we can make a concession for pagemap
(only) and allow such offset with the tag at bit (56 - PAGE_SHIFT + 3)"
My test code is based on [2]:
A userspace pointer which has been tagged by 0xb4: 0xb400007662f541c8
userspace program:
uint64 OsLayer::VirtualToPhysical(void *vaddr) {
uint64 frame, paddr, pfnmask, pagemask;
int pagesize = sysconf(_SC_PAGESIZE);
off64_t off = ((uintptr_t)vaddr) / pagesize * 8; // off = 0xb400007662f541c8 / pagesize * 8 = 0x5a00003b317aa0
int fd = open(kPagemapPath, O_RDONLY);
...
if (lseek64(fd, off, SEEK_SET) != off || read(fd, &frame, 8) != 8) {
int err = errno;
string errtxt = ErrorString(err);
if (fd >= 0)
close(fd);
return 0;
}
...
}
kernel fs/proc/task_mmu.c:
static ssize_t pagemap_read(struct file *file, char __user *buf,
size_t count, loff_t *ppos)
{
...
src = *ppos;
svpfn = src / PM_ENTRY_BYTES; // svpfn == 0xb400007662f54
start_vaddr = svpfn << PAGE_SHIFT; // start_vaddr == 0xb400007662f54000
end_vaddr = mm->task_size;
/* watch out for wraparound */
// svpfn == 0xb400007662f54
// (mm->task_size >> PAGE) == 0x8000000
if (svpfn > mm->task_size >> PAGE_SHIFT) // the condition is true because of the tag 0xb4
start_vaddr = end_vaddr;
ret = 0;
while (count && (start_vaddr < end_vaddr)) { // we cannot visit correct entry because start_vaddr is set to end_vaddr
int len;
unsigned long end;
...
}
...
}
[1] https://lore.kernel.org/patchwork/patch/1343258/
[2] https://github.com/stressapptest/stressapptest/blob/master/src/os.cc#L158
Link: https://lkml.kernel.org/r/20201204024347.8295-1-miles.chen@mediatek.com
Signed-off-by: Miles Chen <miles.chen@mediatek.com>
Reviewed-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Marco Elver <elver@google.com>
Cc: Will Deacon <will@kernel.org>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Song Bao Hua (Barry Song) <song.bao.hua@hisilicon.com>
Cc: <stable@vger.kernel.org> [5.4-]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/proc/task_mmu.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -1567,11 +1567,15 @@ static ssize_t pagemap_read(struct file
src = *ppos;
svpfn = src / PM_ENTRY_BYTES;
- start_vaddr = svpfn << PAGE_SHIFT;
end_vaddr = mm->task_size;
/* watch out for wraparound */
- if (svpfn > mm->task_size >> PAGE_SHIFT)
+ start_vaddr = end_vaddr;
+ if (svpfn <= (ULONG_MAX >> PAGE_SHIFT))
+ start_vaddr = untagged_addr(svpfn << PAGE_SHIFT);
+
+ /* Ensure the address is inside the task */
+ if (start_vaddr > mm->task_size)
start_vaddr = end_vaddr;
/*
next prev parent reply other threads:[~2020-12-14 19:07 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-14 17:27 [PATCH 5.4 00/36] 5.4.84-rc1 review Greg Kroah-Hartman
2020-12-14 17:27 ` [PATCH 5.4 01/36] Kbuild: do not emit debug info for assembly with LLVM_IAS=1 Greg Kroah-Hartman
2020-12-14 17:27 ` [PATCH 5.4 02/36] x86/lib: Change .weak to SYM_FUNC_START_WEAK for arch/x86/lib/mem*_64.S Greg Kroah-Hartman
2020-12-14 17:27 ` [PATCH 5.4 03/36] iwlwifi: pcie: limit memory read spin time Greg Kroah-Hartman
2020-12-14 17:27 ` [PATCH 5.4 04/36] arm64: dts: rockchip: Assign a fixed index to mmc devices on rk3399 boards Greg Kroah-Hartman
2020-12-14 17:27 ` [PATCH 5.4 05/36] iwlwifi: pcie: set LTR to avoid completion timeout Greg Kroah-Hartman
2020-12-14 17:27 ` [PATCH 5.4 06/36] iwlwifi: mvm: fix kernel panic in case of assert during CSA Greg Kroah-Hartman
2020-12-14 17:27 ` [PATCH 5.4 07/36] powerpc: Drop -me200 addition to build flags Greg Kroah-Hartman
2020-12-14 17:27 ` [PATCH 5.4 08/36] arm64: dts: broadcom: clear the warnings caused by empty dma-ranges Greg Kroah-Hartman
2020-12-14 17:27 ` [PATCH 5.4 09/36] ARC: stack unwinding: dont assume non-current task is sleeping Greg Kroah-Hartman
2020-12-14 17:27 ` [PATCH 5.4 10/36] scsi: ufs: Make sure clk scaling happens only when HBA is runtime ACTIVE Greg Kroah-Hartman
2020-12-14 17:27 ` [PATCH 5.4 11/36] interconnect: qcom: qcs404: Remove GPU and display RPM IDs Greg Kroah-Hartman
2020-12-14 17:27 ` [PATCH 5.4 12/36] ibmvnic: skip tx timeout reset while in resetting Greg Kroah-Hartman
2020-12-14 17:27 ` [PATCH 5.4 13/36] irqchip/gic-v3-its: Unconditionally save/restore the ITS state on suspend Greg Kroah-Hartman
2020-12-14 17:27 ` [PATCH 5.4 14/36] spi: spi-nxp-fspi: fix fspi panic by unexpected interrupts Greg Kroah-Hartman
2020-12-14 17:27 ` [PATCH 5.4 15/36] soc: fsl: dpio: Get the cpumask through cpumask_of(cpu) Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 16/36] arm64: tegra: Disable the ACONNECT for Jetson TX2 Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 17/36] platform/x86: thinkpad_acpi: Do not report SW_TABLET_MODE on Yoga 11e Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 18/36] platform/x86: thinkpad_acpi: Add BAT1 is primary battery quirk for Thinkpad Yoga 11e 4th gen Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 19/36] platform/x86: acer-wmi: add automatic keyboard background light toggle key as KEY_LIGHTS_TOGGLE Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 20/36] platform/x86: intel-vbtn: Support for tablet mode on HP Pavilion 13 x360 PC Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 21/36] platform/x86: touchscreen_dmi: Add info for the Irbis TW118 tablet Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 22/36] can: m_can: m_can_dev_setup(): add support for bosch mcan version 3.3.0 Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 23/36] ktest.pl: Fix incorrect reboot for grub2bls Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 24/36] Input: cm109 - do not stomp on control URB Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 25/36] Input: i8042 - add Acer laptops to the i8042 reset list Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 26/36] pinctrl: amd: remove debounce filter setting in IRQ type setting Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 27/36] mmc: block: Fixup condition for CMD13 polling for RPMB requests Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 28/36] drm/i915/display/dp: Compute the correct slice count for VDSC on DP Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 29/36] kbuild: avoid static_assert for genksyms Greg Kroah-Hartman
2020-12-14 17:28 ` Greg Kroah-Hartman [this message]
2020-12-14 17:28 ` [PATCH 5.4 31/36] scsi: be2iscsi: Revert "Fix a theoretical leak in beiscsi_create_eqs()" Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 32/36] x86/mm/mem_encrypt: Fix definition of PMD_FLAGS_DEC_WP Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 33/36] x86/membarrier: Get rid of a dubious optimization Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 34/36] x86/apic/vector: Fix ordering in vector assignment Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 35/36] mm/zsmalloc.c: drop ZSMALLOC_PGTABLE_MAPPING Greg Kroah-Hartman
2020-12-14 17:28 ` [PATCH 5.4 36/36] compiler.h: fix barrier_data() on clang Greg Kroah-Hartman
2020-12-14 22:21 ` [PATCH 5.4 00/36] 5.4.84-rc1 review Shuah Khan
2020-12-15 6:51 ` Naresh Kamboju
2020-12-15 9:06 ` Jon Hunter
2020-12-15 20:31 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201214172544.783476534@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@google.com \
--cc=aryabinin@virtuozzo.com \
--cc=catalin.marinas@arm.com \
--cc=dvyukov@google.com \
--cc=ebiederm@xmission.com \
--cc=elver@google.com \
--cc=glider@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=miles.chen@mediatek.com \
--cc=song.bao.hua@hisilicon.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=vincenzo.frascino@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.