From: Dave Hansen <dave.hansen@intel.com>
To: Frantisek Hrbata <fhrbata@redhat.com>, linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org, tglx@linutronix.de, mingo@redhat.com,
hpa@zytor.com, x86@kernel.org, oleg@redhat.com,
kamaleshb@in.ibm.com, hechjie@cn.ibm.com,
akpm@linux-foundation.org, dvlasenk@redhat.com,
prarit@redhat.com, lwoodman@redhat.com, hannsj_uhl@de.ibm.com
Subject: Re: [PATCH 1/1] x86: add phys addr validity check for /dev/mem mmap
Date: Thu, 14 Aug 2014 09:36:03 -0700 [thread overview]
Message-ID: <53ECE573.1030405@intel.com> (raw)
In-Reply-To: <1408025927-16826-2-git-send-email-fhrbata@redhat.com>
Thanks for dredging this back up!
On 08/14/2014 07:18 AM, Frantisek Hrbata wrote:
> +int valid_phys_addr_range(phys_addr_t addr, size_t count)
> +{
> + return addr + count <= __pa(high_memory);
> +}
Is this correct on 32-bit? It would limit /dev/mem to memory below 896MB.
> +int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
> +{
Nit: please add units to things like "count". len_bytes would be nice
for this kind of thing, especially since it's passed *with* a pfn it
would be easy to think it is a count in pages.
> + /* pgoff + count overflow is checked in do_mmap_pgoff */
> + pfn += count >> PAGE_SHIFT;
> +
> + if (pfn >> BITS_PER_LONG - PAGE_SHIFT)
> + return -EOVERFLOW;
Is this -EOVERFLOW correct? It is called like this:
> static int mmap_mem(struct file *file, struct vm_area_struct *vma)
> {
> if (!valid_mmap_phys_addr_range(vma->vm_pgoff, size))
> return -EINVAL;
So I think we need to return true/false:0/1. -EOVERFLOW would be true,
and that if() would pass.
> + return phys_addr_valid(pfn << PAGE_SHIFT);
> +}
Maybe I'm dumb, but it took me a minute to figure out what you were
trying to do with the: "(pfn >> BITS_PER_LONG - PAGE_SHIFT)". In any
case, I think it is wrong on 32-bit.
On 32-bit, BITS_PER_LONG=32, and PAGE_SIZE=12, and a paddr=0x100000000
or pfn=0x100000 (4GB) is perfectly valid with PAE enabled. But, this
code pfn>>(32-12) would result in 0x1 and return -EOVERFLOW.
I think something like this would be easier to read and actually work on
32-bit:
static inline int arch_pfn_possible(unsigned long pfn)
{
unsigned long max_arch_pfn = 1UL << (boot_cpu_data.x86_phys_bits -
PAGE_SHIFT);
return pfn < max_arch_pfn;
}
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Dave Hansen <dave.hansen@intel.com>
To: Frantisek Hrbata <fhrbata@redhat.com>, linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org, tglx@linutronix.de, mingo@redhat.com,
hpa@zytor.com, x86@kernel.org, oleg@redhat.com,
kamaleshb@in.ibm.com, hechjie@cn.ibm.com,
akpm@linux-foundation.org, dvlasenk@redhat.com,
prarit@redhat.com, lwoodman@redhat.com, hannsj_uhl@de.ibm.com
Subject: Re: [PATCH 1/1] x86: add phys addr validity check for /dev/mem mmap
Date: Thu, 14 Aug 2014 09:36:03 -0700 [thread overview]
Message-ID: <53ECE573.1030405@intel.com> (raw)
In-Reply-To: <1408025927-16826-2-git-send-email-fhrbata@redhat.com>
Thanks for dredging this back up!
On 08/14/2014 07:18 AM, Frantisek Hrbata wrote:
> +int valid_phys_addr_range(phys_addr_t addr, size_t count)
> +{
> + return addr + count <= __pa(high_memory);
> +}
Is this correct on 32-bit? It would limit /dev/mem to memory below 896MB.
> +int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
> +{
Nit: please add units to things like "count". len_bytes would be nice
for this kind of thing, especially since it's passed *with* a pfn it
would be easy to think it is a count in pages.
> + /* pgoff + count overflow is checked in do_mmap_pgoff */
> + pfn += count >> PAGE_SHIFT;
> +
> + if (pfn >> BITS_PER_LONG - PAGE_SHIFT)
> + return -EOVERFLOW;
Is this -EOVERFLOW correct? It is called like this:
> static int mmap_mem(struct file *file, struct vm_area_struct *vma)
> {
> if (!valid_mmap_phys_addr_range(vma->vm_pgoff, size))
> return -EINVAL;
So I think we need to return true/false:0/1. -EOVERFLOW would be true,
and that if() would pass.
> + return phys_addr_valid(pfn << PAGE_SHIFT);
> +}
Maybe I'm dumb, but it took me a minute to figure out what you were
trying to do with the: "(pfn >> BITS_PER_LONG - PAGE_SHIFT)". In any
case, I think it is wrong on 32-bit.
On 32-bit, BITS_PER_LONG=32, and PAGE_SIZE=12, and a paddr=0x100000000
or pfn=0x100000 (4GB) is perfectly valid with PAE enabled. But, this
code pfn>>(32-12) would result in 0x1 and return -EOVERFLOW.
I think something like this would be easier to read and actually work on
32-bit:
static inline int arch_pfn_possible(unsigned long pfn)
{
unsigned long max_arch_pfn = 1UL << (boot_cpu_data.x86_phys_bits -
PAGE_SHIFT);
return pfn < max_arch_pfn;
}
next prev parent reply other threads:[~2014-08-14 16:36 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-14 14:18 [PATCH 0/1] Prevent possible PTE corruption with /dev/mem mmap Frantisek Hrbata
2014-08-14 14:18 ` Frantisek Hrbata
2014-08-14 14:18 ` [PATCH 1/1] x86: add phys addr validity check for " Frantisek Hrbata
2014-08-14 14:18 ` Frantisek Hrbata
2014-08-14 16:36 ` Dave Hansen [this message]
2014-08-14 16:36 ` Dave Hansen
2014-08-14 17:20 ` H. Peter Anvin
2014-08-14 17:20 ` H. Peter Anvin
2014-08-14 17:53 ` Frantisek Hrbata
2014-08-14 17:53 ` Frantisek Hrbata
2014-08-14 17:40 ` Frantisek Hrbata
2014-08-14 17:40 ` Frantisek Hrbata
2014-08-15 10:17 ` Frantisek Hrbata
2014-08-15 10:17 ` Frantisek Hrbata
2014-08-15 11:44 ` [PATCH V2 0/2] Prevent possible PTE corruption with " Frantisek Hrbata
2014-08-15 11:44 ` Frantisek Hrbata
2014-08-15 11:44 ` [PATCH V2 1/2] x86: add arch_pfn_possible helper Frantisek Hrbata
2014-08-15 11:44 ` Frantisek Hrbata
2014-08-15 11:44 ` [PATCH V2 2/2] x86: add phys addr validity check for /dev/mem mmap Frantisek Hrbata
2014-08-15 11:44 ` Frantisek Hrbata
2014-08-15 18:10 ` Dave Hansen
2014-08-15 18:10 ` Dave Hansen
2014-08-18 11:26 ` Frantisek Hrbata
2014-08-18 11:26 ` Frantisek Hrbata
2014-08-20 15:25 ` [PATCH 0/2] x86: allow read/write /dev/mem to access non-system RAM above high_memory Frantisek Hrbata
2014-08-20 15:25 ` Frantisek Hrbata
2014-08-20 15:25 ` [PATCH 1/2] x86: add high_memory check to (xlate|unxlate)_dev_mem_ptr Frantisek Hrbata
2014-08-20 15:25 ` Frantisek Hrbata
2014-08-20 15:25 ` [PATCH 2/2] x86: remove high_memory check from valid_phys_addr_range Frantisek Hrbata
2014-08-20 15:25 ` Frantisek Hrbata
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53ECE573.1030405@intel.com \
--to=dave.hansen@intel.com \
--cc=akpm@linux-foundation.org \
--cc=dvlasenk@redhat.com \
--cc=fhrbata@redhat.com \
--cc=hannsj_uhl@de.ibm.com \
--cc=hechjie@cn.ibm.com \
--cc=hpa@zytor.com \
--cc=kamaleshb@in.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lwoodman@redhat.com \
--cc=mingo@redhat.com \
--cc=oleg@redhat.com \
--cc=prarit@redhat.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.