From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	stable@kernel.org, Sasha Levin <sashal@kernel.org>,
	linux-mm@kvack.org
Subject: [PATCH AUTOSEL 5.0 78/79] mm: prevent get_user_pages() from overflowing page refcount
Date: Fri, 26 Apr 2019 21:38:37 -0400	[thread overview]
Message-ID: <20190427013838.6596-78-sashal@kernel.org> (raw)
In-Reply-To: <20190427013838.6596-1-sashal@kernel.org>

From: Linus Torvalds <torvalds@linux-foundation.org>

[ Upstream commit 8fde12ca79aff9b5ba951fce1a2641901b8d8e64 ]

If the page refcount wraps around past zero, it will be freed while
there are still four billion references to it.  One of the possible
avenues for an attacker to try to make this happen is by doing direct IO
on a page multiple times.  This patch makes get_user_pages() refuse to
take a new page reference if there are already more than two billion
references to the page.

Reported-by: Jann Horn <jannh@google.com>
Acked-by: Matthew Wilcox <willy@infradead.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/gup.c     | 48 ++++++++++++++++++++++++++++++++++++------------
 mm/hugetlb.c | 13 +++++++++++++
 2 files changed, 49 insertions(+), 12 deletions(-)

diff --git a/mm/gup.c b/mm/gup.c
index 75029649baca..81e0bdefa2cc 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -157,8 +157,12 @@ retry:
 		goto retry;
 	}
 
-	if (flags & FOLL_GET)
-		get_page(page);
+	if (flags & FOLL_GET) {
+		if (unlikely(!try_get_page(page))) {
+			page = ERR_PTR(-ENOMEM);
+			goto out;
+		}
+	}
 	if (flags & FOLL_TOUCH) {
 		if ((flags & FOLL_WRITE) &&
 		    !pte_dirty(pte) && !PageDirty(page))
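Review bot: The new failure path at `page = ERR_PTR(-ENOMEM); goto out;` turns a refcount-saturation condition into an errno that every caller of follow_page_pte() must now distinguish from a real allocation failure via IS_ERR(), and nothing in the hunk says why -ENOMEM was chosen or that the `out:` label is expected to drop the PTE lock on this path. A one-line comment above the check would make the intent explicit: `/* try_get_page() refuses once the refcount nears overflow; report it as -ENOMEM like the callers' other hard failures */`. The body of follow_page_pte(), including the `out:` label and the unlock it presumably performs, lies outside this hunk, so the correctness of the `goto` cannot be confirmed from here.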
@@ -295,7 +299,10 @@ retry_locked:
 			if (pmd_trans_unstable(pmd))
 				ret = -EBUSY;
 		} else {
-			get_page(page);
+			if (unlikely(!try_get_page(page))) {
+				spin_unlock(ptl);
+				return ERR_PTR(-ENOMEM);
+			}
 			spin_unlock(ptl);
 			lock_page(page);
 			ret = split_huge_page(page);
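Review bot: The `spin_unlock(ptl)` on the new failure branch duplicates the unlock that immediately follows it, which is a small readability cost for a lock whose release order matters; since both branches release ptl before doing anything else, the unlock can be hoisted above the check, `bool got = try_get_page(page); spin_unlock(ptl); if (unlikely(!got)) return ERR_PTR(-ENOMEM);`. Behaviour is unchanged either way. The enclosing function starts and ends outside this hunk, so I cannot see whether `ret` is later converted with ERR_PTR(), which would be the alternative to returning directly here.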
@@ -497,7 +504,10 @@ static int get_gate_page(struct mm_struct *mm, unsigned long address,
 		if (is_device_public_page(*page))
 			goto unmap;
 	}
-	get_page(*page);
+	if (unlikely(!try_get_page(*page))) {
+		ret = -ENOMEM;
+		goto unmap;
+	}
 out:
 	ret = 0;
 unmap:
@@ -1393,6 +1403,20 @@ static void undo_dev_pagemap(int *nr, int nr_start, struct page **pages)
 	}
 }
 
+/*
+ * Return the compund head page with ref appropriately incremented,
+ * or NULL if that failed.
+ */
+static inline struct page *try_get_compound_head(struct page *page, int refs)
+{
+	struct page *head = compound_head(page);
+	if (WARN_ON_ONCE(page_ref_count(head) < 0))
+		return NULL;
+	if (unlikely(!page_cache_add_speculative(head, refs)))
+		return NULL;
+	return head;
+}
+
 #ifdef CONFIG_ARCH_HAS_PTE_SPECIAL
 static int gup_pte_range(pmd_t pmd, unsigned long addr, unsigned long end,
 			 int write, struct page **pages, int *nr)
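Review bot: The `page_ref_count(head) < 0` test in try_get_compound_head() is the only overflow defence on the fast-GUP path, yet the comment does not say why it compares against 0 rather than the `<= 0` used by try_get_page(), nor that the read and the subsequent `page_cache_add_speculative()` are two separate atomic operations with no ordering between them. I read it as: a negative count means the counter has already wrapped into the sign bit, while zero is deliberately left to page_cache_add_speculative(), which fails on a page with no references, and the race window is tolerated because the threshold is billions of increments away from the real wrap; both are inferences and should be confirmed. Suggested comment replacing the header, which also fixes the `compund` typo: `/* Return the compound head with its refcount raised by @refs, or NULL. A negative count means the refcount has already overflowed; zero is left to page_cache_add_speculative(), which rejects it. */`. Since a WARN_ON_ONCE fires only once per boot, a later overflow on a different page is silently refused, which is acceptable but worth stating.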
@@ -1427,9 +1451,9 @@ static int gup_pte_range(pmd_t pmd, unsigned long addr, unsigned long end,
 
 		VM_BUG_ON(!pfn_valid(pte_pfn(pte)));
 		page = pte_page(pte);
-		head = compound_head(page);
 
-		if (!page_cache_get_speculative(head))
+		head = try_get_compound_head(page, 1);
+		if (!head)
 			goto pte_unmap;
 
 		if (unlikely(pte_val(pte) != pte_val(*ptep))) {
@@ -1568,8 +1592,8 @@ static int gup_huge_pmd(pmd_t orig, pmd_t *pmdp, unsigned long addr,
 		refs++;
 	} while (addr += PAGE_SIZE, addr != end);
 
-	head = compound_head(pmd_page(orig));
-	if (!page_cache_add_speculative(head, refs)) {
+	head = try_get_compound_head(pmd_page(orig), refs);
+	if (!head) {
 		*nr -= refs;
 		return 0;
 	}
@@ -1606,8 +1630,8 @@ static int gup_huge_pud(pud_t orig, pud_t *pudp, unsigned long addr,
 		refs++;
 	} while (addr += PAGE_SIZE, addr != end);
 
-	head = compound_head(pud_page(orig));
-	if (!page_cache_add_speculative(head, refs)) {
+	head = try_get_compound_head(pud_page(orig), refs);
+	if (!head) {
 		*nr -= refs;
 		return 0;
 	}
@@ -1643,8 +1667,8 @@ static int gup_huge_pgd(pgd_t orig, pgd_t *pgdp, unsigned long addr,
 		refs++;
 	} while (addr += PAGE_SIZE, addr != end);
 
-	head = compound_head(pgd_page(orig));
-	if (!page_cache_add_speculative(head, refs)) {
+	head = try_get_compound_head(pgd_page(orig), refs);
+	if (!head) {
 		*nr -= refs;
 		return 0;
 	}
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 8dfdffc34a99..c220315dc533 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -4298,6 +4298,19 @@ long follow_hugetlb_page(struct mm_struct *mm, struct vm_area_struct *vma,
 
 		pfn_offset = (vaddr & ~huge_page_mask(h)) >> PAGE_SHIFT;
 		page = pte_page(huge_ptep_get(pte));
+
+		/*
+		 * Instead of doing 'try_get_page()' below in the same_page
+		 * loop, just check the count once here.
+		 */
+		if (unlikely(page_count(page) <= 0)) {
+			if (pages) {
+				spin_unlock(ptl);
+				remainder = 0;
+				err = -ENOMEM;
+				break;
+			}
+		}
 same_page:
 		if (pages) {
 			pages[i] = mem_map_offset(page, pfn_offset);
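Review bot: The single `page_count(page) <= 0` check added before `same_page:` is taken once per huge page, but the comment says the get_page() calls it replaces live in the same_page loop below, so up to pages_per_huge_page(h) references can still be added after the check without re-testing; whether a count just below the limit can be pushed past it in one pass depends on the threshold try_get_page() enforces, which is in a sibling patch and not visible here, so that bound is worth stating in the comment or checking explicitly, for example against `page_count(page) + pages_per_huge_page(h)`. The nested `if (pages)` can also be folded into the condition, `if (pages && unlikely(page_count(page) <= 0)) {`, since the error branch is the only thing inside it. The loop and the `same_page` body extend outside this hunk, so the number of get_page() calls per iteration is inferred from the comment rather than seen.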
-- 
2.19.1

