From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: 
Received: from mail.kernel.org ([198.145.29.99]:43312 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726910AbeKPDpV (ORCPT ); Thu, 15 Nov 2018 22:45:21 -0500
Date: Thu, 15 Nov 2018 12:36:30 -0500
From: Sasha Levin
To: Ben Hutchings
Cc: Greg Kroah-Hartman, stable, Michal Hocko
Subject: Re: [PATCH 4.9] mm: do not bug_on on incorrect length in __mm_populate()
Message-ID: <20181115173630.GH95254@sasha-vm>
References: <20181113164155.2zo7nkciormz2cx7@xylophone.i.decadent.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <20181113164155.2zo7nkciormz2cx7@xylophone.i.decadent.org.uk>
Sender: stable-owner@vger.kernel.org
List-ID:

On Tue, Nov 13, 2018 at 04:41:56PM +0000, Ben Hutchings wrote:
>From: Michal Hocko
>
>commit bb177a732c4369bb58a1fe1df8f552b6f0f7db5f upstream.
>
>syzbot has noticed that a specially crafted library can easily hit
>VM_BUG_ON in __mm_populate
>
> kernel BUG at mm/gup.c:1242!
> invalid opcode: 0000 [#1] SMP
> CPU: 2 PID: 9667 Comm: a.out Not tainted 4.18.0-rc3 #644
> Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
> RIP: 0010:__mm_populate+0x1e2/0x1f0
> Code: 55 d0 65 48 33 14 25 28 00 00 00 89 d8 75 21 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 75 18 f1 ff 0f 0b e8 6e 18 f1 ff <0f> 0b 31 db eb c9 e8 93 06 e0 ff 0f 1f 00 55 48 89 e5 53 48 89 fb
> Call Trace:
>  vm_brk_flags+0xc3/0x100
>  vm_brk+0x1f/0x30
>  load_elf_library+0x281/0x2e0
>  __ia32_sys_uselib+0x170/0x1e0
>  do_fast_syscall_32+0xca/0x420
>  entry_SYSENTER_compat+0x70/0x7f
>
>The reason is that the length of the new brk is not page aligned when we
>try to populate it. There is no reason to bug on that though.
>do_brk_flags already aligns the length properly so the mapping is
>expanded as it should. All we need is to tell mm_populate about it.
>
>Besides that there is absolutely no reason to bug_on in the first
>place. The worst thing that could happen is that the last page wouldn't
>get populated and that is far from putting the system into an inconsistent
>state.
>
>Fix the issue by moving the length sanitization code from do_brk_flags
>up to vm_brk_flags. The only other caller of do_brk_flags is the brk
>syscall entry and it makes sure to provide the proper length so there
>is no need for sanitation and so we can use do_brk_flags without it.
>
>Also remove the bogus BUG_ONs.
>
>[osalvador@techadventures.net: fix up vm_brk_flags s@request@len@]
>Link: http://lkml.kernel.org/r/20180706090217.GI32658@dhcp22.suse.cz
>Signed-off-by: Michal Hocko
>Reported-by: syzbot
>Tested-by: Tetsuo Handa
>Reviewed-by: Oscar Salvador
>Cc: Zi Yan
>Cc: "Aneesh Kumar K.V"
>Cc: Dan Williams
>Cc: "Kirill A. Shutemov"
>Cc: Michael S. Tsirkin
>Cc: Al Viro
>Cc: "Huang, Ying"
>Cc: 
>Signed-off-by: Andrew Morton
>Signed-off-by: Linus Torvalds
>[bwh: Backported to 4.9:
> - There is no do_brk_flags() function; update do_brk()
> - Adjust context]
>Signed-off-by: Ben Hutchings

Queued for 4.9, thank you.

--
Thanks,
Sasha
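The length sanitisation the commit message describes, modelled in user space as an added example that is neither the patch nor kernel code: a range whose end is not page aligned is what the removed VM_BUG_ON in __mm_populate() rejected, and aligning the request (with the overflow check) before both mapping and populating is what moving the code into vm_brk_flags() achieves. The 4 KiB page size and the function names are assumptions for illustration.

```c
/* Added example, not code from the patch or the kernel. Models the length
 * sanitisation moved into vm_brk_flags() by the fix discussed above.
 * PAGE_SHIFT of 12 and the function names are assumptions. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1))
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & PAGE_MASK)

/* Mirrors the condition the old VM_BUG_ON in __mm_populate() enforced:
 * both ends of the populate range must be page aligned. Returns true
 * when the range would have tripped that BUG_ON. */
static bool populate_range_unaligned(unsigned long start, unsigned long len)
{
    unsigned long end = start + len;
    return (start & ~PAGE_MASK) || (end & ~PAGE_MASK);
}

/* Model of the sanitisation now done in vm_brk_flags() before the request
 * reaches either the mapping code or mm_populate(): round the requested
 * length up to whole pages, refusing a request that would wrap around.
 * Returns 0 on success (len_out may be 0, meaning nothing to do) or -1,
 * standing in for -ENOMEM, when PAGE_ALIGN overflows. */
static int vm_brk_len_fixed(unsigned long request, unsigned long *len_out)
{
    unsigned long len = PAGE_ALIGN(request);
    if (len < request)          /* wrapped past ULONG_MAX: reject */
        return -1;
    *len_out = len;
    return 0;
}

int main(void)
{
    unsigned long addr = 0x10000000UL, req = 0x1234, len;
    printf("raw request 0x%lx trips the old VM_BUG_ON: %d\n", req,
           populate_range_unaligned(addr, req));
    if (vm_brk_len_fixed(req, &len) == 0)
        printf("sanitised length 0x%lx trips it: %d\n", len,
               populate_range_unaligned(addr, len));
    printf("wrapping request rejected: %d\n",
           vm_brk_len_fixed(ULONG_MAX - 1, &len));
    return 0;
}
```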