From patchwork Thu Oct 25 01:27:44 2018
X-Patchwork-Submitter: Rafael David Tinoco
X-Patchwork-Id: 149508
From: Rafael David Tinoco
To: linux-kernel@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, Rafael David Tinoco, Russell King, Mark Brown, Sergey Senozhatsky, Nitin Gupta, Minchan Kim
Subject: [PATCH 1/2] mm/zsmalloc.c: check encoded object value overflow for PAE
Date: Wed, 24 Oct 2018 22:27:44 -0300
Message-Id: <20181025012745.20884-1-rafael.tinoco@linaro.org>
X-Mailer: git-send-email 2.19.1

On 32-bit systems, zsmalloc uses HIGHMEM and, when PAE is enabled, the
physical frame number might be so big that the zsmalloc obj encoding (to
location) will break IF the architecture does not re-define
MAX_PHYSMEM_BITS, causing:

[ 497.097843] ==================================================================
[ 497.102365] BUG: KASAN: null-ptr-deref in zs_map_object+0xa4/0x2bc
[ 497.105933] Read of size 4 at addr 00000000 by task mkfs.ext4/623
[ 497.109684]
[ 497.110722] CPU: 2 PID: 623 Comm: mkfs.ext4 Not tainted 4.19.0-rc8-00017-g8239bc6d3307-dirty #15
[ 497.116098] Hardware name: Generic DT based system
[ 497.119094] [] (unwind_backtrace) from [] (show_stack+0x20/0x24)
[ 497.123819] [] (show_stack) from [] (dump_stack+0xbc/0xe8)
[ 497.128299] [] (dump_stack) from [] (kasan_report+0x248/0x390)
[ 497.132928] [] (kasan_report) from [] (__asan_load4+0x78/0xb4)
[ 497.137530] [] (__asan_load4) from [] (zs_map_object+0xa4/0x2bc)
[ 497.142335] [] (zs_map_object) from [] (zram_bvec_rw.constprop.2+0x324/0x8e4 [zram])
[ 497.148294] [] (zram_bvec_rw.constprop.2 [zram]) from [] (zram_make_request+0x234/0x46c [zram])
[ 497.154653] [] (zram_make_request [zram]) from [] (generic_make_request+0x304/0x63c)
[ 497.160413] [] (generic_make_request) from [] (submit_bio+0x4c/0x1c8)
[ 497.165379] [] (submit_bio) from [] (submit_bh_wbc.constprop.15+0x238/0x26c)
[ 497.170775] [] (submit_bh_wbc.constprop.15) from [] (__block_write_full_page+0x524/0x76c)
[ 497.176776] [] (__block_write_full_page) from [] (block_write_full_page+0x1bc/0x1d4)
[ 497.182549] [] (block_write_full_page) from [] (blkdev_writepage+0x24/0x28)
[ 497.187849] [] (blkdev_writepage) from [] (__writepage+0x44/0x78)
[ 497.192633] [] (__writepage) from [] (write_cache_pages+0x3b8/0x800)
[ 497.197616] [] (write_cache_pages) from [] (generic_writepages+0x74/0xa0)
[ 497.202807] [] (generic_writepages) from [] (blkdev_writepages+0x18/0x1c)
[ 497.208022] [] (blkdev_writepages) from [] (do_writepages+0x68/0x134)
[ 497.213002] [] (do_writepages) from [] (__filemap_fdatawrite_range+0xb0/0xf4)
[ 497.218447] [] (__filemap_fdatawrite_range) from [] (file_write_and_wait_range+0x64/0xd0)
[ 497.224416] [] (file_write_and_wait_range) from [] (blkdev_fsync+0x54/0x84)
[ 497.229749] [] (blkdev_fsync) from [] (vfs_fsync_range+0x70/0xd4)
[ 497.234549] [] (vfs_fsync_range) from [] (do_fsync+0x4c/0x80)
[ 497.239159] [] (do_fsync) from [] (sys_fsync+0x1c/0x20)
[ 497.243407] [] (sys_fsync) from [] (ret_fast_syscall+0x0/0x2c)

like in this ARM 32-bit (LPAE enabled) example.

That occurs because, if not set, MAX_POSSIBLE_PHYSMEM_BITS will default to
BITS_PER_LONG (32) in most cases, and, for PAE, _PFN_BITS will be wrong,
which may cause the obj variable to overflow if the PFN is HIGHMEM and
references any page above the 4GB watermark.

This commit exposes the BUG IF the architecture supports PAE AND does not
explicitly set MAX_POSSIBLE_PHYSMEM_BITS to a supported value.

Link: https://bugs.linaro.org/show_bug.cgi?id=3765#c17
Signed-off-by: Rafael David Tinoco
---
 mm/zsmalloc.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

-- 
2.19.1

diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c
index 9da65552e7ca..9c3ff8c2ccbc 100644
--- a/mm/zsmalloc.c
+++ b/mm/zsmalloc.c
@@ -119,6 +119,15 @@ #define OBJ_INDEX_BITS (BITS_PER_LONG - _PFN_BITS - OBJ_TAG_BITS) #define OBJ_INDEX_MASK ((_AC(1, UL) << OBJ_INDEX_BITS) - 1) +/* + * When using PAE, the obj encoding might overflow if arch does + * not re-define MAX_PHYSMEM_BITS, since zsmalloc uses HIGHMEM. + * This checks for a future bad page access, when de-coding obj. + */ +#define OBJ_OVERFLOW(_pfn) \ + (((unsigned long long) _pfn << (OBJ_INDEX_BITS + OBJ_TAG_BITS)) >= \ + ((_AC(1, ULL)) << MAX_POSSIBLE_PHYSMEM_BITS) ? 1 : 0) + #define FULLNESS_BITS 2 #define CLASS_BITS 8 #define ISOLATED_BITS 3 
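Review bot: the threshold in OBJ_OVERFLOW does not match the quantity being shifted. The macro shifts the PFN left by OBJ_INDEX_BITS + OBJ_TAG_BITS, which by the OBJ_INDEX_BITS definition in the context line equals BITS_PER_LONG - _PFN_BITS, and then compares against 1 << MAX_POSSIBLE_PHYSMEM_BITS; but obj is an unsigned long, so the encoding actually overflows when that shifted value reaches 1 << BITS_PER_LONG. The two bounds agree only when MAX_POSSIBLE_PHYSMEM_BITS == BITS_PER_LONG (the default case the commit message describes), so the check is correct there but not in general. The direct form is `#define OBJ_OVERFLOW(_pfn) (((_pfn) >> _PFN_BITS) != 0)`, which also parenthesises the macro argument and drops the redundant `? 1 : 0`. As written, on a 64-bit build where MAX_POSSIBLE_PHYSMEM_BITS falls back to BITS_PER_LONG (64), `_AC(1, ULL) << MAX_POSSIBLE_PHYSMEM_BITS` shifts by the full width of the type, which is undefined. The new comment says "re-define MAX_PHYSMEM_BITS" while the macro consults MAX_POSSIBLE_PHYSMEM_BITS; name the one that is actually tested.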
@@ -871,9 +880,14 @@ static void obj_to_location(unsigned long obj, struct page **page, */ static unsigned long location_to_obj(struct page *page, unsigned int obj_idx) { - unsigned long obj; + unsigned long obj, pfn; + + pfn = page_to_pfn(page); + + if (unlikely(OBJ_OVERFLOW(pfn))) + BUG(); - obj = page_to_pfn(page) << OBJ_INDEX_BITS; + obj = pfn << OBJ_INDEX_BITS; obj |= obj_idx & OBJ_INDEX_MASK; obj <<= OBJ_TAG_BITS.
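Review bot: BUG() in location_to_obj() turns a build-configuration mistake into a kernel panic on the path that encodes every object, each time a page above the encodable range reaches zsmalloc. The condition depends only on the compile-time field widths and the page's PFN, so it can be rejected once, where zsmalloc obtains pages for a zspage, with WARN_ON_ONCE() and an error return, rather than re-checked on every encode. If the in-line check stays, write it as `BUG_ON(OBJ_OVERFLOW(pfn));` instead of `if (unlikely(OBJ_OVERFLOW(pfn)))` followed by `BUG();`, and drop the blank line between `pfn = page_to_pfn(page);` and the check so the computation and its validation read as one step.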
From patchwork Thu Oct 25 01:27:45 2018
X-Patchwork-Submitter: Rafael David Tinoco
X-Patchwork-Id: 149509

From: Rafael David Tinoco
To: linux-kernel@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, Rafael David Tinoco, Russell King, Mark Brown, Sergey Senozhatsky, Nitin Gupta, Minchan Kim
Subject: [PATCH 2/2] mm/zsmalloc.c: fix zsmalloc ARM LPAE support
Date: Wed, 24 Oct 2018 22:27:45 -0300
Message-Id: <20181025012745.20884-2-rafael.tinoco@linaro.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20181025012745.20884-1-rafael.tinoco@linaro.org>
References: <20181025012745.20884-1-rafael.tinoco@linaro.org>

Since commit 02390b87a945 ("mm/zsmalloc: Prepare to variable
MAX_PHYSMEM_BITS"), an architecture has to define this value in order to
guarantee that zsmalloc will be able to encode and decode the obj value
properly. Similar to that change, this one sets the value for ARM LPAE,
fixing a possible null-ptr-deref in zs_map_object() when using ARM LPAE
and HIGHMEM pages located above the 4GB watermark.

Link: https://bugs.linaro.org/show_bug.cgi?id=3765#c17
Signed-off-by: Rafael David Tinoco
---
 arch/arm/include/asm/pgtable-3level-types.h | 2 ++
 1 file changed, 2 insertions(+)

-- 
2.19.1

diff --git a/arch/arm/include/asm/pgtable-3level-types.h b/arch/arm/include/asm/pgtable-3level-types.h
index 921aa30259c4..bd4994f98700 100644
--- a/arch/arm/include/asm/pgtable-3level-types.h
+++ b/arch/arm/include/asm/pgtable-3level-types.h
@@ -67,4 +67,6 @@ typedef pteval_t pgprot_t; #endif /* STRICT_MM_TYPECHECKS */ +#define MAX_POSSIBLE_PHYSMEM_BITS 36 + #endif /* _ASM_PGTABLE_3LEVEL_TYPES_H */
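Review bot: the literal 36 needs a comment saying where it comes from. ARMv7 LPAE page tables carry up to 40 bits of physical address, so a platform with RAM above the 36-bit boundary (64GB) would hit exactly the overflow this series is fixing, and nothing at this site records that 36 is a deliberate trade-off: by the OBJ_INDEX_BITS definition in PATCH 1/2, every extra PFN bit is taken from the object index, so 40 would leave only 3 index bits on a 32-bit kernel. Put that reasoning in a comment next to the define, and consider a boot-time check of the platform's highest PFN against _PFN_BITS so a machine that exceeds the assumption fails loudly at init rather than in zs_map_object().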
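The encoding both commit messages describe (a PFN packed above an object index and a tag bit into one unsigned long, and the reason a PFN above 4GB no longer fits once MAX_POSSIBLE_PHYSMEM_BITS defaults to 32), worked through as an added example in C. This is not code from mm/zsmalloc.c or from either patch; it models the zsmalloc macros on a 32-bit, 4K-page kernel using a 32-bit stand-in type, assumes OBJ_TAG_BITS is 1, and carries both the overflow test in the form `pfn >> _PFN_BITS` and the form PATCH 1/2 writes, so the two can be compared for MAX_POSSIBLE_PHYSMEM_BITS of 32 (the default) and 36 (the value PATCH 2/2 sets for ARM LPAE).

```c
/*
 * Model of the zsmalloc obj encoding on a 32-bit kernel
 * (BITS_PER_LONG == 32, PAGE_SHIFT == 12). Constructed illustration,
 * not code from mm/zsmalloc.c or from the patches.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG 32
#define PAGE_SHIFT    12
#define OBJ_TAG_BITS  1         /* one tag bit in obj; assumed to match zsmalloc */

typedef uint32_t kulong;        /* stands in for the kernel's 32-bit unsigned long */

/* Field widths derived the way zsmalloc derives them from MAX_POSSIBLE_PHYSMEM_BITS. */
struct enc {
	unsigned pfn_bits;      /* _PFN_BITS      = MAX_POSSIBLE_PHYSMEM_BITS - PAGE_SHIFT */
	unsigned idx_bits;      /* OBJ_INDEX_BITS = BITS_PER_LONG - _PFN_BITS - OBJ_TAG_BITS */
};

static struct enc enc_for(unsigned max_possible_physmem_bits)
{
	struct enc e;

	e.pfn_bits = max_possible_physmem_bits - PAGE_SHIFT;
	e.idx_bits = BITS_PER_LONG - e.pfn_bits - OBJ_TAG_BITS;
	return e;
}

/* location_to_obj(): same steps as the kernel; the 32-bit type truncates like unsigned long. */
static kulong location_to_obj(struct enc e, uint64_t pfn, unsigned obj_idx)
{
	kulong obj;

	obj = (kulong)pfn << e.idx_bits;
	obj |= obj_idx & ((1u << e.idx_bits) - 1);
	obj <<= OBJ_TAG_BITS;
	return obj;
}

/* obj_to_location(): the inverse, as zs_map_object() performs it before touching the page. */
static void obj_to_location(struct enc e, kulong obj, uint64_t *pfn, unsigned *obj_idx)
{
	obj >>= OBJ_TAG_BITS;
	*pfn = obj >> e.idx_bits;
	*obj_idx = obj & ((1u << e.idx_bits) - 1);
}

/* PFN that comes back out of an encode/decode round trip. */
static uint64_t decoded_pfn(unsigned max_possible_physmem_bits, uint64_t pfn, unsigned obj_idx)
{
	struct enc e = enc_for(max_possible_physmem_bits);
	uint64_t pfn2;
	unsigned idx2;

	obj_to_location(e, location_to_obj(e, pfn, obj_idx), &pfn2, &idx2);
	return pfn2;
}

/* Direct form of the overflow condition: the PFN must fit in _PFN_BITS. */
static bool pfn_overflows(struct enc e, uint64_t pfn)
{
	return (pfn >> e.pfn_bits) != 0;
}

/* The condition as PATCH 1/2 writes it: compared against 1 << MAX_POSSIBLE_PHYSMEM_BITS. */
static bool patch_obj_overflow(unsigned max_possible_physmem_bits, uint64_t pfn)
{
	struct enc e = enc_for(max_possible_physmem_bits);

	return (pfn << (e.idx_bits + OBJ_TAG_BITS)) >= (1ULL << max_possible_physmem_bits);
}

int main(void)
{
	const uint64_t first_pfn_above_4g = 1ULL << (32 - PAGE_SHIFT);  /* 0x100000 */
	const unsigned m[] = { 32, 36 };

	for (unsigned i = 0; i < 2; i++) {
		struct enc e = enc_for(m[i]);

		printf("MAX_POSSIBLE_PHYSMEM_BITS=%u: _PFN_BITS=%u OBJ_INDEX_BITS=%u\n",
		       m[i], e.pfn_bits, e.idx_bits);
		printf("  pfn 0x%llx idx 5 decodes to pfn 0x%llx (pfn>>_PFN_BITS: %d, patch macro: %d)\n",
		       (unsigned long long)first_pfn_above_4g,
		       (unsigned long long)decoded_pfn(m[i], first_pfn_above_4g, 5),
		       pfn_overflows(e, first_pfn_above_4g),
		       patch_obj_overflow(m[i], first_pfn_above_4g));
	}
	return 0;
}
```

With 32, the first page above 4GB (PFN 0x100000) encodes to an obj whose decoded PFN is 0, so zs_map_object() ends up working on a page that is not the one the object lives in; with 36, the same PFN round-trips, at the cost of the index field shrinking from 11 to 7 bits. The two overflow tests agree at 32; at 36 they diverge for PFNs of 2^24 and up, which a 36-bit physical address space cannot produce, so the difference in the patch's macro is latent rather than a live failure there.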