From patchwork Mon Jun 19 18:27:25 2023
X-Patchwork-Submitter: Jason Gunthorpe
X-Patchwork-Id: 13284880
From: Jason Gunthorpe
To: Andrew Morton, John Hubbard, linux-mm@kvack.org, Lorenzo Stoakes
Cc: syzbot+353c7be4964c6253f24a@syzkaller.appspotmail.com
Subject: [PATCH] mm/gup: Do not return 0 from pin_user_pages_fast() for bad args
Date: Mon, 19 Jun 2023 15:27:25 -0300
Message-Id: <0-v1-3d5ed1f20d50+104-gup_overflow_jgg@nvidia.com>

These routines are not intended to return zero, the callers cannot do anything sane with a 0 return. They should return an error which means future calls to GUP will not succeed, or they should return some non-zero number of pinned pages which means GUP should be called again.

If start + nr_pages overflows it should return -EOVERFLOW to signal the arguments are invalid.

Syzkaller keeps tripping on this when fuzzing GUP arguments.

Reported-by: syzbot+353c7be4964c6253f24a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000094fdd05faa4d3a4@google.com
Signed-off-by: Jason Gunthorpe
Reviewed-by: John Hubbard
Reviewed-by: Lorenzo Stoakes
Reviewed-by: David Hildenbrand
---
 mm/gup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

base-commit: b3eacbbcd0dab69ed4c44cbd2d2d72b016762b17

diff --git a/mm/gup.c b/mm/gup.c index bbe4162365933e..36c587fec574fd 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2969,7 +2969,7 @@ static int internal_get_user_pages_fast(unsigned long start, start = untagged_addr(start) & PAGE_MASK; len = nr_pages << PAGE_SHIFT; if (check_add_overflow(start, len, &end)) - return 0; + return -EOVERFLOW; if (end > TASK_SIZE_MAX) return -EFAULT; if (unlikely(!access_ok((void __user *)start, len)))
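
Review bot: the subject line names pin_user_pages_fast(), but the changed return sits in internal_get_user_pages_fast(), so every entry point that goes through this helper now gets -EOVERFLOW where it used to get 0 at the `check_add_overflow(start, len, &end)` branch. The commit message should name the affected entry points, and their return-value documentation should list -EOVERFLOW next to the -EFAULT already returned by the `end > TASK_SIZE_MAX` check that follows, so that a caller that treated 0 as "nothing pinned, stop" is audited for the new negative value. Separately, the message describes the condition as "start + nr_pages overflows", while the check covers `start + len` with `len = nr_pages << PAGE_SHIFT` computed on the line above; the shift itself is not covered by check_add_overflow(), so it is worth stating where nr_pages is bounded before it reaches this point.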