From patchwork Tue Dec 10 21:30:46 2024
X-Patchwork-Submitter: Brian Geffon
X-Patchwork-Id: 13902094
Date: Tue, 10 Dec 2024 16:30:46 -0500
In-Reply-To: <20241210213050.2839638-1-bgeffon@google.com>
References: <20241210213050.2839638-1-bgeffon@google.com>
Message-ID: <20241210213050.2839638-2-bgeffon@google.com>
Subject: [RFC PATCH 1/5] mm: mremap: Fix new_addr being used as a hint with MREMAP_DONTUNMAP
From: Brian Geffon
To: Andrew Morton
Cc: Lorenzo Stoakes, Jann Horn, Vlastimil Babka, "Liam R. Howlett", linux-mm@kvack.org, Marco Vanotti, linux-kernel@vger.kernel.org, Brian Geffon

Two non-mutually exclusive paths can land in mremap_to, MREMAP_FIXED and
MREMAP_DONTUNMAP which are called from mremap(). In the case of MREMAP_FIXED
we must validate the new_addr to ensure that the new address is valid. In the
case of MREMAP_DONTUNMAP without MREMAP_FIXED a new address is specified as a
hint, just like it would be in the case of mmap. In this second case we don't
need to perform any checks because get_unmapped_area() will align new_addr,
just like it would in the case of mmap.

This patch only fixes the behavior that was inadvertently added with
MREMAP_DONTUNMAP.

v2:
 - Addressed comment from Marco Vanotti to consolidate these checks into
   existing MREMAP_FIXED blocks.

Signed-off-by: Brian Geffon
Reported-by: Marco Vanotti
Reviewed-By: Marco Vanotti
---
 mm/mremap.c | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/mm/mremap.c b/mm/mremap.c
index 60473413836b..62aec72bbe42 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -912,16 +912,6 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len, unsigned long ret; unsigned long map_flags = 0; - if (offset_in_page(new_addr)) - return -EINVAL; - - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len) - return -EINVAL; - - /* Ensure the old/new locations do not overlap */ - if (addr + old_len > new_addr && new_addr + new_len > addr) - return -EINVAL; - /* * move_vma() need us to stay 4 maps below the threshold, otherwise * it will bail out at the very beginning. @@ -940,6 +930,25 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len, return -ENOMEM; if (flags & MREMAP_FIXED) { + /* + * Two non-mutually exclusive paths can land in mremap_to, MREMAP_FIXED + * and MREMAP_DONTUNMAP which are called from mremap(). In the case of + * MREMAP_FIXED we must validate the new_addr to ensure that the new + * address is valid. In the case of MREMAP_DONTUNMAP without MREMAP_FIXED + * a new address is specified as a hint, just like it would be in the + * case of mmap. In this second case we don't need to perform any checks + * because get_unmapped_area() will align new_addr, just like it would in + * the case of mmap. + */ + if (offset_in_page(new_addr)) + return -EINVAL; + + if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len) + return -EINVAL; + + /* Ensure the old/new locations do not overlap */ + if (addr + old_len > new_addr && new_addr + new_len > addr) + return -EINVAL; /* * In mremap_to(). * VMA is moved to dst address, and munmap dst first.
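Review bot: for the first hunk (@@ -912,16 +912,6 @@), removing all three new_addr checks from the top of mremap_to() changes which error a caller sees when several conditions hold at once, and the commit message does not say whether that is intended: an MREMAP_FIXED call with an unaligned or out-of-range new_addr now first passes the map-count check introduced by the "move_vma() need us to stay 4 maps below the threshold" comment and the check that ends in `return -ENOMEM;`, so a caller that used to get -EINVAL can now get -ENOMEM. Either state in the commit message that the reordering is acceptable or keep the MREMAP_FIXED validation ahead of those checks. The message also justifies dropping the checks for the hint path by alignment alone ("get_unmapped_area() will align new_addr"), while the removed block also covered the TASK_SIZE bound and the old/new overlap; please spell out why those two are unnecessary when new_addr is only a hint (get_unmapped_area() without MAP_FIXED does not hand out an occupied range or one beyond the address-space limit).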
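Review bot: for the second hunk (@@ -940,6 +930,25 @@), the comment added inside `if (flags & MREMAP_FIXED) {` repeats the commit message word for word and spends most of its lines on the path that is not taken at this point; shorten it to what a reader of this branch needs, for example "With MREMAP_FIXED, new_addr is an exact destination: it must be page aligned, fit below TASK_SIZE and not overlap the source range. Without it, new_addr is only a hint for get_unmapped_area()." Also add a blank line between the last added `return -EINVAL;` and the existing `/* * In mremap_to(). ...` comment so the two blocks stay visually separate.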
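The commit message describes a userspace-visible difference: with MREMAP_FIXED, new_addr is an exact destination and must be page aligned, while with MREMAP_DONTUNMAP alone it is only a hint. The following probe is an added example, not part of this patch or of the kernel tree; it assumes Linux with glibc, and defines MREMAP_DONTUNMAP to its value from <linux/mman.h> if the libc headers lack it. It moves one private anonymous page with an aligned and then a deliberately unaligned hint, checks on success that the result is page aligned, that the marker byte travelled with the page and that the old range is still mapped but reads as zeros, and separately confirms that an unaligned new_addr with MREMAP_FIXED is rejected with EINVAL on every kernel. Whether the unaligned hint is accepted (patched behaviour) or rejected with EINVAL (the behaviour this patch changes) is reported rather than asserted, so the program doubles as a regression check for the fix.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Value from <linux/mman.h>; older libc headers do not define it. */
#ifndef MREMAP_DONTUNMAP
#define MREMAP_DONTUNMAP 4
#endif

enum outcome {
    MOVED_ALIGNED,    /* mremap() succeeded and returned a page-aligned mapping */
    REJECTED_EINVAL,  /* the kernel refused the call with EINVAL */
    PROBE_ERROR       /* setup failed or the kernel's result was inconsistent */
};

static int last_errno;  /* errno of the last failed mremap(), 0 on success */

/* Reserve and immediately release a range so we have a plausible free hint. */
static unsigned char *find_free_range(size_t len)
{
    void *p = mmap(NULL, len, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    munmap(p, len);
    return p;
}

/*
 * Move one private anonymous page with MREMAP_MAYMOVE | MREMAP_DONTUNMAP and a
 * new_addr that sits 'misalign' bytes past a page boundary.  MREMAP_FIXED is
 * not set, so new_addr is only a hint.  On success, verify that the moved
 * page kept its marker, that the result is page aligned, and that the old
 * range is still mapped but reads as zeros (DONTUNMAP keeps the old VMA
 * without its pages).
 */
static enum outcome probe_dontunmap_hint(size_t misalign)
{
    const size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *old, *hint, *moved;
    void *res;
    enum outcome out;

    last_errno = 0;
    old = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (old == MAP_FAILED)
        return PROBE_ERROR;
    old[0] = 0xA5;                     /* marker that must travel with the page */

    hint = find_free_range(2 * pg);    /* two pages: room for the hint to round up */
    if (!hint) {
        munmap(old, pg);
        return PROBE_ERROR;
    }

    res = mremap(old, pg, pg, MREMAP_MAYMOVE | MREMAP_DONTUNMAP, hint + misalign);
    if (res == MAP_FAILED) {
        last_errno = errno;
        munmap(old, pg);
        return last_errno == EINVAL ? REJECTED_EINVAL : PROBE_ERROR;
    }

    moved = res;
    out = MOVED_ALIGNED;
    if ((uintptr_t)moved % pg != 0 || moved[0] != 0xA5 || old[0] != 0)
        out = PROBE_ERROR;

    munmap(moved, pg);
    munmap(old, pg);
    return out;
}

/*
 * With MREMAP_FIXED, new_addr is an exact destination; an unaligned one is
 * rejected with EINVAL both before and after the patch.  Returns the errno.
 */
static int probe_fixed_unaligned(void)
{
    const size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *old, *hint;
    void *res;
    int err = 0;

    old = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (old == MAP_FAILED)
        return -1;
    hint = find_free_range(2 * pg);
    if (!hint) {
        munmap(old, pg);
        return -1;
    }

    res = mremap(old, pg, pg, MREMAP_MAYMOVE | MREMAP_FIXED, hint + 1);
    if (res == MAP_FAILED) {
        err = errno;
        munmap(old, pg);
    } else {
        munmap(res, pg);               /* not expected; old was already unmapped */
    }
    return err;
}

int main(void)
{
    enum outcome unaligned;

    printf("DONTUNMAP, aligned hint   : outcome %d, errno %d\n",
           probe_dontunmap_hint(0), last_errno);
    unaligned = probe_dontunmap_hint(1);
    printf("DONTUNMAP, unaligned hint : %s\n",
           unaligned == MOVED_ALIGNED   ? "accepted, result page aligned (patched)" :
           unaligned == REJECTED_EINVAL ? "EINVAL (behaviour this patch changes)" :
                                          "probe error");
    printf("FIXED, unaligned new_addr : errno %d (EINVAL is %d)\n",
           probe_fixed_unaligned(), EINVAL);
    return 0;
}
```

Build with `gcc -Wall -o mremap_probe mremap_probe.c` and run it on the kernel under test: a kernel carrying this patch reports the unaligned hint as accepted with a page-aligned result, an unpatched one reports EINVAL, and the MREMAP_FIXED line must print EINVAL in both cases. On a kernel without MREMAP_DONTUNMAP support, both DONTUNMAP probes report EINVAL.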