From patchwork Fri Sep 25 22:57:48 2020
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 11800949
From: Jann Horn
Date: Fri, 25 Sep 2020 15:57:48 -0700
Subject: [PATCH] nds32: Take mmap lock in cacheflush syscall
To: Nick Hu , Greentime Hu , Vincent Chen
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org

We need to take the mmap lock around find_vma() and subsequent use of
the VMA. Otherwise, we can race with concurrent operations like
munmap(), which can lead to use-after-free accesses to freed VMAs.

Fixes: 1932fbe36e02 ("nds32: System calls handling")
Signed-off-by: Jann Horn
---
To the maintainers: I can't easily test this patch - I don't even have
an nds32 compiler. If you have tested this patch, you may want to add a
CC stable tag to this.

 arch/nds32/kernel/sys_nds32.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

wbd = false;
@@ -44,11 +50,15 @@ SYSCALL_DEFINE3(cacheflush, unsigned int, start, unsigned int, end, int, cache) case BCACHE: break; default: - return -EINVAL; + ret = -EINVAL; + goto out; } cpu_cache_wbinval_range_check(vma, start, end, flushi, wbd); + ret = 0; - return 0; +out: + mmap_read_unlock(mm); + return ret; } SYSCALL_DEFINE2(fp_udfiex_crtl, unsigned int, cmd, unsigned int, act) base-commit: 6d28cf7dfede6cfca5119a0d415a6a447c68f3a0 diff --git a/arch/nds32/kernel/sys_nds32.c b/arch/nds32/kernel/sys_nds32.c index cb2d1e219bb3..836deecea83d 100644 --- a/arch/nds32/kernel/sys_nds32.c +++ b/arch/nds32/kernel/sys_nds32.c @@ -28,12 +28,18 @@ SYSCALL_DEFINE4(fadvise64_64_wrapper,int, fd, int, advice, loff_t, offset, SYSCALL_DEFINE3(cacheflush, unsigned int, start, unsigned int, end, int, cache) { + struct mm_struct *mm = current->mm; struct vm_area_struct *vma; bool flushi = true, wbd = true; + int ret; - vma = find_vma(current->mm, start); - if (!vma) - return -EFAULT; + if (mmap_read_lock_killable(mm)) + return -EINTR; + vma = find_vma(mm, start); + if (!vma) { + ret = -EFAULT; + goto out; + } switch (cache) { case ICACHE:
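Review bot: In the `@@ -28,12 +28,18 @@` hunk, the `if (!vma)` check after `vma = find_vma(mm, start);` only establishes that some VMA ends above `start`; find_vma() returns the first VMA whose vm_end is greater than `start`, so `start` itself may lie in a hole below `vma->vm_start`, and `end` is never compared against the VMA at all. Now that the read lock keeps the VMA bounds stable, this is the natural place to add an explicit range check (for example `if (start < vma->vm_start) { ret = -EFAULT; goto out; }` and a corresponding check on `end`) before handing `vma`, `start` and `end` to cpu_cache_wbinval_range_check().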
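Review bot: In the `@@ -44,11 +50,15 @@` hunk, the `switch (cache)` that produces `ret = -EINVAL; goto out;` depends only on the `cache` argument, not on the VMA, so the invalid-argument path now takes and releases the mmap read lock for nothing. Moving the switch (and the `flushi`/`wbd` selection it performs) ahead of `mmap_read_lock_killable(mm)` would keep `-EINVAL` a plain early return, leave only the `-EFAULT` path and the success path to go through `out:`, and make the `ret = 0;` immediately before the label unnecessary.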