From patchwork Fri Aug 23 22:17:52 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Campbell X-Patchwork-Id: 11112405 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 297241395 for ; Fri, 23 Aug 2019 22:18:15 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id EA0382133F for ; Fri, 23 Aug 2019 22:18:14 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=nvidia.com header.i=@nvidia.com header.b="Hen0jCZn" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org EA0382133F Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=nvidia.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 2821D6B04BA; Fri, 23 Aug 2019 18:18:14 -0400 (EDT) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 20AB46B04BB; Fri, 23 Aug 2019 18:18:14 -0400 (EDT) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 0D27A6B04BC; Fri, 23 Aug 2019 18:18:14 -0400 (EDT) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0182.hostedemail.com [216.40.44.182]) by kanga.kvack.org (Postfix) with ESMTP id DB2416B04BA for ; Fri, 23 Aug 2019 18:18:13 -0400 (EDT) Received: from smtpin17.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with SMTP id 7B081180AD7C1 for ; Fri, 23 Aug 2019 22:18:13 +0000 (UTC) X-FDA: 75855106866.17.rake07_64d0af2c0240c X-Spam-Summary: 1,0,0,,d41d8cd98f00b204,rcampbell@nvidia.com,::linux-kernel@vger.kernel.org:amd-gfx@lists.freedesktop.org:dri-devel@lists.freedesktop.org:nouveau@lists.freedesktop.org:jglisse@redhat.com:jgg@mellanox.com:akpm@linux-foundation.org:hch@lst.de:rcampbell@nvidia.com,RULES_HIT:30003:30054:30064:30070,0,RBL:216.228.121.143:@nvidia.com:.lbl8.mailshell.net-62.18.0.100 64.10.201.10,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:ft,MSBL:0,DNSBL:neutral,Custom_rules:0:0:0,LFtime:24,LUA_SUMMARY:none X-HE-Tag: rake07_64d0af2c0240c X-Filterd-Recvd-Size: 4568 Received: from hqemgate14.nvidia.com (hqemgate14.nvidia.com [216.228.121.143]) by imf17.hostedemail.com (Postfix) with ESMTP for ; Fri, 23 Aug 2019 22:18:12 +0000 (UTC) Received: from hqpgpgate101.nvidia.com (Not Verified[216.228.121.13]) by hqemgate14.nvidia.com (using TLS: TLSv1.2, DES-CBC3-SHA) id ; Fri, 23 Aug 2019 15:18:11 -0700 Received: from hqmail.nvidia.com ([172.20.161.6]) by hqpgpgate101.nvidia.com (PGP Universal service); Fri, 23 Aug 2019 15:18:11 -0700 X-PGP-Universal: processed; by hqpgpgate101.nvidia.com on Fri, 23 Aug 2019 15:18:11 -0700 Received: from HQMAIL110.nvidia.com (172.18.146.15) by HQMAIL105.nvidia.com (172.20.187.12) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 23 Aug 2019 22:18:10 +0000 Received: from HQMAIL105.nvidia.com (172.20.187.12) by hqmail110.nvidia.com (172.18.146.15) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 23 Aug 2019 22:18:08 +0000 Received: from hqnvemgw01.nvidia.com (172.20.150.20) by HQMAIL105.nvidia.com (172.20.187.12) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Fri, 23 Aug 2019 22:18:08 +0000 Received: from rcampbell-dev.nvidia.com (Not Verified[10.110.48.66]) by hqnvemgw01.nvidia.com with Trustwave SEG (v7,5,8,10121) id ; Fri, 23 Aug 2019 15:18:08 -0700 From: Ralph Campbell To: CC: , , , , =?utf-8?b?SsOpcsO0bWUgR2xpc3Nl?= , Jason Gunthorpe , Andrew Morton , "Christoph Hellwig" , Ralph Campbell Subject: [PATCH 1/2] mm/hmm: hmm_range_fault() NULL pointer bug Date: Fri, 23 Aug 2019 15:17:52 -0700 Message-ID: <20190823221753.2514-2-rcampbell@nvidia.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190823221753.2514-1-rcampbell@nvidia.com> References: <20190823221753.2514-1-rcampbell@nvidia.com> MIME-Version: 1.0 X-NVConfidentiality: public DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nvidia.com; s=n1; t=1566598691; bh=KyPc8c5coEeaWyED4oOxl50+aKdesFPM9yZHDro83x0=; h=X-PGP-Universal:From:To:CC:Subject:Date:Message-ID:X-Mailer: In-Reply-To:References:MIME-Version:X-NVConfidentiality: Content-Transfer-Encoding:Content-Type; b=Hen0jCZnlwep5U1y8LSyUogocyncUlU8ncNOkdizYSGrpz0PWiTpWbpyXqvih6gF+ 3qM1vKPirI+eZhD9UBcD2rfGfX74o53wuqQ2rhVZQESI2bl/mdp0CgojyL1mtxb5Ob ir8YSrHdcr998BKtxBB/eEKh7i1GORjBa8cuXwOmDZ/V0k9Iyw4bAWSCMlLHs4ccfk Wt5oaufB+AfvTNVTT0Pq9TclkBcHR/CNerxUzXKz8H04CUc/qNXXq93VqSEU5uK80W pCzPYHqan8YLxW66Ob9wjgncemYyfZJiszrN4yrr0WCyhls1D6yjDovJ7pYDNxAIfA +LLT4nPogr8Bg== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Although hmm_range_fault() calls find_vma() to make sure that a vma exists before calling walk_page_range(), hmm_vma_walk_hole() can still be called with walk->vma == NULL if the start and end address are not contained within the vma range. hmm_range_fault() /* calls find_vma() but no range check */ walk_page_range() /* calls find_vma(), sets walk->vma = NULL */ __walk_page_range() walk_pgd_range() walk_p4d_range() walk_pud_range() hmm_vma_walk_hole() hmm_vma_walk_hole_() hmm_vma_do_fault() handle_mm_fault(vma=0) Signed-off-by: Ralph Campbell Reviewed-by: Christoph Hellwig --- mm/hmm.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/mm/hmm.c b/mm/hmm.c index fc05c8fe78b4..29371485fe94 100644 --- a/mm/hmm.c +++ b/mm/hmm.c @@ -229,6 +229,9 @@ static int hmm_vma_do_fault(struct mm_walk *walk, unsigned long addr, struct vm_area_struct *vma = walk->vma; vm_fault_t ret; + if (!vma) + goto err; + if (hmm_vma_walk->flags & HMM_FAULT_ALLOW_RETRY) flags |= FAULT_FLAG_ALLOW_RETRY; if (write_fault) @@ -239,12 +242,14 @@ static int hmm_vma_do_fault(struct mm_walk *walk, unsigned long addr, /* Note, handle_mm_fault did up_read(&mm->mmap_sem)) */ return -EAGAIN; } - if (ret & VM_FAULT_ERROR) { - *pfn = range->values[HMM_PFN_ERROR]; - return -EFAULT; - } + if (ret & VM_FAULT_ERROR) + goto err; return -EBUSY; + +err: + *pfn = range->values[HMM_PFN_ERROR]; + return -EFAULT; } static int hmm_pfns_bad(unsigned long addr, From patchwork Fri Aug 23 22:17:53 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralph Campbell X-Patchwork-Id: 11112407 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8B3BB1399 for ; Fri, 23 Aug 2019 22:18:17 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 57C9420850 for ; Fri, 23 Aug 2019 22:18:17 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=nvidia.com header.i=@nvidia.com header.b="Py/+nEgU" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 57C9420850 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=nvidia.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 1252C6B04BB; Fri, 23 Aug 2019 18:18:15 -0400 (EDT) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 0AE2E6B04BC; Fri, 23 Aug 2019 18:18:15 -0400 (EDT) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id E8EBC6B04BD; Fri, 23 Aug 2019 18:18:14 -0400 (EDT) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0078.hostedemail.com [216.40.44.78]) by kanga.kvack.org (Postfix) with ESMTP id C259D6B04BB for ; Fri, 23 Aug 2019 18:18:14 -0400 (EDT) Received: from smtpin30.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay03.hostedemail.com (Postfix) with SMTP id 692B68243760 for ; Fri, 23 Aug 2019 22:18:14 +0000 (UTC) X-FDA: 75855106908.30.rifle72_64d16e05c5e3e X-Spam-Summary: 1,0,0,,d41d8cd98f00b204,rcampbell@nvidia.com,::linux-kernel@vger.kernel.org:amd-gfx@lists.freedesktop.org:dri-devel@lists.freedesktop.org:nouveau@lists.freedesktop.org:jglisse@redhat.com:jgg@mellanox.com:akpm@linux-foundation.org:hch@lst.de:rcampbell@nvidia.com,RULES_HIT:30054:30064:30070,0,RBL:216.228.121.143:@nvidia.com:.lbl8.mailshell.net-62.18.0.100 64.10.201.10,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:ft,MSBL:0,DNSBL:neutral,Custom_rules:0:0:0,LFtime:25,LUA_SUMMARY:none X-HE-Tag: rifle72_64d16e05c5e3e X-Filterd-Recvd-Size: 4344 Received: from hqemgate14.nvidia.com (hqemgate14.nvidia.com [216.228.121.143]) by imf38.hostedemail.com (Postfix) with ESMTP for ; Fri, 23 Aug 2019 22:18:12 +0000 (UTC) Received: from hqpgpgate102.nvidia.com (Not Verified[216.228.121.13]) by hqemgate14.nvidia.com (using TLS: TLSv1.2, DES-CBC3-SHA) id ; Fri, 23 Aug 2019 15:18:11 -0700 Received: from hqmail.nvidia.com ([172.20.161.6]) by hqpgpgate102.nvidia.com (PGP Universal service); Fri, 23 Aug 2019 15:18:11 -0700 X-PGP-Universal: processed; by hqpgpgate102.nvidia.com on Fri, 23 Aug 2019 15:18:11 -0700 Received: from HQMAIL110.nvidia.com (172.18.146.15) by HQMAIL105.nvidia.com (172.20.187.12) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 23 Aug 2019 22:18:11 +0000 Received: from HQMAIL101.nvidia.com (172.20.187.10) by hqmail110.nvidia.com (172.18.146.15) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 23 Aug 2019 22:18:09 +0000 Received: from hqnvemgw01.nvidia.com (172.20.150.20) by HQMAIL101.nvidia.com (172.20.187.10) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Fri, 23 Aug 2019 22:18:09 +0000 Received: from rcampbell-dev.nvidia.com (Not Verified[10.110.48.66]) by hqnvemgw01.nvidia.com with Trustwave SEG (v7,5,8,10121) id ; Fri, 23 Aug 2019 15:18:09 -0700 From: Ralph Campbell To: CC: , , , , =?utf-8?b?SsOpcsO0bWUgR2xpc3Nl?= , Jason Gunthorpe , Andrew Morton , "Christoph Hellwig" , Ralph Campbell Subject: [PATCH 2/2] mm/hmm: hmm_range_fault() infinite loop Date: Fri, 23 Aug 2019 15:17:53 -0700 Message-ID: <20190823221753.2514-3-rcampbell@nvidia.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190823221753.2514-1-rcampbell@nvidia.com> References: <20190823221753.2514-1-rcampbell@nvidia.com> MIME-Version: 1.0 X-NVConfidentiality: public DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nvidia.com; s=n1; t=1566598691; bh=H0xCNFTKe9KT+REMj7c8+VZLGl6bVqw61h/FiyncJWs=; h=X-PGP-Universal:From:To:CC:Subject:Date:Message-ID:X-Mailer: In-Reply-To:References:MIME-Version:X-NVConfidentiality: Content-Transfer-Encoding:Content-Type; b=Py/+nEgUIjhIZbSu7cNxlYuXfEoZik6c6x3VzsIs38x5i57ELvn5JRlErcGl1DLSm OPm61FMKufS0D/REIhl99DbtgwiyufGaCiuLtD8EtwBjFC2UWBQZpe9L/R3XF+LaCc pQYGZc/IOqyS2G+1GlYqg8wySXYGft4IwgvkW/lneMjxIKzhvyBTvhGlLWRH96F7be Fjkol1850wsIJiuiZ2VkFIBG8mjuuMqEH9je3XnpBUdEIlN96xf1lgzs2F34kKu7gW AU8/C52wqkZa4aBqUpmIEWGA90tAL+iwPA08Ennyfoh6kGscOu2VY2sukBo6VVT5Uz 8g47hs3zUIkNw== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Normally, callers to handle_mm_fault() are supposed to check the vma->vm_flags first. hmm_range_fault() checks for VM_READ but doesn't check for VM_WRITE if the caller requests a page to be faulted in with write permission (via the hmm_range.pfns[] value). If the vma is write protected, this can result in an infinite loop: hmm_range_fault() walk_page_range() ... hmm_vma_walk_hole() hmm_vma_walk_hole_() hmm_vma_do_fault() handle_mm_fault(FAULT_FLAG_WRITE) /* returns VM_FAULT_WRITE */ /* returns -EBUSY */ /* returns -EBUSY */ /* returns -EBUSY */ /* loops on -EBUSY and range->valid */ Prevent this by checking for vma->vm_flags & VM_WRITE before calling handle_mm_fault(). Signed-off-by: Ralph Campbell Reviewed-by: Christoph Hellwig Reviewed-by: Jason Gunthorpe --- mm/hmm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mm/hmm.c b/mm/hmm.c index 29371485fe94..4882b83aeccb 100644 --- a/mm/hmm.c +++ b/mm/hmm.c @@ -292,6 +292,9 @@ static int hmm_vma_walk_hole_(unsigned long addr, unsigned long end, hmm_vma_walk->last = addr; i = (addr - range->start) >> PAGE_SHIFT; + if (write_fault && walk->vma && !(walk->vma->vm_flags & VM_WRITE)) + return -EPERM; + for (; addr < end; addr += PAGE_SIZE, i++) { pfns[i] = range->values[HMM_PFN_NONE]; if (fault || write_fault) {