From patchwork Fri Sep 25 23:13:55 2020
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 11800955
From: Jann Horn
X-Mailer: git-send-email 2.28.0.681.g6f77f65b4e-goog
Date: Fri, 25 Sep 2020 16:13:55 -0700
Subject: [PATCH] nios2: Take mmap lock in cacheflush syscall
To: Ley Foon Tan
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org

We need to take the mmap lock around find_vma() and subsequent use of
the VMA. Otherwise, we can race with concurrent operations like munmap(),
which can lead to use-after-free accesses to freed VMAs.

Fixes: 1000197d8013 ("nios2: System calls handling")
Signed-off-by: Jann Horn
---
To the maintainers: I can't easily test this patch - I don't even have a
nios2 compiler. If you have tested this patch, you may want to add a
CC stable tag to this.

 arch/nios2/kernel/sys_nios2.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

return 0;
@@ -34,16 +35,21 @@ asmlinkage int sys_cacheflush(unsigned long addr, unsigned long len, if (addr + len < addr) return -EFAULT; + if (mmap_read_lock_killable(mm)) + return -EINTR; /* * Verify that the specified address region actually belongs * to this process. */ - vma = find_vma(current->mm, addr); - if (vma == NULL || addr < vma->vm_start || addr + len > vma->vm_end) + vma = find_vma(mm, addr); + if (vma == NULL || addr < vma->vm_start || addr + len > vma->vm_end) { + mmap_read_unlock(); return -EFAULT; + } flush_cache_range(vma, addr, addr + len); + mmap_read_unlock(); return 0; } base-commit: 6d28cf7dfede6cfca5119a0d415a6a447c68f3a0 diff --git a/arch/nios2/kernel/sys_nios2.c b/arch/nios2/kernel/sys_nios2.c index cd390ec4f88b..2c8f8bd850c9 100644 --- a/arch/nios2/kernel/sys_nios2.c +++ b/arch/nios2/kernel/sys_nios2.c @@ -22,6 +22,7 @@ asmlinkage int sys_cacheflush(unsigned long addr, unsigned long len, unsigned int op) { struct vm_area_struct *vma; + struct mm_struct *mm = current->mm; if (len == 0)
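Review bot: both new `mmap_read_unlock();` calls in the `@@ -34,16 +35,21 @@` hunk are missing their argument, so this hunk will not compile as posted: the lock is taken with `mmap_read_lock_killable(mm)`, and the matching release is `mmap_read_unlock(mm);`, needed both on the `-EFAULT` path inside the new `if (vma == NULL || ...) {` block and after `flush_cache_range(vma, addr, addr + len);`. The locking itself is placed correctly (after the `len == 0` and `addr + len < addr` checks, so the early returns do not leak the lock, and the error path unlocks before returning), which is exactly what closes the find_vma()/munmap() race the commit message describes. Given the cover note that the patch is untested, a build with a nios2 cross-compiler should precede adding the Cc: stable tag.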