Date: Thu, 16 Sep 2021 12:41:56 +0200
From: Peter Zijlstra
To: Andrew Morton, Christoph Hellwig, Will Deacon
Cc: andreyknvl@gmail.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Mel Gorman, keescook@chromium.org
Subject: [PATCH] mm/vmalloc: Don't allow VM_NO_GUARD on vmap()

The vmalloc guard pages are added on top of each allocation, thereby isolating any two allocations from one another. The top guard of the lower allocation is the bottom guard of the higher allocation etc.

Therefore VM_NO_GUARD is dangerous; it breaks the basic premise of isolating separate allocations.

There are only two in-tree users of this flag, neither of which use it through the exported interface. Ensure it stays this way.

Signed-off-by: Peter Zijlstra (Intel)
Reviewed-by: Christoph Hellwig
Reviewed-by: David Hildenbrand
Acked-by: Will Deacon
Acked-by: Kees Cook
---
 include/linux/vmalloc.h | 2 +-
 mm/vmalloc.c | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h index 671d402c3778..10e9571ff0b2 100644 --- a/include/linux/vmalloc.h +++ b/include/linux/vmalloc.h
@@ -22,7 +22,7 @@ struct notifier_block; /* in notifier.h */ #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */ #define VM_DMA_COHERENT 0x00000010 /* dma_alloc_coherent */ #define VM_UNINITIALIZED 0x00000020 /* vm_struct is not fully initialized */ -#define VM_NO_GUARD 0x00000040 /* don't add guard page */ +#define VM_NO_GUARD 0x00000040 /* ***DANGEROUS*** don't add guard page */ #define VM_KASAN 0x00000080 /* has allocated kasan shadow memory */ #define VM_FLUSH_RESET_PERMS 0x00000100 /* reset direct map and flush TLB on unmap, can't be freed in atomic context */ #define VM_MAP_PUT_PAGES 0x00000200 /* put pages and free array in vfree */ diff --git a/mm/vmalloc.c b/mm/vmalloc.c index d77830ff604c..01927ebea267 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -2743,6 +2743,13 @@ void *vmap(struct page **pages, unsigned int count, might_sleep(); + /* + * Your top guard is someone else's bottom guard. Not having a top + * guard compromises someone else's mappings too. + */ + if (WARN_ON_ONCE(flags & VM_NO_GUARD)) + flags &= ~VM_NO_GUARD; + if (count > totalram_pages()) return NULL;
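Review bot: In the include/linux/vmalloc.h hunk, the new comment `/* ***DANGEROUS*** don't add guard page */` marks the flag as risky but gives neither the reason nor the rule, so someone reading only the header cannot tell that the exported vmap() no longer honours it. Suggest putting the constraint in the comment itself, for example that omitting the guard page exposes the neighbouring mapping and that the flag is not accepted through vmap(), so the restriction is documented at the point where the flag is defined.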
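Review bot: In the mm/vmalloc.c hunk, `if (WARN_ON_ONCE(flags & VM_NO_GUARD))` reports only the first offending call; every later vmap() caller that passes VM_NO_GUARD has the flag cleared with no log entry at all, so a second misbehaving module would go unnoticed after the first warning. If the intent is to catch each new user of the flag, consider a warning that is not limited to one occurrence per boot, or state in the comment that silent stripping after the first report is deliberate. The hunk also leaves the vmap() kernel-doc untouched; the description of the flags argument should say that VM_NO_GUARD is ignored here.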