X-Patchwork-Submitter: "Zhang, Yi"
X-Patchwork-Id: 10563865
From: Zhang Yi
To: linux-kernel@vger.kernel.org, linux-nvdimm@lists.01.org, dan.j.williams@intel.com, jack@suse.cz, zwisler@kernel.org, dave.jiang@intel.com, yu.c.zhang@intel.com
Cc: yi.z.zhang@intel.com
Subject: [PATCH V2 1/1] device-dax: check for vma range while dax_mmap.
Date: Mon, 13 Aug 2018 20:02:56 +0800
Message-Id: <46441800c43f029757c70d8386e3112701081503.1534160958.git.yi.z.zhang@linux.intel.com>

This patch prevents a user mapping an illegal vma range that is larger than a dax device physical resource.

When qemu maps the dax device for virtual nvdimm's backend device, the v-nvdimm label area is defined at the end of mapped range. By using an illegal size that exceeds the range of the device dax, it will trigger a fault with qemu.

Signed-off-by: Zhang Yi
Reviewed-by: Vishal Verma
--- drivers/dax/device.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/drivers/dax/device.c b/drivers/dax/device.c index 108c37f..6fe8c30 100644 --- a/drivers/dax/device.c +++ b/drivers/dax/device.c 
@@ -177,6 +177,33 @@ static const struct attribute_group *dax_attribute_groups[] = { NULL, }; +static int check_vma_range(struct dev_dax *dev_dax, struct vm_area_struct *vma, + const char *func) +{ + struct device *dev = &dev_dax->dev; + struct resource *res; + unsigned long size; + int ret, i; + + if (!dax_alive(dev_dax->dax_dev)) + return -ENXIO; + + size = vma->vm_end - vma->vm_start + (vma->vm_pgoff << PAGE_SHIFT); + ret = -EINVAL; + for (i = 0; i < dev_dax->num_resources; i++) { + res = &dev_dax->res[i]; + if (size > resource_size(res)) { + dev_info_ratelimited(dev, + "%s: %s: fail, vma range overflow\n", + current->comm, func); + ret = -EINVAL; + continue; + } else + return 0; + } + return ret; +} + static int check_vma(struct dev_dax *dev_dax, struct vm_area_struct *vma, const char *func) { @@ -469,6 +496,8 @@ static int dax_mmap(struct file *filp, struct vm_area_struct *vma) */ id = dax_read_lock(); rc = check_vma(dev_dax, vma, __func__); + if (!rc) + rc = check_vma_range(dev_dax, vma, __func__); dax_read_unlock(id); if (rc) return rc;
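Review bot: in check_vma_range() (first hunk), the loop tests the requested extent against each resource on its own (`if (size > resource_size(res))`) and returns 0 as soon as any single resource is large enough, so on a device with more than one resource the outcome depends on the largest individual resource rather than on the device's total range, and a ratelimited "vma range overflow" message is logged for every smaller resource even when a later one passes. Consider summing resource_size() over dev_dax->res[] and making one comparison after the loop, logging only on the final failure. The expression `size = vma->vm_end - vma->vm_start + (vma->vm_pgoff << PAGE_SHIFT)` is evaluated in unsigned long and can wrap if vm_pgoff is large enough, which would let an out-of-range offset compare as small; checking the shift and the addition for overflow, or doing the comparison in pages, closes that gap. Minor: the `ret = -EINVAL` inside the loop repeats the assignment made just before it, and the `else` after `continue` is unnecessary.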
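Review bot: in dax_mmap() (second hunk), check_vma_range() is called immediately after check_vma() with the same three arguments, and it is the only call site the patch adds, so the `func` parameter only ever carries this one function's name and the helper's own dax_alive() test runs inside the same dax_read_lock() section as the check before it. Consider folding the range test into check_vma(), or dropping the `func` parameter and the separate liveness test from the new helper, so the `if (!rc)` chaining here is not needed. The V2 posting also carries no note of what changed since V1; a short changelog below the `---` line would help reviewers.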