From patchwork Sat Mar 2 06:43:12 2024
X-Patchwork-Submitter: Kefeng Wang
X-Patchwork-Id: 13579434
From: Kefeng Wang
To: Andrew Morton ,
CC: , Lorenzo Stoakes , Kefeng Wang , Yue Sun
Subject: [PATCH] mm: memory: fix shift-out-of-bounds in fault_around_bytes_set
Date: Sat, 2 Mar 2024 14:43:12 +0800
Message-ID: <20240302064312.2358924-1-wangkefeng.wang@huawei.com>

The rounddown_pow_of_two(0) is undefined, so val = 0 is not allowed in the
fault_around_bytes_set(), and leads to shift-out-of-bounds,

  UBSAN: shift-out-of-bounds in include/linux/log2.h:67:13
  shift exponent 4294967295 is too large for 64-bit type 'long unsigned int'
  CPU: 7 PID: 107 Comm: sh Not tainted 6.8.0-rc6-next-20240301 #294
  Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
  Call trace:
   dump_backtrace+0x94/0xec
   show_stack+0x18/0x24
   dump_stack_lvl+0x78/0x90
   dump_stack+0x18/0x24
   ubsan_epilogue+0x10/0x44
   __ubsan_handle_shift_out_of_bounds+0x98/0x134
   fault_around_bytes_set+0xa4/0xb0
   simple_attr_write_xsigned.isra.0+0xe4/0x1ac
   simple_attr_write+0x18/0x24
   debugfs_attr_write+0x4c/0x98
   vfs_write+0xd0/0x4b0
   ksys_write+0x6c/0xfc
   __arm64_sys_write+0x1c/0x28
   invoke_syscall+0x44/0x104
   el0_svc_common.constprop.0+0x40/0xe0
   do_el0_svc+0x1c/0x28
   el0_svc+0x34/0xdc
   el0t_64_sync_handler+0xc0/0xc4
   el0t_64_sync+0x190/0x194
  ---[ end trace ]---

Fix it by setting the minimum val to PAGE_SIZE.

Reported-by: Yue Sun Closes: https://lore.kernel.org/all/CAEkJfYPim6DQqW1GqCiHLdh2-eweqk1fGyXqs3JM+8e1qGge8w@mail.gmail.com/ Fixes: 53d36a56d8c4 ("mm: prefer fault_around_pages to fault_around_bytes") Signed-off-by: Kefeng Wang Reviewed-by: Lorenzo Stoakes --- mm/memory.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mm/memory.c b/mm/memory.c index abd4f33d62c9..e17669d4f72f 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -4776,7 +4776,8 @@ static int fault_around_bytes_set(void *data, u64 val) * The minimum value is 1 page, however this results in no fault-around * at all. See should_fault_around(). */ - fault_around_pages = max(rounddown_pow_of_two(val) >> PAGE_SHIFT, 1UL); + val = max(val, PAGE_SIZE); + fault_around_pages = rounddown_pow_of_two(val) >> PAGE_SHIFT; return 0; }
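
Review bot: the comment kept above the new "val = max(val, PAGE_SIZE);" line still only says the minimum is 1 page and does not say why the clamp now runs before rounddown_pow_of_two(). A sentence there noting that rounddown_pow_of_two(0) is undefined, so val has to be raised to PAGE_SIZE first, would keep a later cleanup from folding the two lines back into the old "max(rounddown_pow_of_two(val) >> PAGE_SHIFT, 1UL)" form. Separately, val is u64 while the UBSAN report shows the shift being done on 'long unsigned int'; where unsigned long is 32 bits, a val whose low 32 bits are all zero would pass the new clamp and could still reach the helper as 0, so if nothing earlier in the function bounds val from above, that case needs a check as well.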
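
The arithmetic behind the UBSAN report, as an added user-space example that is not part of the patch or of the kernel source. It assumes rounddown_pow_of_two(n) behaves like 1UL << (fls(n) - 1) and 4 KiB pages; fls_model(), shift_exponent(), pages_before() and pages_after() are hypothetical names, and the model computes the exponent without ever executing the out-of-range shift.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12                    /* assumption: 4 KiB pages */
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)

/* Models fls_long(): 1-based index of the highest set bit, 0 when n == 0. */
static unsigned int fls_model(uint64_t n)
{
	unsigned int bits = 0;
	for (; n; n >>= 1)
		bits++;
	return bits;
}

/* Exponent used if rounddown_pow_of_two(n) is 1UL << (fls(n) - 1) (assumed). */
static unsigned int shift_exponent(uint64_t n)
{
	return fls_model(n) - 1;         /* unsigned wrap: 4294967295 for n == 0 */
}

/* Pre-patch expression. Returns -1 where the kernel would shift out of bounds. */
static int pages_before(uint64_t val, uint64_t *pages)
{
	unsigned int exp = shift_exponent(val);
	if (exp >= 64)
		return -1;               /* this check exists only in the model */
	*pages = (1ULL << exp) >> PAGE_SHIFT;
	if (*pages < 1)
		*pages = 1;              /* max(..., 1UL) */
	return 0;
}

/* Patched expression: clamp first, so the exponent is at least PAGE_SHIFT. */
static uint64_t pages_after(uint64_t val)
{
	if (val < PAGE_SIZE)
		val = PAGE_SIZE;         /* val = max(val, PAGE_SIZE) */
	return (1ULL << shift_exponent(val)) >> PAGE_SHIFT;
}

int main(void)
{
	uint64_t b = 0;
	if (pages_before(0, &b))         /* constructed input: val = 0 */
		printf("before: val=0 shifts by %u\n", shift_exponent(0));
	printf("after:  val=0 -> %llu page(s)\n", (unsigned long long)pages_after(0));
	return 0;
}
```

For every non-zero val the two expressions agree; only val = 0 separates them.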