From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id E0F52C77B75 for ; Mon, 15 May 2023 13:10:18 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 658CA900004; Mon, 15 May 2023 09:10:18 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 608DA900002; Mon, 15 May 2023 09:10:18 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 4F879900004; Mon, 15 May 2023 09:10:18 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id 3AAA8900002 for ; Mon, 15 May 2023 09:10:18 -0400 (EDT) Received: from smtpin30.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id F3168C1312 for ; Mon, 15 May 2023 13:10:17 +0000 (UTC) X-FDA: 80792522874.30.DE04286 Received: from azure-sdnproxy.icoremail.net (azure-sdnproxy.icoremail.net [52.229.168.213]) by imf30.hostedemail.com (Postfix) with ESMTP id 6413780005 for ; Mon, 15 May 2023 13:10:14 +0000 (UTC) Authentication-Results: imf30.hostedemail.com; dkim=pass header.d=pku.edu.cn header.s=dkim header.b=PVR2JpuB; spf=pass (imf30.hostedemail.com: domain of lrh2000@pku.edu.cn designates 52.229.168.213 as permitted sender) smtp.mailfrom=lrh2000@pku.edu.cn; dmarc=pass (policy=none) header.from=pku.edu.cn ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1684156216; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=/FgfHoZt8CIbKJeIzVtG6eMW7phMC0X6WNZhYU6z8NA=; b=wXM54BGHy0IjPSY2uzQyjSONjSHwninSd3mXWx9TmmBx68A6v9H0qLQpzJBJIFpIbazIVw LMJYNv1tEEXqWO42xAB3Ab4iFBqgGjfDS8UorMb6S1ZbbcJS1UWkE1ooHXpa/4Oo2yJCWG 4aS9FDkOmaHoKb8QqXXgvJp4OZWdJbg= ARC-Authentication-Results: i=1; imf30.hostedemail.com; dkim=pass header.d=pku.edu.cn header.s=dkim header.b=PVR2JpuB; spf=pass (imf30.hostedemail.com: domain of lrh2000@pku.edu.cn designates 52.229.168.213 as permitted sender) smtp.mailfrom=lrh2000@pku.edu.cn; dmarc=pass (policy=none) header.from=pku.edu.cn ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1684156216; a=rsa-sha256; cv=none; b=e63cjH1UaGlfeb41LiO2w6h0ikJFQMwYsHhDOI1dTRuwWcqeR90Dx9VzBF+RAn+PVy9EuZ 2gNMGY74g4dNUqudxE020vJBLE7BDnvQkCCzt3K2wKoZeT0vX42kOgQ7eRb00EavkPynuy LKaS2CdBbD8atN2pEi8Nyz31oACOXyQ= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pku.edu.cn; s=dkim; h=Received:From:To:Cc:Subject:Date: Message-Id:In-Reply-To:References:MIME-Version: Content-Transfer-Encoding; bh=/FgfHoZt8CIbKJeIzVtG6eMW7phMC0X6WN ZhYU6z8NA=; b=PVR2JpuBpFykLKuVCgCH22JOoFEc9akgZ4VtiJL+zH0wkNoS7Z BOnFWHBWzU6kJoWm1JYRFWumdKZFtE4e5cwT9cLGc7CtOFL1mqdVtMRk3RvapPFh NIO2NsECPkFJ8R0iesR/q0q9iMjXiuzCbNY7VCJt/MzZh+2rAwwILyy2o= Received: from localhost.localdomain (unknown [10.7.98.243]) by front02 (Coremail) with SMTP id 54FpogAnLDgqL2JkVboyFA--.10053S3; Mon, 15 May 2023 21:10:07 +0800 (CST) From: Ruihan Li To: linux-mm@kvack.org, linux-usb@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Pasha Tatashin , David Hildenbrand , Matthew Wilcox , Andrew Morton , Christoph Hellwig , Alan Stern , Greg Kroah-Hartman , Ruihan Li , syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.comm, stable@vger.kernel.org Subject: [PATCH v2 1/4] usb: usbfs: Enforce page requirements for mmap Date: Mon, 15 May 2023 21:09:55 +0800 Message-Id: <20230515130958.32471-2-lrh2000@pku.edu.cn> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230515130958.32471-1-lrh2000@pku.edu.cn> References: <20230515130958.32471-1-lrh2000@pku.edu.cn> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-CM-TRANSID:54FpogAnLDgqL2JkVboyFA--.10053S3 X-Coremail-Antispam: 1UD129KBjvJXoWxXryrGr4kuFyktw4DGw48WFg_yoW7Gr1UpF sxWr4YkrW5tr1xXrn3KFs8ua45Zws5uFyUKrWxu3s3uF13J3sakFn5AFW5ZF1fXr4qgr4r tFn0krWYk3WUG37anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUBI1xkIjI8I6I8E6xAIw20EY4v20xvaj40_Wr0E3s1l1IIY67AE w4v_Jr0_Jr4l8cAvFVAK0II2c7xJM28CjxkF64kEwVA0rcxSw2x7M28EF7xvwVC0I7IYx2 IY67AKxVWDJVCq3wA2z4x0Y4vE2Ix0cI8IcVCY1x0267AKxVW8Jr0_Cr1UM28EF7xvwVC2 z280aVAFwI0_GcCE3s1l84ACjcxK6I8E87Iv6xkF7I0E14v26rxl6s0DM2vYz4IE04k24V AvwVAKI4IrM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVACY4xI64kE6c02F40Ex7xf McIj6xIIjxv20xvE14v26r1j6r18McIj6I8E87Iv67AKxVWUJVW8JwAm72CE4IkC6x0Yz7 v_Jr0_Gr1lF7xvr2IYc2Ij64vIr41lF7I21c0EjII2zVCS5cI20VAGYxC7M4IIrI8v6xkF 7I0E8cxan2IY04v7MxkIecxEwVCm-wCF04k20xvY0x0EwIxGrwCF04k20xvE74AGY7Cv6c x26w4UJr1UMxC20s026xCaFVCjc4AY6r1j6r4UMI8I3I0E5I8CrVAFwI0_Jr0_Jr4lx2Iq xVCjr7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF67AKxVWUtVW8ZwCIc40Y0x0EwIxGrwCI42 IY6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2Ix0cI8IcVCY1x0267AKxVW8JVWxJwCI42IY 6xAIw20EY4v20xvaj40_Jr0_JF4lIxAIcVC2z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aV CY1x0267AKxVW8JVW8JrUvcSsGvfC2KfnxnUUI43ZEXa7VUbHa0DUUUUU== X-CM-SenderInfo: yssqiiarrvmko6sn3hxhgxhubq/1tbiAgEMBVPy77495gAAsh X-Stat-Signature: 68wuyjzhfhd9smmbuudy5xa9osrqb3pe X-Rspamd-Server: rspam05 X-Rspamd-Queue-Id: 6413780005 X-Rspam-User: X-HE-Tag: 1684156214-657432 X-HE-Meta: U2FsdGVkX19KmguKU30R66vbnmcJU1ZOrYYlNosUgYpQQHiRMZhrVajErKAr0CpaqzviUQ84+6l4oxUC32TBw98XThU21xPnJM+9WWl+i+ujgGPrHblBVALpjyohw3UBGPj5fyXLFJo2xywSDOHHmvpDoYAEpEtvJxWQyeTjzDkmdvY1BTFUaKL+VmdJ/O16LdevR1j89YE94h1wuvB9hkDUNi1Q6vCdghp/BSdEXkAFIQFqWPY+jR8a9b9oipAQOZ3c4XyEIoLwQOXEbGSOvrvZ6FlvqOyzBIvJfITeh9+Xcyl+k2YtUCrOnR0S1IoWGq0Iw4Niyom/Y4kUe5MokomvMJDqZ4l28qWXjX48UcejnkBr7Y3qAZVIBu6pPF0msay+iARkr93KMo0fkDyopxiXY9hwSAcisCjIoutJzwwdgQc7O7j2ImcnLfpnPG2sNqtNW3GKbOBmamdOdcq1DQFrORpmruoijY2LyS4n1gtspEhuVlp2LBHmqZF85wa7oszU2PEQAzHu3IV7R5xO6SX03zdW7aXyQXt4Ql5IC1gsENoWLXqPPFgIJJAxwvwJpbvN6TDw/3lu4aa7HGx7XM6KGjbkTIWF05o9peqi+/nugGrsOxldS2NxsOMKrJETXvzCP3Lv0RtIQO5+EdlVZh7s8SrH07xG7m1I0NHJ6jarDm2qPuOtaEH/bXLHCQ7v24hJsjQ/O9zRDl0kRYIZuXb8AYMsocpBsYh7di/M3iMnurh8dGe8y9yyLltQORnNCXxKgSoMbkvw/bbPPU3WV+vQkBwCK3HdCfq1g6Ocuj6B1tVOvMMR8a5+2tAYC94OYrHnO0x6/Ez/+w2pAj3bxn3Av4HaU2sjxHJENTsMNd9Jrt9CVk/reP+GiXRMAFACb6egjmGu/RdKlctxf3xA+F8r2Z9wCHQjSM/Np1C4wDZAIPyPvbfYoft8HcvUAf4yTIWbffaSQMQ1iwkQPYv 31Bt1AfZ a+I38HP+oIr6V2xxskJlVzzLYGZ0luQDG3hQlT/E5zd7ZJSIim/98LZyrBSPsyDyPq8OsJevjgtBN3AncAYtTygqZ1ctuInS6EnvhaABm9BBtYKujJVPaK+ZV6o+EtpY8JfXFbNuarsXIEvRFcBI//lIbxT6CDWeNGhU6pVp9LjWjFQtaFL9X4SXx5hfb9rJ2edpU6i4ZbwZpEym9elgAvmU9F+mPtQ0IodwTFvgR7B9KeqAOEMT+hy0nYTANH4Ye6rjFQuwpUV8Obl0PWa0GrkxsBivOE13XHM3Wdbc+vUeuDD+O4CnxqxShPL2VQH60w+4oMjOXmngkH/ZN0ysSXWZn2tY5l1e1l0xraRhh15QHyKUHjsST+MooRlmJQ7VAki5qYozOUP1XYWRYZb5pfflLzw== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: The current implementation of usbdev_mmap uses usb_alloc_coherent to allocate memory pages that will later be mapped into the user space. Meanwhile, usb_alloc_coherent employs three different methods to allocate memory, as outlined below: * If hcd->localmem_pool is non-null, it uses gen_pool_dma_alloc to allocate memory; * If DMA is not available, it uses kmalloc to allocate memory; * Otherwise, it uses dma_alloc_coherent. However, it should be noted that gen_pool_dma_alloc does not guarantee that the resulting memory will be page-aligned. Furthermore, trying to map slab pages (i.e., memory allocated by kmalloc) into the user space is not resonable and can lead to problems, such as a type confusion bug when PAGE_TABLE_CHECK=y [1]. To address these issues, this patch introduces hcd_alloc_coherent_pages, which addresses the above two problems. Specifically, hcd_alloc_coherent_pages uses gen_pool_dma_alloc_align instead of gen_pool_dma_alloc to ensure that the memory is page-aligned. To replace kmalloc, hcd_alloc_coherent_pages directly allocates pages by calling __get_free_pages. Reported-by: syzbot+fcf1a817ceb50935ce99@syzkaller.appspotmail.comm Closes: https://lore.kernel.org/lkml/000000000000258e5e05fae79fc1@google.com/ [1] Fixes: f7d34b445abc ("USB: Add support for usbfs zerocopy.") Fixes: ff2437befd8f ("usb: host: Fix excessive alignment restriction for local memory allocations") Cc: stable@vger.kernel.org Signed-off-by: Ruihan Li --- drivers/usb/core/buffer.c | 41 +++++++++++++++++++++++++++++++++++++++ drivers/usb/core/devio.c | 9 +++++---- include/linux/usb/hcd.h | 5 +++++ 3 files changed, 51 insertions(+), 4 deletions(-) diff --git a/drivers/usb/core/buffer.c b/drivers/usb/core/buffer.c index fbb087b72..268ccbec8 100644 --- a/drivers/usb/core/buffer.c +++ b/drivers/usb/core/buffer.c @@ -172,3 +172,44 @@ void hcd_buffer_free( } dma_free_coherent(hcd->self.sysdev, size, addr, dma); } + +void *hcd_buffer_alloc_pages(struct usb_hcd *hcd, + size_t size, gfp_t mem_flags, dma_addr_t *dma) +{ + if (size == 0) + return NULL; + + if (hcd->localmem_pool) + return gen_pool_dma_alloc_align(hcd->localmem_pool, + size, dma, PAGE_SIZE); + + /* some USB hosts just use PIO */ + if (!hcd_uses_dma(hcd)) { + *dma = DMA_MAPPING_ERROR; + return (void *)__get_free_pages(mem_flags, + get_order(size)); + } + + return dma_alloc_coherent(hcd->self.sysdev, + size, dma, mem_flags); +} + +void hcd_buffer_free_pages(struct usb_hcd *hcd, + size_t size, void *addr, dma_addr_t dma) +{ + if (!addr) + return; + + if (hcd->localmem_pool) { + gen_pool_free(hcd->localmem_pool, + (unsigned long)addr, size); + return; + } + + if (!hcd_uses_dma(hcd)) { + free_pages((unsigned long)addr, get_order(size)); + return; + } + + dma_free_coherent(hcd->self.sysdev, size, addr, dma); +} diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index e501a03d6..3936ca7f7 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -186,6 +186,7 @@ static int connected(struct usb_dev_state *ps) static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count) { struct usb_dev_state *ps = usbm->ps; + struct usb_hcd *hcd = bus_to_hcd(ps->dev->bus); unsigned long flags; spin_lock_irqsave(&ps->lock, flags); @@ -194,8 +195,8 @@ static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count) list_del(&usbm->memlist); spin_unlock_irqrestore(&ps->lock, flags); - usb_free_coherent(ps->dev, usbm->size, usbm->mem, - usbm->dma_handle); + hcd_buffer_free_pages(hcd, usbm->size, + usbm->mem, usbm->dma_handle); usbfs_decrease_memory_usage( usbm->size + sizeof(struct usb_memory)); kfree(usbm); @@ -247,8 +248,8 @@ static int usbdev_mmap(struct file *file, struct vm_area_struct *vma) goto error_decrease_mem; } - mem = usb_alloc_coherent(ps->dev, size, GFP_USER | __GFP_NOWARN, - &dma_handle); + mem = hcd_buffer_alloc_pages(hcd, + size, GFP_USER | __GFP_NOWARN, &dma_handle); if (!mem) { ret = -ENOMEM; goto error_free_usbm; diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h index 094c77eaf..0c7eff91a 100644 --- a/include/linux/usb/hcd.h +++ b/include/linux/usb/hcd.h @@ -501,6 +501,11 @@ void *hcd_buffer_alloc(struct usb_bus *bus, size_t size, void hcd_buffer_free(struct usb_bus *bus, size_t size, void *addr, dma_addr_t dma); +void *hcd_buffer_alloc_pages(struct usb_hcd *hcd, + size_t size, gfp_t mem_flags, dma_addr_t *dma); +void hcd_buffer_free_pages(struct usb_hcd *hcd, + size_t size, void *addr, dma_addr_t dma); + /* generic bus glue, needed for host controllers that don't use PCI */ extern irqreturn_t usb_hcd_irq(int irq, void *__hcd); -- 2.40.1