Message-ID: <96fe1826-aeaf-4ea0-9f01-03d6b3933b34@huawei.com>
Date: Fri, 24 Dec 2021 15:06:25 +0800
Subject: Re: [PATCH] Revert "mm/usercopy: Drop extra is_vmalloc_or_module() check"
To: Christophe Leroy, Kees Cook, Laura Abbott, Mark Rutland, "linux-mm@kvack.org", "Andrew Morton", "linux-kernel@vger.kernel.org", Michael Ellerman, Benjamin Herrenschmidt, Paul Mackerras, "linuxppc-dev@lists.ozlabs.org"
References: <20211223102126.161848-1-wangkefeng.wang@huawei.com>
From: Kefeng Wang

On 2021/12/24 14:01, Christophe Leroy wrote:
>
> On 23/12/2021 at 11:21, Kefeng Wang wrote:
>> This reverts commit 517e1fbeb65f5eade8d14f46ac365db6c75aea9b.
>>
>> usercopy: Kernel memory exposure attempt detected from SLUB object not in SLUB page?! (offset 0, size 1048)!
>> kernel BUG at mm/usercopy.c:99
>> ...
>> usercopy_abort+0x64/0xa0 (unreliable)
>> __check_heap_object+0x168/0x190
>> __check_object_size+0x1a0/0x200
>> dev_ethtool+0x2494/0x2b20
>> dev_ioctl+0x5d0/0x770
>> sock_do_ioctl+0xf0/0x1d0
>> sock_ioctl+0x3ec/0x5a0
>> __se_sys_ioctl+0xf0/0x160
>> system_call_exception+0xfc/0x1f0
>> system_call_common+0xf8/0x200
>>
>> When running ethtool eth0, the BUG occurred; the code is shown below,
>>
>> data = vzalloc(array_size(gstrings.len, ETH_GSTRING_LEN));
>> copy_to_user(useraddr, data, gstrings.len * ETH_GSTRING_LEN))
>>
>> The data is allocated by vmalloc(); virt_addr_valid(ptr) will return true
>> on PowerPC64, which leads to the panic. Add back the is_vmalloc_or_module()
>> check to fix it.
> Is it expected that virt_addr_valid() returns true on PPC64 for
> vmalloc'ed memory? If that's the case it also means that
> CONFIG_DEBUG_VIRTUAL won't work as expected either.

Our product reported this bug to me; after letting them do some tests, I
found that virt_addr_valid returns true for vmalloc'ed memory on their board.

I think DEBUG_VIRTUAL would not work well either, but I can't test it.

>
> If it is unexpected, I think you should fix PPC64 instead of adding this
> hack back. Maybe the ARM64 fix can be used as a starting point, see
> commit 68dd8ef32162 ("arm64: memory: Fix virt_addr_valid() using
> __is_lm_address()")

Yes, I checked the history; fixing virt_addr_valid() on PowerPC is what I
first wanted to do, but I am not familiar with PPC, and HARDENED_USERCOPY
on other ARCHs could have this issue too, so I added the workaround back.

1) PPC maintainer/expert, any suggestion?

2) Maybe we could add some check to WARN about this scenario.

--- a/mm/usercopy.c
+++ b/mm/usercopy.c
@@ -229,6 +229,8 @@ static inline void check_heap_object(const void *ptr, unsigned long n,
        if (!virt_addr_valid(ptr))
                return;
+       WARN_ON_ONCE(is_vmalloc_or_module_addr(ptr));

> In the meantime, can you provide more information on your config,
> especially which memory model is used?

Some useful configs,

CONFIG_PPC64=y
CONFIG_PPC_BOOK3E_64=y
CONFIG_E5500_CPU=y
CONFIG_TARGET_CPU_BOOL=y
CONFIG_PPC_BOOK3E=y
CONFIG_E500=y
CONFIG_PPC_E500MC=y
CONFIG_PPC_FPU=y
CONFIG_FSL_EMB_PERFMON=y
CONFIG_FSL_EMB_PERF_EVENT=y
CONFIG_FSL_EMB_PERF_EVENT_E500=y
CONFIG_BOOKE=y
CONFIG_PPC_FSL_BOOK3E=y
CONFIG_PTE_64BIT=y
CONFIG_PHYS_64BIT=y
CONFIG_PPC_MMU_NOHASH=y
CONFIG_PPC_BOOK3E_MMU=y
CONFIG_SELECT_MEMORY_MODEL=y
CONFIG_FLATMEM_MANUAL=y
CONFIG_FLATMEM=y
CONFIG_FLAT_NODE_MEM_MAP=y
CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y

>
> Christophe
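
Review bot: in the mm/usercopy.c hunk above, the WARN_ON_ONCE() placed after the `!virt_addr_valid(ptr)` early return only reports the condition; nothing returns afterwards, so a vmalloc'ed buffer that virt_addr_valid() accepts would presumably still continue into the rest of check_heap_object() and reach the usercopy_abort() path shown in the quoted trace. If the check is meant to keep the board running while the architecture is fixed, return when it fires, e.g. `if (WARN_ON_ONCE(is_vmalloc_or_module_addr(ptr))) return;`, and add a comment stating that virt_addr_valid() is expected to reject vmalloc and module addresses, so a hit here points at the architecture's virt_addr_valid() rather than at the caller.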