From: Jann Horn
Date: Fri, 25 Sep 2020 16:13:55 -0700
Subject: [PATCH] nios2: Take mmap lock in cacheflush syscall
To: Ley Foon Tan
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org

We need to take the mmap lock around find_vma() and subsequent use of the VMA. Otherwise, we can race with concurrent operations like munmap(), which can lead to use-after-free accesses to freed VMAs.

Fixes: 1000197d8013 ("nios2: System calls handling")
Signed-off-by: Jann Horn
---
To the maintainers: I can't easily test this patch - I don't even have a nios2 compiler. If you have tested this patch, you may want to add a CC stable tag to this.

 arch/nios2/kernel/sys_nios2.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/arch/nios2/kernel/sys_nios2.c b/arch/nios2/kernel/sys_nios2.c
index cd390ec4f88b..2c8f8bd850c9 100644
--- a/arch/nios2/kernel/sys_nios2.c
+++ b/arch/nios2/kernel/sys_nios2.c
@@ -22,6 +22,7 @@ asmlinkage int sys_cacheflush(unsigned long addr, unsigned long len, unsigned int op) { struct vm_area_struct *vma; + struct mm_struct *mm = current->mm; if (len == 0) return 0;
@@ -34,16 +35,21 @@ asmlinkage int sys_cacheflush(unsigned long addr, unsigned long len, if (addr + len < addr) return -EFAULT; + if (mmap_read_lock_killable(mm)) + return -EINTR; /* * Verify that the specified address region actually belongs * to this process. */ - vma = find_vma(current->mm, addr); - if (vma == NULL || addr < vma->vm_start || addr + len > vma->vm_end) + vma = find_vma(mm, addr); + if (vma == NULL || addr < vma->vm_start || addr + len > vma->vm_end) { + mmap_read_unlock(); return -EFAULT; + } flush_cache_range(vma, addr, addr + len); + mmap_read_unlock(); return 0; } base-commit: 6d28cf7dfede6cfca5119a0d415a6a447c68f3a0 -- 2.28.0.681.g6f77f65b4e-goog
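Review bot: in the second hunk, both `mmap_read_unlock();` calls are missing their argument; mmap_read_unlock() takes the `struct mm_struct *`, so this will not compile as posted and both calls should read `mmap_read_unlock(mm);`, matching the `mmap_read_lock_killable(mm)` that takes the lock at the top of the hunk. This is consistent with the cover note that the author could not build the patch, so whoever applies it should fix it up first. The lock balance is otherwise right once the argument is supplied: the `len == 0` and `addr + len < addr` checks still run before the lock is taken, so those early returns need no unlock, and the only two exits after mmap_read_lock_killable(), the -EFAULT path and the normal return, both unlock.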