[PATCH] mm/gup: Do not return 0 from pin_user_pages

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] mm/gup: Do not return 0 from pin_user_pages_fast() for bad args
@ 2023-06-19 18:27 Jason Gunthorpe
  2023-06-20  1:38 ` John Hubbard
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Jason Gunthorpe @ 2023-06-19 18:27 UTC (permalink / raw)
  To: Andrew Morton, John Hubbard, linux-mm, Lorenzo Stoakes
  Cc: syzbot+353c7be4964c6253f24a

These routines are not intended to return zero, the callers cannot do
anything sane with a 0 return. They should return an error which means
future calls to GUP will not succeed, or they should return some non-zero
number of pinned pages which means GUP should be called again.

If start + nr_pages overflows it should return -EOVERFLOW to signal the
arguments are invalid.

Syzkaller keeps tripping on this when fuzzing GUP arguments.

Reported-by: syzbot+353c7be4964c6253f24a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000094fdd05faa4d3a4@google.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
---
 mm/gup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/gup.c b/mm/gup.c
index bbe4162365933e..36c587fec574fd 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -2969,7 +2969,7 @@ static int internal_get_user_pages_fast(unsigned long start,
 	start = untagged_addr(start) & PAGE_MASK;
 	len = nr_pages << PAGE_SHIFT;
 	if (check_add_overflow(start, len, &end))
-		return 0;
+		return -EOVERFLOW;
 	if (end > TASK_SIZE_MAX)
 		return -EFAULT;
 	if (unlikely(!access_ok((void __user *)start, len)))

base-commit: b3eacbbcd0dab69ed4c44cbd2d2d72b016762b17
-- 
2.40.1



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] mm/gup: Do not return 0 from pin_user_pages_fast() for bad args
  2023-06-19 18:27 [PATCH] mm/gup: Do not return 0 from pin_user_pages_fast() for bad args Jason Gunthorpe
@ 2023-06-20  1:38 ` John Hubbard
  2023-06-20 21:20 ` Lorenzo Stoakes
  2023-06-21 11:24 ` David Hildenbrand
  2 siblings, 0 replies; 5+ messages in thread
From: John Hubbard @ 2023-06-20  1:38 UTC (permalink / raw)
  To: Jason Gunthorpe, Andrew Morton, linux-mm, Lorenzo Stoakes
  Cc: syzbot+353c7be4964c6253f24a

On 6/19/23 11:27, Jason Gunthorpe wrote:
> These routines are not intended to return zero, the callers cannot do
> anything sane with a 0 return. They should return an error which means
> future calls to GUP will not succeed, or they should return some non-zero
> number of pinned pages which means GUP should be called again.
> 
> If start + nr_pages overflows it should return -EOVERFLOW to signal the
> arguments are invalid.
> 
> Syzkaller keeps tripping on this when fuzzing GUP arguments.
> 
> Reported-by: syzbot+353c7be4964c6253f24a@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/000000000000094fdd05faa4d3a4@google.com
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> ---
>   mm/gup.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 

Reviewed-by: John Hubbard <jhubbard@nvidia.com>


thanks,
-- 
John Hubbard
NVIDIA


> diff --git a/mm/gup.c b/mm/gup.c
> index bbe4162365933e..36c587fec574fd 100644
> --- a/mm/gup.c
> +++ b/mm/gup.c
> @@ -2969,7 +2969,7 @@ static int internal_get_user_pages_fast(unsigned long start,
>   	start = untagged_addr(start) & PAGE_MASK;
>   	len = nr_pages << PAGE_SHIFT;
>   	if (check_add_overflow(start, len, &end))
> -		return 0;
> +		return -EOVERFLOW;
>   	if (end > TASK_SIZE_MAX)
>   		return -EFAULT;
>   	if (unlikely(!access_ok((void __user *)start, len)))
> 
> base-commit: b3eacbbcd0dab69ed4c44cbd2d2d72b016762b17




^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] mm/gup: Do not return 0 from pin_user_pages_fast() for bad args
  2023-06-19 18:27 [PATCH] mm/gup: Do not return 0 from pin_user_pages_fast() for bad args Jason Gunthorpe
  2023-06-20  1:38 ` John Hubbard
@ 2023-06-20 21:20 ` Lorenzo Stoakes
  2023-06-21 11:24 ` David Hildenbrand
  2 siblings, 0 replies; 5+ messages in thread
From: Lorenzo Stoakes @ 2023-06-20 21:20 UTC (permalink / raw)
  To: Jason Gunthorpe
  Cc: Andrew Morton, John Hubbard, linux-mm, syzbot+353c7be4964c6253f24a

On Mon, Jun 19, 2023 at 03:27:25PM -0300, Jason Gunthorpe wrote:
> These routines are not intended to return zero, the callers cannot do
> anything sane with a 0 return. They should return an error which means
> future calls to GUP will not succeed, or they should return some non-zero
> number of pinned pages which means GUP should be called again.
>
> If start + nr_pages overflows it should return -EOVERFLOW to signal the
> arguments are invalid.

It's crazy that it wasn't doing this before.

>
> Syzkaller keeps tripping on this when fuzzing GUP arguments.
>
> Reported-by: syzbot+353c7be4964c6253f24a@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/000000000000094fdd05faa4d3a4@google.com
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> ---
>  mm/gup.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/gup.c b/mm/gup.c
> index bbe4162365933e..36c587fec574fd 100644
> --- a/mm/gup.c
> +++ b/mm/gup.c
> @@ -2969,7 +2969,7 @@ static int internal_get_user_pages_fast(unsigned long start,
>  	start = untagged_addr(start) & PAGE_MASK;
>  	len = nr_pages << PAGE_SHIFT;
>  	if (check_add_overflow(start, len, &end))
> -		return 0;
> +		return -EOVERFLOW;
>  	if (end > TASK_SIZE_MAX)
>  		return -EFAULT;
>  	if (unlikely(!access_ok((void __user *)start, len)))
>
> base-commit: b3eacbbcd0dab69ed4c44cbd2d2d72b016762b17
> --
> 2.40.1
>
>

Reviewed-by: Lorenzo Stoakes <lstoakes@gmail.com>


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] mm/gup: Do not return 0 from pin_user_pages_fast() for bad args
  2023-06-19 18:27 [PATCH] mm/gup: Do not return 0 from pin_user_pages_fast() for bad args Jason Gunthorpe
  2023-06-20  1:38 ` John Hubbard
  2023-06-20 21:20 ` Lorenzo Stoakes
@ 2023-06-21 11:24 ` David Hildenbrand
  2023-06-21 11:38   ` Jason Gunthorpe
  2 siblings, 1 reply; 5+ messages in thread
From: David Hildenbrand @ 2023-06-21 11:24 UTC (permalink / raw)
  To: Jason Gunthorpe, Andrew Morton, John Hubbard, linux-mm, Lorenzo Stoakes
  Cc: syzbot+353c7be4964c6253f24a

On 19.06.23 20:27, Jason Gunthorpe wrote:
> These routines are not intended to return zero, the callers cannot do
> anything sane with a 0 return. They should return an error which means
> future calls to GUP will not succeed, or they should return some non-zero
> number of pinned pages which means GUP should be called again.
> 
> If start + nr_pages overflows it should return -EOVERFLOW to signal the
> arguments are invalid.
> 
> Syzkaller keeps tripping on this when fuzzing GUP arguments.
> 
> Reported-by: syzbot+353c7be4964c6253f24a@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/000000000000094fdd05faa4d3a4@google.com
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> ---
>   mm/gup.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/mm/gup.c b/mm/gup.c
> index bbe4162365933e..36c587fec574fd 100644
> --- a/mm/gup.c
> +++ b/mm/gup.c
> @@ -2969,7 +2969,7 @@ static int internal_get_user_pages_fast(unsigned long start,
>   	start = untagged_addr(start) & PAGE_MASK;
>   	len = nr_pages << PAGE_SHIFT;
>   	if (check_add_overflow(start, len, &end))
> -		return 0;
> +		return -EOVERFLOW;

I'm curious if there is any sane use case where that could actually 
trigger. Smells like something that should be a WARN_ON_ONCE(), but 
maybe some callers simply pass through what user-space gave them.

Anyhow.

Reviewed-by: David Hildenbrand <david@redhat.com>

-- 
Cheers,

David / dhildenb



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] mm/gup: Do not return 0 from pin_user_pages_fast() for bad args
  2023-06-21 11:24 ` David Hildenbrand
@ 2023-06-21 11:38   ` Jason Gunthorpe
  0 siblings, 0 replies; 5+ messages in thread
From: Jason Gunthorpe @ 2023-06-21 11:38 UTC (permalink / raw)
  To: David Hildenbrand
  Cc: Andrew Morton, John Hubbard, linux-mm, Lorenzo Stoakes,
	syzbot+353c7be4964c6253f24a

On Wed, Jun 21, 2023 at 01:24:14PM +0200, David Hildenbrand wrote:
> > diff --git a/mm/gup.c b/mm/gup.c
> > index bbe4162365933e..36c587fec574fd 100644
> > --- a/mm/gup.c
> > +++ b/mm/gup.c
> > @@ -2969,7 +2969,7 @@ static int internal_get_user_pages_fast(unsigned long start,
> >   	start = untagged_addr(start) & PAGE_MASK;
> >   	len = nr_pages << PAGE_SHIFT;
> >   	if (check_add_overflow(start, len, &end))
> > -		return 0;
> > +		return -EOVERFLOW;
> 
> I'm curious if there is any sane use case where that could actually trigger.
> Smells like something that should be a WARN_ON_ONCE(), but maybe some
> callers simply pass through what user-space gave them.

Yes, that is pretty common to just pass through.

Thanks,
Jason


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2023-06-21 11:38 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-06-19 18:27 [PATCH] mm/gup: Do not return 0 from pin_user_pages_fast() for bad args Jason Gunthorpe
2023-06-20  1:38 ` John Hubbard
2023-06-20 21:20 ` Lorenzo Stoakes
2023-06-21 11:24 ` David Hildenbrand
2023-06-21 11:38   ` Jason Gunthorpe

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox