Date: Sun, 3 Mar 2024 13:38:54 +0000
From: Lorenzo Stoakes
To: Kefeng Wang
Cc: Andrew Morton, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Yue Sun
Subject: Re: [PATCH] mm: memory: fix shift-out-of-bounds in fault_around_bytes_set
In-Reply-To: <20240302064312.2358924-1-wangkefeng.wang@huawei.com>

On Sat, Mar 02, 2024 at 02:43:12PM +0800, Kefeng Wang wrote:
> The rounddown_pow_of_two(0) is undefined, so val = 0 is not allowed in
> the fault_around_bytes_set(), and leads to shift-out-of-bounds,
>
> UBSAN: shift-out-of-bounds in include/linux/log2.h:67:13
> shift exponent 4294967295 is too large for 64-bit type 'long unsigned int'
> CPU: 7 PID: 107 Comm: sh Not tainted 6.8.0-rc6-next-20240301 #294
> Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
> Call trace:
>  dump_backtrace+0x94/0xec
>  show_stack+0x18/0x24
>  dump_stack_lvl+0x78/0x90
>  dump_stack+0x18/0x24
>  ubsan_epilogue+0x10/0x44
>  __ubsan_handle_shift_out_of_bounds+0x98/0x134
>  fault_around_bytes_set+0xa4/0xb0
>  simple_attr_write_xsigned.isra.0+0xe4/0x1ac
>  simple_attr_write+0x18/0x24
>  debugfs_attr_write+0x4c/0x98
>  vfs_write+0xd0/0x4b0
>  ksys_write+0x6c/0xfc
>  __arm64_sys_write+0x1c/0x28
>  invoke_syscall+0x44/0x104
>  el0_svc_common.constprop.0+0x40/0xe0
>  do_el0_svc+0x1c/0x28
>  el0_svc+0x34/0xdc
>  el0t_64_sync_handler+0xc0/0xc4
>  el0t_64_sync+0x190/0x194
> ---[ end trace ]---
>
> Fix it by setting
the minimum val to PAGE_SIZE. > > Reported-by: Yue Sun > Closes: https://lore.kernel.org/all/CAEkJfYPim6DQqW1GqCiHLdh2-eweqk1fGyXqs3JM+8e1qGge8w@mail.gmail.com/ > Fixes: 53d36a56d8c4 ("mm: prefer fault_around_pages to fault_around_bytes") > Signed-off-by: Kefeng Wang > --- > mm/memory.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/mm/memory.c b/mm/memory.c > index abd4f33d62c9..e17669d4f72f 100644 > --- a/mm/memory.c > +++ b/mm/memory.c > @@ -4776,7 +4776,8 @@ static int fault_around_bytes_set(void *data, u64 val) > * The minimum value is 1 page, however this results in no fault-around > * at all. See should_fault_around(). > */ > - fault_around_pages = max(rounddown_pow_of_two(val) >> PAGE_SHIFT, 1UL); > + val = max(val, PAGE_SIZE); > + fault_around_pages = rounddown_pow_of_two(val) >> PAGE_SHIFT; > > return 0; > } > -- > 2.27.0 > Thanks, this was an oversight on my part, this fix looks good: Reviewed-by: Lorenzo Stoakes
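
Review bot: the comment kept above the new `val = max(val, PAGE_SIZE);` line still only says the minimum is one page and does not say why the clamp has to come before rounddown_pow_of_two(). A short sentence there noting that rounddown_pow_of_two(0) is undefined would keep a later cleanup from folding the two lines back into the old `max(rounddown_pow_of_two(val) >> PAGE_SHIFT, 1UL)` form. Separately, `val` is a u64 per the function signature, so it is worth confirming that max(val, PAGE_SIZE) compares like types on 32-bit builds, or writing it as max_t(u64, val, PAGE_SIZE). A write of 0 is now accepted and treated as one page rather than rejected, which the comment could also state.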
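
A user-space model of the arithmetic discussed in this thread, added here as an example and not taken from the kernel tree or from either poster. It assumes 4 KiB pages, a 64-bit `unsigned long`, and that the round-down helper computes `1UL << (fls_long(n) - 1)`; the names `fls_long_model`, `shift_exponent`, `pages_before` and `pages_after` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12                 /* assumption: 4 KiB pages */
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define UNDEFINED  (-1L)              /* marks a shift that C leaves undefined */

/* Model of fls_long(): 1-based index of the highest set bit, 0 when n == 0. */
static unsigned int fls_long_model(unsigned long n)
{
    unsigned int bits = 0;
    for (; n; n >>= 1)
        bits++;
    return bits;
}

/* Exponent used by the round-down: fls_long(n) - 1, which wraps for n == 0. */
static unsigned int shift_exponent(unsigned long n)
{
    return fls_long_model(n) - 1;
}

/* Old form: max(rounddown_pow_of_two(val) >> PAGE_SHIFT, 1UL). */
static long pages_before(uint64_t val)
{
    unsigned int exp = shift_exponent((unsigned long)val);
    if (exp >= 8 * sizeof(unsigned long))
        return UNDEFINED;             /* the case UBSAN reported */
    unsigned long pages = (1UL << exp) >> PAGE_SHIFT;
    return (long)(pages > 1UL ? pages : 1UL);
}

/* Patched form: clamp val to PAGE_SIZE first, then round down and shift. */
static long pages_after(uint64_t val)
{
    if (val < PAGE_SIZE)
        val = PAGE_SIZE;
    return (long)((1UL << shift_exponent((unsigned long)val)) >> PAGE_SHIFT);
}

int main(void)
{
    uint64_t samples[] = { 0, 100, 12288, 65536 };  /* constructed inputs */
    printf("exponent for val=0: %u\n", shift_exponent(0));
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("val=%llu before=%ld after=%ld\n",
               (unsigned long long)samples[i],
               pages_before(samples[i]), pages_after(samples[i]));
    return 0;
}
```

The wrapped exponent for `val = 0` is the same 4294967295 that appears in the UBSAN report quoted above; every non-zero input yields the same page count before and after the patch.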