[PATCH 4.14 140/157] mm: fix devmem_is_allowed() for sub-page System RAM intersections

From: Greg Kroah-Hartman
Date: Sun Jul 01 2018 - 13:39:00 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.14 144/157] Input: elan_i2c_smbus - fix more potential stack buffer overflows"
Previous message: Greg Kroah-Hartman: "[PATCH 4.14 147/157] ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl"
In reply to: Greg Kroah-Hartman: "[PATCH 4.14 147/157] ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.14 144/157] Input: elan_i2c_smbus - fix more potential stack buffer overflows"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Dan Williams <dan.j.williams@xxxxxxxxx>

commit 2bdce74412c249ac01dfe36b6b0043ffd7a5361e upstream.

Hussam reports:

I was poking around and for no real reason, I did cat /dev/mem and
strings /dev/mem. Then I saw the following warning in dmesg. I saved it
and rebooted immediately.

memremap attempted on mixed range 0x000000000009c000 size: 0x1000
------------[ cut here ]------------
WARNING: CPU: 0 PID: 11810 at kernel/memremap.c:98 memremap+0x104/0x170
[..]
Call Trace:
xlate_dev_mem_ptr+0x25/0x40
read_mem+0x89/0x1a0
__vfs_read+0x36/0x170

The memremap() implementation checks for attempts to remap System RAM
with MEMREMAP_WB and instead redirects those mapping attempts to the
linear map. However, that only works if the physical address range
being remapped is page aligned. In low memory we have situations like
the following:

00000000-00000fff : Reserved
00001000-0009fbff : System RAM
0009fc00-0009ffff : Reserved

...where System RAM intersects Reserved ranges on a sub-page page
granularity.

Given that devmem_is_allowed() special cases any attempt to map System
RAM in the first 1MB of memory, replace page_is_ram() with the more
precise region_intersects() to trap attempts to map disallowed ranges.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=199999
Link: http://lkml.kernel.org/r/152856436164.18127.2847888121707136898.stgit@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 92281dee825f ("arch: introduce memremap()")
Signed-off-by: Dan Williams <dan.j.williams@xxxxxxxxx>
Reported-by: Hussam Al-Tayeb <me@xxxxxxxxxxxxx>
Tested-by: Hussam Al-Tayeb <me@xxxxxxxxxxxxx>
Cc: Christoph Hellwig <hch@xxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
arch/x86/mm/init.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
@@ -706,7 +706,9 @@ void __init init_mem_mapping(void)
*/
int devmem_is_allowed(unsigned long pagenr)
{
- if (page_is_ram(pagenr)) {
+ if (region_intersects(PFN_PHYS(pagenr), PAGE_SIZE,
+ IORESOURCE_SYSTEM_RAM, IORES_DESC_NONE)
+ != REGION_DISJOINT) {
/*
* For disallowed memory regions in the low 1MB range,
* request that the page be shown as all zeros.

Next message: Greg Kroah-Hartman: "[PATCH 4.14 144/157] Input: elan_i2c_smbus - fix more potential stack buffer overflows"
Previous message: Greg Kroah-Hartman: "[PATCH 4.14 147/157] ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl"
In reply to: Greg Kroah-Hartman: "[PATCH 4.14 147/157] ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.14 144/157] Input: elan_i2c_smbus - fix more potential stack buffer overflows"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]