Re: [RFC PATCH for 4.21 06/16] cpu_opv: Provide cpu_opv system call (v8)

From: Sergey Senozhatsky
Date: Tue Oct 16 2018 - 04:10:38 EST


Hi Mathieu,

On (10/10/18 15:19), Mathieu Desnoyers wrote:
[..]
> +SYSCALL_DEFINE4(cpu_opv, struct cpu_op __user *, ucpuopv, int, cpuopcnt,
> + int, cpu, int, flags)
> +{
[..]
> +again:
> + ret = cpu_opv_pin_pages(cpuopv, cpuopcnt, &vaddr_ptrs);
> + if (ret)
> + goto end;
> + ret = do_cpu_opv(cpuopv, cpuopcnt, &vaddr_ptrs, cpu);
> + if (ret == -EAGAIN)
> + retry = true;
> +end:
> + for (i = 0; i < vaddr_ptrs.nr_vaddr; i++) {
> + struct vaddr *vaddr = &vaddr_ptrs.addr[i];
> + int j;
> +
> + vm_unmap_user_ram((void *)vaddr->mem, vaddr->nr_pages);
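Review bot: the `end:` cleanup loop runs on both the `cpu_opv_pin_pages()` failure path and the `-EAGAIN` retry path, so it depends on `vaddr_ptrs.nr_vaddr` counting exactly the mappings that succeeded, including when `cpu_opv_pin_pages()` fails after mapping some but not all entries; it is worth confirming that the pinning helper advances `nr_vaddr` only after each successful `vm_map_user_ram()` rather than setting it up front, since otherwise `vm_unmap_user_ram()` would be called on an address that was never mapped. Since `again:` sits above the pin step and `retry` is set on `-EAGAIN`, every retry also re-pins and then re-unmaps the full set of pages; a short comment saying that this is the intended behaviour (as opposed to unmapping only on the final pass) would make the retry path easier to review.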

A dumb question.

Both vm_unmap_user_ram() and vm_map_user_ram() can BUG_ON().
So this is
userspace -> syscall -> cpu_opv() -> vm_unmap_user_ram() -> BUG_ON()

Any chance someone can exploit it?

-ss