mm: apply_to_pte_range warn and fail if a large pte is encountered

ascend inclusion category: feature bugzilla: NA CVE: NA https://lwn.net/ml/linux-kernel/20200825145753.529284-3-npiggin@gmail.com/ -------------- apply_to_pte_range might mistake a large pte for bad, or treat it as a page table, resulting in a crash or corruption. Add a test to warn and return error if large entries are found. Signed-off-by: N Nicholas Piggin <npiggin@gmail.com> Signed-off-by: N Rui Xiang <rui.xiang@huawei.com> Reviewed-by: N Ding Tianhong <dingtianhong@huawei.com> Reviewed-by: N Zefan Li <lizefan@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

mm: apply_to_pte_range warn and fail if a large pte is encountered
ascend inclusion category: feature bugzilla: NA CVE: NA https://lwn.net/ml/linux-kernel/20200825145753.529284-3-npiggin@gmail.com/ -------------- apply_to_pte_range might mistake a large pte for bad, or treat it as a page table, resulting in a crash or corruption. Add a test to warn and return error if large entries are found. Signed-off-by: N Nicholas Piggin <npiggin@gmail.com> Signed-off-by: N Rui Xiang <rui.xiang@huawei.com> Reviewed-by: N Ding Tianhong <dingtianhong@huawei.com> Reviewed-by: N Zefan Li <lizefan@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
c8141476 · Nicholas Piggin · Yang Yingliang · d3efb4d3 · c8141476
显示空白变更内容
内联并排

Showing with 44 addition and 16 deletion

mm/memory.c mm/memory.c +44 -16

未找到文件。
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -2015,13 +2015,20 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud,
 	}
 	do {
 		next = pmd_addr_end(addr, end);
-		if (create || !pmd_none_or_clear_bad(pmd)) {
-			err = apply_to_pte_range(mm, pmd, addr, next, fn, data,
-						 create);
+		if (pmd_none(*pmd) && !create)
+			continue;
+		if (WARN_ON_ONCE(pmd_leaf(*pmd)))
+			return -EINVAL;
+		if (!pmd_none(*pmd) && WARN_ON_ONCE(pmd_bad(*pmd))) {
+			if (!create)
+				continue;
+			pmd_clear_bad(pmd);
+		}
+		err = apply_to_pte_range(mm, pmd, addr, next, fn, data, create);
 		if (err)
 			break;
-		}
 	} while (pmd++, addr = next, addr != end);
+
 	return err;
 }

@@ -2042,13 +2049,20 @@ static int apply_to_pud_range(struct mm_struct *mm, p4d_t *p4d,
 	}
 	do {
 		next = pud_addr_end(addr, end);
-		if (create || !pud_none_or_clear_bad(pud)) {
-			err = apply_to_pmd_range(mm, pud, addr, next, fn, data,
-						 create);
+		if (pud_none(*pud) && !create)
+			continue;
+		if (WARN_ON_ONCE(pud_leaf(*pud)))
+			return -EINVAL;
+		if (!pud_none(*pud) && WARN_ON_ONCE(pud_bad(*pud))) {
+			if (!create)
+				continue;
+			pud_clear_bad(pud);
+		}
+		err = apply_to_pmd_range(mm, pud, addr, next, fn, data, create);
 		if (err)
 			break;
-		}
 	} while (pud++, addr = next, addr != end);
+
 	return err;
 }

@@ -2069,13 +2083,20 @@ static int apply_to_p4d_range(struct mm_struct *mm, pgd_t *pgd,
 	}
 	do {
 		next = p4d_addr_end(addr, end);
-		if (create || !p4d_none_or_clear_bad(p4d)) {
-			err = apply_to_pud_range(mm, p4d, addr, next, fn, data,
-						 create);
+		if (p4d_none(*p4d) && !create)
+			continue;
+		if (WARN_ON_ONCE(p4d_leaf(*p4d)))
+			return -EINVAL;
+		if (!p4d_none(*p4d) && WARN_ON_ONCE(p4d_bad(*p4d))) {
+			if (!create)
+				continue;
+			p4d_clear_bad(p4d);
+		}
+		err = apply_to_pud_range(mm, p4d, addr, next, fn, data, create);
 		if (err)
 			break;
-		}
 	} while (p4d++, addr = next, addr != end);
+
 	return err;
 }

@@ -2094,8 +2115,15 @@ static int __apply_to_page_range(struct mm_struct *mm, unsigned long addr,
 	pgd = pgd_offset(mm, addr);
 	do {
 		next = pgd_addr_end(addr, end);
-		if (!create && pgd_none_or_clear_bad(pgd))
+		if (pgd_none(*pgd) && !create)
 			continue;
+		if (WARN_ON_ONCE(pgd_leaf(*pgd)))
+			return -EINVAL;
+		if (!pgd_none(*pgd) && WARN_ON_ONCE(pgd_bad(*pgd))) {
+			if (!create)
+				continue;
+			pgd_clear_bad(pgd);
+		}
 		err = apply_to_p4d_range(mm, pgd, addr, next, fn, data, create);
 		if (err)
 			break;