• Michal Hocko's avatar
    mm: do not bug_on on incorrect length in __mm_populate() · 1a55a71e
    Michal Hocko authored
    commit bb177a732c4369bb58a1fe1df8f552b6f0f7db5f upstream.
    syzbot has noticed that a specially crafted library can easily hit
    VM_BUG_ON in __mm_populate
      kernel BUG at mm/gup.c:1242!
      invalid opcode: 0000 [#1] SMP
      CPU: 2 PID: 9667 Comm: a.out Not tainted 4.18.0-rc3 #644
      Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
      RIP: 0010:__mm_populate+0x1e2/0x1f0
      Code: 55 d0 65 48 33 14 25 28 00 00 00 89 d8 75 21 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 75 18 f1 ff 0f 0b e8 6e 18 f1 ff <0f> 0b 31 db eb c9 e8 93 06 e0 ff 0f 1f 00 55 48 89 e5 53 48 89 fb
      Call Trace:
    The reason is that the length of the new brk is not page aligned when we
    try to populate the it.  There is no reason to bug on that though.
    do_brk_flags already aligns the length properly so the mapping is
    expanded as it should.  All we need is to tell mm_populate about it.
    Besides that there is absolutely no reason to to bug_on in the first
    place.  The worst thing that could happen is that the last page wouldn't
    get populated and that is far from putting system into an inconsistent
    Fix the issue by moving the length sanitization code from do_brk_flags
    up to vm_brk_flags.  The only other caller of do_brk_flags is brk
    syscall entry and it makes sure to provide the proper length so t here
    is no need for sanitation and so we can use do_brk_flags without it.
    Also remove the bogus BUG_ONs.
    [osalvador@techadventures.net: fix up vm_brk_flags s@request@len@]
    Link: http://lkml.kernel.org/r/20180706090217.GI32658@dhcp22.suse.czSigned-off-by: default avatarMichal Hocko <mhocko@suse.com>
    Reported-by: default avatarsyzbot <syzbot+5dcb560fe12aa5091c06@syzkaller.appspotmail.com>
    Tested-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Reviewed-by: default avatarOscar Salvador <osalvador@suse.de>
    Cc: Zi Yan <zi.yan@cs.rutgers.edu>
    Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
    Cc: Dan Williams <dan.j.williams@intel.com>
    Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
    Cc: Michael S. Tsirkin <mst@redhat.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: "Huang, Ying" <ying.huang@intel.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    [bwh: Backported to 4.9:
     - There is no do_brk_flags() function; update do_brk()
     - Adjust context]
    Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
gup.c 44 KB