From: Jingxian He hejingxian@huawei.com
hulk inclusion category: feature bugzilla: 48159 CVE: N/A
------------------------------
Enhance variable checks and synchronization for pin mem as follows: 1) Remove an unused variable in set_fork_pid; 2) Remove the redundant calls to access_ok, which copy_from_user already performs; 3) Enhance the page_map_entry_start check in pin_mem_area; 4) Keep get_page_map_info and create_page_map_info for internal use, and add get_page_map_info_by_pid and create_page_map_info_by_pid for external use, protected by the spinlock; 5) Use spin_lock_irqsave instead of spin_lock.
Signed-off-by: Jingxian He hejingxian@huawei.com Reviewed-by: Jing Xiangfeng jingxiangfeng@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- drivers/char/pin_memory.c | 7 ------ include/linux/pin_mem.h | 4 +-- mm/pin_mem.c | 51 +++++++++++++++++++++++++++++---------- 3 files changed, 40 insertions(+), 22 deletions(-)
diff --git a/drivers/char/pin_memory.c b/drivers/char/pin_memory.c
index 05fa7cfde03b2..4b3a6c8b31de9 100644
--- a/drivers/char/pin_memory.c
+++ b/drivers/char/pin_memory.c
@@ -98,8 +98,6 @@ static int set_pin_mem_area(unsigned long arg)
 struct pin_mem_area_set pmas;
 void __user *buf = (void __user *)arg;
- if (!access_ok(buf, sizeof(pmas)))
- return -EFAULT;
 if (copy_from_user(&pmas, buf, sizeof(pmas)))
 return -EINVAL;
 if (pmas.area_num > MAX_PIN_MEM_AREA_NUM) {
@@ -119,8 +117,6 @@ static int pin_mem_remap(unsigned long arg)
 void __user *buf = (void __user *)arg;
 struct pid *pid_s;
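Review bot: With access_ok gone, a bad user pointer in set_pin_mem_area now surfaces as -EINVAL from the `copy_from_user` branch, where the removed check returned -EFAULT; the kernel convention for a failed user copy is `return -EFAULT;`. The same applies to the pin_mem_remap hunk that follows, whose copy_from_user branch also returns -EINVAL; the set_fork_pid hunk jumps to a `fault` label that is outside the hunk, so its return value cannot be checked here. Both function bodies continue outside their hunks.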
- if (!access_ok(buf, sizeof(int)))
- return -EINVAL;
 if (copy_from_user(&pid, buf, sizeof(int)))
 return -EINVAL;
@@ -157,11 +153,8 @@ static int pin_mem_remap(unsigned long arg)
 static int set_fork_pid(unsigned long arg)
 {
 int pid;
- struct page_map_info *pmi = NULL;
 void __user *buf = (void __user *)arg;
- if (!access_ok(buf, sizeof(int)))
- goto fault;
 if (copy_from_user(&pid, buf, sizeof(int)))
 goto fault;
 current->fork_pid = pid;
diff --git a/include/linux/pin_mem.h b/include/linux/pin_mem.h
index 21422f8b0349c..6c54482a42a11 100644
--- a/include/linux/pin_mem.h
+++ b/include/linux/pin_mem.h
@@ -64,8 +64,8 @@ struct redirect_info {
 unsigned int redirect_index[0];
 };
-extern struct page_map_info *get_page_map_info(int pid);
-extern struct page_map_info *create_page_map_info(int pid);
+extern struct page_map_info *get_page_map_info_by_pid(int pid);
+extern struct page_map_info *create_page_map_info_by_pid(int pid);
 extern vm_fault_t do_mem_remap(int pid, struct mm_struct *mm);
 extern vm_fault_t do_anon_page_remap(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd, struct page *page);
diff --git a/mm/pin_mem.c b/mm/pin_mem.c
index c657ae7f64860..d035934724cdc 100644
--- a/mm/pin_mem.c
+++ b/mm/pin_mem.c
@@ -72,7 +72,7 @@ static int __init setup_redirect_space_size(char *str)
 }
 early_param("redirect_space_size", setup_redirect_space_size);
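Review bot: The new `_by_pid` declarations carry no comment about locking, although the mm/pin_mem.c hunks show that both take page_map_entry_lock with interrupts disabled and release it before returning. A one-line kerneldoc on each, e.g. `/* Looks up the entry for @pid under page_map_entry_lock; must not be called with the lock held. */`, would give external users the contract they need, since the lock is now internal to the exported entry points.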
-struct page_map_info *create_page_map_info(int pid)
+static struct page_map_info *create_page_map_info(int pid)
 {
 struct page_map_info *new;
@@ -93,9 +93,20 @@ struct page_map_info *create_page_map_info(int pid)
 pin_pid_num++;
 return new;
 }
-EXPORT_SYMBOL_GPL(create_page_map_info);
-struct page_map_info *get_page_map_info(int pid)
+struct page_map_info *create_page_map_info_by_pid(int pid)
+{
+ unsigned long flags;
+ struct page_map_info *ret;
+
+ spin_lock_irqsave(&page_map_entry_lock, flags);
+ ret = create_page_map_info(pid);
+ spin_unlock_irqrestore(&page_map_entry_lock, flags);
+ return ret;
+}
+EXPORT_SYMBOL_GPL(create_page_map_info_by_pid);
+
+static struct page_map_info *get_page_map_info(int pid)
 {
 int i;
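Review bot: create_page_map_info is now called with page_map_entry_lock held and interrupts disabled inside create_page_map_info_by_pid, so whatever it does to obtain `new` must not sleep; its body is outside the hunk, so confirm it takes the entry from the pre-reserved page map area or uses a non-sleeping allocation rather than a GFP_KERNEL-style one. The wrapper would also benefit from a short comment such as `/* Takes page_map_entry_lock; callers must not hold it. */`, since the locking moved from the caller into the exported entry point.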
@@ -108,7 +119,18 @@ struct page_map_info *get_page_map_info(int pid)
 }
 return NULL;
 }
-EXPORT_SYMBOL_GPL(get_page_map_info);
+
+struct page_map_info *get_page_map_info_by_pid(int pid)
+{
+ unsigned long flags;
+ struct page_map_info *ret;
+
+ spin_lock_irqsave(&page_map_entry_lock, flags);
+ ret = get_page_map_info(pid);
+ spin_unlock_irqrestore(&page_map_entry_lock, flags);
+ return ret;
+}
+EXPORT_SYMBOL_GPL(get_page_map_info_by_pid);
 static struct page *find_head_page(struct page *page)
 {
@@ -380,12 +402,12 @@ static void reserve_user_space_map_pages(void)
 }
 }
 }
- spin_unlock(&page_map_entry_lock);
+ spin_unlock_irqrestore(&page_map_entry_lock, flags);
 return;
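Review bot: get_page_map_info_by_pid releases page_map_entry_lock before handing the page_map_info pointer back, so the lock serialises the lookup but does not keep the entry valid for the caller; clear_pin_memory_record in the last hunk resets pin_pid_num under the same lock, so a caller that dereferences the result afterwards races with it unless something else (presumably disable_free_page, which do_mem_remap sets under the lock) pins the entry. A comment stating what guarantees the lifetime of the returned pointer, e.g. `/* Caller must ensure the entry cannot be cleared while it uses the result. */`, would make that contract explicit.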
 free_pages:
 free_user_map_pages(index, i, j);
- spin_unlock(&page_map_entry_lock);
+ spin_unlock_irqrestore(&page_map_entry_lock, flags);
 }
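Review bot: Both spin_unlock calls in reserve_user_space_map_pages become spin_unlock_irqrestore, but the matching lock acquisition and the `flags` variable are above the hunk and no `+ unsigned long flags;` appears here; confirm that the lock side already reads `spin_lock_irqsave(&page_map_entry_lock, flags);`, otherwise `flags` is passed uninitialized to the restore. The same check applies to the clear_pin_memory_record hunk at the end of the patch, whose lock call is likewise outside its hunk. The function starts outside the hunk.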
@@ -672,10 +694,11 @@ int pin_mem_area(struct task_struct *task, struct mm_struct *mm,
 pid = task->pid;
 spin_lock_irqsave(&page_map_entry_lock, flags);
 nr_pages = ((end_addr - start_addr) / PAGE_SIZE);
- if ((unsigned long)page_map_entry_start + nr_pages * sizeof(struct page *) >=
- page_map_entry_end) {
+ if ((unsigned long)page_map_entry_start +
+ nr_pages * sizeof(unsigned long) +
+ sizeof(struct page_map_entry) >= page_map_entry_end) {
 pr_warn("Page map entry use up!\n");
- ret = -EFAULT;
+ ret = -ENOMEM;
 goto finish;
 }
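Review bot: The new bound check adds `nr_pages * sizeof(unsigned long)` and `sizeof(struct page_map_entry)` to page_map_entry_start before comparing, so an oversized or inverted start_addr/end_addr range (nr_pages comes from `(end_addr - start_addr) / PAGE_SIZE` on the context line, and the area bounds originate in the pin_mem_area_set ioctl) can wrap the sum below page_map_entry_end and pass the check. Unless the range is validated before the hunk, compute the remaining reserve space first and compare nr_pages against it by division, with an `unsigned long remaining` local; the parameter list and any earlier validation are outside the hunk, so this may already be covered. -ENOMEM for an exhausted reserve is the right code.

```c
	nr_pages = ((end_addr - start_addr) / PAGE_SIZE);
	remaining = page_map_entry_end - (unsigned long)page_map_entry_start;
	if (end_addr < start_addr || remaining < sizeof(struct page_map_entry) ||
	    nr_pages > (remaining - sizeof(struct page_map_entry)) / sizeof(unsigned long)) {
		/* … unchanged: pr_warn, ret = -ENOMEM, goto finish … */
```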
@@ -965,13 +988,15 @@ vm_fault_t do_mem_remap(int pid, struct mm_struct *mm)
 if (reserve_user_map_pages_fail || !mm)
 return -EFAULT;
+
+ spin_lock_irqsave(&page_map_entry_lock, flags);
 pmi = get_page_map_info(pid);
+ if (pmi)
+ pmi->disable_free_page = true;
+ spin_unlock_irqrestore(&page_map_entry_lock, flags);
 if (!pmi)
 return -EFAULT;
- spin_lock_irqsave(&page_map_entry_lock, flags);
- pmi->disable_free_page = true;
- spin_unlock(&page_map_entry_lock);
 down_write(&mm->mmap_sem);
 pme = pmi->pme;
 vma = mm->mmap;
@@ -1067,7 +1092,7 @@ void clear_pin_memory_record(void)
 pin_pid_num = 0;
 page_map_entry_start = __page_map_entry_start;
 }
- spin_unlock(&page_map_entry_lock);
+ spin_unlock_irqrestore(&page_map_entry_lock, flags);
 }
 EXPORT_SYMBOL_GPL(clear_pin_memory_record);
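Review bot: do_mem_remap sets disable_free_page under page_map_entry_lock and then dereferences `pmi` after the unlock (`pme = pmi->pme;`), which relies on disable_free_page being what stops the entry from being freed or cleared concurrently; that is presumably the intent, but nothing in the hunk says so, and clear_pin_memory_record in the following hunk resets the table under the same lock. A comment above the unlock such as `/* disable_free_page is set under the lock so the entry stays valid once we drop it. */` would record the invariant. The function continues outside the hunk.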