diff options
| author | Vlastimil Babka <[email protected]> | 2020-06-01 21:45:43 -0700 |
|---|---|---|
| committer | Linus Torvalds <[email protected]> | 2020-06-02 10:59:06 -0700 |
| commit | 49f2d2419d60a103752e5fbaf158cf8d07c0d884 (patch) | |
| tree | 77b46b3ee2bcdcc135b01bc5d6fbd6be2c572be1 | |
| parent | 485e9605c05733759d3bd5aba4fbe561801f3658 (diff) | |
usercopy: mark dma-kmalloc caches as usercopy caches
We have seen a "usercopy: Kernel memory overwrite attempt detected to
SLUB object 'dma-kmalloc-1 k' (offset 0, size 11)!" error on s390x, as
IUCV uses kmalloc() with __GFP_DMA because of memory address
restrictions. The issue has been discussed [2] and it has been noted
that if all the kmalloc caches are marked as usercopy, there's little
reason not to mark dma-kmalloc caches too. The 'dma' part merely means
that __GFP_DMA is used to restrict memory address range.
As Jann Horn put it [3]:
"I think dma-kmalloc slabs should be handled the same way as normal
kmalloc slabs. When a dma-kmalloc allocation is freshly created, it is
just normal kernel memory - even if it might later be used for DMA -,
and it should be perfectly fine to copy_from_user() into such
allocations at that point, and to copy_to_user() out of them at the
end. If you look at the places where such allocations are created, you
can see things like kmemdup(), memcpy() and so on - all normal
operations that shouldn't conceptually be different from usercopy in
any relevant way."
Thus this patch marks the dma-kmalloc-* caches as usercopy.
[1] https://bugzilla.suse.com/show_bug.cgi?id=1156053
[2] https://lore.kernel.org/kernel-hardening/[email protected]/
[3] https://lore.kernel.org/kernel-hardening/CAG48ez1a4waGk9kB0WLaSbs4muSoK0AYAVk8=XYaKj4_+6e6Hg@mail.gmail.com/
Signed-off-by: Vlastimil Babka <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Acked-by: Christian Borntraeger <[email protected]>
Acked-by: Jiri Slaby <[email protected]>
Cc: Jann Horn <[email protected]>
Cc: Christoph Hellwig <[email protected]>
Cc: Christopher Lameter <[email protected]>
Cc: Julian Wiedmann <[email protected]>
Cc: Ursula Braun <[email protected]>
Cc: Alexander Viro <[email protected]>
Cc: David Windsor <[email protected]>
Cc: Pekka Enberg <[email protected]>
Cc: David Rientjes <[email protected]>
Cc: Joonsoo Kim <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: "David S. Miller" <[email protected]>
Cc: Laura Abbott <[email protected]>
Cc: Mark Rutland <[email protected]>
Cc: "Martin K. Petersen" <[email protected]>
Cc: Paolo Bonzini <[email protected]>
Cc: Christoffer Dall <[email protected]>
Cc: Dave Kleikamp <[email protected]>
Cc: Jan Kara <[email protected]>
Cc: Luis de Bethencourt <[email protected]>
Cc: Marc Zyngier <[email protected]>
Cc: Rik van Riel <[email protected]>
Cc: Matthew Garrett <[email protected]>
Cc: Michal Kubecek <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Linus Torvalds <[email protected]>
| -rw-r--r-- | mm/slab_common.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/mm/slab_common.c b/mm/slab_common.c index 23c7500eea7d..9e72ba224175 100644 --- a/mm/slab_common.c +++ b/mm/slab_common.c @@ -1303,7 +1303,8 @@ void __init create_kmalloc_caches(slab_flags_t flags) kmalloc_caches[KMALLOC_DMA][i] = create_kmalloc_cache( kmalloc_info[i].name[KMALLOC_DMA], kmalloc_info[i].size, - SLAB_CACHE_DMA | flags, 0, 0); + SLAB_CACHE_DMA | flags, 0, + kmalloc_info[i].size); } } #endif |