• Michael Ellerman's avatar
    mm: check that we have the right vma in __access_remote_vm() · fe936dfc
    Michael Ellerman authored
    In __access_remote_vm() we need to check that we have found the right
    vma, not the following vma before we try to access it.  Otherwise we
    might call the vma's access routine with an address which does not fall
    inside the vma.
    
    It was discovered on a current kernel but with an unreleased driver,
    from memory it was strace leading to a kernel bad access, but it
    obviously depends on what the access implementation does.
    
    Looking at other access implementations I only see:
    
      $ git grep -A 5 vm_operations|grep access
      arch/powerpc/platforms/cell/spufs/file.c-	.access = spufs_mem_mmap_access,
      arch/x86/pci/i386.c-	.access = generic_access_phys,
      drivers/char/mem.c-	.access = generic_access_phys
      fs/sysfs/bin.c-	.access		= bin_access,
    
    The spufs one looks like it might behave badly given the wrong vma, it
    assumes vma->vm_file->private_data is a spu_context, and looks like it
    would probably blow up pretty quickly if it wasn't.
    
    generic_access_phys() only uses the vma to check vm_flags and get the
    mm, and then walks page tables using the address.  So it should bail on
    the vm_flags check, or at worst let you access some other VM_IO mapping.
    
    And bin_access() just proxies to another access implementation.
    Signed-off-by: default avatarMichael Ellerman <michael@ellerman.id.au>
    Reviewed-by: default avatarKOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: Hugh Dickins <hughd@google.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    fe936dfc
memory.c 106 KB