linux-stable/mm/gup_benchmark.c
Dan Carpenter 30598425ae mm/gup_benchmark.c: prevent integer overflow in ioctl
[ Upstream commit 4b408c74ee5a0b74fc9265c2fe39b0e7dec7c056 ]

The concern here is that "gup->size" is a u64 and "nr_pages" is unsigned
long.  On 32 bit systems we could trick the kernel into allocating fewer
pages than expected.

Link: http://lkml.kernel.org/r/20181025061546.hnhkv33diogf2uis@kili.mountain
Fixes: 64c349f4ae78 ("mm: add infrastructure for get_user_pages_fast() benchmarking")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Keith Busch <keith.busch@intel.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-12-01 09:17:07 +01:00


#include <linux/kernel.h>
#include <linux/mm.h>
#include <linux/slab.h>
#include <linux/uaccess.h>
#include <linux/ktime.h>
#include <linux/debugfs.h>
/*
 * ioctl command accepted by the debugfs "gup_benchmark" file. _IOWR: the
 * struct is copied in from user space and copied back out with the results.
 */
#define GUP_FAST_BENCHMARK _IOWR('g', 1, struct gup_benchmark)
/*
 * Request/response block exchanged with user space via copy_from_user() and
 * copy_to_user() in gup_benchmark_ioctl(). The field order and widths are
 * therefore part of the user-visible layout. Every input field is
 * caller-controlled and must be treated as untrusted.
 */
struct gup_benchmark {
/* out: elapsed time of the pinning loop, from ktime_us_delta() */
__u64 delta_usec;
/* in: start address of the user range to walk */
__u64 addr;
/* in: length of the range in bytes; out: number of bytes actually walked */
__u64 size;
/* in: number of pages requested per get_user_pages_fast() call */
__u32 nr_pages_per_call;
/*
 * in: only bit 0 is read; it is passed as the third argument of
 * get_user_pages_fast() (presumably the write flag -- confirm against
 * the API of this kernel version)
 */
__u32 flags;
};
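/*
 * Time one pass of get_user_pages_fast() over a user-supplied range.
 *
 * @cmd: ioctl command number; not used in this function.
 * @gup: kernel copy of the request. addr/size describe the range,
 *       nr_pages_per_call the batch size, and bit 0 of flags is passed as
 *       the third argument of get_user_pages_fast(). On success delta_usec
 *       receives the elapsed time and size the number of bytes walked.
 *
 * Every input field of @gup is caller-controlled. pages[] is sized from
 * gup->size alone, so the walk must never ask get_user_pages_fast() to fill
 * more slots than size / PAGE_SIZE, whatever addr and nr_pages_per_call
 * contain.
 *
 * Return: 0 on success, -EINVAL if the range does not fit in an unsigned
 * long, -ENOMEM if the page array cannot be allocated.
 */
static int __gup_benchmark_ioctl(unsigned int cmd,
		struct gup_benchmark *gup)
{
	ktime_t start_time, end_time;
	unsigned long i, nr_pages, addr, next, end, left;
	int nr;
	struct page **pages;

	/*
	 * addr and size are u64 while the walk uses unsigned long. Checking
	 * only size leaves two gaps where unsigned long is narrower than u64:
	 * addr would be silently truncated, and addr + size would be
	 * evaluated in 64 bits, so the clamp against the end of the range
	 * would never trigger for the truncated address. Reject both cases,
	 * and a range whose end wraps, before anything is allocated.
	 */
	if (gup->size > ULONG_MAX || gup->addr > ULONG_MAX)
		return -EINVAL;
	if (gup->size > ULONG_MAX - gup->addr)
		return -EINVAL;

	end = gup->addr + gup->size;
	nr_pages = gup->size / PAGE_SIZE;
	pages = kvcalloc(nr_pages, sizeof(void *), GFP_KERNEL);
	if (!pages)
		return -ENOMEM;

	i = 0;
	nr = gup->nr_pages_per_call;
	start_time = ktime_get();
	for (addr = gup->addr; addr < end; addr = next) {
		/* A short or clamped previous batch ends the run. */
		if (nr != gup->nr_pages_per_call)
			break;

		/*
		 * Clamp on a page count rather than on addr + nr * PAGE_SIZE:
		 * that product can wrap for a large (or negative, after the
		 * u32 -> int conversion) nr, which would skip the clamp and
		 * let the batch exceed the room left in pages[].
		 */
		left = (end - addr) / PAGE_SIZE;
		if (nr < 0 || (unsigned long)nr > left) {
			next = end;
			nr = min_t(unsigned long, left, INT_MAX);
		} else {
			next = addr + nr * PAGE_SIZE;
		}

		nr = get_user_pages_fast(addr, nr, gup->flags & 1, pages + i);
		if (nr <= 0)
			break;
		i += nr;
	}
	end_time = ktime_get();

	gup->delta_usec = ktime_us_delta(end_time, start_time);
	/* Report how far the walk got, in bytes. */
	gup->size = addr - gup->addr;

	/*
	 * pages[] was zero-filled by kvcalloc() and is filled front to back,
	 * so the first NULL slot marks the end of the pinned pages.
	 */
	for (i = 0; i < nr_pages; i++) {
		if (!pages[i])
			break;
		put_page(pages[i]);
	}

	kvfree(pages);
	return 0;
}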
/*
 * unlocked_ioctl handler for the debugfs "gup_benchmark" file.
 *
 * @filep: file the ioctl was issued on; not used here.
 * @cmd:   ioctl command; only GUP_FAST_BENCHMARK is accepted.
 * @arg:   user-space address of a struct gup_benchmark.
 *
 * The request is copied into a kernel-side struct first, so the benchmark
 * works on a private snapshot of the user-supplied fields, and the same
 * struct is copied back only after the benchmark succeeded.
 *
 * Return: 0 on success, -EINVAL for any other command, -EFAULT if either
 * user copy fails, or the error returned by __gup_benchmark_ioctl().
 */
static long gup_benchmark_ioctl(struct file *filep, unsigned int cmd,
		unsigned long arg)
{
	void __user *uarg = (void __user *)arg;
	struct gup_benchmark req;
	int err;

	if (cmd != GUP_FAST_BENCHMARK)
		return -EINVAL;

	if (copy_from_user(&req, uarg, sizeof(req)))
		return -EFAULT;

	err = __gup_benchmark_ioctl(cmd, &req);
	if (err)
		return err;

	/* Hand delta_usec and the updated size back to the caller. */
	return copy_to_user(uarg, &req, sizeof(req)) ? -EFAULT : 0;
}
/*
 * File operations for the debugfs entry: the file can be opened and driven
 * through the ioctl handler only; no read, write or seek callbacks are
 * provided.
 */
static const struct file_operations gup_benchmark_fops = {
.open = nonseekable_open,
.unlocked_ioctl = gup_benchmark_ioctl,
};
/*
 * Register the "gup_benchmark" file in the debugfs root (NULL parent) with
 * mode 0600. A failed registration is only logged; the initcall always
 * returns 0.
 */
static int gup_benchmark_init(void)
{
	void *entry = debugfs_create_file_unsafe("gup_benchmark", 0600,
						 NULL, NULL,
						 &gup_benchmark_fops);

	if (entry == NULL)
		pr_warn("Failed to create gup_benchmark in debugfs");

	return 0;
}
late_initcall(gup_benchmark_init);