Commit 2d432cb7 authored by Matthew Wilcox's avatar Matthew Wilcox Committed by Linus Torvalds

mm: prevent mapping slab pages to userspace

It's never appropriate to map a page allocated by SLAB into userspace.
A buggy device driver might try this, or an attacker might be able to
find a way to make it happen.

Christoph said:

: Let's just fail the code.  Currently this may work with SLUB.  But SLAB
: and SLOB overlay fields with mapcount.  So you would have a corrupted page
: struct if you mapped a slab page to user space.

Link: http://lkml.kernel.org/r/20190125173827.2658-1-willy@infradead.orgSigned-off-by: default avatarMatthew Wilcox <willy@infradead.org>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Acked-by: default avatarPekka Enberg <penberg@kernel.org>
Cc: Rik van Riel <riel@surriel.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent afd07389
...@@ -1452,7 +1452,7 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr, ...@@ -1452,7 +1452,7 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr,
spinlock_t *ptl; spinlock_t *ptl;
retval = -EINVAL; retval = -EINVAL;
if (PageAnon(page)) if (PageAnon(page) || PageSlab(page))
goto out; goto out;
retval = -ENOMEM; retval = -ENOMEM;
flush_dcache_page(page); flush_dcache_page(page);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment