linux/mm/gup_benchmark.c
Dan Carpenter 4b408c74ee mm/gup_benchmark.c: prevent integer overflow in ioctl
The concern here is that "gup->size" is a u64 and "nr_pages" is unsigned
long.  On 32 bit systems we could trick the kernel into allocating fewer
pages than expected.

Link: http://lkml.kernel.org/r/20181025061546.hnhkv33diogf2uis@kili.mountain
Fixes: 64c349f4ae78 ("mm: add infrastructure for get_user_pages_fast() benchmarking")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Keith Busch <keith.busch@intel.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2018-10-31 08:54:12 -07:00

136 lines
2.8 KiB
C

#include <linux/kernel.h>
#include <linux/mm.h>
#include <linux/slab.h>
#include <linux/uaccess.h>
#include <linux/ktime.h>
#include <linux/debugfs.h>
#define GUP_FAST_BENCHMARK _IOWR('g', 1, struct gup_benchmark)
#define GUP_LONGTERM_BENCHMARK _IOWR('g', 2, struct gup_benchmark)
#define GUP_BENCHMARK _IOWR('g', 3, struct gup_benchmark)
struct gup_benchmark {
__u64 get_delta_usec;
__u64 put_delta_usec;
__u64 addr;
__u64 size;
__u32 nr_pages_per_call;
__u32 flags;
__u64 expansion[10]; /* For future use */
};
static int __gup_benchmark_ioctl(unsigned int cmd,
struct gup_benchmark *gup)
{
ktime_t start_time, end_time;
unsigned long i, nr_pages, addr, next;
int nr;
struct page **pages;
if (gup->size > ULONG_MAX)
return -EINVAL;
nr_pages = gup->size / PAGE_SIZE;
pages = kvcalloc(nr_pages, sizeof(void *), GFP_KERNEL);
if (!pages)
return -ENOMEM;
i = 0;
nr = gup->nr_pages_per_call;
start_time = ktime_get();
for (addr = gup->addr; addr < gup->addr + gup->size; addr = next) {
if (nr != gup->nr_pages_per_call)
break;
next = addr + nr * PAGE_SIZE;
if (next > gup->addr + gup->size) {
next = gup->addr + gup->size;
nr = (next - addr) / PAGE_SIZE;
}
switch (cmd) {
case GUP_FAST_BENCHMARK:
nr = get_user_pages_fast(addr, nr, gup->flags & 1,
pages + i);
break;
case GUP_LONGTERM_BENCHMARK:
nr = get_user_pages_longterm(addr, nr, gup->flags & 1,
pages + i, NULL);
break;
case GUP_BENCHMARK:
nr = get_user_pages(addr, nr, gup->flags & 1, pages + i,
NULL);
break;
default:
return -1;
}
if (nr <= 0)
break;
i += nr;
}
end_time = ktime_get();
gup->get_delta_usec = ktime_us_delta(end_time, start_time);
gup->size = addr - gup->addr;
start_time = ktime_get();
for (i = 0; i < nr_pages; i++) {
if (!pages[i])
break;
put_page(pages[i]);
}
end_time = ktime_get();
gup->put_delta_usec = ktime_us_delta(end_time, start_time);
kvfree(pages);
return 0;
}
static long gup_benchmark_ioctl(struct file *filep, unsigned int cmd,
unsigned long arg)
{
struct gup_benchmark gup;
int ret;
switch (cmd) {
case GUP_FAST_BENCHMARK:
case GUP_LONGTERM_BENCHMARK:
case GUP_BENCHMARK:
break;
default:
return -EINVAL;
}
if (copy_from_user(&gup, (void __user *)arg, sizeof(gup)))
return -EFAULT;
ret = __gup_benchmark_ioctl(cmd, &gup);
if (ret)
return ret;
if (copy_to_user((void __user *)arg, &gup, sizeof(gup)))
return -EFAULT;
return 0;
}
static const struct file_operations gup_benchmark_fops = {
.open = nonseekable_open,
.unlocked_ioctl = gup_benchmark_ioctl,
};
static int gup_benchmark_init(void)
{
void *ret;
ret = debugfs_create_file_unsafe("gup_benchmark", 0600, NULL, NULL,
&gup_benchmark_fops);
if (!ret)
pr_warn("Failed to create gup_benchmark in debugfs");
return 0;
}
late_initcall(gup_benchmark_init);