Hi Kees,

On 2020-07-10 3:44 p.m., Kees Cook wrote:

On Fri, Jul 10, 2020 at 03:10:25PM -0700, Scott Branden wrote:

quoted

On 2020-07-10 3:04 p.m., Matthew Wilcox wrote:

quoted

On Fri, Jul 10, 2020 at 02:00:32PM -0700, Scott Branden wrote:

quoted

quoted

@@ -950,8 +951,8 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
    		goto out;
    	}
-	if (id != READING_FIRMWARE_PREALLOC_BUFFER)
-		*buf = vmalloc(i_size);
+	if (!*buf)

The assumption that *buf is always NULL when id !=
READING_FIRMWARE_PREALLOC_BUFFER doesn't appear to be correct.
I get unhandled page faults due to this change on boot.

Did it give you a stack backtrace?

Yes, but there's no requirement that *buf need to be NULL when calling this
function.
To fix my particular crash I added the following locally:

--- a/kernel/module.c
+++ b/kernel/module.c

@@ -3989,7 +3989,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char

__user *, uargs, int, flags)
  {
      struct load_info info = { };
      loff_t size;
-    void *hdr;
+    void *hdr = NULL;
      int err;

      err = may_init_module();

Thanks for the diagnosis and fix! I haven't had time to cycle back
around to this series yet. Hopefully soon. :)

I don't consider this a complete fix as there may be other callers which 
do not initialize
the *buf param to NULL before calling kernel_read_file.

But, it does boot my system.  Also, I was able to make modifications for my
pread changes that pass (and the IMA works with IMA patch in my series 
is dropped completely with your changes in place).

So your changes work for me other than the hack needed above.