From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Al Viro <viro@zeniv.linux.org.uk>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 67/83] dont use __kernel_write() on kmap_local_page()
Date: Mon, 3 Oct 2022 09:11:32 +0200 [thread overview]
Message-ID: <20221003070723.675440372@linuxfoundation.org> (raw)
In-Reply-To: <20221003070721.971297651@linuxfoundation.org>
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 06bbaa6dc53cb72040db952053432541acb9adc7 ]
passing kmap_local_page() result to __kernel_write() is unsafe -
random ->write_iter() might (and 9p one does) get unhappy when
passed ITER_KVEC with pointer that came from kmap_local_page().
Fix by providing a variant of __kernel_write() that takes an iov_iter
from caller (__kernel_write() becomes a trivial wrapper) and adding
dump_emit_page() that parallels dump_emit(), except that instead of
__kernel_write() it uses __kernel_write_iter() with ITER_BVEC source.
Fixes: 3159ed57792b "fs/coredump: use kmap_local_page()"
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/coredump.c | 38 +++++++++++++++++++++++++++++++++-----
fs/internal.h | 3 +++
fs/read_write.c | 22 ++++++++++++++--------
3 files changed, 50 insertions(+), 13 deletions(-)
diff --git a/fs/coredump.c b/fs/coredump.c
index 26eb5a095832..43fdd82f82ab 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -902,6 +902,38 @@ static int __dump_skip(struct coredump_params *cprm, size_t nr)
}
}
+static int dump_emit_page(struct coredump_params *cprm, struct page *page)
+{
+ struct bio_vec bvec = {
+ .bv_page = page,
+ .bv_offset = 0,
+ .bv_len = PAGE_SIZE,
+ };
+ struct iov_iter iter;
+ struct file *file = cprm->file;
+ loff_t pos = file->f_pos;
+ ssize_t n;
+
+ if (cprm->to_skip) {
+ if (!__dump_skip(cprm, cprm->to_skip))
+ return 0;
+ cprm->to_skip = 0;
+ }
+ if (cprm->written + PAGE_SIZE > cprm->limit)
+ return 0;
+ if (dump_interrupted())
+ return 0;
+ iov_iter_bvec(&iter, WRITE, &bvec, 1, PAGE_SIZE);
+ n = __kernel_write_iter(cprm->file, &iter, &pos);
+ if (n != PAGE_SIZE)
+ return 0;
+ file->f_pos = pos;
+ cprm->written += PAGE_SIZE;
+ cprm->pos += PAGE_SIZE;
+
+ return 1;
+}
+
int dump_emit(struct coredump_params *cprm, const void *addr, int nr)
{
if (cprm->to_skip) {
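Review bot: dump_emit_page() has no comment saying why it hands the page to the writer as an ITER_BVEC instead of mapping it, which is the reason the function exists and is easy to undo in a later cleanup. A one-line header such as `/* Emit one full page via ITER_BVEC; a kmap_local_page() address must not reach ->write_iter() */` would keep that visible. It should also say that the caller keeps its page reference until the call returns, as dump_user_range() does by calling put_page() afterwards. As a smaller style point, the write call passes `cprm->file` although `file` was already loaded at the top of the function: `n = __kernel_write_iter(file, &iter, &pos);`. The hunk ends inside dump_emit(), whose body continues outside it.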
@@ -933,7 +965,6 @@ int dump_user_range(struct coredump_params *cprm, unsigned long start,
for (addr = start; addr < start + len; addr += PAGE_SIZE) {
struct page *page;
- int stop;
/*
* To avoid having to allocate page tables for virtual address
@@ -944,10 +975,7 @@ int dump_user_range(struct coredump_params *cprm, unsigned long start,
*/
page = get_dump_page(addr);
if (page) {
- void *kaddr = kmap_local_page(page);
-
- stop = !dump_emit(cprm, kaddr, PAGE_SIZE);
- kunmap_local(kaddr);
+ int stop = !dump_emit_page(cprm, page);
put_page(page);
if (stop)
return 0;
diff --git a/fs/internal.h b/fs/internal.h
index 4f1fe6d08866..69b64136ae4c 100644
--- a/fs/internal.h
+++ b/fs/internal.h
@@ -16,6 +16,7 @@ struct shrink_control;
struct fs_context;
struct user_namespace;
struct pipe_inode_info;
+struct iov_iter;
/*
* block/bdev.c
@@ -219,3 +220,5 @@ struct xattr_ctx {
int setxattr_copy(const char __user *name, struct xattr_ctx *ctx);
int do_setxattr(struct user_namespace *mnt_userns, struct dentry *dentry,
struct xattr_ctx *ctx);
+
+ssize_t __kernel_write_iter(struct file *file, struct iov_iter *from, loff_t *pos);
diff --git a/fs/read_write.c b/fs/read_write.c
index 8d3ec975514d..08299a8f3e05 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -512,14 +512,9 @@ static ssize_t new_sync_write(struct file *filp, const char __user *buf, size_t
}
/* caller is responsible for file_start_write/file_end_write */
-ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t *pos)
+ssize_t __kernel_write_iter(struct file *file, struct iov_iter *from, loff_t *pos)
{
- struct kvec iov = {
- .iov_base = (void *)buf,
- .iov_len = min_t(size_t, count, MAX_RW_COUNT),
- };
struct kiocb kiocb;
- struct iov_iter iter;
ssize_t ret;
if (WARN_ON_ONCE(!(file->f_mode & FMODE_WRITE)))
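Review bot: The MAX_RW_COUNT clamp that used to sit in this function's kvec initialiser now lives only in the __kernel_write() wrapper added in the last hunk of this file, so __kernel_write_iter() forwards whatever length the caller's iterator carries to ->write_iter(). The one caller visible in this patch passes PAGE_SIZE, so this reads as a contract gap rather than a live bug. The comment above the function should still state it, e.g. `/* caller is responsible for file_start_write/file_end_write and for bounding the iterator to MAX_RW_COUNT */`, or the function could enforce it with `iov_iter_truncate(from, MAX_RW_COUNT);` before the ->write_iter() call. The function body continues past this hunk.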
@@ -535,8 +530,7 @@ ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t
init_sync_kiocb(&kiocb, file);
kiocb.ki_pos = pos ? *pos : 0;
- iov_iter_kvec(&iter, WRITE, &iov, 1, iov.iov_len);
- ret = file->f_op->write_iter(&kiocb, &iter);
+ ret = file->f_op->write_iter(&kiocb, from);
if (ret > 0) {
if (pos)
*pos = kiocb.ki_pos;
@@ -546,6 +540,18 @@ ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t
inc_syscw(current);
return ret;
}
+
+/* caller is responsible for file_start_write/file_end_write */
+ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t *pos)
+{
+ struct kvec iov = {
+ .iov_base = (void *)buf,
+ .iov_len = min_t(size_t, count, MAX_RW_COUNT),
+ };
+ struct iov_iter iter;
+ iov_iter_kvec(&iter, WRITE, &iov, 1, iov.iov_len);
+ return __kernel_write_iter(file, &iter, pos);
+}
/*
* This "EXPORT_SYMBOL_GPL()" is more of a "EXPORT_SYMBOL_DONTUSE()",
* but autofs is one of the few internal kernel users that actually
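Review bot: The new __kernel_write() wrapper runs its declarations straight into the first statement; kernel style puts an empty line between `struct iov_iter iter;` and `iov_iter_kvec(&iter, WRITE, &iov, 1, iov.iov_len);`. The `(void *)buf` cast that drops const to fit struct kvec is carried over unchanged from the old body and needs no change here.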
--
2.35.1