From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Al Viro <viro@zeniv.linux.org.uk>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.19 36/48] [coredump] dont use __kernel_write() on kmap_local_page()
Date: Mon, 10 Oct 2022 09:05:34 +0200 [thread overview]
Message-ID: <20221010070334.630261714@linuxfoundation.org> (raw)
In-Reply-To: <20221010070333.676316214@linuxfoundation.org>
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 06bbaa6dc53cb72040db952053432541acb9adc7 ]
passing kmap_local_page() result to __kernel_write() is unsafe -
random ->write_iter() might (and 9p one does) get unhappy when
passed ITER_KVEC with pointer that came from kmap_local_page().
Fix by providing a variant of __kernel_write() that takes an iov_iter
from caller (__kernel_write() becomes a trivial wrapper) and adding
dump_emit_page() that parallels dump_emit(), except that instead of
__kernel_write() it uses __kernel_write_iter() with ITER_BVEC source.
Fixes: 3159ed57792b "fs/coredump: use kmap_local_page()"
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/coredump.c | 38 +++++++++++++++++++++++++++++++++-----
fs/internal.h | 3 +++
fs/read_write.c | 22 ++++++++++++++--------
3 files changed, 50 insertions(+), 13 deletions(-)
diff --git a/fs/coredump.c b/fs/coredump.c
index ebc43f960b64..f1355e52614a 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -832,6 +832,38 @@ static int __dump_skip(struct coredump_params *cprm, size_t nr)
}
}
+static int dump_emit_page(struct coredump_params *cprm, struct page *page)
+{
+ struct bio_vec bvec = {
+ .bv_page = page,
+ .bv_offset = 0,
+ .bv_len = PAGE_SIZE,
+ };
+ struct iov_iter iter;
+ struct file *file = cprm->file;
+ loff_t pos = file->f_pos;
+ ssize_t n;
+
+ if (cprm->to_skip) {
+ if (!__dump_skip(cprm, cprm->to_skip))
+ return 0;
+ cprm->to_skip = 0;
+ }
+ if (cprm->written + PAGE_SIZE > cprm->limit)
+ return 0;
+ if (dump_interrupted())
+ return 0;
+ iov_iter_bvec(&iter, WRITE, &bvec, 1, PAGE_SIZE);
+ n = __kernel_write_iter(cprm->file, &iter, &pos);
+ if (n != PAGE_SIZE)
+ return 0;
+ file->f_pos = pos;
+ cprm->written += PAGE_SIZE;
+ cprm->pos += PAGE_SIZE;
+
+ return 1;
+}
+
int dump_emit(struct coredump_params *cprm, const void *addr, int nr)
{
if (cprm->to_skip) {
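Review bot: dump_emit_page() introduces the alias `struct file *file = cprm->file;` and uses it for `file->f_pos = pos;`, yet the write call reaches the same object through `cprm->file` again; `n = __kernel_write_iter(file, &iter, &pos);` keeps the function reading one way. The function also has no header comment although it is the page-based twin of dump_emit() and shares its 1/0 return convention; a comment such as `/* Page-based counterpart of dump_emit(): writes one whole page as an ITER_BVEC so the page is never kmapped. Returns 1 on success, 0 if the skip fails, the limit would be exceeded, the dump was interrupted or the write was short. */` above the definition would make the pairing explicit. A short write (n != PAGE_SIZE) returns 0 without touching file->f_pos or the counters, which presumably mirrors dump_emit(), whose body is cut off at the end of this hunk.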
@@ -863,7 +895,6 @@ int dump_user_range(struct coredump_params *cprm, unsigned long start,
for (addr = start; addr < start + len; addr += PAGE_SIZE) {
struct page *page;
- int stop;
/*
* To avoid having to allocate page tables for virtual address
@@ -874,10 +905,7 @@ int dump_user_range(struct coredump_params *cprm, unsigned long start,
*/
page = get_dump_page(addr);
if (page) {
- void *kaddr = kmap_local_page(page);
-
- stop = !dump_emit(cprm, kaddr, PAGE_SIZE);
- kunmap_local(kaddr);
+ int stop = !dump_emit_page(cprm, page);
put_page(page);
if (stop)
return 0;
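Review bot: The switch from the kmap_local_page()/dump_emit() pair to `int stop = !dump_emit_page(cprm, page);` leaves no trace in the code of why the page is handed over unmapped, and the reason given in the commit message (a ->write_iter() may reject an ITER_KVEC whose pointer came from kmap_local_page()) will not be visible to the next reader of dump_user_range(). A one-line comment above the call, `/* pass the page itself as a bvec; a kmap_local_page() address inside an ITER_KVEC is not accepted by every ->write_iter() */`, preserves that rationale next to the code. The enclosing for loop and dump_user_range() extend beyond this hunk on both sides.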
diff --git a/fs/internal.h b/fs/internal.h
index 87e96b9024ce..3e206d3e317c 100644
--- a/fs/internal.h
+++ b/fs/internal.h
@@ -16,6 +16,7 @@ struct shrink_control;
struct fs_context;
struct user_namespace;
struct pipe_inode_info;
+struct iov_iter;
/*
* block/bdev.c
@@ -221,3 +222,5 @@ ssize_t do_getxattr(struct user_namespace *mnt_userns,
int setxattr_copy(const char __user *name, struct xattr_ctx *ctx);
int do_setxattr(struct user_namespace *mnt_userns, struct dentry *dentry,
struct xattr_ctx *ctx);
+
+ssize_t __kernel_write_iter(struct file *file, struct iov_iter *from, loff_t *pos);
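Review bot: The new declaration of __kernel_write_iter() in fs/internal.h carries none of the contract the definition depends on: the caller must bracket the call with file_start_write()/file_end_write() (that comment lives only in fs/read_write.c), and `pos` may be NULL, since the definition does `kiocb.ki_pos = pos ? *pos : 0;`. As far as the fs/read_write.c hunks show, the function also applies no length clamp of its own to `from`. A comment on the prototype, `/* caller holds file_start_write(); pos may be NULL; the iterator length is taken as given */`, makes the header self-describing for the next internal caller.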
diff --git a/fs/read_write.c b/fs/read_write.c
index 397da0236607..a0a3d35e2c0f 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -509,14 +509,9 @@ static ssize_t new_sync_write(struct file *filp, const char __user *buf, size_t
}
/* caller is responsible for file_start_write/file_end_write */
-ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t *pos)
+ssize_t __kernel_write_iter(struct file *file, struct iov_iter *from, loff_t *pos)
{
- struct kvec iov = {
- .iov_base = (void *)buf,
- .iov_len = min_t(size_t, count, MAX_RW_COUNT),
- };
struct kiocb kiocb;
- struct iov_iter iter;
ssize_t ret;
if (WARN_ON_ONCE(!(file->f_mode & FMODE_WRITE)))
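Review bot: The `min_t(size_t, count, MAX_RW_COUNT)` clamp that disappears with the kvec in this hunk survives only inside the __kernel_write() wrapper added further down in fs/read_write.c, so __kernel_write_iter() writes whatever length its caller placed in `from` with no upper bound of its own, as far as the visible hunks show. That is fine for the one new caller, which supplies a single PAGE_SIZE bvec, but the retained comment should state the widened caller responsibility, e.g. `/* caller is responsible for file_start_write/file_end_write and for bounding the iterator (no MAX_RW_COUNT clamp here) */`. __kernel_write_iter()'s body continues past the end of this hunk.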
@@ -532,8 +527,7 @@ ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t
init_sync_kiocb(&kiocb, file);
kiocb.ki_pos = pos ? *pos : 0;
- iov_iter_kvec(&iter, WRITE, &iov, 1, iov.iov_len);
- ret = file->f_op->write_iter(&kiocb, &iter);
+ ret = file->f_op->write_iter(&kiocb, from);
if (ret > 0) {
if (pos)
*pos = kiocb.ki_pos;
@@ -543,6 +537,18 @@ ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t
inc_syscw(current);
return ret;
}
+
+/* caller is responsible for file_start_write/file_end_write */
+ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t *pos)
+{
+ struct kvec iov = {
+ .iov_base = (void *)buf,
+ .iov_len = min_t(size_t, count, MAX_RW_COUNT),
+ };
+ struct iov_iter iter;
+ iov_iter_kvec(&iter, WRITE, &iov, 1, iov.iov_len);
+ return __kernel_write_iter(file, &iter, pos);
+}
/*
* This "EXPORT_SYMBOL_GPL()" is more of a "EXPORT_SYMBOL_DONTUSE()",
* but autofs is one of the few internal kernel users that actually
--
2.35.1