From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-fsdevel-owner@vger.kernel.org>
Received: from zeniv.linux.org.uk ([195.92.253.2]:34902 "EHLO
        ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S933129AbdKBSqP (ORCPT
        <rfc822;linux-fsdevel@vger.kernel.org>);
        Thu, 2 Nov 2017 14:46:15 -0400
Date: Thu, 2 Nov 2017 18:46:12 +0000
From: Al Viro <viro@ZenIV.linux.org.uk>
To: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: linux-kernel@vger.kernel.org,
        George Zhang <georgezhang@vmware.com>,
        Andy king <acking@vmware.com>,
        Dmitry Torokhov <dtor@vmware.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 1/1] Fix: vmw_vmci driver get_user_pages_fast error
 handling
Message-ID: <20171102184612.GL21978@ZenIV.linux.org.uk>
References: <20171031230038.7476-1-mathieu.desnoyers@efficios.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20171031230038.7476-1-mathieu.desnoyers@efficios.com>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID: <linux-fsdevel.vger.kernel.org>

On Tue, Oct 31, 2017 at 07:00:38PM -0400, Mathieu Desnoyers wrote:
> Comparing a signed return value against an unsigned num_pages
> field performs the comparison as "unsigned", and therefore mistakenly
> considers get_user_pages_fast() errors as success.

It's worse than that - if you look into the code in question you'll
see
                pr_debug("get_user_pages_fast(produce) failed (retval=%d)",
                        retval);
                qp_release_pages(produce_q->kernel_if->u.h.header_page,
                                 retval, false);
                err = VMCI_ERROR_NO_MEM;
                goto out;
with
static void qp_release_pages(struct page **pages,
                             u64 num_pages, bool dirty)
{
        int i;

        for (i = 0; i < num_pages; i++) {
                if (dirty)
                        set_page_dirty(pages[i]);

                put_page(pages[i]);
                pages[i] = NULL;
        }
}

Now, guess what'll happen if you get there with retval being negative?
AFAICS, the right fix is something along the lines of
        if (retval != produce_q->kernel_if->num_pages) {
                pr_debug("get_user_pages_fast(produce) failed (retval=%d)",
                        retval);
		if (retval > 0)
			qp_release_pages(produce_q->kernel_if->u.h.header_page,
					 retval, false);
                err = VMCI_ERROR_NO_MEM;
                goto out;
        }
and similar for the second caller.  Objections?