From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Matthew Wilcox <willy@infradead.org>,
stable@kernel.org, Linus Torvalds <torvalds@linux-foundation.org>,
Sasha Levin <sashal@kernel.org>,
linux-fsdevel@vger.kernel.org
Subject: [PATCH AUTOSEL 5.0 79/79] fs: prevent page refcount overflow in pipe_buf_get
Date: Fri, 26 Apr 2019 21:38:38 -0400 [thread overview]
Message-ID: <20190427013838.6596-79-sashal@kernel.org> (raw)
In-Reply-To: <20190427013838.6596-1-sashal@kernel.org>
From: Matthew Wilcox <willy@infradead.org>
[ Upstream commit 15fab63e1e57be9fdb5eec1bbc5916e9825e9acb ]
Change pipe_buf_get() to return a bool indicating whether it succeeded
in raising the refcount of the page (if the thing in the pipe is a page).
This removes another mechanism for overflowing the page refcount. All
callers converted to handle a failure.
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Matthew Wilcox <willy@infradead.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/dev.c | 12 ++++++------
fs/pipe.c | 4 ++--
fs/splice.c | 12 ++++++++++--
include/linux/pipe_fs_i.h | 10 ++++++----
kernel/trace/trace.c | 6 +++++-
5 files changed, 29 insertions(+), 15 deletions(-)
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 809c0f2f9942..64f4de983468 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -2034,10 +2034,8 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
rem += pipe->bufs[(pipe->curbuf + idx) & (pipe->buffers - 1)].len;
ret = -EINVAL;
- if (rem < len) {
- pipe_unlock(pipe);
- goto out;
- }
+ if (rem < len)
+ goto out_free;
rem = len;
while (rem) {
@@ -2055,7 +2053,9 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
pipe->nrbufs--;
} else {
- pipe_buf_get(pipe, ibuf);
+ if (!pipe_buf_get(pipe, ibuf))
+ goto out_free;
+
*obuf = *ibuf;
obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
obuf->len = rem;
@@ -2078,11 +2078,11 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
ret = fuse_dev_do_write(fud, &cs, len);
pipe_lock(pipe);
+out_free:
for (idx = 0; idx < nbuf; idx++)
pipe_buf_release(pipe, &bufs[idx]);
pipe_unlock(pipe);
-out:
kvfree(bufs);
return ret;
}
diff --git a/fs/pipe.c b/fs/pipe.c
index c51750ed4011..2a297bce381f 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -189,9 +189,9 @@ EXPORT_SYMBOL(generic_pipe_buf_steal);
* in the tee() system call, when we duplicate the buffers in one
* pipe into another.
*/
-void generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
+bool generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
{
- get_page(buf->page);
+ return try_get_page(buf->page);
}
EXPORT_SYMBOL(generic_pipe_buf_get);
diff --git a/fs/splice.c b/fs/splice.c
index 90c29675d573..386a5cc74f1e 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1588,7 +1588,11 @@ retry:
* Get a reference to this pipe buffer,
* so we can copy the contents over.
*/
- pipe_buf_get(ipipe, ibuf);
+ if (!pipe_buf_get(ipipe, ibuf)) {
+ if (ret == 0)
+ ret = -EFAULT;
+ break;
+ }
*obuf = *ibuf;
/*
@@ -1662,7 +1666,11 @@ static int link_pipe(struct pipe_inode_info *ipipe,
* Get a reference to this pipe buffer,
* so we can copy the contents over.
*/
- pipe_buf_get(ipipe, ibuf);
+ if (!pipe_buf_get(ipipe, ibuf)) {
+ if (ret == 0)
+ ret = -EFAULT;
+ break;
+ }
obuf = opipe->bufs + nbuf;
*obuf = *ibuf;
diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
index 3ecd7ea212ae..bbee2caf5837 100644
--- a/include/linux/pipe_fs_i.h
+++ b/include/linux/pipe_fs_i.h
@@ -108,18 +108,20 @@ struct pipe_buf_operations {
/*
* Get a reference to the pipe buffer.
*/
- void (*get)(struct pipe_inode_info *, struct pipe_buffer *);
+ bool (*get)(struct pipe_inode_info *, struct pipe_buffer *);
};
/**
* pipe_buf_get - get a reference to a pipe_buffer
* @pipe: the pipe that the buffer belongs to
* @buf: the buffer to get a reference to
+ *
+ * Return: %true if the reference was successfully obtained.
*/
-static inline void pipe_buf_get(struct pipe_inode_info *pipe,
+static inline __must_check bool pipe_buf_get(struct pipe_inode_info *pipe,
struct pipe_buffer *buf)
{
- buf->ops->get(pipe, buf);
+ return buf->ops->get(pipe, buf);
}
/**
@@ -178,7 +180,7 @@ struct pipe_inode_info *alloc_pipe_info(void);
void free_pipe_info(struct pipe_inode_info *);
/* Generic pipe buffer ops functions */
-void generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *);
+bool generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *);
int generic_pipe_buf_confirm(struct pipe_inode_info *, struct pipe_buffer *);
int generic_pipe_buf_steal(struct pipe_inode_info *, struct pipe_buffer *);
void generic_pipe_buf_release(struct pipe_inode_info *, struct pipe_buffer *);
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 89158aa93fa6..de77420f83f8 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -6836,12 +6836,16 @@ static void buffer_pipe_buf_release(struct pipe_inode_info *pipe,
buf->private = 0;
}
-static void buffer_pipe_buf_get(struct pipe_inode_info *pipe,
+static bool buffer_pipe_buf_get(struct pipe_inode_info *pipe,
struct pipe_buffer *buf)
{
struct buffer_ref *ref = (struct buffer_ref *)buf->private;
+ if (ref->ref > INT_MAX/2)
+ return false;
+
ref->ref++;
+ return true;
}
/* Pipe buffer operations for a buffer. */
--
2.19.1
prev parent reply other threads:[~2019-04-27 1:40 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-27 1:37 [PATCH AUTOSEL 5.0 01/79] ASoC: tlv320aic3x: fix reset gpio reference counting Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 02/79] ASoC: hdmi-codec: fix S/PDIF DAI Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 03/79] ASoC: ab8500: Mark expected switch fall-through Sasha Levin
2019-04-27 17:14 ` Mark Brown
2019-04-27 17:31 ` Gustavo A. R. Silva
2019-04-27 18:00 ` Mark Brown
2019-04-28 1:06 ` Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 04/79] ASoC: stm32: sai: fix iec958 controls indexation Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 05/79] ASoC: stm32: sai: fix exposed capabilities in spdif mode Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 06/79] ASoC: stm32: sai: fix race condition in irq handler Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 07/79] ASoC:soc-pcm:fix a codec fixup issue in TDM case Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 08/79] ASoC:hdac_hda:use correct format to setup hda codec Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 09/79] ASoC:intel:skl:fix a simultaneous playback & capture issue on hda platform Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 10/79] ASoC: dpcm: prevent snd_soc_dpcm use after free Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 11/79] ASoC: nau8824: fix the issue of the widget with prefix name Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 12/79] ASoC: nau8810: fix the issue of widget with prefixed name Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 13/79] ASoC: samsung: odroid: Fix clock configuration for 44100 sample rate Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 14/79] ASoC: rt5682: Check JD status when system resume Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 15/79] ASoC: rt5682: fix jack type detection issue Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 16/79] ASoC: rt5682: recording has no sound after booting Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 17/79] ASoC: wm_adsp: Add locking to wm_adsp2_bus_error Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 18/79] clk: meson-gxbb: round the vdec dividers to closest Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 19/79] ASoC: stm32: dfsdm: manage multiple prepare Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 20/79] ASoC: stm32: dfsdm: fix debugfs warnings on entry creation Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 21/79] ASoC: cs4270: Set auto-increment bit for register writes Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 22/79] ASoC: dapm: Fix NULL pointer dereference in snd_soc_dapm_free_kcontrol Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 23/79] drm/omap: hdmi4_cec: Fix CEC clock handling for PM Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 24/79] IB/hfi1: Clear the IOWAIT pending bits when QP is put into error state Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 25/79] IB/hfi1: Eliminate opcode tests on mr deref Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 26/79] IB/hfi1: Fix the allocation of RSM table Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 27/79] MIPS: KGDB: fix kgdb support for SMP platforms Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 28/79] ASoC: tlv320aic32x4: Fix Common Pins Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 29/79] drm/mediatek: Fix an error code in mtk_hdmi_dt_parse_pdata() Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 30/79] ASoC: dpcm: skip missing substream while applying symmetry Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 31/79] perf/x86/intel: Fix handling of wakeup_events for multi-entry PEBS Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 32/79] perf/x86/intel: Initialize TFA MSR Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 33/79] linux/kernel.h: Use parentheses around argument in u64_to_user_ptr() Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 34/79] ALSA: hda/realtek - Move to ACT_INIT state Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 35/79] iov_iter: Fix build error without CONFIG_CRYPTO Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 36/79] xtensa: fix initialization of pt_regs::syscall in start_thread Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 37/79] ASoC: rockchip: pdm: fix regmap_ops hang issue Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 38/79] drm/amdkfd: Add picasso pci id Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 39/79] drm/amdgpu: Adjust IB test timeout for XGMI configuration Sasha Levin
2019-04-27 1:37 ` [PATCH AUTOSEL 5.0 40/79] drm/amdgpu: amdgpu_device_recover_vram always failed if only one node in shadow_list Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 41/79] drm/amd/display: fix cursor black issue Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 42/79] ASoC: cs35l35: Disable regulators on driver removal Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 43/79] objtool: Add rewind_stack_do_exit() to the noreturn list Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 44/79] powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64 Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 45/79] slab: fix a crash by reading /proc/slab_allocators Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 46/79] ASoC: stm32: fix sai driver name initialisation Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 47/79] drm/sun4i: tcon top: Fix NULL/invalid pointer dereference in sun8i_tcon_top_un/bind Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 48/79] virtio_pci: fix a NULL pointer reference in vp_del_vqs Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 49/79] RDMA/vmw_pvrdma: Fix memory leak on pvrdma_pci_remove Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 50/79] RDMA/hns: Fix bug that caused srq creation to fail Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 51/79] tpm: fix an invalid condition in tpm_common_poll Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 52/79] KEYS: trusted: fix -Wvarags warning Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 53/79] scsi: csiostor: fix missing data copy in csio_scsi_err_handler() Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 54/79] drm/mediatek: fix possible object reference leak Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 55/79] drm/mediatek: fix the rate and divder of hdmi phy for MT2701 Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 56/79] drm/mediatek: make implementation of recalc_rate() for MT2701 hdmi phy Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 57/79] drm/mediatek: remove flag CLK_SET_RATE_PARENT " Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 58/79] drm/mediatek: using new factor for tvdpll " Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 59/79] drm/mediatek: no change parent rate in round_rate() " Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 60/79] Bluetooth: btusb: request wake pin with NOAUTOEN Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 61/79] ASoC: Intel: kbl: fix wrong number of channels Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 62/79] ASoC: stm32: sai: fix master clock management Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 63/79] ALSA: hda: Fix racy display power access Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 64/79] block, bfq: fix use after free in bfq_bfqq_expire Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 65/79] virtio-blk: limit number of hw queues by nr_cpu_ids Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 66/79] blk-mq: introduce blk_mq_complete_request_sync() Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 67/79] nvme: cancel request synchronously Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 68/79] clk: x86: Add system specific quirk to mark clocks as critical Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 69/79] nvme-fc: correct csn initialization and increments on error Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 70/79] nvmet: fix discover log page when offsets are used Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 71/79] platform/x86: pmc_atom: Drop __initconst on dmi table Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 72/79] NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 73/79] NFSv4.1 fix incorrect return value in copy_file_range Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 74/79] perf/core: Fix perf_event_disable_inatomic() race Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 75/79] iommu/amd: Set exclusion range correctly Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 76/79] mm: make page ref count overflow check tighter and more explicit Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 77/79] mm: add 'try_get_page()' helper function Sasha Levin
2019-04-27 1:38 ` [PATCH AUTOSEL 5.0 78/79] mm: prevent get_user_pages() from overflowing page refcount Sasha Levin
2019-04-27 1:38 ` Sasha Levin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190427013838.6596-79-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox