From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-oa1-f41.google.com (mail-oa1-f41.google.com [209.85.160.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A9DAE3469FA for ; Sat, 30 May 2026 03:07:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.41 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780110430; cv=none; b=Sxj2Ph9u0QFOMW1YPX5fpH6AGREiTVIdR3413UZRIN1zx0hSyFgC5FOO+1vss/y+2kPcWUPguAw9B7T4sN/pRioqU70K1C4Xxxmyd6YUqSLPrE++E8OoqtBreB2XwRUkEnGiEbRXjFuhQukN0SzfTMAWf+7iREvXcGm0wwWRgEs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780110430; c=relaxed/simple; bh=y9o5pE/t2QwB8acLQ6u3PuFsa7vnP5zDEEAoI8hWT6I=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=hp1wO/gk6pS9aZRhDPbk6YQReNb8K2KqJoh8RtJBNKmXYloCh05xnt+VkZFJA7iuoDCmarsrUxq8lDQ56OGsgutj6YB4oqkZb/FKWmWY0h7TKcUgFpkyIkhaLYwKZRO/NSdjldwau+TGxSW+qp6YU6AFUpiMGF+wDqV4J+68ia0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Ye+po/QO; arc=none smtp.client-ip=209.85.160.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Ye+po/QO" Received: by mail-oa1-f41.google.com with SMTP id 586e51a60fabf-43b6f782cfaso3626230fac.3 for ; Fri, 29 May 2026 20:07:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780110428; x=1780715228; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=dqjY4u9zUiWcPW2IlZPEJiw+YGemyDZucGA8LuuTFVU=; b=Ye+po/QOHyRrLXjxUNfqlFfMKWiIN8ieXdmdhLpPaJtq6xv9K7Deg3yivJWcYk9Pp2 rbfgTZmho0TGBZwNGCkYWhs5K4m9Zx6JxyDwHaFt1CfXP/V4mGLuzvPiS1A91kHTpsNo 0N6z+Jk2/jQZZfYbnKQwA9pFztGYwc+2P8KgtBzHQ8ABDj8ZXbJlvwk0PJZM1E8X7v4k Byj3WiRbbm0QSXf8bxWaBQGTTJlczvCBF7M1SuPCtJT7BRKPT4s2PL8IeR1fnhzujwdJ WDdvjiJjQKm/UbF0hYGMPd1A4c9MAaFhoEIxSg0kohqUAJNcT3ER5O1wdlTP7SGvz5cr AlDQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780110428; x=1780715228; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=dqjY4u9zUiWcPW2IlZPEJiw+YGemyDZucGA8LuuTFVU=; b=bX8OZBf8XKhQpdwMJJRIKWN33TlmuwGShUkTuoc7XUUCz671crg9jrrfF4v+AdpBsm i4BhB7Gz+Qdfr+C8CAErJh3qcste9KZkV6UAjorxGJkd8NGhUMTYNmc9IwNybAqUBQm9 6ScXdVqeesime97LcNRCkRLJF2irzxVBdCEtXctppv9KXtz1IDaVEfw/ZJJOFXlznZ3Q f8O/bDOGhzrXa2bzR+s96h+NBBVq4nZHnvmY1X0RikoYYoA1LVgK3fUulsORx78CBrEM DoaVdFXSTbI6qKgvy0KBM3VU1p2SrabvpZzXNAgVkHwwLDqp9gKcE2rBzqSj533DsqQ/ mqXw== X-Forwarded-Encrypted: i=1; AFNElJ+ZSUIGTElINE/DwCjA8NCrjWgGRcFCOwFny/BWa6FH2cmYoNmzHWxfaeM1IrN+Al2cQ/7VvZJvqrhFg/Y=@vger.kernel.org X-Gm-Message-State: AOJu0YxX8RIiizWq7e7aHTRO2dPsOnG3uzRun29ePhD4K9JMkoKVVznd XXdeODDZ5ayYQpBEWypXbSJLjWJFqC1dW/8ScQrH/UT980OloZW7x77C X-Gm-Gg: Acq92OFQlLn2rUR2InzAKnJz6ztfejk1a4d67jh7JzdzycLdg6Hzva5+mZN4atLjjLT uz+/88aNbZAaiQvJCcYCvg3kMylImo0lRwUiSjXfDtwl/zMIC7aOJKEYhtETZN16ra1Y1WrlBJp vmjE9p1TpOPciq5K75+hRyEjwCeKCChp700m+dnlgcz9AZRTnH4nqEJ8x6QWTLfA6SnHkq6ik2Y 00K2CrsfSC7ec7KJP7JH0ZZ5g2YjTBLy07yyQjF9lKuyUb9cyz/3EA3VG9ouw9o5DxCipWhjHOL /xre2qJUQhwItT36U8pPf4OAgbo6vOqlJugxPXtsIfM9p5xCdOqcpi44G5WsJYrvyVMOpfyJaqp r29FrWZISDztgsvVvYHPppn1YmYJoWcWr/jY2PxW2jdPsS31N/AFNfpVaINESQ20I0wHPWS1Vae xlyIt5MX3Wv7ZUUHV4pViuPgXLPuJtx6SAZLPheDdc63pIdLMM2jFZsOYunRf0OdYTqDwyxQ== X-Received: by 2002:a05:6870:1613:b0:43b:722c:d29 with SMTP id 586e51a60fabf-43ca42c5fd2mr1468423fac.25.1780110427609; Fri, 29 May 2026 20:07:07 -0700 (PDT) Received: from localhost (static-23-234-115-121.cust.tzulo.com. [23.234.115.121]) by smtp.gmail.com with UTF8SMTPSA id 586e51a60fabf-43c93abfe02sm2549669fac.5.2026.05.29.20.07.05 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 29 May 2026 20:07:06 -0700 (PDT) From: Sam Edwards X-Google-Original-From: Sam Edwards To: Ilya Dryomov , Alex Markuze , Viacheslav Dubeyko Cc: Jeff Layton , Xiubo Li , ceph-devel@vger.kernel.org, linux-kernel@vger.kernel.org, Sam Edwards , stable@vger.kernel.org Subject: [PATCH v2 2/2] ceph: properly decrypt filenames in vmalloc() buffers Date: Fri, 29 May 2026 20:06:46 -0700 Message-ID: <20260530030646.85589-3-CFSworks@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260530030646.85589-1-CFSworks@gmail.com> References: <20260530030646.85589-1-CFSworks@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit The fscrypt subsystem uses the scatterlist crypto API, inheriting its requirement that any buffers are in the linear mapping region. However, the messenger client uses kvmalloc() to create buffers for messages, which will occasionally place those buffers in the vmalloc() region when physical memory fragmentation doesn't permit a large enough kmalloc(). The various callers of ceph_fname_to_usr() directly pass (slices of) raw messages from the MDS without considering that the messages may be in vmalloc() buffers, resulting in oopses especially on non-x86 platforms (see 'Closes:' for more details and a reproducer). Make ceph_fname_to_usr() explicitly tolerant of vmalloc()-allocated fname->ctext, fname->name, and/or oname->name buffers, using `tname` (which, when non-null, must be a linear address; when null, is briefly allocated as necessary) as a bounce buffer to avoid passing any inappropriate addresses to fscrypt_fname_disk_to_usr(). Additionally change parse_reply_info_readdir() -- the only function to supply its own `tname` -- to follow the new "tname must never come from vmalloc()" rule by passing NULL when the message is not in the linear region. Though this causes a per-dentry kmalloc()+kfree(), this overhead exists only when processing the minority of messages that spill into vmalloc(). My (crude) testing puts this at only about 1 in 8,000 readdir messages. Still, if the overhead proves unreasonable in the future, it is easy enough to mitigate: a future change could allocate a bounce buffer in parse_reply_info_readdir() and use that as `tname` instead. Fixes: 457117f077c67 ("ceph: add helpers for converting names for userland presentation") Closes: https://lore.kernel.org/ceph-devel/CAH5Ym4ga7miUQE0K-cJA93Ya7w62P69MAN27R5cBiYnudoOHdA@mail.gmail.com/T/ Cc: stable@vger.kernel.org # v6.6+ Signed-off-by: Sam Edwards --- fs/ceph/crypto.c | 43 ++++++++++++++++++++++++++++++++++--------- fs/ceph/mds_client.c | 8 ++++++-- 2 files changed, 40 insertions(+), 11 deletions(-) diff --git a/fs/ceph/crypto.c b/fs/ceph/crypto.c index 7493a3acd7d0..bc0a097a4cea 100644 --- a/fs/ceph/crypto.c +++ b/fs/ceph/crypto.c @@ -298,6 +298,10 @@ int ceph_encode_encrypted_dname(struct inode *parent, char *buf, int elen) * Otherwise, base64 decode the string, and then ask fscrypt to format it * for userland presentation. * + * Though the fscrypt/crypto subsystems broadly expect all buffers to be in the + * linear-mapped region, this function slightly relaxes those requirements: + * fname->ctext, fname->name, and oname->name may be vmalloc(), but not tname. + * * Returns 0 on success or negative error code on error. */ int ceph_fname_to_usr(const struct ceph_fname *fname, unsigned char *tname, @@ -305,11 +309,15 @@ int ceph_fname_to_usr(const struct ceph_fname *fname, unsigned char *tname, { struct inode *dir = fname->dir; struct fscrypt_str _tname = FSTR_INIT(NULL, 0); + struct fscrypt_str _oname; struct fscrypt_str iname; char *name = fname->name; int name_len = fname->name_len; int ret; + if (WARN_ON_ONCE(tname && is_vmalloc_addr(tname))) + return -EIO; + /* Sanity check that the resulting name will fit in the buffer */ if (fname->name_len > NAME_MAX || fname->ctext_len > NAME_MAX) return -EIO; @@ -350,16 +358,18 @@ int ceph_fname_to_usr(const struct ceph_fname *fname, unsigned char *tname, goto out_inode; } + if (!tname && (fname->ctext_len == 0 || + unlikely(is_vmalloc_addr(fname->ctext)) || + unlikely(is_vmalloc_addr(oname->name)))) { + ret = fscrypt_fname_alloc_buffer(NAME_MAX, &_tname); + if (ret) + goto out_inode; + tname = _tname.name; + } + if (fname->ctext_len == 0) { int declen; - if (!tname) { - ret = fscrypt_fname_alloc_buffer(NAME_MAX, &_tname); - if (ret) - goto out_inode; - tname = _tname.name; - } - declen = base64_decode(name, name_len, tname, false, BASE64_IMAP); if (declen <= 0) { ret = -EIO; @@ -367,13 +377,28 @@ int ceph_fname_to_usr(const struct ceph_fname *fname, unsigned char *tname, } iname.name = tname; iname.len = declen; + } else if (unlikely(is_vmalloc_addr(fname->ctext))) { + memcpy(tname, fname->ctext, fname->ctext_len); + + iname.name = tname; + iname.len = fname->ctext_len; } else { iname.name = fname->ctext; iname.len = fname->ctext_len; } - ret = fscrypt_fname_disk_to_usr(dir, 0, 0, &iname, oname); - if (!ret && (dir != fname->dir)) { + _oname.name = unlikely(is_vmalloc_addr(oname->name)) ? tname : oname->name; + _oname.len = oname->len; + + ret = fscrypt_fname_disk_to_usr(dir, 0, 0, &iname, &_oname); + if (ret) + goto out; + + if (unlikely(is_vmalloc_addr(oname->name))) + memcpy(oname->name, _oname.name, _oname.len); + oname->len = _oname.len; + + if (dir != fname->dir) { char tmp_buf[BASE64_CHARS(NAME_MAX)]; name_len = snprintf(tmp_buf, sizeof(tmp_buf), "_%.*s_%llu", diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c index aa6730b48e97..8fcf185e3a82 100644 --- a/fs/ceph/mds_client.c +++ b/fs/ceph/mds_client.c @@ -538,9 +538,13 @@ static int parse_reply_info_readdir(void **p, void *end, * to do the base64_decode in-place. It's * safe because the decoded string should * always be shorter, which is 3/4 of origin - * string. + * string. If this message was allocated with + * vmalloc() (happens, but rarely), leave it + * NULL and let ceph_fname_to_usr() allocate + * suitable temporary working space instead. */ - tname = _name; + if (likely(!is_vmalloc_addr(_name))) + tname = _name; /* * Set oname to _name too, and this will be -- 2.53.0