From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Matthew Wilcox <willy@infradead.org>,
stable@kernel.org, Linus Torvalds <torvalds@linux-foundation.org>,
Sasha Levin <sashal@kernel.org>,
linux-fsdevel@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 53/53] fs: prevent page refcount overflow in pipe_buf_get
Date: Fri, 26 Apr 2019 21:40:50 -0400 [thread overview]
Message-ID: <20190427014051.7522-53-sashal@kernel.org> (raw)
In-Reply-To: <20190427014051.7522-1-sashal@kernel.org>
From: Matthew Wilcox <willy@infradead.org>
[ Upstream commit 15fab63e1e57be9fdb5eec1bbc5916e9825e9acb ]
Change pipe_buf_get() to return a bool indicating whether it succeeded
in raising the refcount of the page (if the thing in the pipe is a page).
This removes another mechanism for overflowing the page refcount. All
callers converted to handle a failure.
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Matthew Wilcox <willy@infradead.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/dev.c | 12 ++++++------
fs/pipe.c | 4 ++--
fs/splice.c | 12 ++++++++++--
include/linux/pipe_fs_i.h | 10 ++++++----
kernel/trace/trace.c | 6 +++++-
5 files changed, 29 insertions(+), 15 deletions(-)
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index baaed4d05b22..249de20f752a 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1989,10 +1989,8 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
rem += pipe->bufs[(pipe->curbuf + idx) & (pipe->buffers - 1)].len;
ret = -EINVAL;
- if (rem < len) {
- pipe_unlock(pipe);
- goto out;
- }
+ if (rem < len)
+ goto out_free;
rem = len;
while (rem) {
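Review bot: The early `goto out_free` at the `if (rem < len)` check now jumps into the release loop under the new label, which is only correct if `nbuf` is still zero at that point; its initialisation is outside the hunk, so this relies on no buffer having been copied before the length check. A one-line comment at the goto, `/* nbuf is still 0 here: out_free only unlocks and frees */`, would make the invariant visible to whoever next reorders this function. fuse_dev_splice_write() begins before the hunk and ends after it.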
@@ -2010,7 +2008,9 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
pipe->nrbufs--;
} else {
- pipe_buf_get(pipe, ibuf);
+ if (!pipe_buf_get(pipe, ibuf))
+ goto out_free;
+
*obuf = *ibuf;
obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
obuf->len = rem;
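Review bot: The failure path added at the `pipe_buf_get()` call returns whatever `ret` holds at that point, which appears to be the `-EINVAL` set earlier in this function (visible in the previous hunk, with no assignment to `ret` on the lines shown in between), so a saturated page refcount is reported as an invalid argument while the splice.c callers in this same patch report `-EFAULT`. If the distinction matters to userspace it is worth picking one code; at minimum a comment at the goto, `/* page refcount saturated; ret is still -EINVAL */`, records that the error value is deliberate rather than inherited by accident. Since `*obuf = *ibuf` is skipped and `nbuf` is not advanced, the release loop at `out_free` does not touch the buffer whose reference was never taken, which is correct. The enclosing function starts and ends outside this hunk.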
@@ -2033,11 +2033,11 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
ret = fuse_dev_do_write(fud, &cs, len);
pipe_lock(pipe);
+out_free:
for (idx = 0; idx < nbuf; idx++)
pipe_buf_release(pipe, &bufs[idx]);
pipe_unlock(pipe);
-out:
kvfree(bufs);
return ret;
}
diff --git a/fs/pipe.c b/fs/pipe.c
index c51750ed4011..2a297bce381f 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -189,9 +189,9 @@ EXPORT_SYMBOL(generic_pipe_buf_steal);
* in the tee() system call, when we duplicate the buffers in one
* pipe into another.
*/
-void generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
+bool generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
{
- get_page(buf->page);
+ return try_get_page(buf->page);
}
EXPORT_SYMBOL(generic_pipe_buf_get);
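Review bot: The comment block above `generic_pipe_buf_get()` (its start is outside the hunk) still describes only the old void behaviour and says nothing about the new return value, even though this is now the generic implementation behind a `__must_check` contract. Suggest appending `* Returns %true if a page reference was taken, %false if try_get_page() refused because the refcount is close to overflowing; the caller must not use the buffer in that case.` The refusal threshold lives in try_get_page(), which is added by a separate patch in this series, so the comment should point there rather than restate a number.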
diff --git a/fs/splice.c b/fs/splice.c
index 29e92b506394..3ca117e79ee4 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1584,7 +1584,11 @@ static int splice_pipe_to_pipe(struct pipe_inode_info *ipipe,
* Get a reference to this pipe buffer,
* so we can copy the contents over.
*/
- pipe_buf_get(ipipe, ibuf);
+ if (!pipe_buf_get(ipipe, ibuf)) {
+ if (ret == 0)
+ ret = -EFAULT;
+ break;
+ }
*obuf = *ibuf;
/*
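Review bot: The new failure branch turns a saturated page refcount into `-EFAULT` only when nothing has been spliced yet and otherwise silently returns the partial count; that is a defensible short-transfer semantic, but nothing in the hunk says so, and `-EFAULT` is not an obvious code for this condition. Suggest a comment above the `if (!pipe_buf_get(ipipe, ibuf))` test: `/* Refcount saturated: return what was transferred so far, or -EFAULT if nothing was. */`. The same five-line branch is duplicated verbatim in the link_pipe() hunk below, so the comment (or a small shared helper) belongs there too. Both splice_pipe_to_pipe() and link_pipe() begin and end outside their hunks.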
@@ -1658,7 +1662,11 @@ static int link_pipe(struct pipe_inode_info *ipipe,
* Get a reference to this pipe buffer,
* so we can copy the contents over.
*/
- pipe_buf_get(ipipe, ibuf);
+ if (!pipe_buf_get(ipipe, ibuf)) {
+ if (ret == 0)
+ ret = -EFAULT;
+ break;
+ }
obuf = opipe->bufs + nbuf;
*obuf = *ibuf;
diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
index 3ecd7ea212ae..bbee2caf5837 100644
--- a/include/linux/pipe_fs_i.h
+++ b/include/linux/pipe_fs_i.h
@@ -108,18 +108,20 @@ struct pipe_buf_operations {
/*
* Get a reference to the pipe buffer.
*/
- void (*get)(struct pipe_inode_info *, struct pipe_buffer *);
+ bool (*get)(struct pipe_inode_info *, struct pipe_buffer *);
};
/**
* pipe_buf_get - get a reference to a pipe_buffer
* @pipe: the pipe that the buffer belongs to
* @buf: the buffer to get a reference to
+ *
+ * Return: %true if the reference was successfully obtained.
*/
-static inline void pipe_buf_get(struct pipe_inode_info *pipe,
+static inline __must_check bool pipe_buf_get(struct pipe_inode_info *pipe,
struct pipe_buffer *buf)
{
- buf->ops->get(pipe, buf);
+ return buf->ops->get(pipe, buf);
}
/**
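Review bot: The `pipe_buf_operations.get` callback type changes to `bool`, but its comment (`Get a reference to the pipe buffer.`) still reads like the void version, so implementers of new ops have no contract for what the return value means; only the wrapper's kerneldoc gained a `Return:` line. Suggest extending the ops comment to `* Get a reference to the pipe buffer. Returns %false if the reference could not be taken (the refcount would otherwise overflow); every caller converted here bails out in that case and must not copy the buffer.` Putting `__must_check` on `pipe_buf_get()` rather than on the ops pointer is the right choice, since callers go through the wrapper.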
@@ -178,7 +180,7 @@ struct pipe_inode_info *alloc_pipe_info(void);
void free_pipe_info(struct pipe_inode_info *);
/* Generic pipe buffer ops functions */
-void generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *);
+bool generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *);
int generic_pipe_buf_confirm(struct pipe_inode_info *, struct pipe_buffer *);
int generic_pipe_buf_steal(struct pipe_inode_info *, struct pipe_buffer *);
void generic_pipe_buf_release(struct pipe_inode_info *, struct pipe_buffer *);
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index c65cea71d1ee..b01260f7b445 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -6816,12 +6816,16 @@ static void buffer_pipe_buf_release(struct pipe_inode_info *pipe,
buf->private = 0;
}
-static void buffer_pipe_buf_get(struct pipe_inode_info *pipe,
+static bool buffer_pipe_buf_get(struct pipe_inode_info *pipe,
struct pipe_buffer *buf)
{
struct buffer_ref *ref = (struct buffer_ref *)buf->private;
+ if (ref->ref > INT_MAX/2)
+ return false;
+
ref->ref++;
+ return true;
}
/* Pipe buffer operations for a buffer. */
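Review bot: The `INT_MAX/2` threshold in `buffer_pipe_buf_get()` is a magic number with no explanation; it presumably leaves headroom so the plain `ref->ref++` can never wrap, matching the saturation check this series applies to page refcounts, but a reader has to guess that. Suggest a comment before the test: `/* Refuse well below INT_MAX so ref->ref can never wrap (mirrors the page refcount overflow check). */`. The type of `ref->ref` and the locking around this increment are outside the hunk; if the increment is not serialised by the pipe mutex the check-then-increment is racy, which is worth confirming in a comment or the commit message.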
--
2.19.1