From patchwork Fri Sep 4 10:30:24 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Catalin Marinas X-Patchwork-Id: 11756557 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E83BA618 for ; Fri, 4 Sep 2020 10:31:34 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id B635821775 for ; Fri, 4 Sep 2020 10:31:34 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B635821775 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=arm.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 3DC5E6B00A8; Fri, 4 Sep 2020 06:31:33 -0400 (EDT) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 36B0F6B00AA; Fri, 4 Sep 2020 06:31:33 -0400 (EDT) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 1934A6B00AB; Fri, 4 Sep 2020 06:31:33 -0400 (EDT) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0105.hostedemail.com [216.40.44.105]) by kanga.kvack.org (Postfix) with ESMTP id F24F86B00A8 for ; Fri, 4 Sep 2020 06:31:32 -0400 (EDT) Received: from smtpin07.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay03.hostedemail.com (Postfix) with ESMTP id C52F0824556B for ; Fri, 4 Sep 2020 10:31:32 +0000 (UTC) X-FDA: 77225012424.07.cable79_540422a270b1 Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251]) by smtpin07.hostedemail.com (Postfix) with ESMTP id 9184F1803F9AC for ; Fri, 4 Sep 2020 10:31:32 +0000 (UTC) X-Spam-Summary: 1,0,0,563891b3521c8156,d41d8cd98f00b204,cmainas@kernel.org,,RULES_HIT:41:355:379:421:541:800:960:966:973:988:989:1260:1311:1314:1345:1359:1437:1515:1534:1542:1711:1730:1747:1777:1792:2196:2198:2199:2200:2393:2553:2559:2562:2899:2901:3138:3139:3140:3141:3142:3354:3743:3865:3866:3867:3868:3870:3871:3872:3874:4250:4321:4362:4385:4605:5007:6261:6742:7875:8603:10004:11026:11232:11658:11914:12043:12114:12296:12297:12438:12517:12519:12555:12986:13161:13180:13229:13894:14180:14181:14394:14721:21060:21080:21230:21451:21627:21740:21795:21990:30051:30054:30079:30090,0,RBL:198.145.29.99:@kernel.org:.lbl8.mailshell.net-62.2.0.100 64.100.201.201;04y84yttap4touci78xf6yqwroxkuypee8a4b11ktypfet8gjysq7cyjub3itth.rfeabf68bzged144dj4izeswxs8hmouo8iyu1uxy6tbq9u3frpihgi7ozt4mb9c.k-lbl8.mailshell.net-223.238.255.100,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:fp,MSBL:0,DNSBL:neutral,Custom_rules:0:0:0,LFtime:24,LUA_SUMMARY:none X-HE-Tag: cable79_540422a270b1 X-Filterd-Recvd-Size: 4041 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by imf16.hostedemail.com (Postfix) with ESMTP for ; Fri, 4 Sep 2020 10:31:32 +0000 (UTC) Received: from localhost.localdomain (unknown [46.69.195.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 609E9208B3; Fri, 4 Sep 2020 10:31:29 +0000 (UTC) From: Catalin Marinas To: linux-arm-kernel@lists.infradead.org Cc: linux-mm@kvack.org, linux-arch@vger.kernel.org, Will Deacon , Dave P Martin , Vincenzo Frascino , Szabolcs Nagy , Kevin Brodsky , Andrey Konovalov , Peter Collingbourne , Andrew Morton , Alexander Viro Subject: [PATCH v9 24/29] fs: Handle intra-page faults in copy_mount_options() Date: Fri, 4 Sep 2020 11:30:24 +0100 Message-Id: <20200904103029.32083-25-catalin.marinas@arm.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200904103029.32083-1-catalin.marinas@arm.com> References: <20200904103029.32083-1-catalin.marinas@arm.com> MIME-Version: 1.0 X-Rspamd-Queue-Id: 9184F1803F9AC X-Spamd-Result: default: False [0.00 / 100.00] X-Rspamd-Server: rspam04 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: The copy_mount_options() function takes a user pointer argument but no size and it tries to read up to a PAGE_SIZE. However, copy_from_user() is not guaranteed to return all the accessible bytes if, for example, the access crosses a page boundary and gets a fault on the second page. To work around this, the current copy_mount_options() implementation performs two copy_from_user() passes, first to the end of the current page and the second to what's left in the subsequent page. On arm64 with MTE enabled, access to a user page may trigger a fault after part of the buffer in a page has been copied (when the user pointer tag, bits 56-59, no longer matches the allocation tag stored in memory). Allow copy_mount_options() to handle such intra-page faults by resorting to byte at a time copy in case of copy_from_user() failure. Note that copy_from_user() handles the zeroing of the kernel buffer in case of error. Signed-off-by: Catalin Marinas Cc: Alexander Viro --- Hi Al, If there are any objections to this patch, please let me know. Otherwise, I plan to queue it together with the rest of the arm64 MTE series. Thanks. Notes: v6: - Simplified logic to fall-back to byte-by-byte if the copy_from_user() fails. v4: - Rewrite to avoid arch_has_exact_copy_from_user() New in v3. fs/namespace.c | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index bae0e95b3713..32a0b9146757 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -3075,7 +3075,7 @@ static void shrink_submounts(struct mount *mnt) void *copy_mount_options(const void __user * data) { char *copy; - unsigned size; + unsigned left, offset; if (!data) return NULL; @@ -3084,16 +3084,27 @@ void *copy_mount_options(const void __user * data) if (!copy) return ERR_PTR(-ENOMEM); - size = PAGE_SIZE - offset_in_page(data); + left = copy_from_user(copy, data, PAGE_SIZE); - if (copy_from_user(copy, data, size)) { + /* + * Not all architectures have an exact copy_from_user(). Resort to + * byte at a time. + */ + offset = PAGE_SIZE - left; + while (left) { + char c; + if (get_user(c, (const char __user *)data + offset)) + break; + copy[offset] = c; + left--; + offset++; + } + + if (left == PAGE_SIZE) { kfree(copy); return ERR_PTR(-EFAULT); } - if (size != PAGE_SIZE) { - if (copy_from_user(copy + size, data + size, PAGE_SIZE - size)) - memset(copy + size, 0, PAGE_SIZE - size); - } + return copy; }