summaryrefslogtreecommitdiff
path: root/fs
diff options
context:
space:
mode:
authorCatalin Marinas <catalin.marinas@arm.com>2020-07-01 17:46:06 +0100
committerCatalin Marinas <catalin.marinas@arm.com>2020-09-04 12:46:07 +0100
commitd563d678aa0be06e7bff2953c986f5ff0355f79c (patch)
treef816dcd2271211869df0846df64580d996146d09 /fs
parent2200aa7154cb7ef76bac93e98326883ba64bfa2e (diff)
downloadlwn-d563d678aa0be06e7bff2953c986f5ff0355f79c.tar.gz
lwn-d563d678aa0be06e7bff2953c986f5ff0355f79c.zip
fs: Handle intra-page faults in copy_mount_options()
The copy_mount_options() function takes a user pointer argument but no size and it tries to read up to a PAGE_SIZE. However, copy_from_user() is not guaranteed to return all the accessible bytes if, for example, the access crosses a page boundary and gets a fault on the second page. To work around this, the current copy_mount_options() implementation performs two copy_from_user() passes, first to the end of the current page and the second to what's left in the subsequent page. On arm64 with MTE enabled, access to a user page may trigger a fault after part of the buffer in a page has been copied (when the user pointer tag, bits 56-59, no longer matches the allocation tag stored in memory). Allow copy_mount_options() to handle such intra-page faults by resorting to byte at a time copy in case of copy_from_user() failure. Note that copy_from_user() handles the zeroing of the kernel buffer in case of error. Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs')
-rw-r--r--fs/namespace.c25
1 files changed, 18 insertions, 7 deletions
diff --git a/fs/namespace.c b/fs/namespace.c
index bae0e95b3713..32a0b9146757 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -3075,7 +3075,7 @@ static void shrink_submounts(struct mount *mnt)
void *copy_mount_options(const void __user * data)
{
char *copy;
- unsigned size;
+ unsigned left, offset;
if (!data)
return NULL;
@@ -3084,16 +3084,27 @@ void *copy_mount_options(const void __user * data)
if (!copy)
return ERR_PTR(-ENOMEM);
- size = PAGE_SIZE - offset_in_page(data);
+ left = copy_from_user(copy, data, PAGE_SIZE);
- if (copy_from_user(copy, data, size)) {
+ /*
+ * Not all architectures have an exact copy_from_user(). Resort to
+ * byte at a time.
+ */
+ offset = PAGE_SIZE - left;
+ while (left) {
+ char c;
+ if (get_user(c, (const char __user *)data + offset))
+ break;
+ copy[offset] = c;
+ left--;
+ offset++;
+ }
+
+ if (left == PAGE_SIZE) {
kfree(copy);
return ERR_PTR(-EFAULT);
}
- if (size != PAGE_SIZE) {
- if (copy_from_user(copy + size, data + size, PAGE_SIZE - size))
- memset(copy + size, 0, PAGE_SIZE - size);
- }
+
return copy;
}