From: Catalin Marinas
To: linux-arm-kernel@lists.infradead.org
Cc: linux-mm@kvack.org, linux-arch@vger.kernel.org, Will Deacon, Dave P Martin, Vincenzo Frascino, Szabolcs Nagy, Kevin Brodsky, Andrey Konovalov, Peter Collingbourne, Andrew Morton, linux-fsdevel@vger.kernel.org, Alexander Viro
Subject: [PATCH v7 24/29] fs: Handle intra-page faults in copy_mount_options()
Date: Wed, 15 Jul 2020 18:08:39 +0100
Message-Id: <20200715170844.30064-25-catalin.marinas@arm.com>
In-Reply-To: <20200715170844.30064-1-catalin.marinas@arm.com>

The copy_mount_options() function takes a user pointer argument but no size and it tries to read up to a PAGE_SIZE. However, copy_from_user() is not guaranteed to return all the accessible bytes if, for example, the access crosses a page boundary and gets a fault on the second page. To work around this, the current copy_mount_options() implementation performs two copy_from_user() passes, first to the end of the current page and the second to what's left in the subsequent page.

On arm64 with MTE enabled, access to a user page may trigger a fault after part of the buffer in a page has been copied (when the user pointer tag, bits 56-59, no longer matches the allocation tag stored in memory). Allow copy_mount_options() to handle such intra-page faults by resorting to byte at a time copy in case of copy_from_user() failure.

Note that copy_from_user() handles the zeroing of the kernel buffer in case of error.

Signed-off-by: Catalin Marinas
Cc: Alexander Viro
---

Al, I thought I'd not spam you with the whole arm64 MTE series, so only cc'ing you on a patch in the middle. Would you mind ack'ing/nak'ing this patch? I intend to push it upstream with the rest of the series for 5.9 (well, assuming nothing falls apart).

It's not as elegant as the previous approach but with MTE we can get faults in the middle of a page, so we'd have to fall back to byte by byte copying.

Thanks.

Notes:
    v6:
    - Simplified logic to fall-back to byte-by-byte if the copy_from_user() fails.

    v4:
    - Rewrite to avoid arch_has_exact_copy_from_user()

    New in v3.

 fs/namespace.c | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index f30ed401cc6d..fc45020c244e 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -3074,7 +3074,7 @@ static void shrink_submounts(struct mount *mnt) void *copy_mount_options(const void __user * data) { char *copy; - unsigned size; + unsigned left, offset; =20 if (!data) return NULL; @@ -3083,16 +3083,27 @@ void *copy_mount_options(const void __user * data= ) if (!copy) return ERR_PTR(-ENOMEM); =20 - size =3D PAGE_SIZE - offset_in_page(data); + left =3D copy_from_user(copy, data, PAGE_SIZE); =20 - if (copy_from_user(copy, data, size)) { + /* + * Not all architectures have an exact copy_from_user(). Resort to + * byte at a time. + */ + offset =3D PAGE_SIZE - left; + while (left) { + char c; + if (get_user(c, (const char __user *)data + offset)) + break; + copy[offset] =3D c; + left--; + offset++; + } + + if (left =3D=3D PAGE_SIZE) { kfree(copy); return ERR_PTR(-EFAULT); } - if (size !=3D PAGE_SIZE) { - if (copy_from_user(copy + size, data + size, PAGE_SIZE - size)) - memset(copy + size, 0, PAGE_SIZE - size); - } + return copy; } =20
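
Review bot: In the second hunk, the comment above the byte-at-a-time loop in copy_mount_options() mentions only that copy_from_user() may be inexact. It should also say that the bytes after the point where get_user() fails stay zero because copy_from_user() zeroed them, since the explicit memset() of the tail is removed and the loop simply breaks. The `left == PAGE_SIZE` check also changes the error behaviour on every architecture, not just arm64 with MTE: the removed code returned -EFAULT whenever the first copy_from_user() up to the end of the page came back short, while the new code returns -EFAULT only when no byte at all could be read and otherwise hands back a truncated, zero-padded buffer. Please state that in the comment or the commit message so callers parsing the options know a short buffer is now possible in that case.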