[PATCH] cxl/mem: Fixes to IOCTL interface

[PATCH] cxl/mem: Fixes to IOCTL interface

[Ben Widawsky]

When submitting a command for userspace, input and output payload bounce
buffers are allocated. For a given command, both input and output
buffers may exist and so when allocation of the input buffer fails, the
output buffer must be freed. As far as I can tell, userspace can't
easily exploit the leak to OOM a machine unless the machine was already
near OOM state.

This bug was introduced in v5 of the patch and did not exist in prior
revisions.

While here, adjust the variable 'j' found in patch review by Konrad.

Cc: Al Viro <viro@zeniv.linux.org.uk>
Reported-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>
Reviewed-by: Dan Williams <dan.j.williams@intel.com> (v2)
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
---
 drivers/cxl/mem.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c
index df895bcca63a..626fd7066f4f 100644
--- a/drivers/cxl/mem.c
+++ b/drivers/cxl/mem.c
@@ -514,8 +514,10 @@ static int handle_mailbox_cmd_from_user(struct cxl_mem *cxlm,
 	if (cmd->info.size_in) {
 		mbox_cmd.payload_in = vmemdup_user(u64_to_user_ptr(in_payload),
 						   cmd->info.size_in);
-		if (IS_ERR(mbox_cmd.payload_in))
+		if (IS_ERR(mbox_cmd.payload_in)) {
+			kvfree(mbox_cmd.payload_out);
 			return PTR_ERR(mbox_cmd.payload_in);
+		}
 	}
 
 	rc = cxl_mem_mbox_get(cxlm);
@@ -696,7 +698,7 @@ static int cxl_query_cmd(struct cxl_memdev *cxlmd,
 	struct device *dev = &cxlmd->dev;
 	struct cxl_mem_command *cmd;
 	u32 n_commands;
-	int j = 0;
+	int cmds = 0;
 
 	dev_dbg(dev, "Query IOCTL\n");
 
@@ -714,10 +716,10 @@ static int cxl_query_cmd(struct cxl_memdev *cxlmd,
 	cxl_for_each_cmd(cmd) {
 		const struct cxl_command_info *info = &cmd->info;
 
-		if (copy_to_user(&q->commands[j++], info, sizeof(*info)))
+		if (copy_to_user(&q->commands[cmds++], info, sizeof(*info)))
 			return -EFAULT;
 
-		if (j == n_commands)
+		if (cmds == n_commands)
 			break;
 	}
 
-- 
2.30.1
_______________________________________________
Linux-nvdimm mailing list -- linux-nvdimm@lists.01.org
To unsubscribe send an email to linux-nvdimm-leave@lists.01.org

Re: [PATCH] cxl/mem: Fixes to IOCTL interface

[Dan Williams]

On Sat, Feb 20, 2021 at 1:57 PM Ben Widawsky <ben.widawsky@intel.com> wrote:
>
> When submitting a command for userspace, input and output payload bounce
> buffers are allocated. For a given command, both input and output
> buffers may exist and so when allocation of the input buffer fails, the
> output buffer must be freed. As far as I can tell, userspace can't
> easily exploit the leak to OOM a machine unless the machine was already
> near OOM state.
>
> This bug was introduced in v5 of the patch and did not exist in prior
> revisions.
>

Thanks for the quick turnaround, but I think that speed introduced
some issues...

> While here, adjust the variable 'j' found in patch review by Konrad.

Please split this pure cleanup to its own patch. The subject says
"Fixes", but it's only the one fix.

>
> Cc: Al Viro <viro@zeniv.linux.org.uk>
> Reported-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

Since the commit is upstream add a "Fixes" line:

Fixes: 583fa5e71cae ('cxl/mem: Add basic IOCTL interface")

> Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>
> Reviewed-by: Dan Williams <dan.j.williams@intel.com> (v2)
> Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

Jonathan and I didn't pre-review this.
_______________________________________________
Linux-nvdimm mailing list -- linux-nvdimm@lists.01.org
To unsubscribe send an email to linux-nvdimm-leave@lists.01.org

Re: [PATCH] cxl/mem: Fixes to IOCTL interface

[Ben Widawsky]

On 21-02-20 18:38:36, Dan Williams wrote:
> On Sat, Feb 20, 2021 at 1:57 PM Ben Widawsky <ben.widawsky@intel.com> wrote:
> >
> > When submitting a command for userspace, input and output payload bounce
> > buffers are allocated. For a given command, both input and output
> > buffers may exist and so when allocation of the input buffer fails, the
> > output buffer must be freed. As far as I can tell, userspace can't
> > easily exploit the leak to OOM a machine unless the machine was already
> > near OOM state.
> >
> > This bug was introduced in v5 of the patch and did not exist in prior
> > revisions.
> >
> 
> Thanks for the quick turnaround, but I think that speed introduced
> some issues...
> 
> > While here, adjust the variable 'j' found in patch review by Konrad.
> 
> Please split this pure cleanup to its own patch. The subject says
> "Fixes", but it's only the one fix.
> 

This was intentional. I pinged you internally to just drop it if you don't like
to combine these kind of things. It didn't feel worthwhile to introduce a new
patch to change the 'j'. I agree with Konrad that 'j' is not the best variable
name to use. Konrad, maybe you'd like to send a fixup for that one?

I will drop this hunk.

> >
> > Cc: Al Viro <viro@zeniv.linux.org.uk>
> > Reported-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> 
> Since the commit is upstream add a "Fixes" line:
> 
> Fixes: 583fa5e71cae ('cxl/mem: Add basic IOCTL interface")
> 
> > Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>
> > Reviewed-by: Dan Williams <dan.j.williams@intel.com> (v2)
> > Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> 
> Jonathan and I didn't pre-review this.

My bad on this. It was a mistake that I pulled the info from the original patch
I was fixing.
_______________________________________________
Linux-nvdimm mailing list -- linux-nvdimm@lists.01.org
To unsubscribe send an email to linux-nvdimm-leave@lists.01.org

Re: [PATCH] cxl/mem: Fixes to IOCTL interface

[Dan Williams]

On Sat, Feb 20, 2021 at 7:47 PM Ben Widawsky <ben.widawsky@intel.com> wrote:
>
> On 21-02-20 18:38:36, Dan Williams wrote:
> > On Sat, Feb 20, 2021 at 1:57 PM Ben Widawsky <ben.widawsky@intel.com> wrote:
> > >
> > > When submitting a command for userspace, input and output payload bounce
> > > buffers are allocated. For a given command, both input and output
> > > buffers may exist and so when allocation of the input buffer fails, the
> > > output buffer must be freed. As far as I can tell, userspace can't
> > > easily exploit the leak to OOM a machine unless the machine was already
> > > near OOM state.
> > >
> > > This bug was introduced in v5 of the patch and did not exist in prior
> > > revisions.
> > >
> >
> > Thanks for the quick turnaround, but I think that speed introduced
> > some issues...
> >
> > > While here, adjust the variable 'j' found in patch review by Konrad.
> >
> > Please split this pure cleanup to its own patch. The subject says
> > "Fixes", but it's only the one fix.
> >
>
> This was intentional. I pinged you internally to just drop it if you don't like
> to combine these kind of things.

Apologies, I've been offline this weekend and missed that. I will
point out though that in general I will not change patch contents on
the way upstream. The adjusted patch must appear on the mailing list.
The new korg support for attaching attestation to patches requires
they all be on the list, so even small adjustments need new postings.

> It didn't feel worthwhile to introduce a new
> patch to change the 'j'.

Janitorial patches happen all the time, so I think it's ok.
_______________________________________________
Linux-nvdimm mailing list -- linux-nvdimm@lists.01.org
To unsubscribe send an email to linux-nvdimm-leave@lists.01.org

Re: [PATCH] cxl/mem: Fixes to IOCTL interface

[Konrad Rzeszutek Wilk]

..little snip..
> > > While here, adjust the variable 'j' found in patch review by Konrad.
> > 
> > Please split this pure cleanup to its own patch. The subject says
> > "Fixes", but it's only the one fix.
> > 
> 
> This was intentional. I pinged you internally to just drop it if you don't like
> to combine these kind of things. It didn't feel worthwhile to introduce a new
> patch to change the 'j'. I agree with Konrad that 'j' is not the best variable
> name to use. Konrad, maybe you'd like to send a fixup for that one?

Sure, but let do that _after_ Dan does his git-pull so that the
scripts/get_maintainers.pl will nicely pull the right emails :-)

> 
> I will drop this hunk.

+1
_______________________________________________
Linux-nvdimm mailing list -- linux-nvdimm@lists.01.org
To unsubscribe send an email to linux-nvdimm-leave@lists.01.org

[PATCH v2] cxl/mem: Fix potential memory leak

[Ben Widawsky]

When submitting a command for userspace, input and output payload bounce
buffers are allocated. For a given command, both input and output
buffers may exist and so when allocation of the input buffer fails, the
output buffer must be freed too.

As far as I can tell, userspace can't easily exploit the leak to OOM a
machine unless the machine was already near OOM state.

Fixes: 583fa5e71cae ("cxl/mem: Add basic IOCTL interface")
Reported-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>
---
 drivers/cxl/mem.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c
index df895bcca63a..244cb7d89678 100644
--- a/drivers/cxl/mem.c
+++ b/drivers/cxl/mem.c
@@ -514,8 +514,10 @@ static int handle_mailbox_cmd_from_user(struct cxl_mem *cxlm,
 	if (cmd->info.size_in) {
 		mbox_cmd.payload_in = vmemdup_user(u64_to_user_ptr(in_payload),
 						   cmd->info.size_in);
-		if (IS_ERR(mbox_cmd.payload_in))
+		if (IS_ERR(mbox_cmd.payload_in)) {
+			kvfree(mbox_cmd.payload_out);
 			return PTR_ERR(mbox_cmd.payload_in);
+		}
 	}
 
 	rc = cxl_mem_mbox_get(cxlm);
-- 
2.30.1
_______________________________________________
Linux-nvdimm mailing list -- linux-nvdimm@lists.01.org
To unsubscribe send an email to linux-nvdimm-leave@lists.01.org

Re: [PATCH v2] cxl/mem: Fix potential memory leak

[Jonathan Cameron]

On Sat, 20 Feb 2021 19:58:46 -0800
Ben Widawsky <ben.widawsky@intel.com> wrote:

> When submitting a command for userspace, input and output payload bounce
> buffers are allocated. For a given command, both input and output
> buffers may exist and so when allocation of the input buffer fails, the
> output buffer must be freed too.
> 
> As far as I can tell, userspace can't easily exploit the leak to OOM a
> machine unless the machine was already near OOM state.
> 
> Fixes: 583fa5e71cae ("cxl/mem: Add basic IOCTL interface")
> Reported-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>

I'd probably have used a goto and label but I guess this works fine a well.
FWIW on such a small patch.

Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

> ---
>  drivers/cxl/mem.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c
> index df895bcca63a..244cb7d89678 100644
> --- a/drivers/cxl/mem.c
> +++ b/drivers/cxl/mem.c
> @@ -514,8 +514,10 @@ static int handle_mailbox_cmd_from_user(struct cxl_mem *cxlm,
>  	if (cmd->info.size_in) {
>  		mbox_cmd.payload_in = vmemdup_user(u64_to_user_ptr(in_payload),
>  						   cmd->info.size_in);
> -		if (IS_ERR(mbox_cmd.payload_in))
> +		if (IS_ERR(mbox_cmd.payload_in)) {
> +			kvfree(mbox_cmd.payload_out);
>  			return PTR_ERR(mbox_cmd.payload_in);
> +		}
>  	}
>  
>  	rc = cxl_mem_mbox_get(cxlm);
_______________________________________________
Linux-nvdimm mailing list -- linux-nvdimm@lists.01.org
To unsubscribe send an email to linux-nvdimm-leave@lists.01.org

Re: [PATCH v2] cxl/mem: Fix potential memory leak

[Konrad Rzeszutek Wilk]

On Sat, Feb 20, 2021 at 07:58:46PM -0800, Ben Widawsky wrote:
> When submitting a command for userspace, input and output payload bounce
> buffers are allocated. For a given command, both input and output
> buffers may exist and so when allocation of the input buffer fails, the
> output buffer must be freed too.
> 
> As far as I can tell, userspace can't easily exploit the leak to OOM a
> machine unless the machine was already near OOM state.
> 
> Fixes: 583fa5e71cae ("cxl/mem: Add basic IOCTL interface")
> Reported-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

And lets add the other R-tag:

Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

Thank you for quick turn-around!
> Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>
> ---
>  drivers/cxl/mem.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c
> index df895bcca63a..244cb7d89678 100644
> --- a/drivers/cxl/mem.c
> +++ b/drivers/cxl/mem.c
> @@ -514,8 +514,10 @@ static int handle_mailbox_cmd_from_user(struct cxl_mem *cxlm,
>  	if (cmd->info.size_in) {
>  		mbox_cmd.payload_in = vmemdup_user(u64_to_user_ptr(in_payload),
>  						   cmd->info.size_in);
> -		if (IS_ERR(mbox_cmd.payload_in))
> +		if (IS_ERR(mbox_cmd.payload_in)) {
> +			kvfree(mbox_cmd.payload_out);
>  			return PTR_ERR(mbox_cmd.payload_in);
> +		}
>  	}
>  
>  	rc = cxl_mem_mbox_get(cxlm);
> -- 
> 2.30.1
> 
_______________________________________________
Linux-nvdimm mailing list -- linux-nvdimm@lists.01.org
To unsubscribe send an email to linux-nvdimm-leave@lists.01.org