From: Christoph Hellwig <hch@lst.de>
To: Linus Torvalds <torvalds@linux-foundation.org>, Al Viro <viro@zeniv.linux.org.uk>, Michael Ellerman <mpe@ellerman.id.au>, x86@kernel.org
Cc: Kees Cook <keescook@chromium.org>, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, linuxppc-dev@lists.ozlabs.org
Subject: [PATCH 01/10] fs: don't allow kernel reads and writes without iter ops
Date: Thu, 27 Aug 2020 17:00:21 +0200
Message-ID: <20200827150030.282762-2-hch@lst.de>
In-Reply-To: <20200827150030.282762-1-hch@lst.de>

Don't allow calling ->read or ->write with set_fs as a preparation for killing off set_fs. All the instances that we use kernel_read/write on are using the iter ops already.

If a file has both the regular ->read/->write methods and the iter variants those could have different semantics for messed up enough drivers. Also fails the kernel access to them in that case.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Kees Cook <keescook@chromium.org>
---
 fs/read_write.c | 67 +++++++++++++++++++++++++++++++------------------
 1 file changed, 42 insertions(+), 25 deletions(-)

diff --git a/fs/read_write.c b/fs/read_write.c index 5db58b8c78d0dd..702c4301d9eb6b 100644 --- a/fs/read_write.c +++ b/fs/read_write.c 
@@ -419,27 +419,41 @@ static ssize_t new_sync_read(struct file *filp, char __user *buf, size_t len, lo return ret; } +static int warn_unsupported(struct file *file, const char *op) +{ + pr_warn_ratelimited( + "kernel %s not supported for file %pD4 (pid: %d comm: %.20s)\n", + op, file, current->pid, current->comm); + return -EINVAL; +} + ssize_t __kernel_read(struct file *file, void *buf, size_t count, loff_t *pos) { - mm_segment_t old_fs = get_fs(); + struct kvec iov = { + .iov_base = buf, + .iov_len = min_t(size_t, count, MAX_RW_COUNT), + }; + struct kiocb kiocb; + struct iov_iter iter; ssize_t ret; if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ))) return -EINVAL; if (!(file->f_mode & FMODE_CAN_READ)) return -EINVAL; + /* + * Also fail if ->read_iter and ->read are both wired up as that + * implies very convoluted semantics. + */ + if (unlikely(!file->f_op->read_iter || file->f_op->read)) + return warn_unsupported(file, "read"); - if (count > MAX_RW_COUNT) - count = MAX_RW_COUNT; - set_fs(KERNEL_DS); - if (file->f_op->read) - ret = file->f_op->read(file, (void __user *)buf, count, pos); - else if (file->f_op->read_iter) - ret = new_sync_read(file, (void __user *)buf, count, pos); - else - ret = -EINVAL; - set_fs(old_fs); + init_sync_kiocb(&kiocb, file); + kiocb.ki_pos = *pos; + iov_iter_kvec(&iter, READ, &iov, 1, iov.iov_len); + ret = file->f_op->read_iter(&kiocb, &iter); if (ret > 0) { + *pos = kiocb.ki_pos; fsnotify_access(file); add_rchar(current, ret); } 
@@ -510,28 +524,31 @@ static ssize_t new_sync_write(struct file *filp, const char __user *buf, size_t /* caller is responsible for file_start_write/file_end_write */ ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t *pos) { - mm_segment_t old_fs; - const char __user *p; + struct kvec iov = { + .iov_base = (void *)buf, + .iov_len = min_t(size_t, count, MAX_RW_COUNT), + }; + struct kiocb kiocb; + struct iov_iter iter; ssize_t ret; if (WARN_ON_ONCE(!(file->f_mode & FMODE_WRITE))) return -EBADF; if (!(file->f_mode & FMODE_CAN_WRITE)) return -EINVAL; + /* + * Also fail if ->write_iter and ->write are both wired up as that + * implies very convoluted semantics. + */ + if (unlikely(!file->f_op->write_iter || file->f_op->write)) + return warn_unsupported(file, "write"); - old_fs = get_fs(); - set_fs(KERNEL_DS); - p = (__force const char __user *)buf; - if (count > MAX_RW_COUNT) - count = MAX_RW_COUNT; - if (file->f_op->write) - ret = file->f_op->write(file, p, count, pos); - else if (file->f_op->write_iter) - ret = new_sync_write(file, p, count, pos); - else - ret = -EINVAL; - set_fs(old_fs); + init_sync_kiocb(&kiocb, file); + kiocb.ki_pos = *pos; + iov_iter_kvec(&iter, WRITE, &iov, 1, iov.iov_len); + ret = file->f_op->write_iter(&kiocb, &iter); if (ret > 0) { + *pos = kiocb.ki_pos; fsnotify_modify(file); add_wchar(current, ret); } -- 2.28.0
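Review bot: in the __kernel_read hunk (@@ -419,27 +419,41 @@), the comment above `if (unlikely(!file->f_op->read_iter || file->f_op->read))` documents only the case where both methods are wired up, but the condition also rejects a file that implements ->read alone, which the removed code served by calling ->read first. Suggest the comment name both rejected cases (no ->read_iter, or ->read present at all) so that a driver author who hits the "kernel read not supported" warning can tell which one applies. A smaller point: warn_unsupported() is declared int while both callers return ssize_t; that is harmless for -EINVAL, but matching the callers' return type would be tidier.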
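Review bot: in the __kernel_write hunk (@@ -510,28 +524,31 @@), `kiocb.ki_pos = *pos;` dereferences pos unconditionally, and `*pos = kiocb.ki_pos;` writes it back only inside `if (ret > 0)`, whereas the removed code handed pos straight to ->write or new_sync_write(). If any caller may pass a NULL pos, this needs a check; otherwise the comment above the function ("caller is responsible for file_start_write/file_end_write") should also state that pos must be non-NULL, and that the position is left untouched when ->write_iter returns zero or an error. The same applies to the matching lines in __kernel_read. The `(void *)buf` cast in the kvec initializer drops const from the caller's buffer; a short comment that the WRITE direction passed to iov_iter_kvec() means the buffer is only read from would make that cast easier to audit.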