GitHub-Mirror/Star64_linux
2
0
Fork 0
mirror of https://github.com/Fishwaldo/Star64_linux.git synced 2025-04-02 12:34:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fs: Handle intra-page faults in copy_mount_options()

Browse source 
The copy_mount_options() function takes a user pointer argument but no
size and it tries to read up to a PAGE_SIZE. However, copy_from_user()
is not guaranteed to return all the accessible bytes if, for example,
the access crosses a page boundary and gets a fault on the second page.
To work around this, the current copy_mount_options() implementation
performs two copy_from_user() passes, first to the end of the current
page and the second to what's left in the subsequent page.

On arm64 with MTE enabled, access to a user page may trigger a fault
after part of the buffer in a page has been copied (when the user
pointer tag, bits 56-59, no longer matches the allocation tag stored in
memory). Allow copy_mount_options() to handle such intra-page faults by
resorting to byte at a time copy in case of copy_from_user() failure.

Note that copy_from_user() handles the zeroing of the kernel buffer in
case of error.

Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
This commit is contained in:
Catalin Marinas 2020-07-01 17:46:06 +01:00
parent 2200aa7154
commit d563d678aa
1 changed files with 18 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
fs/namespace.c
View file

@ -3075,7 +3075,7 @@ static void shrink_submounts(struct mount *mnt)
void *copy_mount_options(const void __user * data) void *copy_mount_options(const void __user * data)
{ {
char *copy; char *copy;
unsigned size; unsigned left, offset;
if (!data) if (!data)
return NULL; return NULL;
@ -3084,16 +3084,27 @@ void *copy_mount_options(const void __user * data)
if (!copy) if (!copy)
return ERR_PTR(-ENOMEM); return ERR_PTR(-ENOMEM);
size = PAGE_SIZE - offset_in_page(data); left = copy_from_user(copy, data, PAGE_SIZE);
if (copy_from_user(copy, data, size)) { /*
* Not all architectures have an exact copy_from_user(). Resort to
* byte at a time.
*/
offset = PAGE_SIZE - left;
while (left) {
char c;
if (get_user(c, (const char __user *)data + offset))
break;
copy[offset] = c;
left--;
offset++;
}
if (left == PAGE_SIZE) {
kfree(copy); kfree(copy);
return ERR_PTR(-EFAULT); return ERR_PTR(-EFAULT);
} }
if (size != PAGE_SIZE) {
if (copy_from_user(copy + size, data + size, PAGE_SIZE - size))
memset(copy + size, 0, PAGE_SIZE - size);
}
return copy; return copy;
} }