Received: by 10.213.65.68 with SMTP id h4csp271976imn;
        Mon, 12 Mar 2018 13:19:53 -0700 (PDT)
X-Google-Smtp-Source: AG47ELuMrpV4PVGL/RP5xOBgGB/c2uLveM3KKfHPLNbZX7nMB3NwMmxsgThbDTHjqP54K43TuUFq
X-Received: by 10.99.63.14 with SMTP id m14mr7553026pga.174.1520885993444;
        Mon, 12 Mar 2018 13:19:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1520885993; cv=none;
        d=google.com; s=arc-20160816;
        b=qcVaYNB496hQkgm2P5emqqOM3jgiv6D/XCf2I/T5wN1Ynbz3bQpv3ZIPMkf9yXrFxT
         HRO6EUH6x6Ce046Rb4XiWhzPsVurJZfMsYeDRSUxo1RoyP1Ywm1THdUxxZVuW2nYxijK
         ZSe3szQm0kmpbD5cbhw3CdO0xWu55QxVgeCjd+jlJvsw4tLHt+zX/1ubWMx0n6SJNV7m
         Jc02J5+TBGqMWxnhL2pDuKhlNUbYIcF14kMpGtmJN2qOKIiYkOxgooXlkR3IbPRqdNUX
         1u6U5rTE9T7r95GBjC8verLnnPb87flxDgnyvyfqqi8EUk1haANg45nwEP0Qb2L/z2b9
         IrLw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=upvhgsouy/A5M0vzEnKNd0Q/A6Il1CPMmQqVoZQlKNc=;
        b=TiRD9ludDCKn7jHIzZ5tbcnqM8nsj4/4uOWiwBCXISmqDZ4kpsVws+XJzJwYl4aaq2
         nCzTvrqTNJPTDqdVJ3on2xjodV/mAHRztuEyQW7D+ydSJ3153+dZDr+3SuoZSboAucCI
         C6W/FtpnUSTvLmwh3syWoT6iV+UqjmPT0yjhghBXsil260gaO7wAUYCgynNKyZZuzvif
         ooLr+XeF2rPnyX0wZVV2cG57rx+KNdpnrvlGiT/UtPspjlvVo/MMGXTI+BLxKqzGNCVR
         9EfDsdK1Opn1gYZuVPmUfXw/g691WEkL2InEx12KOvYGrbqducMAXl4EgQ4TjdBtnNPz
         V6ag==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v187si6438478pfv.25.2018.03.12.13.19.38;
        Mon, 12 Mar 2018 13:19:53 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932400AbeCLURw (ORCPT <rfc822;ablacktshirt@gmail.com>
        + 99 others); Mon, 12 Mar 2018 16:17:52 -0400
Received: from mx3-rdu2.redhat.com ([66.187.233.73]:55320 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S932171AbeCLUQJ (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 12 Mar 2018 16:16:09 -0400
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id 99092401DE7F;
        Mon, 12 Mar 2018 20:16:08 +0000 (UTC)
Received: from llong.com (dhcp-17-75.bos.redhat.com [10.18.17.75])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 24D1E11301D0;
        Mon, 12 Mar 2018 20:16:06 +0000 (UTC)
From:   Waiman Long <longman@redhat.com>
To:     "Luis R. Rodriguez" <mcgrof@kernel.org>,
        Kees Cook <keescook@chromium.org>
Cc:     linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
        Andrew Morton <akpm@linux-foundation.org>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Matthew Wilcox <willy@infradead.org>,
        Waiman Long <longman@redhat.com>
Subject: [PATCH v4 0/6] ipc: Clamp *mni to the real IPCMNI limit
Date:   Mon, 12 Mar 2018 16:15:38 -0400
Message-Id: <1520885744-1546-1-git-send-email-longman@redhat.com>
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Mon, 12 Mar 2018 20:16:08 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Mon, 12 Mar 2018 20:16:08 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'longman@redhat.com' RCPT:''
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

v3->v4:
 - Remove v3 patches 1 & 2 as they have been merged into the mm tree.
 - Change flags from uint16_t to unsigned int.
 - Remove CTL_FLAGS_OOR_WARNED and use pr_warn_ratelimited() instead.
 - Simplify the warning message code.
 - Add a new patch to fail the ctl_table registration with invalid flag.
 - Add a test case for range clamping in sysctl selftest.

v2->v3:
 - Fix kdoc comment errors.
 - Incorporate comments and suggestions from Luis R. Rodriguez.
 - Add a patch to fix a typo error in fs/proc/proc_sysctl.c.

v1->v2:
 - Add kdoc comments to the do_proc_do{u}intvec_minmax_conv_param
   structures.
 - Add a new flags field to the ctl_table structure for specifying
   whether range clamping should be activated instead of adding new
   sysctl parameter handlers.
 - Clamp the semmni value embedded in the multi-values sem parameter.

v1 patch: https://lkml.org/lkml/2018/2/19/453
v2 patch: https://lkml.org/lkml/2018/2/27/627

The sysctl parameters msgmni, shmmni and semmni have an inherent limit
of IPC_MNI (32k). However, users may not be aware of that because they
can write a value much higher than that without getting any error or
notification. Reading the parameters back will show the newly written
values which are not real.

Enforcing the limit by failing sysctl parameter write, however, can
break existing user applications. To address this delemma, a new flags
field is introduced into the ctl_table. The value CTL_FLAGS_CLAMP_RANGE
can be added to any ctl_table entries to enable a looser range clamping
without returning any error. For example,

  .flags = CTL_FLAGS_CLAMP_RANGE,

This flags value are now used for the range checking of shmmni,
msgmni and semmni without breaking existing applications. If any out
of range value is written to those sysctl parameters, the following
warning will be printed instead.

  sysctl: "shmmni" was set out of range [0, 32768], clamped to 32768.

Reading the values back will show 32768 instead of some fake values.

Waiman Long (6):
  sysctl: Add flags to support min/max range clamping
  proc/sysctl: Check for invalid flags bits
  sysctl: Warn when a clamped sysctl parameter is set out of range
  ipc: Clamp msgmni and shmmni to the real IPCMNI limit
  ipc: Clamp semmni to the real IPCMNI limit
  test_sysctl: Add range clamping test

 fs/proc/proc_sysctl.c                    | 12 +++++
 include/linux/sysctl.h                   | 15 ++++++
 ipc/ipc_sysctl.c                         | 22 +++++++--
 ipc/sem.c                                | 28 +++++++++++
 ipc/util.h                               |  4 ++
 kernel/sysctl.c                          | 80 ++++++++++++++++++++++++++++----
 tools/testing/selftests/sysctl/sysctl.sh | 43 +++++++++++++++++
 7 files changed, 192 insertions(+), 12 deletions(-)

-- 
1.8.3.1