Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp5549925imm; Sat, 19 May 2018 04:39:50 -0700 (PDT) X-Google-Smtp-Source: AB8JxZo62vv/EYVpofw4ejSATGpO+4faGnliKHjMMB54xUj3b7HH3g0IdaTbUS9iGAKnKRJxOdEj X-Received: by 2002:a17:902:1c7:: with SMTP id b65-v6mr13181133plb.298.1526729990603; Sat, 19 May 2018 04:39:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526729990; cv=none; d=google.com; s=arc-20160816; b=BJujS54UC7Nrp7pbF4yQA6LKHOoz2O7aWnd5f1lnDJHpcy7Do7ObzcxQtT7IPGgmSI bQETaRL0SzE7E7y6CWeMTVSNT+s9UVtKKLJcj3ycYxHA5W4GK9EysE3UIFFz7jULWAyv 5ys7WCpE290wzZyPqhKOcBj2hZgXgfnQnoWbueOkNgtCfhywCh108I0sQTfO9uEreWVa zIe/ua23OXfywdVu97WfK49vwz5KmIriwvhHInQPfTqooxDn5Hd+dhurf38Gt6Ns2U3s qKF6jraV+Lwwz2hVI8JkKb8z54bti6OFqvSImdvnPmficF+IrrDNsRdLmY+9pgDuFoI3 IzGw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:in-reply-to :content-disposition:mime-version:references:subject:cc:to:from:date :arc-authentication-results; bh=HHjlEBiR8nxg+o56pVpIFgiVdgmxzoLLQvfRE7NhvTw=; b=BpcI4u/4xMFa9tmYckgeWmmlRfy33+Ra590Uxz0rxB0jXW/NLSfkHFXqULtYI0GMwB 6iTU9Lzr2XXN3TYRLxUWohCug+/MulbJPTDUm7smSw+0xuk7YMRCCUwyPjYzazMgWFCO OHtsA0LCm1GsqSmjfwo8ruAqKisV/vEBPHOywYPVN2IoHwZYlNifyirJaWW2xTbsOvXz J3c48qElZcsyTNFRgoxOehbBRBlxJJsAdekOt5xgMwz2J+YGj8kANxC3h1hQM7H48J2T VsQmv5bASVGXVMZ5L5/xZih8J4EIZKBkLieuO9OoVwheXfyXVt9CHodgJYlq41GKgOC0 fH5g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v123-v6si9570486pfc.273.2018.05.19.04.39.36; Sat, 19 May 2018 04:39:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752296AbeESLj0 (ORCPT + 99 others); Sat, 19 May 2018 07:39:26 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:59094 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752129AbeESLjY (ORCPT ); Sat, 19 May 2018 07:39:24 -0400 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w4JBcqJ3108300 for ; Sat, 19 May 2018 07:39:24 -0400 Received: from e06smtp12.uk.ibm.com (e06smtp12.uk.ibm.com [195.75.94.108]) by mx0b-001b2d01.pphosted.com with ESMTP id 2j2g4fdwf9-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Sat, 19 May 2018 07:39:23 -0400 Received: from localhost by e06smtp12.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Sat, 19 May 2018 12:39:22 +0100 Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197) by e06smtp12.uk.ibm.com (192.168.101.142) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Sat, 19 May 2018 12:39:20 +0100 Received: from d06av26.portsmouth.uk.ibm.com (d06av26.portsmouth.uk.ibm.com [9.149.105.62]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w4JBdKch66846932; Sat, 19 May 2018 11:39:20 GMT Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A418AAE045; Sat, 19 May 2018 12:28:37 +0100 (BST) Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 659E4AE04D; Sat, 19 May 2018 12:28:37 +0100 (BST) Received: from localhost (unknown [9.145.71.232]) by d06av26.portsmouth.uk.ibm.com (Postfix) with ESMTPS; Sat, 19 May 2018 12:28:37 +0100 (BST) Date: Sat, 19 May 2018 13:39:14 +0200 From: Vasily Gorbik To: Linus Torvalds Cc: Al Viro , Andrew Morton , Linux Kernel Mailing List , Heiko Carstens Subject: Re: [PATCH] procfs: fix mmap() for /proc/vmcore References: <20180519034338.GV30522@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: X-TM-AS-GCONF: 00 x-cbid: 18051911-0008-0000-0000-000004F83B63 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18051911-0009-0000-0000-00001E8CBCAD Message-Id: X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-05-19_06:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1805190112 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 18, 2018 at 09:12:56PM -0700, Linus Torvalds wrote: > On Fri, May 18, 2018 at 8:43 PM Al Viro wrote: > > > Not quite. The things like > > if (unlikely(*ppos >= inode->i_sb->s_maxbytes)) > > return 0; > > iov_iter_truncate(iter, inode->i_sb->s_maxbytes); > > protect most of the regular files (see mm/filemap.c). And for devices > (which is > > where the majority of crap ->read()/->write() is) it's obviously not > applicable - > > ->s_maxbytes of *what*? > > Yeah that "s_maxbytes of what" is I think the real issue. We should never > have made s_maxbytes be super-block specific: we should have made it be > per-inode, and then have inode_init_always() initialize it using something > like the file_mmap_size_max() logic. > > (So we'd still have a "sb_maxbytes" that filesystems would fill in, but it > would only be used as a "fill in inode value for regular files for this > superblock"). > > Then we could actually protect read/write properly, because many of the > nasty bugs have been in character device drivers. > > Oh well. It would still be a good thing to do some day, I suspect, but it's > clearly not the case now, and so s_maxbytes actually has much less coverage > than I was hoping for. > > (And thus also the problems with /proc/vmcore - it never saw s_maxbytes > limits before). > > Oh, well. The lack of any meaningful s_maxbytes coverage for proc obviously > means that my objections against Vasily's patch are mostly invalid. Even if > /proc does use "generic_file_llseek()" a lot and that should limit things > to 4G offsets, you can just use pread64/pwrite64 to see if you can screw up > the offset. > > I'd still prefer to limit the damage to just "vmcore". > > Something like the below COMPLETELY UNTESTED patch? Vasily? Would work, but file_mmap_size_max first checks if (S_ISREG(inode->i_mode)) return inode->i_sb->s_maxbytes; before if (file->f_mode & FMODE_UNSIGNED_OFFSET) return 0; so, as it is this patch does not fix the issue. > Linus > > fs/proc/vmcore.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/fs/proc/vmcore.c b/fs/proc/vmcore.c > index a45f0af22a60..83278c547127 100644 > --- a/fs/proc/vmcore.c > +++ b/fs/proc/vmcore.c > @@ -491,7 +491,15 @@ static int mmap_vmcore(struct file *file, struct vm_area_struct *vma) > } > #endif > > +/* Mark vmcore as being able and willing to do 64-bit mmaps */ > +static int vmcore_open(struct inode *inode, struct file *file) > +{ > + file->f_mode |= FMODE_UNSIGNED_OFFSET; > + return 0; > +} > + > static const struct file_operations proc_vmcore_operations = { > + .open = vmcore_open, > .read = read_vmcore, > .llseek = default_llseek, > .mmap = mmap_vmcore,