Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp4799130ybl;
        Wed, 22 Jan 2020 05:02:10 -0800 (PST)
X-Google-Smtp-Source: APXvYqzt/RWWCyfJx7rMcykTNFZfnhtmvYmYP4q8r3610FJbwFsnrX2DX/29dDHtDvuuD3Nrr4AR
X-Received: by 2002:a9d:ec1:: with SMTP id 59mr7018147otj.141.1579698130685;
        Wed, 22 Jan 2020 05:02:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1579698130; cv=none;
        d=google.com; s=arc-20160816;
        b=iSJIjcctme3u7YZGi/0VbvzdO/XbLMDhT5wHGaZNb5s53GfADcENwhb1JWQOReg3O7
         PO6nt3IMQt+pbkAj6YASsaSYI12wJeyyO1TrbUOcVdjD3aGFsTTtBNYzhbrRsQ7WPSIz
         K7ZMWLssc95TbNIioJEHTMq68+CoYJYBfBqz//ZrqD+u+Qhxbsh0HZqRPrqacZq2g8iy
         Q7r6VyB/kt/xNbFVB1riwyy3cGC9pIFtHCI1j5j6Qs9wDSwh2RITYyfG7ar8eI81RhyG
         FAAv0yZZF7LxmG7Hc2rJPtjRo5RTT7NhlD8m0MCoITBJlkYR0csZlK/VvYO7NSNezS5Q
         9a0g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:date:cc:to:subject:from:message-id
         :dkim-signature;
        bh=IYuSNHph3xeKS9BqJ4P2sNK404BWtsrlVrUfzRg8JZc=;
        b=rRjV5+OgCnFLJHn6wVytNO+uIsfG0Nhj+yhOMv2SwDO8t5ChkwRCrqXwPXzSZ7AApT
         VZgXgKIyEhzN0K31/2b9+DHT7eVvpGUZl5G4gS5QJ/AZho4AKvSbk4ZJhiVuFQj8xsrK
         ZamYEd4w++mDWTKzCjgK2V4SvuchMv10BdxDDhux5LQPpinhY9v1eJZjQ3mkF9xpotz7
         NEQrRGiVqacUCuZVp45ANCID5lz8oQ0VOOgDItwZ3EXoel8MN1Hb61+HD2JTTLopRNs9
         U9KQbCK+WCi/tsOebIQ5FCcoGU/33jczgww+H66/oO3uEoXLQzdN10IW0/Yq19vnFzdd
         QokA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@c-s.fr header.s=mail header.b="Id0p0/pu";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d17si20997490oib.174.2020.01.22.05.01.58;
        Wed, 22 Jan 2020 05:02:10 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@c-s.fr header.s=mail header.b="Id0p0/pu";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729163AbgAVNAn (ORCPT <rfc822;lans.zhang2008@gmail.com>
        + 99 others); Wed, 22 Jan 2020 08:00:43 -0500
Received: from pegase1.c-s.fr ([93.17.236.30]:37038 "EHLO pegase1.c-s.fr"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1728900AbgAVNAk (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 22 Jan 2020 08:00:40 -0500
Received: from localhost (mailhub1-int [192.168.12.234])
        by localhost (Postfix) with ESMTP id 482lrM6r0Bz9v4T1;
        Wed, 22 Jan 2020 14:00:35 +0100 (CET)
Authentication-Results: localhost; dkim=pass
        reason="1024-bit key; insecure key"
        header.d=c-s.fr header.i=@c-s.fr header.b=Id0p0/pu; dkim-adsp=pass;
        dkim-atps=neutral
X-Virus-Scanned: Debian amavisd-new at c-s.fr
Received: from pegase1.c-s.fr ([192.168.12.234])
        by localhost (pegase1.c-s.fr [192.168.12.234]) (amavisd-new, port 10024)
        with ESMTP id ER69ev4z_Xec; Wed, 22 Jan 2020 14:00:35 +0100 (CET)
Received: from messagerie.si.c-s.fr (messagerie.si.c-s.fr [192.168.25.192])
        by pegase1.c-s.fr (Postfix) with ESMTP id 482lrM51BQz9v4T0;
        Wed, 22 Jan 2020 14:00:35 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=c-s.fr; s=mail;
        t=1579698035; bh=IYuSNHph3xeKS9BqJ4P2sNK404BWtsrlVrUfzRg8JZc=;
        h=From:Subject:To:Cc:Date:From;
        b=Id0p0/punrqkIoihRIjlOTDIJUf8EAaYY/45qzeAcFcpIvcYgWSV7dABhL2qWd+Rd
         OrZCEwEeHWaDFQsMYorxbrJexxNque0AKSTnLknGxGBn0IXYhJ8P0sIFr5JDMOEa91
         sZ3Li+AyYuqq/Ks/DIu38NLCzSiqIwLU7TDPZFEo=
Received: from localhost (localhost [127.0.0.1])
        by messagerie.si.c-s.fr (Postfix) with ESMTP id CD87C8B803;
        Wed, 22 Jan 2020 14:00:36 +0100 (CET)
X-Virus-Scanned: amavisd-new at c-s.fr
Received: from messagerie.si.c-s.fr ([127.0.0.1])
        by localhost (messagerie.si.c-s.fr [127.0.0.1]) (amavisd-new, port 10023)
        with ESMTP id shOjK1liW11x; Wed, 22 Jan 2020 14:00:36 +0100 (CET)
Received: from po14934vm.idsi0.si.c-s.fr (po15451.idsi0.si.c-s.fr [172.25.230.100])
        by messagerie.si.c-s.fr (Postfix) with ESMTP id D917D8B7FA;
        Wed, 22 Jan 2020 14:00:35 +0100 (CET)
Received: by po14934vm.idsi0.si.c-s.fr (Postfix, from userid 0)
        id 9179F651E0; Wed, 22 Jan 2020 13:00:35 +0000 (UTC)
Message-Id: <a02d3426f93f7eb04960a4d9140902d278cab0bb.1579697910.git.christophe.leroy@c-s.fr>
From:   Christophe Leroy <christophe.leroy@c-s.fr>
Subject: [PATCH v1 1/6] fs/readdir: Fix filldir() and filldir64() use of
 user_access_begin()
To:     Benjamin Herrenschmidt <benh@kernel.crashing.org>,
        Paul Mackerras <paulus@samba.org>,
        Michael Ellerman <mpe@ellerman.id.au>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        Andrew Morton <akpm@linux-foundation.org>
Cc:     linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
        linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Date:   Wed, 22 Jan 2020 13:00:35 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Some architectures grand full access to userspace regardless of the
address/len passed to user_access_begin(), but other architectures
only grand access to the requested area.

For exemple, on 32 bits powerpc (book3s/32), access is granted by
segments of 256 Mbytes.

Modify filldir() and filldir64() to request the real area they need
to get access to.

Fixes: 9f79b78ef744 ("Convert filldir[64]() from __put_user() to unsafe_put_user()")
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
---
 fs/readdir.c | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)

diff --git a/fs/readdir.c b/fs/readdir.c
index d26d5ea4de7b..ef04e5e76c59 100644
--- a/fs/readdir.c
+++ b/fs/readdir.c
@@ -236,15 +236,11 @@ static int filldir(struct dir_context *ctx, const char *name, int namlen,
 	if (dirent && signal_pending(current))
 		return -EINTR;
 
-	/*
-	 * Note! This range-checks 'previous' (which may be NULL).
-	 * The real range was checked in getdents
-	 */
-	if (!user_access_begin(dirent, sizeof(*dirent)))
+	if (dirent && unlikely(put_user(offset, &dirent->d_off)))
 		goto efault;
-	if (dirent)
-		unsafe_put_user(offset, &dirent->d_off, efault_end);
 	dirent = buf->current_dir;
+	if (!user_access_begin(dirent, reclen))
+		goto efault;
 	unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
 	unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
 	unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end);
@@ -323,15 +319,11 @@ static int filldir64(struct dir_context *ctx, const char *name, int namlen,
 	if (dirent && signal_pending(current))
 		return -EINTR;
 
-	/*
-	 * Note! This range-checks 'previous' (which may be NULL).
-	 * The real range was checked in getdents
-	 */
-	if (!user_access_begin(dirent, sizeof(*dirent)))
+	if (dirent && unlikely(put_user(offset, &dirent->d_off)))
 		goto efault;
-	if (dirent)
-		unsafe_put_user(offset, &dirent->d_off, efault_end);
 	dirent = buf->current_dir;
+	if (!user_access_begin(dirent, reclen))
+		goto efault;
 	unsafe_put_user(ino, &dirent->d_ino, efault_end);
 	unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
 	unsafe_put_user(d_type, &dirent->d_type, efault_end);
-- 
2.25.0