From: Josef Bacik
To: hch@lst.de, viro@ZenIV.linux.org.uk, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@fb.com
Subject: [PATCH] proc: use vmalloc for our kernel buffer
Date: Thu, 13 Aug 2020 10:53:05 -0400
Message-Id: <20200813145305.805730-1-josef@toxicpanda.com>

Since sysctl: pass kernel pointers to ->proc_handler we have been
pre-allocating a buffer to copy the data from the proc handlers into,
and then copying that to userspace. The problem is this just blind
kmalloc()'s the buffer size passed in from the read, which in the case
of our 'cat' binary was 64kib. Order-4 allocations are not awesome, and
since we can potentially allocate up to our maximum order, use vmalloc
for these buffers.

Fixes: 32927393dc1c ("sysctl: pass kernel pointers to ->proc_handler")
Signed-off-by: Josef Bacik --- fs/proc/proc_sysctl.c | 6 +++--- include/linux/string.h | 1 + mm/util.c | 26 ++++++++++++++++++++++++++ 3 files changed, 30 insertions(+), 3 deletions(-) diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c index 6c1166ccdaea..207ac6e6e028 100644 --- a/fs/proc/proc_sysctl.c +++ b/fs/proc/proc_sysctl.c @@ -571,13 +571,13 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf, goto out; if (write) { - kbuf = memdup_user_nul(ubuf, count); + kbuf = vmemdup_user_nul(ubuf, count); if (IS_ERR(kbuf)) { error = PTR_ERR(kbuf); goto out; } } else { - kbuf = kzalloc(count, GFP_KERNEL); + kbuf = kvzalloc(count, GFP_KERNEL); if (!kbuf) goto out; } @@ -600,7 +600,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf, error = count; out_free_buf: - kfree(kbuf); + kvfree(kbuf); out: sysctl_head_finish(head); diff --git a/include/linux/string.h b/include/linux/string.h index 9b7a0632e87a..aee3689fb865 100644 --- a/include/linux/string.h +++ b/include/linux/string.h @@ -12,6 +12,7 @@ extern char *strndup_user(const char __user *, long); extern void *memdup_user(const void __user *, size_t); extern void *vmemdup_user(const void __user *, size_t); +extern void *vmemdup_user_nul(const void __user *, size_t); extern void *memdup_user_nul(const void __user *, size_t); /* diff --git a/mm/util.c b/mm/util.c index 5ef378a2a038..4de3b4b0f358 100644 --- a/mm/util.c +++ b/mm/util.c 
@@ -208,6 +208,32 @@ void *vmemdup_user(const void __user *src, size_t len) } EXPORT_SYMBOL(vmemdup_user); +/** + * vmemdup_user - duplicate memory region from user space and NUL-terminate + * + * @src: source address in user space + * @len: number of bytes to copy + * + * Return: an ERR_PTR() on failure. Result may be not + * physically contiguous. Use kvfree() to free. + */ +void *vmemdup_user_nul(const void __user *src, size_t len) +{ + void *p; + + p = kvmalloc(len, GFP_USER); + if (!p) + return ERR_PTR(-ENOMEM); + + if (copy_from_user(p, src, len)) { + kvfree(p); + return ERR_PTR(-EFAULT); + } + + return p; +} +EXPORT_SYMBOL(vmemdup_user_nul); + /** * strndup_user - duplicate an existing string from user space * @s: The string to duplicate -- 2.24.1
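Review bot: in the first fs/proc/proc_sysctl.c hunk, both branches of proc_sys_call_handler() still size the buffer directly from the caller-supplied `count` (`vmemdup_user_nul(ubuf, count)` and `kvzalloc(count, GFP_KERNEL)`), and no upper bound on `count` is visible in the hunk. With the vmalloc fallback, a very large request no longer fails the way an oversized kmalloc() would, so please confirm that `count` is capped before the `if (write)` block, or add an explicit limit, and mention the limit in the commit message.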
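Review bot: vmemdup_user_nul() in the mm/util.c hunk never NUL-terminates the buffer. It allocates `kvmalloc(len, GFP_USER)` and copies `len` bytes, so there is no room for a terminator and none is written, although the name and the kernel-doc summary both promise one. Allocate `len + 1` bytes and store '\0' at offset `len` once copy_from_user() succeeds (this needs `p` declared as `char *`, or a cast); as posted, the write path in proc_sys_call_handler(), which this patch switches to the new helper, ends up with an unterminated `kbuf`. The kernel-doc header also names the function `vmemdup_user` where it should say `vmemdup_user_nul`.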