From patchwork Fri Dec 8 13:38:23 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kleber Sacilotto de Souza X-Patchwork-Id: 846231 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 3ytYMt2X44z9s82; Sat, 9 Dec 2017 00:38:34 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1eNIrG-0007Bt-6k; Fri, 08 Dec 2017 13:38:30 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.86_2) (envelope-from ) id 1eNIrE-0007B5-Tb for kernel-team@lists.ubuntu.com; Fri, 08 Dec 2017 13:38:28 +0000 Received: from mail-wr0-f200.google.com ([209.85.128.200]) by youngberry.canonical.com with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1eNIrE-000454-MK for kernel-team@lists.ubuntu.com; Fri, 08 Dec 2017 13:38:28 +0000 Received: by mail-wr0-f200.google.com with SMTP id y23so5976740wra.16 for ; Fri, 08 Dec 2017 05:38:28 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=RvvkrG4k1BgHQToZP+KCypTN7qtJtKaI57GWVcLdAr0=; b=JxaQgEfNXuSveL8FSqzL+r7ajR/85tAYC52TV8dczny8V1JVSEL8LTcUG4SCGcYcmH Pg9TxL6EF7321Hnky6mhu4K+kFnNryNQvqbmalOg9PqSvcxKmjSjID1hhlbBcbNwT3fZ FlBb/PuOvArWuHpYlH/jXxt6uoj0ara9Do4ueUvca9HF+LNgDA1KTa1mRgBmuS+N3TH1 bmpdgpPSls7Z3Uy1O5NaH0RbTgL5IzYAqKOKU68oiexEYYsbJq1nJnKgOIN9VhDlMmbR 0H0e5j6KZItxSfHOgc9QTE0EBxpIDqGaD3kW9VfWbV38TG++5/eK+YXjcAOwKHYAnjvq 3DCA== X-Gm-Message-State: AKGB3mIy1e+7ArN9c+xntB7iduoq2Za7h9D/nreMgd0dqeigNw/heolv UXy54A3QivOGcJomqqGQVEqVrYEujggOTyqwGR3vVCjpWX2YqIzIT60MeTgVlj9wzZhRZJ55zoi CewqmmEheG0oBSTHQ3mlbC2EELIcIzPKBYr+Yqgpu9A== X-Received: by 10.28.66.138 with SMTP id k10mr1564804wmi.88.1512740308079; Fri, 08 Dec 2017 05:38:28 -0800 (PST) X-Google-Smtp-Source: ACJfBotpDzT6YFWPm1s6hR+bNFM0SrShNO+dzb3L5UujO5zPPOGSXepRqHB+ukwF4niV6EswYPqAFA== X-Received: by 10.28.66.138 with SMTP id k10mr1564794wmi.88.1512740307903; Fri, 08 Dec 2017 05:38:27 -0800 (PST) Received: from localhost ([212.121.131.210]) by smtp.gmail.com with ESMTPSA id l31sm11143049wrc.50.2017.12.08.05.38.26 for (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 08 Dec 2017 05:38:27 -0800 (PST) From: Kleber Sacilotto de Souza To: kernel-team@lists.ubuntu.com Subject: [SRU][Xenial][PATCH 1/1] more bio_map_user_iov() leak fixes Date: Fri, 8 Dec 2017 14:38:23 +0100 Message-Id: <20171208133823.18790-2-kleber.souza@canonical.com> X-Mailer: git-send-email 2.14.1 In-Reply-To: <20171208133823.18790-1-kleber.souza@canonical.com> References: <20171208133823.18790-1-kleber.souza@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Al Viro we need to take care of failure exit as well - pages already in bio should be dropped by analogue of bio_unmap_pages(), since their refcounts had been bumped only once per reference in bio. Cc: stable@vger.kernel.org Signed-off-by: Al Viro CVE-CVE-2017-12190 (backported from commit 2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058) [klebers: page_cache_release() is defined as put_page(), but keep it as page_cache_release() for consistency with the rest of the code.] Signed-off-by: Kleber Sacilotto de Souza Acked-by: Stefan Bader Acked-by: Thadeu Lima de Souza Cascardo --- block/bio.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/block/bio.c b/block/bio.c index 68bbc835bacc..6750552d6b16 100644 --- a/block/bio.c +++ b/block/bio.c @@ -1268,6 +1268,7 @@ struct bio *bio_map_user_iov(struct request_queue *q, int ret, offset; struct iov_iter i; struct iovec iov; + struct bio_vec *bvec; iov_for_each(iov, i, *iter) { unsigned long uaddr = (unsigned long) iov.iov_base; @@ -1312,7 +1313,12 @@ struct bio *bio_map_user_iov(struct request_queue *q, ret = get_user_pages_fast(uaddr, local_nr_pages, (iter->type & WRITE) != WRITE, &pages[cur_page]); - if (ret < local_nr_pages) { + if (unlikely(ret < local_nr_pages)) { + for (j = cur_page; j < page_limit; j++) { + if (!pages[j]) + break; + put_page(pages[j]); + } ret = -EFAULT; goto out_unmap; } @@ -1374,10 +1380,8 @@ struct bio *bio_map_user_iov(struct request_queue *q, return bio; out_unmap: - for (j = 0; j < nr_pages; j++) { - if (!pages[j]) - break; - page_cache_release(pages[j]); + bio_for_each_segment_all(bvec, bio, j) { + page_cache_release(bvec->bv_page); } out: kfree(pages);