From patchwork Fri Dec  8 13:37:56 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
X-Patchwork-Id: 846229
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com
	(client-ip=91.189.94.19; helo=huckleberry.canonical.com;
	envelope-from=kernel-team-bounces@lists.ubuntu.com;
	receiver=<UNKNOWN>)
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	by ozlabs.org (Postfix) with ESMTP id 3ytYMP2flmz9s82;
	Sat,  9 Dec 2017 00:38:09 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1eNIqq-00073Z-A5; Fri, 08 Dec 2017 13:38:04 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtps
	(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)
	(Exim 4.86_2) (envelope-from <kleber.souza@canonical.com>)
	id 1eNIqp-00073A-7S
	for kernel-team@lists.ubuntu.com; Fri, 08 Dec 2017 13:38:03 +0000
Received: from mail-wr0-f197.google.com ([209.85.128.197])
	by youngberry.canonical.com with esmtps
	(TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.76) (envelope-from <kleber.souza@canonical.com>)
	id 1eNIqp-00042F-0N
	for kernel-team@lists.ubuntu.com; Fri, 08 Dec 2017 13:38:03 +0000
Received: by mail-wr0-f197.google.com with SMTP id t92so6023825wrc.13
	for <kernel-team@lists.ubuntu.com>;
	Fri, 08 Dec 2017 05:38:03 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
	:references;
	bh=myNvGgnHQ8ERpjWtwt5iuwvGnVIBPfmTyHTROkaRZRw=;
	b=Tq177DfZ8ATXA4SzPEX07k0U+7orq5gs5sAtJQ9sZou3xkcjIuvO6V0caOUYajAMEQ
	Zo8pWplaGgLWeaaBGQmL3UyHzGjh6TnZJrJH6i7/3l69QUeuCENHaw74vJdAWl4t2vnS
	yjVPANpiv7YjOgzbBFNeyQeX7+UKIsjia6f6Z7mTdTC+6QKDgzR0sJVuByFeD6u+cIfh
	utoH1Mj1Qw6xKXo8RIvla8I7xUgFK+A7KuDmuJjSWj94BDKWLGyxAg5VXYlGjobfVaAi
	N26tkEUCXjTjLymhb9wy9EYcl9WgLP9B5W/Cknd5VwfCD6KK/tZpQNskDJ5Fxrm7jT+h
	OhoQ==
X-Gm-Message-State: AKGB3mLW3EFQHdCZnHVgqp0FAFSDPCePPM6ukWq1y0JSk3CDvThgoMPz
	gECo+0he9vkoolXM4qsrVsvIF1ECwsSWto075LsQSuZSaDxxFfCyYrErlQbEQ/tFDwpwj6jKGrd
	4aYJ8xmfuNPidxLqgzY2TmmsVQREsPPpXmnWBJbKFJQ==
X-Received: by 10.28.232.70 with SMTP id f67mr4446415wmh.90.1512740282355;
	Fri, 08 Dec 2017 05:38:02 -0800 (PST)
X-Google-Smtp-Source: 
 AGs4zMYE2MUn2GSVRc3FLfJYSjx7xLv/xLP0M5kFYRqGHoNAj4N0omsNv6DPc8+wB8jtGK7pnxlQfQ==
X-Received: by 10.28.232.70 with SMTP id f67mr4446402wmh.90.1512740282135;
	Fri, 08 Dec 2017 05:38:02 -0800 (PST)
Received: from localhost ([212.121.131.210])
	by smtp.gmail.com with ESMTPSA id
	r14sm7972876wra.71.2017.12.08.05.38.01
	for <kernel-team@lists.ubuntu.com>
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Fri, 08 Dec 2017 05:38:01 -0800 (PST)
From: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Trusty][PATCH 2/2] more bio_map_user_iov() leak fixes
Date: Fri,  8 Dec 2017 14:37:56 +0100
Message-Id: <20171208133756.18662-3-kleber.souza@canonical.com>
X-Mailer: git-send-email 2.14.1
In-Reply-To: <20171208133756.18662-1-kleber.souza@canonical.com>
References: <20171208133756.18662-1-kleber.souza@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Al Viro <viro@zeniv.linux.org.uk>

we need to take care of failure exit as well - pages already
in bio should be dropped by analogue of bio_unmap_pages(),
since their refcounts had been bumped only once per reference
in bio.

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

CVE-2017-12190
(backported from commit 2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058)
[klebers:
 - Fixed file path from block/bio.c to fs/bio.c.
 - page_cache_release() is defined as put_page(), but keep it as
   page_cache_release() for consistency with the rest of the code.]
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
---
 fs/bio.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/fs/bio.c b/fs/bio.c
index 3311aa0f3dd9..2dde9b514b1c 100644
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -1234,6 +1234,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
 	struct bio *bio;
 	int cur_page = 0;
 	int ret, offset;
+	struct bio_vec *bvec;
 
 	for (i = 0; i < iov_count; i++) {
 		unsigned long uaddr = (unsigned long)iov[i].iov_base;
@@ -1277,7 +1278,12 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
 
 		ret = get_user_pages_fast(uaddr, local_nr_pages,
 				write_to_vm, &pages[cur_page]);
-		if (ret < local_nr_pages) {
+		if (unlikely(ret < local_nr_pages)) {
+			for (j = cur_page; j < page_limit; j++) {
+				if (!pages[j])
+					break;
+				put_page(pages[j]);
+			}
 			ret = -EFAULT;
 			goto out_unmap;
 		}
@@ -1332,10 +1338,8 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
 	return bio;
 
  out_unmap:
-	for (i = 0; i < nr_pages; i++) {
-		if(!pages[i])
-			break;
-		page_cache_release(pages[i]);
+	bio_for_each_segment_all(bvec, bio, i) {
+		page_cache_release(bvec->bv_page);
 	}
  out:
 	kfree(pages);