diff mbox series

proc: use vmalloc for our kernel buffer

Message ID 20200813145305.805730-1-josef@toxicpanda.com (mailing list archive)
State New, archived
Headers show
Series proc: use vmalloc for our kernel buffer | expand

Commit Message

Josef Bacik Aug. 13, 2020, 2:53 p.m. UTC
Since

  sysctl: pass kernel pointers to ->proc_handler

we have been pre-allocating a buffer to copy the data from the proc
handlers into, and then copying that to userspace.  The problem is this
just blind kmalloc()'s the buffer size passed in from the read, which in
the case of our 'cat' binary was 64kib.  Order-4 allocations are not
awesome, and since we can potentially allocate up to our maximum order,
use vmalloc for these buffers.

Fixes: 32927393dc1c ("sysctl: pass kernel pointers to ->proc_handler")
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
---
 fs/proc/proc_sysctl.c  |  6 +++---
 include/linux/string.h |  1 +
 mm/util.c              | 26 ++++++++++++++++++++++++++
 3 files changed, 30 insertions(+), 3 deletions(-)

Comments

Matthew Wilcox Aug. 13, 2020, 2:59 p.m. UTC | #1
On Thu, Aug 13, 2020 at 10:53:05AM -0400, Josef Bacik wrote:
> +/**
> + * vmemdup_user - duplicate memory region from user space and NUL-terminate

vmemdup_user_nul()

> +void *vmemdup_user_nul(const void __user *src, size_t len)
> +{
> +	void *p;
> +
> +	p = kvmalloc(len, GFP_USER);

len+1, shirley?

> +	if (!p)
> +		return ERR_PTR(-ENOMEM);
> +
> +	if (copy_from_user(p, src, len)) {
> +		kvfree(p);
> +		return ERR_PTR(-EFAULT);
> +	}

I think you forgot

        p[len] = '\0';

> +	return p;
> +}
> +EXPORT_SYMBOL(vmemdup_user_nul);
> +
>  /**
>   * strndup_user - duplicate an existing string from user space
>   * @s: The string to duplicate
> -- 
> 2.24.1
>
Josef Bacik Aug. 13, 2020, 3:08 p.m. UTC | #2
On 8/13/20 10:59 AM, Matthew Wilcox wrote:
> On Thu, Aug 13, 2020 at 10:53:05AM -0400, Josef Bacik wrote:
>> +/**
>> + * vmemdup_user - duplicate memory region from user space and NUL-terminate
> 
> vmemdup_user_nul()
> 
>> +void *vmemdup_user_nul(const void __user *src, size_t len)
>> +{
>> +	void *p;
>> +
>> +	p = kvmalloc(len, GFP_USER);
> 
> len+1, shirley?
> 
>> +	if (!p)
>> +		return ERR_PTR(-ENOMEM);
>> +
>> +	if (copy_from_user(p, src, len)) {
>> +		kvfree(p);
>> +		return ERR_PTR(-EFAULT);
>> +	}
> 
> I think you forgot
> 
>          p[len] = '\0';
> 

Sweet lord I need more sleep, my bad.  Thanks,

Josef
David Laight Aug. 13, 2020, 4:19 p.m. UTC | #3
From: Josef Bacik
> Sent: 13 August 2020 15:53
> 
>   sysctl: pass kernel pointers to ->proc_handler
> 
> we have been pre-allocating a buffer to copy the data from the proc
> handlers into, and then copying that to userspace.  The problem is this
> just blind kmalloc()'s the buffer size passed in from the read, which in
> the case of our 'cat' binary was 64kib.  Order-4 allocations are not
> awesome, and since we can potentially allocate up to our maximum order,
> use vmalloc for these buffers.

What happens if I run 'dd bs=16M ...' ?

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
Al Viro Aug. 13, 2020, 4:21 p.m. UTC | #4
On Thu, Aug 13, 2020 at 04:19:27PM +0000, David Laight wrote:
> From: Josef Bacik
> > Sent: 13 August 2020 15:53
> > 
> >   sysctl: pass kernel pointers to ->proc_handler
> > 
> > we have been pre-allocating a buffer to copy the data from the proc
> > handlers into, and then copying that to userspace.  The problem is this
> > just blind kmalloc()'s the buffer size passed in from the read, which in
> > the case of our 'cat' binary was 64kib.  Order-4 allocations are not
> > awesome, and since we can potentially allocate up to our maximum order,
> > use vmalloc for these buffers.
> 
> What happens if I run 'dd bs=16M ...' ?

Try it.
Josef Bacik Aug. 13, 2020, 5:08 p.m. UTC | #5
On 8/13/20 12:19 PM, David Laight wrote:
> From: Josef Bacik
>> Sent: 13 August 2020 15:53
>>
>>    sysctl: pass kernel pointers to ->proc_handler
>>
>> we have been pre-allocating a buffer to copy the data from the proc
>> handlers into, and then copying that to userspace.  The problem is this
>> just blind kmalloc()'s the buffer size passed in from the read, which in
>> the case of our 'cat' binary was 64kib.  Order-4 allocations are not
>> awesome, and since we can potentially allocate up to our maximum order,
>> use vmalloc for these buffers.
> 
> What happens if I run 'dd bs=16M ...' ?
> 
> 	David
> 

         /* don't even try if the size is too large */
         error = -ENOMEM;
         if (count >= KMALLOC_MAX_SIZE)
                 goto out;

is above this code, thanks,

Josef
diff mbox series

Patch

diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index 6c1166ccdaea..207ac6e6e028 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -571,13 +571,13 @@  static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
 		goto out;
 
 	if (write) {
-		kbuf = memdup_user_nul(ubuf, count);
+		kbuf = vmemdup_user_nul(ubuf, count);
 		if (IS_ERR(kbuf)) {
 			error = PTR_ERR(kbuf);
 			goto out;
 		}
 	} else {
-		kbuf = kzalloc(count, GFP_KERNEL);
+		kbuf = kvzalloc(count, GFP_KERNEL);
 		if (!kbuf)
 			goto out;
 	}
@@ -600,7 +600,7 @@  static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
 
 	error = count;
 out_free_buf:
-	kfree(kbuf);
+	kvfree(kbuf);
 out:
 	sysctl_head_finish(head);
 
diff --git a/include/linux/string.h b/include/linux/string.h
index 9b7a0632e87a..aee3689fb865 100644
--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -12,6 +12,7 @@ 
 extern char *strndup_user(const char __user *, long);
 extern void *memdup_user(const void __user *, size_t);
 extern void *vmemdup_user(const void __user *, size_t);
+extern void *vmemdup_user_nul(const void __user *, size_t);
 extern void *memdup_user_nul(const void __user *, size_t);
 
 /*
diff --git a/mm/util.c b/mm/util.c
index 5ef378a2a038..4de3b4b0f358 100644
--- a/mm/util.c
+++ b/mm/util.c
@@ -208,6 +208,32 @@  void *vmemdup_user(const void __user *src, size_t len)
 }
 EXPORT_SYMBOL(vmemdup_user);
 
+/**
+ * vmemdup_user - duplicate memory region from user space and NUL-terminate
+ *
+ * @src: source address in user space
+ * @len: number of bytes to copy
+ *
+ * Return: an ERR_PTR() on failure.  Result may be not
+ * physically contiguous.  Use kvfree() to free.
+ */
+void *vmemdup_user_nul(const void __user *src, size_t len)
+{
+	void *p;
+
+	p = kvmalloc(len, GFP_USER);
+	if (!p)
+		return ERR_PTR(-ENOMEM);
+
+	if (copy_from_user(p, src, len)) {
+		kvfree(p);
+		return ERR_PTR(-EFAULT);
+	}
+
+	return p;
+}
+EXPORT_SYMBOL(vmemdup_user_nul);
+
 /**
  * strndup_user - duplicate an existing string from user space
  * @s: The string to duplicate