cxl/mem: Fixes to IOCTL interface

Commit Message

Ben Widawsky Feb. 20, 2021, 9:56 p.m. UTC

When submitting a command for userspace, input and output payload bounce
buffers are allocated. For a given command, both input and output
buffers may exist and so when allocation of the input buffer fails, the
output buffer must be freed. As far as I can tell, userspace can't
easily exploit the leak to OOM a machine unless the machine was already
near OOM state.

This bug was introduced in v5 of the patch and did not exist in prior
revisions.

While here, adjust the variable 'j' found in patch review by Konrad.

Cc: Al Viro <viro@zeniv.linux.org.uk>
Reported-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>
Reviewed-by: Dan Williams <dan.j.williams@intel.com> (v2)
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
---
 drivers/cxl/mem.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

Comments

Dan Williams Feb. 21, 2021, 2:38 a.m. UTC | #1

On Sat, Feb 20, 2021 at 1:57 PM Ben Widawsky <ben.widawsky@intel.com> wrote:
>
> When submitting a command for userspace, input and output payload bounce
> buffers are allocated. For a given command, both input and output
> buffers may exist and so when allocation of the input buffer fails, the
> output buffer must be freed. As far as I can tell, userspace can't
> easily exploit the leak to OOM a machine unless the machine was already
> near OOM state.
>
> This bug was introduced in v5 of the patch and did not exist in prior
> revisions.
>

Thanks for the quick turnaround, but I think that speed introduced
some issues...

> While here, adjust the variable 'j' found in patch review by Konrad.

Please split this pure cleanup to its own patch. The subject says
"Fixes", but it's only the one fix.

>
> Cc: Al Viro <viro@zeniv.linux.org.uk>
> Reported-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

Since the commit is upstream add a "Fixes" line:

Fixes: 583fa5e71cae ('cxl/mem: Add basic IOCTL interface")

> Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>
> Reviewed-by: Dan Williams <dan.j.williams@intel.com> (v2)
> Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

Jonathan and I didn't pre-review this.

Ben Widawsky Feb. 21, 2021, 3:47 a.m. UTC | #2

On 21-02-20 18:38:36, Dan Williams wrote:
> On Sat, Feb 20, 2021 at 1:57 PM Ben Widawsky <ben.widawsky@intel.com> wrote:
> >
> > When submitting a command for userspace, input and output payload bounce
> > buffers are allocated. For a given command, both input and output
> > buffers may exist and so when allocation of the input buffer fails, the
> > output buffer must be freed. As far as I can tell, userspace can't
> > easily exploit the leak to OOM a machine unless the machine was already
> > near OOM state.
> >
> > This bug was introduced in v5 of the patch and did not exist in prior
> > revisions.
> >
> 
> Thanks for the quick turnaround, but I think that speed introduced
> some issues...
> 
> > While here, adjust the variable 'j' found in patch review by Konrad.
> 
> Please split this pure cleanup to its own patch. The subject says
> "Fixes", but it's only the one fix.
> 

This was intentional. I pinged you internally to just drop it if you don't like
to combine these kind of things. It didn't feel worthwhile to introduce a new
patch to change the 'j'. I agree with Konrad that 'j' is not the best variable
name to use. Konrad, maybe you'd like to send a fixup for that one?

I will drop this hunk.

> >
> > Cc: Al Viro <viro@zeniv.linux.org.uk>
> > Reported-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> 
> Since the commit is upstream add a "Fixes" line:
> 
> Fixes: 583fa5e71cae ('cxl/mem: Add basic IOCTL interface")
> 
> > Signed-off-by: Ben Widawsky <ben.widawsky@intel.com>
> > Reviewed-by: Dan Williams <dan.j.williams@intel.com> (v2)
> > Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> 
> Jonathan and I didn't pre-review this.

My bad on this. It was a mistake that I pulled the info from the original patch
I was fixing.

Dan Williams Feb. 22, 2021, 4:12 p.m. UTC | #3

On Sat, Feb 20, 2021 at 7:47 PM Ben Widawsky <ben.widawsky@intel.com> wrote:
>
> On 21-02-20 18:38:36, Dan Williams wrote:
> > On Sat, Feb 20, 2021 at 1:57 PM Ben Widawsky <ben.widawsky@intel.com> wrote:
> > >
> > > When submitting a command for userspace, input and output payload bounce
> > > buffers are allocated. For a given command, both input and output
> > > buffers may exist and so when allocation of the input buffer fails, the
> > > output buffer must be freed. As far as I can tell, userspace can't
> > > easily exploit the leak to OOM a machine unless the machine was already
> > > near OOM state.
> > >
> > > This bug was introduced in v5 of the patch and did not exist in prior
> > > revisions.
> > >
> >
> > Thanks for the quick turnaround, but I think that speed introduced
> > some issues...
> >
> > > While here, adjust the variable 'j' found in patch review by Konrad.
> >
> > Please split this pure cleanup to its own patch. The subject says
> > "Fixes", but it's only the one fix.
> >
>
> This was intentional. I pinged you internally to just drop it if you don't like
> to combine these kind of things.

Apologies, I've been offline this weekend and missed that. I will
point out though that in general I will not change patch contents on
the way upstream. The adjusted patch must appear on the mailing list.
The new korg support for attaching attestation to patches requires
they all be on the list, so even small adjustments need new postings.

> It didn't feel worthwhile to introduce a new
> patch to change the 'j'.

Janitorial patches happen all the time, so I think it's ok.

Konrad Rzeszutek Wilk Feb. 22, 2021, 5:19 p.m. UTC | #4

..little snip..
> > > While here, adjust the variable 'j' found in patch review by Konrad.
> > 
> > Please split this pure cleanup to its own patch. The subject says
> > "Fixes", but it's only the one fix.
> > 
> 
> This was intentional. I pinged you internally to just drop it if you don't like
> to combine these kind of things. It didn't feel worthwhile to introduce a new
> patch to change the 'j'. I agree with Konrad that 'j' is not the best variable
> name to use. Konrad, maybe you'd like to send a fixup for that one?

Sure, but let do that _after_ Dan does his git-pull so that the
scripts/get_maintainers.pl will nicely pull the right emails :-)

> 
> I will drop this hunk.

+1

Patch

diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c
index df895bcca63a..626fd7066f4f 100644
--- a/drivers/cxl/mem.c
+++ b/drivers/cxl/mem.c
@@ -514,8 +514,10 @@  static int handle_mailbox_cmd_from_user(struct cxl_mem *cxlm,
 	if (cmd->info.size_in) {
 		mbox_cmd.payload_in = vmemdup_user(u64_to_user_ptr(in_payload),
 						   cmd->info.size_in);
-		if (IS_ERR(mbox_cmd.payload_in))
+		if (IS_ERR(mbox_cmd.payload_in)) {
+			kvfree(mbox_cmd.payload_out);
 			return PTR_ERR(mbox_cmd.payload_in);
+		}
 	}
 
 	rc = cxl_mem_mbox_get(cxlm);
@@ -696,7 +698,7 @@  static int cxl_query_cmd(struct cxl_memdev *cxlmd,
 	struct device *dev = &cxlmd->dev;
 	struct cxl_mem_command *cmd;
 	u32 n_commands;
-	int j = 0;
+	int cmds = 0;
 
 	dev_dbg(dev, "Query IOCTL\n");
 
@@ -714,10 +716,10 @@  static int cxl_query_cmd(struct cxl_memdev *cxlmd,
 	cxl_for_each_cmd(cmd) {
 		const struct cxl_command_info *info = &cmd->info;
 
-		if (copy_to_user(&q->commands[j++], info, sizeof(*info)))
+		if (copy_to_user(&q->commands[cmds++], info, sizeof(*info)))
 			return -EFAULT;
 
-		if (j == n_commands)
+		if (cmds == n_commands)
 			break;
 	}