From: Ben Widawsky
To: Dan Williams, linux-cxl@vger.kernel.org, linux-nvdimm@lists.01.org
Cc: Alison Schofield, Ben Widawsky, Al Viro, Konrad Rzeszutek Wilk, Jonathan Cameron
Subject: [PATCH] cxl/mem: Fixes to IOCTL interface
Date: Sat, 20 Feb 2021 13:56:41 -0800
Message-Id: <20210220215641.604535-1-ben.widawsky@intel.com>
X-Patchwork-Id: 12097093

When submitting a command for userspace, input and output payload bounce
buffers are allocated. For a given command, both input and output
buffers may exist and so when allocation of the input buffer fails, the
output buffer must be freed. As far as I can tell, userspace can't
easily exploit the leak to OOM a machine unless the machine was already
near OOM state.

This bug was introduced in v5 of the patch and did not exist in prior
revisions.

While here, adjust the variable 'j' found in patch review by Konrad.

Cc: Al Viro
Reported-by: Konrad Rzeszutek Wilk
Signed-off-by: Ben Widawsky Reviewed-by: Dan Williams (v2) Reviewed-by: Jonathan Cameron --- drivers/cxl/mem.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c index df895bcca63a..626fd7066f4f 100644 --- a/drivers/cxl/mem.c +++ b/drivers/cxl/mem.c @@ -514,8 +514,10 @@ static int handle_mailbox_cmd_from_user(struct cxl_mem *cxlm, if (cmd->info.size_in) { mbox_cmd.payload_in = vmemdup_user(u64_to_user_ptr(in_payload), cmd->info.size_in); - if (IS_ERR(mbox_cmd.payload_in)) + if (IS_ERR(mbox_cmd.payload_in)) { + kvfree(mbox_cmd.payload_out); return PTR_ERR(mbox_cmd.payload_in); + } } rc = cxl_mem_mbox_get(cxlm); @@ -696,7 +698,7 @@ static int cxl_query_cmd(struct cxl_memdev *cxlmd, struct device *dev = &cxlmd->dev; struct cxl_mem_command *cmd; u32 n_commands; - int j = 0; + int cmds = 0; dev_dbg(dev, "Query IOCTL\n"); @@ -714,10 +716,10 @@ static int cxl_query_cmd(struct cxl_memdev *cxlmd, cxl_for_each_cmd(cmd) { const struct cxl_command_info *info = &cmd->info; - if (copy_to_user(&q->commands[j++], info, sizeof(*info))) + if (copy_to_user(&q->commands[cmds++], info, sizeof(*info))) return -EFAULT; - if (j == n_commands) + if (cmds == n_commands) break; }
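
Review bot: In the first hunk (handle_mailbox_cmd_from_user), the new kvfree(mbox_cmd.payload_out) is open-coded in the early return, while the context line that follows, "rc = cxl_mem_mbox_get(cxlm);", starts another step whose failure path lies outside the hunk and must release both buffers. A single cleanup label reached by every exit after the allocations would keep the frees in one place; note that payload_in holds an ERR_PTR at this point, so such a label must not pass it to kvfree() unchanged. The unconditional kvfree() is also only correct if payload_out is NULL when no output buffer was allocated, which depends on how mbox_cmd is initialized above the hunk and is worth confirming.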
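
Review bot: In the second hunk (cxl_query_cmd declarations), the renamed counter stays "int cmds = 0;" directly below "u32 n_commands;", and the last hunk compares the two with "cmds == n_commands". Declaring the counter as u32 would match the bound it is checked against and remove the mixed signed/unsigned comparison.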
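
Review bot: In the loop of the last hunk, copy_to_user() into "&q->commands[cmds++]" runs before the "if (cmds == n_commands)" check, so the bound only holds when n_commands is at least 1. With n_commands == 0 the counter is already 1 at the first comparison, the equality never matches, and the loop keeps copying entries the caller did not size its array for. The guard for that case is not visible in this hunk; confirm it exists before the loop, or test the limit before copying, for example with "cmds >= n_commands" at the top of the loop body.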