more bio_map_user_iov() leak fixes

we need to take care of failure exit as well - pages already in bio should be dropped by analogue of bio_unmap_pages(), since their refcounts had been bumped only once per reference in bio. Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> CVE-CVE-2017-12190 (backported from commit 2b04e8f6) [klebers: page_cache_release() is defined as put_page(), but keep it as page_cache_release() for consistency with the rest of the code.] Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

more bio_map_user_iov() leak fixes
we need to take care of failure exit as well - pages already in bio should be dropped by analogue of bio_unmap_pages(), since their refcounts had been bumped only once per reference in bio. Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> CVE-CVE-2017-12190 (backported from commit 2b04e8f6) [klebers: page_cache_release() is defined as put_page(), but keep it as page_cache_release() for consistency with the rest of the code.] Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
dc41cd4a · Al Viro · Stefan Bader · 63cf10be · dc41cd4a
Commit dc41cd4a authored Dec 08, 2017 by Al Viro Committed by Stefan Bader Jan 23, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 5 deletions

block/bio.c block/bio.c +9 -5

No files found.
--- a/block/bio.c
+++ b/block/bio.c
@@ -1268,6 +1268,7 @@ struct bio *bio_map_user_iov(struct request_queue *q,
 	int ret, offset;
 	struct iov_iter i;
 	struct iovec iov;
+	struct bio_vec *bvec;

 	iov_for_each(iov, i, *iter) {
 		unsigned long uaddr = (unsigned long) iov.iov_base;
@@ -1312,7 +1313,12 @@ struct bio *bio_map_user_iov(struct request_queue *q,
 		ret = get_user_pages_fast(uaddr, local_nr_pages,
 				(iter->type & WRITE) != WRITE,
 				&pages[cur_page]);
-		if (ret < local_nr_pages) {
+		if (unlikely(ret < local_nr_pages)) {
+			for (j = cur_page; j < page_limit; j++) {
+				if (!pages[j])
+					break;
+				put_page(pages[j]);
+			}
 			ret = -EFAULT;
 			goto out_unmap;
 		}
@@ -1374,10 +1380,8 @@ struct bio *bio_map_user_iov(struct request_queue *q,
 	return bio;

 out_unmap:
-	for (j = 0; j < nr_pages; j++) {
-		if (!pages[j])
-			break;
-		page_cache_release(pages[j]);
+	bio_for_each_segment_all(bvec, bio, j) {
+		page_cache_release(bvec->bv_page);
 	}
 out:
 	kfree(pages);