1. 09 Jan, 2016 8 commits
    • fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE · 90330e68
      Abhi Das authored
      During testing, I discovered that __generic_file_splice_read() returns
      0 (EOF) when aops->readpage fails with AOP_TRUNCATED_PAGE on the first
      page of a single/multi-page splice read operation. This EOF return code
      causes the userspace test to (correctly) report a zero-length read error
      when it was expecting otherwise.
      
      The current strategy of returning a partial non-zero read when ->readpage
      returns AOP_TRUNCATED_PAGE works only when the failed page is not the
      first of the lot being processed.
      
      This patch attempts to retry lookup and call ->readpage again on pages
      that had previously failed with AOP_TRUNCATED_PAGE. With this patch, my
      tests pass and I haven't noticed any unwanted side effects.
      
      This version removes the thrice-retry loop and instead indefinitely
      retries lookups on AOP_TRUNCATED_PAGE errors from ->readpage. This
      behavior is now similar to do_generic_file_read().
      Signed-off-by: Abhi Das <adas@redhat.com>
      Reviewed-by: Jan Kara <jack@suse.cz>
      Cc: Bob Peterson <rpeterso@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • fs: xattr: Use kvfree() · 0b2a6f23
      Richard Weinberger authored
      ... instead of open coding it.
      Signed-off-by: Richard Weinberger <richard@nod.at>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • nbd: use ->compat_ioctl() · 263a3df1
      Al Viro authored
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • Merge branch 'for-linus' into work.misc · 6108209c
      Al Viro authored
    • compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS) · a7f61e89
      Jann Horn authored
      This replaces all code in fs/compat_ioctl.c that translated
      ioctl arguments into an in-kernel structure, then performed
      do_ioctl under set_fs(KERNEL_DS), with code that allocates
      data on the user stack and can call the VFS ioctl handler
      under USER_DS.
      
      This is done as a hardening measure because the caller
      does not know what kind of ioctl handler will be invoked,
      only that no corresponding compat_ioctl handler exists and
      what the ioctl command number is. The accidental
      invocation of an unlocked_ioctl handler that unexpectedly
      calls copy_to_user could be a severe security issue.
      Signed-off-by: Jann Horn <jann@thejh.net>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • 66cf191f
    • compat_ioctl: don't look up the fd twice · b4341721
      Jann Horn authored
      In code in fs/compat_ioctl.c that translates ioctl arguments
      into an in-kernel structure, then performs sys_ioctl, possibly
      under set_fs(KERNEL_DS), this commit changes the sys_ioctl
      calls to do_ioctl calls. do_ioctl is a new function that does
      the same thing as sys_ioctl, but doesn't look up the fd again.
      
      This change is made to avoid (potential) security issues
      because of ioctl handlers that accept one of the ioctl
      commands I2C_FUNCS, VIDEO_GET_EVENT, MTIOCPOS, MTIOCGET,
      TIOCGSERIAL, TIOCSSERIAL, RTC_IRQP_READ, RTC_EPOCH_READ.
      This can happen for multiple reasons:
      
       - The ioctl command number could be reused.
       - The ioctl handler might not check the full ioctl
         command. This is e.g. true for drm_ioctl.
       - The ioctl handler is very special, e.g. cuse_file_ioctl
      
      The real issue is that set_fs(KERNEL_DS) is used here,
      but that's fixed in a separate commit
      "compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)".
      
      This change mitigates potential security issues by
      preventing a race that permits invocation of
      unlocked_ioctl handlers under KERNEL_DS through compat
      code even if a corresponding compat_ioctl handler exists.
      
      So far, no way has been identified to use this to damage
      kernel memory without having CAP_SYS_ADMIN in the init ns
      (with the capability, doing reads/writes at arbitrary
      kernel addresses should be easy through CUSE's ioctl
      handler with FUSE_IOCTL_UNRESTRICTED set).
      
      [AV: two missed sys_ioctl() taken care of]
      Signed-off-by: Jann Horn <jann@thejh.net>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  2. 06 Jan, 2016 8 commits
  3. 04 Jan, 2016 22 commits
  4. 03 Jan, 2016 2 commits