linux-rpi.git / commitdiff (parent: 409d45b)
floppy: Add max size check for user space request
author Xiongwei Song <sxwjean@gmail.com> Tue, 16 Nov 2021 13:10:33 +0000 (21:10 +0800)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org> Thu, 27 Jan 2022 09:54:14 +0000 (10:54 +0100)
[ Upstream commit 545a32498c536ee152331cd2e7d2416aa0f20e01 ]
We need to check the max request size that comes from user space before
allocating pages. If the request size exceeds the limit, return -EINVAL.
This check can avoid the warning below from the page allocator.
WARNING: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 current_gfp_context include/linux/sched/mm.h:195 [inline]
WARNING: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 __alloc_pages+0x45d/0x500 mm/page_alloc.c:5356
Modules linked in:
CPU: 3 PID: 16525 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:__alloc_pages+0x45d/0x500 mm/page_alloc.c:5344
Code: be c9 00 00 00 48 c7 c7 20 4a 97 89 c6 05 62 32 a7 0b 01 e8 74 9a 42 07 e9 6a ff ff ff 0f 0b e9 a0 fd ff ff 40 80 e5 3f eb 88 <0f> 0b e9 18 ff ff ff 4c 89 ef 44 89 e6 45 31 ed e8 1e 76 ff ff e9
RSP: 0018:ffffc90023b87850 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff92004770f0b RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000033 RDI: 0000000000010cc1
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff81bb4686 R11: 0000000000000001 R12: ffffffff902c1960
R13: 0000000000000033 R14: 0000000000000000 R15: ffff88804cf64a30
FS:  0000000000000000(0000) GS:ffff88802cd00000(0063) knlGS:00000000f44b4b40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000000002c921000 CR3: 000000004f507000 CR4: 0000000000150ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191
__get_free_pages+0x8/0x40 mm/page_alloc.c:5418
raw_cmd_copyin drivers/block/floppy.c:3113 [inline]
raw_cmd_ioctl drivers/block/floppy.c:3160 [inline]
fd_locked_ioctl+0x12e5/0x2820 drivers/block/floppy.c:3528
fd_ioctl drivers/block/floppy.c:3555 [inline]
fd_compat_ioctl+0x891/0x1b60 drivers/block/floppy.c:3869
compat_blkdev_ioctl+0x3b8/0x810 block/ioctl.c:662
__do_compat_sys_ioctl+0x1c7/0x290 fs/ioctl.c:972
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
Reported-by: syzbot+23a02c7df2cf2bc93fa2@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20211116131033.27685-1-sxwjean@me.com
Signed-off-by: Xiongwei Song <sxwjean@gmail.com>
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
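The size validation the commit message describes, modelled in user space as an added example; this is not code from the kernel tree or from the patch author. It assumes the x86-64 build defaults PAGE_SHIFT 12 and MAX_ORDER 11, and the page allocator rule that any order >= MAX_ORDER is refused with the WARNING shown above. The names model_get_order(), model_get_free_pages(), validate_none(), validate_patch(), validate_tight() and raw_cmd_length_model() are chosen here. It goes one step beyond the patch by putting a second, tighter bound next to the patch's MAX_LEN, so the lengths that pass the check but still reach the allocator with an out-of-range order can be seen directly.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed build constants (x86-64 defaults for this kernel generation):
 * 4 KiB pages, and a page allocator whose largest block is order
 * MAX_ORDER - 1. __alloc_pages() warns and returns NULL for any order
 * >= MAX_ORDER; that is the WARNING quoted in the commit message. */
#define PAGE_SHIFT 12
#define MAX_ORDER  11

/* Same bound the patch adds: 2^MAX_ORDER pages, one order above the
 * largest block the allocator can actually hand out. */
#define MAX_LEN_PATCH (1UL << MAX_ORDER << PAGE_SHIFT)
/* Tighter bound: exactly the largest allocatable block, 2^(MAX_ORDER-1) pages. */
#define MAX_LEN_TIGHT (1UL << (MAX_ORDER - 1) << PAGE_SHIFT)

/* Outcome code for "reached the allocator with order >= MAX_ORDER". */
#define OUTCOME_WARN (-1)

/* Mirror of the kernel's get_order(): the smallest order whose block
 * covers size bytes. Callers guarantee size > 0. */
static int model_get_order(unsigned long size)
{
	int order = 0;

	size = (size - 1) >> PAGE_SHIFT;
	while (size) {
		order++;
		size >>= 1;
	}
	return order;
}

/* Model of __get_free_pages(): the order used, or OUTCOME_WARN on the path
 * where the real allocator emits the WARNING and returns NULL. */
static int model_get_free_pages(unsigned long size)
{
	int order = model_get_order(size);

	return order >= MAX_ORDER ? OUTCOME_WARN : order;
}

/* Pre-patch behaviour: only the length <= 0 test existed. */
static int validate_none(long length)
{
	return length <= 0 ? -EINVAL : 0;
}

/* The check the patch adds. The length <= 0 test runs first, so the
 * signed/unsigned comparison only ever sees a positive length. */
static int validate_patch(long length)
{
	if (length <= 0 || (unsigned long)length >= MAX_LEN_PATCH)
		return -EINVAL;
	return 0;
}

/* Bound tied to the largest block the allocator can actually return. */
static int validate_tight(long length)
{
	if (length <= 0 || (unsigned long)length > MAX_LEN_TIGHT)
		return -EINVAL;
	return 0;
}

/* One user-controlled raw command length through a validator and then the
 * allocator model. Returns -EINVAL (rejected up front), OUTCOME_WARN (the
 * allocator would have warned) or the order that would have been allocated. */
static int raw_cmd_length_model(long length, int (*validate)(long))
{
	int rc = validate(length);

	if (rc)
		return rc;
	return model_get_free_pages((unsigned long)length);
}

int main(void)
{
	/* Constructed probe lengths around the two bounds. */
	const long probes[] = {
		512,                      /* one sector */
		(long)MAX_LEN_TIGHT,      /* largest allocatable block */
		(long)MAX_LEN_TIGHT + 1,  /* one byte past it */
		(long)MAX_LEN_PATCH - 1,  /* just under the patch's bound */
		(long)MAX_LEN_PATCH,      /* the patch's bound itself */
		1L << 30,                 /* an oversized request */
	};
	static const char *const names[] = { "none", "patch", "tight" };
	int (*const validators[])(long) = { validate_none, validate_patch, validate_tight };
	size_t i, j;

	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		for (j = 0; j < 3; j++)
			printf("length=%-10ld validator=%-5s -> %d\n", probes[i], names[j],
			       raw_cmd_length_model(probes[i], validators[j]));
	return 0;
}
```

Build with `cc -Wall` and run: every row printing -1 is a request that would still reach __alloc_pages() with an order it refuses. With the patch's bound those rows are the lengths between 2^(MAX_ORDER-1) pages and 2^MAX_ORDER pages; with the tighter bound they disappear.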
drivers/block/floppy.c
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index eb4f841902aeea377b52e27a36e1e05fcccd4bf3..aaee15058d181409ffeda855dc9b284bcc6c5e70 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@
-3169,6
+3169,8
@@
static void raw_cmd_free(struct floppy_raw_cmd **ptr)
}
}
+#define MAX_LEN (1UL << MAX_ORDER << PAGE_SHIFT)
+
static int raw_cmd_copyin(int cmd, void __user *param,
struct floppy_raw_cmd **rcmd)
{
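Review bot: MAX_LEN in the new #define is one order above what the allocator can deliver, so the high end of the bound is loose. The largest order __get_free_pages() accepts is MAX_ORDER - 1, and the WARN_ON_ONCE quoted in the commit message fires for any order >= MAX_ORDER; a request a few bytes longer than 1UL << (MAX_ORDER - 1) << PAGE_SHIFT is still below MAX_LEN, so it passes the new test yet needs order MAX_ORDER, and the warning stays reachable for that window. Suggest `#define MAX_LEN (1UL << (MAX_ORDER - 1) << PAGE_SHIFT)` together with a `>` rather than `>=` comparison in the following hunk, plus a one-line comment saying the limit tracks the page allocator's largest block rather than anything floppy-specific; without it the dependence on the meaning of MAX_ORDER is invisible to whoever later changes that constant.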
@@
-3198,7
+3200,7
@@
loop:
ptr->resultcode = 0;
if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
- if (ptr->length <= 0)
+ if (ptr->length <= 0
|| ptr->length >= MAX_LEN
)
return -EINVAL;
ptr->kernel_data = (char *)fd_dma_mem_alloc(ptr->length);
fallback_on_nodma_alloc(&ptr->kernel_data, ptr->length);
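Review bot: the new comparison mixes the signed `ptr->length` (a long in struct floppy_raw_cmd) with the unsigned MAX_LEN, and is only safe because `ptr->length <= 0` runs first and short-circuits negative values away; that ordering deserves a comment so a later tidy-up does not reorder the operands. Two things the placement gets right and should be kept: the test sits under the `loop:` label, so it applies to every command the loop copies in and not only the first, and raw_cmd_copyin() is reached from fd_ioctl() and fd_compat_ioctl() alike (see the call trace), so the compat ioctl path in the report is covered. The check does not make the fd_dma_mem_alloc() call on the following line infallible, though: an in-range multi-megabyte order can still fail under fragmentation, so the existing fallback_on_nodma_alloc() handling remains the path that deals with allocation failure and should not be simplified on the strength of this change.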