
Commit 6b3a7077 authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'page-refs' (page ref overflow)

Merge page ref overflow branch.

Jann Horn reported that he can overflow the page ref count with
sufficient memory (and a filesystem that is intentionally extremely
slow).

Admittedly it's not exactly easy.  To have more than four billion
references to a page requires a minimum of 32GB of kernel memory just
for the pointers to the pages, much less any metadata to keep track of
those pointers.  Jann needed a total of 140GB of memory and a specially
crafted filesystem that leaves all reads pending (in order to not ever
free the page references and just keep adding more).

Still, we have a fairly straightforward way to limit the two obvious
user-controllable sources of page references: direct-IO like page
references gotten through get_user_pages(), and the splice pipe page
duplication.  So let's just do that.

* branch page-refs:
  fs: prevent page refcount overflow in pipe_buf_get
  mm: prevent get_user_pages() from overflowing page refcount
  mm: add 'try_get_page()' helper function
  mm: make page ref count overflow check tighter and more explicit
parents 4443f8e6 15fab63e
+6 −6
@@ -2056,10 +2056,8 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
		rem += pipe->bufs[(pipe->curbuf + idx) & (pipe->buffers - 1)].len;

	ret = -EINVAL;
	if (rem < len) {
		pipe_unlock(pipe);
		goto out;
	}
	if (rem < len)
		goto out_free;

	rem = len;
	while (rem) {
@@ -2077,7 +2075,9 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
			pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
			pipe->nrbufs--;
		} else {
			pipe_buf_get(pipe, ibuf);
			if (!pipe_buf_get(pipe, ibuf))
				goto out_free;

			*obuf = *ibuf;
			obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
			obuf->len = rem;
@@ -2100,11 +2100,11 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
	ret = fuse_dev_do_write(fud, &cs, len);

	pipe_lock(pipe);
out_free:
	for (idx = 0; idx < nbuf; idx++)
		pipe_buf_release(pipe, &bufs[idx]);
	pipe_unlock(pipe);

out:
	kvfree(bufs);
	return ret;
}
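Review bot: The new `goto out_free` after the failed `pipe_buf_get()` in the second hunk returns whatever `ret` holds at that point, which from the first hunk appears to be the `-EINVAL` set before the loop, so a refused page reference is reported the same way as a too-short pipe and differs from the `-EFAULT` that splice_pipe_to_pipe() and link_pipe() use for the same situation in this merge. Consider setting the code explicitly, `if (!pipe_buf_get(pipe, ibuf)) { ret = -EFAULT; goto out_free; }`, or add a one-line comment stating that -EINVAL is intended, so the three callers agree. The relabelling in the third hunk looks right as far as visible: buffers already copied into `bufs[0..nbuf)` are released and the pipe lock is dropped on both paths. fuse_dev_splice_write() begins, and the loop body continues, outside these hunks, so the lock state at the new `goto` and the value of `ret` there are inferred rather than visible.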
+2 −2
@@ -188,9 +188,9 @@ EXPORT_SYMBOL(generic_pipe_buf_steal);
 *	in the tee() system call, when we duplicate the buffers in one
 *	pipe into another.
 */
void generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
bool generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
{
	get_page(buf->page);
	return try_get_page(buf->page);
}
EXPORT_SYMBOL(generic_pipe_buf_get);

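Review bot: The kernel-doc block ending at ` */` above generic_pipe_buf_get() still describes only when the helper is used and says nothing about the boolean it now returns, so a reader has to follow try_get_page() to learn that the reference can be refused. Add a line such as ` * Return: %true if a page reference was taken, %false if try_get_page() refused it because the page refcount was not positive; the buffer must not be copied in that case.` The start of the comment block is outside the hunk.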
+10 −2
@@ -1593,7 +1593,11 @@ static int splice_pipe_to_pipe(struct pipe_inode_info *ipipe,
			 * Get a reference to this pipe buffer,
			 * so we can copy the contents over.
			 */
			pipe_buf_get(ipipe, ibuf);
			if (!pipe_buf_get(ipipe, ibuf)) {
				if (ret == 0)
					ret = -EFAULT;
				break;
			}
			*obuf = *ibuf;

			/*
@@ -1667,7 +1671,11 @@ static int link_pipe(struct pipe_inode_info *ipipe,
		 * Get a reference to this pipe buffer,
		 * so we can copy the contents over.
		 */
		pipe_buf_get(ipipe, ibuf);
		if (!pipe_buf_get(ipipe, ibuf)) {
			if (ret == 0)
				ret = -EFAULT;
			break;
		}

		obuf = opipe->bufs + nbuf;
		*obuf = *ibuf;
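Review bot: The two new failure branches in splice_pipe_to_pipe() and link_pipe() are identical five-line blocks with no comment explaining why `pipe_buf_get()` can now fail or why -EFAULT was chosen, and a future reader of either will not connect it to refcount overflow without the merge description. Add above each `if` a comment such as `/* pipe_buf_get() refuses a reference when the page refcount cannot safely be raised; stop and return what was already moved */`, or fold the block into a small static helper shared by both callers. Breaking before `*obuf = *ibuf` leaves the output pipe's bookkeeping untouched on failure, which looks correct from the visible lines; both functions begin and end outside these hunks, so how `ret` reaches the return value is inferred.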
+14 −1
@@ -966,6 +966,10 @@ static inline bool is_pci_p2pdma_page(const struct page *page)
}
#endif /* CONFIG_DEV_PAGEMAP_OPS */

/* 127: arbitrary random number, small enough to assemble well */
#define page_ref_zero_or_close_to_overflow(page) \
	((unsigned int) page_ref_count(page) + 127u <= 127u)

static inline void get_page(struct page *page)
{
	page = compound_head(page);
@@ -973,8 +977,17 @@ static inline void get_page(struct page *page)
	 * Getting a normal page or the head of a compound page
	 * requires to already have an elevated page->_refcount.
	 */
	VM_BUG_ON_PAGE(page_ref_count(page) <= 0, page);
	VM_BUG_ON_PAGE(page_ref_zero_or_close_to_overflow(page), page);
	page_ref_inc(page);
}

static inline __must_check bool try_get_page(struct page *page)
{
	page = compound_head(page);
	if (WARN_ON_ONCE(page_ref_count(page) <= 0))
		return false;
	page_ref_inc(page);
	return true;
}

static inline void put_page(struct page *page)
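Review bot: The comment above the changed `VM_BUG_ON_PAGE` in the second hunk still says only that an elevated `_refcount` is required, but the new macro fires for counts in [-127, 0] and deliberately lets more negative values through, which a reader will not expect; presumably that is so try_get_page() can treat a negative count as "refuse" via its `<= 0` test without tripping the BUG, since the `(unsigned int)` cast on the macro line suggests the count is signed. Extend that comment to say so, and give try_get_page() a kernel-doc block stating that it returns %false without taking a reference when the refcount is not positive, that the result must be checked (hence `__must_check`), and that its WARN_ON_ONCE is reachable through the pipe_buf_get() callers in this merge and so fires at most once. get_page() starts outside this hunk and put_page() continues past it.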
+6 −4
@@ -101,18 +101,20 @@ struct pipe_buf_operations {
	/*
	 * Get a reference to the pipe buffer.
	 */
	void (*get)(struct pipe_inode_info *, struct pipe_buffer *);
	bool (*get)(struct pipe_inode_info *, struct pipe_buffer *);
};

/**
 * pipe_buf_get - get a reference to a pipe_buffer
 * @pipe:	the pipe that the buffer belongs to
 * @buf:	the buffer to get a reference to
 *
 * Return: %true if the reference was successfully obtained.
 */
static inline void pipe_buf_get(struct pipe_inode_info *pipe,
static inline __must_check bool pipe_buf_get(struct pipe_inode_info *pipe,
				struct pipe_buffer *buf)
{
	buf->ops->get(pipe, buf);
	return buf->ops->get(pipe, buf);
}

/**
@@ -171,7 +173,7 @@ struct pipe_inode_info *alloc_pipe_info(void);
void free_pipe_info(struct pipe_inode_info *);

/* Generic pipe buffer ops functions */
void generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *);
bool generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *);
int generic_pipe_buf_confirm(struct pipe_inode_info *, struct pipe_buffer *);
int generic_pipe_buf_steal(struct pipe_inode_info *, struct pipe_buffer *);
void generic_pipe_buf_release(struct pipe_inode_info *, struct pipe_buffer *);
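Review bot: The `.get` op comment at the top of the first hunk, `Get a reference to the pipe buffer.`, was not updated for the new `bool` return, so implementors have no stated contract for when to return false or what the caller may do with the buffer afterward; suggest `* Get a reference to the pipe buffer. Returns false if the reference could not be taken; the caller must then not copy or use the buffer.` Every implementation of `.get` other than generic_pipe_buf_get() must also move to the bool signature, which this diff does not show, so it is worth confirming no not-yet-converted implementor still returns void (the assignment would only warn as an incompatible pointer type, not fail). The `__must_check` on pipe_buf_get() is the right guard for the callers converted in the other files.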