diff options
| author | Al Viro <viro@zeniv.linux.org.uk> | 2017-06-29 21:52:57 -0400 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2017-06-29 22:21:23 -0400 |
| commit | 72e809ed81edf81b93d3a36b7238ba50d67f043d (patch) | |
| tree | 77da2a68e94ab270adfde753e1fd00ac4bfe1a18 /lib/iov_iter.c | |
| parent | aa28de275a248879f9828cb9f7ee7e119c72ff96 (diff) | |
iov_iter: sanity checks for copy to/from page primitives
for now - just that we don't attempt to cross out of compound page
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'lib/iov_iter.c')
| -rw-r--r-- | lib/iov_iter.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/lib/iov_iter.c b/lib/iov_iter.c index bc4a63ebe91a..b50a478f9d34 100644 --- a/lib/iov_iter.c +++ b/lib/iov_iter.c | |||
| @@ -639,9 +639,20 @@ bool _copy_from_iter_full_nocache(void *addr, size_t bytes, struct iov_iter *i) | |||
| 639 | } | 639 | } |
| 640 | EXPORT_SYMBOL(_copy_from_iter_full_nocache); | 640 | EXPORT_SYMBOL(_copy_from_iter_full_nocache); |
| 641 | 641 | ||
| 642 | static inline bool page_copy_sane(struct page *page, size_t offset, size_t n) | ||
| 643 | { | ||
| 644 | size_t v = n + offset; | ||
| 645 | if (likely(n <= v && v <= (PAGE_SIZE << compound_order(page)))) | ||
| 646 | return true; | ||
| 647 | WARN_ON(1); | ||
| 648 | return false; | ||
| 649 | } | ||
| 650 | |||
| 642 | size_t copy_page_to_iter(struct page *page, size_t offset, size_t bytes, | 651 | size_t copy_page_to_iter(struct page *page, size_t offset, size_t bytes, |
| 643 | struct iov_iter *i) | 652 | struct iov_iter *i) |
| 644 | { | 653 | { |
| 654 | if (unlikely(!page_copy_sane(page, offset, bytes))) | ||
| 655 | return 0; | ||
| 645 | if (i->type & (ITER_BVEC|ITER_KVEC)) { | 656 | if (i->type & (ITER_BVEC|ITER_KVEC)) { |
| 646 | void *kaddr = kmap_atomic(page); | 657 | void *kaddr = kmap_atomic(page); |
| 647 | size_t wanted = copy_to_iter(kaddr + offset, bytes, i); | 658 | size_t wanted = copy_to_iter(kaddr + offset, bytes, i); |
| @@ -657,6 +668,8 @@ EXPORT_SYMBOL(copy_page_to_iter); | |||
| 657 | size_t copy_page_from_iter(struct page *page, size_t offset, size_t bytes, | 668 | size_t copy_page_from_iter(struct page *page, size_t offset, size_t bytes, |
| 658 | struct iov_iter *i) | 669 | struct iov_iter *i) |
| 659 | { | 670 | { |
| 671 | if (unlikely(!page_copy_sane(page, offset, bytes))) | ||
| 672 | return 0; | ||
| 660 | if (unlikely(i->type & ITER_PIPE)) { | 673 | if (unlikely(i->type & ITER_PIPE)) { |
| 661 | WARN_ON(1); | 674 | WARN_ON(1); |
| 662 | return 0; | 675 | return 0; |
| @@ -713,6 +726,10 @@ size_t iov_iter_copy_from_user_atomic(struct page *page, | |||
| 713 | struct iov_iter *i, unsigned long offset, size_t bytes) | 726 | struct iov_iter *i, unsigned long offset, size_t bytes) |
| 714 | { | 727 | { |
| 715 | char *kaddr = kmap_atomic(page), *p = kaddr + offset; | 728 | char *kaddr = kmap_atomic(page), *p = kaddr + offset; |
| 729 | if (unlikely(!page_copy_sane(page, offset, bytes))) { | ||
| 730 | kunmap_atomic(kaddr); | ||
| 731 | return 0; | ||
| 732 | } | ||
| 716 | if (unlikely(i->type & ITER_PIPE)) { | 733 | if (unlikely(i->type & ITER_PIPE)) { |
| 717 | kunmap_atomic(kaddr); | 734 | kunmap_atomic(kaddr); |
| 718 | WARN_ON(1); | 735 | WARN_ON(1); |