diff options
author | NeilBrown <neilb@suse.com> | 2017-04-02 21:30:34 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-04-12 06:41:11 -0400 |
commit | d9eedab38395ac98c21545a5aa0664112af0526b (patch) | |
tree | 5c7086647f188433fe38207e336490c137d945a1 | |
parent | 4ddd24d54fedff301e8f020d7b9f70116383af31 (diff) |
sysfs: be careful of error returns from ops->show()
commit c8a139d001a1aab1ea8734db14b22dac9dd143b6 upstream.
ops->show() can return a negative error code.
Commit 65da3484d9be ("sysfs: correctly handle short reads on PREALLOC attrs.")
(in v4.4) caused this to be stored in an unsigned 'size_t' variable, so errors
would look like large numbers.
As a result, if an error is returned, sysfs_kf_read() will return the
value of 'count', typically 4096.
Commit 17d0774f8068 ("sysfs: correctly handle read offset on PREALLOC attrs")
(in v4.8) extended this error to use the unsigned large 'len' as a size for
memmove().
Consequently, if ->show returns an error, then the first read() on the
sysfs file will return 4096 and could return uninitialized memory to
user-space.
If the application performs a subsequent read, this will trigger a memmove()
with extremely large count, and is likely to crash the machine is bizarre ways.
This bug can currently only be triggered by reading from an md
sysfs attribute declared with __ATTR_PREALLOC() during the
brief period between when mddev_put() deletes an mddev from
the ->all_mddevs list, and when mddev_delayed_delete() - which is
scheduled on a workqueue - completes.
Before this, an error won't be returned by the ->show()
After this, the ->show() won't be called.
I can reproduce it reliably only by putting delay like
usleep_range(500000,700000);
early in mddev_delayed_delete(). Then after creating an
md device md0 run
echo clear > /sys/block/md0/md/array_state; cat /sys/block/md0/md/array_state
The bug can be triggered without the usleep.
Fixes: 65da3484d9be ("sysfs: correctly handle short reads on PREALLOC attrs.")
Fixes: 17d0774f8068 ("sysfs: correctly handle read offset on PREALLOC attrs")
Signed-off-by: NeilBrown <neilb@suse.com>
Acked-by: Tejun Heo <tj@kernel.org>
Reported-and-tested-by: Miroslav Benes <mbenes@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | fs/sysfs/file.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c index b803213d1307..39c75a86c67f 100644 --- a/fs/sysfs/file.c +++ b/fs/sysfs/file.c | |||
@@ -108,7 +108,7 @@ static ssize_t sysfs_kf_read(struct kernfs_open_file *of, char *buf, | |||
108 | { | 108 | { |
109 | const struct sysfs_ops *ops = sysfs_file_ops(of->kn); | 109 | const struct sysfs_ops *ops = sysfs_file_ops(of->kn); |
110 | struct kobject *kobj = of->kn->parent->priv; | 110 | struct kobject *kobj = of->kn->parent->priv; |
111 | size_t len; | 111 | ssize_t len; |
112 | 112 | ||
113 | /* | 113 | /* |
114 | * If buf != of->prealloc_buf, we don't know how | 114 | * If buf != of->prealloc_buf, we don't know how |
@@ -117,13 +117,15 @@ static ssize_t sysfs_kf_read(struct kernfs_open_file *of, char *buf, | |||
117 | if (WARN_ON_ONCE(buf != of->prealloc_buf)) | 117 | if (WARN_ON_ONCE(buf != of->prealloc_buf)) |
118 | return 0; | 118 | return 0; |
119 | len = ops->show(kobj, of->kn->priv, buf); | 119 | len = ops->show(kobj, of->kn->priv, buf); |
120 | if (len < 0) | ||
121 | return len; | ||
120 | if (pos) { | 122 | if (pos) { |
121 | if (len <= pos) | 123 | if (len <= pos) |
122 | return 0; | 124 | return 0; |
123 | len -= pos; | 125 | len -= pos; |
124 | memmove(buf, buf + pos, len); | 126 | memmove(buf, buf + pos, len); |
125 | } | 127 | } |
126 | return min(count, len); | 128 | return min_t(ssize_t, count, len); |
127 | } | 129 | } |
128 | 130 | ||
129 | /* kernfs write callback for regular sysfs files */ | 131 | /* kernfs write callback for regular sysfs files */ |