fs: prevent page refcount overflow in pipe_buf_get

Change pipe_buf_get() to return a bool indicating whether it succeeded
in raising the refcount of the page (if the thing in the pipe is a page).
This removes another mechanism for overflowing the page refcount.  All
callers converted to handle a failure.

Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Matthew Wilcox <willy@infradead.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

5 files changed, 29 insertions, 15 deletions

diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 809c0f2f9942..64f4de983468 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -2034,10 +2034,8 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
                 rem += pipe->bufs[(pipe->curbuf + idx) & (pipe->buffers - 1)].len;
 
         ret = -EINVAL;
-        if (rem < len) {
-                pipe_unlock(pipe);
-                goto out;
-        }
+        if (rem < len)
+                goto out_free;
 
         rem = len;
         while (rem) {
@@ -2055,7 +2053,9 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
                         pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
                         pipe->nrbufs--;
                 } else {
-                        pipe_buf_get(pipe, ibuf);
+                        if (!pipe_buf_get(pipe, ibuf))
+                                goto out_free;
+
                         *obuf = *ibuf;
                         obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
                         obuf->len = rem;
@@ -2078,11 +2078,11 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
         ret = fuse_dev_do_write(fud, &cs, len);
 
         pipe_lock(pipe);
+out_free:
         for (idx = 0; idx < nbuf; idx++)
                 pipe_buf_release(pipe, &bufs[idx]);
         pipe_unlock(pipe);
 
-out:
         kvfree(bufs);
         return ret;
 }
diff --git a/fs/pipe.c b/fs/pipe.c
index bdc5d3c0977d..b1543b85c14a 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -189,9 +189,9 @@ EXPORT_SYMBOL(generic_pipe_buf_steal);
  *      in the tee() system call, when we duplicate the buffers in one
  *      pipe into another.
  */
-void generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
+bool generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
 {
-        get_page(buf->page);
+        return try_get_page(buf->page);
 }
 EXPORT_SYMBOL(generic_pipe_buf_get);
 
diff --git a/fs/splice.c b/fs/splice.c
index de2ede048473..f30af82b850d 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1588,7 +1588,11 @@ retry:
                          * Get a reference to this pipe buffer,
                          * so we can copy the contents over.
                          */
-                        pipe_buf_get(ipipe, ibuf);
+                        if (!pipe_buf_get(ipipe, ibuf)) {
+                                if (ret == 0)
+                                        ret = -EFAULT;
+                                break;
+                        }
                         *obuf = *ibuf;
 
                         /*
@@ -1660,7 +1664,11 @@ static int link_pipe(struct pipe_inode_info *ipipe,
                  * Get a reference to this pipe buffer,
                  * so we can copy the contents over.
                  */
-                pipe_buf_get(ipipe, ibuf);
+                if (!pipe_buf_get(ipipe, ibuf)) {
+                        if (ret == 0)
+                                ret = -EFAULT;
+                        break;
+                }
 
                 obuf = opipe->bufs + nbuf;
                 *obuf = *ibuf;
diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
index 5a3bb3b7c9ad..3f2a42c11e20 100644
--- a/include/linux/pipe_fs_i.h
+++ b/include/linux/pipe_fs_i.h
@@ -108,18 +108,20 @@ struct pipe_buf_operations {
         /*
          * Get a reference to the pipe buffer.
          */
-        void (*get)(struct pipe_inode_info *, struct pipe_buffer *);
+        bool (*get)(struct pipe_inode_info *, struct pipe_buffer *);
 };
 
 /**
  * pipe_buf_get - get a reference to a pipe_buffer
  * @pipe:       the pipe that the buffer belongs to
  * @buf:        the buffer to get a reference to
+ *
+ * Return: %true if the reference was successfully obtained.
  */
-static inline void pipe_buf_get(struct pipe_inode_info *pipe,
+static inline __must_check bool pipe_buf_get(struct pipe_inode_info *pipe,
                                 struct pipe_buffer *buf)
 {
-        buf->ops->get(pipe, buf);
+        return buf->ops->get(pipe, buf);
 }
 
 /**
@@ -178,7 +180,7 @@ struct pipe_inode_info *alloc_pipe_info(void);
 void free_pipe_info(struct pipe_inode_info *);
 
 /* Generic pipe buffer ops functions */
-void generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *);
+bool generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *);
 int generic_pipe_buf_confirm(struct pipe_inode_info *, struct pipe_buffer *);
 int generic_pipe_buf_steal(struct pipe_inode_info *, struct pipe_buffer *);
 void generic_pipe_buf_release(struct pipe_inode_info *, struct pipe_buffer *);
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index c4238b441624..0f300d488c9f 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -6835,12 +6835,16 @@ static void buffer_pipe_buf_release(struct pipe_inode_info *pipe,
         buf->private = 0;
 }
 
-static void buffer_pipe_buf_get(struct pipe_inode_info *pipe,
+static bool buffer_pipe_buf_get(struct pipe_inode_info *pipe,
                                 struct pipe_buffer *buf)
 {
         struct buffer_ref *ref = (struct buffer_ref *)buf->private;
 
+        if (ref->ref > INT_MAX/2)
+                return false;
+
         ref->ref++;
+        return true;
 }
 
 /* Pipe buffer operations for a buffer. */