Commit 75723957 authored by Linus Torvalds's avatar Linus Torvalds

Fix possible splice() mmap_sem deadlock

Nick Piggin points out that splice isn't being good about the mmap
semaphore: while two readers can nest inside each others, it does leave
a possible deadlock if a writer (ie a new mmap()) comes in during that
nesting.

Original "just move the locking" patch by Nick, replaced by one by me
based on an optimistic pagefault_disable().  And then Jens tested and
updated that patch.
Reported-by: default avatarNick Piggin <npiggin@suse.de>
Tested-by: default avatarJens Axboe <jens.axboe@oracle.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent e2cd68f7
...@@ -1223,6 +1223,33 @@ static long do_splice(struct file *in, loff_t __user *off_in, ...@@ -1223,6 +1223,33 @@ static long do_splice(struct file *in, loff_t __user *off_in,
return -EINVAL; return -EINVAL;
} }
/*
* Do a copy-from-user while holding the mmap_semaphore for reading, in a
* manner safe from deadlocking with simultaneous mmap() (grabbing mmap_sem
* for writing) and page faulting on the user memory pointed to by src.
* This assumes that we will very rarely hit the partial != 0 path, or this
* will not be a win.
*/
static int copy_from_user_mmap_sem(void *dst, const void __user *src, size_t n)
{
int partial;
pagefault_disable();
partial = __copy_from_user_inatomic(dst, src, n);
pagefault_enable();
/*
* Didn't copy everything, drop the mmap_sem and do a faulting copy
*/
if (unlikely(partial)) {
up_read(&current->mm->mmap_sem);
partial = copy_from_user(dst, src, n);
down_read(&current->mm->mmap_sem);
}
return partial;
}
/* /*
* Map an iov into an array of pages and offset/length tupples. With the * Map an iov into an array of pages and offset/length tupples. With the
* partial_page structure, we can map several non-contiguous ranges into * partial_page structure, we can map several non-contiguous ranges into
...@@ -1236,31 +1263,26 @@ static int get_iovec_page_array(const struct iovec __user *iov, ...@@ -1236,31 +1263,26 @@ static int get_iovec_page_array(const struct iovec __user *iov,
{ {
int buffers = 0, error = 0; int buffers = 0, error = 0;
/*
* It's ok to take the mmap_sem for reading, even
* across a "get_user()".
*/
down_read(&current->mm->mmap_sem); down_read(&current->mm->mmap_sem);
while (nr_vecs) { while (nr_vecs) {
unsigned long off, npages; unsigned long off, npages;
struct iovec entry;
void __user *base; void __user *base;
size_t len; size_t len;
int i; int i;
/* error = -EFAULT;
* Get user address base and length for this iovec. if (copy_from_user_mmap_sem(&entry, iov, sizeof(entry)))
*/
error = get_user(base, &iov->iov_base);
if (unlikely(error))
break;
error = get_user(len, &iov->iov_len);
if (unlikely(error))
break; break;
base = entry.iov_base;
len = entry.iov_len;
/* /*
* Sanity check this iovec. 0 read succeeds. * Sanity check this iovec. 0 read succeeds.
*/ */
error = 0;
if (unlikely(!len)) if (unlikely(!len))
break; break;
error = -EFAULT; error = -EFAULT;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment