lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 25 Jun 2014 16:17:29 +0400
From:	Maxim Patlasov <MPatlasov@...allels.com>
To:	miklos@...redi.hu
Cc:	fuse-devel@...ts.sourceforge.net, linux-kernel@...r.kernel.org
Subject: [PATCH] fuse: avoid scheduling while atomic

As reported by Richard Sharpe, an attempt to use fuse_notify_inval_entry()
triggers complains about scheduling while atomic:

> Jun 23 11:53:24 localhost kernel: BUG: scheduling while atomic:
fuse.hf/13976/0x10000001

This happens because fuse_notify_inval_entry() attempts to allocate memory
with GFP_KERNEL, holding "struct fuse_copy_state" mapped by kmap_atomic().

The patch fixes the problem for fuse_notify_inval_entry() and other notifiers
by unmapping fuse_copy_state before allocations and remapping it again
afterwards.

Reported-by: Richard Sharpe <realrichardsharpe@...il.com>
Signed-off-by: Maxim Patlasov <mpatlasov@...allels.com>
---
 fs/fuse/dev.c |   24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 098f97b..502aa1d 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -755,6 +755,22 @@ static int fuse_copy_fill(struct fuse_copy_state *cs)
 	return lock_request(cs->fc, cs->req);
 }
 
+static void fuse_copy_unmap(struct fuse_copy_state *cs)
+{
+	cs->buf = (void *)(cs->buf - cs->mapaddr);
+	kunmap_atomic(cs->mapaddr);
+}
+
+static void fuse_copy_remap(struct fuse_copy_state *cs)
+{
+	if (cs->currbuf)
+		cs->mapaddr = kmap_atomic(cs->currbuf->page);
+	else
+		cs->mapaddr = kmap_atomic(cs->pg);
+
+	cs->buf = (unsigned long)cs->buf + cs->mapaddr;
+}
+
 /* Do as much copy to/from userspace buffer as we can */
 static int fuse_copy_do(struct fuse_copy_state *cs, void **val, unsigned *size)
 {
@@ -1431,7 +1447,9 @@ static int fuse_notify_inval_entry(struct fuse_conn *fc, unsigned int size,
 	char *buf;
 	struct qstr name;
 
+	fuse_copy_unmap(cs);
 	buf = kzalloc(FUSE_NAME_MAX + 1, GFP_KERNEL);
+	fuse_copy_remap(cs);
 	if (!buf)
 		goto err;
 
@@ -1482,7 +1500,9 @@ static int fuse_notify_delete(struct fuse_conn *fc, unsigned int size,
 	char *buf;
 	struct qstr name;
 
+	fuse_copy_unmap(cs);
 	buf = kzalloc(FUSE_NAME_MAX + 1, GFP_KERNEL);
+	fuse_copy_remap(cs);
 	if (!buf)
 		goto err;
 
@@ -1554,6 +1574,7 @@ static int fuse_notify_store(struct fuse_conn *fc, unsigned int size,
 
 	nodeid = outarg.nodeid;
 
+	fuse_copy_unmap(cs);
 	down_read(&fc->killsb);
 
 	err = -ENOENT;
@@ -1586,7 +1607,9 @@ static int fuse_notify_store(struct fuse_conn *fc, unsigned int size,
 			goto out_iput;
 
 		this_num = min_t(unsigned, num, PAGE_CACHE_SIZE - offset);
+		fuse_copy_remap(cs);
 		err = fuse_copy_page(cs, &page, offset, this_num, 0);
+		fuse_copy_unmap(cs);
 		if (!err && offset == 0 &&
 		    (this_num == PAGE_CACHE_SIZE || file_size == end))
 			SetPageUptodate(page);
@@ -1607,6 +1630,7 @@ out_iput:
 	iput(inode);
 out_up_killsb:
 	up_read(&fc->killsb);
+	fuse_copy_remap(cs);
 out_finish:
 	fuse_copy_finish(cs);
 	return err;

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ