Commit 4c2e4bef authored by Eric Biggers's avatar Eric Biggers Committed by Linus Torvalds
Browse files

pipe, sysctl: drop 'min' parameter from pipe-max-size converter 

Patch series "pipe: buffer limits fixes and cleanups", v2.

This series simplifies the sysctl handler for pipe-max-size and fixes
another set of bugs related to the pipe buffer limits:

- The root user wasn't allowed to exceed the limits when creating new
  pipes.

- There was an off-by-one error when checking the limits, so a limit of
  N was actually treated as N - 1.

- F_SETPIPE_SZ accepted values over UINT_MAX.

- Reading the pipe buffer limits could be racy.

This patch (of 7):

Before validating the given value against pipe_min_size,
do_proc_dopipe_max_size_conv() calls round_pipe_size(), which rounds the
value up to pipe_min_size.  Therefore, the second check against
pipe_min_size is redundant.  Remove it.

Link: http://lkml.kernel.org/r/20180111052902.14409-2-ebiggers3@gmail.com


Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
Acked-by: default avatarKees Cook <keescook@chromium.org>
Acked-by: default avatarJoe Lawrence <joe.lawrence@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: "Luis R . Rodriguez" <mcgrof@kernel.org>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent e7c52b84

fs/pipe.c

+3 −7
Original line number Diff line number Diff line
@@ -35,11 +35,6 @@ 
 */

unsigned int pipe_max_size = 1048576;



/*

 * Minimum pipe size, as required by POSIX

 */

unsigned int pipe_min_size = PAGE_SIZE;



/* Maximum allocatable pages per user. Hard limit is unset by default, soft

 * matches default values.

 */
@@ -1024,8 +1019,9 @@ unsigned int round_pipe_size(unsigned int size) 
{

	unsigned long nr_pages;



	if (size < pipe_min_size)

		size = pipe_min_size;

	/* Minimum pipe size, as required by POSIX */

	if (size < PAGE_SIZE)

		size = PAGE_SIZE;



	nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;

	if (nr_pages == 0)

include/linux/pipe_fs_i.h

+1 −1
Original line number Diff line number Diff line
@@ -167,7 +167,7 @@ void pipe_lock(struct pipe_inode_info *); 
void pipe_unlock(struct pipe_inode_info *);

void pipe_double_lock(struct pipe_inode_info *, struct pipe_inode_info *);



extern unsigned int pipe_max_size, pipe_min_size;

extern unsigned int pipe_max_size;

extern unsigned long pipe_user_pages_hard;

extern unsigned long pipe_user_pages_soft;

int pipe_proc_fn(struct ctl_table *, int, void __user *, size_t *, loff_t *);

kernel/sysctl.c

+1 −14
Original line number Diff line number Diff line
@@ -1813,7 +1813,6 @@ static struct ctl_table fs_table[] = { 
		.maxlen		= sizeof(pipe_max_size),

		.mode		= 0644,

		.proc_handler	= &pipe_proc_fn,

		.extra1		= &pipe_min_size,

	},

	{

		.procname	= "pipe-user-pages-hard",
@@ -2615,16 +2614,10 @@ int proc_douintvec_minmax(struct ctl_table *table, int write, 
				 do_proc_douintvec_minmax_conv, &param);

}



struct do_proc_dopipe_max_size_conv_param {

	unsigned int *min;

};



static int do_proc_dopipe_max_size_conv(unsigned long *lvalp,

					unsigned int *valp,

					int write, void *data)

{

	struct do_proc_dopipe_max_size_conv_param *param = data;



	if (write) {

		unsigned int val;
@@ -2635,9 +2628,6 @@ static int do_proc_dopipe_max_size_conv(unsigned long *lvalp, 
		if (val == 0)

			return -EINVAL;



		if (param->min && *param->min > val)

			return -ERANGE;



		*valp = val;

	} else {

		unsigned int val = *valp;
@@ -2650,11 +2640,8 @@ static int do_proc_dopipe_max_size_conv(unsigned long *lvalp, 
int proc_dopipe_max_size(struct ctl_table *table, int write,

			 void __user *buffer, size_t *lenp, loff_t *ppos)

{

	struct do_proc_dopipe_max_size_conv_param param = {

		.min = (unsigned int *) table->extra1,

	};

	return do_proc_douintvec(table, write, buffer, lenp, ppos,

				 do_proc_dopipe_max_size_conv, &param);

				 do_proc_dopipe_max_size_conv, NULL);

}



static void validate_coredump_safety(void)

CRA Git | Maintained and supported by SUSTech CRA and CCSE