Commit 4d03e3cc authored by Christoph Hellwig Committed by Al Viro

fs: don't allow kernel reads and writes without iter ops



Don't allow calling ->read or ->write with set_fs as a preparation for
killing off set_fs.  All the instances that we use kernel_read/write on
are using the iter ops already.

If a file has both the regular ->read/->write methods and the iter
variants, those could have different semantics for messed-up enough
drivers.  Also fail the kernel access to them in that case.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
parent 4bd6a735
+42 −25
@@ -419,27 +419,41 @@ static ssize_t new_sync_read(struct file *filp, char __user *buf, size_t len, lo
	return ret;
}

static int warn_unsupported(struct file *file, const char *op)
{
	pr_warn_ratelimited(
		"kernel %s not supported for file %pD4 (pid: %d comm: %.20s)\n",
		op, file, current->pid, current->comm);
	return -EINVAL;
}

ssize_t __kernel_read(struct file *file, void *buf, size_t count, loff_t *pos)
{
	mm_segment_t old_fs = get_fs();
	struct kvec iov = {
		.iov_base	= buf,
		.iov_len	= min_t(size_t, count, MAX_RW_COUNT),
	};
	struct kiocb kiocb;
	struct iov_iter iter;
	ssize_t ret;

	if (WARN_ON_ONCE(!(file->f_mode & FMODE_READ)))
		return -EINVAL;
	if (!(file->f_mode & FMODE_CAN_READ))
		return -EINVAL;
	/*
	 * Also fail if ->read_iter and ->read are both wired up as that
	 * implies very convoluted semantics.
	 */
	if (unlikely(!file->f_op->read_iter || file->f_op->read))
		return warn_unsupported(file, "read");

	if (count > MAX_RW_COUNT)
		count =  MAX_RW_COUNT;
	set_fs(KERNEL_DS);
	if (file->f_op->read)
		ret = file->f_op->read(file, (void __user *)buf, count, pos);
	else if (file->f_op->read_iter)
		ret = new_sync_read(file, (void __user *)buf, count, pos);
	else
		ret = -EINVAL;
	set_fs(old_fs);
	init_sync_kiocb(&kiocb, file);
	kiocb.ki_pos = *pos;
	iov_iter_kvec(&iter, READ, &iov, 1, iov.iov_len);
	ret = file->f_op->read_iter(&kiocb, &iter);
	if (ret > 0) {
		*pos = kiocb.ki_pos;
		fsnotify_access(file);
		add_rchar(current, ret);
	}
@@ -510,28 +524,31 @@ static ssize_t new_sync_write(struct file *filp, const char __user *buf, size_t
/* caller is responsible for file_start_write/file_end_write */
ssize_t __kernel_write(struct file *file, const void *buf, size_t count, loff_t *pos)
{
	mm_segment_t old_fs;
	const char __user *p;
	struct kvec iov = {
		.iov_base	= (void *)buf,
		.iov_len	= min_t(size_t, count, MAX_RW_COUNT),
	};
	struct kiocb kiocb;
	struct iov_iter iter;
	ssize_t ret;

	if (WARN_ON_ONCE(!(file->f_mode & FMODE_WRITE)))
		return -EBADF;
	if (!(file->f_mode & FMODE_CAN_WRITE))
		return -EINVAL;
	/*
	 * Also fail if ->write_iter and ->write are both wired up as that
	 * implies very convoluted semantics.
	 */
	if (unlikely(!file->f_op->write_iter || file->f_op->write))
		return warn_unsupported(file, "write");

	old_fs = get_fs();
	set_fs(KERNEL_DS);
	p = (__force const char __user *)buf;
	if (count > MAX_RW_COUNT)
		count =  MAX_RW_COUNT;
	if (file->f_op->write)
		ret = file->f_op->write(file, p, count, pos);
	else if (file->f_op->write_iter)
		ret = new_sync_write(file, p, count, pos);
	else
		ret = -EINVAL;
	set_fs(old_fs);
	init_sync_kiocb(&kiocb, file);
	kiocb.ki_pos = *pos;
	iov_iter_kvec(&iter, WRITE, &iov, 1, iov.iov_len);
	ret = file->f_op->write_iter(&kiocb, &iter);
	if (ret > 0) {
		*pos = kiocb.ki_pos;
		fsnotify_modify(file);
		add_wchar(current, ret);
	}
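Review bot: `kiocb.ki_pos = *pos;` and `*pos = kiocb.ki_pos;` in both __kernel_read and __kernel_write dereference pos unconditionally, so a caller that passes a NULL position now faults in kernel context. The replaced path went through new_sync_read/new_sync_write, whose bodies are outside this hunk and may have tolerated a NULL pos, so this is worth checking against every caller. Unless all callers are audited to pass a valid pointer, guard both sites: `kiocb.ki_pos = pos ? *pos : 0;` and `if (pos) *pos = kiocb.ki_pos;`. Both function bodies continue past the end of their hunks.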