diff options
| author | Catalin Marinas <catalin.marinas@arm.com> | 2020-07-01 19:46:06 +0300 |
|---|---|---|
| committer | Catalin Marinas <catalin.marinas@arm.com> | 2020-09-04 14:46:07 +0300 |
| commit | d563d678aa0be06e7bff2953c986f5ff0355f79c (patch) | |
| tree | f816dcd2271211869df0846df64580d996146d09 /mm/shmem.c | |
| parent | 2200aa7154cb7ef76bac93e98326883ba64bfa2e (diff) | |
| download | linux-d563d678aa0be06e7bff2953c986f5ff0355f79c.tar.xz | |
fs: Handle intra-page faults in copy_mount_options()
The copy_mount_options() function takes a user pointer argument but no
size and it tries to read up to a PAGE_SIZE. However, copy_from_user()
is not guaranteed to return all the accessible bytes if, for example,
the access crosses a page boundary and gets a fault on the second page.
To work around this, the current copy_mount_options() implementation
performs two copy_from_user() passes, first to the end of the current
page and the second to what's left in the subsequent page.
On arm64 with MTE enabled, access to a user page may trigger a fault
after part of the buffer in a page has been copied (when the user
pointer tag, bits 56-59, no longer matches the allocation tag stored in
memory). Allow copy_mount_options() to handle such intra-page faults by
resorting to byte at a time copy in case of copy_from_user() failure.
Note that copy_from_user() handles the zeroing of the kernel buffer in
case of error.
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'mm/shmem.c')
0 files changed, 0 insertions, 0 deletions