From nobody Wed Nov 27 22:54:16 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1685478737461576.6860066455931; Tue, 30 May 2023 13:32:17 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.541396.844140 (Exim 4.92) (envelope-from ) id 1q460R-0002FK-CB; Tue, 30 May 2023 20:31:47 +0000 Received: by outflank-mailman (output) from mailman id 541396.844140; Tue, 30 May 2023 20:31:47 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460R-0002FD-7s; Tue, 30 May 2023 20:31:47 +0000 Received: by outflank-mailman (input) for mailman id 541396; Tue, 30 May 2023 20:31:45 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460P-0001yj-NG for xen-devel@lists.xenproject.org; Tue, 30 May 2023 20:31:45 +0000 Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id fa180845-ff28-11ed-b231-6b7b168915f2; Tue, 30 May 2023 22:31:42 +0200 (CEST) Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.west.internal (Postfix) with ESMTP id E111C3200564; Tue, 30 May 2023 16:31:36 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute5.internal (MEProxy); Tue, 30 May 2023 16:31:37 -0400 Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 30 May 2023 16:31:35 -0400 (EDT) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: fa180845-ff28-11ed-b231-6b7b168915f2 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685478696; x=1685565096; bh=YCzACzClxG a/ktYTHwJaaNWjaN7phPISbw1cPfpWZUo=; b=A2bqaqsodYaS3trUBnAvHbPHd3 LVnzv94OZsAab6NwgPLjBRfIiWlcKcR9Am7w7rrKWKhPylPRgC/Z2VcNnFU62eUL QTY6dlRFGDe23eZCW+dp0yNNmIRdMnyt2GgAGoiZhtgYvFZOA0VagWHCdhatNzfh TUgJDh+kiXR5cwVFR2KVVnJ7q4TZ5ZwBzCrj9Ax6A1mxFH11UB3jAjTrIxT82ler iv2JQNpLTLFvHis5VI4rWrAU32RDGijA49HX+5RYgB9Kc80xrRJg46IUUWg09Whp OfnQ4sOEVlnEOjG350bX8Xu2+XWR1rAuxgIrN4SPyci767A9fPU8B1J2jDPA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685478696; x= 1685565096; bh=YCzACzClxGa/ktYTHwJaaNWjaN7phPISbw1cPfpWZUo=; b=W WCIJ4Q1thNeJ9imoVk0+dlu1mJom8VM4vHfRKeLxMXjDqr0PwWHi8Pq8EqycYuWd pRyrl8aldz+pjfYnAgy+Kh35P1CyNuQUI3mrEIQOCMgmmSGUUCfVBQT72wavTR/V 4z3iS7j2NEdfQcwwDSR32YarwaCCyQuGbfUgprJEbygrw8xplcCYQEFQbiREHXnq Bl8hQ68TiF84tjWjP2sbeAf3ceMf3sytqQt110go28ao3jtHtBvxsYJ0Fby4sCtP d3nB1fS6fQM0vzfbFfklzcPFwD3Fcw3Mj0ihhxf+Z72Q9IW+KDqdO2d8eoW5rmDb GSIQ01eTKLxX0YWgJcCqA== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeekjedgudeglecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeffvghm ihcuofgrrhhivgcuqfgsvghnohhurhcuoeguvghmihesihhnvhhishhisghlvghthhhinh hgshhlrggsrdgtohhmqeenucggtffrrghtthgvrhhnpeejffejgffgueegudevvdejkefg hefghffhffejteekleeufeffteffhfdtudehteenucevlhhushhtvghrufhiiigvpedtne curfgrrhgrmhepmhgrihhlfhhrohhmpeguvghmihesihhnvhhishhisghlvghthhhinhhg shhlrggsrdgtohhm X-ME-Proxy: Feedback-ID: iac594737:Fastmail From: Demi Marie Obenour To: Jens Axboe , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org, stable@vger.kernel.org Subject: [PATCH v2 01/16] device-mapper: Check that target specs are sufficiently aligned Date: Tue, 30 May 2023 16:31:01 -0400 Message-Id: <20230530203116.2008-2-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230530203116.2008-1-demi@invisiblethingslab.com> References: <20230530203116.2008-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1685478739197100001 Content-Type: text/plain; charset="utf-8" Otherwise subsequent code will dereference a misaligned `struct dm_target_spec *`, which is undefined behavior. Signed-off-by: Demi Marie Obenour Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org --- drivers/md/dm-ioctl.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index cc77cf3d410921432eb0c62cdede7d55b9aa674a..34fa74c6a70db8aa67aaba3f6a2= fc4f38ef736bc 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1394,6 +1394,13 @@ static inline fmode_t get_mode(struct dm_ioctl *para= m) static int next_target(struct dm_target_spec *last, uint32_t next, void *e= nd, struct dm_target_spec **spec, char **target_params) { + static_assert(_Alignof(struct dm_target_spec) <=3D 8, + "struct dm_target_spec has excessive alignment requirements"); + if (next % 8) { + DMERR("Next target spec (offset %u) is not 8-byte aligned", next); + return -EINVAL; + } + *spec =3D (struct dm_target_spec *) ((unsigned char *) last + next); *target_params =3D (char *) (*spec + 1); =20 --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Wed Nov 27 22:54:16 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 168547873470859.96244202884225; Tue, 30 May 2023 13:32:14 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.541395.844129 (Exim 4.92) (envelope-from ) id 1q460Q-0001zR-3Y; Tue, 30 May 2023 20:31:46 +0000 Received: by outflank-mailman (output) from mailman id 541395.844129; Tue, 30 May 2023 20:31:46 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460Q-0001zH-0Z; Tue, 30 May 2023 20:31:46 +0000 Received: by outflank-mailman (input) for mailman id 541395; Tue, 30 May 2023 20:31:45 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460P-0001yj-1Q for xen-devel@lists.xenproject.org; Tue, 30 May 2023 20:31:45 +0000 Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id fc04f68a-ff28-11ed-b231-6b7b168915f2; Tue, 30 May 2023 22:31:42 +0200 (CEST) Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailout.west.internal (Postfix) with ESMTP id 26C5032005C1; Tue, 30 May 2023 16:31:40 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute6.internal (MEProxy); Tue, 30 May 2023 16:31:40 -0400 Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 30 May 2023 16:31:38 -0400 (EDT) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: fc04f68a-ff28-11ed-b231-6b7b168915f2 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685478699; x=1685565099; bh=aSjkzE25S8 BxmyJfHmxx2kjK812O0BGlmJS9UYp63Y4=; b=iK+uxXhV6X4xM7zdOsRLRNl7Rl GeCaXb9nofcQLJMH5PYa8rM5mPH1np/a+6qzHLKH/xgr4kR4IXAg30xdIqri75uf f/HA4WZkCSFcOo7cNqUyy8XM/mAA5BKtkkdZ1PCLM6dnhelU1vC8pavl7AWFfugt 4sRiOO97mcVcpXj5MGvFR7i96rhwtfyMeXrQMUlsQduztFxlYcDLQG/EDvZSk3wq x92Oroq+S25UkVnqRiLhrdY1NyoS9E0KaGS1k185wNunE+FkLZv0bi0cekflq7QK YcsOdasoRS8hfC8B5I4G2Y5doOhecSPGwC5fQwkbDtySEHXq8JzjTicIZO5g== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685478699; x= 1685565099; bh=aSjkzE25S8BxmyJfHmxx2kjK812O0BGlmJS9UYp63Y4=; b=f Zri7GXfSSveOOtYOhvOUEtsANsXmWURASgkB/lbtLP/WL+xtmXsMnGdWCIJvHxk9 3P4owz460lQ0tIW2GadrRZrHamxcLGygApj4txw8+S26mwTJy70Xa5MgAmR7OD28 3BQxHlhnew0PgxDnyK6jr8OsOqZ89aJi5/efdD/8P7nMYdHdPt9KGKs8Fpq9Gt2K 0fZnUTtGA/5zoxj5fzQ1MjgpSQTy7yTSwtJplgo44KMf2SM3jJ6mFQ4hQbuicwEG 2NH0Z9/cMmeK3OtsVQ7bqYjG2KfdqSm8iVBn9slACvUrWPUr7xWilidlX88F519A zhCVORCXIU4SPKqCtRt2A== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeekjedgudeglecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeffvghm ihcuofgrrhhivgcuqfgsvghnohhurhcuoeguvghmihesihhnvhhishhisghlvghthhhinh hgshhlrggsrdgtohhmqeenucggtffrrghtthgvrhhnpeejffejgffgueegudevvdejkefg hefghffhffejteekleeufeffteffhfdtudehteenucevlhhushhtvghrufhiiigvpedtne curfgrrhgrmhepmhgrihhlfhhrohhmpeguvghmihesihhnvhhishhisghlvghthhhinhhg shhlrggsrdgtohhm X-ME-Proxy: Feedback-ID: iac594737:Fastmail From: Demi Marie Obenour To: Jens Axboe , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org, stable@vger.kernel.org Subject: [PATCH v2 02/16] device-mapper: Avoid pointer arithmetic overflow Date: Tue, 30 May 2023 16:31:02 -0400 Message-Id: <20230530203116.2008-3-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230530203116.2008-1-demi@invisiblethingslab.com> References: <20230530203116.2008-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1685478735376100003 Content-Type: text/plain; charset="utf-8" Especially on 32-bit systems, it is possible for the pointer arithmetic to overflow and cause a userspace pointer to be dereferenced in the kernel. Signed-off-by: Demi Marie Obenour Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org --- drivers/md/dm-ioctl.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 34fa74c6a70db8aa67aaba3f6a2fc4f38ef736bc..64e8f16d344c47057de5e2d29e3= d63202197dca0 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1396,6 +1396,25 @@ static int next_target(struct dm_target_spec *last, = uint32_t next, void *end, { static_assert(_Alignof(struct dm_target_spec) <=3D 8, "struct dm_target_spec has excessive alignment requirements"); + static_assert(offsetof(struct dm_ioctl, data) >=3D sizeof(struct dm_targe= t_spec), + "struct dm_target_spec too big"); + + /* + * Number of bytes remaining, starting with last. This is always + * sizeof(struct dm_target_spec) or more, as otherwise *last was + * out of bounds already. + */ + size_t remaining =3D (char *)end - (char *)last; + + /* + * There must be room for both the next target spec and the + * NUL-terminator of the target itself. + */ + if (remaining - sizeof(struct dm_target_spec) <=3D next) { + DMERR("Target spec extends beyond end of parameters"); + return -EINVAL; + } + if (next % 8) { DMERR("Next target spec (offset %u) is not 8-byte aligned", next); return -EINVAL; --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Wed Nov 27 22:54:16 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1685478740548253.27857810498108; Tue, 30 May 2023 13:32:20 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.541397.844150 (Exim 4.92) (envelope-from ) id 1q460S-0002VK-Im; Tue, 30 May 2023 20:31:48 +0000 Received: by outflank-mailman (output) from mailman id 541397.844150; Tue, 30 May 2023 20:31:48 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460S-0002VD-FV; Tue, 30 May 2023 20:31:48 +0000 Received: by outflank-mailman (input) for mailman id 541397; Tue, 30 May 2023 20:31:46 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460Q-0001iX-Su for xen-devel@lists.xenproject.org; Tue, 30 May 2023 20:31:46 +0000 Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id fde95d2e-ff28-11ed-8611-37d641c3527e; Tue, 30 May 2023 22:31:45 +0200 (CEST) Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id 07F803200914; Tue, 30 May 2023 16:31:42 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Tue, 30 May 2023 16:31:43 -0400 Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 30 May 2023 16:31:41 -0400 (EDT) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: fde95d2e-ff28-11ed-8611-37d641c3527e DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685478702; x=1685565102; bh=pmcUjAGIZx Pp5PqEOgEqhVPemyqe9EdThZVOp4My7W0=; b=dxLeUTcWcURIKF3tIdl1etnJR5 N5UmHb7gYi+h6qFr1h6Z9SC0wxIykswHISO17mCPtNq0NeJ2R7ZcfGGhLXwnTney w8vxVkRbqSYZPBXyoXLHByjIvnG7lVS1jupBNpog/rJiveBJkSUPozGoVJ7YSQ2s 5WwQwq4OgSFQTe9eiKn7KoyWGFsUiGRonLvgMZjB7AU41/HyAj9TrO8UFizlMc2Z kjC/rqLsVAqk9UrzpS9OE5eKXjHUQXPwX7RzgO3B8+rrUSBY/uIyHCeXOIFrFBUx 973IopAKjgCl01cB9/nuRm3U4VY/cNn+Itf/ju/WYCERZTrBTExuvORyanOw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685478702; x= 1685565102; bh=pmcUjAGIZxPp5PqEOgEqhVPemyqe9EdThZVOp4My7W0=; b=R UawBqS8r1YDIM4po3y2qsUXbp4zg/tVMtIWDUkXk2Kttv3pfjWUl31EWtaAo+jxK /kXxCsfVJzLogYbQFIxM2poNZdJNrkxjSdHCH5xBtj6GqDUUr/oIGSviHONsPWSr 5v6LrhEM6HNy5GTorYKFgU7SqRGmewjInn2Q1ucsg36zNhg2F569jrlQRLrzGISB VIPuAEgV8JZufoZHXDa5LvBF0VsBt0uhRJzkJEAj0jc5U4TnTzHUo0/sRvcLbXSc m5CjwzswZE+AcQvkKG85UgCo8pJ17KM+Ph8DKWcmh0kLvVw8cL/Rv4b9TOLUJLWc mOiGUxDYt8n0bB7FAA8WA== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeekjedgudegkecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeffvghm ihcuofgrrhhivgcuqfgsvghnohhurhcuoeguvghmihesihhnvhhishhisghlvghthhhinh hgshhlrggsrdgtohhmqeenucggtffrrghtthgvrhhnpeejffejgffgueegudevvdejkefg hefghffhffejteekleeufeffteffhfdtudehteenucevlhhushhtvghrufhiiigvpedtne curfgrrhgrmhepmhgrihhlfhhrohhmpeguvghmihesihhnvhhishhisghlvghthhhinhhg shhlrggsrdgtohhm X-ME-Proxy: Feedback-ID: iac594737:Fastmail From: Demi Marie Obenour To: Jens Axboe , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org, stable@vger.kernel.org Subject: [PATCH v2 03/16] device-mapper: do not allow targets to overlap 'struct dm_ioctl' Date: Tue, 30 May 2023 16:31:03 -0400 Message-Id: <20230530203116.2008-4-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230530203116.2008-1-demi@invisiblethingslab.com> References: <20230530203116.2008-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1685478741247100003 Content-Type: text/plain; charset="utf-8" This prevents dm_split_args() from corrupting this struct. Signed-off-by: Demi Marie Obenour Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org --- drivers/md/dm-ioctl.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 64e8f16d344c47057de5e2d29e3d63202197dca0..a1d5fe64e1d0d9d3dcb06924249= b89fe661944ab 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1444,6 +1444,12 @@ static int populate_table(struct dm_table *table, return -EINVAL; } =20 + if (next < sizeof(struct dm_ioctl)) { + DMERR("%s: first target spec (offset %u) overlaps 'struct dm_ioctl'", + __func__, next); + return -EINVAL; + } + for (i =3D 0; i < param->target_count; i++) { =20 r =3D next_target(spec, next, end, &spec, &target_params); --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Wed Nov 27 22:54:16 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1685478745092626.7378922255677; Tue, 30 May 2023 13:32:25 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.541398.844160 (Exim 4.92) (envelope-from ) id 1q460T-0002lt-Sb; Tue, 30 May 2023 20:31:49 +0000 Received: by outflank-mailman (output) from mailman id 541398.844160; Tue, 30 May 2023 20:31:49 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460T-0002le-Nq; Tue, 30 May 2023 20:31:49 +0000 Received: by outflank-mailman (input) for mailman id 541398; Tue, 30 May 2023 20:31:49 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460T-0001yj-19 for xen-devel@lists.xenproject.org; Tue, 30 May 2023 20:31:49 +0000 Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id ff8aeea6-ff28-11ed-b231-6b7b168915f2; Tue, 30 May 2023 22:31:48 +0200 (CEST) Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 210F1320093A; Tue, 30 May 2023 16:31:46 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Tue, 30 May 2023 16:31:46 -0400 Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 30 May 2023 16:31:44 -0400 (EDT) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: ff8aeea6-ff28-11ed-b231-6b7b168915f2 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685478705; x=1685565105; bh=LxAfFq0335 m1ZlqqDrmxnqhMzXdNPPiOcKKMsIZRgGo=; b=aBkNicTIxTqaQMJAexZulqIRdm sIjZXtSOPgxSMACSgvF+9fjyKzTAG1i01eFAX1OK0NcsCEBDoXpuJyaQV6d/I0VA q/z3N4LwMEW1FIuYTzFbKbGtY+U3bZe1LREkgWbnGVo31RGnMs1i+RkUSauMA528 b4f5/xVkZzCMR/eOmXM/no/o50kRvZdfkpjBHP+rZNTkawHhelZmjQubT6/xZFhM sB3+I0E3oDcdU9YB1PUvv3WTY3Cgz2c4tnkoPPKHzeYbYbxqStm6MaHhEQnNl0DE JrlecR96jAUXIBg4rTOGs1nHiRk+cCArx0I66C52cFKOY4AV+RksbuC93x9Q== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685478705; x= 1685565105; bh=LxAfFq0335m1ZlqqDrmxnqhMzXdNPPiOcKKMsIZRgGo=; b=d sVyDy4dBBVGtlMpWhrLCib5j+MpYeJykog270K0270985oiQ+CD+XqCmJf5w8okS 3WHwdWZsn/VRIjpx5J+h2FUQSjGYLcZmnx9dLpvjIHy8M4HDT4rnwvAyUMLNSXUX EgawqZuIFSn4KyYS3JrTDlQIPAUT/0+Gk/yu0UXMiPqrGZPZY/fjoU9AbdzThyf4 L26yfyQlhx8iDEUWKiIYjUH1A3/OL9QGVvyrDGN/OqpWq3Tw25tgEbIpzAMPdc+h 5peIq/Yrn5aH9irvh3og9e7PEFL6Qs5Di/lIAk/sYO/pP/cGvtLIZYFIXPWUwGqY ZbbD9fIEV7MXFyjcopT5A== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeekjedgudeglecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeffvghm ihcuofgrrhhivgcuqfgsvghnohhurhcuoeguvghmihesihhnvhhishhisghlvghthhhinh hgshhlrggsrdgtohhmqeenucggtffrrghtthgvrhhnpeejffejgffgueegudevvdejkefg hefghffhffejteekleeufeffteffhfdtudehteenucevlhhushhtvghrufhiiigvpedtne curfgrrhgrmhepmhgrihhlfhhrohhmpeguvghmihesihhnvhhishhisghlvghthhhinhhg shhlrggsrdgtohhm X-ME-Proxy: Feedback-ID: iac594737:Fastmail From: Demi Marie Obenour To: Jens Axboe , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org Subject: [PATCH v2 04/16] device-mapper: Better error message for too-short target spec Date: Tue, 30 May 2023 16:31:04 -0400 Message-Id: <20230530203116.2008-5-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230530203116.2008-1-demi@invisiblethingslab.com> References: <20230530203116.2008-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1685478747189100001 Content-Type: text/plain; charset="utf-8" Previously the error was "unable to find target", which is not helpful. Signed-off-by: Demi Marie Obenour --- drivers/md/dm-ioctl.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index a1d5fe64e1d0d9d3dcb06924249b89fe661944ab..9f505abba3dc22bffc6acb335c0= bf29fec288fd5 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1423,9 +1423,6 @@ static int next_target(struct dm_target_spec *last, u= int32_t next, void *end, *spec =3D (struct dm_target_spec *) ((unsigned char *) last + next); *target_params =3D (char *) (*spec + 1); =20 - if (*spec < (last + 1)) - return -EINVAL; - return invalid_str(*target_params, end); } =20 @@ -1451,6 +1448,11 @@ static int populate_table(struct dm_table *table, } =20 for (i =3D 0; i < param->target_count; i++) { + if (next < sizeof(*spec)) { + DMERR("%s: next target spec (offset %u) overlaps 'struct dm_target_spec= '", + __func__, next); + return -EINVAL; + } =20 r =3D next_target(spec, next, end, &spec, &target_params); if (r) { --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Wed Nov 27 22:54:16 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1685478749905906.2064038919132; Tue, 30 May 2023 13:32:29 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.541399.844170 (Exim 4.92) (envelope-from ) id 1q460Y-0003AT-4s; Tue, 30 May 2023 20:31:54 +0000 Received: by outflank-mailman (output) from mailman id 541399.844170; Tue, 30 May 2023 20:31:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460Y-0003AG-16; Tue, 30 May 2023 20:31:54 +0000 Received: by outflank-mailman (input) for mailman id 541399; Tue, 30 May 2023 20:31:52 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460W-0001iX-Sz for xen-devel@lists.xenproject.org; Tue, 30 May 2023 20:31:52 +0000 Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id 016dd7dd-ff29-11ed-8611-37d641c3527e; Tue, 30 May 2023 22:31:51 +0200 (CEST) Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id E7B28320091C; Tue, 30 May 2023 16:31:48 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Tue, 30 May 2023 16:31:49 -0400 Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 30 May 2023 16:31:47 -0400 (EDT) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 016dd7dd-ff29-11ed-8611-37d641c3527e DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685478708; x=1685565108; bh=9dA8w08Lf6 yLxBKaYsZib4B6okJI6Rf5TV9rO9Rq5kQ=; b=RqK1KJ1X1SLFXUPUiLR1ErkxSG wtKH1zEfrkJGt+cTam8om+jkJorj31HumCzC/S/NBs42VK9J2wPDcvRJtfbOY/PF LzxWIsfwLXWGb7AxPlJ+e9IZ0X7jZ/z50ke/BXkU2TVtU0G1j5omrVQ2OdS1YxCW t/51b1V8oIA+9ZyeONf7TZzODRQdx/JUayG7fSa+zO2QmmQE8w63GnLlKq+2l5bP J5JFEIp5z0YHGwPY8OdfIQlO1/OuUlcVKYbTHF8/ZPUYhtPBuBVIxIylNt97ox2P MzGhApOEsQ6j1W/JMW5aBKxVbzfonneR3x5JGYO5PGF86JEMjtyBJwlxTCUA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685478708; x= 1685565108; bh=9dA8w08Lf6yLxBKaYsZib4B6okJI6Rf5TV9rO9Rq5kQ=; b=D Msesq2aD/zsowges6BdJEmb3SXxsFD50z2JBIaZKcphdbkZ8bDmxUs+DpndiTUmB 28v8uLd5dcZv2la0SPjq1IwvKXdC+gIuyMcnYmia7XsERzw2uH7FI8XCSafdXsu5 EwMa0FI0jMTfRMekX9dRzZzq/aXRflH8qoHSxBLO1INLOvf1SoFV0H7bKQGsjupU NaniLmIVlRC/FaEd2D59ZYclkFgzLdscGM91ChlBj2LB5LbIQ847VIEasOMlHpNj nXWlcHyU433Z0l3bCdc9lS+C0bcphxZM4Q8ER2dJu2pRsL2pebnHxAxThnCbO/IS edfGYluS8mDU8v5EtX9dg== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeekjedgudegkecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeffvghm ihcuofgrrhhivgcuqfgsvghnohhurhcuoeguvghmihesihhnvhhishhisghlvghthhhinh hgshhlrggsrdgtohhmqeenucggtffrrghtthgvrhhnpeejffejgffgueegudevvdejkefg hefghffhffejteekleeufeffteffhfdtudehteenucevlhhushhtvghrufhiiigvpedune curfgrrhgrmhepmhgrihhlfhhrohhmpeguvghmihesihhnvhhishhisghlvghthhhinhhg shhlrggsrdgtohhm X-ME-Proxy: Feedback-ID: iac594737:Fastmail From: Demi Marie Obenour To: Jens Axboe , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org, stable@vger.kernel.org Subject: [PATCH v2 05/16] device-mapper: Target parameters must not overlap next target spec Date: Tue, 30 May 2023 16:31:05 -0400 Message-Id: <20230530203116.2008-6-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230530203116.2008-1-demi@invisiblethingslab.com> References: <20230530203116.2008-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1685478751210100005 Content-Type: text/plain; charset="utf-8" The NUL terminator for each target parameter string must preceed the following 'struct dm_target_spec'. Otherwise, dm_split_args() might corrupt this struct. Signed-off-by: Demi Marie Obenour Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org --- drivers/md/dm-ioctl.c | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 9f505abba3dc22bffc6acb335c0bf29fec288fd5..491ef55b9e8662c3b02a2162b8c= 93ee086c078a1 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1391,7 +1391,7 @@ static inline fmode_t get_mode(struct dm_ioctl *param) return mode; } =20 -static int next_target(struct dm_target_spec *last, uint32_t next, void *e= nd, +static int next_target(struct dm_target_spec *last, uint32_t next, const c= har *end, struct dm_target_spec **spec, char **target_params) { static_assert(_Alignof(struct dm_target_spec) <=3D 8, @@ -1404,7 +1404,7 @@ static int next_target(struct dm_target_spec *last, u= int32_t next, void *end, * sizeof(struct dm_target_spec) or more, as otherwise *last was * out of bounds already. */ - size_t remaining =3D (char *)end - (char *)last; + size_t remaining =3D end - (char *)last; =20 /* * There must be room for both the next target spec and the @@ -1423,7 +1423,7 @@ static int next_target(struct dm_target_spec *last, u= int32_t next, void *end, *spec =3D (struct dm_target_spec *) ((unsigned char *) last + next); *target_params =3D (char *) (*spec + 1); =20 - return invalid_str(*target_params, end); + return 0; } =20 static int populate_table(struct dm_table *table, @@ -1433,24 +1433,21 @@ static int populate_table(struct dm_table *table, unsigned int i =3D 0; struct dm_target_spec *spec =3D (struct dm_target_spec *) param; uint32_t next =3D param->data_start; - void *end =3D (void *) param + param_size; + const char *const end =3D (const char *) param + param_size; char *target_params; + size_t min_size =3D sizeof(struct dm_ioctl); =20 if (!param->target_count) { DMERR("%s: no targets specified", __func__); return -EINVAL; } =20 - if (next < sizeof(struct dm_ioctl)) { - DMERR("%s: first target spec (offset %u) overlaps 'struct dm_ioctl'", - __func__, next); - return -EINVAL; - } - for (i =3D 0; i < param->target_count; i++) { - if (next < sizeof(*spec)) { - DMERR("%s: next target spec (offset %u) overlaps 'struct dm_target_spec= '", - __func__, next); + const char *nul_terminator; + + if (next < min_size) { + DMERR("%s: next target spec (offset %u) overlaps %s", + __func__, next, i ? "previous target" : "'struct dm_ioctl'"); return -EINVAL; } =20 @@ -1460,6 +1457,15 @@ static int populate_table(struct dm_table *table, return r; } =20 + nul_terminator =3D memchr(target_params, 0, (size_t)(end - target_params= )); + if (nul_terminator =3D=3D NULL) { + DMERR("%s: target parameters not NUL-terminated", __func__); + return -EINVAL; + } + + /* Add 1 for NUL terminator */ + min_size =3D (nul_terminator - (const char *)spec) + 1; + r =3D dm_table_add_target(table, spec->target_type, (sector_t) spec->sector_start, (sector_t) spec->length, --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Wed Nov 27 22:54:16 2024 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EF6CCC7EE31 for ; Tue, 30 May 2023 20:32:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233495AbjE3UcH (ORCPT ); Tue, 30 May 2023 16:32:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54970 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233504AbjE3UcC (ORCPT ); Tue, 30 May 2023 16:32:02 -0400 Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 01D8A18B; Tue, 30 May 2023 13:31:53 -0700 (PDT) Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id CC58F3200907; Tue, 30 May 2023 16:31:51 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Tue, 30 May 2023 16:31:52 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685478711; x=1685565111; bh=+cZsXk5aGi IWIF6vp9UgbBTuPJSW9vQMqM9Fi3GWErs=; b=b1X2ZZBno2R9/Fq0Y4byMWClkM yztjlEXBXhErAHMyu5pxVYfR1cLCApT4g/uUiO8kteIoPOYfwcM0QS5x9QWviai0 +l213muvhmIojTILm+7p2eZtNtybubHmo4N4zNfbU1BjaH8lPNaOphi2xkYZuv4e h9L6gqPCJK3eOF1vIMloUMmjbsguyKqi2f1W5Tt/wuZ0+GYvxCApjlVAavetYN/A 7tGd5rz/o5D0PfB0ZRMW60nhh19bpt9llkSd4Y6Kat2KL+JrOgTCciUHA3vZPkBb IVcmnbvx3CmJqx5G5vutH15atOF/5DmD2t9dwwAa4lNLI929ZeF3n8ClPHNw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685478711; x= 1685565111; bh=+cZsXk5aGiIWIF6vp9UgbBTuPJSW9vQMqM9Fi3GWErs=; b=U P15hdGQ/gq4QBXzqjvd7c1poQOzI9V99fFI4wL2BV4l6rOOg1UHF/IH0Rvn8DD2t 8inNtSYO4AkLeCdh5u8DSWVX/Y3zi6mmFEbSB6KWnmKzE/gaGSfbS0/UhxzMo5IL 2kibkVKxrhJBYHcxY0e9g8+oJElSF3YfB39B1l6n3IKWdY+LTIfj2T0Ioc7C6O44 lgjwvbG10GpFJ0/Ji6FLUTiSnJaiSTElzXZUfNjXE4ABmx+5vaVNfCETg0Sz7mcl +DhnaD34G3OifmWX9w/p4yj414+40b2No5vBXQ/3zcAauZ+scwTIQY4dPuM5DQKT JWusrvBDFegrRj+Ts3bOw== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeekjedgudeglecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeffvghm ihcuofgrrhhivgcuqfgsvghnohhurhcuoeguvghmihesihhnvhhishhisghlvghthhhinh hgshhlrggsrdgtohhmqeenucggtffrrghtthgvrhhnpeejffejgffgueegudevvdejkefg hefghffhffejteekleeufeffteffhfdtudehteenucevlhhushhtvghrufhiiigvpedune curfgrrhgrmhepmhgrihhlfhhrohhmpeguvghmihesihhnvhhishhisghlvghthhhinhhg shhlrggsrdgtohhm X-ME-Proxy: Feedback-ID: iac594737:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 30 May 2023 16:31:50 -0400 (EDT) From: Demi Marie Obenour To: Jens Axboe , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org, stable@vger.kernel.org Subject: [PATCH v2 06/16] device-mapper: Avoid double-fetch of version Date: Tue, 30 May 2023 16:31:06 -0400 Message-Id: <20230530203116.2008-7-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230530203116.2008-1-demi@invisiblethingslab.com> References: <20230530203116.2008-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" The version is fetched once in check_version(), which then does some validation and then overwrites the version in userspace with the API version supported by the kernel. copy_params() then fetches the version from userspace *again*, and this time no validation is done. The result is that the kernel's version number is completely controllable by userspace, provided that userspace can win a race condition. Fix this flaw by not copying the version back to the kernel the second time. This is not exploitable as the version is not further used in the kernel. However, it could become a problem if future patches start relying on the version field. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Demi Marie Obenour --- drivers/md/dm-ioctl.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 491ef55b9e8662c3b02a2162b8c93ee086c078a1..20f452b6c61c1c4d20259fd0fc5= 443977e4454a0 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1873,12 +1873,13 @@ static ioctl_fn lookup_ioctl(unsigned int cmd, int = *ioctl_flags) * As well as checking the version compatibility this always * copies the kernel interface version out. */ -static int check_version(unsigned int cmd, struct dm_ioctl __user *user) +static int check_version(unsigned int cmd, struct dm_ioctl __user *user, + struct dm_ioctl *kernel_params) { - uint32_t version[3]; int r =3D 0; + uint32_t *version =3D kernel_params->version; =20 - if (copy_from_user(version, user->version, sizeof(version))) + if (copy_from_user(version, user->version, sizeof(user->version))) return -EFAULT; =20 if ((version[0] !=3D DM_VERSION_MAJOR) || @@ -1922,7 +1923,10 @@ static int copy_params(struct dm_ioctl __user *user,= struct dm_ioctl *param_kern const size_t minimum_data_size =3D offsetof(struct dm_ioctl, data); unsigned int noio_flag; =20 - if (copy_from_user(param_kernel, user, minimum_data_size)) + /* Version has been copied from userspace already, avoid TOCTOU */ + if (copy_from_user((char *)param_kernel + sizeof(param_kernel->version), + (char __user *)user + sizeof(param_kernel->version), + minimum_data_size - sizeof(param_kernel->version))) return -EFAULT; =20 if (param_kernel->data_size < minimum_data_size) { @@ -2034,7 +2038,7 @@ static int ctl_ioctl(struct file *file, uint command,= struct dm_ioctl __user *us * Check the interface version passed in. This also * writes out the kernel's interface version. */ - r =3D check_version(cmd, user); + r =3D check_version(cmd, user, ¶m_kernel); if (r) return r; =20 --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Wed Nov 27 22:54:16 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1685478758306772.2804677850128; Tue, 30 May 2023 13:32:38 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.541402.844190 (Exim 4.92) (envelope-from ) id 1q460e-00044H-UZ; Tue, 30 May 2023 20:32:00 +0000 Received: by outflank-mailman (output) from mailman id 541402.844190; Tue, 30 May 2023 20:32:00 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460e-000445-Ox; Tue, 30 May 2023 20:32:00 +0000 Received: by outflank-mailman (input) for mailman id 541402; Tue, 30 May 2023 20:31:58 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460c-0001yj-Jx for xen-devel@lists.xenproject.org; Tue, 30 May 2023 20:31:58 +0000 Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id 04d32778-ff29-11ed-b231-6b7b168915f2; Tue, 30 May 2023 22:31:56 +0200 (CEST) Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.west.internal (Postfix) with ESMTP id AB9E13200920; Tue, 30 May 2023 16:31:54 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute5.internal (MEProxy); Tue, 30 May 2023 16:31:55 -0400 Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 30 May 2023 16:31:53 -0400 (EDT) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 04d32778-ff29-11ed-b231-6b7b168915f2 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685478714; x=1685565114; bh=G/PZMKR5fM icHWYQT0GxcmUHbUsQVYWUtsZvrUHCJuU=; b=Fx+b8PAh3kQful+76g25YMRpI5 OX2hyNg04HQUYaN44eHLXL/rFm2SALtFR0112VOAhcyu7Q2sJwY1i66PmyE2SnTT GQ8zTaVT5pxBlG08qTCZ+FS3117iMs4IgwF+YZnRQsIjYuCt9Q9EcokEF1/w2QFv Twymq+8VxvVG/76A/z0fBAsNeDIatL11QxQzfwr7rrvR/Yezfnoab4FX2SdDIO8+ 3Z09WdrcZcDTQYfG4wiLLpb2iXwlJVjKAN2ocz+agmZSrrgePipjWehEJVX2cKu6 l8BXqqbyb62oQpkjHAq0YFkp+2SFAkTxICtIqKbr7Q7NzkLJZ8C4XaiyGSzQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685478714; x= 1685565114; bh=G/PZMKR5fMicHWYQT0GxcmUHbUsQVYWUtsZvrUHCJuU=; b=s iYr85F64Hkrtm1e26WXimQt3qTnsJz10WHrpr4PvU8EdZ5UO6Qfqj67YBBt2BbFO PUipDPJEr6g34YqFLy8Hwa01eC3ltU7TdIquoCIcGBTWPS2otA5rs1uHUbwazjjK Ww7dGsxlG99lt+yj4HNnXShCkklC9RuO2GIiKVVdrv7njlCf5lZcH+cU8FlYF758 DVOQ5dzfsR+WfY5BDpMPF7W7vjmlnSsmy/B0Ll5i1cVddn1sbTTYzNIoUN9Ql6Ib XM5XK8sKDq8W6Feu9Fioasb6HgQXeG3lzMjwIN3YEC91VleFfGumhwAmWhtxq+H3 0DWvG8HfoOsaY0EOEduGg== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeekjedgudeglecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeffvghm ihcuofgrrhhivgcuqfgsvghnohhurhcuoeguvghmihesihhnvhhishhisghlvghthhhinh hgshhlrggsrdgtohhmqeenucggtffrrghtthgvrhhnpeejffejgffgueegudevvdejkefg hefghffhffejteekleeufeffteffhfdtudehteenucevlhhushhtvghrufhiiigvpedune curfgrrhgrmhepmhgrihhlfhhrohhmpeguvghmihesihhnvhhishhisghlvghthhhinhhg shhlrggsrdgtohhm X-ME-Proxy: Feedback-ID: iac594737:Fastmail From: Demi Marie Obenour To: Jens Axboe , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org Subject: [PATCH v2 07/16] device-mapper: Allow userspace to opt-in to strict parameter checks Date: Tue, 30 May 2023 16:31:07 -0400 Message-Id: <20230530203116.2008-8-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230530203116.2008-1-demi@invisiblethingslab.com> References: <20230530203116.2008-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1685478759367100005 Content-Type: text/plain; charset="utf-8" Currently, device-mapper ioctls ignore unknown flags. This makes adding new flags to a given ioctl risky, as it could potentially break old userspace. To solve this problem, allow userspace to pass 5 as the major version to any ioctl. This causes the kernel to reject any flags that are not supported by the ioctl, as well as nonzero padding and names and UUIDs that are not NUL-terminated. New flags will only be recognized if major version 5 is used. Kernels without this patch return -EINVAL if the major version is 5, so this is backwards compatible. Signed-off-by: Demi Marie Obenour --- drivers/md/dm-ioctl.c | 301 ++++++++++++++++++++++++++-------- include/uapi/linux/dm-ioctl.h | 30 +++- 2 files changed, 260 insertions(+), 71 deletions(-) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 20f452b6c61c1c4d20259fd0fc5443977e4454a0..cf752e72ef6a2d8f8230e5bd6d1= a6dc817a4f597 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -64,7 +64,8 @@ struct vers_iter { static struct rb_root name_rb_tree =3D RB_ROOT; static struct rb_root uuid_rb_tree =3D RB_ROOT; =20 -static void dm_hash_remove_all(bool keep_open_devices, bool mark_deferred,= bool only_deferred); +static void dm_hash_remove_all(bool keep_open_devices, bool mark_deferred,= bool only_deferred, + struct dm_ioctl *param); =20 /* * Guards access to both hash tables. @@ -78,7 +79,7 @@ static DEFINE_MUTEX(dm_hash_cells_mutex); =20 static void dm_hash_exit(void) { - dm_hash_remove_all(false, false, false); + dm_hash_remove_all(false, false, false, NULL); } =20 /* @@ -333,7 +334,8 @@ static struct dm_table *__hash_remove(struct hash_cell = *hc) return table; } =20 -static void dm_hash_remove_all(bool keep_open_devices, bool mark_deferred,= bool only_deferred) +static void dm_hash_remove_all(bool keep_open_devices, bool mark_deferred,= bool only_deferred, + struct dm_ioctl *param) { int dev_skipped; struct rb_node *n; @@ -367,6 +369,8 @@ static void dm_hash_remove_all(bool keep_open_devices, = bool mark_deferred, bool dm_table_destroy(t); } dm_ima_measure_on_device_remove(md, true); + if (param !=3D NULL && !dm_kobject_uevent(md, KOBJ_REMOVE, param->event_= nr, false)) + param->flags |=3D DM_UEVENT_GENERATED_FLAG; dm_put(md); if (likely(keep_open_devices)) dm_destroy(md); @@ -513,7 +517,7 @@ static struct mapped_device *dm_hash_rename(struct dm_i= octl *param, =20 void dm_deferred_remove(void) { - dm_hash_remove_all(true, false, true); + dm_hash_remove_all(true, false, true, NULL); } =20 /* @@ -529,7 +533,7 @@ typedef int (*ioctl_fn)(struct file *filp, struct dm_io= ctl *param, size_t param_ =20 static int remove_all(struct file *filp, struct dm_ioctl *param, size_t pa= ram_size) { - dm_hash_remove_all(true, !!(param->flags & DM_DEFERRED_REMOVE), false); + dm_hash_remove_all(true, !!(param->flags & DM_DEFERRED_REMOVE), false, pa= ram); param->data_size =3D 0; return 0; } @@ -892,8 +896,6 @@ static int dev_create(struct file *filp, struct dm_ioct= l *param, size_t param_si return r; } =20 - param->flags &=3D ~DM_INACTIVE_PRESENT_FLAG; - __dev_status(md, param); =20 dm_put(md); @@ -947,8 +949,6 @@ static struct hash_cell *__find_device_hash_cell(struct= dm_ioctl *param) =20 if (hc->new_map) param->flags |=3D DM_INACTIVE_PRESENT_FLAG; - else - param->flags &=3D ~DM_INACTIVE_PRESENT_FLAG; =20 return hc; } @@ -1161,7 +1161,6 @@ static int do_resume(struct dm_ioctl *param) =20 new_map =3D hc->new_map; hc->new_map =3D NULL; - param->flags &=3D ~DM_INACTIVE_PRESENT_FLAG; =20 up_write(&_hash_lock); =20 @@ -1426,6 +1425,32 @@ static int next_target(struct dm_target_spec *last, = uint32_t next, const char *e return 0; } =20 +static inline bool sloppy_checks(const struct dm_ioctl *param) +{ + return param->version[0] < DM_VERSION_MAJOR_STRICT; +} + +static bool no_non_nul_after_nul(const char *untrusted_str, size_t size, + unsigned int cmd, const char *msg) +{ + const char *cursor; + const char *endp =3D untrusted_str + size; + const char *nul_terminator =3D memchr(untrusted_str, '\0', size); + + if (nul_terminator =3D=3D NULL) { + DMERR("%s not NUL-terminated, cmd(%u)", msg, cmd); + return false; + } + for (cursor =3D nul_terminator; cursor < endp; cursor++) { + if (*cursor !=3D 0) { + DMERR("%s has non-NUL byte at %zd after NUL byte at %zd, cmd(%u)", + msg, cursor - untrusted_str, nul_terminator - untrusted_str, cmd); + return false; + } + } + return true; +} + static int populate_table(struct dm_table *table, struct dm_ioctl *param, size_t param_size) { @@ -1436,12 +1461,19 @@ static int populate_table(struct dm_table *table, const char *const end =3D (const char *) param + param_size; char *target_params; size_t min_size =3D sizeof(struct dm_ioctl); + bool const strict =3D !sloppy_checks(param); =20 if (!param->target_count) { DMERR("%s: no targets specified", __func__); return -EINVAL; } =20 + if (strict && param_size % 8 !=3D 0) { + DMERR("%s: parameter size %zu not multiple of 8", + __func__, param_size); + return -EINVAL; + } + for (i =3D 0; i < param->target_count; i++) { const char *nul_terminator; =20 @@ -1466,6 +1498,18 @@ static int populate_table(struct dm_table *table, /* Add 1 for NUL terminator */ min_size =3D (nul_terminator - (const char *)spec) + 1; =20 + if (strict) { + if (!no_non_nul_after_nul(spec->target_type, sizeof(spec->target_type), + DM_TABLE_LOAD_CMD, "target type")) + return -EINVAL; + + if (spec->status) { + DMERR("%s: status in target spec must be zero, not %u", + __func__, spec->status); + return -EINVAL; + } + } + r =3D dm_table_add_target(table, spec->target_type, (sector_t) spec->sector_start, (sector_t) spec->length, @@ -1476,6 +1520,32 @@ static int populate_table(struct dm_table *table, } =20 next =3D spec->next; + + if (strict) { + uint64_t zero =3D 0; + /* + * param_size is a multiple of 8 so this is still in + * bounds (or 1 past the end). + */ + size_t expected_next =3D round_up(min_size, 8); + + if (expected_next !=3D next) { + DMERR("%s: in strict mode, expected next to be %zu but it was %u", + __func__, expected_next, next); + return -EINVAL; + } + + if (memcmp(&zero, nul_terminator, next - min_size + 1) !=3D 0) { + DMERR("%s: in strict mode, padding must be zeroed", __func__); + return -EINVAL; + } + } + } + + if (strict && next !=3D (size_t)(end - (const char *)spec)) { + DMERR("%s: last target size is %u, but %zd bytes remaining in target spe= c", + __func__, next, end - (const char *)spec); + return -EINVAL; } =20 return dm_table_complete(table); @@ -1823,48 +1893,67 @@ static int target_message(struct file *filp, struct= dm_ioctl *param, size_t para * the ioctl. */ #define IOCTL_FLAGS_NO_PARAMS 1 -#define IOCTL_FLAGS_ISSUE_GLOBAL_EVENT 2 +#define IOCTL_FLAGS_TAKES_EVENT_NR 2 +#define IOCTL_FLAGS_ISSUE_GLOBAL_EVENT (IOCTL_FLAGS_TAKES_EVENT_NR | 4) =20 /* *--------------------------------------------------------------- * Implementation of open/close/ioctl on the special char device. *--------------------------------------------------------------- */ -static ioctl_fn lookup_ioctl(unsigned int cmd, int *ioctl_flags) +static ioctl_fn lookup_ioctl(unsigned int cmd, int *ioctl_flags, uint32_t = *supported_flags) { static const struct { int cmd; int flags; ioctl_fn fn; + uint32_t supported_flags; } _ioctls[] =3D { - {DM_VERSION_CMD, 0, NULL}, /* version is dealt with elsewhere */ - {DM_REMOVE_ALL_CMD, IOCTL_FLAGS_NO_PARAMS | IOCTL_FLAGS_ISSUE_GLOBAL_EVE= NT, remove_all}, - {DM_LIST_DEVICES_CMD, 0, list_devices}, + /* Macro to make the structure initializers somewhat readable */ +#define I(cmd, flags, fn, supported_flags) { \ + (cmd), \ + (flags), \ + (fn), \ + /* \ + * Supported flags in sloppy mode must not include anything in DM_STRICT_= ONLY_FLAGS. \ + * Use BUILD_BUG_ON_ZERO to check for that. \ + */ \ + (supported_flags) | BUILD_BUG_ON_ZERO((supported_flags) & DM_STRICT_ONLY_= FLAGS), \ +} + I(DM_VERSION_CMD, 0, NULL, 0), /* version is dealt with elsewhere */ + I(DM_REMOVE_ALL_CMD, IOCTL_FLAGS_NO_PARAMS | IOCTL_FLAGS_ISSUE_GLOBAL_EV= ENT, remove_all, + DM_DEFERRED_REMOVE), + I(DM_LIST_DEVICES_CMD, 0, list_devices, DM_UUID_FLAG), + I(DM_DEV_CREATE_CMD, IOCTL_FLAGS_NO_PARAMS | IOCTL_FLAGS_ISSUE_GLOBAL_EV= ENT, dev_create, + DM_PERSISTENT_DEV_FLAG), + I(DM_DEV_REMOVE_CMD, IOCTL_FLAGS_NO_PARAMS | IOCTL_FLAGS_ISSUE_GLOBAL_EV= ENT, dev_remove, + DM_DEFERRED_REMOVE), + I(DM_DEV_RENAME_CMD, IOCTL_FLAGS_ISSUE_GLOBAL_EVENT, dev_rename, + DM_QUERY_INACTIVE_TABLE_FLAG | DM_UUID_FLAG), + I(DM_DEV_SUSPEND_CMD, IOCTL_FLAGS_NO_PARAMS, dev_suspend, + DM_QUERY_INACTIVE_TABLE_FLAG | DM_SUSPEND_FLAG | DM_SKIP_LOCKFS_FLAG | = DM_NOFLUSH_FLAG), + I(DM_DEV_STATUS_CMD, IOCTL_FLAGS_NO_PARAMS, dev_status, DM_QUERY_INACTIV= E_TABLE_FLAG), + I(DM_DEV_WAIT_CMD, IOCTL_FLAGS_TAKES_EVENT_NR, dev_wait, + DM_QUERY_INACTIVE_TABLE_FLAG | DM_STATUS_TABLE_FLAG | DM_NOFLUSH_FLAG), + I(DM_TABLE_LOAD_CMD, 0, table_load, DM_QUERY_INACTIVE_TABLE_FLAG | DM_RE= ADONLY_FLAG), + I(DM_TABLE_CLEAR_CMD, IOCTL_FLAGS_NO_PARAMS, table_clear, DM_QUERY_INACT= IVE_TABLE_FLAG), + I(DM_TABLE_DEPS_CMD, 0, table_deps, DM_QUERY_INACTIVE_TABLE_FLAG), + I(DM_TABLE_STATUS_CMD, 0, table_status, + DM_QUERY_INACTIVE_TABLE_FLAG | DM_STATUS_TABLE_FLAG | DM_NOFLUSH_FLAG), =20 - {DM_DEV_CREATE_CMD, IOCTL_FLAGS_NO_PARAMS | IOCTL_FLAGS_ISSUE_GLOBAL_EVE= NT, dev_create}, - {DM_DEV_REMOVE_CMD, IOCTL_FLAGS_NO_PARAMS | IOCTL_FLAGS_ISSUE_GLOBAL_EVE= NT, dev_remove}, - {DM_DEV_RENAME_CMD, IOCTL_FLAGS_ISSUE_GLOBAL_EVENT, dev_rename}, - {DM_DEV_SUSPEND_CMD, IOCTL_FLAGS_NO_PARAMS, dev_suspend}, - {DM_DEV_STATUS_CMD, IOCTL_FLAGS_NO_PARAMS, dev_status}, - {DM_DEV_WAIT_CMD, 0, dev_wait}, + I(DM_LIST_VERSIONS_CMD, 0, list_versions, 0), =20 - {DM_TABLE_LOAD_CMD, 0, table_load}, - {DM_TABLE_CLEAR_CMD, IOCTL_FLAGS_NO_PARAMS, table_clear}, - {DM_TABLE_DEPS_CMD, 0, table_deps}, - {DM_TABLE_STATUS_CMD, 0, table_status}, - - {DM_LIST_VERSIONS_CMD, 0, list_versions}, - - {DM_TARGET_MSG_CMD, 0, target_message}, - {DM_DEV_SET_GEOMETRY_CMD, 0, dev_set_geometry}, - {DM_DEV_ARM_POLL_CMD, IOCTL_FLAGS_NO_PARAMS, dev_arm_poll}, - {DM_GET_TARGET_VERSION_CMD, 0, get_target_version}, + I(DM_TARGET_MSG_CMD, 0, target_message, DM_QUERY_INACTIVE_TABLE_FLAG), + I(DM_DEV_SET_GEOMETRY_CMD, 0, dev_set_geometry, 0), + I(DM_DEV_ARM_POLL_CMD, IOCTL_FLAGS_NO_PARAMS, dev_arm_poll, 0), + I(DM_GET_TARGET_VERSION_CMD, 0, get_target_version, 0), }; =20 if (unlikely(cmd >=3D ARRAY_SIZE(_ioctls))) return NULL; =20 cmd =3D array_index_nospec(cmd, ARRAY_SIZE(_ioctls)); + *supported_flags =3D _ioctls[cmd].supported_flags; *ioctl_flags =3D _ioctls[cmd].flags; return _ioctls[cmd].fn; } @@ -1877,27 +1966,34 @@ static int check_version(unsigned int cmd, struct d= m_ioctl __user *user, struct dm_ioctl *kernel_params) { int r =3D 0; - uint32_t *version =3D kernel_params->version; + uint32_t expected_major_version =3D DM_VERSION_MAJOR; =20 - if (copy_from_user(version, user->version, sizeof(user->version))) + if (copy_from_user(kernel_params->version, user->version, sizeof(kernel_p= arams->version))) return -EFAULT; =20 - if ((version[0] !=3D DM_VERSION_MAJOR) || - (version[1] > DM_VERSION_MINOR)) { + if (kernel_params->version[0] >=3D DM_VERSION_MAJOR_STRICT) + expected_major_version =3D DM_VERSION_MAJOR_STRICT; + + if ((kernel_params->version[0] !=3D expected_major_version) || + (kernel_params->version[1] > DM_VERSION_MINOR)) { DMERR("ioctl interface mismatch: kernel(%u.%u.%u), user(%u.%u.%u), cmd(%= d)", - DM_VERSION_MAJOR, DM_VERSION_MINOR, + expected_major_version, + DM_VERSION_MINOR, DM_VERSION_PATCHLEVEL, - version[0], version[1], version[2], cmd); + kernel_params->version[0], + kernel_params->version[1], + kernel_params->version[2], + cmd); r =3D -EINVAL; } =20 /* * Fill in the kernel version. */ - version[0] =3D DM_VERSION_MAJOR; - version[1] =3D DM_VERSION_MINOR; - version[2] =3D DM_VERSION_PATCHLEVEL; - if (copy_to_user(user->version, version, sizeof(version))) + kernel_params->version[0] =3D expected_major_version; + kernel_params->version[1] =3D DM_VERSION_MINOR; + kernel_params->version[2] =3D DM_VERSION_PATCHLEVEL; + if (copy_to_user(user->version, kernel_params->version, sizeof(kernel_par= ams->version))) return -EFAULT; =20 return r; @@ -1920,9 +2016,12 @@ static int copy_params(struct dm_ioctl __user *user,= struct dm_ioctl *param_kern { struct dm_ioctl *dmi; int secure_data; - const size_t minimum_data_size =3D offsetof(struct dm_ioctl, data); + const size_t minimum_data_size =3D sloppy_checks(param_kernel) ? + offsetof(struct dm_ioctl, data) : sizeof(struct dm_ioctl); unsigned int noio_flag; =20 + static_assert(offsetof(struct dm_ioctl, data_size) =3D=3D sizeof(param_ke= rnel->version)); + static_assert(offsetof(struct dm_ioctl, data_size) =3D=3D 12); /* Version has been copied from userspace already, avoid TOCTOU */ if (copy_from_user((char *)param_kernel + sizeof(param_kernel->version), (char __user *)user + sizeof(param_kernel->version), @@ -1930,12 +2029,13 @@ static int copy_params(struct dm_ioctl __user *user= , struct dm_ioctl *param_kern return -EFAULT; =20 if (param_kernel->data_size < minimum_data_size) { - DMERR("Invalid data size in the ioctl structure: %u", - param_kernel->data_size); + DMERR("Invalid data size in the ioctl structure: %u (minimum %zu)", + param_kernel->data_size, minimum_data_size); return -EINVAL; } =20 secure_data =3D param_kernel->flags & DM_SECURE_DATA_FLAG; + param_kernel->flags &=3D ~DM_SECURE_DATA_FLAG; =20 *param_flags =3D secure_data ? DM_WIPE_BUFFER : 0; =20 @@ -1966,7 +2066,8 @@ static int copy_params(struct dm_ioctl __user *user, = struct dm_ioctl *param_kern /* Copy from param_kernel (which was already copied from user) */ memcpy(dmi, param_kernel, minimum_data_size); =20 - if (copy_from_user(&dmi->data, (char __user *)user + minimum_data_size, + if (copy_from_user((char *)dmi + minimum_data_size, + (char __user *)user + minimum_data_size, param_kernel->data_size - minimum_data_size)) goto bad; data_copied: @@ -1983,33 +2084,86 @@ static int copy_params(struct dm_ioctl __user *user= , struct dm_ioctl *param_kern return -EFAULT; } =20 -static int validate_params(uint cmd, struct dm_ioctl *param) +static int validate_params(uint cmd, struct dm_ioctl *param, + uint32_t ioctl_flags, uint32_t supported_flags) { - /* Always clear this flag */ - param->flags &=3D ~DM_BUFFER_FULL_FLAG; - param->flags &=3D ~DM_UEVENT_GENERATED_FLAG; - param->flags &=3D ~DM_SECURE_DATA_FLAG; - param->flags &=3D ~DM_DATA_OUT_FLAG; - - /* Ignores parameters */ - if (cmd =3D=3D DM_REMOVE_ALL_CMD || - cmd =3D=3D DM_LIST_DEVICES_CMD || - cmd =3D=3D DM_LIST_VERSIONS_CMD) - return 0; + static_assert(__same_type(param->flags, supported_flags)); + u64 zero =3D 0; =20 if (cmd =3D=3D DM_DEV_CREATE_CMD) { if (!*param->name) { DMERR("name not supplied when creating device"); return -EINVAL; } - } else if (*param->uuid && *param->name) { - DMERR("only supply one of name or uuid, cmd(%u)", cmd); + } else { + if (*param->uuid && *param->name) { + DMERR("only supply one of name or uuid, cmd(%u)", cmd); + return -EINVAL; + } + } + + if (sloppy_checks(param)) { + /* Ensure strings are terminated */ + param->name[DM_NAME_LEN - 1] =3D '\0'; + param->uuid[DM_UUID_LEN - 1] =3D '\0'; + /* Mask off bits that could confuse other code */ + param->flags &=3D ~DM_STRICT_ONLY_FLAGS; + /* Skip strict checks */ + return 0; + } + + /* Check that strings are terminated */ + if (!no_non_nul_after_nul(param->name, DM_NAME_LEN, cmd, "Name") || + !no_non_nul_after_nul(param->uuid, DM_UUID_LEN, cmd, "UUID")) { return -EINVAL; } =20 - /* Ensure strings are terminated */ - param->name[DM_NAME_LEN - 1] =3D '\0'; - param->uuid[DM_UUID_LEN - 1] =3D '\0'; + if (memcmp(param->data, &zero, sizeof(param->data)) !=3D 0) { + DMERR("second padding field not zeroed in strict mode (cmd %u)", cmd); + return -EINVAL; + } + + if (param->flags & ~supported_flags) { + DMERR("unsupported flags 0x%x specified, cmd(%u)", + param->flags & ~supported_flags, cmd); + return -EINVAL; + } + + if (param->padding) { + DMERR("padding not zeroed in strict mode (got %u, cmd %u)", + param->padding, cmd); + return -EINVAL; + } + + if (param->open_count !=3D 0) { + DMERR("open_count not zeroed in strict mode (got %d, cmd %u)", + param->open_count, cmd); + return -EINVAL; + } + + if (param->event_nr !=3D 0 && (ioctl_flags & IOCTL_FLAGS_TAKES_EVENT_NR) = =3D=3D 0) { + DMERR("Event number not zeroed for command that does not take one (got %= u, cmd %u)", + param->event_nr, cmd); + return -EINVAL; + } + + if (ioctl_flags & IOCTL_FLAGS_NO_PARAMS) { + /* Ignores parameters */ + if (param->data_size !=3D sizeof(struct dm_ioctl)) { + DMERR("command %u must not have parameters", cmd); + return -EINVAL; + } + + if (param->target_count !=3D 0) { + DMERR("command %u must have zero target_count", cmd); + return -EINVAL; + } + + if (param->data_start) { + DMERR("command %u must have zero data_start", cmd); + return -EINVAL; + } + } =20 return 0; } @@ -2024,6 +2178,7 @@ static int ctl_ioctl(struct file *file, uint command,= struct dm_ioctl __user *us ioctl_fn fn =3D NULL; size_t input_param_size; struct dm_ioctl param_kernel; + uint32_t supported_flags, old_flags; =20 /* only root can play with this */ if (!capable(CAP_SYS_ADMIN)) @@ -2039,7 +2194,7 @@ static int ctl_ioctl(struct file *file, uint command,= struct dm_ioctl __user *us * writes out the kernel's interface version. */ r =3D check_version(cmd, user, ¶m_kernel); - if (r) + if (r !=3D 0) return r; =20 /* @@ -2048,7 +2203,7 @@ static int ctl_ioctl(struct file *file, uint command,= struct dm_ioctl __user *us if (cmd =3D=3D DM_VERSION_CMD) return 0; =20 - fn =3D lookup_ioctl(cmd, &ioctl_flags); + fn =3D lookup_ioctl(cmd, &ioctl_flags, &supported_flags); if (!fn) { DMERR("dm_ctl_ioctl: unknown command 0x%x", command); return -ENOTTY; @@ -2063,11 +2218,20 @@ static int ctl_ioctl(struct file *file, uint comman= d, struct dm_ioctl __user *us return r; =20 input_param_size =3D param->data_size; - r =3D validate_params(cmd, param); + + /* + * In sloppy mode, validate_params will clear some + * flags to ensure other code does not get confused. + * Save the original flags here. + */ + old_flags =3D param->flags; + r =3D validate_params(cmd, param, ioctl_flags, supported_flags); if (r) goto out; + /* This XOR keeps only the flags validate_params has changed. */ + old_flags ^=3D param->flags; =20 - param->data_size =3D offsetof(struct dm_ioctl, data); + param->data_size =3D sloppy_checks(param) ? offsetof(struct dm_ioctl, dat= a) : sizeof(struct dm_ioctl); r =3D fn(file, param, input_param_size); =20 if (unlikely(param->flags & DM_BUFFER_FULL_FLAG) && @@ -2077,6 +2241,9 @@ static int ctl_ioctl(struct file *file, uint command,= struct dm_ioctl __user *us if (!r && ioctl_flags & IOCTL_FLAGS_ISSUE_GLOBAL_EVENT) dm_issue_global_event(); =20 + /* Resture the flags that validate_params cleared */ + param->flags |=3D old_flags; + /* * Copy the results back to userland. */ diff --git a/include/uapi/linux/dm-ioctl.h b/include/uapi/linux/dm-ioctl.h index 1990b5700f6948243def314cec22f380926aca2e..81103e1dcdac3015204e9c05d73= 037191e965d59 100644 --- a/include/uapi/linux/dm-ioctl.h +++ b/include/uapi/linux/dm-ioctl.h @@ -171,8 +171,11 @@ struct dm_target_spec { =20 /* * Parameter string starts immediately after this object. - * Be careful to add padding after string to ensure correct - * alignment of subsequent dm_target_spec. + * Be careful to add padding after string to ensure 8-byte + * alignment of subsequent dm_target_spec. If the major version + * is DM_VERSION_MAJOR_STRICT, the padding must be at most 7 bytes, + * (not including the terminating NULt that ends the string) and + * must be zeroed. */ }; =20 @@ -285,14 +288,25 @@ enum { #define DM_TARGET_MSG _IOWR(DM_IOCTL, DM_TARGET_MSG_CMD, struct dm_ioctl) #define DM_DEV_SET_GEOMETRY _IOWR(DM_IOCTL, DM_DEV_SET_GEOMETRY_CMD, struc= t dm_ioctl) =20 +/* Legacy major version */ #define DM_VERSION_MAJOR 4 -#define DM_VERSION_MINOR 48 +/* + * New major version. Enforces strict parameter checks and is required for + * using some new features, such as new flags. Should be used by all new = code. + * + * If one uses DM_VERSION_MAJOR_STRICT, it is possible for the behavior of + * ioctls to depend on the minor version passed by userspace. Userspace m= ust + * not pass a minor version greater than the version it was designed for. + */ +#define DM_VERSION_MAJOR_STRICT 5 +#define DM_VERSION_MINOR 49 #define DM_VERSION_PATCHLEVEL 0 #define DM_VERSION_EXTRA "-ioctl (2023-03-01)" =20 /* Status bits */ #define DM_READONLY_FLAG (1 << 0) /* In/Out */ #define DM_SUSPEND_FLAG (1 << 1) /* In/Out */ +#define DM_EXISTS_FLAG (1 << 2) /* Not used by kernel, reserved for libde= vmapper in userland */ #define DM_PERSISTENT_DEV_FLAG (1 << 3) /* In */ =20 /* @@ -315,7 +329,8 @@ enum { #define DM_BUFFER_FULL_FLAG (1 << 8) /* Out */ =20 /* - * This flag is now ignored. + * This flag is now ignored if DM_VERSION_MAJOR is used, and causes + * -EINVAL if DM_VERSION_MAJOR_STRICT is used. */ #define DM_SKIP_BDGET_FLAG (1 << 9) /* In */ =20 @@ -382,4 +397,11 @@ enum { */ #define DM_IMA_MEASUREMENT_FLAG (1 << 19) /* In */ =20 +/* + * If DM_VERSION_MAJOR is used, these flags are ignored by the kernel. + * If DM_VERSION_MAJOR_STRICT is used, these flags are reserved and + * must be zeroed. + */ +#define DM_STRICT_ONLY_FLAGS ((__u32)0xFFF00004) + #endif /* _LINUX_DM_IOCTL_H */ --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Wed Nov 27 22:54:16 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1685478750924121.70515837497783; Tue, 30 May 2023 13:32:30 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.541404.844200 (Exim 4.92) (envelope-from ) id 1q460h-0004Vi-EI; Tue, 30 May 2023 20:32:03 +0000 Received: by outflank-mailman (output) from mailman id 541404.844200; Tue, 30 May 2023 20:32:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460h-0004VX-9q; Tue, 30 May 2023 20:32:03 +0000 Received: by outflank-mailman (input) for mailman id 541404; Tue, 30 May 2023 20:32:02 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460g-0001iX-DY for xen-devel@lists.xenproject.org; Tue, 30 May 2023 20:32:02 +0000 Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id 06b2bc50-ff29-11ed-8611-37d641c3527e; Tue, 30 May 2023 22:32:00 +0200 (CEST) Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.west.internal (Postfix) with ESMTP id CFA993200344; Tue, 30 May 2023 16:31:57 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute5.internal (MEProxy); Tue, 30 May 2023 16:31:58 -0400 Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 30 May 2023 16:31:56 -0400 (EDT) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 06b2bc50-ff29-11ed-8611-37d641c3527e DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685478717; x=1685565117; bh=BECTYLtMds TyiT4uJYQfU+Mj8zJcihG/8pwIemyERcA=; b=BykYK4wdtoBrIVjSpxxaRPRuTr MGlY8mwYSF1nHQ3142m3NqrwVH/EijYHPymM56mLBuX227aHbQ5F2PW5DWZe4u7U lg8XpJpFzf5qQ9+uusq9GdBCE1en27c6fJjqiCBAmOvo5OlNdjA8tBsW+mrUjfCA i1VUPE3DVLVEEMqpNIzK/oylyXHY1ECWck487vgg36SRTL69g96Tmj2WP4WDhRDh YNZvRk872QnPn4w1V/NYR4fwDxLVOwskMoaUGoK62UfRSFaRcP0Nn2L5GVVeNhGI Mpu4eTYXCdD6V6NuJeZKduMF5daf+4pRdw20W2896KNxKazcdsRNJffWFNqA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685478717; x= 1685565117; bh=BECTYLtMdsTyiT4uJYQfU+Mj8zJcihG/8pwIemyERcA=; b=s 1U5rNqdd3Uckhl+Jago2iM9Gf3UuVkhxSSUEaHhOfU7d6pLz10aattbKXvAzKLeQ p1y5pQ1q5M00Eb5JYCPaur978/NUoipGyMmasqpMjNPg+sH8guBmsx8gQC0lwOro MY4VFHjl8LbuDVnyVN2fMFbfJceUfRG9ptJUJYBiPSq9qQUzYzkfHdW5LQwKwknv 96fbB4tjlsJ8Yaw7xsE64N4Kn6Ygh34s6DgbFGBnQuD99EyXiIgJjQHQLcg36Bvw KrOCQFa/X5wdDAAOODfQIkmoW8hRj7E40BSZhiPyo5FnrEg0N/s3wQacji9NgkkI 38DoAfhisfRspgBJoSDkw== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeekjedgudeglecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeffvghm ihcuofgrrhhivgcuqfgsvghnohhurhcuoeguvghmihesihhnvhhishhisghlvghthhhinh hgshhlrggsrdgtohhmqeenucggtffrrghtthgvrhhnpeejffejgffgueegudevvdejkefg hefghffhffejteekleeufeffteffhfdtudehteenucevlhhushhtvghrufhiiigvpedvne curfgrrhgrmhepmhgrihhlfhhrohhmpeguvghmihesihhnvhhishhisghlvghthhhinhhg shhlrggsrdgtohhm X-ME-Proxy: Feedback-ID: iac594737:Fastmail From: Demi Marie Obenour To: Jens Axboe , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org Subject: [PATCH v2 08/16] device-mapper: Allow userspace to provide expected diskseq Date: Tue, 30 May 2023 16:31:08 -0400 Message-Id: <20230530203116.2008-9-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230530203116.2008-1-demi@invisiblethingslab.com> References: <20230530203116.2008-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1685478751340100006 Content-Type: text/plain; charset="utf-8" This can be used to avoid race conditions in which a device is destroyed and recreated with the same major/minor, name, or UUID. diskseqs are only honored if strict parameter checking is on, to avoid any risk of breaking old userspace. Signed-off-by: Demi Marie Obenour --- drivers/md/dm-ioctl.c | 48 ++++++++++++++++++++++++++++------- include/uapi/linux/dm-ioctl.h | 33 +++++++++++++++++++++--- 2 files changed, 69 insertions(+), 12 deletions(-) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index cf752e72ef6a2d8f8230e5bd6d1a6dc817a4f597..01cdf57bcafbf7f3e1b8304eec2= 8792c6b24642d 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -871,6 +871,9 @@ static void __dev_status(struct mapped_device *md, stru= ct dm_ioctl *param) } dm_put_live_table(md, srcu_idx); } + + if (param->version[0] >=3D DM_VERSION_MAJOR_STRICT) + dm_set_diskseq(param, disk->diskseq); } =20 static int dev_create(struct file *filp, struct dm_ioctl *param, size_t pa= ram_size) @@ -889,6 +892,8 @@ static int dev_create(struct file *filp, struct dm_ioct= l *param, size_t param_si if (r) return r; =20 + param->flags &=3D ~DM_INACTIVE_PRESENT_FLAG; + r =3D dm_hash_insert(param->name, *param->uuid ? param->uuid : NULL, md); if (r) { dm_put(md); @@ -909,6 +914,7 @@ static int dev_create(struct file *filp, struct dm_ioct= l *param, size_t param_si static struct hash_cell *__find_device_hash_cell(struct dm_ioctl *param) { struct hash_cell *hc =3D NULL; + static_assert(offsetof(struct dm_ioctl, diskseq_high) =3D=3D offsetof(str= uct dm_ioctl, data) + 3); =20 if (*param->uuid) { if (*param->name || param->dev) { @@ -937,6 +943,27 @@ static struct hash_cell *__find_device_hash_cell(struc= t dm_ioctl *param) } else return NULL; =20 + if (param->version[0] >=3D DM_VERSION_MAJOR_STRICT) { + u64 expected_diskseq =3D dm_get_diskseq(param); + u64 diskseq; + struct mapped_device *md =3D hc->md; + + if (WARN_ON_ONCE(md->disk =3D=3D NULL)) + return NULL; + diskseq =3D md->disk->diskseq; + if (WARN_ON_ONCE(diskseq =3D=3D 0)) + return NULL; + if (expected_diskseq !=3D 0) { + if (expected_diskseq !=3D diskseq) { + DMERR("Diskseq mismatch: expected %llu actual %llu", + expected_diskseq, diskseq); + return NULL; + } + } else { + dm_set_diskseq(param, diskseq); + } + } + /* * Sneakily write in both the name and the uuid * while we have the cell. @@ -2088,7 +2115,6 @@ static int validate_params(uint cmd, struct dm_ioctl = *param, uint32_t ioctl_flags, uint32_t supported_flags) { static_assert(__same_type(param->flags, supported_flags)); - u64 zero =3D 0; =20 if (cmd =3D=3D DM_DEV_CREATE_CMD) { if (!*param->name) { @@ -2112,14 +2138,24 @@ static int validate_params(uint cmd, struct dm_ioct= l *param, return 0; } =20 + if (param->data_size < sizeof(struct dm_ioctl)) { + DMERR("Entire struct dm_ioctl (size %zu) must be valid, but only %u was = valid", + sizeof(struct dm_ioctl), param->data_size); + return -EINVAL; + } + /* Check that strings are terminated */ if (!no_non_nul_after_nul(param->name, DM_NAME_LEN, cmd, "Name") || !no_non_nul_after_nul(param->uuid, DM_UUID_LEN, cmd, "UUID")) { return -EINVAL; } =20 - if (memcmp(param->data, &zero, sizeof(param->data)) !=3D 0) { - DMERR("second padding field not zeroed in strict mode (cmd %u)", cmd); + /* + * This also reads the NUL terminator of the UUID, but that has already b= een + * checked to be zero by no_non_nul_after_nul(). + */ + if (*(const u32 *)((const char *)param + sizeof(struct dm_ioctl) - 8) != =3D 0) { + DMERR("padding field not zeroed in strict mode (cmd %u)", cmd); return -EINVAL; } =20 @@ -2129,12 +2165,6 @@ static int validate_params(uint cmd, struct dm_ioctl= *param, return -EINVAL; } =20 - if (param->padding) { - DMERR("padding not zeroed in strict mode (got %u, cmd %u)", - param->padding, cmd); - return -EINVAL; - } - if (param->open_count !=3D 0) { DMERR("open_count not zeroed in strict mode (got %d, cmd %u)", param->open_count, cmd); diff --git a/include/uapi/linux/dm-ioctl.h b/include/uapi/linux/dm-ioctl.h index 81103e1dcdac3015204e9c05d73037191e965d59..5647b218f24b626f5c1cefe8bec= 18dc04373c3d0 100644 --- a/include/uapi/linux/dm-ioctl.h +++ b/include/uapi/linux/dm-ioctl.h @@ -136,16 +136,43 @@ struct dm_ioctl { * For output, the ioctls return the event number, not the cookie. */ __u32 event_nr; /* in/out */ - __u32 padding; + + union { + /* valid if DM_VERSION_MAJOR is used */ + __u32 padding; /* padding */ + /* valid if DM_VERSION_MAJOR_STRICT is used */ + __u32 diskseq_low; /* in/out: low 4 bytes of the diskseq */ + }; =20 __u64 dev; /* in/out */ =20 char name[DM_NAME_LEN]; /* device name */ char uuid[DM_UUID_LEN]; /* unique identifier for * the block device */ - char data[7]; /* padding or data */ + union { + /* valid if DM_VERSION_MAJOR is used */ + char data[7]; /* padding or data */ + /* valid if DM_VERSION_MAJOR_STRICT is used */ + struct { + char _padding[3]; /* padding */ + __u32 diskseq_high; /* in/out: high 4 bytes of the diskseq */ + } __attribute__((packed)); + }; }; =20 +__attribute__((always_inline)) static inline __u64 +dm_get_diskseq(const struct dm_ioctl *_i) +{ + return (__u64)_i->diskseq_high << 32 | (__u64)_i->diskseq_low; +} + +__attribute__((always_inline)) static inline void +dm_set_diskseq(struct dm_ioctl *_i, __u64 _diskseq) +{ + _i->diskseq_low =3D (__u32)(_diskseq & 0xFFFFFFFFU); + _i->diskseq_high =3D (__u32)(_diskseq >> 32); +} + /* * Used to specify tables. These structures appear after the * dm_ioctl. @@ -402,6 +429,6 @@ enum { * If DM_VERSION_MAJOR_STRICT is used, these flags are reserved and * must be zeroed. */ -#define DM_STRICT_ONLY_FLAGS ((__u32)0xFFF00004) +#define DM_STRICT_ONLY_FLAGS ((__u32)(~((1UL << 19) - 1) | 1 << 9 | 1 << 7= )) =20 #endif /* _LINUX_DM_IOCTL_H */ --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Wed Nov 27 22:54:16 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1685478756607628.6324897976887; Tue, 30 May 2023 13:32:36 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.541407.844210 (Exim 4.92) (envelope-from ) id 1q460k-0004xO-Pf; Tue, 30 May 2023 20:32:06 +0000 Received: by outflank-mailman (output) from mailman id 541407.844210; Tue, 30 May 2023 20:32:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460k-0004x8-Lt; Tue, 30 May 2023 20:32:06 +0000 Received: by outflank-mailman (input) for mailman id 541407; Tue, 30 May 2023 20:32:04 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460i-0001yj-NG for xen-devel@lists.xenproject.org; Tue, 30 May 2023 20:32:04 +0000 Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id 087f76e2-ff29-11ed-b231-6b7b168915f2; Tue, 30 May 2023 22:32:03 +0200 (CEST) Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.west.internal (Postfix) with ESMTP id 279DD320091D; Tue, 30 May 2023 16:32:01 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute5.internal (MEProxy); Tue, 30 May 2023 16:32:01 -0400 Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 30 May 2023 16:31:59 -0400 (EDT) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 087f76e2-ff29-11ed-b231-6b7b168915f2 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685478720; x=1685565120; bh=aAfoA6tajO I3DdZbN+5gNp3o1Bf92v6/idOtFVwuqiE=; b=XYryrGSs9af08o9XzJZlWkP7YS JLLfR1m5fe8QVd3QR+6WCZdGftB4WKelk4w73RWFcsldPXK/6kET4skLGHEjfyR9 9raZlXBEqMOY3lcfb3RKOIXooZ6bPv1MTjeKMBqsKjXscnwDbIJTiVZqWxMgeHZ+ X0fukMQ6rp3BZHVQA/h3abeEGZylMMkQPtqmNC1qKQK7FYeXv1VabGc/J9HKQHj5 hNwxe11yXZPnYOujIsBfr07INd/FWOq3WMM/AhxJFTOsJjo3mZCX0BTyTGB+HOpO sm9nG/rSIhh+fS7BiI2cZ7Vx1W96+WzIAyAKIkO+GaPZ1WnP1yjbU6VnCMAA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685478720; x= 1685565120; bh=aAfoA6tajOI3DdZbN+5gNp3o1Bf92v6/idOtFVwuqiE=; b=B LBapeZTHOetv6cE0GTwPpL73JQDH4RfekajwyobPYL6NNCpVV58gVIFMYzREQE9O cIOpGoxbNrxHuDPmwJ6eVXN4MozN4uVBcS2b7Rl5bxt7Fp/e93CHX+VipbnxUY/t 0eVrwRVlPeCVOVUbuTwecqzI4e02b7wsokNIEUeINpoAmY9Qqcvt0HGvOuTlydim /NVfmnLxWbVFFibA08/xffwRWQU38ugjH9Qo+9YaNfAmM4rJErVXAHQBctyESQ2V 8rewIK4P5DUD8YH+0lVTRQv+lSSc80A0ROaBPwCP1s7qkVpwdFzgyTOMjWxqbCIt 0TXQT4E0HMZaYYSRHSDSw== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeekjedgudeglecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeffvghm ihcuofgrrhhivgcuqfgsvghnohhurhcuoeguvghmihesihhnvhhishhisghlvghthhhinh hgshhlrggsrdgtohhmqeenucggtffrrghtthgvrhhnpeejffejgffgueegudevvdejkefg hefghffhffejteekleeufeffteffhfdtudehteenucevlhhushhtvghrufhiiigvpedvne curfgrrhgrmhepmhgrihhlfhhrohhmpeguvghmihesihhnvhhishhisghlvghthhhinhhg shhlrggsrdgtohhm X-ME-Proxy: Feedback-ID: iac594737:Fastmail From: Demi Marie Obenour To: Jens Axboe , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org Subject: [PATCH v2 09/16] device-mapper: Allow userspace to suppress uevent generation Date: Tue, 30 May 2023 16:31:09 -0400 Message-Id: <20230530203116.2008-10-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230530203116.2008-1-demi@invisiblethingslab.com> References: <20230530203116.2008-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1685478757416100001 Content-Type: text/plain; charset="utf-8" Userspace can use this to avoid spamming udev with events that udev should ignore. Signed-off-by: Demi Marie Obenour --- drivers/md/dm-core.h | 2 + drivers/md/dm-ioctl.c | 78 ++++++++++++++++++----------------- drivers/md/dm.c | 5 ++- include/linux/device-mapper.h | 2 +- include/uapi/linux/dm-ioctl.h | 14 +++++-- 5 files changed, 57 insertions(+), 44 deletions(-) diff --git a/drivers/md/dm-core.h b/drivers/md/dm-core.h index aecab0c0720f77ae2a0ab048304ea3d1023f9959..a033f85d1a9d9b3d8ec893efd65= 52fb48d2b3541 100644 --- a/drivers/md/dm-core.h +++ b/drivers/md/dm-core.h @@ -115,6 +115,8 @@ struct mapped_device { =20 /* for blk-mq request-based DM support */ bool init_tio_pdu:1; + /* If set, do not emit any uevents. */ + bool disable_uevents:1; struct blk_mq_tag_set *tag_set; =20 struct dm_stats stats; diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 01cdf57bcafbf7f3e1b8304eec28792c6b24642d..52aa5505d23b2f3d9c0faf6e8a9= 1b74cd7845581 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -814,6 +814,11 @@ static struct dm_table *dm_get_live_or_inactive_table(= struct mapped_device *md, dm_get_inactive_table(md, srcu_idx) : dm_get_live_table(md, srcu_idx); } =20 +static inline bool sloppy_checks(const struct dm_ioctl *param) +{ + return param->version[0] < DM_VERSION_MAJOR_STRICT; +} + /* * Fills in a dm_ioctl structure, ready for sending back to * userland. @@ -872,7 +877,7 @@ static void __dev_status(struct mapped_device *md, stru= ct dm_ioctl *param) dm_put_live_table(md, srcu_idx); } =20 - if (param->version[0] >=3D DM_VERSION_MAJOR_STRICT) + if (!sloppy_checks(param)) dm_set_diskseq(param, disk->diskseq); } =20 @@ -888,7 +893,7 @@ static int dev_create(struct file *filp, struct dm_ioct= l *param, size_t param_si if (param->flags & DM_PERSISTENT_DEV_FLAG) m =3D MINOR(huge_decode_dev(param->dev)); =20 - r =3D dm_create(m, &md); + r =3D dm_create(m, &md, param->flags & DM_DISABLE_UEVENTS_FLAG); if (r) return r; =20 @@ -1452,11 +1457,6 @@ static int next_target(struct dm_target_spec *last, = uint32_t next, const char *e return 0; } =20 -static inline bool sloppy_checks(const struct dm_ioctl *param) -{ - return param->version[0] < DM_VERSION_MAJOR_STRICT; -} - static bool no_non_nul_after_nul(const char *untrusted_str, size_t size, unsigned int cmd, const char *msg) { @@ -1928,59 +1928,61 @@ static int target_message(struct file *filp, struct= dm_ioctl *param, size_t para * Implementation of open/close/ioctl on the special char device. *--------------------------------------------------------------- */ -static ioctl_fn lookup_ioctl(unsigned int cmd, int *ioctl_flags, uint32_t = *supported_flags) +static ioctl_fn lookup_ioctl(unsigned int cmd, bool strict, int *ioctl_fla= gs, uint32_t *supported_flags) { static const struct { int cmd; int flags; ioctl_fn fn; uint32_t supported_flags; + uint32_t strict_flags; } _ioctls[] =3D { /* Macro to make the structure initializers somewhat readable */ -#define I(cmd, flags, fn, supported_flags) { \ - (cmd), \ - (flags), \ - (fn), \ - /* \ - * Supported flags in sloppy mode must not include anything in DM_STRICT_= ONLY_FLAGS. \ - * Use BUILD_BUG_ON_ZERO to check for that. \ - */ \ - (supported_flags) | BUILD_BUG_ON_ZERO((supported_flags) & DM_STRICT_ONLY_= FLAGS), \ +#define I(cmd, flags, fn, supported_flags, strict_flags) { \ + (cmd), \ + (flags), \ + (fn), \ + /* \ + * Supported flags in sloppy mode must not include anything in DM_STRICT_= ONLY_FLAGS. \ + * Use BUILD_BUG_ON_ZERO to check for that. \ + */ \ + (supported_flags) | BUILD_BUG_ON_ZERO((supported_flags) & DM_STRICT_ONLY_= FLAGS), \ + (strict_flags) | (supported_flags) | BUILD_BUG_ON_ZERO((supported_flags) = & (strict_flags)), \ } - I(DM_VERSION_CMD, 0, NULL, 0), /* version is dealt with elsewhere */ + I(DM_VERSION_CMD, 0, NULL, 0, 0), /* version is dealt with elsewhere */ I(DM_REMOVE_ALL_CMD, IOCTL_FLAGS_NO_PARAMS | IOCTL_FLAGS_ISSUE_GLOBAL_EV= ENT, remove_all, - DM_DEFERRED_REMOVE), - I(DM_LIST_DEVICES_CMD, 0, list_devices, DM_UUID_FLAG), + DM_DEFERRED_REMOVE, 0), + I(DM_LIST_DEVICES_CMD, 0, list_devices, DM_UUID_FLAG, 0), I(DM_DEV_CREATE_CMD, IOCTL_FLAGS_NO_PARAMS | IOCTL_FLAGS_ISSUE_GLOBAL_EV= ENT, dev_create, - DM_PERSISTENT_DEV_FLAG), + DM_PERSISTENT_DEV_FLAG, DM_DISABLE_UEVENTS_FLAG), I(DM_DEV_REMOVE_CMD, IOCTL_FLAGS_NO_PARAMS | IOCTL_FLAGS_ISSUE_GLOBAL_EV= ENT, dev_remove, - DM_DEFERRED_REMOVE), + DM_DEFERRED_REMOVE, 0), I(DM_DEV_RENAME_CMD, IOCTL_FLAGS_ISSUE_GLOBAL_EVENT, dev_rename, - DM_QUERY_INACTIVE_TABLE_FLAG | DM_UUID_FLAG), + DM_QUERY_INACTIVE_TABLE_FLAG | DM_UUID_FLAG, 0), I(DM_DEV_SUSPEND_CMD, IOCTL_FLAGS_NO_PARAMS, dev_suspend, - DM_QUERY_INACTIVE_TABLE_FLAG | DM_SUSPEND_FLAG | DM_SKIP_LOCKFS_FLAG | = DM_NOFLUSH_FLAG), - I(DM_DEV_STATUS_CMD, IOCTL_FLAGS_NO_PARAMS, dev_status, DM_QUERY_INACTIV= E_TABLE_FLAG), + DM_QUERY_INACTIVE_TABLE_FLAG | DM_SUSPEND_FLAG | DM_SKIP_LOCKFS_FLAG | = DM_NOFLUSH_FLAG, 0), + I(DM_DEV_STATUS_CMD, IOCTL_FLAGS_NO_PARAMS, dev_status, DM_QUERY_INACTIV= E_TABLE_FLAG, 0), I(DM_DEV_WAIT_CMD, IOCTL_FLAGS_TAKES_EVENT_NR, dev_wait, - DM_QUERY_INACTIVE_TABLE_FLAG | DM_STATUS_TABLE_FLAG | DM_NOFLUSH_FLAG), - I(DM_TABLE_LOAD_CMD, 0, table_load, DM_QUERY_INACTIVE_TABLE_FLAG | DM_RE= ADONLY_FLAG), - I(DM_TABLE_CLEAR_CMD, IOCTL_FLAGS_NO_PARAMS, table_clear, DM_QUERY_INACT= IVE_TABLE_FLAG), - I(DM_TABLE_DEPS_CMD, 0, table_deps, DM_QUERY_INACTIVE_TABLE_FLAG), + DM_QUERY_INACTIVE_TABLE_FLAG | DM_STATUS_TABLE_FLAG | DM_NOFLUSH_FLAG, = 0), + I(DM_TABLE_LOAD_CMD, 0, table_load, DM_QUERY_INACTIVE_TABLE_FLAG | DM_RE= ADONLY_FLAG, 0), + I(DM_TABLE_CLEAR_CMD, IOCTL_FLAGS_NO_PARAMS, table_clear, DM_QUERY_INACT= IVE_TABLE_FLAG, 0), + I(DM_TABLE_DEPS_CMD, 0, table_deps, DM_QUERY_INACTIVE_TABLE_FLAG, 0), I(DM_TABLE_STATUS_CMD, 0, table_status, - DM_QUERY_INACTIVE_TABLE_FLAG | DM_STATUS_TABLE_FLAG | DM_NOFLUSH_FLAG), + DM_QUERY_INACTIVE_TABLE_FLAG | DM_STATUS_TABLE_FLAG | DM_NOFLUSH_FLAG, = 0), =20 - I(DM_LIST_VERSIONS_CMD, 0, list_versions, 0), + I(DM_LIST_VERSIONS_CMD, 0, list_versions, 0, 0), =20 - I(DM_TARGET_MSG_CMD, 0, target_message, DM_QUERY_INACTIVE_TABLE_FLAG), - I(DM_DEV_SET_GEOMETRY_CMD, 0, dev_set_geometry, 0), - I(DM_DEV_ARM_POLL_CMD, IOCTL_FLAGS_NO_PARAMS, dev_arm_poll, 0), - I(DM_GET_TARGET_VERSION_CMD, 0, get_target_version, 0), + I(DM_TARGET_MSG_CMD, 0, target_message, DM_QUERY_INACTIVE_TABLE_FLAG, 0), + I(DM_DEV_SET_GEOMETRY_CMD, 0, dev_set_geometry, 0, 0), + I(DM_DEV_ARM_POLL_CMD, IOCTL_FLAGS_NO_PARAMS, dev_arm_poll, 0, 0), + I(DM_GET_TARGET_VERSION_CMD, 0, get_target_version, 0, 0), }; =20 if (unlikely(cmd >=3D ARRAY_SIZE(_ioctls))) return NULL; =20 cmd =3D array_index_nospec(cmd, ARRAY_SIZE(_ioctls)); - *supported_flags =3D _ioctls[cmd].supported_flags; + *supported_flags =3D strict ? _ioctls[cmd].strict_flags : _ioctls[cmd].su= pported_flags; *ioctl_flags =3D _ioctls[cmd].flags; return _ioctls[cmd].fn; } @@ -2233,7 +2235,7 @@ static int ctl_ioctl(struct file *file, uint command,= struct dm_ioctl __user *us if (cmd =3D=3D DM_VERSION_CMD) return 0; =20 - fn =3D lookup_ioctl(cmd, &ioctl_flags, &supported_flags); + fn =3D lookup_ioctl(cmd, !sloppy_checks(¶m_kernel), &ioctl_flags, &su= pported_flags); if (!fn) { DMERR("dm_ctl_ioctl: unknown command 0x%x", command); return -ENOTTY; @@ -2451,7 +2453,7 @@ int __init dm_early_create(struct dm_ioctl *dmi, m =3D MINOR(huge_decode_dev(dmi->dev)); =20 /* alloc dm device */ - r =3D dm_create(m, &md); + r =3D dm_create(m, &md, false); if (r) return r; =20 diff --git a/drivers/md/dm.c b/drivers/md/dm.c index 3b694ba3a106e68d4c0d5e64cd9136cf7abce237..efdf70a331cb681a88490f45d26= 259c29ddac850 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -2276,13 +2276,14 @@ static struct dm_table *__unbind(struct mapped_devi= ce *md) /* * Constructor for a new device. */ -int dm_create(int minor, struct mapped_device **result) +int dm_create(int minor, struct mapped_device **result, bool disable_ueven= ts) { struct mapped_device *md; =20 md =3D alloc_dev(minor); if (!md) return -ENXIO; + md->disable_uevents =3D disable_uevents; =20 dm_ima_reset_data(md); =20 @@ -2999,6 +3000,8 @@ int dm_kobject_uevent(struct mapped_device *md, enum = kobject_action action, char udev_cookie[DM_COOKIE_LENGTH]; char *envp[3] =3D { NULL, NULL, NULL }; char **envpp =3D envp; + if (md->disable_uevents) + return 0; if (cookie) { snprintf(udev_cookie, DM_COOKIE_LENGTH, "%s=3D%u", DM_COOKIE_ENV_VAR_NAME, cookie); diff --git a/include/linux/device-mapper.h b/include/linux/device-mapper.h index a52d2b9a68460ac7951ad6ebe76d9a1cfccf7afb..7c8d7a7e8798d20e517e2264c06= 772ecd8b41ef3 100644 --- a/include/linux/device-mapper.h +++ b/include/linux/device-mapper.h @@ -463,7 +463,7 @@ void dm_consume_args(struct dm_arg_set *as, unsigned in= t num_args); * DM_ANY_MINOR chooses the next available minor number. */ #define DM_ANY_MINOR (-1) -int dm_create(int minor, struct mapped_device **md); +int dm_create(int minor, struct mapped_device **md, bool disable_uevents); =20 /* * Reference counting for md. diff --git a/include/uapi/linux/dm-ioctl.h b/include/uapi/linux/dm-ioctl.h index 5647b218f24b626f5c1cefe8bec18dc04373c3d0..07cc5bbb6944ebaa42ddfec6fd5= e0413c535e7ff 100644 --- a/include/uapi/linux/dm-ioctl.h +++ b/include/uapi/linux/dm-ioctl.h @@ -356,8 +356,16 @@ enum { #define DM_BUFFER_FULL_FLAG (1 << 8) /* Out */ =20 /* - * This flag is now ignored if DM_VERSION_MAJOR is used, and causes - * -EINVAL if DM_VERSION_MAJOR_STRICT is used. + * This flag is only recognized when DM_VERSION_MAJOR_STRICT is used. + * It tells the kernel to not generate any uevents for the newly-created + * device. Using it outside of DM_DEV_CREATE results in -EINVAL. When + * DM_VERSION_MAJOR is used this flag is ignored. + */ +#define DM_DISABLE_UEVENTS_FLAG (1 << 9) /* In */ + +/* + * This flag is now ignored if DM_VERSION_MAJOR is used. When + * DM_VERSION_MAJOR_STRICT is used it is an alias for DM_DISABLE_UEVENT_FL= AG. */ #define DM_SKIP_BDGET_FLAG (1 << 9) /* In */ =20 @@ -426,8 +434,6 @@ enum { =20 /* * If DM_VERSION_MAJOR is used, these flags are ignored by the kernel. - * If DM_VERSION_MAJOR_STRICT is used, these flags are reserved and - * must be zeroed. */ #define DM_STRICT_ONLY_FLAGS ((__u32)(~((1UL << 19) - 1) | 1 << 9 | 1 << 7= )) =20 --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Wed Nov 27 22:54:16 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1685478757644941.8372278317056; Tue, 30 May 2023 13:32:37 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.541410.844220 (Exim 4.92) (envelope-from ) id 1q460o-0005T8-5o; Tue, 30 May 2023 20:32:10 +0000 Received: by outflank-mailman (output) from mailman id 541410.844220; Tue, 30 May 2023 20:32:10 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460n-0005Sr-VF; Tue, 30 May 2023 20:32:09 +0000 Received: by outflank-mailman (input) for mailman id 541410; Tue, 30 May 2023 20:32:08 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460m-0001iX-Nd for xen-devel@lists.xenproject.org; Tue, 30 May 2023 20:32:08 +0000 Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id 0a5c0882-ff29-11ed-8611-37d641c3527e; Tue, 30 May 2023 22:32:06 +0200 (CEST) Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailout.west.internal (Postfix) with ESMTP id F2B183200930; Tue, 30 May 2023 16:32:03 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute2.internal (MEProxy); Tue, 30 May 2023 16:32:04 -0400 Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 30 May 2023 16:32:02 -0400 (EDT) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 0a5c0882-ff29-11ed-8611-37d641c3527e DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685478723; x=1685565123; bh=rwGIL/9NRS MhUwVWwsxjoxS5AMM8VOhnzZgHY9xGhxg=; b=qkBueq2r2OyWcbusDQUrjajFFr 8ESqGro3ggJwym7lFf9BI9ESX7xekhNhstWp8F1ueTG3NmoZqthNHTWOXbCGq5Vw 67eIWybB+EGrobvjODoQqwC70WtdLXTl2k5nQabcp3ZQs/dQWH2f+QrTvapYJOrW JrHz90N9W+aLbcMlDjF0cjaNT1cyK5hLdd/RpV3VjOJWSictxkSNvJ89RwdrBPZG E9Kxm85hwY5s7dhDK62GqfSywSV09msrreFFwcypf91DJsdE3WhAfmU038D6fTNC IJwxS9XPoI4erBBQzlRsVtR6w58sX6QtAWlnzP3FUVoK+Ii+7VvWyJVHGyBA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685478723; x= 1685565123; bh=rwGIL/9NRSMhUwVWwsxjoxS5AMM8VOhnzZgHY9xGhxg=; b=y 4N/s9MUZzZd4QAK3LutuCyRwXJa6PV0apyBdJJ0IvWA7d2gGhkz/XsZL7+VJH2SG iOcTbZxxHnngGWA/vK1Cy/hWHcqG4/qzaYGV3DdLfQBhITU6JQPFY6rYK8F78XZs GsFx5qwOlj2SIdDWk5FlJyasxkbCa3R96lDH1Hm2Dvhf2k7z0wpQK4fuV1Q/mMRI fUSMAzPyoOA+uwmX+9p0bB+XYk6wNk3PB/5bWjVYO6PrYeHoE9udaLaxIrHaFqnW IaScZZBdVbuKJ7vOHjBpV2ygqFDhJvzlolEe5vP4KmsAbmnCAoIBk1ZiIgIsCNXl w1VoeHG8LsGkBO7eC24Bg== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeekjedgudeglecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeffvghm ihcuofgrrhhivgcuqfgsvghnohhurhcuoeguvghmihesihhnvhhishhisghlvghthhhinh hgshhlrggsrdgtohhmqeenucggtffrrghtthgvrhhnpeejffejgffgueegudevvdejkefg hefghffhffejteekleeufeffteffhfdtudehteenucevlhhushhtvghrufhiiigvpedtne curfgrrhgrmhepmhgrihhlfhhrohhmpeguvghmihesihhnvhhishhisghlvghthhhinhhg shhlrggsrdgtohhm X-ME-Proxy: Feedback-ID: iac594737:Fastmail From: Demi Marie Obenour To: Jens Axboe , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org Subject: [PATCH v2 10/16] device-mapper: Refuse to create device named "control" Date: Tue, 30 May 2023 16:31:10 -0400 Message-Id: <20230530203116.2008-11-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230530203116.2008-1-demi@invisiblethingslab.com> References: <20230530203116.2008-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1685478759260100003 Content-Type: text/plain; charset="utf-8" Typical userspace setups create a symlink under /dev/mapper with the name of the device, but /dev/mapper/control is reserved for the control device. Therefore, trying to create such a device is almost certain to be a userspace bug. Signed-off-by: Demi Marie Obenour --- drivers/md/dm-ioctl.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 52aa5505d23b2f3d9c0faf6e8a91b74cd7845581..9ae00e3c1a72c19575814cf4737= 74835b364320b 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -771,7 +771,12 @@ static int get_target_version(struct file *filp, struc= t dm_ioctl *param, size_t static int check_name(const char *name) { if (strchr(name, '/')) { - DMERR("invalid device name"); + DMERR("device name cannot contain '/'"); + return -EINVAL; + } + + if (strcmp(name, DM_CONTROL_NODE) =3D=3D 0) { + DMERR("device name cannot be \"%s\"", DM_CONTROL_NODE); return -EINVAL; } =20 --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Wed Nov 27 22:54:16 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1685478759441145.5196831015993; Tue, 30 May 2023 13:32:39 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.541413.844230 (Exim 4.92) (envelope-from ) id 1q460p-0005nA-Ky; Tue, 30 May 2023 20:32:11 +0000 Received: by outflank-mailman (output) from mailman id 541413.844230; Tue, 30 May 2023 20:32:11 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460p-0005m4-Eg; Tue, 30 May 2023 20:32:11 +0000 Received: by outflank-mailman (input) for mailman id 541413; Tue, 30 May 2023 20:32:10 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1q460n-0001yj-UB for xen-devel@lists.xenproject.org; Tue, 30 May 2023 20:32:09 +0000 Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id 0bda8dbd-ff29-11ed-b231-6b7b168915f2; Tue, 30 May 2023 22:32:08 +0200 (CEST) Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailout.west.internal (Postfix) with ESMTP id C38563200948; Tue, 30 May 2023 16:32:06 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute6.internal (MEProxy); Tue, 30 May 2023 16:32:07 -0400 Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 30 May 2023 16:32:05 -0400 (EDT) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 0bda8dbd-ff29-11ed-b231-6b7b168915f2 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685478726; x=1685565126; bh=eT2dle5SRu lVFDzi62TQ1IQZDI2oVYJkexEdj7/Fslc=; b=TjsQAkSuKW8jtKf3DGsyG9k8zB Trnwh7BYpObxsovagPyZP1xIVriYTxgHNSH5nj9ifAbA9gdN6AbnhABYUrz7X2Zz KpEy+jDQaGp2QjfZ4PUwmZEO98fqknFuIn6qaYfZfNH4vntEEHsm4e4VAkqo4yo0 PnkSH+j3F9HYaNylPFWtqgof0/h6RnGJmADeTa+W0iOQ/33+BsxtUOzDvpOhuWyA pRxIpcnJp87HASHTkoCnA+XuZLjzC5ReS3XQCm6OVf1wK7aoDpuRON/3CGE8D3hA TVOl0GJyhdVvxWcF1R6HiMZ2JYdtrEIzCiMn7PYtSWSKaryTZBhGxMxOJMpQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685478726; x= 1685565126; bh=eT2dle5SRulVFDzi62TQ1IQZDI2oVYJkexEdj7/Fslc=; b=f x+WGuknoInsViw78HCTgMny6arWnrKDaevCR8NIQfxAqzpjLevOC+ucbiCUnt8No wfD1dHHzk4dunu2DDvLgkxgvQcvcbLuITSJjFO1dZ6QYMU2EYxHMT4yLaVN4S07e YWJ37QTAJGrcHBVA4qwlGST9+Hu998Nj53zoG9/psvzFlUVLP7246H1dAOyf2cO6 /TKVgGoVfRr6YDDbw7Wlv4ZUL1wEgu2LEIaitpXknaBbAtMtwdgCVZB86ZjR6/9s V6CvT6TpCsRdaZOMkl0LfAzvQUxC1DMUqe5tQBYSfFcaz8Jjc2YKLKxsMqowUIfF 2SwuwNy1+1MMOXK1ij1PA== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeekjedgudeglecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeffvghm ihcuofgrrhhivgcuqfgsvghnohhurhcuoeguvghmihesihhnvhhishhisghlvghthhhinh hgshhlrggsrdgtohhmqeenucggtffrrghtthgvrhhnpeejffejgffgueegudevvdejkefg hefghffhffejteekleeufeffteffhfdtudehteenucevlhhushhtvghrufhiiigvpedune curfgrrhgrmhepmhgrihhlfhhrohhmpeguvghmihesihhnvhhishhisghlvghthhhinhhg shhlrggsrdgtohhm X-ME-Proxy: Feedback-ID: iac594737:Fastmail From: Demi Marie Obenour To: Jens Axboe , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org Subject: [PATCH v2 11/16] device-mapper: "." and ".." are not valid symlink names Date: Tue, 30 May 2023 16:31:11 -0400 Message-Id: <20230530203116.2008-12-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230530203116.2008-1-demi@invisiblethingslab.com> References: <20230530203116.2008-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1685478761331100007 Content-Type: text/plain; charset="utf-8" Using either of these is going to greatly confuse userspace, as they are not valid symlink names and so creating the usual /dev/mapper/NAME symlink will not be possible. As creating a device with either of these names is almost certainly a userspace bug, just error out. Signed-off-by: Demi Marie Obenour --- drivers/md/dm-ioctl.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 9ae00e3c1a72c19575814cf473774835b364320b..17ece816d490b6c40d019da131a= de44c9a201dab 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -775,8 +775,10 @@ static int check_name(const char *name) return -EINVAL; } =20 - if (strcmp(name, DM_CONTROL_NODE) =3D=3D 0) { - DMERR("device name cannot be \"%s\"", DM_CONTROL_NODE); + if (strcmp(name, DM_CONTROL_NODE) =3D=3D 0 || + strcmp(name, ".") =3D=3D 0 || + strcmp(name, "..") =3D=3D 0) { + DMERR("device name cannot be \"%s\", \".\", or \"..\"", DM_CONTROL_NODE); return -EINVAL; } =20 --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Wed Nov 27 22:54:16 2024 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1FFDFC7EE23 for ; Tue, 30 May 2023 20:33:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233512AbjE3UdZ (ORCPT ); Tue, 30 May 2023 16:33:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55778 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233112AbjE3UdE (ORCPT ); Tue, 30 May 2023 16:33:04 -0400 Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4F0CF10C0; Tue, 30 May 2023 13:32:33 -0700 (PDT) Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id 723F63200943; Tue, 30 May 2023 16:32:09 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Tue, 30 May 2023 16:32:10 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685478729; x=1685565129; bh=irr2EYlMc/ ep40A7KRI/xWi2gREEnIhu2G5hCeO8CLU=; b=hURAEgyL29RZKJ+OYcTsErbDM/ S1Ul5/NUJUPSUYPM5HMp20PXXk0gLiNmvxjoP1CB2io9qAj/T4B/cqHiaSjgGmi8 0OUe8kLmaoL/YVBAxDpvilMIDBf/Y2qDnpqjA2O6Z1bm6pdtSzAuU8pbwRpb/64E t3nTRGtgH4YjIZNDyv9MRjk+yomLwVCQZeoxQogkrfQEBvmCXu28G+w8CDjq/W3w Mx9lG3fpLwdz3h+U33/HWIfxkCWVZsJU414cVmYbYoJ0vUv3StWVENMkJBzowoLX 64xRWpZtQ+yZbqGZ94lNuiuB4ECWPLAOLRd5LUD0psVSjobpmBc7joc+izig== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685478729; x= 1685565129; bh=irr2EYlMc/ep40A7KRI/xWi2gREEnIhu2G5hCeO8CLU=; b=T fCfk4e0EN396eUbVOrH0ULWVryoukeqNEcqlz5QS2HXpBrwM99heFQhEMM352iV6 XAioIqwlM6bC2bcJ15QZDtZssrnTAGcrNi3nu0JQPPTg/gHaMcm2YXhbjbcvIdQQ 4+3ZjJ25Umxss9+sYsD2GfoZvAZN93/LREI/kYsX68VNvJdeBwv4W88M+K8GvrLk GhCudBNacqw+ctxx40im2bofmCkHltz0hoFc6VCGvIwgHePd+PRtAT6qflQL54sH rbfRPUaLSDzs1SnGq04bsIi17Eg2y8geLVB1gOhZF3+sb+8P2bG2PY/EzAnSWset u/evqcp9ruAl8Jc+bKtNg== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeekjedgudeglecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeffvghm ihcuofgrrhhivgcuqfgsvghnohhurhcuoeguvghmihesihhnvhhishhisghlvghthhhinh hgshhlrggsrdgtohhmqeenucggtffrrghtthgvrhhnpeejffejgffgueegudevvdejkefg hefghffhffejteekleeufeffteffhfdtudehteenucevlhhushhtvghrufhiiigvpedtne curfgrrhgrmhepmhgrihhlfhhrohhmpeguvghmihesihhnvhhishhisghlvghthhhinhhg shhlrggsrdgtohhm X-ME-Proxy: Feedback-ID: iac594737:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 30 May 2023 16:32:08 -0400 (EDT) From: Demi Marie Obenour To: Jens Axboe , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org Subject: [PATCH v2 12/16] device-mapper: inform caller about already-existing device Date: Tue, 30 May 2023 16:31:12 -0400 Message-Id: <20230530203116.2008-13-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230530203116.2008-1-demi@invisiblethingslab.com> References: <20230530203116.2008-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Not only is this helpful for debugging, it also saves the caller an ioctl in the case where a device should be used if it exists or created otherwise. To ensure existing userspace is not broken, this feature is only enabled in strict mode. Signed-off-by: Demi Marie Obenour --- drivers/md/dm-ioctl.c | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 17ece816d490b6c40d019da131ade44c9a201dab..44425093d3b908abf80e05e1fc9= 9a26b17e18a42 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -256,11 +256,13 @@ static void free_cell(struct hash_cell *hc) } } =20 +static void __dev_status(struct mapped_device *md, struct dm_ioctl *param); + /* * The kdev_t and uuid of a device can never change once it is * initially inserted. */ -static int dm_hash_insert(const char *name, const char *uuid, struct mappe= d_device *md) +static int dm_hash_insert(const char *name, const char *uuid, struct mappe= d_device *md, struct dm_ioctl *param) { struct hash_cell *cell, *hc; =20 @@ -277,6 +279,8 @@ static int dm_hash_insert(const char *name, const char = *uuid, struct mapped_devi down_write(&_hash_lock); hc =3D __get_name_cell(name); if (hc) { + if (param) + __dev_status(hc->md, param); dm_put(hc->md); goto bad; } @@ -287,6 +291,8 @@ static int dm_hash_insert(const char *name, const char = *uuid, struct mapped_devi hc =3D __get_uuid_cell(uuid); if (hc) { __unlink_name(cell); + if (param) + __dev_status(hc->md, param); dm_put(hc->md); goto bad; } @@ -901,12 +907,14 @@ static int dev_create(struct file *filp, struct dm_io= ctl *param, size_t param_si m =3D MINOR(huge_decode_dev(param->dev)); =20 r =3D dm_create(m, &md, param->flags & DM_DISABLE_UEVENTS_FLAG); - if (r) + if (r) { + DMERR("Could not create device-mapper device"); return r; + } =20 param->flags &=3D ~DM_INACTIVE_PRESENT_FLAG; =20 - r =3D dm_hash_insert(param->name, *param->uuid ? param->uuid : NULL, md); + r =3D dm_hash_insert(param->name, *param->uuid ? param->uuid : NULL, md, = param); if (r) { dm_put(md); dm_destroy(md); @@ -2269,7 +2277,6 @@ static int ctl_ioctl(struct file *file, uint command,= struct dm_ioctl __user *us goto out; /* This XOR keeps only the flags validate_params has changed. */ old_flags ^=3D param->flags; - param->data_size =3D sloppy_checks(param) ? offsetof(struct dm_ioctl, dat= a) : sizeof(struct dm_ioctl); r =3D fn(file, param, input_param_size); =20 @@ -2284,9 +2291,14 @@ static int ctl_ioctl(struct file *file, uint command= , struct dm_ioctl __user *us param->flags |=3D old_flags; =20 /* - * Copy the results back to userland. + * Copy the results back to userland if either: + * + * - The ioctl succeeded. + * - The ioctl is DM_DEV_CREATE, the return value is -EBUSY, + * and strict parameter checking is enabled. */ - if (!r && copy_to_user(user, param, param->data_size)) + if ((!r || (!sloppy_checks(param) && cmd =3D=3D DM_DEV_CREATE_CMD && r = =3D=3D -EBUSY)) && + copy_to_user(user, param, param->data_size)) r =3D -EFAULT; =20 out: @@ -2465,7 +2477,7 @@ int __init dm_early_create(struct dm_ioctl *dmi, return r; =20 /* hash insert */ - r =3D dm_hash_insert(dmi->name, *dmi->uuid ? dmi->uuid : NULL, md); + r =3D dm_hash_insert(dmi->name, *dmi->uuid ? dmi->uuid : NULL, md, NULL); if (r) goto err_destroy_dm; =20 --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Wed Nov 27 22:54:16 2024 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0E1FDC7EE24 for ; Tue, 30 May 2023 20:33:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231546AbjE3Udf (ORCPT ); Tue, 30 May 2023 16:33:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55868 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233484AbjE3UdQ (ORCPT ); Tue, 30 May 2023 16:33:16 -0400 Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B48CBE49; Tue, 30 May 2023 13:32:45 -0700 (PDT) Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 6EF803200934; Tue, 30 May 2023 16:32:12 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Tue, 30 May 2023 16:32:13 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685478732; x=1685565132; bh=KqvPH9pDDf rZerL/j1Q0a8RK2jTSm93zECezjcEfZ7Y=; b=CeUdXfyO67/whbrhgac9/avXLW eru7QHUZqMx94QYfPMlVXU+ui+tRFdwVPN9xlP9gICmNJdQalLaUVoS7Zc943wjC sJFZiHqqQBqawmzSq2uS5sj0kejzU2ucPIFyOcLtjPgoyrOKSyZ8v6CejqHwIIVf QhSSQhpepZN1qfTatTXNiFRN45qghiX/endy/GoXyAo4OF5DvAqSC+R4tvUZql/g Twf7nZVK/OZ+O5hzh/GEO/K+xp6lZGqfRa1L4ridR6SwKojehZihM4jei6a9/TkB 0NXGvH2/Oo567MZ7sqO1hRGDy2T5AnJVIsGfHDdoKrXfptumV12qVDqo43kA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685478732; x= 1685565132; bh=KqvPH9pDDfrZerL/j1Q0a8RK2jTSm93zECezjcEfZ7Y=; b=x 1E+gfj51gX0i5a8eh20dla4FZptdVnV/3RIPZB3nB5jAIbu455IAdaMdcicMgN6O 4SBqvYe9KR4Kej10pm88BwhRbA3HJRbxH//tVjialFMNZJrovhqgY1UDyRu1wJcw QHLv45kgxPU7huWf9ipWhx6WsGloc+WqNO4rAhShCMykuP4wA6usnjDEyY/0gRna EhIOGzw6Zx9L9zjSbhcDkSFqBm1jjKHdeYRfdE5UB3scu3hnpjdt5yJterqlZrbv J5cY6BQYk5xcpeviB3QRy1CADT22E0N/XTiASKCzbXfOkz55iiiWUGOl+t2QGjsf 0fnwF/t6q5vZO+QP/5VMg== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeekjedgudeglecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeffvghm ihcuofgrrhhivgcuqfgsvghnohhurhcuoeguvghmihesihhnvhhishhisghlvghthhhinh hgshhlrggsrdgtohhmqeenucggtffrrghtthgvrhhnpeejffejgffgueegudevvdejkefg hefghffhffejteekleeufeffteffhfdtudehteenucevlhhushhtvghrufhiiigvpedvne curfgrrhgrmhepmhgrihhlfhhrohhmpeguvghmihesihhnvhhishhisghlvghthhhinhhg shhlrggsrdgtohhm X-ME-Proxy: Feedback-ID: iac594737:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 30 May 2023 16:32:11 -0400 (EDT) From: Demi Marie Obenour To: Jens Axboe , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org Subject: [PATCH v2 13/16] xen-blkback: Implement diskseq checks Date: Tue, 30 May 2023 16:31:13 -0400 Message-Id: <20230530203116.2008-14-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230530203116.2008-1-demi@invisiblethingslab.com> References: <20230530203116.2008-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" This allows specifying a disk sequence number in XenStore. If it does not match the disk sequence number of the underlying device, the device will not be exported and a warning will be logged. Userspace can use this to eliminate race conditions due to major/minor number reuse. Old kernels do not support the new syntax, but a later patch will allow userspace to discover that the new syntax is supported. Signed-off-by: Demi Marie Obenour --- drivers/block/xen-blkback/xenbus.c | 112 +++++++++++++++++++++++------ 1 file changed, 89 insertions(+), 23 deletions(-) diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback= /xenbus.c index 4807af1d58059394d7a992335dabaf2bc3901721..9c3eb148fbd802c74e626c3d7bc= d69dcb09bd921 100644 --- a/drivers/block/xen-blkback/xenbus.c +++ b/drivers/block/xen-blkback/xenbus.c @@ -24,6 +24,7 @@ struct backend_info { struct xenbus_watch backend_watch; unsigned major; unsigned minor; + unsigned long long diskseq; char *mode; }; =20 @@ -479,7 +480,7 @@ static void xen_vbd_free(struct xen_vbd *vbd) =20 static int xen_vbd_create(struct xen_blkif *blkif, blkif_vdev_t handle, unsigned major, unsigned minor, int readonly, - int cdrom) + bool cdrom, u64 diskseq) { struct xen_vbd *vbd; struct block_device *bdev; @@ -507,6 +508,26 @@ static int xen_vbd_create(struct xen_blkif *blkif, blk= if_vdev_t handle, xen_vbd_free(vbd); return -ENOENT; } + + if (diskseq) { + struct gendisk *disk =3D bdev->bd_disk; + + if (unlikely(disk =3D=3D NULL)) { + pr_err("%s: device %08x has no gendisk\n", + __func__, vbd->pdevice); + xen_vbd_free(vbd); + return -EFAULT; + } + + if (unlikely(disk->diskseq !=3D diskseq)) { + pr_warn("%s: device %08x has incorrect sequence " + "number 0x%llx (expected 0x%llx)\n", + __func__, vbd->pdevice, disk->diskseq, diskseq); + xen_vbd_free(vbd); + return -ENODEV; + } + } + vbd->size =3D vbd_sz(vbd); =20 if (cdrom || disk_to_cdi(vbd->bdev->bd_disk)) @@ -707,6 +728,9 @@ static void backend_changed(struct xenbus_watch *watch, int cdrom =3D 0; unsigned long handle; char *device_type; + char *diskseq_str =3D NULL; + int diskseq_len; + unsigned long long diskseq; =20 pr_debug("%s %p %d\n", __func__, dev, dev->otherend_id); =20 @@ -725,10 +749,46 @@ static void backend_changed(struct xenbus_watch *watc= h, return; } =20 - if (be->major | be->minor) { - if (be->major !=3D major || be->minor !=3D minor) - pr_warn("changing physical device (from %x:%x to %x:%x) not supported.\= n", - be->major, be->minor, major, minor); + diskseq_str =3D xenbus_read(XBT_NIL, dev->nodename, "diskseq", &diskseq_l= en); + if (IS_ERR(diskseq_str)) { + int err =3D PTR_ERR(diskseq_str); + diskseq_str =3D NULL; + + /* + * If this does not exist, it means legacy userspace that does not + * support diskseq. + */ + if (unlikely(!XENBUS_EXIST_ERR(err))) { + xenbus_dev_fatal(dev, err, "reading diskseq"); + return; + } + diskseq =3D 0; + } else if (diskseq_len <=3D 0) { + xenbus_dev_fatal(dev, -EFAULT, "diskseq must not be empty"); + goto fail; + } else if (diskseq_len > 16) { + xenbus_dev_fatal(dev, -ERANGE, "diskseq too long: got %d but limit is 16= ", + diskseq_len); + goto fail; + } else if (diskseq_str[0] =3D=3D '0') { + xenbus_dev_fatal(dev, -ERANGE, "diskseq must not start with '0'"); + goto fail; + } else { + char *diskseq_end; + diskseq =3D simple_strtoull(diskseq_str, &diskseq_end, 16); + if (diskseq_end !=3D diskseq_str + diskseq_len) { + xenbus_dev_fatal(dev, -EINVAL, "invalid diskseq"); + goto fail; + } + kfree(diskseq_str); + diskseq_str =3D NULL; + } + + if (be->major | be->minor | be->diskseq) { + if (be->major !=3D major || be->minor !=3D minor || be->diskseq !=3D dis= kseq) + pr_warn("changing physical device (from %x:%x:%llx to %x:%x:%llx)" + " not supported.\n", + be->major, be->minor, be->diskseq, major, minor, diskseq); return; } =20 @@ -756,29 +816,35 @@ static void backend_changed(struct xenbus_watch *watc= h, =20 be->major =3D major; be->minor =3D minor; + be->diskseq =3D diskseq; =20 err =3D xen_vbd_create(be->blkif, handle, major, minor, - !strchr(be->mode, 'w'), cdrom); - - if (err) - xenbus_dev_fatal(dev, err, "creating vbd structure"); - else { - err =3D xenvbd_sysfs_addif(dev); - if (err) { - xen_vbd_free(&be->blkif->vbd); - xenbus_dev_fatal(dev, err, "creating sysfs entries"); - } - } + !strchr(be->mode, 'w'), cdrom, diskseq); =20 if (err) { - kfree(be->mode); - be->mode =3D NULL; - be->major =3D 0; - be->minor =3D 0; - } else { - /* We're potentially connected now */ - xen_update_blkif_status(be->blkif); + xenbus_dev_fatal(dev, err, "creating vbd structure"); + goto fail; } + + err =3D xenvbd_sysfs_addif(dev); + if (err) { + xenbus_dev_fatal(dev, err, "creating sysfs entries"); + goto free_vbd; + } + + /* We're potentially connected now */ + xen_update_blkif_status(be->blkif); + return; + +free_vbd: + xen_vbd_free(&be->blkif->vbd); +fail: + kfree(diskseq_str); + kfree(be->mode); + be->mode =3D NULL; + be->major =3D 0; + be->minor =3D 0; + be->diskseq =3D 0; } =20 /* --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Wed Nov 27 22:54:16 2024 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 567F5C7EE24 for ; Tue, 30 May 2023 20:34:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233524AbjE3Ud7 (ORCPT ); Tue, 30 May 2023 16:33:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56462 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233533AbjE3Udq (ORCPT ); Tue, 30 May 2023 16:33:46 -0400 Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1141EE68; Tue, 30 May 2023 13:33:19 -0700 (PDT) Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 4714F3200941; Tue, 30 May 2023 16:32:15 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Tue, 30 May 2023 16:32:16 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685478734; x=1685565134; bh=g5zq4E4lPj cpxmqA493MTNjpJWMfGCfLjfMtSBIRfwE=; b=btbUEJhZQrCus6G2cmEF0UCOcj HNQw5o5uoDqCKaQPz1xaoENxf/gqQkjPOKEpiYtWko86dN7B8bAa/1edBnKcRD7G oQ35bPjRiDM3Jv8XO1PvPnA7DMenzs5QntueBspv43BZbVUDcRuKnOjgJrhEm+4R rrkZDloEyf4nIxvooH5WoAn0qyYo1buSox+f90jbf6nqe8FEXeQXhcBszbyjJ0PT OKbXpnhvHop3pjBRjTF1k5EOi6rr3vwj7D2WCRY0I3CPSydA9M5iRpuK60HEX8jy 2JVKqdSSuG8cj0Mk9QjkKkJcPE3ivgkave7ORC7XdxNQ5YP17scWJOh05bXw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685478734; x= 1685565134; bh=g5zq4E4lPjcpxmqA493MTNjpJWMfGCfLjfMtSBIRfwE=; b=H SuVjZAMaB+BwxGijqAt8c9WB79vIciVrFRlLtCOky9UQfMhAcjJT6a0VfxdmETVV 8nEF3+nsP3QXtkVaQ9HylXOplwnBU37jG6FMC+6U3sAiOJR8vllWwxVRB/bJAJGE o8bZWd+Fr97H/XWkQ3GYu4EmvQTHh7b+bAUlYcKH2xBKKmp1xkiy2sC9i429aUhn bZzm0AYgIdeait5fZO9zhL7go84uaGta1a6TuurzUQSKqG7xTdxpGanhw3S6PklV 3SdizlKHz/Q1lWeSqDcVd6A7ngssgCYCwK1H8wUbPyw4kwtT5lUkDxT+HIHKtiXM h1f1eXwlT0CBcdLaEOlRQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeekjedgudeglecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeffvghm ihcuofgrrhhivgcuqfgsvghnohhurhcuoeguvghmihesihhnvhhishhisghlvghthhhinh hgshhlrggsrdgtohhmqeenucggtffrrghtthgvrhhnpeejffejgffgueegudevvdejkefg hefghffhffejteekleeufeffteffhfdtudehteenucevlhhushhtvghrufhiiigvpedvne curfgrrhgrmhepmhgrihhlfhhrohhmpeguvghmihesihhnvhhishhisghlvghthhhinhhg shhlrggsrdgtohhm X-ME-Proxy: Feedback-ID: iac594737:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 30 May 2023 16:32:14 -0400 (EDT) From: Demi Marie Obenour To: Jens Axboe , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org Subject: [PATCH v2 14/16] block, loop: Increment diskseq when releasing a loop device Date: Tue, 30 May 2023 16:31:14 -0400 Message-Id: <20230530203116.2008-15-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230530203116.2008-1-demi@invisiblethingslab.com> References: <20230530203116.2008-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" The previous patch for checking diskseq in blkback is not enough to prevent the following race: 1. Program X opens a loop device 2. Program X gets the diskseq of the loop device. 3. Program X associates a file with the loop device. 4. Program X passes the loop device major, minor, and diskseq to something, such as Xen blkback. 5. Program X exits. 6. Program Y detaches the file from the loop device. 7. Program Y attaches a different file to the loop device. 8. Xen blkback finally gets around to opening the loop device and checks that the diskseq is what it expects it to be. Even though the diskseq is the expected value, the result is that blkback is accessing the wrong file. To prevent this race condition, increment the diskseq of a loop device when it is detached from its file descriptor. This causes blkback (or any other program, for that matter) to fail at step 8. Export the inc_diskseq() function to make this possible. Signed-off-by: Demi Marie Obenour --- I considered destroying the loop device altogether instead of bumping its diskseq, but was not able to accomplish that. Suggestions welcome. --- block/genhd.c | 1 + drivers/block/loop.c | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/block/genhd.c b/block/genhd.c index 1cb489b927d50ab06a84a4bfd6913ca8ba7318d4..c0ca2c387732171321555cd5756= 5fbc606768505 100644 --- a/block/genhd.c +++ b/block/genhd.c @@ -1502,3 +1502,4 @@ void inc_diskseq(struct gendisk *disk) { disk->diskseq =3D atomic64_inc_return(&diskseq); } +EXPORT_SYMBOL(inc_diskseq); diff --git a/drivers/block/loop.c b/drivers/block/loop.c index bc31bb7072a2cb7294d32066f5d0aa14130349b4..05ea5fb41508b4106f184dd6b4c= 37942716bdcac 100644 --- a/drivers/block/loop.c +++ b/drivers/block/loop.c @@ -1205,6 +1205,12 @@ static void __loop_clr_fd(struct loop_device *lo, bo= ol release) if (!part_shift) set_bit(GD_SUPPRESS_PART_SCAN, &lo->lo_disk->state); mutex_lock(&lo->lo_mutex); + + /* + * Increment the disk sequence number, so that userspace knows this + * device now points to something else. + */ + inc_diskseq(lo->lo_disk); lo->lo_state =3D Lo_unbound; mutex_unlock(&lo->lo_mutex); =20 --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Wed Nov 27 22:54:16 2024 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DD67BC7EE24 for ; Tue, 30 May 2023 20:34:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233277AbjE3UeK (ORCPT ); Tue, 30 May 2023 16:34:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56194 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233159AbjE3UeC (ORCPT ); Tue, 30 May 2023 16:34:02 -0400 Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 53C801B3; Tue, 30 May 2023 13:33:27 -0700 (PDT) Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 32CF03200962; Tue, 30 May 2023 16:32:18 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Tue, 30 May 2023 16:32:18 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to; s=fm1; t=1685478737; x=1685565137; bh=1g 7wCby6gdLY4jovUh0//kEDEi26QbSZsUz9aHtBM2E=; b=PTeqRnmYVEq0wVDDJD v2NgZMyQcplu/m14wNSYj0ve2VYJmp8/HYabLKde0hrBjhqPZg+BxcpirBxApwy2 KvE46HYM5wnhC/4Udrw7hIu2L32qAPNxDFZSBSqYYIz8YujdBJci/NpTNo+p53K/ ZP8rfzYLpird6egQYWSHAANqz/RZSLswiBplOl2A/y0OyIu1BxIicwKMkAPHGDmV WessmjZhCG8zKV4Ukgz9PvctwW0ATp+S5OvpXekfubo5VoPLDLWvcXJBYNxtQwjv 35EuDW8XkpOFiyYumD6qGJ1/GAkIvB5AhpkolWi7yQxyzJUOn5vpE8RhOvgoL7fS IUPg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:sender:subject:subject:to:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t= 1685478737; x=1685565137; bh=1g7wCby6gdLY4jovUh0//kEDEi26QbSZsUz 9aHtBM2E=; b=r0rkmSaGTkR2+3ZnA69S5XdEOZnX5eZ1eqBMohYZ6j1pDR1bBh3 P1bQkHb1aiBf1/paYWLWZ6AQv38yySL0NXXisjeAkN/2Fw6/19D61jXb67QHtocH nY2dPHsGsa+vj/j56DVnnMYRzaWKLjV/o+G6vMbtTDRYca8UuWRp7PMHxrv2wb8g cdHne0mqgpSzSUcH6DyBsqFNuKPGlHeL7aPXNEEqKgjzioAq5o9+iWqS12vVJbzI VeUakDmBw1pkRDsIoh9JGCA82dK2Ag5zfwJrLSviRxJc/0zfHHW/oSddQhvVWtM4 21jj9qe9xf4rI1JLfrZVS7uAi/G3uQwtsKw== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeekjedgudeglecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfevufffkffojghfgggtgfesthekredtredtjeenucfhrhhomhepffgv mhhiucforghrihgvucfqsggvnhhouhhruceouggvmhhisehinhhvihhsihgslhgvthhhih hnghhslhgrsgdrtghomheqnecuggftrfgrthhtvghrnhepkeefieekhfdtgeeuueelleeg vdetieehgfejteduvedvvdejudetudelfedukefhnecuffhomhgrihhnpehinhguihhrvg gtthdrnhhrpdhinhguihhrvggtthdrihgunecuvehluhhsthgvrhfuihiivgeptdenucfr rghrrghmpehmrghilhhfrhhomhepuggvmhhisehinhhvihhsihgslhgvthhhihhnghhslh grsgdrtghomh X-ME-Proxy: Feedback-ID: iac594737:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 30 May 2023 16:32:16 -0400 (EDT) From: Demi Marie Obenour To: Jens Axboe , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org Subject: [PATCH v2 15/16] xen-blkback: Minor cleanups Date: Tue, 30 May 2023 16:31:15 -0400 Message-Id: <20230530203116.2008-16-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230530203116.2008-1-demi@invisiblethingslab.com> References: <20230530203116.2008-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This adds a couple of BUILD_BUG_ON()s and moves some arithmetic after the validation code that checks the arithmetic=E2=80=99s preconditions. The previous code was correct but could potentially trip sanitizers that check for unsigned integer wraparound. Signed-off-by: Demi Marie Obenour --- drivers/block/xen-blkback/blkback.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkbac= k/blkback.c index c362f4ad80ab07bfb58caff0ed7da37dc1484fc5..ac760a08d559085ab875784f1c5= 8cdf2ead95a43 100644 --- a/drivers/block/xen-blkback/blkback.c +++ b/drivers/block/xen-blkback/blkback.c @@ -1342,6 +1342,8 @@ static int dispatch_rw_block_io(struct xen_blkif_ring= *ring, nseg =3D req->operation =3D=3D BLKIF_OP_INDIRECT ? req->u.indirect.nr_segments : req->u.rw.nr_segments; =20 + BUILD_BUG_ON(offsetof(struct blkif_request, u.rw.id) !=3D 8); + BUILD_BUG_ON(offsetof(struct blkif_request, u.indirect.id) !=3D 8); if (unlikely(nseg =3D=3D 0 && operation_flags !=3D REQ_PREFLUSH) || unlikely((req->operation !=3D BLKIF_OP_INDIRECT) && (nseg > BLKIF_MAX_SEGMENTS_PER_REQUEST)) || @@ -1365,13 +1367,13 @@ static int dispatch_rw_block_io(struct xen_blkif_ri= ng *ring, preq.sector_number =3D req->u.rw.sector_number; for (i =3D 0; i < nseg; i++) { pages[i]->gref =3D req->u.rw.seg[i].gref; - seg[i].nsec =3D req->u.rw.seg[i].last_sect - - req->u.rw.seg[i].first_sect + 1; - seg[i].offset =3D (req->u.rw.seg[i].first_sect << 9); if ((req->u.rw.seg[i].last_sect >=3D (XEN_PAGE_SIZE >> 9)) || (req->u.rw.seg[i].last_sect < req->u.rw.seg[i].first_sect)) goto fail_response; + seg[i].nsec =3D req->u.rw.seg[i].last_sect - + req->u.rw.seg[i].first_sect + 1; + seg[i].offset =3D (req->u.rw.seg[i].first_sect << 9); preq.nr_sects +=3D seg[i].nsec; } } else { --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab From nobody Wed Nov 27 22:54:16 2024 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8A0B4C7EE23 for ; Tue, 30 May 2023 20:34:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233534AbjE3UeN (ORCPT ); Tue, 30 May 2023 16:34:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56862 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229893AbjE3UeJ (ORCPT ); Tue, 30 May 2023 16:34:09 -0400 Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 50BDDE42; Tue, 30 May 2023 13:33:32 -0700 (PDT) Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.west.internal (Postfix) with ESMTP id 0D022320096E; Tue, 30 May 2023 16:32:20 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Tue, 30 May 2023 16:32:21 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= invisiblethingslab.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; t=1685478740; x=1685565140; bh=gJtXKfjMb5 k3PryJlBFsKsS3ZINd0EksqBFZ4ekKEDw=; b=iSW8ttt26dngYvxurKxiOI2vd1 WHoQ92v7hwye8qiWm/sMzD3pqp5ya8c2OA22dKJKDKSCyzxijZP+Dp144KoNmvpt K8OI+kD4ismX23LXNvkYBIS8haogcvQd7EEZ19u32N/1GOR8sh6VaGOBsVQxw9Bq zrT17xw8paAPsuaett1MoyqWDe6uGCPznnCFymKvWzjN2rUubwy9Ob0uFq6jMg76 gqlN1m7Mc8Mkxu+yjAxvH0vX7/PlJqdVVec52wcaqJpFToYt9AxPY3yOgBt+RjEI aG4fzuzWpC22NKMBxr6O/RMjHdv28qKWfTHlwgkpaOz+BcWrwFwxRmGMeaMg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1685478740; x= 1685565140; bh=gJtXKfjMb5k3PryJlBFsKsS3ZINd0EksqBFZ4ekKEDw=; b=o QbHhAjdGI/824Nl01Pip/x1ESJBxXGnNCUCk4Arc6BskEm0MTh9UC6MZYaR2q79S k1Uqb9Vj1z9f6r5u3H1HVCqm/h4f+Vs2C2I55ZxnoCF18+ZrNegBzgUSduwuENN3 ZelAmC1BB6EziOQZ1m0S4cDcLpBIGrjkaMEsTbam0kd7jHN3XymXk0VF7iAEn4+L g585WZp+QBIJWRDnqGJWJT85ZYmZick+DsS7QTOGtDLjDvulDczBAEFMf2pxjFDZ z70/jIsQbBWGVBj2a0QhQ3776f+UlGOsyvyOBXKD9nxTQaFTHfPjpO3nn2UqnNoO C4Idzu7QZyx3OsqotLhew== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeekjedgudeglecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfevufffkffojghfggfgsedtkeertdertddtnecuhfhrohhmpeffvghm ihcuofgrrhhivgcuqfgsvghnohhurhcuoeguvghmihesihhnvhhishhisghlvghthhhinh hgshhlrggsrdgtohhmqeenucggtffrrghtthgvrhhnpeejffejgffgueegudevvdejkefg hefghffhffejteekleeufeffteffhfdtudehteenucevlhhushhtvghrufhiiigvpedtne curfgrrhgrmhepmhgrihhlfhhrohhmpeguvghmihesihhnvhhishhisghlvghthhhinhhg shhlrggsrdgtohhm X-ME-Proxy: Feedback-ID: iac594737:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 30 May 2023 16:32:19 -0400 (EDT) From: Demi Marie Obenour To: Jens Axboe , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Alasdair Kergon , Mike Snitzer , dm-devel@redhat.com Cc: Demi Marie Obenour , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org Subject: [PATCH v2 16/16] xen-blkback: Inform userspace that device has been opened Date: Tue, 30 May 2023 16:31:16 -0400 Message-Id: <20230530203116.2008-17-demi@invisiblethingslab.com> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230530203116.2008-1-demi@invisiblethingslab.com> References: <20230530203116.2008-1-demi@invisiblethingslab.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Set "opened" to "0" before the hotplug script is called. Once the device node has been opened, set "opened" to "1". "opened" is used exclusively by userspace. It serves two purposes: 1. It tells userspace that the diskseq Xenstore entry is supported. 2. It tells userspace that it can wait for "opened" to be set to 1. Once "opened" is 1, blkback has a reference to the device, so userspace doesn't need to keep one. Together, these changes allow userspace to use block devices with delete-on-close behavior, such as loop devices with the autoclear flag set or device-mapper devices with the deferred-remove flag set. Signed-off-by: Demi Marie Obenour --- drivers/block/xen-blkback/xenbus.c | 35 ++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback= /xenbus.c index 9c3eb148fbd802c74e626c3d7bcd69dcb09bd921..519a78aa9073d1faa1dce5c1b36= e95ae58da534b 100644 --- a/drivers/block/xen-blkback/xenbus.c +++ b/drivers/block/xen-blkback/xenbus.c @@ -3,6 +3,20 @@ Copyright (C) 2005 Rusty Russell Copyright (C) 2005 XenSource Ltd =20 +In addition to the Xenstore nodes required by the Xen block device +specification, this implementation of blkback uses a new Xenstore +node: "opened". blkback sets "opened" to "0" before the hotplug script +is called. Once the device node has been opened, blkback sets "opened" +to "1". + +"opened" is read exclusively by userspace. It serves two purposes: + +1. It tells userspace that diskseq@major:minor syntax for "physical-device= " is + supported. + +2. It tells userspace that it can wait for "opened" to be set to 1 after w= riting + "physical-device". Once "opened" is 1, blkback has a reference to the + device, so userspace doesn't need to keep one. =20 */ =20 @@ -699,6 +713,14 @@ static int xen_blkbk_probe(struct xenbus_device *dev, if (err) pr_warn("%s write out 'max-ring-page-order' failed\n", __func__); =20 + /* + * This informs userspace that the "opened" node will be set to "1" when + * the device has been opened successfully. + */ + err =3D xenbus_write(XBT_NIL, dev->nodename, "opened", "0"); + if (err) + goto fail; + err =3D xenbus_switch_state(dev, XenbusStateInitWait); if (err) goto fail; @@ -826,6 +848,19 @@ static void backend_changed(struct xenbus_watch *watch, goto fail; } =20 + /* + * Tell userspace that the device has been opened and that blkback has a + * reference to it. Userspace can then close the device or mark it as + * delete-on-close, knowing that blkback will keep the device open as + * long as necessary. + */ + err =3D xenbus_write(XBT_NIL, dev->nodename, "opened", "1"); + if (err) { + xenbus_dev_fatal(dev, err, "%s: notifying userspace device has been open= ed", + dev->nodename); + goto free_vbd; + } + err =3D xenvbd_sysfs_addif(dev); if (err) { xenbus_dev_fatal(dev, err, "creating sysfs entries"); --=20 Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab