On Mon, Dec 8, 2014 at 10:20 AM, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
>
> I certainly had missed that insanity during the analysis - we don't do
> a lot of O_DIRECT IO to/from kernel addresses of any sort... This
> codepath allows it ;-/ Ability to trigger it is equivalent to ability
> to run any code in kernel mode, so it's not an additional security hole,
> but...
Is there any chance we could just return EINVAL for this case?
Who does O_DIRECT on module load anyway? If this is only for
finit_module(), that uses "kernel_read()", and maybe we could just
make sure that the kernel_read() function never ever uses the
direct-IO paths?
[ Time passes, I look at the code ]
Oh crap. So the reason it triggers seems to be that we basically get a
random file descriptor that we didn't open, and then we have
vfs_read() ->
xfs_file_operations->read() ->
ew_sync_read() ->
xfs_file_operations->read_iter()
xfs_file_read_iter()
and we are stuck with this iterator that really just wants to do copies.
How about we make "kernel_read()" just clear O_DIRECT? Does that fix
it to just use copies?
Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
