[thirdparty/kernel/stable-queue.git] / releases / 4.14.93 / dm-verity-fix-crash-on-bufio-buffer-that-was-allocated-with-vmalloc.patch

From e4b069e0945fa14c71cf8b5b89f8b1b2aa68dbc2 Mon Sep 17 00:00:00 2001
From: Mikulas Patocka <mpatocka@redhat.com>
Date: Wed, 22 Aug 2018 12:45:51 -0400
Subject: dm verity: fix crash on bufio buffer that was allocated with vmalloc

From: Mikulas Patocka <mpatocka@redhat.com>

commit e4b069e0945fa14c71cf8b5b89f8b1b2aa68dbc2 upstream.

Since commit d1ac3ff008fb ("dm verity: switch to using asynchronous hash
crypto API") dm-verity uses asynchronous crypto calls for verification,
so that it can use hardware with asynchronous processing of crypto
operations.

These asynchronous calls don't support vmalloc memory, but the buffer data
can be allocated with vmalloc if dm-bufio is short of memory and uses a
reserved buffer that was preallocated in dm_bufio_client_create().

Fix verity_hash_update() so that it deals with vmalloc'd memory
correctly.

Reported-by: "Xiao, Jin" <jin.xiao@intel.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Fixes: d1ac3ff008fb ("dm verity: switch to using asynchronous hash crypto API")
Cc: stable@vger.kernel.org # 4.12+
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Acked-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-verity-target.c |   24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -139,10 +139,26 @@ static int verity_hash_update(struct dm_
 {
 	struct scatterlist sg;
 
-	sg_init_one(&sg, data, len);
-	ahash_request_set_crypt(req, &sg, NULL, len);
-
-	return verity_complete_op(res, crypto_ahash_update(req));
+	if (likely(!is_vmalloc_addr(data))) {
+		sg_init_one(&sg, data, len);
+		ahash_request_set_crypt(req, &sg, NULL, len);
+		return verity_complete_op(res, crypto_ahash_update(req));
+	} else {
+		do {
+			int r;
+			size_t this_step = min_t(size_t, len, PAGE_SIZE - offset_in_page(data));
+			flush_kernel_vmap_range((void *)data, this_step);
+			sg_init_table(&sg, 1);
+			sg_set_page(&sg, vmalloc_to_page(data), this_step, offset_in_page(data));
+			ahash_request_set_crypt(req, &sg, NULL, this_step);
+			r = verity_complete_op(res, crypto_ahash_update(req));
+			if (unlikely(r))
+				return r;
+			data += this_step;
+			len -= this_step;
+		} while (len);
+		return 0;
+	}
 }
 
 /*
Commit	Line	Data
1668d1b8 GKH	1	From e4b069e0945fa14c71cf8b5b89f8b1b2aa68dbc2 Mon Sep 17 00:00:00 2001
	2	From: Mikulas Patocka <mpatocka@redhat.com>
	3	Date: Wed, 22 Aug 2018 12:45:51 -0400
	4	Subject: dm verity: fix crash on bufio buffer that was allocated with vmalloc
	5
	6	From: Mikulas Patocka <mpatocka@redhat.com>
	7
	8	commit e4b069e0945fa14c71cf8b5b89f8b1b2aa68dbc2 upstream.
	9
	10	Since commit d1ac3ff008fb ("dm verity: switch to using asynchronous hash
	11	crypto API") dm-verity uses asynchronous crypto calls for verification,
	12	so that it can use hardware with asynchronous processing of crypto
	13	operations.
	14
	15	These asynchronous calls don't support vmalloc memory, but the buffer data
	16	can be allocated with vmalloc if dm-bufio is short of memory and uses a
	17	reserved buffer that was preallocated in dm_bufio_client_create().
	18
	19	Fix verity_hash_update() so that it deals with vmalloc'd memory
	20	correctly.
	21
	22	Reported-by: "Xiao, Jin" <jin.xiao@intel.com>
	23	Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
	24	Fixes: d1ac3ff008fb ("dm verity: switch to using asynchronous hash crypto API")
	25	Cc: stable@vger.kernel.org # 4.12+
	26	Signed-off-by: Mike Snitzer <snitzer@redhat.com>
	27	Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
	28	Acked-by: Mikulas Patocka <mpatocka@redhat.com>
	29	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	30	---
	31	drivers/md/dm-verity-target.c \| 24 ++++++++++++++++++++----
	32	1 file changed, 20 insertions(+), 4 deletions(-)
	33
	34	--- a/drivers/md/dm-verity-target.c
	35	+++ b/drivers/md/dm-verity-target.c
	36	@@ -139,10 +139,26 @@ static int verity_hash_update(struct dm_
	37	{
	38	struct scatterlist sg;
	39
	40	- sg_init_one(&sg, data, len);
	41	- ahash_request_set_crypt(req, &sg, NULL, len);
	42	-
	43	- return verity_complete_op(res, crypto_ahash_update(req));
	44	+ if (likely(!is_vmalloc_addr(data))) {
	45	+ sg_init_one(&sg, data, len);
	46	+ ahash_request_set_crypt(req, &sg, NULL, len);
	47	+ return verity_complete_op(res, crypto_ahash_update(req));
	48	+ } else {
	49	+ do {
	50	+ int r;
	51	+ size_t this_step = min_t(size_t, len, PAGE_SIZE - offset_in_page(data));
	52	+ flush_kernel_vmap_range((void *)data, this_step);
	53	+ sg_init_table(&sg, 1);
	54	+ sg_set_page(&sg, vmalloc_to_page(data), this_step, offset_in_page(data));
	55	+ ahash_request_set_crypt(req, &sg, NULL, this_step);
	56	+ r = verity_complete_op(res, crypto_ahash_update(req));
	57	+ if (unlikely(r))
	58	+ return r;
	59	+ data += this_step;
	60	+ len -= this_step;
	61	+ } while (len);
	62	+ return 0;
	63	+ }
	64	}
65
66	/*