dlm: add usercopy whitelist to dlm_cb cache

The dlm_cb slab cache is created with kmem_cache_create(), which
provides no usercopy whitelist. When a callback carries LVB data,
dlm_user_add_ast() copies the LVB into the inline lvbptr[] array within
the slab-allocated struct dlm_callback and redirects ua->lksb.sb_lvbptr
to point to it. copy_result_to_user() then calls copy_to_user() with
this pointer. With CONFIG_HARDENED_USERCOPY enabled, this triggers
usercopy_abort().

Switch to kmem_cache_create_usercopy() with a whitelist covering the
lvbptr field.

Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>
Acked-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: David Teigland <teigland@redhat.com>

diff --git a/fs/dlm/memory.c b/fs/dlm/memory.c
index 5c35cc67aca4c4dd4d3725ff108f99027a69d876..ee55994ce90d8719ccb4f1221fb3e5ba2c83c7e1 100644 (file)
--- a/fs/dlm/memory.c
+++ b/fs/dlm/memory.c
@@ -48,8 +48,10 @@ int __init dlm_memory_init(void)
        if (!rsb_cache)
                goto rsb;
 
-       cb_cache = kmem_cache_create("dlm_cb", sizeof(struct dlm_callback),
+       cb_cache = kmem_cache_create_usercopy("dlm_cb", sizeof(struct dlm_callback),
                                     __alignof__(struct dlm_callback), 0,
+                                        offsetof(struct dlm_callback, lvbptr),
+                                        sizeof_field(struct dlm_callback, lvbptr),
                                     NULL);
        if (!cb_cache)
                goto cb;