[PATCH] dax: explain how read(2)/write(2) addresses are validated

From: Ross Zwisler
Date: Wed Aug 16 2017 - 13:36:40 EST


Add a comment explaining how the user addresses provided to read(2) and
write(2) are validated in the DAX I/O path. We call dax_copy_from_iter()
or copy_to_iter() on these without calling access_ok() first in the DAX
code, and there was a concern that the user might be able to read/write to
arbitrary kernel addresses with this path.

Signed-off-by: Ross Zwisler <ross.zwisler@xxxxxxxxxxxxxxx>
---

Adding a comment instead of adding redundant access_ok() calls in the DAX
code. If this is the wrong path to take, please let me know.

fs/dax.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/fs/dax.c b/fs/dax.c
index 8c67517..2d50f32 100644
--- a/fs/dax.c
+++ b/fs/dax.c
@@ -1060,6 +1060,11 @@ dax_iomap_actor(struct inode *inode, loff_t pos, loff_t length, void *data,
if (map_len > end - pos)
map_len = end - pos;

+ /*
+ * The userspace address for the memory copy has already been
+ * validated via access_ok() in either vfs_read() or
+ * vfs_write(), depending on which operation we are doing.
+ */
if (iov_iter_rw(iter) == WRITE)
map_len = dax_copy_from_iter(dax_dev, pgoff, kaddr,
map_len, iter);
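Review bot: the comment added above the iov_iter_rw(iter) == WRITE test names vfs_read() and vfs_write() as the places where access_ok() ran, but the copy on the next lines operates on whatever iov_iter the caller built, so the wording will go stale if dax_iomap_actor() is ever reached through a different entry point. Stating the invariant rather than the call site would be more durable, e.g. "The iov_iter passed in was validated (access_ok()) by whoever constructed it on the read/write syscall path; no further user-address checks are needed here." It also helps to say explicitly that this is why no access_ok() call appears in the DAX code, since that absence is exactly what prompted the concern the commit message describes.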
--
2.9.5