Re: [PATCHSET 0/2] Fix splice from random/urandom

From: Jens Axboe
Date: Thu May 19 2022 - 17:02:38 EST

Next message: Namhyung Kim: "Re: [PATCH 3/6] perf record: Implement basic filtering for off-cpu"
Previous message: Jacob Pan: "Re: [PATCH v3 1/4] iommu/vt-d: Implement domain ops for attach_dev_pasid"
In reply to: Jens Axboe: "Re: [PATCHSET 0/2] Fix splice from random/urandom"
Next in thread: Jason A. Donenfeld: "Re: [PATCHSET 0/2] Fix splice from random/urandom"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 5/19/22 2:49 PM, Jens Axboe wrote:
> On 5/19/22 2:05 PM, Jason A. Donenfeld wrote:
>> Hi Jens,
>>
>> On Thu, May 19, 2022 at 01:31:31PM -0600, Jens Axboe wrote:
>>> Hi,
>>>
>>> We recently had a failure on a kernel upgrade because splice no longer
>>> works on random/urandom. This is due to:
>>>
>>> 6e2c7421f02 ("fs: don't allow splice read/write without explicit ops")
>>
>> Thanks for this. I'd noticed this a few months ago and assumed it has
>> just always been that way, and hadn't gotten to looking at what was up.
>>
>> I'll take a look at these patches in detail when I'm home in a few
>> hours, but one thing maybe you can answer more easily than my digging
>> is:
>
> Sounds good, thanks!
>
>> There's a lot of attention in random.c devoted to not leaving any output
>> around on the stack or in stray buffers. The explicit use of
>> copy_to_user() makes it clear that the output isn't being copied
>> anywhere other than what's the user's responsibility to cleanup. I'm
>> wondering if the switch to copy_to_iter() introduces any buffering or
>> gotchas that you might be aware of.
>
> No, it's just a wrapper around copying to the user memory pointed to by
> the iov_iter. No extra buffering or anything like that. So I think it
> should be fine in that respect, and it actually cleans up the code a bit
> imho since the copy_to_iter() since the return value of "bytes copied"
> is easier to work with than the "bytes not copied".
>
>> Also you may need to rebase this on the random.git tree at
>> https://git.kernel.org/pub/scm/linux/kernel/git/crng/random.git
>
> OK, I will rebase it on that branch, not a problem.

Rebased patches attached, you can also find them here:

https://git.kernel.dk/cgit/linux-block/log/?h=random-splice

Did some basic sanity checking (and with splice too), and seems fine
rebased as well.

--
Jens Axboe
From fd673dac9f7c905d95cbe334cc7519fb36ede678 Mon Sep 17 00:00:00 2001
From: Jens Axboe <axboe@xxxxxxxxx>
Date: Thu, 19 May 2022 13:26:55 -0600
Subject: [PATCH 2/2] random: wire up fops->splice_read_iter()

Now that random/urandom is using read_iter, we can wire it up to using
the generic splice read handler.

Fixes: 36e2c7421f02 ("fs: don't allow splice read/write without explicit ops")
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
---
drivers/char/random.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/char/random.c b/drivers/char/random.c
index 147921d471d8..892513fb7479 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1415,6 +1415,7 @@ const struct file_operations random_fops = {
.compat_ioctl = compat_ptr_ioctl,
.fasync = random_fasync,
.llseek = noop_llseek,
+ .splice_read = generic_file_splice_read,
};

const struct file_operations urandom_fops = {
@@ -1424,6 +1425,7 @@ const struct file_operations urandom_fops = {
.compat_ioctl = compat_ptr_ioctl,
.fasync = random_fasync,
.llseek = noop_llseek,
+ .splice_read = generic_file_splice_read,
};

--
2.35.1

From c65f0221b72173c19398884f3f49ef775e2c668f Mon Sep 17 00:00:00 2001
From: Jens Axboe <axboe@xxxxxxxxx>
Date: Thu, 19 May 2022 14:55:37 -0600
Subject: [PATCH 1/2] random: convert to using fops->read_iter()

This is a pre-requisite to writing up splice() again for the random
and urandom drivers.

Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
---
drivers/char/random.c | 39 +++++++++++++++++++--------------------
1 file changed, 19 insertions(+), 20 deletions(-)

diff --git a/drivers/char/random.c b/drivers/char/random.c
index 0958fa91a964..147921d471d8 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -397,11 +397,12 @@ void get_random_bytes(void *buf, size_t len)
}
EXPORT_SYMBOL(get_random_bytes);

-static ssize_t get_random_bytes_user(void __user *ubuf, size_t len)
+static ssize_t get_random_bytes_user(struct iov_iter *to)
{
- size_t block_len, left, ret = 0;
+ size_t block_len, ret = 0;
u32 chacha_state[CHACHA_STATE_WORDS];
u8 output[CHACHA_BLOCK_SIZE];
+ size_t len = iov_iter_count(to);

if (!len)
return 0;
@@ -418,7 +419,7 @@ static ssize_t get_random_bytes_user(void __user *ubuf, size_t len)
* the user directly.
*/
if (len <= CHACHA_KEY_SIZE) {
- ret = len - copy_to_user(ubuf, &chacha_state[4], len);
+ ret = copy_to_iter(&chacha_state[4], len, to);
goto out_zero_chacha;
}

@@ -428,17 +429,12 @@ static ssize_t get_random_bytes_user(void __user *ubuf, size_t len)
++chacha_state[13];

block_len = min_t(size_t, len, CHACHA_BLOCK_SIZE);
- left = copy_to_user(ubuf, output, block_len);
- if (left) {
- ret += block_len - left;
+ block_len = copy_to_iter(output, block_len, to);
+ if (!block_len)
break;
- }

- ubuf += block_len;
ret += block_len;
len -= block_len;
- if (!len)
- break;

BUILD_BUG_ON(PAGE_SIZE % CHACHA_BLOCK_SIZE != 0);
if (ret % PAGE_SIZE == 0) {
@@ -1248,6 +1244,9 @@ static void __cold try_to_generate_entropy(void)

SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags)
{
+ struct iovec iov = { .iov_base = ubuf };
+ struct iov_iter iter;
+
if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE))
return -EINVAL;

@@ -1270,7 +1269,9 @@ SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, len, unsigned int, flags
if (unlikely(ret))
return ret;
}
- return get_random_bytes_user(ubuf, len);
+ iov.iov_len = len;
+ iov_iter_init(&iter, READ, &iov, 1, len);
+ return get_random_bytes_user(&iter);
}

static __poll_t random_poll(struct file *file, poll_table *wait)
@@ -1314,8 +1315,7 @@ static ssize_t random_write(struct file *file, const char __user *ubuf,
return (ssize_t)len;
}

-static ssize_t urandom_read(struct file *file, char __user *ubuf,
- size_t len, loff_t *ppos)
+static ssize_t urandom_read_iter(struct kiocb *kiocb, struct iov_iter *to)
{
static int maxwarn = 10;

@@ -1332,22 +1332,21 @@ static ssize_t urandom_read(struct file *file, char __user *ubuf,
else if (ratelimit_disable || __ratelimit(&urandom_warning)) {
--maxwarn;
pr_notice("%s: uninitialized urandom read (%zd bytes read)\n",
- current->comm, len);
+ current->comm, iov_iter_count(to));
}
}

- return get_random_bytes_user(ubuf, len);
+ return get_random_bytes_user(to);
}

-static ssize_t random_read(struct file *file, char __user *ubuf,
- size_t len, loff_t *ppos)
+static ssize_t random_read_iter(struct kiocb *kiocb, struct iov_iter *to)
{
int ret;

ret = wait_for_random_bytes();
if (ret != 0)
return ret;
- return get_random_bytes_user(ubuf, len);
+ return get_random_bytes_user(to);
}

static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
@@ -1409,7 +1408,7 @@ static int random_fasync(int fd, struct file *filp, int on)
}

const struct file_operations random_fops = {
- .read = random_read,
+ .read_iter = random_read_iter,
.write = random_write,
.poll = random_poll,
.unlocked_ioctl = random_ioctl,
@@ -1419,7 +1418,7 @@ const struct file_operations random_fops = {
};

const struct file_operations urandom_fops = {
- .read = urandom_read,
+ .read_iter = urandom_read_iter,
.write = random_write,
.unlocked_ioctl = random_ioctl,
.compat_ioctl = compat_ptr_ioctl,
--
2.35.1

Next message: Namhyung Kim: "Re: [PATCH 3/6] perf record: Implement basic filtering for off-cpu"
Previous message: Jacob Pan: "Re: [PATCH v3 1/4] iommu/vt-d: Implement domain ops for attach_dev_pasid"
In reply to: Jens Axboe: "Re: [PATCHSET 0/2] Fix splice from random/urandom"
Next in thread: Jason A. Donenfeld: "Re: [PATCHSET 0/2] Fix splice from random/urandom"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]