mm: replace access_remote_vm() write parameter with gup_flags

commit 6347e8d5bcce33fc36e651901efefbe2c93a43ef upstream.

This removes the 'write' argument from access_remote_vm() and replaces
it with 'gup_flags' as use of this function previously silently implied
FOLL_FORCE, whereas after this patch callers explicitly pass this flag.

We make this explicit as use of FOLL_FORCE can result in surprising
behaviour (and hence bugs) within the mm subsystem.

Signed-off-by: Lorenzo Stoakes <lstoakes@gmail.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 4beed301e2245d4e6dce35e067cbda4150631b88..445c42b2ec615673bf9de6c843c896ba2c06489a 100644 (file)
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -254,7 +254,7 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf,
         * Inherently racy -- command line shares address space
         * with code and data.
         */
-       rv = access_remote_vm(mm, arg_end - 1, &c, 1, 0);
+       rv = access_remote_vm(mm, arg_end - 1, &c, 1, FOLL_FORCE);
        if (rv <= 0)
                goto out_free_page;
 
@@ -272,7 +272,8 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf,
                        int nr_read;
 
                        _count = min3(count, len, PAGE_SIZE);
-                       nr_read = access_remote_vm(mm, p, page, _count, 0);
+                       nr_read = access_remote_vm(mm, p, page, _count,
+                                       FOLL_FORCE);
                        if (nr_read < 0)
                                rv = nr_read;
                        if (nr_read <= 0)
@@ -307,7 +308,8 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf,
                        bool final;
 
                        _count = min3(count, len, PAGE_SIZE);
-                       nr_read = access_remote_vm(mm, p, page, _count, 0);
+                       nr_read = access_remote_vm(mm, p, page, _count,
+                                       FOLL_FORCE);
                        if (nr_read < 0)
                                rv = nr_read;
                        if (nr_read <= 0)
@@ -356,7 +358,8 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf,
                        bool final;
 
                        _count = min3(count, len, PAGE_SIZE);
-                       nr_read = access_remote_vm(mm, p, page, _count, 0);
+                       nr_read = access_remote_vm(mm, p, page, _count,
+                                       FOLL_FORCE);
                        if (nr_read < 0)
                                rv = nr_read;
                        if (nr_read <= 0)
@@ -868,6 +871,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
        unsigned long addr = *ppos;
        ssize_t copied;
        char *page;
+       unsigned int flags = FOLL_FORCE;
 
        if (!mm)
                return 0;
@@ -880,6 +884,9 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
        if (!atomic_inc_not_zero(&mm->mm_users))
                goto free;
 
+       if (write)
+               flags |= FOLL_WRITE;
+
        while (count > 0) {
                int this_len = min_t(int, count, PAGE_SIZE);
 
@@ -888,7 +895,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
                        break;
                }
 
-               this_len = access_remote_vm(mm, addr, page, this_len, write);
+               this_len = access_remote_vm(mm, addr, page, this_len, flags);
                if (!this_len) {
                        if (!copied)
                                copied = -EIO;
@@ -1001,7 +1008,7 @@ static ssize_t environ_read(struct file *file, char __user *buf,
                this_len = min(max_len, this_len);
 
                retval = access_remote_vm(mm, (env_start + src),
-                       page, this_len, 0);
+                       page, this_len, FOLL_FORCE);
 
                if (retval <= 0) {
                        ret = retval;

diff --git a/include/linux/mm.h b/include/linux/mm.h
index d1cfd3657cce796b6dfcceb09d93fd1ebe3e4e2f..9a0716e900b5c9bb2d0c503ed5fe9bbad0d70839 100644 (file)
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1191,7 +1191,7 @@ static inline int fixup_user_fault(struct task_struct *tsk,
 
 extern int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, int len, int write);
 extern int access_remote_vm(struct mm_struct *mm, unsigned long addr,
-               void *buf, int len, int write);
+               void *buf, int len, unsigned int gup_flags);
 
 long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
                      unsigned long start, unsigned long nr_pages,

diff --git a/mm/memory.c b/mm/memory.c
index 1a0d727687d0a176ff199c7c9adff27d64e6aa2f..fa752df6dc857ac144e5165b174c0848135ab5d1 100644 (file)
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3777,19 +3777,14 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
  * @addr:      start address to access
  * @buf:       source or destination buffer
  * @len:       number of bytes to transfer
- * @write:     whether the access is a write
+ * @gup_flags: flags modifying lookup behaviour
  *
  * The caller must hold a reference on @mm.
  */
 int access_remote_vm(struct mm_struct *mm, unsigned long addr,
-               void *buf, int len, int write)
+               void *buf, int len, unsigned int gup_flags)
 {
-       unsigned int flags = FOLL_FORCE;
-
-       if (write)
-               flags |= FOLL_WRITE;
-
-       return __access_remote_vm(NULL, mm, addr, buf, len, flags);
+       return __access_remote_vm(NULL, mm, addr, buf, len, gup_flags);
 }
 
 /*

diff --git a/mm/nommu.c b/mm/nommu.c
index 6ffc6be4344f8c6787a2271ac119463f6241383a..2360546db065edaae9cf70491c91b09ce8a5b123 100644 (file)
--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -1967,15 +1967,14 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
  * @addr:      start address to access
  * @buf:       source or destination buffer
  * @len:       number of bytes to transfer
- * @write:     whether the access is a write
+ * @gup_flags: flags modifying lookup behaviour
  *
  * The caller must hold a reference on @mm.
  */
 int access_remote_vm(struct mm_struct *mm, unsigned long addr,
-               void *buf, int len, int write)
+               void *buf, int len, unsigned int gup_flags)
 {
-       return __access_remote_vm(NULL, mm, addr, buf, len,
-                       write ? FOLL_WRITE : 0);
+       return __access_remote_vm(NULL, mm, addr, buf, len, gup_flags);
 }
 
 /*