| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 23 Sep 2016 14:47:55 -0700
From: Sagi Grimberg <sagi@...mberg.me>
To: Al Viro <viro@...IV.linux.org.uk>, Jens Axboe <axboe@...nel.dk>
Cc: linux-block@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [rfc] weirdness in bio_map_user_iov()
Hey Al,
> What happens if we feed it a 3-element iovec array, one page in each?
> AFAICS, bio_add_pc_page() is called for each of those pages, even if
> the previous calls have failed - break is only out of the inner loop.
>
> Sure, failure due to exceeded request size means that everything after
> that one will fail, but what of e.g.
> /*
> * If the queue doesn't support SG gaps and adding this
> * offset would create a gap, disallow it.
> */
> if (bvec_gap_to_prev(q, prev, offset))
> return 0;
> in there? Won't we risk having the first and the third pages added, with
> the second one quietly skipped? Jens, looks like it had come from you
> (by way of jejb). Am I missing something subtle here?
So AFAICT, 'gappy' iovecs will never reach bio_map_user_iov() because it
is checked before in blk_rq_map_user_iov():
if (map_data)
copy = true;
else if (iov_iter_alignment(iter) & align)
copy = true;
else if (queue_virt_boundary(q))
copy = queue_virt_boundary(q) &
iov_iter_gap_alignment(iter);
if iov_iter_gap_alignment(iter) detects gaps it will use
a nice aligned bounce via bio_copy_user_iov().
Powered by blists - more mailing lists