| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 10 Jun 2022 03:03:58 +0800
From: Gao Xiang <xiang@...nel.org>
To: David Howells <dhowells@...hat.com>
Cc: jlayton@...nel.org, Alexander Viro <viro@...iv.linux.org.uk>,
Dominique Martinet <asmadeus@...ewreck.org>,
Mike Marshall <hubcap@...ibond.com>,
Gao Xiang <xiang@...nel.org>, linux-afs@...ts.infradead.org,
v9fs-developer@...ts.sourceforge.net, devel@...ts.orangefs.org,
linux-erofs@...ts.ozlabs.org, linux-cachefs@...hat.com,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] iov_iter: Fix iter_xarray_get_pages{,_alloc}()
On Thu, Jun 09, 2022 at 09:07:01AM +0100, David Howells wrote:
> The maths at the end of iter_xarray_get_pages() to calculate the actual
> size doesn't work under some circumstances, such as when it's been asked to
> extract a partial single page. Various terms of the equation cancel out
> and you end up with actual == offset. The same issue exists in
> iter_xarray_get_pages_alloc().
>
> Fix these to just use min() to select the lesser amount from between the
> amount of page content transcribed into the buffer, minus the offset, and
> the size limit specified.
>
> This doesn't appear to have caused a problem yet upstream because network
> filesystems aren't getting the pages from an xarray iterator, but rather
> passing it directly to the socket, which just iterates over it. Cachefiles
> *does* do DIO from one to/from ext4/xfs/btrfs/etc. but it always asks for
> whole pages to be written or read.
>
> Fixes: 7ff5062079ef ("iov_iter: Add ITER_XARRAY")
> Reported-by: Jeff Layton <jlayton@...nel.org>
> Signed-off-by: David Howells <dhowells@...hat.com>
> cc: Alexander Viro <viro@...iv.linux.org.uk>
> cc: Dominique Martinet <asmadeus@...ewreck.org>
> cc: Mike Marshall <hubcap@...ibond.com>
> cc: Gao Xiang <xiang@...nel.org>
> cc: linux-afs@...ts.infradead.org
> cc: v9fs-developer@...ts.sourceforge.net
> cc: devel@...ts.orangefs.org
> cc: linux-erofs@...ts.ozlabs.org
> cc: linux-cachefs@...hat.com
> cc: linux-fsdevel@...r.kernel.org
Looks good to me,
Reviewed-by: Gao Xiang <xiang@...nel.org>
Thanks,
Gao Xiang
> ---
>
> lib/iov_iter.c | 20 ++++----------------
> 1 file changed, 4 insertions(+), 16 deletions(-)
>
> diff --git a/lib/iov_iter.c b/lib/iov_iter.c
> index 834e1e268eb6..814f65fd0c42 100644
> --- a/lib/iov_iter.c
> +++ b/lib/iov_iter.c
> @@ -1434,7 +1434,7 @@ static ssize_t iter_xarray_get_pages(struct iov_iter *i,
> {
> unsigned nr, offset;
> pgoff_t index, count;
> - size_t size = maxsize, actual;
> + size_t size = maxsize;
> loff_t pos;
>
> if (!size || !maxpages)
> @@ -1461,13 +1461,7 @@ static ssize_t iter_xarray_get_pages(struct iov_iter *i,
> if (nr == 0)
> return 0;
>
> - actual = PAGE_SIZE * nr;
> - actual -= offset;
> - if (nr == count && size > 0) {
> - unsigned last_offset = (nr > 1) ? 0 : offset;
> - actual -= PAGE_SIZE - (last_offset + size);
> - }
> - return actual;
> + return min(nr * PAGE_SIZE - offset, maxsize);
> }
>
> /* must be done on non-empty ITER_IOVEC one */
> @@ -1602,7 +1596,7 @@ static ssize_t iter_xarray_get_pages_alloc(struct iov_iter *i,
> struct page **p;
> unsigned nr, offset;
> pgoff_t index, count;
> - size_t size = maxsize, actual;
> + size_t size = maxsize;
> loff_t pos;
>
> if (!size)
> @@ -1631,13 +1625,7 @@ static ssize_t iter_xarray_get_pages_alloc(struct iov_iter *i,
> if (nr == 0)
> return 0;
>
> - actual = PAGE_SIZE * nr;
> - actual -= offset;
> - if (nr == count && size > 0) {
> - unsigned last_offset = (nr > 1) ? 0 : offset;
> - actual -= PAGE_SIZE - (last_offset + size);
> - }
> - return actual;
> + return min(nr * PAGE_SIZE - offset, maxsize);
> }
>
> ssize_t iov_iter_get_pages_alloc(struct iov_iter *i,
>
>
Powered by blists - more mailing lists