From: Brian Foster <bfoster@redhat.com>
To: linux-bcachefs@vger.kernel.org
Subject: [PATCH v2] bcachefs: fix iov_iter count underflow on sub-block dio read
Date: Thu, 15 Feb 2024 12:16:05 -0500 [thread overview]
Message-ID: <20240215171605.162107-1-bfoster@redhat.com> (raw)
bch2_direct_IO_read() checks the request offset and size for sector
alignment and then falls through to a couple calculations to shrink
the size of the request based on the inode size. The problem is that
these checks round up to the fs block size, which runs the risk of
underflowing iter->count if the block size happens to be large
enough. This is triggered by fstest generic/361 with a 4k block
size, which subsequently leads to a crash. To avoid this crash,
check that the shorten length doesn't exceed the overall length of
the iter.
Signed-off-by: Brian Foster <bfoster@redhat.com>
---
Ok, I think Su expressed preference for this variant over v1. I'm off
for a bit after today so I'm throwing this up onto CI in the event that
we'd like to at least get the crash problem fixed. If there's more to
look into here, let me know and I'll add it to the todo list after I'm
back..
Brian
v2:
- Check for underflow instead of removing shorten entirely.
v1: https://lore.kernel.org/linux-bcachefs/20240205154814.910664-1-bfoster@redhat.com/
fs/bcachefs/fs-io-direct.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/bcachefs/fs-io-direct.c b/fs/bcachefs/fs-io-direct.c
index e3b219e19e10..33cb6da3a5ad 100644
--- a/fs/bcachefs/fs-io-direct.c
+++ b/fs/bcachefs/fs-io-direct.c
@@ -88,6 +88,8 @@ static int bch2_direct_IO_read(struct kiocb *req, struct iov_iter *iter)
return ret;
shorten = iov_iter_count(iter) - round_up(ret, block_bytes(c));
+ if (shorten >= iter->count)
+ shorten = 0;
iter->count -= shorten;
bio = bio_alloc_bioset(NULL,
--
2.42.0
next reply other threads:[~2024-02-15 17:14 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-15 17:16 Brian Foster [this message]
2024-02-15 23:58 ` [PATCH v2] bcachefs: fix iov_iter count underflow on sub-block dio read Su Yue
2024-02-16 0:14 ` Kent Overstreet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240215171605.162107-1-bfoster@redhat.com \
--to=bfoster@redhat.com \
--cc=linux-bcachefs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).