Commit 4385eba0 authored Mar 26, 2025 by Jens Axboe Committed by Zheng Qixing Mar 26, 2025

block: don't revert iter for -EIOCBQUEUED

stable inclusion
from stable-v6.6.78
commit 84671b0630ccb46ae9f1f99a45c7d63ffcd6a474
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBRECT
CVE: CVE-2025-21832

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=84671b0630ccb46ae9f1f99a45c7d63ffcd6a474



------------------

commit b13ee668e8280ca5b07f8ce2846b9957a8a10853 upstream.

blkdev_read_iter() has a few odd checks, like gating the position and
count adjustment on whether or not the result is bigger-than-or-equal to
zero (where bigger than makes more sense), and not checking the return
value of blkdev_direct_IO() before doing an iov_iter_revert(). The
latter can lead to attempting to revert with a negative value, which
when passed to iov_iter_revert() as an unsigned value will lead to
throwing a WARN_ON() because unroll is bigger than MAX_RW_COUNT.

Be sane and don't revert for -EIOCBQUEUED, like what is done in other
spots.

Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>

parent 045e2df9

block/fops.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -730,10 +730,11 @@ static ssize_t blkdev_read_iter(struct kiocb iocb, struct iov_iter to)
		file_accessed(iocb->ki_filp);

		ret = blkdev_direct_IO(iocb, to);
		if (ret >= 0) {
		if (ret > 0) {
		iocb->ki_pos += ret;
		count -= ret;
		}
		if (ret != -EIOCBQUEUED)
		iov_iter_revert(to, count - iov_iter_count(to));
		if (ret < 0 \|\| !count)
		goto reexpand;