Commit 51eecfe8 authored Dec 02, 2024 by Trond Myklebust Committed by Kaixiong Yu Dec 02, 2024

filemap: Fix bounds checking in filemap_read()

stable inclusion
from stable-v6.6.61
commit a2746ab3bbc9c6408da5cd072653ec8c24749235
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5AUF
CVE: CVE-2024-50272

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a2746ab3bbc9c6408da5cd072653ec8c24749235



--------------------------------

commit ace149e0830c380ddfce7e466fe860ca502fe4ee upstream.

If the caller supplies an iocb->ki_pos value that is close to the
filesystem upper limit, and an iterator with a count that causes us to
overflow that limit, then filemap_read() enters an infinite loop.

This behaviour was discovered when testing xfstests generic/525 with the
"localio" optimisation for loopback NFS mounts.

Reported-by: Mike Snitzer <snitzer@kernel.org>
Fixes: c2a9737f ("vfs,mm: fix a dead loop in truncate_inode_pages_range()")
Tested-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Conflicts:
	mm/filemap.c
[Context conflicts.]
Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>

parent 929a9df3

mm/filemap.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -2554,7 +2554,7 @@ ssize_t generic_file_buffered_read(struct kiocb *iocb,
		if (unlikely(!iov_iter_count(iter)))
		return 0;

		iov_iter_truncate(iter, inode->i_sb->s_maxbytes);
		iov_iter_truncate(iter, inode->i_sb->s_maxbytes - iocb->ki_pos);

		if (nr_pages > ARRAY_SIZE(pages_onstack))
		pages = kmalloc_array(nr_pages, sizeof(void *), GFP_KERNEL);