Commit f741bd71 authored by David Howells's avatar David Howells Committed by Linus Torvalds
Browse files

iov_iter: Fix iov_iter_extract_pages() with zero-sized entries 



iov_iter_extract_pages() doesn't correctly handle skipping over initial
zero-length entries in ITER_KVEC and ITER_BVEC-type iterators.

The problem is that it accidentally reduces maxsize to 0 when it
skipping and thus runs to the end of the array and returns 0.

Fix this by sticking the calculated size-to-copy in a new variable
rather than back in maxsize.

Fixes: 7d58fe73 ("iov_iter: Add a function to extract a page list from an iterator")
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: David Hildenbrand <david@redhat.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 6b8bb5b8

lib/iov_iter.c

+15 −15
Original line number Diff line number Diff line
@@ -1654,14 +1654,14 @@ static ssize_t iov_iter_extract_bvec_pages(struct iov_iter *i, 
					   size_t *offset0)

{

	struct page **p, *page;

	size_t skip = i->iov_offset, offset;

	size_t skip = i->iov_offset, offset, size;

	int k;



	for (;;) {

		if (i->nr_segs == 0)

			return 0;

		maxsize = min(maxsize, i->bvec->bv_len - skip);

		if (maxsize)

		size = min(maxsize, i->bvec->bv_len - skip);

		if (size)

			break;

		i->iov_offset = 0;

		i->nr_segs--;
@@ -1674,16 +1674,16 @@ static ssize_t iov_iter_extract_bvec_pages(struct iov_iter *i, 
	offset = skip % PAGE_SIZE;

	*offset0 = offset;



	maxpages = want_pages_array(pages, maxsize, offset, maxpages);

	maxpages = want_pages_array(pages, size, offset, maxpages);

	if (!maxpages)

		return -ENOMEM;

	p = *pages;

	for (k = 0; k < maxpages; k++)

		p[k] = page + k;



	maxsize = min_t(size_t, maxsize, maxpages * PAGE_SIZE - offset);

	iov_iter_advance(i, maxsize);

	return maxsize;

	size = min_t(size_t, size, maxpages * PAGE_SIZE - offset);

	iov_iter_advance(i, size);

	return size;

}



/*
@@ -1698,14 +1698,14 @@ static ssize_t iov_iter_extract_kvec_pages(struct iov_iter *i, 
{

	struct page **p, *page;

	const void *kaddr;

	size_t skip = i->iov_offset, offset, len;

	size_t skip = i->iov_offset, offset, len, size;

	int k;



	for (;;) {

		if (i->nr_segs == 0)

			return 0;

		maxsize = min(maxsize, i->kvec->iov_len - skip);

		if (maxsize)

		size = min(maxsize, i->kvec->iov_len - skip);

		if (size)

			break;

		i->iov_offset = 0;

		i->nr_segs--;
@@ -1717,13 +1717,13 @@ static ssize_t iov_iter_extract_kvec_pages(struct iov_iter *i, 
	offset = (unsigned long)kaddr & ~PAGE_MASK;

	*offset0 = offset;



	maxpages = want_pages_array(pages, maxsize, offset, maxpages);

	maxpages = want_pages_array(pages, size, offset, maxpages);

	if (!maxpages)

		return -ENOMEM;

	p = *pages;



	kaddr -= offset;

	len = offset + maxsize;

	len = offset + size;

	for (k = 0; k < maxpages; k++) {

		size_t seg = min_t(size_t, len, PAGE_SIZE);
@@ -1737,9 +1737,9 @@ static ssize_t iov_iter_extract_kvec_pages(struct iov_iter *i, 
		kaddr += PAGE_SIZE;

	}



	maxsize = min_t(size_t, maxsize, maxpages * PAGE_SIZE - offset);

	iov_iter_advance(i, maxsize);

	return maxsize;

	size = min_t(size_t, size, maxpages * PAGE_SIZE - offset);

	iov_iter_advance(i, size);

	return size;

}



/*