From: Al Viro <viro@ZenIV.linux.org.uk>
To: Sasha Levin <sasha.levin@oracle.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>,
willy@linux.intel.com, Chuck Ebbert <cebbert.lkml@gmail.com>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>, Jens Axboe <axboe@kernel.dk>,
Linus Torvalds <torvalds@linux-foundation.org>,
Dan Williams <dan.j.williams@intel.com>
Subject: Re: fs: out of bounds on stack in iov_iter_advance
Date: Fri, 6 Nov 2015 02:19:00 +0000 [thread overview]
Message-ID: <20151106021858.GU22011@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20151106013402.GT22011@ZenIV.linux.org.uk>
On Fri, Nov 06, 2015 at 01:34:02AM +0000, Al Viro wrote:
> Could you try to reproduce it with this:
>
> dax_io(): don't let non-error value escape via retval instead of EFAULT
>
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---
> diff --git a/fs/dax.c b/fs/dax.c
> index a86d3cc..7b653e9 100644
> --- a/fs/dax.c
> +++ b/fs/dax.c
> @@ -169,8 +169,10 @@ static ssize_t dax_io(struct inode *inode, struct iov_iter *iter,
> else
> len = iov_iter_zero(max - pos, iter);
>
> - if (!len)
> + if (!len) {
> + retval = -EFAULT;
> break;
> + }
>
> pos += len;
> addr += len;
>
PS: "block, dax: fix lifetime of in-kernel dax mappings with dax_map_atomic()"
Dan Williams had posted a while ago does change the things a bit, but
AFAICS only in turning "return a bogus positive value" into "return an
uninitialized value"; if applying that one after it, s/retval/rc/ in
the above. And whether it fixes the bug Sasha had been able to trigger,
the bug is real and needs fixing - it's been there since 4.0 when fs/dax.c
went into the tree.
How are we going to handle that one? I can put it into mainline pull
request via vfs.git, with Cc: stable, but if e.g. Jens prefers to take it
via the block tree, I'll be glad to leave it for him to deal with.
next prev parent reply other threads:[~2015-11-06 2:19 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-12 14:13 fs: out of bounds on stack in iov_iter_advance Sasha Levin
2015-08-15 20:13 ` Chuck Ebbert
2015-08-17 9:18 ` Andrey Ryabinin
2015-08-19 5:46 ` Al Viro
2015-09-02 20:00 ` Sasha Levin
2015-09-18 2:24 ` Sasha Levin
2015-09-30 21:30 ` Sasha Levin
2015-10-17 19:22 ` Sasha Levin
2015-10-18 4:17 ` Ross Zwisler
2015-10-19 23:34 ` Sasha Levin
2015-11-06 1:34 ` Al Viro
2015-11-06 2:19 ` Al Viro [this message]
2015-11-06 3:38 ` Linus Torvalds
2015-11-06 16:06 ` Jens Axboe
2015-11-11 2:21 ` Linus Torvalds
2015-11-11 2:25 ` Jens Axboe
2015-11-11 2:31 ` Linus Torvalds
2015-11-11 2:40 ` Jens Axboe
2015-11-11 2:41 ` Jens Axboe
2015-11-11 2:44 ` Jens Axboe
2015-11-11 3:06 ` Al Viro
2015-11-11 3:07 ` Jens Axboe
2015-11-11 3:20 ` Sasha Levin
2015-11-11 2:56 ` Al Viro
2015-11-11 3:30 ` Al Viro
2015-11-11 4:36 ` Linus Torvalds
2015-11-11 7:43 ` Al Viro
2015-11-11 8:16 ` Stephen Rothwell
2015-11-11 10:19 ` Al Viro
2015-11-11 10:28 ` Stephen Rothwell
2015-11-11 16:25 ` Mike Marshall
2015-11-11 16:36 ` Al Viro
2015-11-11 16:56 ` Mike Marshall
2015-11-11 16:33 ` Al Viro
2015-11-11 21:47 ` Stephen Rothwell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151106021858.GU22011@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=axboe@kernel.dk \
--cc=cebbert.lkml@gmail.com \
--cc=dan.j.williams@intel.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ryabinin.a.a@gmail.com \
--cc=sasha.levin@oracle.com \
--cc=torvalds@linux-foundation.org \
--cc=willy@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.