From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: Jan Kara <jack@suse.cz>
Cc: linux-fsdevel@vger.kernel.org,
	Christoph Hellwig <hch@infradead.org>,
	Matthew Bobrowski <mbobrowski@mbobrowski.org>,
	Eric Biggers <ebiggers@kernel.org>,
	stable@vger.kernel.org
Subject: Re: [PATCH 1/2] iomap: Fix pipe page leakage during splicing
Date: Thu, 21 Nov 2019 15:55:28 -0800
Message-ID: <20191121235528.GO6211@magnolia>
In-Reply-To: <20191121161538.18445-1-jack@suse.cz>

On Thu, Nov 21, 2019 at 05:15:34PM +0100, Jan Kara wrote:
> When splicing using iomap_dio_rw() to a pipe, we may leak pipe pages
> because bio_iov_iter_get_pages() records that the pipe will have a full
> extent's worth of data. However, if the file size is not block size
> aligned, iomap_dio_rw() returns less than what bio_iov_iter_get_pages()
> set up, and the splice code gets confused, leaking a pipe page with the
> file tail.
> 
> Handle the situation similarly to the old direct IO implementation and
> revert iter to the actually returned read amount, which makes iter
> consistent with the value returned from iomap_dio_rw(), and thus the
> splice code is happy.
> 
> Fixes: ff6a9292e6f6 ("iomap: implement direct I/O")
> CC: stable@vger.kernel.org
> Reported-by: syzbot+991400e8eba7e00a26e1@syzkaller.appspotmail.com
> Signed-off-by: Jan Kara <jack@suse.cz>
> ---
>  fs/iomap/direct-io.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/iomap/direct-io.c b/fs/iomap/direct-io.c
> index 1fc28c2da279..30189652c560 100644
> --- a/fs/iomap/direct-io.c
> +++ b/fs/iomap/direct-io.c
> @@ -497,8 +497,15 @@ iomap_dio_rw(struct kiocb *iocb, struct iov_iter *iter,
>  		}
>  		pos += ret;
>  
> -		if (iov_iter_rw(iter) == READ && pos >= dio->i_size)
> +		if (iov_iter_rw(iter) == READ && pos >= dio->i_size) {
> +			/*
> +			 * We will report we've read data only upto i_size.

Nit: "up to"; will fix that on the way in.

> +			 * Revert iter to a state corresponding to that as
> +			 * some callers (such as splice code) rely on it.
> +			 */
> +			iov_iter_revert(iter, pos - dio->i_size);

Just to make sure I'm getting this right, iov_iter_revert walks the
iterator variables backwards through pipe buffers/bvec/iovec, which has
the effect of undoing whatever iterator walking we've just done.

In contrast, iov_iter_reexpand undoes a previous subtraction to
iov->count which was (presumably) done via iov_iter_truncate.

Or to put it another way, _revert walks the iteration pointer backwards,
whereas _truncate/_reexpand modify where the iteration ends.  Right?

Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>

--D

>  			break;
> +		}
>  	} while ((count = iov_iter_count(iter)) > 0);
>  	blk_finish_plug(&plug);
>  
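
Review bot: The revert length in the new READ branch, `iov_iter_revert(iter, pos - dio->i_size)`, is only valid if this call started reading below `dio->i_size`. The hunk shows `pos += ret` and the `pos >= dio->i_size` test, but nothing visible here bounds `pos - dio->i_size` by the number of bytes the iterator actually advanced in this call. If that guarantee comes from a check earlier in iomap_dio_rw(), name it in the new comment so that a later change to that entry check does not silently turn this into a revert past the point where the iterator started. The `pos == dio->i_size` case reverts by zero, so it is harmless as written.
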
> -- 
> 2.16.4
> 
