From: Matthew Wilcox <willy@infradead.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: mm-commits@vger.kernel.org, ira.weiny@intel.com,
	fmdefrancesco@gmail.com, linux-mm@kvack.org
Subject: Re: [merged mm-stable] mm-add-memcpy_from_file_folio.patch removed from -mm tree
Date: Fri, 3 Feb 2023 21:33:50 +0000
Message-ID: <Y919vmSrtAgsf6K3@casper.infradead.org>
In-Reply-To: <20230203063850.3246FC4339C@smtp.kernel.org>

On Thu, Feb 02, 2023 at 10:38:49PM -0800, Andrew Morton wrote:
> This patch was dropped because it was merged into the mm-stable branch
> of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

I pick the worst time to find bugs in my own code.

From cf8f62107c965eafc2fa9ad0f839269fcb11991d Mon Sep 17 00:00:00 2001
From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
Date: Fri, 3 Feb 2023 16:28:40 -0500
Subject: [PATCH] mm: Fix memcpy_from_file_folio() integer underflow

If we have a HIGHMEM system with a large folio, 'offset' may be larger
than PAGE_SIZE, and so min_t will cap at 'len' instead of the intended
end-of-page.  That can overflow into the next page which is likely to
be unmapped and fault, but could theoretically copy the wrong data.

Fixes: [no commit ID yet] ("mm: add memcpy_from_file_folio()")
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
---
 include/linux/highmem.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/include/linux/highmem.h b/include/linux/highmem.h
index 348701dae77f..b06254e76d99 100644
--- a/include/linux/highmem.h
+++ b/include/linux/highmem.h
@@ -431,9 +431,10 @@ static inline size_t memcpy_from_file_folio(char *to, struct folio *folio,
 	size_t offset = offset_in_folio(folio, pos);
 	char *from = kmap_local_folio(folio, offset);
 
-	if (folio_test_highmem(folio))
+	if (folio_test_highmem(folio)) {
+		offset = offset_in_page(offset);
 		len = min_t(size_t, len, PAGE_SIZE - offset);
-	else
+	} else
 		len = min(len, folio_size(folio) - offset);
 
 	memcpy(to, from, len);
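
Review bot: the else branch at the end of this hunk stays unbraced while the if branch now has braces; kernel coding style asks for braces on both branches once one of them needs them, so this should read `} else {` with a closing `}` after `len = min(len, folio_size(folio) - offset);`. Separately, `offset` now carries two meanings: it is passed to kmap_local_folio() as the offset within the folio and is then overwritten with the offset within the page. A one-line comment above `offset = offset_in_page(offset);` stating that the highmem copy must stop at the end of the mapped page would make the intent clear and guard against the line being dropped in a later cleanup. The Fixes: tag still holds a placeholder and needs the real commit id before this is applied.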
-- 
2.35.1

