From: Al Viro <viro@ZenIV.linux.org.uk>
To: Sasha Levin <sasha.levin@oracle.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>,
willy@linux.intel.com, Chuck Ebbert <cebbert.lkml@gmail.com>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>, Jens Axboe <axboe@kernel.dk>,
Linus Torvalds <torvalds@linux-foundation.org>,
Dan Williams <dan.j.williams@intel.com>
Subject: Re: fs: out of bounds on stack in iov_iter_advance
Date: Fri, 6 Nov 2015 02:19:00 +0000 [thread overview]
Message-ID: <20151106021858.GU22011@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20151106013402.GT22011@ZenIV.linux.org.uk>
On Fri, Nov 06, 2015 at 01:34:02AM +0000, Al Viro wrote:
> Could you try to reproduce it with this:
>
> dax_io(): don't let non-error value escape via retval instead of EFAULT
>
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---
> diff --git a/fs/dax.c b/fs/dax.c
> index a86d3cc..7b653e9 100644
> --- a/fs/dax.c
> +++ b/fs/dax.c
> @@ -169,8 +169,10 @@ static ssize_t dax_io(struct inode *inode, struct iov_iter *iter,
> else
> len = iov_iter_zero(max - pos, iter);
>
> - if (!len)
> + if (!len) {
> + retval = -EFAULT;
> break;
> + }
>
> pos += len;
> addr += len;
>
PS: "block, dax: fix lifetime of in-kernel dax mappings with dax_map_atomic()"
Dan Williams had posted a while ago does change the things a bit, but
AFAICS only in turning "return a bogus positive value" into "return an
uninitialized value"; if applying that one after it, s/retval/rc/ in
the above. And whether it fixes the bug Sasha had been able to trigger,
the bug is real and needs fixing - it's been there since 4.0 when fs/dax.c
went into the tree.
How are we going to handle that one? I can put it into mainline pull
request via vfs.git, with Cc: stable, but if e.g. Jens prefers to take it
via the block tree, I'll be glad to leave it for him to deal with.
next prev parent reply other threads:[~2015-11-06 2:19 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-12 14:13 fs: out of bounds on stack in iov_iter_advance Sasha Levin
2015-08-15 20:13 ` Chuck Ebbert
2015-08-17 9:18 ` Andrey Ryabinin
2015-08-19 5:46 ` Al Viro
2015-09-02 20:00 ` Sasha Levin
2015-09-18 2:24 ` Sasha Levin
2015-09-30 21:30 ` Sasha Levin
2015-10-17 19:22 ` Sasha Levin
2015-10-18 4:17 ` Ross Zwisler
2015-10-19 23:34 ` Sasha Levin
2015-11-06 1:34 ` Al Viro
2015-11-06 2:19 ` Al Viro [this message]
2015-11-06 3:38 ` Linus Torvalds
2015-11-06 16:06 ` Jens Axboe
2015-11-11 2:21 ` Linus Torvalds
2015-11-11 2:25 ` Jens Axboe
2015-11-11 2:31 ` Linus Torvalds
2015-11-11 2:40 ` Jens Axboe
2015-11-11 2:41 ` Jens Axboe
2015-11-11 2:44 ` Jens Axboe
2015-11-11 3:06 ` Al Viro
2015-11-11 3:07 ` Jens Axboe
2015-11-11 3:20 ` Sasha Levin
2015-11-11 2:56 ` Al Viro
2015-11-11 3:30 ` Al Viro
2015-11-11 4:36 ` Linus Torvalds
2015-11-11 7:43 ` Al Viro
2015-11-11 8:16 ` Stephen Rothwell
2015-11-11 10:19 ` Al Viro
2015-11-11 10:28 ` Stephen Rothwell
2015-11-11 16:25 ` Mike Marshall
2015-11-11 16:36 ` Al Viro
2015-11-11 16:56 ` Mike Marshall
2015-11-11 16:33 ` Al Viro
2015-11-11 21:47 ` Stephen Rothwell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151106021858.GU22011@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=axboe@kernel.dk \
--cc=cebbert.lkml@gmail.com \
--cc=dan.j.williams@intel.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ryabinin.a.a@gmail.com \
--cc=sasha.levin@oracle.com \
--cc=torvalds@linux-foundation.org \
--cc=willy@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).