From: Linus Torvalds <torvalds@linux-foundation.org>
To: manish honap <manish_honap_vit@yahoo.co.in>
Cc: "tytso@mit.edu" <tytso@mit.edu>,
"adilger.kernel@dilger.ca" <adilger.kernel@dilger.ca>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>
Subject: Re: [PATCH 1/1] ext4, dio: Remove overflow for size >2G in aio-dio code.
Date: Sun, 20 May 2012 21:50:24 -0700
Message-ID: <CA+55aFxA0Do37AxoM2MPH5nnMa2VAPHp1pKJ7CiafGGQL-b0wQ@mail.gmail.com>
In-Reply-To: <1337570918.78986.YahooMailNeo@web192406.mail.sg3.yahoo.com>
On Sun, May 20, 2012 at 8:28 PM, manish honap
<manish_honap_vit@yahoo.co.in> wrote:
> Hello Linus,
>
> The overflow issue was seen during async dio path
Christ. fs/aio.c doesn't do the proper rw_verify_area().
As a result, it doesn't check file locks, and it doesn't seem to check
offset overflows either.
The vector versions kind of get the size limit by mistake (because
they at least use rw_copy_check_uvector(), which does limit things to
MAX_RW_COUNT), but they don't do the offset overflow check either.
Does this patch work for you? What it *should* do is the same that the
other read/write paths do (and the vector path for aio already does),
namely truncate reads or writes to MAX_RW_COUNT (which is INT_MAX
aligned down to a page).
This patch is entirely untested,
Linus
[-- Attachment #2: patch.diff --]
[-- Type: application/octet-stream, Size: 2545 bytes --]
fs/aio.c | 30 ++++++++++++++----------------
1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/fs/aio.c b/fs/aio.c
index 67a6db3e1b6f..e7f2fad7b4ce 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1456,6 +1456,10 @@ static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
if (ret < 0)
goto out;
+ ret = rw_verify_area(type, kiocb->ki_filp, &kiocb->ki_pos, ret);
+ if (ret < 0)
+ goto out;
+
kiocb->ki_nr_segs = kiocb->ki_nbytes;
kiocb->ki_cur_seg = 0;
/* ki_nbytes/left now reflect bytes instead of segs */
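Review bot: the added `ret = rw_verify_area(type, kiocb->ki_filp, &kiocb->ki_pos, ret);` overwrites the byte total that the preceding `if (ret < 0) goto out;` just validated with whatever rw_verify_area() returns, which may be clamped to MAX_RW_COUNT; the comment that follows (`/* ki_nbytes/left now reflect bytes instead of segs */`) then stores that clamped total while the iovec entries still add up to the original request, so a clamped request completes as a short transfer governed by ki_left. A one-line comment stating that this truncation is intentional would keep the next reader from treating the iovec/ki_left mismatch as a bug.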
@@ -1467,11 +1471,17 @@ out:
return ret;
}
-static ssize_t aio_setup_single_vector(struct kiocb *kiocb)
+static ssize_t aio_setup_single_vector(int type, struct file * file, struct kiocb *kiocb)
{
+ int bytes;
+
+ bytes = rw_verify_area(type, file, &kiocb->ki_pos, kiocb->ki_left);
+ if (bytes < 0)
+ return bytes;
+
kiocb->ki_iovec = &kiocb->ki_inline_vec;
kiocb->ki_iovec->iov_base = kiocb->ki_buf;
- kiocb->ki_iovec->iov_len = kiocb->ki_left;
+ kiocb->ki_iovec->iov_len = bytes;
kiocb->ki_nr_segs = 1;
kiocb->ki_cur_seg = 0;
return 0;
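Review bot: `bytes` from rw_verify_area() is written only into `kiocb->ki_iovec->iov_len`; `kiocb->ki_left`, which was passed in as the count, and ki_nbytes are left at the untruncated size, so after a clamp to MAX_RW_COUNT the single iovec is shorter than the byte count the kiocb still advertises. Either also set `kiocb->ki_left = kiocb->ki_nbytes = bytes;` here or note why the retry loop tolerates the mismatch. Minor style: `struct file * file` should be `struct file *file` per kernel convention.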
@@ -1496,10 +1506,7 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
if (unlikely(!access_ok(VERIFY_WRITE, kiocb->ki_buf,
kiocb->ki_left)))
break;
- ret = security_file_permission(file, MAY_READ);
- if (unlikely(ret))
- break;
- ret = aio_setup_single_vector(kiocb);
+ ret = aio_setup_single_vector(READ, file, kiocb);
if (ret)
break;
ret = -EINVAL;
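Review bot: dropping `security_file_permission(file, MAY_READ)` here is only correct because rw_verify_area(), now reached through `aio_setup_single_vector(READ, file, kiocb)`, performs that LSM check itself, in addition to the mandatory-lock and offset checks the old code never did; the commit message should say so explicitly so the removal is not read as dropping the hook. The permission check has also moved to after the access_ok() test rather than before it, which is harmless but worth a mention.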
@@ -1514,10 +1521,7 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
if (unlikely(!access_ok(VERIFY_READ, kiocb->ki_buf,
kiocb->ki_left)))
break;
- ret = security_file_permission(file, MAY_WRITE);
- if (unlikely(ret))
- break;
- ret = aio_setup_single_vector(kiocb);
+ ret = aio_setup_single_vector(WRITE, file, kiocb);
if (ret)
break;
ret = -EINVAL;
@@ -1528,9 +1532,6 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
ret = -EBADF;
if (unlikely(!(file->f_mode & FMODE_READ)))
break;
- ret = security_file_permission(file, MAY_READ);
- if (unlikely(ret))
- break;
ret = aio_setup_vectored_rw(READ, kiocb, compat);
if (ret)
break;
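Review bot: as in the single-buffer cases, the `security_file_permission(file, MAY_READ)` removed here is subsumed by the rw_verify_area() call added to aio_setup_vectored_rw(); the difference for the vectored path is that the check now runs after the user iovec has been copied and summed rather than before, and the resulting byte count (possibly clamped) rather than the segment count is what gets verified. Please spell out in the changelog that this reordering is intended.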
@@ -1542,9 +1543,6 @@ static ssize_t aio_setup_iocb(struct kiocb *kiocb, bool compat)
ret = -EBADF;
if (unlikely(!(file->f_mode & FMODE_WRITE)))
break;
- ret = security_file_permission(file, MAY_WRITE);
- if (unlikely(ret))
- break;
ret = aio_setup_vectored_rw(WRITE, kiocb, compat);
if (ret)
break;
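As an added example, not code from this thread or from the kernel's fs/read_write.c: a user-space C model of the count and offset checks that rw_verify_area() applies and that the patch above routes both aio paths through, including the clamp to MAX_RW_COUNT (INT_MAX aligned down to a page). The function name, the assumed 4 KiB page size and the omission of the mandatory-lock and LSM checks are this example's own.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <sys/types.h>   /* ssize_t */

/* Assumed 4 KiB pages; the kernel uses its own PAGE_SIZE/PAGE_MASK. */
#define MODEL_PAGE_SIZE 4096UL
/* Kernel definition: INT_MAX & PAGE_MASK, i.e. INT_MAX aligned down to a page. */
#define MODEL_MAX_RW_COUNT (INT_MAX & ~(MODEL_PAGE_SIZE - 1))

/*
 * Hypothetical model of the count/offset validation in rw_verify_area().
 * Returns the byte count the request may proceed with, clamped to
 * MAX_RW_COUNT, or a negative errno. The real helper additionally checks
 * mandatory locks and calls the LSM file-permission hook; omitted here.
 */
long model_rw_verify_area(long long pos, size_t count)
{
    /* A count that is negative when viewed as ssize_t is rejected outright. */
    if ((ssize_t)count < 0)
        return -EINVAL;
    /* A negative starting offset is invalid. */
    if (pos < 0)
        return -EINVAL;
    /* pos + count must not overflow the signed 64-bit file offset.
     * Done in unsigned arithmetic to avoid signed overflow in C. */
    if ((unsigned long long)count > (unsigned long long)(LLONG_MAX - pos))
        return -EINVAL;
    /* Like the other read/write paths: clamp rather than fail, so the
     * caller sees a short transfer instead of an error. */
    if (count > MODEL_MAX_RW_COUNT)
        return (long)MODEL_MAX_RW_COUNT;
    return (long)count;
}

int main(void)
{
    printf("4096 bytes at 0     -> %ld\n", model_rw_verify_area(0, 4096));
    printf("INT_MAX bytes at 0  -> %ld\n", model_rw_verify_area(0, (size_t)INT_MAX));
    printf("1 byte at LLONG_MAX -> %ld\n", model_rw_verify_area(LLONG_MAX, 1));
    printf("SIZE_MAX bytes at 0 -> %ld\n", model_rw_verify_area(0, (size_t)-1));
    return 0;
}
```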
Thread overview: 11+ messages
[not found] <F9014F50-D1F6-4B64-8535-7452CC64B18A@qualexsystems.com>
2012-05-20 8:01 ` [PATCH 1/1] ext4, dio: Remove overflow for size >2G in aio-dio code manish honap
2012-05-20 18:33 ` Linus Torvalds
2012-05-21 3:28 ` manish honap
2012-05-21 4:50 ` Linus Torvalds [this message]
2012-05-21 22:22 ` Linus Torvalds
2012-05-21 23:31 ` Ted Ts'o
2012-05-22 16:11 ` Eric Sandeen
2012-05-22 19:02 ` Eric Sandeen
2012-05-22 16:13 ` manish honap
2012-05-22 19:26 ` [PATCH 1/1] xfstests 286: test for 2G overflows in AIO Eric Sandeen
2012-05-22 20:41 ` [PATCH 1/1] ext4, dio: Remove overflow for size >2G in aio-dio code Jeff Moyer