Linux NFS development
From: David Howells <dhowells@redhat.com>
To: Christian Brauner <christian@brauner.io>,
	Matthew Wilcox <willy@infradead.org>,
	Christoph Hellwig <hch@infradead.org>
Cc: David Howells <dhowells@redhat.com>,
	Paulo Alcantara <pc@manguebit.org>, Jens Axboe <axboe@kernel.dk>,
	Leon Romanovsky <leon@kernel.org>,
	Steve French <sfrench@samba.org>,
	ChenXiaoSong <chenxiaosong@chenxiaosong.com>,
	Marc Dionne <marc.dionne@auristor.com>,
	Eric Van Hensbergen <ericvh@kernel.org>,
	Dominique Martinet <asmadeus@codewreck.org>,
	Ilya Dryomov <idryomov@gmail.com>,
	netfs@lists.linux.dev, linux-afs@lists.infradead.org,
	linux-cifs@vger.kernel.org, linux-nfs@vger.kernel.org,
	ceph-devel@vger.kernel.org, v9fs@lists.linux.dev,
	linux-erofs@lists.ozlabs.org, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, Mike Marshall <hubcap@omnibond.com>
Subject: [PATCH v4 03/30] iov_iter: Fix potential underflow in iov_iter_extract_xarray_pages()
Date: Tue, 16 Jun 2026 11:07:52 +0100
Message-ID: <20260616100821.2062304-4-dhowells@redhat.com>
In-Reply-To: <20260616100821.2062304-1-dhowells@redhat.com>

In iov_iter_extract_xarray_pages(), if no pages are extracted because
there's a hole (or something otherwise unextractable) in the xarray, then
the calculation of maxsize at the end can go wrong if the starting offset
is not zero.

Fix this by setting maxsize to 0 if nr is 0.

Note that in the near future, ITER_XARRAY should be removed.

Fixes: 7d58fe731028 ("iov_iter: Add a function to extract a page list from an iterator")
Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Paulo Alcantara <pc@manguebit.org>
cc: Matthew Wilcox <willy@infradead.org>
cc: Christoph Hellwig <hch@infradead.org>
cc: Jens Axboe <axboe@kernel.dk>
cc: Mike Marshall <hubcap@omnibond.com>
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
---
 lib/iov_iter.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 243662af1af7..dc9c6eb21bdb 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -1595,7 +1595,10 @@ static ssize_t iov_iter_extract_xarray_pages(struct iov_iter *i,
 	}
 	rcu_read_unlock();
 
-	maxsize = min_t(size_t, nr * PAGE_SIZE - offset, maxsize);
+	if (nr > 0)
+		maxsize = min_t(size_t, nr * PAGE_SIZE - offset, maxsize);
+	else
+		maxsize = 0;
 	iov_iter_advance(i, maxsize);
 	return maxsize;
 }
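Review bot: the new `else` branch at the end of the hunk deserves a one-line comment saying why `nr` can be zero here (a hole or otherwise unextractable entry in the xarray) and that the old expression `nr * PAGE_SIZE - offset` wrapped around when `nr == 0` and `offset != 0`, so `min_t()` handed back the caller's full `maxsize`; the reasoning lives only in the commit message today. The same logic reads a little tighter as `maxsize = nr ? min_t(size_t, nr * PAGE_SIZE - offset, maxsize) : 0;`, but that is a style preference. Worth confirming in review: after the change the function calls `iov_iter_advance(i, 0)` and returns 0 when nothing was extracted, so every caller must treat a 0 return as "no pages at this position" rather than as end of iterator, otherwise a hole could turn into a spin or a silent short read.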


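The commit message describes an unsigned wrap-around that min_t() then hides. The following is an added, constructed model of the tail of iov_iter_extract_xarray_pages(), not code from the kernel or from this patch: `PAGE_SIZE`, `MIN_SZ`, `struct toy_xarray`, `collect_pages()` and `run_case()` are all stand-ins chosen for illustration, and the four-slot array with an optional hole is constructed sample data. `tail_before()` is the pre-patch calculation and `tail_after()` the patched one; the model shows that with a hole at the start and a non-zero starting offset, the old code claims a full `maxsize` worth of bytes although zero pages were collected, while with a zero offset the wrap does not occur.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for PAGE_SIZE and min_t(); not the kernel headers. */
#define PAGE_SIZE 4096UL
#define MIN_SZ(a, b) ((a) < (b) ? (a) : (b))

/* Toy xarray: each slot holds a page pointer, or NULL for a hole. */
struct toy_xarray {
	const char *slots[8];
	size_t nslots;
};

/* Stands in for the page-collection loop: count present pages from
 * index `first`, stopping at the first hole or after `want` pages. */
static size_t collect_pages(const struct toy_xarray *xa, size_t first, size_t want)
{
	size_t nr = 0;

	while (nr < want && first + nr < xa->nslots && xa->slots[first + nr])
		nr++;
	return nr;
}

/* Tail calculation before the patch: with nr == 0 and a non-zero offset,
 * nr * PAGE_SIZE - offset wraps to a huge size_t, so the min() silently
 * returns the caller's maxsize. */
static size_t tail_before(size_t nr, size_t offset, size_t maxsize)
{
	return MIN_SZ(nr * PAGE_SIZE - offset, maxsize);
}

/* Tail calculation as patched: no pages collected means no bytes claimed. */
static size_t tail_after(size_t nr, size_t offset, size_t maxsize)
{
	if (nr > 0)
		return MIN_SZ(nr * PAGE_SIZE - offset, maxsize);
	return 0;
}

/* Constructed sample: four present slots, optionally with a hole in slot 0. */
static struct toy_xarray make_sample(bool hole_at_start)
{
	struct toy_xarray xa = { { "pg0", "pg1", "pg2", "pg3" }, 4 };

	if (hole_at_start)
		xa.slots[0] = NULL;
	return xa;
}

/* Simulate one extraction starting at byte `start` for up to `maxsize`
 * bytes and return the byte count the function would report (which is
 * also how far the iterator is then advanced). */
static size_t run_case(bool hole_at_start, size_t start, size_t maxsize, bool fixed)
{
	struct toy_xarray xa = make_sample(hole_at_start);
	size_t first = start / PAGE_SIZE;
	size_t offset = start % PAGE_SIZE;
	size_t want = (offset + maxsize + PAGE_SIZE - 1) / PAGE_SIZE;
	size_t nr = collect_pages(&xa, first, want);

	return fixed ? tail_after(nr, offset, maxsize)
		     : tail_before(nr, offset, maxsize);
}

int main(void)
{
	printf("hole, offset 256, old code: claims %zu bytes\n",
	       run_case(true, 256, PAGE_SIZE, false));
	printf("hole, offset 256, patched:  claims %zu bytes\n",
	       run_case(true, 256, PAGE_SIZE, true));
	printf("hole, offset 0,   old code: claims %zu bytes\n",
	       run_case(true, 0, PAGE_SIZE, false));
	printf("no hole, offset 256, patched: claims %zu bytes\n",
	       run_case(false, 256, 2 * PAGE_SIZE, true));
	return 0;
}
```

The dangerous case is the first one: the old tail reports 4096 bytes for a region that contributed no pages, so the iterator is advanced past data nobody extracted. The last case shows the normal path, where the starting offset correctly reduces the bytes available from the collected pages.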
Thread overview: 34+ messages
2026-06-16 10:07 [PATCH v4 00/30] netfs: Keep track of folios in a segmented bio_vec[] chain David Howells
2026-06-16 10:07 ` [PATCH v4 01/30] netfs: Fix decision whether to disallow write-streaming due to fscache use David Howells
2026-06-16 10:07 ` [PATCH v4 02/30] cachefiles: Fix double fput David Howells
2026-06-16 10:07 ` David Howells [this message]
2026-06-16 10:07 ` [PATCH v4 04/30] iov_iter: Fix missing alloc fail check in iov_iter_extract_bvec_pages() David Howells
2026-06-16 10:07 ` [PATCH v4 05/30] iov_iter: Remove unused variable in kunit_iov_iter.c David Howells
2026-06-16 10:07 ` [PATCH v4 06/30] scatterlist: Fix offset in folio calc in extract_xarray_to_sg() David Howells
2026-06-16 10:07 ` [PATCH v4 07/30] netfs: Replace wb_lock with a bit lock for asynchronicity David Howells
2026-06-16 10:07 ` [PATCH v4 08/30] netfs: Fix kdoc warning David Howells
2026-06-16 10:07 ` [PATCH v4 09/30] cachefiles: Don't rely on backing fs storage map for most use cases David Howells
2026-06-16 10:07 ` [PATCH v4 10/30] netfs: Add the cache object ID to netfs_read/write tracepoints David Howells
2026-06-16 10:08 ` [PATCH v4 11/30] mm: Make readahead store folio count in readahead_control David Howells
2026-06-16 10:08 ` [PATCH v4 12/30] netfs: Bulk load the readahead-provided folios up front David Howells
2026-06-16 10:08 ` [PATCH v4 13/30] Add a function to kmap one page of a multipage bio_vec David Howells
2026-06-16 10:08 ` [PATCH v4 14/30] iov_iter: Make iov_iter_get_pages*() wrap iov_iter_extract_pages() David Howells
2026-06-16 10:08 ` [PATCH v4 15/30] iov_iter: Add a segmented queue of bio_vec[] David Howells
2026-06-16 10:08 ` [PATCH v4 16/30] netfs: Add some tools for managing bvecq chains David Howells
2026-06-16 10:08 ` [PATCH v4 17/30] netfs: Add a function to extract from an iter into a bvecq David Howells
2026-06-16 10:08 ` [PATCH v4 18/30] afs: Use a bvecq to hold dir content rather than folioq David Howells
2026-06-16 10:08 ` [PATCH v4 19/30] cifs: Use a bvecq for buffering instead of a folioq David Howells
2026-06-16 10:08 ` [PATCH v4 20/30] smbdirect: Support ITER_BVECQ in smbdirect_map_sges_from_iter() David Howells
2026-06-16 10:08 ` [PATCH v4 21/30] netfs: Switch to using bvecq rather than folio_queue and rolling_buffer David Howells
2026-06-16 10:08 ` [PATCH v4 22/30] smbdirect: Remove support for ITER_FOLIOQ from smbdirect_map_sges_from_iter() David Howells
2026-06-16 10:08 ` [PATCH v4 23/30] netfs: Remove netfs_alloc/free_folioq_buffer() David Howells
2026-06-16 10:08 ` [PATCH v4 24/30] netfs: Remove netfs_extract_user_iter() David Howells
2026-06-16 10:08 ` [PATCH v4 25/30] iov_iter: Remove ITER_FOLIOQ David Howells
2026-06-16 10:08 ` [PATCH v4 26/30] netfs: Remove folio_queue and rolling_buffer David Howells
2026-06-16 10:08 ` [PATCH v4 27/30] netfs: Check for too much data being read David Howells
2026-06-16 10:08 ` [PATCH v4 28/30] netfs: Limit the minimum trigger for progress reporting David Howells
2026-06-16 10:08 ` [PATCH v4 29/30] netfs: Combine prepare and issue ops and grab the buffers on request David Howells
2026-06-16 10:08 ` [PATCH v4 30/30] CHANGES David Howells
2026-06-16 12:47   ` ChenXiaoSong
2026-06-16 12:51     ` David Howells
2026-06-16 12:38 ` [PATCH v4 00/30] netfs: Keep track of folios in a segmented bio_vec[] chain Christoph Hellwig
