diff options
| author | Brian Foster <bfoster@redhat.com> | 2024-02-15 18:16:05 +0100 |
|---|---|---|
| committer | Kent Overstreet <kent.overstreet@linux.dev> | 2024-02-25 02:45:24 +0100 |
| commit | b58b1b883b9b702e25204dbe2b221eecc8ecd159 (patch) | |
| tree | ec7e945eedda13aba942254131514d41a4f9c173 /fs | |
| parent | bcachefs: Fix BTREE_ITER_FILTER_SNAPSHOTS on inodes btree (diff) | |
| download | linux-b58b1b883b9b702e25204dbe2b221eecc8ecd159.tar.xz linux-b58b1b883b9b702e25204dbe2b221eecc8ecd159.zip | |
bcachefs: fix iov_iter count underflow on sub-block dio read
bch2_direct_IO_read() checks the request offset and size for sector
alignment and then falls through to a couple calculations to shrink
the size of the request based on the inode size. The problem is that
these checks round up to the fs block size, which runs the risk of
underflowing iter->count if the block size happens to be large
enough. This is triggered by fstest generic/361 with a 4k block
size, which subsequently leads to a crash. To avoid this crash,
check that the shorten length doesn't exceed the overall length of
the iter.
Fixes:
Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Su Yue <glass.su@suse.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/bcachefs/fs-io-direct.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/bcachefs/fs-io-direct.c b/fs/bcachefs/fs-io-direct.c index e3b219e19e10..33cb6da3a5ad 100644 --- a/fs/bcachefs/fs-io-direct.c +++ b/fs/bcachefs/fs-io-direct.c @@ -88,6 +88,8 @@ static int bch2_direct_IO_read(struct kiocb *req, struct iov_iter *iter) return ret; shorten = iov_iter_count(iter) - round_up(ret, block_bytes(c)); + if (shorten >= iter->count) + shorten = 0; iter->count -= shorten; bio = bio_alloc_bioset(NULL, |