From patchwork Fri Sep 18 02:24:16 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sasha Levin <sasha.levin@oracle.com>
X-Patchwork-Id: 7212611
Return-Path: <linux-fsdevel-owner@kernel.org>
X-Original-To: patchwork-linux-fsdevel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 3BC5D9F372
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Fri, 18 Sep 2015 02:24:46 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 7365E20747
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Fri, 18 Sep 2015 02:24:45 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 8C15820723
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Fri, 18 Sep 2015 02:24:44 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752545AbbIRCY2 (ORCPT
	<rfc822;patchwork-linux-fsdevel@patchwork.kernel.org>);
	Thu, 17 Sep 2015 22:24:28 -0400
Received: from userp1040.oracle.com ([156.151.31.81]:24666 "EHLO
	userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751246AbbIRCY1 (ORCPT
	<rfc822;linux-fsdevel@vger.kernel.org>);
	Thu, 17 Sep 2015 22:24:27 -0400
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233])
	by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2)
	with ESMTP id t8I2OKoA002653
	(version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
	Fri, 18 Sep 2015 02:24:21 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72])
	by aserv0021.oracle.com (8.13.8/8.13.8) with ESMTP id t8I2OK32027727
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL);
	Fri, 18 Sep 2015 02:24:20 GMT
Received: from abhmp0013.oracle.com (abhmp0013.oracle.com [141.146.116.19])
	by userv0121.oracle.com (8.13.8/8.13.8) with ESMTP id
	t8I2OJ2L024157; Fri, 18 Sep 2015 02:24:19 GMT
Received: from [10.154.156.136] (/10.154.156.136)
	by default (Oracle Beehive Gateway v4.0)
	with ESMTP ; Thu, 17 Sep 2015 19:24:18 -0700
Message-ID: <55FB75D0.7060403@oracle.com>
Date: Thu, 17 Sep 2015 22:24:16 -0400
From: Sasha Levin <sasha.levin@oracle.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Al Viro <viro@ZenIV.linux.org.uk>,
	Andrey Ryabinin <ryabinin.a.a@gmail.com>, willy@linux.intel.com
CC: Chuck Ebbert <cebbert.lkml@gmail.com>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: fs: out of bounds on stack in iov_iter_advance
References: <55CB5484.6080000@oracle.com> <20150815161338.4ea210ff@as>
	<55D1A6D4.3080605@gmail.com>
	<20150819054650.GD18890@ZenIV.linux.org.uk>
In-Reply-To: <20150819054650.GD18890@ZenIV.linux.org.uk>
X-Source-IP: aserv0021.oracle.com [141.146.126.233]
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-fsdevel.vger.kernel.org>
X-Mailing-List: linux-fsdevel@vger.kernel.org
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	T_RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

On 08/19/2015 01:46 AM, Al Viro wrote:
>> or mapping->a_ops->direct_IO() returned more
>> > than 'count'.
> 	Was there DAX involved?  ->direct_IO() in there is blkdev_direct_IO(),
> which takes rather different paths in those cases...
> 

So I've traced this all the way back to dax_io(). I can trigger this with:

So it seems that iter gets moved twice here: once in dax_io(), and once again
back at generic_file_read_iter().

I don't see how it ever worked. Am I missing something?


Thanks,
Sasha
---
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/fs/dax.c b/fs/dax.c
index 93bf2f9..2cdb8a5 100644
--- a/fs/dax.c
+++ b/fs/dax.c
@@ -178,6 +178,7 @@ static ssize_t dax_io(struct inode *inode, struct iov_iter *iter,
        if (need_wmb)
                wmb_pmem();

+       WARN_ON((pos == start) && (pos - start > iov_iter_count(iter)));
        return (pos == start) ? retval : pos - start;
 }