iov_iter: Fix iov_iter_extract_pages() with zero-sized entries

commit f741bd7178 upstream. iov_iter_extract_pages() doesn't correctly handle skipping over initial zero-length entries in ITER_KVEC and ITER_BVEC-type iterators. The problem is that it accidentally reduces maxsize to 0 when it skipping and thus runs to the end of the array and returns 0. Fix this by sticking the calculated size-to-copy in a new variable rather than back in maxsize. Fixes: 7d58fe7310 ("iov_iter: Add a function to extract a page list from an iterator") Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Cc: Christian Brauner <brauner@kernel.org> Cc: Jens Axboe <axboe@kernel.dk> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: David Hildenbrand <david@redhat.com> Cc: John Hubbard <jhubbard@nvidia.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-09-27 12:57:53 +00:00 · 2023-09-08 17:03:20 +01:00 · 2023-09-08 17:03:20 +01:00 · b15d3cbd29
commit b15d3cbd29
parent 5db357b14d
1 changed files with 15 additions and 15 deletions
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@ -2086,14 +2086,14 @@ static ssize_t iov_iter_extract_bvec_pages(struct iov_iter *i,
 					   size_t *offset0)
 {
 	struct page **p, *page;
-	size_t skip = i->iov_offset, offset;
+	size_t skip = i->iov_offset, offset, size;
 	int k;
 	for (;;) {
 		if (i->nr_segs == 0)
 			return 0;
-		maxsize = min(maxsize, i->bvec->bv_len - skip);
+		size = min(maxsize, i->bvec->bv_len - skip);
-		if (maxsize)
+		if (size)
 			break;
 		i->iov_offset = 0;
 		i->nr_segs--;
@ -2106,16 +2106,16 @@ static ssize_t iov_iter_extract_bvec_pages(struct iov_iter *i,
 	offset = skip % PAGE_SIZE;
 	*offset0 = offset;
-	maxpages = want_pages_array(pages, maxsize, offset, maxpages);
+	maxpages = want_pages_array(pages, size, offset, maxpages);
 	if (!maxpages)
 		return -ENOMEM;
 	p = *pages;
 	for (k = 0; k < maxpages; k++)
 		p[k] = page + k;
-	maxsize = min_t(size_t, maxsize, maxpages * PAGE_SIZE - offset);
+	size = min_t(size_t, size, maxpages * PAGE_SIZE - offset);
-	iov_iter_advance(i, maxsize);
+	iov_iter_advance(i, size);
-	return maxsize;
+	return size;
 }
 /*
@ -2130,14 +2130,14 @@ static ssize_t iov_iter_extract_kvec_pages(struct iov_iter *i,
 {
 	struct page **p, *page;
 	const void *kaddr;
-	size_t skip = i->iov_offset, offset, len;
+	size_t skip = i->iov_offset, offset, len, size;
 	int k;
 	for (;;) {
 		if (i->nr_segs == 0)
 			return 0;
-		maxsize = min(maxsize, i->kvec->iov_len - skip);
+		size = min(maxsize, i->kvec->iov_len - skip);
-		if (maxsize)
+		if (size)
 			break;
 		i->iov_offset = 0;
 		i->nr_segs--;
@ -2149,13 +2149,13 @@ static ssize_t iov_iter_extract_kvec_pages(struct iov_iter *i,
 	offset = (unsigned long)kaddr & ~PAGE_MASK;
 	*offset0 = offset;
-	maxpages = want_pages_array(pages, maxsize, offset, maxpages);
+	maxpages = want_pages_array(pages, size, offset, maxpages);
 	if (!maxpages)
 		return -ENOMEM;
 	p = *pages;
 	kaddr -= offset;
-	len = offset + maxsize;
+	len = offset + size;
 	for (k = 0; k < maxpages; k++) {
 		size_t seg = min_t(size_t, len, PAGE_SIZE);
@ -2169,9 +2169,9 @@ static ssize_t iov_iter_extract_kvec_pages(struct iov_iter *i,
 		kaddr += PAGE_SIZE;
 	}
-	maxsize = min_t(size_t, maxsize, maxpages * PAGE_SIZE - offset);
+	size = min_t(size_t, size, maxpages * PAGE_SIZE - offset);
-	iov_iter_advance(i, maxsize);
+	iov_iter_advance(i, size);
-	return maxsize;
+	return size;
 }
 /*