mirrors/linux
2
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-05-16 02:01:18 -04:00
Code Issues Packages Projects Releases Wiki Activity

netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators

Browse Source 
When a process crashes and the kernel writes a core dump to a 9P
filesystem, __kernel_write() creates an ITER_KVEC iterator. This
iterator reaches netfs_limit_iter() via netfs_unbuffered_write(), which
only handles ITER_FOLIOQ, ITER_BVEC and ITER_XARRAY iterator types,
hitting the BUG() for any other type.

Fix this by adding netfs_limit_kvec() following the same pattern as
netfs_limit_bvec(), since both kvec and bvec are simple segment arrays
with pointer and length fields. Dispatch it from netfs_limit_iter() when
the iterator type is ITER_KVEC.

Fixes: cae932d3ae ("netfs: Add func to calculate pagecount/size-limited span of an iterator")
Reported-by: syzbot+9c058f0d63475adc97fd@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9c058f0d63475adc97fd
Tested-by: syzbot+9c058f0d63475adc97fd@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
Link: https://patch.msgid.link/20260307090041.359870-1-kartikey406@gmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
This commit is contained in:
Deepanshu Kartikey
2026-03-07 14:30:41 +05:30
committed by Christian Brauner
parent d320f160aa
commit 67e467a11f
1 changed files with 43 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
fs/netfs/iterator.c
View File

@@ -142,6 +142,47 @@ static size_t netfs_limit_bvec(const struct iov_iter *iter, size_t start_offset,
return min(span, max_size);
}
/*
* Select the span of a kvec iterator we're going to use. Limit it by both
* maximum size and maximum number of segments. Returns the size of the span
* in bytes.
*/
static size_t netfs_limit_kvec(const struct iov_iter *iter, size_t start_offset,
size_t max_size, size_t max_segs)
{
const struct kvec *kvecs = iter->kvec;
unsigned int nkv = iter->nr_segs, ix = 0, nsegs = 0;
size_t len, span = 0, n = iter->count;
size_t skip = iter->iov_offset + start_offset;
if (WARN_ON(!iov_iter_is_kvec(iter)) ||
WARN_ON(start_offset > n) ||
n == 0)
return 0;
while (n && ix < nkv && skip) {
len = kvecs[ix].iov_len;
if (skip < len)
break;
skip -= len;
n -= len;
ix++;
}
while (n && ix < nkv) {
len = min3(n, kvecs[ix].iov_len - skip, max_size);
span += len;
nsegs++;
ix++;
if (span >= max_size || nsegs >= max_segs)
break;
skip = 0;
n -= len;
}
return min(span, max_size);
}
/*
* Select the span of an xarray iterator we're going to use. Limit it by both
* maximum size and maximum number of segments. It is assumed that segments
@@ -245,6 +286,8 @@ size_t netfs_limit_iter(const struct iov_iter *iter, size_t start_offset,
return netfs_limit_bvec(iter, start_offset, max_size, max_segs);
if (iov_iter_is_xarray(iter))
return netfs_limit_xarray(iter, start_offset, max_size, max_segs);
if (iov_iter_is_kvec(iter))
return netfs_limit_kvec(iter, start_offset, max_size, max_segs);
BUG();
}
EXPORT_SYMBOL(netfs_limit_iter);