Skip to content

Commit

Permalink
bcachefs: fix iov_iter count underflow on sub-block dio read
Browse files Browse the repository at this point in the history 
bch2_direct_IO_read() checks the request offset and size for sector
alignment and then falls through to a couple calculations to shrink
the size of the request based on the inode size. The problem is that
these checks round up to the fs block size, which runs the risk of
underflowing iter->count if the block size happens to be large
enough. This is triggered by fstest generic/361 with a 4k block
size, which subsequently leads to a crash. To avoid this crash,
check that the shorten length doesn't exceed the overall length of
the iter.

Fixes:
Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Su Yue <glass.su@suse.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
  • Loading branch information
Brian Foster authored and Kent Overstreet committed Feb 25, 2024
1 parent 204f451 commit b58b1b8
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions fs/bcachefs/fs-io-direct.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,8 @@ static int bch2_direct_IO_read(struct kiocb *req, struct iov_iter *iter)
return ret;

shorten = iov_iter_count(iter) - round_up(ret, block_bytes(c));
if (shorten >= iter->count)
shorten = 0;
iter->count -= shorten;

bio = bio_alloc_bioset(NULL,
Expand Down

0 comments on commit b58b1b8

Please sign in to comment.