tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators

When a process crashes and the kernel writes a core dump to a 9P
filesystem, __kernel_write() creates an ITER_KVEC iterator. This
iterator reaches netfs_limit_iter() via netfs_unbuffered_write(), which
only handles ITER_FOLIOQ, ITER_BVEC and ITER_XARRAY iterator types,
hitting the BUG() for any other type.

Fix this by adding netfs_limit_kvec() following the same pattern as
netfs_limit_bvec(), since both kvec and bvec are simple segment arrays
with pointer and length fields. Dispatch it from netfs_limit_iter() when
the iterator type is ITER_KVEC.

Fixes: cae932d3aee5 ("netfs: Add func to calculate pagecount/size-limited span of an iterator")
Reported-by: syzbot+9c058f0d63475adc97fd@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9c058f0d63475adc97fd
Tested-by: syzbot+9c058f0d63475adc97fd@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
Link: https://patch.msgid.link/20260307090041.359870-1-kartikey406@gmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>

authored by

Deepanshu Kartikey and committed by
Christian Brauner 67e467a1 d320f160

+43
+43
fs/netfs/iterator.c
··· 143 143 } 144 144 145 145 /* 146 + * Select the span of a kvec iterator we're going to use. Limit it by both 147 + * maximum size and maximum number of segments. Returns the size of the span 148 + * in bytes. 149 + */ 150 + static size_t netfs_limit_kvec(const struct iov_iter *iter, size_t start_offset, 151 + size_t max_size, size_t max_segs) 152 + { 153 + const struct kvec *kvecs = iter->kvec; 154 + unsigned int nkv = iter->nr_segs, ix = 0, nsegs = 0; 155 + size_t len, span = 0, n = iter->count; 156 + size_t skip = iter->iov_offset + start_offset; 157 + 158 + if (WARN_ON(!iov_iter_is_kvec(iter)) || 159 + WARN_ON(start_offset > n) || 160 + n == 0) 161 + return 0; 162 + 163 + while (n && ix < nkv && skip) { 164 + len = kvecs[ix].iov_len; 165 + if (skip < len) 166 + break; 167 + skip -= len; 168 + n -= len; 169 + ix++; 170 + } 171 + 172 + while (n && ix < nkv) { 173 + len = min3(n, kvecs[ix].iov_len - skip, max_size); 174 + span += len; 175 + nsegs++; 176 + ix++; 177 + if (span >= max_size || nsegs >= max_segs) 178 + break; 179 + skip = 0; 180 + n -= len; 181 + } 182 + 183 + return min(span, max_size); 184 + } 185 + 186 + /* 146 187 * Select the span of an xarray iterator we're going to use. Limit it by both 147 188 * maximum size and maximum number of segments. It is assumed that segments 148 189 * can be larger than a page in size, provided they're physically contiguous. ··· 286 245 return netfs_limit_bvec(iter, start_offset, max_size, max_segs); 287 246 if (iov_iter_is_xarray(iter)) 288 247 return netfs_limit_xarray(iter, start_offset, max_size, max_segs); 248 + if (iov_iter_is_kvec(iter)) 249 + return netfs_limit_kvec(iter, start_offset, max_size, max_segs); 289 250 BUG(); 290 251 } 291 252 EXPORT_SYMBOL(netfs_limit_iter);