git.kernelconcepts.de Git - karo-tx-linux.git/commit

author	Dmitry Monakhov <dmonakhov@openvz.org>
	Thu, 29 Jun 2017 18:31:13 +0000 (11:31 -0700)
committer	Jens Axboe <axboe@kernel.dk>
	Mon, 3 Jul 2017 22:56:26 +0000 (16:56 -0600)
commit	b1fb2c52b2d85f51f36f1661409f9aeef94265ff
tree	26f345624f8f3a8adca8689916b2f9d69282051d	tree \| snapshot
parent	128b6f9fdd9ace9e56cb3a263b4bc269658f9c40	commit \| diff

block: guard bvec iteration logic

Currently if some one try to advance bvec beyond it's size we simply
dump WARN_ONCE and continue to iterate beyond bvec array boundaries.
This simply means that we endup dereferencing/corrupting random memory
region.

Sane reaction would be to propagate error back to calling context
But bvec_iter_advance's calling context is not always good for error
handling. For safity reason let truncate iterator size to zero which
will break external iteration loop which prevent us from unpredictable
memory range corruption. And even it caller ignores an error, it will
corrupt it's own bvecs, not others.

This patch does:
- Return error back to caller with hope that it will react on this
- Truncate iterator size

Code was added long time ago here 4550dd6c, luckily no one hit it
in real life :)

Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
[hch: switch to true/false returns instead of errno values]
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

drivers/nvdimm/blk.c		diff \| blob \| history
drivers/nvdimm/btt.c		diff \| blob \| history
include/linux/bio.h		diff \| blob \| history
include/linux/bvec.h		diff \| blob \| history