From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+991400e8eba7e00a26e1@syzkaller.appspotmail.com, Jan Kara, "Darrick J. Wong", Christoph Hellwig
Subject: [PATCH 5.3 100/105] iomap: Fix pipe page leakage during splicing
Date: Wed, 11 Dec 2019 16:06:29 +0100
Message-Id: <20191211150303.825813412@linuxfoundation.org>
X-Mailer: git-send-email 2.24.1
In-Reply-To: <20191211150221.153659747@linuxfoundation.org>
References: <20191211150221.153659747@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Jan Kara

commit 419e9c38aa075ed0cd3c13d47e15954b686bcdb6 upstream.

When splicing using iomap_dio_rw() to a pipe, we may leak pipe pages
because bio_iov_iter_get_pages() records that the pipe will have full
extent worth of data however if file size is not block size aligned
iomap_dio_rw() returns less than what bio_iov_iter_get_pages() set up
and splice code gets confused leaking a pipe page with the file tail.

Handle the situation similarly to the old direct IO implementation and
revert iter to actually returned read amount which makes iter consistent
with value returned from iomap_dio_rw() and thus the splice code is
happy.

Fixes: ff6a9292e6f6 ("iomap: implement direct I/O")
CC: stable@vger.kernel.org
Reported-by: syzbot+991400e8eba7e00a26e1@syzkaller.appspotmail.com
Signed-off-by: Jan Kara
Reviewed-by: Darrick J. Wong
Signed-off-by: Darrick J. Wong
Reviewed-by: Christoph Hellwig
Signed-off-by: Greg Kroah-Hartman
---
 fs/iomap/direct-io.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/fs/iomap/direct-io.c +++ b/fs/iomap/direct-io.c
@@ -501,8 +501,15 @@ iomap_dio_rw(struct kiocb *iocb, struct } pos += ret; - if (iov_iter_rw(iter) == READ && pos >= dio->i_size) + if (iov_iter_rw(iter) == READ && pos >= dio->i_size) { + /* + * We only report that we've read data up to i_size. + * Revert iter to a state corresponding to that as + * some callers (such as splice code) rely on it. + */ + iov_iter_revert(iter, pos - dio->i_size); break; + } } while ((count = iov_iter_count(iter)) > 0); blk_finish_plug(&plug);
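
Review bot: In the new READ branch, iov_iter_revert(iter, pos - dio->i_size) is only safe if the iterator was advanced by at least pos - dio->i_size bytes during this call, and the hunk does not show what guarantees that. The pos >= dio->i_size test keeps the length non-negative, but nothing in the visible lines shows that the read started below dio->i_size; if a read could reach this loop with its starting position already at or past i_size, the revert would unroll more than this call consumed. Consider extending the comment to name the invariant that bounds the length (for example, that reads starting at or beyond i_size are rejected before the loop), or clamping the revert to the bytes advanced so far.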