Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp782414ybl; Wed, 11 Dec 2019 07:26:49 -0800 (PST) X-Google-Smtp-Source: APXvYqw99XUS8VR4dlHi8f387z5ZVkE5JDi224lnIj7PoQ3g0pRuMdet1FKeBagNwofFDfqVVRou X-Received: by 2002:aca:1c09:: with SMTP id c9mr3344312oic.85.1576078009034; Wed, 11 Dec 2019 07:26:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1576078009; cv=none; d=google.com; s=arc-20160816; b=YME0mdwEUlkNtzya3lMlL0v3WQyDh0/Pz70l7Wxup4VzbxKzFZa9JONNmkTdjETXP5 NPwyS4bqO6VJlyEkC49vUBwWb2aXUIrws8kC7/F41CmDKtmi6XzyPlJ8v6JOpmloDROW mrXAWsld2bFlnM8VDgaAmQenQ6eFRM5nw4yQi0HQyhWRwE9cuwv/0qGiH3vCZGS8nwZt gmhsGdt6xAoOi0+Vp0wlrZLv/4B1egbasrOu2Mkp2arHhC6X82koxKqr/2cTuwzWAJuM HhykwtPpIVnQFfZJW9CYV2FVgdfipzwibrg3RozSOzTR9eu4By8BSB66gu9AAXBRGy+O yzFg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=xulA7q0WPH0RpRgSEbyj6nolDQYSUOeozDPPKtTvi7E=; b=BrgGMgqoDOBScRC1//8yWjuSP0F0ALDJDLR2O56GfVBkIJElqxsffrGUYGTGx+hJQX QX7w6o20Z5diJlNvhMRqkr1BGwE1HLQl/o8uy8yxT5CVyWg2FVdbQI4IoQTPai3rWIOq IRVazkQFfZXFmDp5CUc4vHrBr0/tkcLC1992gFuU5TXeaghBuSuflJP04KO2Vtqd8XZi /L6gdoAOTerNxSJh0fb+1oSPZu/QwewC2NRan+UwyMkiqgzfU6oTsDwKlavmw4pCflYw 9b1uF0+GLxEKujB0PxwmNHkHFAM/yoWKsRuXZlN3qIyeQQUnLJHJh+3O1fGHJyonhXX3 g3Iw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=daaeIyrI; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m24si1271340otn.67.2019.12.11.07.26.36; Wed, 11 Dec 2019 07:26:49 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=daaeIyrI; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733071AbfLKP0I (ORCPT + 99 others); Wed, 11 Dec 2019 10:26:08 -0500 Received: from mail.kernel.org ([198.145.29.99]:58974 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733057AbfLKP0F (ORCPT ); Wed, 11 Dec 2019 10:26:05 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C0231222C4; Wed, 11 Dec 2019 15:26:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1576077965; bh=i5BGrY1ElwEElS/X7wKf37aj7r/syxINuT+nIDrQYPo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=daaeIyrITpVgQJue3l/TMsfVcbTbrmWHY4c0ZVUICXkMNwJujD4ZX84qFj2/X68m0 zcI6WYwHWqGejY4cwcK7KnKGIsoMp1Fp5h49Wy2rsQcgKMHdPCCFeSYb5OhWhXTDMv y2MWPXuQHdQR6mEisHeFiM8OcW6HxP8O7JkMJrHM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+991400e8eba7e00a26e1@syzkaller.appspotmail.com, Jan Kara , "Darrick J. Wong" , Christoph Hellwig Subject: [PATCH 4.19 239/243] iomap: Fix pipe page leakage during splicing Date: Wed, 11 Dec 2019 16:06:41 +0100 Message-Id: <20191211150355.471454825@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20191211150339.185439726@linuxfoundation.org> References: <20191211150339.185439726@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jan Kara commit 419e9c38aa075ed0cd3c13d47e15954b686bcdb6 upstream. When splicing using iomap_dio_rw() to a pipe, we may leak pipe pages because bio_iov_iter_get_pages() records that the pipe will have full extent worth of data however if file size is not block size aligned iomap_dio_rw() returns less than what bio_iov_iter_get_pages() set up and splice code gets confused leaking a pipe page with the file tail. Handle the situation similarly to the old direct IO implementation and revert iter to actually returned read amount which makes iter consistent with value returned from iomap_dio_rw() and thus the splice code is happy. Fixes: ff6a9292e6f6 ("iomap: implement direct I/O") CC: stable@vger.kernel.org Reported-by: syzbot+991400e8eba7e00a26e1@syzkaller.appspotmail.com Signed-off-by: Jan Kara Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman --- fs/iomap.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) --- a/fs/iomap.c +++ b/fs/iomap.c @@ -1913,8 +1913,15 @@ iomap_dio_rw(struct kiocb *iocb, struct } pos += ret; - if (iov_iter_rw(iter) == READ && pos >= dio->i_size) + if (iov_iter_rw(iter) == READ && pos >= dio->i_size) { + /* + * We only report that we've read data up to i_size. + * Revert iter to a state corresponding to that as + * some callers (such as splice code) rely on it. + */ + iov_iter_revert(iter, pos - dio->i_size); break; + } } while ((count = iov_iter_count(iter)) > 0); blk_finish_plug(&plug);