diff options
| author | Al Viro <viro@zeniv.linux.org.uk> | 2017-05-08 13:54:47 -0400 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2017-05-08 13:54:47 -0400 |
| commit | 5b47d59af68a8735e4637bacedcb4baf6f47c73f (patch) | |
| tree | ca26a750a251a2d70c9c3f1616aa58f0c1c3c46d | |
| parent | a6a5993243550b09f620941dea741b7421fdf79c (diff) | |
fix braino in generic_file_read_iter()
Wrong sign of iov_iter_revert() argument. Unfortunately, slipped through
the testing, since most of the time we don't do anything to the iterator
afterwards and potential oops on walking the iter->iov too far backwards
is too infrequent to be easily triggered.
Add a sanity check in iov_iter_revert() to catch bugs like this one;
fortunately, the same braino hadn't happened in other callers, but we'd
better have a warning if such thing crops up.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| -rw-r--r-- | lib/iov_iter.c | 2 | ||||
| -rw-r--r-- | mm/filemap.c | 2 |
2 files changed, 3 insertions, 1 deletions
diff --git a/lib/iov_iter.c b/lib/iov_iter.c index 60abc44385b7..fc9fb29d00eb 100644 --- a/lib/iov_iter.c +++ b/lib/iov_iter.c @@ -790,6 +790,8 @@ void iov_iter_revert(struct iov_iter *i, size_t unroll) { if (!unroll) return; + if (WARN_ON(unroll > MAX_RW_COUNT)) + return; i->count += unroll; if (unlikely(i->type & ITER_PIPE)) { struct pipe_inode_info *pipe = i->pipe; diff --git a/mm/filemap.c b/mm/filemap.c index cc480c07c71b..d6e67be1802e 100644 --- a/mm/filemap.c +++ b/mm/filemap.c @@ -2048,7 +2048,7 @@ generic_file_read_iter(struct kiocb *iocb, struct iov_iter *iter) iocb->ki_pos += retval; count -= retval; } - iov_iter_revert(iter, iov_iter_count(iter) - count); + iov_iter_revert(iter, count - iov_iter_count(iter)); /* * Btrfs can have a short DIO read if we encounter |