diff mbox series

[net] Fix a potential infinite loop in extract_user_to_sg()

Message ID 1967121.1714034372@warthog.procyon.org.uk (mailing list archive)
State New, archived
Headers show
Series [net] Fix a potential infinite loop in extract_user_to_sg() | expand

Commit Message

David Howells April 25, 2024, 8:39 a.m. UTC
Fix extract_user_to_sg() so that it will break out of the loop if
iov_iter_extract_pages() returns 0 rather than looping around forever.

[Note that I've included two fixes lines as the function got moved to a
different file and renamed]

Fixes: 85dd2c8ff368 ("netfs: Add a function to extract a UBUF or IOVEC into a BVEC iterator")
Fixes: f5f82cd18732 ("Move netfs_extract_iter_to_sg() to lib/scatterlist.c")
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Jeff Layton <jlayton@kernel.org>
cc: Steve French <sfrench@samba.org>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: "David S. Miller" <davem@davemloft.net>
cc: Eric Dumazet <edumazet@google.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: netfs@lists.linux.dev
cc: linux-crypto@vger.kernel.org
cc: linux-cifs@vger.kernel.org
cc: linux-fsdevel@vger.kernel.org
cc: netdev@vger.kernel.org
---
 lib/scatterlist.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Jakub Kicinski April 25, 2024, 3:45 p.m. UTC | #1
On Thu, 25 Apr 2024 09:39:32 +0100 David Howells wrote:
> Fix extract_user_to_sg() so that it will break out of the loop if
> iov_iter_extract_pages() returns 0 rather than looping around forever.

Is "goto fail" the right way to break out here?
My intuition would be "break".

On a quick read it seems like res = 0 may occur if we run out of
iterator, is passing maxsize > iter->count illegal?
David Howells April 26, 2024, 8 a.m. UTC | #2
Jakub Kicinski <kuba@kernel.org> wrote:

> On Thu, 25 Apr 2024 09:39:32 +0100 David Howells wrote:
> > Fix extract_user_to_sg() so that it will break out of the loop if
> > iov_iter_extract_pages() returns 0 rather than looping around forever.
> 
> Is "goto fail" the right way to break out here?
> My intuition would be "break".
> 
> On a quick read it seems like res = 0 may occur if we run out of
> iterator, is passing maxsize > iter->count illegal?

I would say that you're not allowed to ask for more than is in the iterator.
In a number of places this is called, it's a clear failure if you can't get
that the requested amount out of it - for example, if we're building a cifs
message and have set all the fields in the header and are trying to encrypt
the message.

David
patchwork-bot+netdevbpf@kernel.org April 26, 2024, 7:50 p.m. UTC | #3
Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Thu, 25 Apr 2024 09:39:32 +0100 you wrote:
> Fix extract_user_to_sg() so that it will break out of the loop if
> iov_iter_extract_pages() returns 0 rather than looping around forever.
> 
> [Note that I've included two fixes lines as the function got moved to a
> different file and renamed]
> 
> Fixes: 85dd2c8ff368 ("netfs: Add a function to extract a UBUF or IOVEC into a BVEC iterator")
> Fixes: f5f82cd18732 ("Move netfs_extract_iter_to_sg() to lib/scatterlist.c")
> Signed-off-by: David Howells <dhowells@redhat.com>
> cc: Jeff Layton <jlayton@kernel.org>
> cc: Steve French <sfrench@samba.org>
> cc: Herbert Xu <herbert@gondor.apana.org.au>
> cc: "David S. Miller" <davem@davemloft.net>
> cc: Eric Dumazet <edumazet@google.com>
> cc: Jakub Kicinski <kuba@kernel.org>
> cc: Paolo Abeni <pabeni@redhat.com>
> cc: netfs@lists.linux.dev
> cc: linux-crypto@vger.kernel.org
> cc: linux-cifs@vger.kernel.org
> cc: linux-fsdevel@vger.kernel.org
> cc: netdev@vger.kernel.org
> 
> [...]

Here is the summary with links:
  - [net] Fix a potential infinite loop in extract_user_to_sg()
    https://git.kernel.org/netdev/net/c/6a30653b604a

You are awesome, thank you!
diff mbox series

Patch

diff --git a/lib/scatterlist.c b/lib/scatterlist.c
index 68b45c82c37a..7bc2220fea80 100644
--- a/lib/scatterlist.c
+++ b/lib/scatterlist.c
@@ -1124,7 +1124,7 @@  static ssize_t extract_user_to_sg(struct iov_iter *iter,
 	do {
 		res = iov_iter_extract_pages(iter, &pages, maxsize, sg_max,
 					     extraction_flags, &off);
-		if (res < 0)
+		if (res <= 0)
 			goto failed;
 
 		len = res;