From: Trond Myklebust <trond.myklebust@hammerspace.com>

stable inclusion
from stable-v6.6.61
commit a2746ab3bbc9c6408da5cd072653ec8c24749235
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5AUF
CVE: CVE-2024-50272
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

--------------------------------

commit ace149e0830c380ddfce7e466fe860ca502fe4ee upstream.

If the caller supplies an iocb->ki_pos value that is close to the filesystem upper limit, and an iterator with a count that causes us to overflow that limit, then filemap_read() enters an infinite loop.

This behaviour was discovered when testing xfstests generic/525 with the "localio" optimisation for loopback NFS mounts.

Reported-by: Mike Snitzer <snitzer@kernel.org>
Fixes: c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()")
Tested-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Conflicts:
	mm/filemap.c
[Context conflicts.]
Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>
--- mm/filemap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/filemap.c b/mm/filemap.c index 328bc2b1fb58..68c368c0782b 100644 --- a/mm/filemap.c +++ b/mm/filemap.c @@ -2554,7 +2554,7 @@ ssize_t generic_file_buffered_read(struct kiocb *iocb, if (unlikely(!iov_iter_count(iter))) return 0; - iov_iter_truncate(iter, inode->i_sb->s_maxbytes); + iov_iter_truncate(iter, inode->i_sb->s_maxbytes - iocb->ki_pos); if (nr_pages > ARRAY_SIZE(pages_onstack)) pages = kmalloc_array(nr_pages, sizeof(void *), GFP_KERNEL); -- 2.34.1
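Review bot: the new bound `inode->i_sb->s_maxbytes - iocb->ki_pos` in the `iov_iter_truncate()` call is only correct if `iocb->ki_pos` is already known to be below `s_maxbytes` at this point; the hunk's visible context shows only the `!iov_iter_count(iter)` early return, so the backport should be checked to confirm that the existing `ki_pos >= s_maxbytes` guard precedes this line in `generic_file_buffered_read()`, because with `ki_pos` at or past the limit the difference goes negative and, passed as an unsigned count, would leave the iterator untruncated rather than clamped. Since the backport lands in `generic_file_buffered_read()` while the upstream message names `filemap_read()`, the `[Context conflicts.]` line would also be more useful if it said that the call site was relocated to the older function name.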