From: Trond Myklebust trond.myklebust@hammerspace.com
stable inclusion from stable-v6.6.61 commit a2746ab3bbc9c6408da5cd072653ec8c24749235 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5AUF CVE: CVE-2024-50272
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit ace149e0830c380ddfce7e466fe860ca502fe4ee upstream.
If the caller supplies an iocb->ki_pos value that is close to the filesystem upper limit, and an iterator with a count that causes us to overflow that limit, then filemap_read() enters an infinite loop.
This behaviour was discovered when testing xfstests generic/525 with the "localio" optimisation for loopback NFS mounts.
Reported-by: Mike Snitzer snitzer@kernel.org Fixes: c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()") Tested-by: Mike Snitzer snitzer@kernel.org Signed-off-by: Trond Myklebust trond.myklebust@hammerspace.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Conflicts: mm/filemap.c [Context conflicts.] Signed-off-by: Jinjiang Tu tujinjiang@huawei.com --- mm/filemap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/filemap.c b/mm/filemap.c index 328bc2b1fb58..68c368c0782b 100644 --- a/mm/filemap.c +++ b/mm/filemap.c @@ -2554,7 +2554,7 @@ ssize_t generic_file_buffered_read(struct kiocb *iocb, if (unlikely(!iov_iter_count(iter))) return 0;
- iov_iter_truncate(iter, inode->i_sb->s_maxbytes); + iov_iter_truncate(iter, inode->i_sb->s_maxbytes - iocb->ki_pos);
if (nr_pages > ARRAY_SIZE(pages_onstack)) pages = kmalloc_array(nr_pages, sizeof(void *), GFP_KERNEL);