From: Max Kellermann max.kellermann@ionos.com
mainline inclusion
from mainline-v5.17-rc6
commit 9d2231c5d74e13b2a0546fee6737ee4446017903
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4WUKP?from=project-issue
CVE: CVE-2022-0847
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/li...
--------------------------------
The functions copy_page_to_iter_pipe() and push_pipe() can both allocate a new pipe_buffer, but the "flags" member initializer is missing.
Fixes: 241699cd72a8 ("new iov_iter flavour: pipe-backed")
To: Alexander Viro viro@zeniv.linux.org.uk
To: linux-fsdevel@vger.kernel.org
To: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Max Kellermann max.kellermann@ionos.com
Signed-off-by: Al Viro viro@zeniv.linux.org.uk
Signed-off-by: Zhihao Cheng chengzhihao1@huawei.com
Reviewed-by: Zhang Yi yi.zhang@huawei.com
Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com
---
 lib/iov_iter.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lib/iov_iter.c b/lib/iov_iter.c index b364231b5fc8..1b0a349fbcd9 100644 --- a/lib/iov_iter.c +++ b/lib/iov_iter.c @@ -407,6 +407,7 @@ static size_t copy_page_to_iter_pipe(struct page *page, size_t offset, size_t by return 0;
buf->ops = &page_cache_pipe_buf_ops; + buf->flags = 0; get_page(page); buf->page = page; buf->offset = offset; @@ -543,6 +544,7 @@ static size_t push_pipe(struct iov_iter *i, size_t size, break;
buf->ops = &default_pipe_buf_ops; + buf->flags = 0; buf->page = page; buf->offset = 0; buf->len = min_t(ssize_t, left, PAGE_SIZE);
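Review bot: in the copy_page_to_iter_pipe() hunk, the new `buf->flags = 0;` carries no comment, and the commit message says only that the initializer is missing, not what goes wrong without it, even though this buffer is set up with page_cache_pipe_buf_ops and a get_page(page) reference. Because the members are assigned one at a time, a member that is not assigned keeps whatever value the buffer already held. Please add a one-line comment at the assignment, or a sentence in the message, saying that the carried-over flags are the problem, so that a later cleanup does not drop the line as redundant.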
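Review bot: the push_pipe() hunk repeats the one-line fix from copy_page_to_iter_pipe(), which leaves two open-coded initialization sequences (ops, flags, page, offset, len) that each have to remember every member of struct pipe_buffer by hand. Consider a shared helper or a compound-literal assignment such as `*buf = (struct pipe_buffer){ .ops = &default_pipe_buf_ops, .page = page, ... };` so that unlisted members are zeroed by construction. That is better done as a follow-up than in this backport, which should stay identical to the mainline commit.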