[Devel,RHEL7,COMMIT] vfs: panic in guard_bio_eod() if truncated_bytes > bvec->bv_len

Submitted by Konstantin Khorenko on Dec. 5, 2016, 9:08 a.m.


Message ID 201612050908.uB598ZVE019929@finist_cl7.x64_64.work.ct
State New
Series "vfs: add warning in guard_bio_eod() if truncated_bytes > bvec->bv_len"

Commit Message

Konstantin Khorenko Dec. 5, 2016, 9:08 a.m.
The commit is pushed to "branch-rh7-3.10.0-327.36.1.vz7.20.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.36.1.vz7.20.10
commit 37d9a5c875a6617c010882813c246875d3f86a3c
Author: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Date:   Mon Dec 5 13:08:35 2016 +0400

    vfs: panic in guard_bio_eod() if truncated_bytes > bvec->bv_len

    In the bug we crashed in zero_fill_bio() when trying to memset a bio_vec to zero:

    struct bio_vec {
      bv_page = 0xffffea0004437500,
      bv_len = 4294948864,
      bv_offset = 0

    which is bigger than its bio->bi_size = 104448. guard_bio_eod() might
    lead to this bv_len overflow and is suspicious, as quite recently,
    in vz7.19.4, we ported commit 2573b2539875 ("vfs: make guard_bh_eod()
    more generic"), which adds the bv_len reduction, and before that there
    was no crash.

    Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
    Acked-by: Konstantin Khorenko <khorenko@virtuozzo.com>

    khorenko@: s/WARN_ON/BUG_ON/ because we'll crash anyway a moment later
    or corrupt memory, which is also unacceptable.
 fs/buffer.c | 1 +
 1 file changed, 1 insertion(+)
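The bv_len value in the report, 4294948864, is 2^32 - 18432: an unsigned int that went negative by 18432 bytes and wrapped. The userspace model below is an added illustration, not code from the vzkernel tree or from the patch author. It cuts struct bio and struct bio_vec down to the fields the patch touches, reproduces the two subtractions that guard_bio_eod() performs on the last bvec, and contrasts them with a guarded variant that refuses an oversized truncation and leaves the bio untouched instead of calling BUG_ON. The sizes (bv_len 4096, truncated_bytes 22528, bi_size 104448) are constructed so that the unguarded path wraps to exactly the bv_len from the report; the extra bi_size check in the guarded variant is this example's own addition and is not in the patch.

```c
/*
 * Userspace model of the truncation done at the end of guard_bio_eod()
 * (fs/buffer.c).  Added example: the structs are reduced to the fields
 * the patch touches, and the sample sizes are constructed so that the
 * unguarded subtraction wraps to the bv_len the bug report shows.
 */
#include <stdio.h>

struct bio_vec {
    void *bv_page;            /* stands in for struct page * */
    unsigned int bv_len;      /* unsigned, as in the kernel: wraps on underflow */
    unsigned int bv_offset;
};

struct bio {
    unsigned int bi_size;     /* bytes remaining in the bio */
    struct bio_vec last_bvec; /* the bvec guard_bio_eod() shrinks */
};

/* Build a bio whose last bvec carries bv_len bytes (sample values). */
static struct bio make_bio(unsigned int bi_size, unsigned int bv_len)
{
    struct bio bio;
    bio.bi_size = bi_size;
    bio.last_bvec.bv_page = NULL;
    bio.last_bvec.bv_len = bv_len;
    bio.last_bvec.bv_offset = 0;
    return bio;
}

/* Unguarded: the two subtractions exactly as they stood before the patch.
 * If truncated_bytes > bv_len, bv_len wraps to a huge value and the later
 * zero-fill of "bv_len" bytes runs off the page. */
static void truncate_unguarded(struct bio *bio, unsigned int truncated_bytes)
{
    bio->bi_size -= truncated_bytes;
    bio->last_bvec.bv_len -= truncated_bytes;
}

/* Guarded: check before touching anything, so a rejected truncation leaves
 * bi_size and bv_len consistent.  The bi_size check is this example's own
 * addition; the patch only checks bv_len (and panics instead of returning). */
static int truncate_guarded(struct bio *bio, unsigned int truncated_bytes)
{
    if (truncated_bytes > bio->last_bvec.bv_len)
        return -1;
    if (truncated_bytes > bio->bi_size)
        return -1;
    bio->bi_size -= truncated_bytes;
    bio->last_bvec.bv_len -= truncated_bytes;
    return 0;
}

/* bv_len left behind by the unguarded path for the given sizes. */
static unsigned int wrapped_bv_len(unsigned int bv_len, unsigned int truncated)
{
    struct bio bio = make_bio(104448, bv_len);
    truncate_unguarded(&bio, truncated);
    return bio.last_bvec.bv_len;
}

/* Verdict (0 ok, -1 rejected) of the guarded path for the given sizes. */
static int guarded_verdict(unsigned int bv_len, unsigned int truncated)
{
    struct bio bio = make_bio(104448, bv_len);
    return truncate_guarded(&bio, truncated);
}

/* bv_len after the guarded path: reduced on success, unchanged on reject. */
static unsigned int guarded_bv_len(unsigned int bv_len, unsigned int truncated)
{
    struct bio bio = make_bio(104448, bv_len);
    truncate_guarded(&bio, truncated);
    return bio.last_bvec.bv_len;
}

int main(void)
{
    /* Constructed sizes: 4096 - 22528 = -18432, which wraps to 4294948864. */
    printf("unguarded bv_len: %u\n", wrapped_bv_len(4096, 22528));
    printf("guarded verdict:  %d (bv_len stays %u)\n",
           guarded_verdict(4096, 22528), guarded_bv_len(4096, 22528));
    printf("guarded ok case:  %d (bv_len becomes %u)\n",
           guarded_verdict(4096, 1024), guarded_bv_len(4096, 1024));
    return 0;
}
```

The kernel patch deliberately chooses BUG_ON over a recoverable return, since a bvec with a wrapped bv_len would be used moments later; the guarded variant here shows what the alternative looks like when the caller can be told to abort the I/O instead.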

Patch

diff --git a/fs/buffer.c b/fs/buffer.c
index c45200d..13a6d56 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -3009,6 +3009,7 @@  void guard_bio_eod(int rw, struct bio *bio)
 	/* Truncate the bio.. */
 	bio->bi_size -= truncated_bytes;
+	BUG_ON(truncated_bytes > bvec->bv_len);
 	bvec->bv_len -= truncated_bytes;
 	/* ..and clear the end of the buffer for reads */
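Review bot: the added BUG_ON sits after `bio->bi_size -= truncated_bytes;` has already run, so when it fires the crash dump shows a bi_size that was reduced while bv_len was not; moving the check up one line, before both subtractions, keeps the two fields consistent in the dump, which matters here because the report is being read from exactly such values (a bv_len of 4294948864, that is 2^32 - 18432, only makes sense as an unsigned wrap). Separately, the check detects the inconsistency but nothing in the hunk says how truncated_bytes can come to exceed the last bvec's bv_len; a one-line comment stating the invariant being asserted (the truncation must fit inside the last bvec), or a pointer to the follow-up that fixes the caller computing truncated_bytes, would make the BUG_ON easier to act on when it trips.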