1. Patchew
  2. linux
  3. View series

[PATCH net] Fix a potential infinite loop in extract_user_to_sg()

David Howells posted 1 patch 1 year, 9 months ago 
lib/scatterlist.c |    2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH net] Fix a potential infinite loop in extract_user_to_sg()
Posted by David Howells 1 year, 9 months ago 
    
Fix extract_user_to_sg() so that it will break out of the loop if
iov_iter_extract_pages() returns 0 rather than looping around forever.

[Note that I've included two fixes lines as the function got moved to a
different file and renamed]

Fixes: 85dd2c8ff368 ("netfs: Add a function to extract a UBUF or IOVEC into a BVEC iterator")
Fixes: f5f82cd18732 ("Move netfs_extract_iter_to_sg() to lib/scatterlist.c")
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Jeff Layton <jlayton@kernel.org>
cc: Steve French <sfrench@samba.org>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: "David S. Miller" <davem@davemloft.net>
cc: Eric Dumazet <edumazet@google.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: netfs@lists.linux.dev
cc: linux-crypto@vger.kernel.org
cc: linux-cifs@vger.kernel.org
cc: linux-fsdevel@vger.kernel.org
cc: netdev@vger.kernel.org
---
 lib/scatterlist.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/scatterlist.c b/lib/scatterlist.c
index 68b45c82c37a..7bc2220fea80 100644
--- a/lib/scatterlist.c
+++ b/lib/scatterlist.c
@@ -1124,7 +1124,7 @@ static ssize_t extract_user_to_sg(struct iov_iter *iter,
 	do {
 		res = iov_iter_extract_pages(iter, &pages, maxsize, sg_max,
 					     extraction_flags, &off);
-		if (res < 0)
+		if (res <= 0)
 			goto failed;
 
 		len = res;
Re: [PATCH net] Fix a potential infinite loop in extract_user_to_sg()
Posted by Jakub Kicinski 1 year, 9 months ago 
On Thu, 25 Apr 2024 09:39:32 +0100 David Howells wrote:
> Fix extract_user_to_sg() so that it will break out of the loop if
> iov_iter_extract_pages() returns 0 rather than looping around forever.

Is "goto fail" the right way to break out here?
My intuition would be "break".

On a quick read it seems like res = 0 may occur if we run out of
iterator, is passing maxsize > iter->count illegal?
Re: [PATCH net] Fix a potential infinite loop in extract_user_to_sg()
Posted by David Howells 1 year, 9 months ago 
Jakub Kicinski <kuba@kernel.org> wrote:

> On Thu, 25 Apr 2024 09:39:32 +0100 David Howells wrote:
> > Fix extract_user_to_sg() so that it will break out of the loop if
> > iov_iter_extract_pages() returns 0 rather than looping around forever.
> 
> Is "goto fail" the right way to break out here?
> My intuition would be "break".
> 
> On a quick read it seems like res = 0 may occur if we run out of
> iterator, is passing maxsize > iter->count illegal?

I would say that you're not allowed to ask for more than is in the iterator.
In a number of places this is called, it's a clear failure if you can't get
that the requested amount out of it - for example, if we're building a cifs
message and have set all the fields in the header and are trying to encrypt
the message.

David

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.