lib/iov_iter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
If iov_offset is non-zero, then we need to consider iov_offset in length
calculation, otherwise we might pass smaller IOs such as 512 bytes, in
below scenario[1].
This issue is reproducible using lib-uring test/fixed-seg.c application
with fixed buffer on a 512 LBA formatted device.
[1]
At present we pass the alignment check,
for 512 LBA formatted devices, len_mask = 511
when IO is smaller, i->count = 512
has an offset, i->io_offset = 3584
with bvec values, bvec->bv_offset = 256, bvec->bv_len = 3840.
In short, the first 256 bytes are in the current page,
next 256 bytes are in the another page.
Ideally we expect to fail the IO.
Fixes: 2263639f96f2 ("iov_iter: streamline iovec/bvec alignment iteration")
Reviewed-by: Jens Axboe <axboe@kernel.dk>
Reviewed-by: Anuj Gupta <anuj20.g@samsung.com>
Signed-off-by: Nitesh Shetty <nj.shetty@samsung.com>
---
lib/iov_iter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index bc9391e55d57..9ce83ab71bac 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -820,7 +820,7 @@ static bool iov_iter_aligned_bvec(const struct iov_iter *i, unsigned addr_mask,
size_t size = i->count;
do {
- size_t len = bvec->bv_len;
+ size_t len = bvec->bv_len - skip;
if (len > size)
len = size;
base-commit: 02ddfb981de88a2c15621115dd7be2431252c568
--
2.43.0On Mon, 28 Apr 2025 15:28:48 +0530 Nitesh Shetty <nj.shetty@samsung.com> wrote: > If iov_offset is non-zero, then we need to consider iov_offset in length > calculation, otherwise we might pass smaller IOs such as 512 bytes, in > below scenario[1]. > This issue is reproducible using lib-uring test/fixed-seg.c application > with fixed buffer on a 512 LBA formatted device. > > [1] > At present we pass the alignment check, > for 512 LBA formatted devices, len_mask = 511 > when IO is smaller, i->count = 512 > has an offset, i->io_offset = 3584 > with bvec values, bvec->bv_offset = 256, bvec->bv_len = 3840. > In short, the first 256 bytes are in the current page, > next 256 bytes are in the another page. > Ideally we expect to fail the IO. Thanks. Can you please send us a description of the userspace-visible effects of this issue? That will help others to determine whether a -stable backport is desirable and it will be helpful to people who are wondering whether this patch will fix an issue they are experiencing.
On Mon, Apr 28, 2025 at 4:23 PM Nitesh Shetty <nj.shetty@samsung.com> wrote:
>
> If iov_offset is non-zero, then we need to consider iov_offset in length
> calculation, otherwise we might pass smaller IOs such as 512 bytes, in
> below scenario[1].
> This issue is reproducible using lib-uring test/fixed-seg.c application
> with fixed buffer on a 512 LBA formatted device.
>
> [1]
> At present we pass the alignment check,
> for 512 LBA formatted devices, len_mask = 511
> when IO is smaller, i->count = 512
> has an offset, i->io_offset = 3584
> with bvec values, bvec->bv_offset = 256, bvec->bv_len = 3840.
> In short, the first 256 bytes are in the current page,
> next 256 bytes are in the another page.
> Ideally we expect to fail the IO.
>
> Fixes: 2263639f96f2 ("iov_iter: streamline iovec/bvec alignment iteration")
> Reviewed-by: Jens Axboe <axboe@kernel.dk>
> Reviewed-by: Anuj Gupta <anuj20.g@samsung.com>
> Signed-off-by: Nitesh Shetty <nj.shetty@samsung.com>
> ---
Hi Andrew,
Can you review and pick this change ?
Thank you,
Nitesh
© 2016 - 2025 Red Hat, Inc.