[Devel] [PATCH RHEL7 COMMIT] vfs: panic in guard_bio_eod() if truncated_bytes > bvec->bv_len
Konstantin Khorenko
khorenko at virtuozzo.com
Mon Dec 5 01:08:35 PST 2016
The commit is pushed to "branch-rh7-3.10.0-327.36.1.vz7.20.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.36.1.vz7.20.10
------>
commit 37d9a5c875a6617c010882813c246875d3f86a3c
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date: Mon Dec 5 13:08:35 2016 +0400
vfs: panic in guard_bio_eod() if truncated_bytes > bvec->bv_len
In bug we crashed in zero_fill_bio when trying to zero memset bio_vec:
struct bio_vec {
bv_page = 0xffffea0004437500,
bv_len = 4294948864,
bv_offset = 0
}
which is bigger than its bio->bi_size = 104448, guard_bio_eod might
lead to these bv_len overflow and is suspicious as quiet recently
in vz7.19.4 we've ported commit 2573b2539875("vfs: make guard_bh_eod()
more generic") which adds bv_len reduction, and before that there
were no crash.
https://jira.sw.ru/browse/PSBM-55105
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Acked-by: Konstantin Khorenko <khorenko at virtuozzo.com>
khorenko@: s/WARN_ON/BUG_ON/ because we'll crash anyway a moment later
or corrupt memory which is also unacceptable.
---
fs/buffer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/buffer.c b/fs/buffer.c
index c45200d..13a6d56 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -3009,6 +3009,7 @@ void guard_bio_eod(int rw, struct bio *bio)
/* Truncate the bio.. */
bio->bi_size -= truncated_bytes;
+ BUG_ON(truncated_bytes > bvec->bv_len);
bvec->bv_len -= truncated_bytes;
/* ..and clear the end of the buffer for reads */
More information about the Devel
mailing list