* [PATCH] tty: fix when iov_iter_count() returns 0 in tty_write()
@ 2021-02-17 14:43 Sabyrzhan Tasbolatov
2021-02-17 15:13 ` Greg KH
0 siblings, 1 reply; 5+ messages in thread
From: Sabyrzhan Tasbolatov @ 2021-02-17 14:43 UTC (permalink / raw)
To: gregkh, jirislaby; +Cc: linux-kernel, syzbot+3d2c27c2b7dc2a94814d
syzbot found WARNING in iov_iter_revert[1] when iov_iter_count() returns 0,
therefore INT_MAX is passed to iov_iter_revert() causing > MAX_RW_COUNT
warning.
static inline ssize_t do_tty_write()
{
..
size_t count = iov_iter_count(from);
..
size_t size = count;
if (ret != size)
iov_iter_revert(from, size-ret);
[1] WARNING: lib/iov_iter.c:1090
Call Trace:
do_tty_write drivers/tty/tty_io.c:967 [inline]
file_tty_write.constprop.0+0x55f/0x8f0 drivers/tty/tty_io.c:1048
call_write_iter include/linux/fs.h:1901 [inline]
new_sync_write+0x426/0x650 fs/read_write.c:518
vfs_write+0x791/0xa30 fs/read_write.c:605
ksys_write+0x12d/0x250 fs/read_write.c:658
Fixes: 494e63ee9c("tty: implement write_iter")
Reported-by: syzbot+3d2c27c2b7dc2a94814d@syzkaller.appspotmail.com
Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
---
drivers/tty/tty_io.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 816e709afa56..8d6d579ecc3b 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -905,6 +905,9 @@ static inline ssize_t do_tty_write(
ssize_t ret, written = 0;
unsigned int chunk;
+ if (!count)
+ return -EINVAL;
+
ret = tty_write_lock(tty, file->f_flags & O_NDELAY);
if (ret < 0)
return ret;
--
2.25.1
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH] tty: fix when iov_iter_count() returns 0 in tty_write() 2021-02-17 14:43 [PATCH] tty: fix when iov_iter_count() returns 0 in tty_write() Sabyrzhan Tasbolatov @ 2021-02-17 15:13 ` Greg KH 2021-02-17 15:15 ` Greg KH 0 siblings, 1 reply; 5+ messages in thread From: Greg KH @ 2021-02-17 15:13 UTC (permalink / raw) To: Sabyrzhan Tasbolatov; +Cc: jirislaby, linux-kernel, syzbot+3d2c27c2b7dc2a94814d On Wed, Feb 17, 2021 at 08:43:47PM +0600, Sabyrzhan Tasbolatov wrote: > syzbot found WARNING in iov_iter_revert[1] when iov_iter_count() returns 0, > therefore INT_MAX is passed to iov_iter_revert() causing > MAX_RW_COUNT > warning. > > static inline ssize_t do_tty_write() > { > .. > size_t count = iov_iter_count(from); > .. > size_t size = count; > if (ret != size) > iov_iter_revert(from, size-ret); > > [1] WARNING: lib/iov_iter.c:1090 > Call Trace: > do_tty_write drivers/tty/tty_io.c:967 [inline] > file_tty_write.constprop.0+0x55f/0x8f0 drivers/tty/tty_io.c:1048 > call_write_iter include/linux/fs.h:1901 [inline] > new_sync_write+0x426/0x650 fs/read_write.c:518 > vfs_write+0x791/0xa30 fs/read_write.c:605 > ksys_write+0x12d/0x250 fs/read_write.c:658 > > Fixes: 494e63ee9c("tty: implement write_iter") Nit, you need a ' ' before your '(' character here, otherwise the linux-next scripts will complain. > Reported-by: syzbot+3d2c27c2b7dc2a94814d@syzkaller.appspotmail.com > Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com> > --- > drivers/tty/tty_io.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c > index 816e709afa56..8d6d579ecc3b 100644 > --- a/drivers/tty/tty_io.c > +++ b/drivers/tty/tty_io.c > @@ -905,6 +905,9 @@ static inline ssize_t do_tty_write( > ssize_t ret, written = 0; > unsigned int chunk; > > + if (!count) > + return -EINVAL; According to the man page for write(2), I think this is the wrong error value to return, unless that is the value that was returned on kernels before the commit listed above. Can you verify this? thanks, greg k-h ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] tty: fix when iov_iter_count() returns 0 in tty_write() 2021-02-17 15:13 ` Greg KH @ 2021-02-17 15:15 ` Greg KH 2021-02-17 15:55 ` [PATCH v2] " Sabyrzhan Tasbolatov 0 siblings, 1 reply; 5+ messages in thread From: Greg KH @ 2021-02-17 15:15 UTC (permalink / raw) To: Sabyrzhan Tasbolatov; +Cc: jirislaby, linux-kernel, syzbot+3d2c27c2b7dc2a94814d On Wed, Feb 17, 2021 at 04:13:58PM +0100, Greg KH wrote: > On Wed, Feb 17, 2021 at 08:43:47PM +0600, Sabyrzhan Tasbolatov wrote: > > syzbot found WARNING in iov_iter_revert[1] when iov_iter_count() returns 0, > > therefore INT_MAX is passed to iov_iter_revert() causing > MAX_RW_COUNT > > warning. > > > > static inline ssize_t do_tty_write() > > { > > .. > > size_t count = iov_iter_count(from); > > .. > > size_t size = count; > > if (ret != size) > > iov_iter_revert(from, size-ret); > > > > [1] WARNING: lib/iov_iter.c:1090 > > Call Trace: > > do_tty_write drivers/tty/tty_io.c:967 [inline] > > file_tty_write.constprop.0+0x55f/0x8f0 drivers/tty/tty_io.c:1048 > > call_write_iter include/linux/fs.h:1901 [inline] > > new_sync_write+0x426/0x650 fs/read_write.c:518 > > vfs_write+0x791/0xa30 fs/read_write.c:605 > > ksys_write+0x12d/0x250 fs/read_write.c:658 > > > > Fixes: 494e63ee9c("tty: implement write_iter") > > Nit, you need a ' ' before your '(' character here, otherwise the > linux-next scripts will complain. Also, you got the git commit id wrong, so this needs to be fixed up anyway. You are pointing to a merge point, I doubt that's what you want to point to here, right? thanks, greg k-h ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v2] tty: fix when iov_iter_count() returns 0 in tty_write() 2021-02-17 15:15 ` Greg KH @ 2021-02-17 15:55 ` Sabyrzhan Tasbolatov 2021-02-19 9:17 ` Jiri Slaby 0 siblings, 1 reply; 5+ messages in thread From: Sabyrzhan Tasbolatov @ 2021-02-17 15:55 UTC (permalink / raw) To: gregkh; +Cc: jirislaby, linux-kernel, snovitoll, syzbot+3d2c27c2b7dc2a94814d syzbot found WARNING in iov_iter_revert[1] when iov_iter_count() returns 0, therefore INT_MAX is passed to iov_iter_revert() causing > MAX_RW_COUNT warning. static inline ssize_t do_tty_write() { .. size_t count = iov_iter_count(from); .. size_t size = count; if (ret != size) iov_iter_revert(from, size-ret); [1] WARNING: lib/iov_iter.c:1090 Call Trace: do_tty_write drivers/tty/tty_io.c:967 [inline] file_tty_write.constprop.0+0x55f/0x8f0 drivers/tty/tty_io.c:1048 call_write_iter include/linux/fs.h:1901 [inline] new_sync_write+0x426/0x650 fs/read_write.c:518 vfs_write+0x791/0xa30 fs/read_write.c:605 ksys_write+0x12d/0x250 fs/read_write.c:658 Fixes: 9bb48c82aced ("tty: implement write_iter") Reported-by: syzbot+3d2c27c2b7dc2a94814d@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com> --- v2: Fixed "Fixed" tag to proper commit and changed write return to -EFAULT as this statement is valid, tested via strace: write(3, NULL, 0) = -1 EFAULT (Bad address) Updated to -EFAULT, should be a valid exit code as copy_from_iter(.., .., from) returns -EFAULT as well if *from is invalid address. > > Nit, you need a ' ' before your '(' character here, otherwise the > linux-next scripts will complain. > Also, you got the git commit id wrong, so this needs to be fixed up > anyway. You are pointing to a merge point, I doubt that's what you want > to point to here, right? Thanks! --- drivers/tty/tty_io.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c index 816e709afa56..e1460cad8b7d 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c @@ -905,6 +905,9 @@ static inline ssize_t do_tty_write( ssize_t ret, written = 0; unsigned int chunk; + if (!count) + return -EFAULT; + ret = tty_write_lock(tty, file->f_flags & O_NDELAY); if (ret < 0) return ret; -- 2.25.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v2] tty: fix when iov_iter_count() returns 0 in tty_write() 2021-02-17 15:55 ` [PATCH v2] " Sabyrzhan Tasbolatov @ 2021-02-19 9:17 ` Jiri Slaby 0 siblings, 0 replies; 5+ messages in thread From: Jiri Slaby @ 2021-02-19 9:17 UTC (permalink / raw) To: Sabyrzhan Tasbolatov, gregkh; +Cc: linux-kernel, syzbot+3d2c27c2b7dc2a94814d On 17. 02. 21, 16:55, Sabyrzhan Tasbolatov wrote: > syzbot found WARNING in iov_iter_revert[1] when iov_iter_count() returns 0, > therefore INT_MAX is passed to iov_iter_revert() causing > MAX_RW_COUNT > warning. > > static inline ssize_t do_tty_write() > { > .. > size_t count = iov_iter_count(from); > .. > size_t size = count; > if (ret != size) > iov_iter_revert(from, size-ret); > > [1] WARNING: lib/iov_iter.c:1090 > Call Trace: > do_tty_write drivers/tty/tty_io.c:967 [inline] > file_tty_write.constprop.0+0x55f/0x8f0 drivers/tty/tty_io.c:1048 > call_write_iter include/linux/fs.h:1901 [inline] > new_sync_write+0x426/0x650 fs/read_write.c:518 > vfs_write+0x791/0xa30 fs/read_write.c:605 > ksys_write+0x12d/0x250 fs/read_write.c:658 > > Fixes: 9bb48c82aced ("tty: implement write_iter") > Reported-by: syzbot+3d2c27c2b7dc2a94814d@syzkaller.appspotmail.com > Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com> > --- > > v2: Fixed "Fixed" tag to proper commit and changed write return to -EFAULT > as this statement is valid, tested via strace: > > write(3, NULL, 0) = -1 EFAULT (Bad address) > > Updated to -EFAULT, should be a valid exit code as > copy_from_iter(.., .., from) returns -EFAULT as well if *from is invalid > address. Exactly, EFAULT is for invalid memory accesses. But this should be IMO EINVAL as it's an invalid argument. BTW what's the reason vfs calls ->write with zero count of iter? >> Nit, you need a ' ' before your '(' character here, otherwise the >> linux-next scripts will complain. > >> Also, you got the git commit id wrong, so this needs to be fixed up >> anyway. You are pointing to a merge point, I doubt that's what you want >> to point to here, right? > > Thanks! > --- > drivers/tty/tty_io.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c > index 816e709afa56..e1460cad8b7d 100644 > --- a/drivers/tty/tty_io.c > +++ b/drivers/tty/tty_io.c > @@ -905,6 +905,9 @@ static inline ssize_t do_tty_write( > ssize_t ret, written = 0; > unsigned int chunk; > > + if (!count) > + return -EFAULT; > + > ret = tty_write_lock(tty, file->f_flags & O_NDELAY); > if (ret < 0) > return ret; > -- js ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-02-19 9:18 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-02-17 14:43 [PATCH] tty: fix when iov_iter_count() returns 0 in tty_write() Sabyrzhan Tasbolatov 2021-02-17 15:13 ` Greg KH 2021-02-17 15:15 ` Greg KH 2021-02-17 15:55 ` [PATCH v2] " Sabyrzhan Tasbolatov 2021-02-19 9:17 ` Jiri Slaby
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.