[PATCH v1] iov_iter: fix page_copy_sane for compound pages

[PATCH v1] iov_iter: fix page_copy_sane for compound pages

[Petar Penkov]

Issue is that if the data crosses a page boundary inside a compound
page, this check will incorrectly trigger a WARN_ON.

To fix this, compute the order using the head of the compound page and
adjust the offset to be relative to that head.

Fixes: 72e809ed81ed ("iov_iter: sanity checks for copy to/from page
primitives")

Signed-off-by: Petar Penkov <ppenkov@google.com>
CC: Al Viro <viro@zeniv.linux.org.uk>
CC: Eric Dumazet <edumazet@google.com>
---
 lib/iov_iter.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 52c8dd6d8e82..1c1c06ddc20a 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -687,8 +687,10 @@ EXPORT_SYMBOL(_copy_from_iter_full_nocache);
 
 static inline bool page_copy_sane(struct page *page, size_t offset, size_t n)
 {
-	size_t v = n + offset;
-	if (likely(n <= v && v <= (PAGE_SIZE << compound_order(page))))
+	struct page *head = compound_head(page);
+	size_t v = n + offset + page_address(page) - page_address(head);
+
+	if (likely(n <= v && v <= (PAGE_SIZE << compound_order(head))))
 		return true;
 	WARN_ON(1);
 	return false;
-- 
2.14.1.342.g6490525c54-goog

Re: [v1] iov_iter: fix page_copy_sane for compound pages

[Thiago Macieira]

On Tuesday, 29 August 2017 11:20:32 PDT Petar Penkov wrote:
> Issue is that if the data crosses a page boundary inside a compound
> page, this check will incorrectly trigger a WARN_ON.
> 
> To fix this, compute the order using the head of the compound page and
> adjust the offset to be relative to that head.
> 
> Fixes: 72e809ed81ed ("iov_iter: sanity checks for copy to/from page
> primitives")

Hello

Is this patch slated to end up in one of the 4.13.x updates? It landed on 
v4.14-rc2 already but seems to have missed the 4.13.3 and 4.13.4 tagging.

Without this patch, I can't connect any USB Ethernet or the kernel will start 
producing that WARN_ON message and returning -EFAULT for quite a few programs.

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
   Software Architect - Intel Open Source Technology Center

Re: [v1] iov_iter: fix page_copy_sane for compound pages

[Eric Dumazet]

On Sat, Sep 30, 2017 at 12:24 PM, Thiago Macieira
<thiago.macieira@intel.com> wrote:
> On Tuesday, 29 August 2017 11:20:32 PDT Petar Penkov wrote:
>> Issue is that if the data crosses a page boundary inside a compound
>> page, this check will incorrectly trigger a WARN_ON.
>>
>> To fix this, compute the order using the head of the compound page and
>> adjust the offset to be relative to that head.
>>
>> Fixes: 72e809ed81ed ("iov_iter: sanity checks for copy to/from page
>> primitives")
>
> Hello
>
> Is this patch slated to end up in one of the 4.13.x updates? It landed on
> v4.14-rc2 already but seems to have missed the 4.13.3 and 4.13.4 tagging.
>
> Without this patch, I can't connect any USB Ethernet or the kernel will start
> producing that WARN_ON message and returning -EFAULT for quite a few programs.
>

Hmm... problem Petar had originally has been solved.

His commit ( 90e33d45940793def6f773b2d528e9f3c84ffdc7 in Dave Miller net-next)
no longer hits the problem, while his prior version triggered the issue.

Relevant and updated part is :

+               page = virt_to_head_page(data);
+               offset = data - page_address(page);
+               skb_fill_page_desc(skb, i - 1, page, offset, fragsz);