diff options
| author | Al Viro <viro@ZenIV.linux.org.uk> | 2017-09-30 05:28:05 +0100 |
|---|---|---|
| committer | Moyster <oysterized@gmail.com> | 2017-11-06 15:17:56 +0100 |
| commit | d8e0975170866b3981e41e1eb556284efaaf441b (patch) | |
| tree | b89a90d6376c69442410e334ee6661db43439e80 /include/linux | |
| parent | b2e43c9c841ee4c367a0451ca4987661b033fc51 (diff) | |
leak in O_DIRECT readv past the EOF
In all versions from 2.5.62 to 3.15, on each iteration through the loop
by iovec array in do_blockdev_direct_IO() we used to do this:
sdio.head = 0;
sdio.tail = 0;
...
retval = do_direct_IO(dio, &sdio, &map_bh);
if (retval) {
dio_cleanup(dio, &sdio);
break;
}
with another dio_cleanup() done after the loop, catching the situation when
retval had been 0. Consider the situation when e.g. the 3rd iovec in 4-iovec
array passed to readv() has crossed the EOF. do_direct_IO() returns 0 and
buggers off *without* exhausting the page array. The loop proceeds to the
next iovec without calling dio_cleanup() and resets sdio.head and sdio.tail.
That reset of sdio.{head,tail} has prevented the eventual dio_cleanup() from
seeing anything and the page reference end up leaking.
Commit 7b2c99d15559 (new helper: iov_iter_get_pages()) in 3.16 had eliminated
the loop by iovec array, along with sdio.head and sdio.tail resets. Backporting
that is too much work - the minimal fix is simply to make sure that the only case
when do_direct_IO() buggers off early without returning non-zero will not skip
dio_cleanup().
The fix applies to all versions from 2.5.62 to 3.15.
Reported-and-tested-by: Venki Pallipadi <venki@cohesity.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions