David Howells <dhowells@xxxxxxxxxx> wrote:
> +static size_t __copy_from_iter_mc(void *addr, size_t bytes, struct iov_iter *i)
> {
> - struct iov_iter *iter = priv2;
> + size_t progress;
>
> - if (iov_iter_is_copy_mc(iter))
> - return copy_mc_to_kernel(to + progress, iter_from, len);
> - return memcpy_from_iter(iter_from, progress, len, to, priv2);
> + if (unlikely(i->count < bytes))
> + bytes = i->count;
> + if (unlikely(!bytes))
> + return 0;
> + progress = iterate_bvec(i, bytes, addr, NULL, memcpy_from_iter_mc);
> + i->count -= progress;
i->count shouldn't be decreased here as iterate_bvec() now does that.
This causes the LTP abort01 test to log a warning under KASAN (see below).
I'll remove the line and repush the patches.
David
LTP: starting abort01
==================================================================
BUG: KASAN: stack-out-of-bounds in __copy_from_iter_mc+0x2e6/0x480
Read of size 4 at addr ffffc90004777594 by task abort01/708
CPU: 4 PID: 708 Comm: abort01 Not tainted 99.6.0-rc3-ged6251886a1d #46
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)/Incus, BIOS unknown 2/2/2022
Call Trace:
<TASK>
dump_stack_lvl+0x3d/0x70
print_report+0xce/0x650
? lock_acquire+0x1b1/0x330
kasan_report+0xda/0x110
? __copy_from_iter_mc+0x2e6/0x480
? __copy_from_iter_mc+0x2e6/0x480
__copy_from_iter_mc+0x2e6/0x480
copy_page_from_iter_atomic+0x517/0x1350
? __pfx_copy_page_from_iter_atomic+0x10/0x10
? __filemap_get_folio+0x281/0x6c0
? folio_wait_writeback+0x53/0x1e0
? prepare_pages.constprop.0+0x40b/0x6c0
btrfs_copy_from_user+0xc6/0x290
btrfs_buffered_write+0x8c9/0x1190
? __pfx_btrfs_buffered_write+0x10/0x10
? _raw_spin_unlock+0x2d/0x50
? btrfs_file_llseek+0x100/0xf00
? follow_page_mask+0x69f/0x1e10
btrfs_do_write_iter+0x859/0xff0
? __pfx_btrfs_file_llseek+0x10/0x10
? find_held_lock+0x2d/0x110
? __pfx_btrfs_do_write_iter+0x10/0x10
? __up_read+0x211/0x790
? __pfx___get_user_pages+0x10/0x10
? __pfx___up_read+0x10/0x10
? __kernel_write_iter+0x3be/0x6d0
__kernel_write_iter+0x226/0x6d0
? __pfx___kernel_write_iter+0x10/0x10
dump_user_range+0x25d/0x650
? __pfx_dump_user_range+0x10/0x10
? __pfx_writenote+0x10/0x10
elf_core_dump+0x231f/0x2e90
? __pfx_elf_core_dump+0x10/0x10
? do_coredump+0x12a9/0x38c0
? kasan_set_track+0x25/0x30
? __kasan_kmalloc+0xaa/0xb0
? __kmalloc_node+0x6c/0x1b0
? do_coredump+0x12a9/0x38c0
? get_signal+0x1e7d/0x20f0
? 0xffffffffff600000
? mas_next_slot+0x328/0x1dd0
? lock_acquire+0x162/0x330
? do_coredump+0x2537/0x38c0
do_coredump+0x2537/0x38c0
? __pfx_do_coredump+0x10/0x10
? kmem_cache_free+0x114/0x520
? find_held_lock+0x2d/0x110
get_signal+0x1e7d/0x20f0
? __pfx_get_signal+0x10/0x10
? do_send_specific+0xf1/0x1c0
? __pfx_do_send_specific+0x10/0x10
arch_do_signal_or_restart+0x8b/0x4b0
? __pfx_arch_do_signal_or_restart+0x10/0x10
exit_to_user_mode_prepare+0xde/0x210
syscall_exit_to_user_mode+0x16/0x50
do_syscall_64+0x53/0x90
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
