diff options
author | Jan Kara <jack@suse.cz> | 2019-12-16 13:54:32 +0300 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2019-12-16 20:48:10 +0300 |
commit | e0ff126ee7ad405c1ef531f9f3db92929de4f20f (patch) | |
tree | 3db8cda1843d84196659155c7690644449d2bc18 /lib/iov_iter.c | |
parent | e42617b825f8073569da76dc4510bfa019b1c35a (diff) | |
download | linux-e0ff126ee7ad405c1ef531f9f3db92929de4f20f.tar.xz |
pipe: Fix bogus dereference in iov_iter_alignment()
We cannot look at 'i->pipe' unless we know the iter is a pipe. Move the
ring_size load to a branch in iov_iter_alignment() where we've already
checked the iter is a pipe to avoid bogus dereference.
Reported-by: syzbot+bea68382bae9490e7dd6@syzkaller.appspotmail.com
Fixes: 8cefc107ca54 ("pipe: Use head and tail pointers for the ring, not cursor and length")
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'lib/iov_iter.c')
-rw-r--r-- | lib/iov_iter.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/iov_iter.c b/lib/iov_iter.c index fb29c02c6a3c..51595bf3af85 100644 --- a/lib/iov_iter.c +++ b/lib/iov_iter.c @@ -1222,11 +1222,12 @@ EXPORT_SYMBOL(iov_iter_discard); unsigned long iov_iter_alignment(const struct iov_iter *i) { - unsigned int p_mask = i->pipe->ring_size - 1; unsigned long res = 0; size_t size = i->count; if (unlikely(iov_iter_is_pipe(i))) { + unsigned int p_mask = i->pipe->ring_size - 1; + if (size && i->iov_offset && allocated(&i->pipe->bufs[i->head & p_mask])) return size | i->iov_offset; return size; |