Commit 91567128 authored by Filipe Manana, committed by Greg Kroah-Hartman

btrfs: fix wrong address when faulting in pages in the search ioctl

commit 1c78544e upstream.

When faulting in the pages for the user supplied buffer for the search
ioctl, we are passing only the base address of the buffer to the function
fault_in_pages_writeable(). This means that after the first iteration of
the while loop that searches for leaves, when we have a non-zero offset,
stored in 'sk_offset', we try to fault in a wrong page range.

So fix this by adding the offset in 'sk_offset' to the base address of the
user supplied buffer when calling fault_in_pages_writeable().

Several users have reported that the applications compsize and bees have
started to operate incorrectly since commit a48b73ec ("btrfs: fix
potential deadlock in the search ioctl") was added to stable trees, and
these applications make heavy use of the search ioctls. This fixes their
issues.

Link: https://lore.kernel.org/linux-btrfs/632b888d-a3c3-b085-cdf5-f9bb61017d92@lechevalier.se/
Link: https://github.com/kilobyte/compsize/issues/34
Fixes: a48b73ec ("btrfs: fix potential deadlock in the search ioctl")
CC: stable@vger.kernel.org # 4.4+
Tested-by: A L <mail@lechevalier.se>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent b33e13e4
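The loop the commit message describes, as an added userspace model (not btrfs or kernel code): the kernel helpers are replaced by toy versions over an in-memory buffer. It assumes a 4096-byte page, a four-page buffer and 2048-byte leaves, and it models fault_in_pages_writeable() the way the kernel implemented it at the time of this commit, writing a zero byte into each page of the range on the assumption that the caller is about to overwrite those bytes. The names model_fault_in, model_copy_nofault, search_loop_model and corrupted_bytes are this example's own. With only the base address passed, every iteration's zero byte lands on results already copied in earlier iterations; with base + sk_offset the zeros only hit bytes that are still to be written.

```c
/* Userspace model of the prefault-then-copy loop in btrfs's search_ioctl().
 * Added example, not btrfs or kernel code. model_fault_in() stands in for
 * fault_in_pages_writeable(), which at the time of this commit wrote a zero
 * byte into each page of the range to fault it in; model_copy_nofault()
 * stands in for copy_to_user_nofault(), which fails instead of faulting.
 * Page size, buffer size and leaf size are assumptions for the demonstration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE   4096u
#define MODEL_NPAGES 4u
#define MODEL_BUFSZ  (MODEL_NPAGES * MODEL_PAGE)
#define MODEL_EFAULT 14
#define LEAF_BYTE    0xABu   /* pattern standing in for copied search results */

/* A "user buffer": backing bytes plus a present bit per page. */
struct ubuf_model {
    uint8_t data[MODEL_BUFSZ];
    bool present[MODEL_NPAGES];
};

/* Touch one byte per page of [off, off+len) with a zero, as the real helper did. */
static int model_fault_in(struct ubuf_model *u, size_t off, size_t len)
{
    size_t end, q;

    if (len == 0)
        return 0;
    if (off >= MODEL_BUFSZ || len > MODEL_BUFSZ - off)
        return -MODEL_EFAULT;          /* range is not mapped */
    end = off + len - 1;
    for (q = off; q <= end; q += MODEL_PAGE) {
        u->present[q / MODEL_PAGE] = true;
        u->data[q] = 0;
    }
    u->present[end / MODEL_PAGE] = true;
    u->data[end] = 0;
    return 0;
}

/* Copy that refuses (-EFAULT) rather than faulting if any page is not present. */
static int model_copy_nofault(struct ubuf_model *u, size_t off,
                              const uint8_t *src, size_t len)
{
    size_t q;

    if (len == 0)
        return 0;
    if (off >= MODEL_BUFSZ || len > MODEL_BUFSZ - off)
        return -MODEL_EFAULT;
    for (q = off / MODEL_PAGE; q <= (off + len - 1) / MODEL_PAGE; q++)
        if (!u->present[q])
            return -MODEL_EFAULT;
    memcpy(u->data + off, src, len);
    return 0;
}

/* The loop from search_ioctl(): prefault what is left of the buffer, then copy
 * one leaf of leaf_len bytes (leaf_len <= MODEL_PAGE) at sk_offset.
 * fixed == false prefaults from the base address only (the pre-fix call),
 * fixed == true from base + sk_offset (the fix). Returns the number of leaves
 * copied; *corrupted receives how many already-copied result bytes no longer
 * hold LEAF_BYTE when the loop ends. */
static int search_loop_model(bool fixed, size_t leaf_len, size_t *corrupted)
{
    struct ubuf_model u;
    uint8_t leaf[MODEL_PAGE];
    size_t sk_offset = 0, i;
    int copied = 0;

    memset(&u, 0, sizeof u);
    memset(leaf, LEAF_BYTE, sizeof leaf);
    while (sk_offset + leaf_len <= MODEL_BUFSZ) {
        size_t fault_from = fixed ? sk_offset : 0;
        if (model_fault_in(&u, fault_from, MODEL_BUFSZ - sk_offset))
            break;
        if (model_copy_nofault(&u, sk_offset, leaf, leaf_len))
            break;
        sk_offset += leaf_len;
        copied++;
    }
    *corrupted = 0;
    for (i = 0; i < sk_offset; i++)
        if (u.data[i] != LEAF_BYTE)
            (*corrupted)++;
    return copied;
}

/* Corrupted result bytes for one variant, with 2048-byte leaves. */
static size_t corrupted_bytes(bool fixed)
{
    size_t n = 0;
    search_loop_model(fixed, 2048, &n);
    return n;
}

int main(void)
{
    printf("base only      : %zu corrupted bytes\n", corrupted_bytes(false));
    printf("base + sk_offset: %zu corrupted bytes\n", corrupted_bytes(true));
    return 0;
}
```

Both variants copy all eight leaves without an error return, which is why the bug showed up as applications misbehaving rather than failing ioctls: the pre-fix call leaves stray zero bytes at page starts and at the end of the shrinking range inside results that were already handed to user space, while the fixed call only zeroes bytes the loop has yet to write.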
...@@ -2189,7 +2189,8 @@ static noinline int search_ioctl(struct inode *inode, ...@@ -2189,7 +2189,8 @@ static noinline int search_ioctl(struct inode *inode,
key.offset = sk->min_offset; key.offset = sk->min_offset;
while (1) { while (1) {
ret = fault_in_pages_writeable(ubuf, *buf_size - sk_offset); ret = fault_in_pages_writeable(ubuf + sk_offset,
*buf_size - sk_offset);
if (ret) if (ret)
break; break;
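Review bot: the corrected call `fault_in_pages_writeable(ubuf + sk_offset, *buf_size - sk_offset)` is only safe while sk_offset never exceeds *buf_size, and nothing in this hunk shows that invariant; since the length is computed by subtraction, a short comment above the call stating that the code advancing sk_offset keeps it at or below *buf_size (or a WARN_ON to that effect) would make the arithmetic self-evidently sound to the next reader. Prefaulting is also advisory only, as the pages can be reclaimed between this call and the later copy into the buffer, so the copy's own error return still has to be handled; the `if (ret) break;` here covers only the prefault.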