fix braino in generic_file_read_iter()

Wrong sign of iov_iter_revert() argument.  Unfortunately, slipped through
the testing, since most of the time we don't do anything to the iterator
afterwards and potential oops on walking the iter->iov too far backwards
is too infrequent to be easily triggered.

Add a sanity check in iov_iter_revert() to catch bugs like this one;
fortunately, the same braino hadn't happened in other callers, but we'd
better have a warning if such thing crops up.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 60abc44385b795de7449b3810e9e294b7d2c48fc..fc9fb29d00eba257c99fa63de7c990a80bf075a4 100644 (file)
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -790,6 +790,8 @@ void iov_iter_revert(struct iov_iter *i, size_t unroll)
 {
        if (!unroll)
                return;
+       if (WARN_ON(unroll > MAX_RW_COUNT))
+               return;
        i->count += unroll;
        if (unlikely(i->type & ITER_PIPE)) {
                struct pipe_inode_info *pipe = i->pipe;

diff --git a/mm/filemap.c b/mm/filemap.c
index cc480c07c71bad5b838e26f194e1d5b3e466e00f..d6e67be1802ef5290a3d49ebbc8464eaf0353a90 100644 (file)
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -2048,7 +2048,7 @@ generic_file_read_iter(struct kiocb *iocb, struct iov_iter *iter)
                        iocb->ki_pos += retval;
                        count -= retval;
                }
-               iov_iter_revert(iter, iov_iter_count(iter) - count);
+               iov_iter_revert(iter, count - iov_iter_count(iter));
 
                /*
                 * Btrfs can have a short DIO read if we encounter