lib/iov_iter: initialize "flags" in new pipe_buffer
author Max Kellermann <max.kellermann@ionos.com>
Mon, 21 Feb 2022 10:03:13 +0000 (11:03 +0100)
committer PDO SCM Team <hudsoncm@motorola.com>
Wed, 4 May 2022 14:26:27 +0000 (09:26 -0500)
commit 9d2231c5d74e13b2a0546fee6737ee4446017903 upstream.

The functions copy_page_to_iter_pipe() and push_pipe() can both
allocate a new pipe_buffer, but the "flags" member initializer is
missing.

Mot-CRs-fixed:(CR)
CVE-Fixed: CVE-2022-0847
Bug: 220741611

Change-Id: I36246a705a96500e979874a130e89cfe4cca1ed5
Fixes: 241699cd72a8 ("new iov_iter flavour: pipe-backed")
To: Alexander Viro <viro@zeniv.linux.org.uk>
To: linux-fsdevel@vger.kernel.org
To: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Gajjala Chakradhar <gajjalac@motorola.com>
Reviewed-on: https://gerrit.mot.com/2242217
SME-Granted: SME Approvals Granted
SLTApproved: Slta Waiver
Tested-by: Jira Key
Reviewed-by: Xiangpo Zhao <zhaoxp3@motorola.com>
Submit-Approved: Jira Key

lib/iov_iter.c

index 1c1c06ddc20a8a961d7d9f73e43d65b695636d5d..f20a79e277b953a6eb744ee7e4635c37c3b5df1f 100644 (file)
@@ -393,6 +393,7 @@ static size_t copy_page_to_iter_pipe(struct page *page, size_t offset, size_t by
                return 0;
        pipe->nrbufs++;
        buf->ops = &page_cache_pipe_buf_ops;
+       buf->flags = 0;
        get_page(buf->page = page);
        buf->offset = offset;
        buf->len = bytes;
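
Review bot: In copy_page_to_iter_pipe() the new buffer is still filled in one member at a time (`ops`, now `flags`, then `page`, `offset`, `len`), which is the pattern that let `flags` be missed in the first place. Any member not named in this list keeps whatever the slot held before. For the stable backport the single added line is the right minimal change, but as a follow-up consider zeroing the slot or assigning a whole-struct initializer before taking the page reference, so that members not listed here start at zero instead of depending on every call site remembering them.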
@@ -517,6 +518,7 @@ static size_t push_pipe(struct iov_iter *i, size_t size,
                        break;
                pipe->nrbufs++;
                pipe->bufs[idx].ops = &default_pipe_buf_ops;
+               pipe->bufs[idx].flags = 0;
                pipe->bufs[idx].page = page;
                pipe->bufs[idx].offset = 0;
                if (left <= PAGE_SIZE) {
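
Review bot: Neither `pipe->bufs[idx].flags = 0;` in push_pipe() nor the commit message says what goes wrong when the member is left unset. The message only states that the initializer is missing, while the trailers tie the change to CVE-2022-0847 and to stable. A one-line comment at this site (and at the matching line in copy_page_to_iter_pipe()) stating that a new buffer must not carry flags over from a previous use of the slot would keep the assignment from being dropped in a later cleanup. A sentence in the message describing the effect of stale flags would also help people triaging the backport. Since both functions now repeat the same initialization sequence, a small shared helper would also keep the two paths from diverging again.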