[PATCH 0/7] lib/iov_iter: fix bugs found via cross-function consistency review
From: Josh Law
Date: Fri Mar 13 2026 - 14:11:23 EST
A systematic review of lib/iov_iter.c checking that each iterator type
is handled consistently across all functions turned up seven issues:
- Two can cause a kernel oops: a missing allocation failure check in
iov_iter_extract_bvec_pages() (NULL deref under memory pressure), and
a missing NULL check in iov_iter_folioq_revert() (NULL deref when
reverting past the head of a folio_queue chain).
- Two return wrong values for partially consumed iterators:
iov_iter_single_seg_count() ignores iov_offset for folioq, and
iov_iter_gap_alignment() ignores iov_offset for the first iovec
segment.
- One fires a spurious WARN_ON_ONCE for kvec iterators in
iov_iter_restore() due to a misplaced parenthesis.
- One can read out of bounds: iov_iter_alignment_iovec/bvec enter
their do-while loops unconditionally even when count is zero.
- One is a testing gap: copy_to_user_iter_mc() lacks the
should_fail_usercopy() check present in all other copy helpers.
All found through code review; no runtime failures were needed to
discover them. Each patch is independent and can be applied
separately.
Josh Law (7):
  lib/iov_iter: fix missing allocation failure check in iov_iter_extract_bvec_pages()
  lib/iov_iter: add NULL check on folioq->prev in iov_iter_folioq_revert()
  lib/iov_iter: fix misplaced parenthesis in iov_iter_restore() kvec check
  lib/iov_iter: account for iov_offset in iov_iter_single_seg_count() folioq path
  lib/iov_iter: account for iov_offset in iov_iter_gap_alignment()
  lib/iov_iter: guard iov_iter_alignment() against zero-count iovec/bvec iterators
  lib/iov_iter: add missing should_fail_usercopy() in copy_to_user_iter_mc()
lib/iov_iter.c | 27 ++++++++++++++++++---------
1 file changed, 18 insertions(+), 9 deletions(-)
--
2.34.1
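Two of the bug shapes in the cover letter (a segment count that ignores iov_offset on a partially consumed iterator, and a do-while that touches the first segment before checking whether count is zero) are easy to show in isolation. The following is an added, constructed example, not code from lib/iov_iter.c and not from this patch series: the struct iovec and struct iov_iter here are deliberately simplified stand-ins that reuse the kernel's field names, the "buggy" and "fixed" functions are illustrative shapes rather than the real iov_iter_single_seg_count() or iov_iter_alignment_iovec(), and the sample iterators are constructed data. The "exhausted" iterator keeps a stale entry behind its iov pointer on purpose so the out-of-bounds read the buggy loop performs is memory-safe to demonstrate here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified stand-in for an iovec-backed iov_iter.
 * Field names follow lib/iov_iter.c, but these are not the kernel's
 * definitions and the functions below are not the kernel's code. */
struct iovec { void *iov_base; size_t iov_len; };

struct iov_iter {
    const struct iovec *iov;  /* current (first unconsumed) segment */
    size_t nr_segs;           /* segments remaining, including iov[0] */
    size_t iov_offset;        /* bytes of iov[0] already consumed */
    size_t count;             /* bytes remaining in the iterator */
};

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Bug shape 1: the current segment's length is reported without
 * subtracting iov_offset, so a partially consumed iterator overstates
 * what is left in that segment. */
static size_t single_seg_count_buggy(const struct iov_iter *i)
{
    if (!i->nr_segs || !i->count)
        return 0;
    return min_sz(i->count, i->iov[0].iov_len);
}

/* Fixed shape: only the unconsumed tail of iov[0] counts. */
static size_t single_seg_count_fixed(const struct iov_iter *i)
{
    if (!i->nr_segs || !i->count)
        return 0;
    return min_sz(i->count, i->iov[0].iov_len - i->iov_offset);
}

/* Bug shape 2: a do-while that reads iov[0] before any count check.
 * With count == 0 the iterator may own no segment at all, so the first
 * iteration reads memory past what it is entitled to. Once count != 0
 * the same loop is sound, which is why the fixed variant just guards it. */
static uintptr_t alignment_walk(const struct iov_iter *i)
{
    const struct iovec *iov = i->iov;
    size_t size = i->count, skip = i->iov_offset;
    uintptr_t res = 0;

    do {
        size_t len = iov->iov_len - skip;   /* touched before checking size */
        if (len) {
            res |= (uintptr_t)iov->iov_base + skip;
            len = min_sz(len, size);
            res |= len;
            size -= len;
        }
        iov++;
        skip = 0;
    } while (size);
    return res;
}

static uintptr_t alignment_buggy(const struct iov_iter *i)
{
    return alignment_walk(i);           /* enters the loop unconditionally */
}

static uintptr_t alignment_fixed(const struct iov_iter *i)
{
    if (!i->count)                      /* nothing to walk: do not touch iov[0] */
        return 0;
    return alignment_walk(i);
}

/* Constructed sample: two segments, 100 bytes of the first already consumed. */
static const struct iovec sample[2] = {
    { (void *)0x1000, 4096 },
    { (void *)0x3000, 512 },
};
static const struct iov_iter partial = { sample, 2, 100, 4096 - 100 + 512 };

/* Constructed sample: an exhausted iterator (nr_segs == 0, count == 0) whose
 * iov pointer still has a stale entry behind it. In a real iterator that
 * entry could be past the end of the array; it is present here only so the
 * buggy loop's read is safe to run. */
static const struct iovec stale[1] = { { (void *)0x7, 9 } };
static const struct iov_iter exhausted = { stale, 0, 0, 0 };

int main(void)
{
    printf("single_seg_count partial: buggy=%zu fixed=%zu\n",
           single_seg_count_buggy(&partial), single_seg_count_fixed(&partial));
    printf("alignment exhausted:      buggy=%#lx fixed=%#lx\n",
           (unsigned long)alignment_buggy(&exhausted),
           (unsigned long)alignment_fixed(&exhausted));
    printf("alignment partial:        %#lx\n",
           (unsigned long)alignment_fixed(&partial));
    return 0;
}
```

The buggy alignment result for the exhausted iterator is nonzero only because it folded in the stale entry it was never supposed to read; with a real iterator that value would be whatever happened to sit past the end of the iovec array, and a caller would then derive an alignment decision from it.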