Re: [PATCH 2/2] dlmfs: convert dlmfs_file_read() to copy_to_user()

From: Linus Torvalds
Date: Thu May 28 2020 - 21:27:59 EST

On Thu, May 28, 2020 at 5:04 PM Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
> if (*ppos >= i_size_read(inode))
> return 0;
> + /* don't read past the lvb */
> + if (count > i_size_read(inode) - *ppos)
> + count = i_size_read(inode) - *ppos;
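Review bot: i_size_read(inode) is evaluated three separate times across this hunk (the `*ppos >= i_size_read(inode)` test, the `count > i_size_read(inode) - *ppos` comparison, and the `count = i_size_read(inode) - *ppos` assignment), so the clamp is not protected by the preceding check if the size changes between calls and `i_size_read(inode) - *ppos` can underflow. Read the size once into a local, e.g. `loff_t size = i_size_read(inode);`, and use that local for both the early return and the clamp so all three decisions are made against the same value.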

This isn't a new problem, since you effectively just moved this code,
but it's perhaps more obvious now..

"i_size_read()" is not necessarily stable - we do special things on
32-bit to make sure that we get _a_ stable value for it, but it's not
necessarily guaranteed to be the same value when called twice. Think
concurrent pread() with a write..

So the inode size could change in between those two accesses, and the
subtraction might end up underflowing despite the check just above.

This might not be an issue with ocfs2 (I didn't check locking), but ..