syzbot found WARNING in iov_iter_revert[1] when iov_iter_count() returns 0, therefore INT_MAX is passed to iov_iter_revert() causing > MAX_RW_COUNT warning.
static inline ssize_t do_tty_write() { .. size_t count = iov_iter_count(from); .. size_t size = count; if (ret != size) iov_iter_revert(from, size-ret); [1] WARNING: lib/iov_iter.c:1090 Call Trace: do_tty_write drivers/tty/tty_io.c:967 [inline] file_tty_write.constprop.0+0x55f/0x8f0 drivers/tty/tty_io.c:1048 call_write_iter include/linux/fs.h:1901 [inline] new_sync_write+0x426/0x650 fs/read_write.c:518 vfs_write+0x791/0xa30 fs/read_write.c:605 ksys_write+0x12d/0x250 fs/read_write.c:658 Fixes: 494e63ee9c("tty: implement write_iter") Reported-by: syzbot+3d2c27c2b7dc2a948...@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov <snovit...@gmail.com> --- drivers/tty/tty_io.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c index 816e709afa56..8d6d579ecc3b 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c @@ -905,6 +905,9 @@ static inline ssize_t do_tty_write( ssize_t ret, written = 0; unsigned int chunk; + if (!count) + return -EINVAL; + ret = tty_write_lock(tty, file->f_flags & O_NDELAY); if (ret < 0) return ret; -- 2.25.1