syzbot found WARNING in iov_iter_revert[1] when iov_iter_count() returns 0, therefore INT_MAX is passed to iov_iter_revert() causing > MAX_RW_COUNT warning.
static inline ssize_t do_tty_write()
{
	..
	size_t count = iov_iter_count(from);
	..
	size_t size = count;
	if (ret != size)
		iov_iter_revert(from, size-ret);

[1] WARNING: lib/iov_iter.c:1090
Call Trace:
 do_tty_write drivers/tty/tty_io.c:967 [inline]
 file_tty_write.constprop.0+0x55f/0x8f0 drivers/tty/tty_io.c:1048
 call_write_iter include/linux/fs.h:1901 [inline]
 new_sync_write+0x426/0x650 fs/read_write.c:518
 vfs_write+0x791/0xa30 fs/read_write.c:605
 ksys_write+0x12d/0x250 fs/read_write.c:658

Fixes: 9bb48c82aced ("tty: implement write_iter")
Reported-by: syzbot+3d2c27c2b7dc2a948...@syzkaller.appspotmail.com
Signed-off-by: Sabyrzhan Tasbolatov <snovit...@gmail.com>
---
v2: Fixed "Fixed" tag to proper commit and changed write return to -EFAULT
as this statement is valid, tested via strace:

	write(3, NULL, 0) = -1 EFAULT (Bad address)

Updated to -EFAULT, should be a valid exit code as copy_from_iter(.., .., from)
returns -EFAULT as well if *from is invalid address.

>
> Nit, you need a ' ' before your '(' character here, otherwise the
> linux-next scripts will complain.
>
> Also, you got the git commit id wrong, so this needs to be fixed up
> anyway. You are pointing to a merge point, I doubt that's what you want
> to point to here, right?

Thanks!

---
 drivers/tty/tty_io.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 816e709afa56..e1460cad8b7d 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -905,6 +905,9 @@ static inline ssize_t do_tty_write(
 	ssize_t ret, written = 0;
 	unsigned int chunk;
 
+	if (!count)
+		return -EFAULT;
+
 	ret = tty_write_lock(tty, file->f_flags & O_NDELAY);
 	if (ret < 0)
 		return ret;
-- 
2.25.1
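Review bot: the early return `if (!count) return -EFAULT;` in this hunk reports a valid request as an address fault; a zero-length write is not a bad address, and the conventional write(2) result for count == 0 is 0, so the added lines should read `if (!count) return 0;`. The strace line in the changelog only records what the patched kernel returns, not what callers expect, and the comparison with copy_from_iter() does not hold because nothing is copied when count is 0. If the warning is triggered by `iov_iter_revert(from, size-ret)` with size == 0, the revert site could also be guarded on a non-negative ret before the subtraction, but returning 0 early for an empty write keeps the semantics simple and avoids reaching that path at all.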