[PATCH v4 03/30] iov_iter: Fix potential underflow in iov_iter_extract_xarray_pages()

David Howells dhowells at redhat.com
Tue Jun 16 03:07:52 PDT 2026


In iov_iter_extract_xarray_pages(), if no pages are extracted because
there's a hole (or something otherwise unextractable) in the xarray, then
the calculation of maxsize at the end can go wrong if the starting offset
is not zero.

Fix this by setting maxsize to 0 if nr is 0.

Note that in the near future, ITER_XARRAY should be removed.

Fixes: 7d58fe731028 ("iov_iter: Add a function to extract a page list from an iterator")
Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells at redhat.com>
cc: Paulo Alcantara <pc at manguebit.org>
cc: Matthew Wilcox <willy at infradead.org>
cc: Christoph Hellwig <hch at infradead.org>
cc: Jens Axboe <axboe at kernel.dk>
cc: Mike Marshall <hubcap at omnibond.com>
cc: netfs at lists.linux.dev
cc: linux-fsdevel at vger.kernel.org
---
 lib/iov_iter.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 243662af1af7..dc9c6eb21bdb 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -1595,7 +1595,10 @@ static ssize_t iov_iter_extract_xarray_pages(struct iov_iter *i,
 	}
 	rcu_read_unlock();
 
-	maxsize = min_t(size_t, nr * PAGE_SIZE - offset, maxsize);
+	if (nr > 0)
+		maxsize = min_t(size_t, nr * PAGE_SIZE - offset, maxsize);
+	else
+		maxsize = 0;
 	iov_iter_advance(i, maxsize);
 	return maxsize;
 }
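Review bot: The new else branch still falls through to iov_iter_advance(i, maxsize) with maxsize set to 0. An early `if (!nr) return 0;` placed straight after rcu_read_unlock() would make the nothing-extracted case explicit and leave the existing min_t() line untouched. Whichever form is kept, a one-line comment at the nr check would help, stating that nr * PAGE_SIZE - offset wraps as a size_t when nr is 0 and offset is nonzero, because the code alone does not show why the guard is there. Since the function now returns 0 when it hits a hole, it is also worth confirming that callers treat a 0 return as "nothing extracted" and do not retry indefinitely or take it for end of data.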



