| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Jan 2017 20:08:27 +0000
From: Al Viro <viro@...IV.linux.org.uk>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: "Alan J. Wylie" <alan@...ie.me.uk>,
Thorsten Leemhuis <regressions@...mhuis.info>,
linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: 4.9.0 regression in pipe-backed iov_iter with systemd-nspawn
On Fri, Jan 13, 2017 at 11:33:18AM -0800, Linus Torvalds wrote:
> What am I missing?
The fact that we want to free the _tail_, not the beginning of the
damn thing.
> Why is "pipe_advance()" written in that incomprehensible form? Why
> don't we do the pipe_buf_release() as we advance through it, instead
> of doing it at the end?
>
> Also, the line
>
> buf->len = size;
>
> in that pipe_advance() function looks buggy. "size" is how much we
> *remove* from buf->len, shouldn't we update buf->len by subtracting
> size?
Because it's "truncate to size", not "throw everything up to that point
out".
We have some amount of data pushed into pipe (in this case - 0) and we
have some buffers allocated by ..._get_pages() past the end of it.
Some of that we want to keep (again, in this case - none) and have the next
copy_to_iter() go after those, the rest we discard.
Powered by blists - more mailing lists