lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Wed, 20 May 2020 18:58:52 -0600
From:   Jens Axboe <axboe@...nel.dk>
To:     David Howells <dhowells@...hat.com>
Cc:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH]: splice fix opipe_prep() full check

On 5/20/20 6:42 PM, Jens Axboe wrote:
> The patch converting pipes to head and tail pointers mistakenly
> turned the splice pipe-to-pipe opipe check into something
> nonsensical. It's supposed to check if we have room in the pipe,
> and return success if we do. If not, wait for room in the pipe.
> Instead it's now returning success for a full pipe, and entering
> the slow path for a non-full pipe.

Forgot to CC Linus - Linus, could you pick this up, or do you want
me to queue it up. Moving to 5.6 internally at FB triggers this
pretty easily, causing a hard hang as we'll get stuck in an infinite
busy loop in splice_pipe_to_pipe().

> 
> Cc: stable@...r.kernel.org
> Fixes: 8cefc107ca54 ("pipe: Use head and tail pointers for the ring, not cursor and length")
> Signed-off-by: Jens Axboe <axboe@...nel.dk>
> 
> ---
> 
> I didn't check if the offending commit had other logical fumbles.
> 
> diff --git a/fs/splice.c b/fs/splice.c
> index fd0a1e7e5959..4e53efbd621d 100644
> --- a/fs/splice.c
> +++ b/fs/splice.c
> @@ -1494,7 +1494,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
>  	 * Check pipe occupancy without the inode lock first. This function
>  	 * is speculative anyways, so missing one is ok.
>  	 */
> -	if (pipe_full(pipe->head, pipe->tail, pipe->max_usage))
> +	if (!pipe_full(pipe->head, pipe->tail, pipe->max_usage))
>  		return 0;
>  
>  	ret = 0;
> 


-- 
Jens Axboe

Powered by blists - more mailing lists