lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250209150811.GB16999@redhat.com>
Date: Sun, 9 Feb 2025 16:08:11 +0100
From: Oleg Nesterov <oleg@...hat.com>
To: Christian Brauner <brauner@...nel.org>,
	Jeff Layton <jlayton@...nel.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>
Cc: David Howells <dhowells@...hat.com>,
	"Gautham R. Shenoy" <gautham.shenoy@....com>,
	K Prateek Nayak <kprateek.nayak@....com>,
	Mateusz Guzik <mjguzik@...il.com>,
	Neeraj Upadhyay <Neeraj.Upadhyay@....com>,
	Oliver Sang <oliver.sang@...el.com>,
	Swapnil Sapkal <swapnil.sapkal@....com>,
	WangYuli <wangyuli@...ontech.com>, linux-fsdevel@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: [PATCH 2/2] splice: add some pipe_buf_assert_len() checks

After the previous patch the readers can't (hopefully) hit a zero-sized
buffer, add a few pipe_buf_assert_len() debugging checks.

pipe_buf_assert_len() can probably have more users, including the writers
which update pipe->head.

While at it, simplify eat_empty_buffer(), it can use pipe_buf(pipe->tail).

Signed-off-by: Oleg Nesterov <oleg@...hat.com>
---
 fs/splice.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/fs/splice.c b/fs/splice.c
index 28cfa63aa236..fb7841c07edd 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -453,7 +453,7 @@ static int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_des
 	while (!pipe_empty(head, tail)) {
 		struct pipe_buffer *buf = &pipe->bufs[tail & mask];
 
-		sd->len = buf->len;
+		sd->len = pipe_buf_assert_len(buf);
 		if (sd->len > sd->total_len)
 			sd->len = sd->total_len;
 
@@ -494,13 +494,11 @@ static int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_des
 /* We know we have a pipe buffer, but maybe it's empty? */
 static inline bool eat_empty_buffer(struct pipe_inode_info *pipe)
 {
-	unsigned int tail = pipe->tail;
-	unsigned int mask = pipe->ring_size - 1;
-	struct pipe_buffer *buf = &pipe->bufs[tail & mask];
+	struct pipe_buffer *buf = pipe_buf(pipe, pipe->tail);
 
-	if (unlikely(!buf->len)) {
+	if (unlikely(!pipe_buf_assert_len(buf))) {
 		pipe_buf_release(pipe, buf);
-		pipe->tail = tail+1;
+		pipe->tail++;
 		return true;
 	}
 
@@ -717,7 +715,7 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 		left = sd.total_len;
 		for (n = 0; !pipe_empty(head, tail) && left && n < nbufs; tail++) {
 			struct pipe_buffer *buf = &pipe->bufs[tail & mask];
-			size_t this_len = buf->len;
+			size_t this_len = pipe_buf_assert_len(buf);
 
 			/* zero-length bvecs are not supported, skip them */
 			if (!this_len)
@@ -852,7 +850,7 @@ ssize_t splice_to_socket(struct pipe_inode_info *pipe, struct file *out,
 			struct pipe_buffer *buf = &pipe->bufs[tail & mask];
 			size_t seg;
 
-			if (!buf->len) {
+			if (!pipe_buf_assert_len(buf)) {
 				tail++;
 				continue;
 			}
-- 
2.25.1.362.g51ebf55

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ