Message ID | 20180716160344.7015-2-aryabinin@virtuozzo.com (mailing list archive)
---|---
State | New, archived
On Mon, Jul 16, 2018 at 6:03 PM, Andrey Ryabinin <aryabinin@virtuozzo.com> wrote:
> The 'bufs' array contains 'pipe->buffers' elements, but the
> fuse_dev_splice_write() uses only 'pipe->nrbufs' elements.

Hmm, only valid with pipe lock held, AFAICS.

True for using ->buffers as well...

Would you mind resending this series with an additional starting patch that moves the bufs allocations inside pipe_lock()/pipe_unlock() to fix races with fcntl(F_SETPIPE_SZ).

Thanks,
Miklos
On 07/17/2018 05:47 PM, Miklos Szeredi wrote:
> On Mon, Jul 16, 2018 at 6:03 PM, Andrey Ryabinin
> <aryabinin@virtuozzo.com> wrote:
>> The 'bufs' array contains 'pipe->buffers' elements, but the
>> fuse_dev_splice_write() uses only 'pipe->nrbufs' elements.
>
> Hmm, only valid with pipe lock held, AFAICS.
>
> True for using ->buffers as well...
>
> Would you mind resending this series with an additional starting patch
> that moves the bufs allocations inside pipe_lock()/pipe_unlock() to
> fix races with fcntl(F_SETPIPE_SZ).
>

Sure, will do shortly.
I suppose the patch should go with a stable tag, right?

> Thanks,
> Miklos
>
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index 74900571546d..39789f070cde 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -1944,7 +1944,7 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe, if (!fud) return -EPERM; - bufs = kvmalloc_array(pipe->buffers, sizeof(struct pipe_buffer), + bufs = kvmalloc_array(pipe->nrbufs, sizeof(struct pipe_buffer), GFP_KERNEL); if (!bufs) return -ENOMEM;
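Review bot: sizing the allocation with `bufs = kvmalloc_array(pipe->nrbufs, ...)` reads pipe->nrbufs before the pipe lock is taken (the allocation sits directly after the `if (!fud) return -EPERM;` check), so the count can change between the allocation and the later use of the buffers; as the thread notes, the same race already existed with pipe->buffers via fcntl(F_SETPIPE_SZ). Suggest a preceding patch that moves this kvmalloc_array() inside pipe_lock()/pipe_unlock(), or re-validates the buffer count under the lock before filling `bufs`, and since that is a race fix, carry a stable tag on it.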
The 'bufs' array contains 'pipe->buffers' elements, but the fuse_dev_splice_write() uses only 'pipe->nrbufs' elements. So reduce the allocation size to 'pipe->nrbufs' elements.

Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
---
 fs/fuse/dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)