diff mbox series

[v2,1/4] fs/pipe: Limit the slots in pipe_resize_ring()

Message ID 20250307052919.34542-2-kprateek.nayak@amd.com (mailing list archive)
State New
Headers show
Series pipe: Trivial cleanups | expand

Commit Message

K Prateek Nayak March 7, 2025, 5:29 a.m. UTC
Limit the number of slots in pipe_resize_ring() to the maximum value
representable by pipe->{head,tail}. Values beyond the max limit can
lead to incorrect pipe occupancy related calculations where the pipe
will never appear full.

Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: K Prateek Nayak <kprateek.nayak@amd.com>
---
Changelog:

RFC v1..v2:

o Use (pipe_index_t)-1u as the limit instead of BITS_PER_TYPE()
  hackery. (Oleg)

o Added the "Suggested-by:" tag.
---
 fs/pipe.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Oleg Nesterov March 7, 2025, 2:51 p.m. UTC | #1
On 03/07, K Prateek Nayak wrote:
>
> --- a/fs/pipe.c
> +++ b/fs/pipe.c
> @@ -1271,6 +1271,10 @@ int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots)
>  	struct pipe_buffer *bufs;
>  	unsigned int head, tail, mask, n;
>
> +	/* nr_slots larger than limits of pipe->{head,tail} */
> +	if (unlikely(nr_slots > (pipe_index_t)-1u))
> +		return -EINVAL;

The whole series look "obviously" good to me,

Reviewed-by: Oleg Nesterov <oleg@redhat.com>

-------------------------------------------------------------------------------
But damn ;) lets look at round_pipe_size(),

	unsigned int round_pipe_size(unsigned int size)
	{
		if (size > (1U << 31))
			return 0;

		/* Minimum pipe size, as required by POSIX */
		if (size < PAGE_SIZE)
			return PAGE_SIZE;

		return roundup_pow_of_two(size);
	}

it is a bit silly to allow the maximum size == 1U << 31 in pipe_set_size()
or (more importantly) in /proc/sys/fs/pipe-max-size, and then nack nr_slots
in pipe_resize_ring().

So perhaps this check should go into round_pipe_size() ? Although I can't
suggest a simple/clear check without unnecesary restrictions for the case
when pipe_index_t is u16.

pipe_resize_ring() has another caller, watch_queue_set_size(), but it has
its own hard limits...

Oleg.
K Prateek Nayak March 7, 2025, 4:16 p.m. UTC | #2
Hello Oleg,

Thank you for the review.

On 3/7/2025 8:21 PM, Oleg Nesterov wrote:
> On 03/07, K Prateek Nayak wrote:
>>
>> --- a/fs/pipe.c
>> +++ b/fs/pipe.c
>> @@ -1271,6 +1271,10 @@ int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots)
>>   	struct pipe_buffer *bufs;
>>   	unsigned int head, tail, mask, n;
>>
>> +	/* nr_slots larger than limits of pipe->{head,tail} */
>> +	if (unlikely(nr_slots > (pipe_index_t)-1u))
>> +		return -EINVAL;
> 
> The whole series look "obviously" good to me,
> 
> Reviewed-by: Oleg Nesterov <oleg@redhat.com>
> 
> -------------------------------------------------------------------------------
> But damn ;) lets look at round_pipe_size(),
> 
> 	unsigned int round_pipe_size(unsigned int size)
> 	{
> 		if (size > (1U << 31))
> 			return 0;
> 
> 		/* Minimum pipe size, as required by POSIX */
> 		if (size < PAGE_SIZE)
> 			return PAGE_SIZE;
> 
> 		return roundup_pow_of_two(size);
> 	}
> 
> it is a bit silly to allow the maximum size == 1U << 31 in pipe_set_size()
> or (more importantly) in /proc/sys/fs/pipe-max-size, and then nack nr_slots
> in pipe_resize_ring().
> 
> So perhaps this check should go into round_pipe_size() ? Although I can't
> suggest a simple/clear check without unnecesary restrictions for the case
> when pipe_index_t is u16.
> 
> pipe_resize_ring() has another caller, watch_queue_set_size(), but it has
> its own hard limits...

"nr_notes" for watch queues cannot cross 512 so we should be covered there.
As for round_pipe_size(), we can do:

diff --git a/fs/pipe.c b/fs/pipe.c
index ce1af7592780..f82098aaa510 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1253,6 +1253,8 @@ const struct file_operations pipefifo_fops = {
   */
  unsigned int round_pipe_size(unsigned int size)
  {
+	unsigned int max_slots;
+
  	if (size > (1U << 31))
  		return 0;
  
@@ -1260,7 +1262,14 @@ unsigned int round_pipe_size(unsigned int size)
  	if (size < PAGE_SIZE)
  		return PAGE_SIZE;
  
-	return roundup_pow_of_two(size);
+	size = roundup_pow_of_two(size);
+	max_slots = size >> PAGE_SHIFT;
+
+	/* Max slots cannot be covered pipe->{head,tail} limits */
+	if (max_slots > (pipe_index_t)-1U)
+		return 0;
+
+	return size;
  }
  
  /*
--

Since pipe_resize_ring() can be called without actually looking at
"pipe_max_size" as is the case with watch queues, we can either keep the
check in pipe_resize_ring() as well out of paranoia or get rid of it
since the current users are within the bounds.

Thoughts?

> 
> Oleg.
>
Oleg Nesterov March 7, 2025, 10:30 p.m. UTC | #3
On 03/07, K Prateek Nayak wrote:
>
> On 3/7/2025 8:21 PM, Oleg Nesterov wrote:
> >On 03/07, K Prateek Nayak wrote:
> >>
> >>--- a/fs/pipe.c
> >>+++ b/fs/pipe.c
> >>@@ -1271,6 +1271,10 @@ int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots)
> >>  	struct pipe_buffer *bufs;
> >>  	unsigned int head, tail, mask, n;
> >>
> >>+	/* nr_slots larger than limits of pipe->{head,tail} */
> >>+	if (unlikely(nr_slots > (pipe_index_t)-1u))
> >>+		return -EINVAL;
> >
> >The whole series look "obviously" good to me,
> >
> >Reviewed-by: Oleg Nesterov <oleg@redhat.com>

So, in case it wasn't clear, you could safely ignore everything else below ;)

> >pipe_resize_ring() has another caller, watch_queue_set_size(), but it has
> >its own hard limits...
>
> "nr_notes" for watch queues cannot cross 512 so we should be covered there.

Yes, yes, this is what I meant,

> As for round_pipe_size(), we can do:
>
> diff --git a/fs/pipe.c b/fs/pipe.c
> index ce1af7592780..f82098aaa510 100644
> --- a/fs/pipe.c
> +++ b/fs/pipe.c
> @@ -1253,6 +1253,8 @@ const struct file_operations pipefifo_fops = {
>   */
>  unsigned int round_pipe_size(unsigned int size)
>  {
> +	unsigned int max_slots;
> +
>  	if (size > (1U << 31))
>  		return 0;
> @@ -1260,7 +1262,14 @@ unsigned int round_pipe_size(unsigned int size)
>  	if (size < PAGE_SIZE)
>  		return PAGE_SIZE;
> -	return roundup_pow_of_two(size);
> +	size = roundup_pow_of_two(size);
> +	max_slots = size >> PAGE_SHIFT;
> +
> +	/* Max slots cannot be covered pipe->{head,tail} limits */
> +	if (max_slots > (pipe_index_t)-1U)
> +		return 0;

Sure, this will work, but still it doesn't look clear/clean to me.
But no, no, I don't blame your suggestion.

To me, round_pipe_size() looks confusing with or without the changes we
discuss. Why does it use "1U << 31" as a maximum size? OK, this is because
that "1 << 31" is the maximum power-of-2 which can fit into u32.

But, even if this code assumes that pipe->head/tail are u32, why this
restriction? Most probably I missed something, but I don't understand.

> Since pipe_resize_ring() can be called without actually looking at
> "pipe_max_size"

Again, only if the caller is watch_queue_set_size(), but it has its own
hard limit.

So. I won't argue either way. Whatever looks better to you. My ack
still stands.

Sorry for (yet another) confusing and almost off-topic email from me.

Oleg.
diff mbox series

Patch

diff --git a/fs/pipe.c b/fs/pipe.c
index 4d0799e4e719..88e81f84e3ea 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1271,6 +1271,10 @@  int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots)
 	struct pipe_buffer *bufs;
 	unsigned int head, tail, mask, n;
 
+	/* nr_slots larger than limits of pipe->{head,tail} */
+	if (unlikely(nr_slots > (pipe_index_t)-1u))
+		return -EINVAL;
+
 	bufs = kcalloc(nr_slots, sizeof(*bufs),
 		       GFP_KERNEL_ACCOUNT | __GFP_NOWARN);
 	if (unlikely(!bufs))