Message ID | 20250307052919.34542-2-kprateek.nayak@amd.com (mailing list archive) |
---|---|
State | New |
Headers | show |
Series | pipe: Trivial cleanups | expand |
On 03/07, K Prateek Nayak wrote: > > --- a/fs/pipe.c > +++ b/fs/pipe.c > @@ -1271,6 +1271,10 @@ int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots) > struct pipe_buffer *bufs; > unsigned int head, tail, mask, n; > > + /* nr_slots larger than limits of pipe->{head,tail} */ > + if (unlikely(nr_slots > (pipe_index_t)-1u)) > + return -EINVAL; The whole series look "obviously" good to me, Reviewed-by: Oleg Nesterov <oleg@redhat.com> ------------------------------------------------------------------------------- But damn ;) lets look at round_pipe_size(), unsigned int round_pipe_size(unsigned int size) { if (size > (1U << 31)) return 0; /* Minimum pipe size, as required by POSIX */ if (size < PAGE_SIZE) return PAGE_SIZE; return roundup_pow_of_two(size); } it is a bit silly to allow the maximum size == 1U << 31 in pipe_set_size() or (more importantly) in /proc/sys/fs/pipe-max-size, and then nack nr_slots in pipe_resize_ring(). So perhaps this check should go into round_pipe_size() ? Although I can't suggest a simple/clear check without unnecesary restrictions for the case when pipe_index_t is u16. pipe_resize_ring() has another caller, watch_queue_set_size(), but it has its own hard limits... Oleg.
Hello Oleg, Thank you for the review. On 3/7/2025 8:21 PM, Oleg Nesterov wrote: > On 03/07, K Prateek Nayak wrote: >> >> --- a/fs/pipe.c >> +++ b/fs/pipe.c >> @@ -1271,6 +1271,10 @@ int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots) >> struct pipe_buffer *bufs; >> unsigned int head, tail, mask, n; >> >> + /* nr_slots larger than limits of pipe->{head,tail} */ >> + if (unlikely(nr_slots > (pipe_index_t)-1u)) >> + return -EINVAL; > > The whole series look "obviously" good to me, > > Reviewed-by: Oleg Nesterov <oleg@redhat.com> > > ------------------------------------------------------------------------------- > But damn ;) lets look at round_pipe_size(), > > unsigned int round_pipe_size(unsigned int size) > { > if (size > (1U << 31)) > return 0; > > /* Minimum pipe size, as required by POSIX */ > if (size < PAGE_SIZE) > return PAGE_SIZE; > > return roundup_pow_of_two(size); > } > > it is a bit silly to allow the maximum size == 1U << 31 in pipe_set_size() > or (more importantly) in /proc/sys/fs/pipe-max-size, and then nack nr_slots > in pipe_resize_ring(). > > So perhaps this check should go into round_pipe_size() ? Although I can't > suggest a simple/clear check without unnecesary restrictions for the case > when pipe_index_t is u16. > > pipe_resize_ring() has another caller, watch_queue_set_size(), but it has > its own hard limits... "nr_notes" for watch queues cannot cross 512 so we should be covered there. As for round_pipe_size(), we can do: diff --git a/fs/pipe.c b/fs/pipe.c index ce1af7592780..f82098aaa510 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -1253,6 +1253,8 @@ const struct file_operations pipefifo_fops = { */ unsigned int round_pipe_size(unsigned int size) { + unsigned int max_slots; + if (size > (1U << 31)) return 0; @@ -1260,7 +1262,14 @@ unsigned int round_pipe_size(unsigned int size) if (size < PAGE_SIZE) return PAGE_SIZE; - return roundup_pow_of_two(size); + size = roundup_pow_of_two(size); + max_slots = size >> PAGE_SHIFT; + + /* Max slots cannot be covered pipe->{head,tail} limits */ + if (max_slots > (pipe_index_t)-1U) + return 0; + + return size; } /* -- Since pipe_resize_ring() can be called without actually looking at "pipe_max_size" as is the case with watch queues, we can either keep the check in pipe_resize_ring() as well out of paranoia or get rid of it since the current users are within the bounds. Thoughts? > > Oleg. >
On 03/07, K Prateek Nayak wrote: > > On 3/7/2025 8:21 PM, Oleg Nesterov wrote: > >On 03/07, K Prateek Nayak wrote: > >> > >>--- a/fs/pipe.c > >>+++ b/fs/pipe.c > >>@@ -1271,6 +1271,10 @@ int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots) > >> struct pipe_buffer *bufs; > >> unsigned int head, tail, mask, n; > >> > >>+ /* nr_slots larger than limits of pipe->{head,tail} */ > >>+ if (unlikely(nr_slots > (pipe_index_t)-1u)) > >>+ return -EINVAL; > > > >The whole series look "obviously" good to me, > > > >Reviewed-by: Oleg Nesterov <oleg@redhat.com> So, in case it wasn't clear, you could safely ignore everything else below ;) > >pipe_resize_ring() has another caller, watch_queue_set_size(), but it has > >its own hard limits... > > "nr_notes" for watch queues cannot cross 512 so we should be covered there. Yes, yes, this is what I meant, > As for round_pipe_size(), we can do: > > diff --git a/fs/pipe.c b/fs/pipe.c > index ce1af7592780..f82098aaa510 100644 > --- a/fs/pipe.c > +++ b/fs/pipe.c > @@ -1253,6 +1253,8 @@ const struct file_operations pipefifo_fops = { > */ > unsigned int round_pipe_size(unsigned int size) > { > + unsigned int max_slots; > + > if (size > (1U << 31)) > return 0; > @@ -1260,7 +1262,14 @@ unsigned int round_pipe_size(unsigned int size) > if (size < PAGE_SIZE) > return PAGE_SIZE; > - return roundup_pow_of_two(size); > + size = roundup_pow_of_two(size); > + max_slots = size >> PAGE_SHIFT; > + > + /* Max slots cannot be covered pipe->{head,tail} limits */ > + if (max_slots > (pipe_index_t)-1U) > + return 0; Sure, this will work, but still it doesn't look clear/clean to me. But no, no, I don't blame your suggestion. To me, round_pipe_size() looks confusing with or without the changes we discuss. Why does it use "1U << 31" as a maximum size? OK, this is because that "1 << 31" is the maximum power-of-2 which can fit into u32. But, even if this code assumes that pipe->head/tail are u32, why this restriction? Most probably I missed something, but I don't understand. > Since pipe_resize_ring() can be called without actually looking at > "pipe_max_size" Again, only if the caller is watch_queue_set_size(), but it has its own hard limit. So. I won't argue either way. Whatever looks better to you. My ack still stands. Sorry for (yet another) confusing and almost off-topic email from me. Oleg.
diff --git a/fs/pipe.c b/fs/pipe.c index 4d0799e4e719..88e81f84e3ea 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -1271,6 +1271,10 @@ int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots) struct pipe_buffer *bufs; unsigned int head, tail, mask, n; + /* nr_slots larger than limits of pipe->{head,tail} */ + if (unlikely(nr_slots > (pipe_index_t)-1u)) + return -EINVAL; + bufs = kcalloc(nr_slots, sizeof(*bufs), GFP_KERNEL_ACCOUNT | __GFP_NOWARN); if (unlikely(!bufs))
Limit the number of slots in pipe_resize_ring() to the maximum value representable by pipe->{head,tail}. Values beyond the max limit can lead to incorrect pipe occupancy related calculations where the pipe will never appear full. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: K Prateek Nayak <kprateek.nayak@amd.com> --- Changelog: RFC v1..v2: o Use (pipe_index_t)-1u as the limit instead of BITS_PER_TYPE() hackery. (Oleg) o Added the "Suggested-by:" tag. --- fs/pipe.c | 4 ++++ 1 file changed, 4 insertions(+)