Message ID | 157556650320.20869.10314267987837887098.stgit@warthog.procyon.org.uk (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | pipe: Fixes | expand |
On Thu, Dec 5, 2019 at 9:21 AM David Howells <dhowells@redhat.com> wrote: > > An assertion check was added to pipe_poll() to make sure that the ring > occupancy isn't seen to overflow the ring size. However, since no locks > are held when the three values are read, it is possible for F_SETPIPE_SZ to > intervene and muck up the calculation, thereby causing the oops. > > Fix this by simply removing the assertion and accepting that the > calculation might be approximate. This is not what the patch actually does. The patch you sent only adds the wakeup when the pipe size changes. Please re-generate both patches and re-send. Linus
diff --git a/fs/pipe.c b/fs/pipe.c index 648ce440ca85..5f89f73d4366 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -1176,6 +1176,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg) pipe->max_usage = nr_slots; pipe->tail = tail; pipe->head = head; + wake_up_interruptible_all(&pipe->wait); return pipe->max_usage * PAGE_SIZE; out_revert_acct:
An assertion check was added to pipe_poll() to make sure that the ring occupancy isn't seen to overflow the ring size. However, since no locks are held when the three values are read, it is possible for F_SETPIPE_SZ to intervene and muck up the calculation, thereby causing the oops. Fix this by simply removing the assertion and accepting that the calculation might be approximate. Note that the previous code also had a similar issue, though there was no assertion check, since the occupancy counter and the ring size were not read with a lock held, so it's possible that the poll check might have malfunctioned then too. Also wake up all the waiters so that they can reissue their checks if there was a competing read or write. Fixes: 8cefc107ca54 ("pipe: Use head and tail pointers for the ring, not cursor and length") Reported-by: syzbot+d37abaade33a934f16f2@syzkaller.appspotmail.com Signed-off-by: David Howells <dhowells@redhat.com> cc: Eric Biggers <ebiggers@kernel.org> --- fs/pipe.c | 1 + 1 file changed, 1 insertion(+)