From patchwork Thu Mar 10 20:19:06 2016
X-Patchwork-Submitter: Rabin Vincent
X-Patchwork-Id: 8559921
From: Rabin Vincent
To: viro@zeniv.linux.org.uk, Steven Rostedt
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Rabin Vincent
Subject: [PATCH] splice: handle zero nr_pages in splice_to_pipe()
Date: Thu, 10 Mar 2016 21:19:06 +0100
Message-Id: <1457641146-9068-1-git-send-email-rabin@rab.in>

Running the following command:

  busybox cat /sys/kernel/debug/tracing/trace_pipe > /dev/null

with any tracing enabled very quickly leads to various NULL pointer
dereferences and VM BUG_ON()s, such as these:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
  IP: [] generic_pipe_buf_release+0xc/0x40
  Call Trace:
   [] splice_direct_to_actor+0x143/0x1e0
   [] ? generic_pipe_buf_nosteal+0x10/0x10
   [] do_splice_direct+0x8f/0xb0
   [] do_sendfile+0x199/0x380
   [] SyS_sendfile64+0x90/0xa0
   [] entry_SYSCALL_64_fastpath+0x12/0x6d

  page dumped because: VM_BUG_ON_PAGE(atomic_read(&page->_count) == 0)
  kernel BUG at include/linux/mm.h:367!
  invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
  RIP: [] generic_pipe_buf_release+0x3c/0x40
  Call Trace:
   [] splice_direct_to_actor+0x143/0x1e0
   [] ? generic_pipe_buf_nosteal+0x10/0x10
   [] do_splice_direct+0x8f/0xb0
   [] do_sendfile+0x199/0x380
   [] SyS_sendfile64+0x90/0xa0
   [] tracesys_phase2+0x84/0x89

(busybox's cat uses sendfile(2), unlike the coreutils version)

This is because tracing_splice_read_pipe() can call splice_to_pipe()
with spd->nr_pages == 0.  spd_pages underflows in splice_to_pipe() and
we fill the page pointers and the other fields of the pipe_buffers
with garbage.
All other callers of splice_to_pipe() avoid calling it when nr_pages ==
0, and we could make tracing_splice_read_pipe() do that too, but it
seems reasonable to have splice_to_pipe() handle this condition
gracefully.

Cc: stable@vger.kernel.org
Signed-off-by: Rabin Vincent
Reviewed-by: Christoph Hellwig
---
 fs/splice.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/splice.c b/fs/splice.c index 82bc0d64fc38..19e0b103d253 100644 --- a/fs/splice.c +++ b/fs/splice.c @@ -185,6 +185,9 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe, unsigned int spd_pages = spd->nr_pages; int ret, do_wakeup, page_nr; + if (!spd_pages) + return 0; + ret = 0; do_wakeup = 0; page_nr = 0;
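Review bot: the early `return 0` sits at the very top of splice_to_pipe(), before any of the function's setup (the hunk shows it ahead of `ret = 0; do_wakeup = 0; page_nr = 0;`), so a zero-page descriptor is never subjected to whatever the rest of the function checks; in this version of fs/splice.c that includes the pipe_lock()/`pipe->readers` handling, which means an empty splice into a pipe with no readers now returns 0 rather than SIGPIPE/-EPIPE. That is consistent with the other callers that already skip the call entirely when nr_pages == 0, but it deserves a sentence in the commit message so the behaviour change is on record. Minor: the test is on `spd_pages`, the `unsigned int` copy of `spd->nr_pages`; if nr_pages can ever go negative (it is a plain `int` in struct splice_pipe_desc), `!spd_pages` will not catch it, so either check `spd->nr_pages <= 0` or add a WARN_ON_ONCE() to document that zero is the only degenerate value expected.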
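To make the failure mode in the commit message concrete, here is an added userland model of the loop in splice_to_pipe(); it is not the kernel's code and not part of the patch. The struct layouts are trimmed to the fields the loop touches, PIPE_BUFFERS and SPD_MAX are assumed sizes standing in for pipe->buffers and the caller's pages[]/partial[] arrays, and the four-page input is constructed for the demonstration. It shows why nr_pages == 0 is special: the body copies pages[page_nr] before it ever looks at nr_pages, and the post-decrement test `!--spd->nr_pages` goes from 0 to -1 without ever hitting zero, so the loop keeps filling pipe buffers from whatever stale entries follow until the pipe is full. The same model run with the patch's early return shows the degenerate call doing nothing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for the model (pipe->buffers and the caller's array size). */
#define PIPE_BUFFERS 16
#define SPD_MAX      4

struct partial_page { unsigned int offset, len; };

struct pipe_buffer {
    const void *page;            /* struct page * in the kernel */
    unsigned int offset, len;
};

struct splice_pipe_desc {
    const void **pages;
    struct partial_page *partial;
    int nr_pages;                /* entries the caller actually filled in */
};

struct pipe_model {
    struct pipe_buffer bufs[PIPE_BUFFERS];
    unsigned int nrbufs;
    unsigned int buffers;
};

struct splice_result {
    long ret;                    /* bytes "spliced", what the function returns */
    unsigned int nrbufs;         /* pipe buffers filled by this call */
    unsigned int overrun_reads;  /* pages[]/partial[] reads at index >= nr_pages */
};

static struct splice_result splice_to_pipe_model(struct pipe_model *pipe,
                                                 struct splice_pipe_desc *spd,
                                                 int with_fix)
{
    struct splice_result res = { 0, 0, 0 };
    unsigned int spd_pages = spd->nr_pages;     /* saved copy, as in fs/splice.c */
    unsigned int page_nr = 0;

    if (with_fix && !spd_pages)                 /* the patch's early return */
        return res;

    while (pipe->nrbufs < pipe->buffers) {
        struct pipe_buffer *buf = &pipe->bufs[pipe->nrbufs];

        /* The body consumes pages[page_nr] before nr_pages is consulted, so
         * with nr_pages == 0 the first iteration already reads an entry the
         * caller never filled in (stale data in the real arrays). */
        if (page_nr >= spd_pages)
            res.overrun_reads++;

        if (page_nr < SPD_MAX) {
            buf->page   = spd->pages[page_nr];
            buf->offset = spd->partial[page_nr].offset;
            buf->len    = spd->partial[page_nr].len;
        } else {
            /* Beyond the model's own small array: clamp so the model stays
             * memory-safe while still counting the read. */
            buf->page = NULL;
            buf->offset = 0;
            buf->len = 0;
        }
        pipe->nrbufs++;
        page_nr++;
        res.ret += buf->len;

        /* nr_pages is an int: 0 - 1 == -1 is nonzero, so for an empty
         * descriptor this break never fires and only a full pipe stops us. */
        if (!--spd->nr_pages)
            break;
    }
    res.nrbufs = pipe->nrbufs;
    return res;
}

/* Constructed input: four pages of 100, 200, 300 and 400 bytes. */
struct splice_result run_scenario(int nr_pages, int with_fix)
{
    static const char backing[SPD_MAX][8];      /* stand-ins for struct page */
    const void *pages[SPD_MAX] = { backing[0], backing[1], backing[2], backing[3] };
    struct partial_page partial[SPD_MAX] = {
        { 0, 100 }, { 0, 200 }, { 0, 300 }, { 0, 400 }
    };
    struct splice_pipe_desc spd = { pages, partial, nr_pages };
    struct pipe_model pipe;

    memset(&pipe, 0, sizeof(pipe));
    pipe.buffers = PIPE_BUFFERS;
    return splice_to_pipe_model(&pipe, &spd, with_fix);
}

int main(void)
{
    struct splice_result bug = run_scenario(0, 0);
    struct splice_result fix = run_scenario(0, 1);
    struct splice_result ok  = run_scenario(2, 0);

    printf("nr_pages=0 unpatched: ret=%ld nrbufs=%u overrun_reads=%u\n",
           bug.ret, bug.nrbufs, bug.overrun_reads);
    printf("nr_pages=0 patched:   ret=%ld nrbufs=%u overrun_reads=%u\n",
           fix.ret, fix.nrbufs, fix.overrun_reads);
    printf("nr_pages=2:           ret=%ld nrbufs=%u overrun_reads=%u\n",
           ok.ret, ok.nrbufs, ok.overrun_reads);
    return 0;
}
```

In the unpatched zero-page run every one of the sixteen pipe slots is filled from an index the caller never populated, which is exactly the garbage page pointer that generic_pipe_buf_release() later trips over in the traces above; with the early return the call touches nothing and returns 0, and a normal two-page descriptor behaves identically with or without the fix.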