Linux-Fsdevel Archive on lore.kernel.org
* Re: [PATCH] block: allow for_each_bvec to support zero len bvec
From: Tetsuo Handa @ 2020-08-27 13:27 UTC
  To: Jens Axboe, Al Viro, David Howells
  Cc: Ming Lei, linux-block, Matthew Wilcox, linux-fsdevel

Jens or Al, will you pick up
"[PATCH V2] block: allow for_each_bvec to support zero len bvec"
( https://lkml.kernel.org/r/20200817100055.2495905-1-ming.lei@redhat.com )
which needs to be backported to 5.5+ kernels in order to avoid a DoS attack
by a local unprivileged user?

David, is the patch shown below (which should be backported to 5.5+ kernels)
correct? Is splice_from_pipe_next() the better location to check?
Are there other consumers which need to do the same thing?

From 60c3e828f9d8279752865d80411c9b19dbe5c35c Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Thu, 27 Aug 2020 22:17:02 +0900
Subject: [PATCH] splice: fix premature end of input detection

splice() from pipe should return 0 when there is no pipe writer. However,
since commit a194dfe6e6f6f720 ("pipe: Rearrange sequence in pipe_write()
to preallocate slot") started inserting empty pages, splice() from pipe
also returns 0 when all ready buffers are empty pages. Since such behavior
might confuse splice() users, let's fix it by waiting for non-empty pages
before building the vector.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Fixes: a194dfe6e6f6f720 ("pipe: Rearrange sequence in pipe_write() to preallocate slot")
Cc: stable@vger.kernel.org # 5.5+
---
 fs/splice.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/fs/splice.c b/fs/splice.c
index d7c8a7c4db07..52daa5fea879 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -724,6 +724,19 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 		tail = pipe->tail;
 		mask = pipe->ring_size - 1;
 
+		/* dismiss the empty buffers */
+		while (!pipe_empty(head, tail)) {
+			struct pipe_buffer *buf = &pipe->bufs[tail & mask];
+
+			if (likely(buf->len))
+				break;
+			pipe_buf_release(pipe, buf);
+			pipe->tail = ++tail;
+		}
+		/* wait again if all buffers were empty */
+		if (unlikely(pipe_empty(head, tail)))
+			continue;
+
 		/* build the vector */
 		left = sd.total_len;
 		for (n = 0; !pipe_empty(head, tail) && left && n < nbufs; tail++, n++) {
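Review bot: in the added "while (!pipe_empty(head, tail))" loop, each pipe_buf_release(pipe, buf) followed by "pipe->tail = ++tail" frees a ring slot, but nothing in the hunk records that space became available or wakes a writer before the "continue". If the ring can be full of zero-length buffers, a blocked writer depends on whatever the top of the loop does, so please either signal the freed slots here or state in the "wait again if all buffers were empty" comment which path performs the wakeup. The check is also local to iter_file_splice_write(); as the cover text itself asks, placing it in splice_from_pipe_next() would let other splice-from-pipe consumers skip empty buffers too, and the changelog should say why this location was chosen.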
-- 
2.18.4

