Date: Fri, 18 Mar 2016 15:42:58 -0400
From: Steven Rostedt
To: Rabin Vincent
Cc: viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] splice: handle zero nr_pages in splice_to_pipe()
Message-ID: <20160318154258.414072c3@gandalf.local.home>
In-Reply-To: <1457641146-9068-1-git-send-email-rabin@rab.in>
References: <1457641146-9068-1-git-send-email-rabin@rab.in>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.29; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 10 Mar 2016 21:19:06 +0100
Rabin Vincent wrote:

> Running the following command:
>
> busybox cat /sys/kernel/debug/tracing/trace_pipe > /dev/null
>
> with any tracing enabled very quickly leads to various NULL
> pointer dereferences and VM BUG_ON()s, such as these:
>
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
> IP: [] generic_pipe_buf_release+0xc/0x40
> Call Trace:
> [] splice_direct_to_actor+0x143/0x1e0
> [] ? generic_pipe_buf_nosteal+0x10/0x10
> [] do_splice_direct+0x8f/0xb0
> [] do_sendfile+0x199/0x380
> [] SyS_sendfile64+0x90/0xa0
> [] entry_SYSCALL_64_fastpath+0x12/0x6d
>
> page dumped because: VM_BUG_ON_PAGE(atomic_read(&page->_count) == 0)
> kernel BUG at include/linux/mm.h:367!
> invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> RIP: [] generic_pipe_buf_release+0x3c/0x40
> Call Trace:
> [] splice_direct_to_actor+0x143/0x1e0
> [] ? generic_pipe_buf_nosteal+0x10/0x10
> [] do_splice_direct+0x8f/0xb0
> [] do_sendfile+0x199/0x380
> [] SyS_sendfile64+0x90/0xa0
> [] tracesys_phase2+0x84/0x89
>
> (busybox's cat uses sendfile(2), unlike the coreutils version)

Ouch!

> This is because tracing_splice_read_pipe() can call splice_to_pipe()
> with spd->nr_pages == 0. spd_pages underflows in splice_to_pipe() and
> we fill the page pointers and the other fields of the pipe_buffers with
> garbage.
>
> All other callers of splice_to_pipe() avoid calling it when nr_pages ==
> 0, and we could make tracing_splice_read_pipe() do that too, but it
> seems reasonable to have splice_to_pipe() handle this condition
> gracefully.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Rabin Vincent
> ---

I think this should definitely be applied, but it's not my code to apply
it.

I'll add this to make sure that trace_pipe is not the cause anymore:

-- Steve

diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 0ae46048f724..cb2b708e4ea7 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -4954,7 +4954,10 @@ static ssize_t tracing_splice_read_pipe(struct file *filp,
 	spd.nr_pages = i;
-	ret = splice_to_pipe(pipe, &spd);
+	if (i)
+		ret = splice_to_pipe(pipe, &spd);
+	else
+		ret = 0;
 out:
 	splice_shrink_spd(&spd);
 	return ret;
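Review bot: the `else ret = 0;` branch needs a comment saying why `i` can be zero here and that returning 0 (an empty result to the sendfile caller) is the intended behaviour in that case; the quoted commit message already explains the condition (tracing_splice_read_pipe() finding no pages to hand to splice_to_pipe()), so a one-line comment above `if (i)` pointing at it would make the guard self-explanatory to the next reader of trace.c. Since `spd.nr_pages = i;` sits directly above, the same intent could also be expressed as a test on `spd.nr_pages`, which keeps the check tied to the field splice_to_pipe() actually consumes.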
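The underflow the quoted commit message describes, as an added, constructed model that is neither the kernel's code nor either author's: a loop that stops on a pre-decremented unsigned nr_pages, with and without the early return the patch proposes. It assumes a 16-slot pipe, leaves out the actual copy, and uses pages_valid to stand in for how many entries of spd->pages[] were really filled.

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed model of the page loop in splice_to_pipe() (not the kernel's
 * code): the pipe has room for PIPE_BUFFERS buffers, the loop hands one page
 * per iteration to the pipe, and it stops when the pipe is full or when the
 * unsigned nr_pages counter reaches zero through a pre-decrement. */
#define PIPE_BUFFERS 16

struct splice_result {
    unsigned int bufs_filled;   /* pipe_buffers the loop wrote */
    bool overran_pages;         /* true if it indexed past spd->pages[] */
};

/* nr_pages: the spd->nr_pages the caller passed in.
 * pages_valid: how many entries of spd->pages[] the caller actually filled.
 * guard: whether the early "nothing to splice" return from the proposed
 * splice_to_pipe() fix is in place. */
static struct splice_result model_splice_to_pipe(unsigned int nr_pages,
                                                 unsigned int pages_valid,
                                                 bool guard)
{
    struct splice_result r = { 0, false };
    unsigned int page_nr = 0;

    if (guard && nr_pages == 0)       /* proposed fix: nothing to do */
        return r;

    while (r.bufs_filled < PIPE_BUFFERS) {
        /* The kernel reads spd->pages[page_nr] here unconditionally; the
         * model only records that the index left the valid region, which
         * is where the garbage page pointers in the report come from. */
        if (page_nr >= pages_valid)
            r.overran_pages = true;
        page_nr++;
        r.bufs_filled++;
        /* With nr_pages == 0 this wraps to UINT_MAX instead of stopping,
         * so the loop keeps going until the pipe is full. */
        if (!--nr_pages)
            break;
    }
    return r;
}
```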