* + fs-pipec-implement-minimum-pipe-size-for-arg==0.patch added to -mm tree
@ 2017-09-28 21:49 akpm
From: akpm @ 2017-09-28 21:49 UTC (permalink / raw)
  To: rdunlap, mtk.manpages, sp3485, viro, mm-commits


The patch titled
     Subject: fs/pipe.c: implement minimum pipe size for arg==0
has been added to the -mm tree.  Its filename is
     fs-pipec-implement-minimum-pipe-size-for-arg==0.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/fs-pipec-implement-minimum-pipe-size-for-arg%3D%3D0.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/fs-pipec-implement-minimum-pipe-size-for-arg%3D%3D0.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Randy Dunlap <rdunlap@infradead.org>
Subject: fs/pipe.c: implement minimum pipe size for arg==0

Shankara reports that running Syzkaller with UBSAN causes this message:
  UBSAN: Undefined behaviour in ./include/linux/log2.h:57:13

Syzkaller is trying to set the pipe size to 0UL. The call chain is:
	pipe_set_size(pipe, 0UL)
	...
	size = round_pipe_size(arg); // arg == 0UL
which does
	nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT; // = 0UL
	return roundup_pow_of_two(nr_pages) << PAGE_SHIFT;
which is undefined when the argument is 0... and which calls
	fls_long(-1) // == 64
and then returns 1UL << 64. This is where UBSAN kicks in.

The fcntl() man page [http://man7.org/linux/man-pages/man2/fcntl.2.html]
says that:
	Attempts to set the pipe capacity below the page size are
	silently rounded up to the page size.

We could try to fix the basic low-level functions to handle 0 (where
<linux/log2.h> says the result is undefined when n == 0), but the safest
path for now is probably just to patch fs/pipe.c to make the documented
default happen when arg is 0.

Link: http://lkml.kernel.org/r/b1c6b6fa-1917-da84-f1f4-0fafd6cac732@infradead.org
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: Shankara Pailoor <sp3485@columbia.edu>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 fs/pipe.c |    2 ++
 1 file changed, 2 insertions(+)

diff -puN fs/pipe.c~fs-pipec-implement-minimum-pipe-size-for-arg==0 fs/pipe.c
--- a/fs/pipe.c~fs-pipec-implement-minimum-pipe-size-for-arg==0
+++ a/fs/pipe.c
@@ -1038,6 +1038,8 @@ static long pipe_set_size(struct pipe_in
 	unsigned long user_bufs;
 	long ret = 0;
 
+	if (!arg)
+		arg = PAGE_SIZE;
 	size = round_pipe_size(arg);
 	nr_pages = size >> PAGE_SHIFT;
 
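Review bot: the clamp is placed in pipe_set_size() only, yet the commit message identifies round_pipe_size() as the function whose result is undefined for 0 (roundup_pow_of_two(0) ends in fls_long(-1) == 64 and a shift by 64), so putting `if (!arg) arg = PAGE_SIZE;` inside round_pipe_size() itself would protect every caller of that helper rather than this one path, and a short comment citing the fcntl(2) rule ("attempts to set the pipe capacity below the page size are silently rounded up to the page size") would document why PAGE_SIZE is the chosen minimum. The substitution is otherwise sound: arg == PAGE_SIZE gives nr_pages == 1, which roundup_pow_of_two() handles, and sizes in 1..PAGE_SIZE were already rounded up by the `(size + PAGE_SIZE - 1) >> PAGE_SHIFT` step, so 0 was the only input reaching the undefined shift.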
_

Patches currently in -mm which might be from rdunlap@infradead.org are

fs-pipec-implement-minimum-pipe-size-for-arg==0.patch
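A userspace model of the call chain the commit message walks through, added here as an illustration and not the kernel's own code: it mirrors round_pipe_size() and the shift count roundup_pow_of_two() would use, reports the arg == 0 case instead of executing the undefined shift, and then applies the patch's guard in front of it. PAGE_SHIFT == 12 (4 KiB pages) and a 64-bit long are assumed.

```c
#include <stdbool.h>

/* Assumed x86-64 values; the kernel defines these per architecture. */
#define PAGE_SHIFT 12UL
#define PAGE_SIZE (1UL << PAGE_SHIFT)
#define BITS_PER_LONG 64

/* Model of fls_long(): 1-based index of the highest set bit, 0 for x == 0.
 * For x == (unsigned long)-1 this is 64, as the commit message states. */
static unsigned int fls_long_model(unsigned long x)
{
	unsigned int r = 0;
	while (x) {
		r++;
		x >>= 1;
	}
	return r;
}

/* roundup_pow_of_two(n) is 1UL << fls_long(n - 1); return only the shift
 * count so the n == 0 case (n - 1 wraps to ULONG_MAX, count 64) is
 * observable without performing the undefined shift. */
static unsigned int roundup_pow_of_two_shift(unsigned long n)
{
	return fls_long_model(n - 1);
}

/* Model of the original round_pipe_size(). Returns false where the real
 * function would execute 1UL << 64 (the UBSAN report); *out is the
 * rounded size otherwise. */
static bool round_pipe_size_model(unsigned long size, unsigned long *out)
{
	unsigned long nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
	unsigned int shift = roundup_pow_of_two_shift(nr_pages);

	if (shift >= BITS_PER_LONG)
		return false;	/* undefined shift, nr_pages was 0 */
	*out = (1UL << shift) << PAGE_SHIFT;
	return true;
}

/* The pipe_set_size() prologue with the patch's guard applied: arg == 0
 * becomes PAGE_SIZE, the documented minimum, before rounding. */
static bool pipe_set_size_model(unsigned long arg, unsigned long *out)
{
	if (!arg)
		arg = PAGE_SIZE;
	return round_pipe_size_model(arg, out);
}
```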

