From patchwork Fri Mar 18 19:42:58 2016
X-Patchwork-Submitter: Steven Rostedt
X-Patchwork-Id: 8623571
Date: Fri, 18 Mar 2016 15:42:58 -0400
From: Steven Rostedt
To: Rabin Vincent
Cc: viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] splice: handle zero nr_pages in splice_to_pipe()
Message-ID: <20160318154258.414072c3@gandalf.local.home>
In-Reply-To: <1457641146-9068-1-git-send-email-rabin@rab.in>
References: <1457641146-9068-1-git-send-email-rabin@rab.in>

On Thu, 10 Mar 2016 21:19:06 +0100
Rabin Vincent wrote:

> Running the following command:
>
>  busybox cat /sys/kernel/debug/tracing/trace_pipe > /dev/null
>
> with any tracing enabled pretty very quickly leads to various NULL
> pointer dereferences and VM BUG_ON()s, such as these:
>
>  BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
>  IP: [] generic_pipe_buf_release+0xc/0x40
>  Call Trace:
>   [] splice_direct_to_actor+0x143/0x1e0
>   [] ? generic_pipe_buf_nosteal+0x10/0x10
>   [] do_splice_direct+0x8f/0xb0
>   [] do_sendfile+0x199/0x380
>   [] SyS_sendfile64+0x90/0xa0
>   [] entry_SYSCALL_64_fastpath+0x12/0x6d
>
>  page dumped because: VM_BUG_ON_PAGE(atomic_read(&page->_count) == 0)
>  kernel BUG at include/linux/mm.h:367!
>  invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
>  RIP: [] generic_pipe_buf_release+0x3c/0x40
>  Call Trace:
>   [] splice_direct_to_actor+0x143/0x1e0
>   [] ? generic_pipe_buf_nosteal+0x10/0x10
>   [] do_splice_direct+0x8f/0xb0
>   [] do_sendfile+0x199/0x380
>   [] SyS_sendfile64+0x90/0xa0
>   [] tracesys_phase2+0x84/0x89
>
> (busybox's cat uses sendfile(2), unlike the coreutils version)

Ouch!

>
> This is because tracing_splice_read_pipe() can call splice_to_pipe()
> with spd->nr_pages == 0. spd_pages underflows in splice_to_pipe() and
> we fill the page pointers and the other fields of the pipe_buffers with
> garbage.
>
> All other callers of splice_to_pipe() avoid calling it when nr_pages ==
> 0, and we could make tracing_splice_read_pipe() do that too, but it
> seems reasonable to have splice_to_page() handle this condition
> gracefully.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Rabin Vincent
> ---

I think this should definitely be applied, but it's not my code to
apply it. I'll add this to make sure that trace_pipe is not the cause
anymore:

-- Steve

diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 0ae46048f724..cb2b708e4ea7 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -4954,7 +4954,10 @@ static ssize_t tracing_splice_read_pipe(struct file *filp, spd.nr_pages = i; - ret = splice_to_pipe(pipe, &spd); + if (i) + ret = splice_to_pipe(pipe, &spd); + else + ret = 0; out: splice_shrink_spd(&spd); return ret;
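
Review bot: the new `if (i)` / `else ret = 0;` pair after `spd.nr_pages = i;` carries no comment saying why `i` can be zero at this point or why `splice_to_pipe()` must be skipped in that case, so a later cleanup could fold it back into the unconditional call. A one-line comment above `if (i)` noting that `splice_to_pipe()` must not be handed `nr_pages == 0` would record the reason next to the check. It would also help to state in the changelog that 0 is the intended return for the empty case, since that value goes straight through `out:` to `return ret`; the `splice_shrink_spd(&spd)` cleanup still runs on both branches, which is correct.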