Re: [PATCH] fix: general protection fault in iter_file_splice_write

From: Daniel Yang
Date: Mon Nov 04 2024 - 11:55:21 EST

Next message: Rafael J. Wysocki: "Re: [PATCH v2] ACPI: processor: Move arch_init_invariance_cppc() call later"
Previous message: Anton Ivanov: "Re: [PATCH 2/4] um: ubd: Do not use drvdata in release"
In reply to: Jan Kara: "Re: [PATCH] fix: general protection fault in iter_file_splice_write"
Next in thread: Al Viro: "Re: [PATCH] fix: general protection fault in iter_file_splice_write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> > - pipe_buf_release(pipe, buf);
> > + if (buf->ops)
> > + pipe_buf_release(pipe, buf);
>
> Umm, already released pipe buf? How would it get here?

If you're talking about the pipe_buf_release before the if statement,
that line is a - not a + so I basically just added the if statement
before release to check that buf->ops does not get deterrences in
pipe_buf_release while null. It's the same two lines as when pipe is
released in splice_direct_to_actor.

> We have filled the
> buffers shortly before so IMHO it indicates some deeper problem. Can you
> please explain a bit more?

I just worked off of this crash log:
https://syzkaller.appspot.com/text?tag=CrashReport&x=16adfaa7980000

If the buffer is filled before, does that mean the issue would be in
do_send_file or do_splice_direct?

Next message: Rafael J. Wysocki: "Re: [PATCH v2] ACPI: processor: Move arch_init_invariance_cppc() call later"
Previous message: Anton Ivanov: "Re: [PATCH 2/4] um: ubd: Do not use drvdata in release"
In reply to: Jan Kara: "Re: [PATCH] fix: general protection fault in iter_file_splice_write"
Next in thread: Al Viro: "Re: [PATCH] fix: general protection fault in iter_file_splice_write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]