On 19/09/2019 19.19, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 288b9117 Add linux-next specific files for 20190918
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=17e86645600000
> kernel config: https://syzkaller.appspot.com/x/.config?x=f6126e51304ef1c3
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=3c01db6025f26530cf8d
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11855769600000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=143580a1600000
>
> The bug was bisected to:
>
> commit cfb864757d8690631aadf1c4b80022c18ae865b3
> Author: Darrick J. Wong <[email protected]>
> Date: Tue Sep 17 16:05:22 2019 +0000
>
> splice: only read in as much information as there is pipe buffer space
The middle hunk (the one before splice_pipe_to_pipe()) accesses
opipe->{buffers, nrbufs}, but opipe is not locked at that point. So
maybe we end up passing len==0, which seems (once there's room in opipe)
it would put a zero-length pipe_buffer in opipe - and that probably
violates an invariant somewhere.
But does the splice_pipe_to_pipe() case even need that extra logic?
Doesn't it handle short writes correctly already?
Rasmus
