On 19/09/2019 19.19, syzbot wrote: > Hello, > > syzbot found the following crash on: > > HEAD commit: 288b9117 Add linux-next specific files for 20190918 > git tree: linux-next > console output: https://syzkaller.appspot.com/x/log.txt?x=17e86645600000 > kernel config: https://syzkaller.appspot.com/x/.config?x=f6126e51304ef1c3 > dashboard link: > https://syzkaller.appspot.com/bug?extid=3c01db6025f26530cf8d > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11855769600000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=143580a1600000 > > The bug was bisected to: > > commit cfb864757d8690631aadf1c4b80022c18ae865b3 > Author: Darrick J. Wong <darrick.wong@xxxxxxxxxx> > Date: Tue Sep 17 16:05:22 2019 +0000 > > splice: only read in as much information as there is pipe buffer space The middle hunk (the one before splice_pipe_to_pipe()) accesses opipe->{buffers, nrbufs}, but opipe is not locked at that point. So maybe we end up passing len==0, which seems (once there's room in opipe) it would put a zero-length pipe_buffer in opipe - and that probably violates an invariant somewhere. But does the splice_pipe_to_pipe() case even need that extra logic? Doesn't it handle short writes correctly already? Rasmus
