Jens or Al, will you pick up "[PATCH V2] block: allow for_each_bvec to support zero len bvec" ( https://lkml.kernel.org/r/20200817100055.2495905-1-ming.lei@xxxxxxxxxx ), which needs to be backported to 5.5+ kernels in order to avoid a DoS attack by a local unprivileged user?

David, is the patch shown below (which should be backported to 5.5+ kernels) correct? Is splice_from_pipe_next() the better location to check? Are there other consumers which need to do the same thing?

From 60c3e828f9d8279752865d80411c9b19dbe5c35c Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 27 Aug 2020 22:17:02 +0900
Subject: [PATCH] splice: fix premature end of input detection

splice() from pipe should return 0 when there is no pipe writer. However, since commit a194dfe6e6f6f720 ("pipe: Rearrange sequence in pipe_write() to preallocate slot") started inserting empty pages, splice() from pipe also returns 0 when all ready buffers are empty pages. Since such behavior might confuse splice() users, let's fix it by waiting for non-empty pages before building the vector.

Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
Fixes: a194dfe6e6f6f720 ("pipe: Rearrange sequence in pipe_write() to preallocate slot")
Cc: stable@xxxxxxxxxxxxxxx # 5.5+
---
 fs/splice.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/fs/splice.c b/fs/splice.c
index d7c8a7c4db07..52daa5fea879 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -724,6 +724,19 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out, tail = pipe->tail; mask = pipe->ring_size - 1; + /* dismiss the empty buffers */ + while (!pipe_empty(head, tail)) { + struct pipe_buffer *buf = &pipe->bufs[tail & mask]; + + if (likely(buf->len)) + break; + pipe_buf_release(pipe, buf); + pipe->tail = ++tail; + } + /* wait again if all buffers were empty */ + if (unlikely(pipe_empty(head, tail))) + continue; + /* build the vector */ left = sd.total_len; for (n = 0; !pipe_empty(head, tail) && left && n < nbufs; tail++, n++) { -- 2.18.4
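Review bot: the "dismiss the empty buffers" loop releases buffers and advances `pipe->tail`, yet nothing in the hunk signals a writer wakeup before `continue` returns to splice_from_pipe_next(), so a writer sleeping on a full ring may stay blocked although slots were just freed; set `sd.need_wakeup = true` after moving the tail, as the consumption path later in this function does when it advances `pipe->tail`. Second, the loop strips only leading empty buffers: an empty buffer that follows a non-empty one still enters the vector built by the `for` loop as a zero-length entry, so this change still relies on the for_each_bvec zero-length fix cited in the mail, and that dependency should be stated in the commit message. Finally, since the mail itself asks whether other consumers need the same treatment, doing the skip inside splice_from_pipe_next(), which already owns the empty-pipe wait, would cover every splice_from_pipe() caller instead of only iter_file_splice_write().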