On Tue, Sep 19, 2023 at 03:55:36PM +0200, Max Kellermann wrote: > On Tue, Sep 19, 2023 at 3:45 PM Christian Brauner <brauner@xxxxxxxxxx> wrote: > > So pipe_buf->private may now contain garbage. > > NULL is just as garbage as the other 2^64-1 possible pointer values. > NULL isn't special here, nobody checks the field for NULL. This field You're changing how the code currently works which is written in a way that ensures all fields are initialized to zero. The fact that currently nothing looks at private is irrelevant. Following your argument below this might very easily be the cause for another CVE when something starts looking at this. Wouldn't it make more sense to have the pipe_buf_init() initialize the whole thing and for the place where it leaves buf->private untouched you can just do: unsigned long private = buf->private pipe_buf_init(buf, page, 0, 0, &anon_pipe_buf_ops, PIPE_BUF_FLAG_CAN_MERGE, private) So just use a compound initializer in pipe_buf_init() just like we do in copy_clone_args_from_user()?
