Re: [PATCH v2 1/4] fs/pipe: Limit the slots in pipe_resize_ring()

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: K Prateek Nayak <kprateek.nayak@amd.com>
To: Oleg Nesterov <oleg@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>,
	<linux-fsdevel@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	Jan Kara <jack@suse.cz>,
	"Matthew Wilcox (Oracle)" <willy@infradead.org>,
	"Mateusz Guzik" <mjguzik@gmail.com>,
	Rasmus Villemoes <ravi@prevas.dk>,
	"Gautham R. Shenoy" <gautham.shenoy@amd.com>,
	<Neeraj.Upadhyay@amd.com>, <Ananth.narayan@amd.com>,
	Swapnil Sapkal <swapnil.sapkal@amd.com>
Subject: Re: [PATCH v2 1/4] fs/pipe: Limit the slots in pipe_resize_ring()
Date: Fri, 7 Mar 2025 21:46:01 +0530	[thread overview]
Message-ID: <7cbc5845-e890-4bf5-9488-cd2496642f7e@amd.com> (raw)
In-Reply-To: <20250307145125.GE5963@redhat.com>

Hello Oleg,

Thank you for the review.

On 3/7/2025 8:21 PM, Oleg Nesterov wrote:
> On 03/07, K Prateek Nayak wrote:
>>
>> --- a/fs/pipe.c
>> +++ b/fs/pipe.c
>> @@ -1271,6 +1271,10 @@ int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots)
>>   	struct pipe_buffer *bufs;
>>   	unsigned int head, tail, mask, n;
>>
>> +	/* nr_slots larger than limits of pipe->{head,tail} */
>> +	if (unlikely(nr_slots > (pipe_index_t)-1u))
>> +		return -EINVAL;
> 
> The whole series look "obviously" good to me,
> 
> Reviewed-by: Oleg Nesterov <oleg@redhat.com>
> 
> -------------------------------------------------------------------------------
> But damn ;) lets look at round_pipe_size(),
> 
> 	unsigned int round_pipe_size(unsigned int size)
> 	{
> 		if (size > (1U << 31))
> 			return 0;
> 
> 		/* Minimum pipe size, as required by POSIX */
> 		if (size < PAGE_SIZE)
> 			return PAGE_SIZE;
> 
> 		return roundup_pow_of_two(size);
> 	}
> 
> it is a bit silly to allow the maximum size == 1U << 31 in pipe_set_size()
> or (more importantly) in /proc/sys/fs/pipe-max-size, and then nack nr_slots
> in pipe_resize_ring().
> 
> So perhaps this check should go into round_pipe_size() ? Although I can't
> suggest a simple/clear check without unnecesary restrictions for the case
> when pipe_index_t is u16.
> 
> pipe_resize_ring() has another caller, watch_queue_set_size(), but it has
> its own hard limits...

"nr_notes" for watch queues cannot cross 512 so we should be covered there.
As for round_pipe_size(), we can do:

diff --git a/fs/pipe.c b/fs/pipe.c
index ce1af7592780..f82098aaa510 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1253,6 +1253,8 @@ const struct file_operations pipefifo_fops = {
   */
  unsigned int round_pipe_size(unsigned int size)
  {
+	unsigned int max_slots;
+
  	if (size > (1U << 31))
  		return 0;
  
@@ -1260,7 +1262,14 @@ unsigned int round_pipe_size(unsigned int size)
  	if (size < PAGE_SIZE)
  		return PAGE_SIZE;
  
-	return roundup_pow_of_two(size);
+	size = roundup_pow_of_two(size);
+	max_slots = size >> PAGE_SHIFT;
+
+	/* Max slots cannot be covered pipe->{head,tail} limits */
+	if (max_slots > (pipe_index_t)-1U)
+		return 0;
+
+	return size;
  }
  
  /*
--

Since pipe_resize_ring() can be called without actually looking at
"pipe_max_size" as is the case with watch queues, we can either keep the
check in pipe_resize_ring() as well out of paranoia or get rid of it
since the current users are within the bounds.

Thoughts?

> 
> Oleg.
> 

-- 
Thanks and Regards,
Prateek

next prev parent reply	other threads:[~2025-03-07 16:16 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-03-07  5:29 [PATCH v2 0/4] pipe: Trivial cleanups K Prateek Nayak
2025-03-07  5:29 ` [PATCH v2 1/4] fs/pipe: Limit the slots in pipe_resize_ring() K Prateek Nayak
2025-03-07 14:51   ` Oleg Nesterov
2025-03-07 16:16     ` K Prateek Nayak [this message]
2025-03-07 22:30       ` Oleg Nesterov
2025-03-07  5:29 ` [PATCH v2 2/4] kernel/watch_queue: Use pipe_buf() to retrieve the pipe buffer K Prateek Nayak
2025-03-07  5:29 ` [PATCH v2 3/4] fs/pipe: Use pipe_buf() helper to retrieve " K Prateek Nayak
2025-03-07  5:29 ` [PATCH v2 4/4] fs/splice: " K Prateek Nayak
2025-03-10  7:59 ` [PATCH v2 0/4] pipe: Trivial cleanups Christian Brauner

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:ce1af759278 dfblob:f82098aaa51 )
 OR (
bs:"Re: [PATCH v2 1/4] fs/pipe: Limit the slots in pipe_resize_ring()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=7cbc5845-e890-4bf5-9488-cd2496642f7e@amd.com \
    --to=kprateek.nayak@amd.com \
    --cc=Ananth.narayan@amd.com \
    --cc=Neeraj.Upadhyay@amd.com \
    --cc=brauner@kernel.org \
    --cc=gautham.shenoy@amd.com \
    --cc=jack@suse.cz \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mjguzik@gmail.com \
    --cc=oleg@redhat.com \
    --cc=ravi@prevas.dk \
    --cc=swapnil.sapkal@amd.com \
    --cc=torvalds@linux-foundation.org \
    --cc=viro@zeniv.linux.org.uk \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox