From: Edward Adam Davis
To: syzbot+d2125fcb6aa8c4276fd2@syzkaller.appspotmail.com
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
Date: Wed, 22 May 2024 18:37:35 +0800
In-Reply-To: <0000000000002fd2de0618de2e65@google.com>
References: <0000000000002fd2de0618de2e65@google.com>

please test null ptr in iter_file_splice_write

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb

diff --git a/fs/splice.c b/fs/splice.c index 60aed8de21f8..4dd684184572 100644 --- a/fs/splice.c +++ b/fs/splice.c
@@ -751,9 +751,9 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out, /* dismiss the fully eaten buffers, adjust the partial one */ tail = pipe->tail; - while (ret) { + while (ret > 0) { struct pipe_buffer *buf = &pipe->bufs[tail & mask]; - if (ret >= buf->len) { + if (ret >= (ssize_t)buf->len) { ret -= buf->len; buf->len = 0; pipe_buf_release(pipe, buf);
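
Review bot: The cast in `if (ret >= (ssize_t)buf->len)` looks unnecessary once the loop condition is `while (ret > 0)`, and it can make things worse. Inside the loop ret is now always positive, so comparing it against an unsigned buf->len (which the cast implies) already gives the right answer; with the cast, a len above the ssize_t maximum would turn negative and the test would pass when it should not. I would keep the `ret > 0` change and drop the cast. Separately, the message says "null ptr", but the hunk only changes sign handling: `&pipe->bufs[tail & mask]` and `pipe_buf_release(pipe, buf)` are still reached with no pointer check, and the loop still has no bound on how far tail may advance. Please say in the description which pointer is NULL in the report and how a non-positive ret reaches this loop, so it is clear the sign check fixes the cause rather than hiding it.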