From: Edward Adam Davis
To: syzbot+d2125fcb6aa8c4276fd2@syzkaller.appspotmail.com
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
Date: Wed, 22 May 2024 19:30:37 +0800
X-OQ-MSGID: <20240522113036.2205322-2-eadavis@qq.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <0000000000002fd2de0618de2e65@google.com>
References: <0000000000002fd2de0618de2e65@google.com>

please test null ptr in iter_file_splice_write

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb

diff --git a/fs/splice.c b/fs/splice.c index 60aed8de21f8..db66b8c5fe0d 100644 --- a/fs/splice.c +++ b/fs/splice.c
@@ -751,21 +751,25 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out, /* dismiss the fully eaten buffers, adjust the partial one */ tail = pipe->tail; - while (ret) { + printk("ret: %ld, %s\n", ret, __func__); + while (ret > 0) { struct pipe_buffer *buf = &pipe->bufs[tail & mask]; - if (ret >= buf->len) { - ret -= buf->len; - buf->len = 0; - pipe_buf_release(pipe, buf); - tail++; - pipe->tail = tail; - if (pipe->files) - sd.need_wakeup = true; - } else { - buf->offset += ret; - buf->len -= ret; + if (buf->len > 0) { + if (ret >= (ssize_t)buf->len) { + ret -= buf->len; + buf->len = 0; + pipe_buf_release(pipe, buf); + tail++; + pipe->tail = tail; + if (pipe->files) + sd.need_wakeup = true; + } else { + buf->offset += ret; + buf->len -= ret; + ret = 0; + } + } else ret = 0; - } } } done:
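Review bot: the new `if (buf->len > 0) { ... } else ret = 0;` guard in the dismiss loop masks the symptom rather than the cause. When the loop lands on a buffer with `len == 0` it silently discards whatever is left in `ret` and exits, leaving that entry in the ring with `pipe->tail` not advanced, while the real question, why `ret` can exceed the bytes actually queued in the pipe, stays unanswered; the general protection fault in the subject suggests the loop is reaching an entry it should never touch (`pipe_buf_release(pipe, buf)` on it is the likely crash site), so the bound that belongs here is a check that `tail` has not run past the pipe's valid buffers, not a test on `buf->len`. The loop is still terminated only by `ret`, so with a stale entry whose `len` is non-zero the fault would remain reachable. For a `#syz test` run that is acceptable, but before this goes further: drop the `printk("ret: %ld, %s\n", ret, __func__)` (it fires on every pass of the outer write loop, and `ret` is `ssize_t`, for which `%zd` is the correct specifier, not `%ld`); justify the `(ssize_t)` cast in `ret >= (ssize_t)buf->len`, since `while (ret > 0)` already excludes negative values and the original unsigned comparison was fine; and put `} else ret = 0;` in braces on its own lines to match kernel coding style, as the `if` branch it pairs with is braced.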