From: Edward Adam Davis
To: syzbot+d2125fcb6aa8c4276fd2@syzkaller.appspotmail.com
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
Date: Wed, 22 May 2024 21:29:57 +0800
X-OQ-MSGID: <20240522132956.2352659-2-eadavis@qq.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <0000000000002fd2de0618de2e65@google.com>
References: <0000000000002fd2de0618de2e65@google.com>

please test null ptr in iter_file_splice_write

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb

diff --git a/fs/splice.c b/fs/splice.c index 60aed8de21f8..cf5d417b5f66 100644 --- a/fs/splice.c +++ b/fs/splice.c
@@ -751,9 +751,15 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out, /* dismiss the fully eaten buffers, adjust the partial one */ tail = pipe->tail; - while (ret) { + n = 0; + while (ret > 0 && n < nbufs) { struct pipe_buffer *buf = &pipe->bufs[tail & mask]; - if (ret >= buf->len) { + printk("ret: %ld, nbufs: %d, buf len: %lu, n: %d, %s\n", ret, nbufs, buf->len, n, __func__); + if (!buf->len) { + tail++; + continue; + } + if (ret >= (ssize_t)buf->len) { ret -= buf->len; buf->len = 0; pipe_buf_release(pipe, buf); @@ -766,6 +772,7 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out, buf->len -= ret; ret = 0; } + n++; } } done:
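Review bot: In the first hunk, the new `if (!buf->len) { tail++; continue; }` path advances the local `tail` without calling `pipe_buf_release(pipe, buf)`, unlike the fully-consumed branch just below it, so a zero-length buffer is stepped over without its release callback ever running; if empty buffers can really appear here, release them before advancing, or explain in the changelog why they need no release. The `printk` on the same hunk is also a debugging aid rather than part of a fix: it has no log level (use `pr_debug` or a `KERN_*` prefix), it prints `buf->len` with `%lu` although `struct pipe_buffer` stores `len` as `unsigned int` (so `%u`), and `%zd` is the portable specifier for the `ssize_t` `ret`; it should be dropped before this is sent as a real patch.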
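Review bot: In the second hunk, `n++` sits after the if/else at the bottom of the loop body, so the `continue` in the zero-length branch added by the first hunk never reaches it; the new `n < nbufs` bound therefore counts only non-empty buffers, and a run of empty slots can move `tail` further than `nbufs` positions around the ring (`tail & mask` wraps silently). Either increment `n` in the skip path as well or drop the separate counter and bound the loop on the ring occupancy directly, and say in the commit message what the bound is protecting against, since the one-line body ("please test null ptr") does not describe the fault being fixed.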