From: Edward Adam Davis
To: syzbot+d2125fcb6aa8c4276fd2@syzkaller.appspotmail.com
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [fs?] general protection fault in iter_file_splice_write
Date: Thu, 23 May 2024 22:13:00 +0800
X-OQ-MSGID: <20240523141259.2708676-2-eadavis@qq.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <0000000000002fd2de0618de2e65@google.com>
References: <0000000000002fd2de0618de2e65@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

please test null ptr in iter_file_splice_write

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33e02dc69afb

diff --git a/fs/splice.c b/fs/splice.c index 60aed8de21f8..2881e9a7e491 100644 --- a/fs/splice.c +++ b/fs/splice.c
@@ -751,10 +751,19 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out, /* dismiss the fully eaten buffers, adjust the partial one */ tail = pipe->tail; - while (ret) { + n = 0; + while (ret > 0 && n < nbufs) { struct pipe_buffer *buf = &pipe->bufs[tail & mask]; + n++; + if (!buf->len) { + tail++; + continue; + } if (ret >= buf->len) { + printk("ret: %ld, nbufs: %d, buf:%p, buf len: %u, m: %u, t: %u,ring size: %u, t&m: %u, n:%d, %s\n", + ret, nbufs, buf, buf->len, mask, tail, pipe->ring_size, tail & mask, n, __func__); ret -= buf->len; + printk("ret: %ld, %s\n", ret, __func__); buf->len = 0; pipe_buf_release(pipe, buf); tail++;
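Review bot: the new `if (!buf->len) { tail++; continue; }` block advances `tail` past a buffer without calling `pipe_buf_release()`, whereas the original loop released zero-length buffers through the `ret >= buf->len` branch (`ret >= 0` is always true for `buf->len == 0`), so unless such a buffer is guaranteed to hold no page reference this leaks it and leaves an unreleased buffer behind the advanced tail. If the intent is to avoid touching a buffer whose `ops` pointer is NULL (the subject line says "null ptr"), the commit message should say so and the condition should test what is actually suspected rather than `len`. Smaller points in the same hunk: `ret` is `ssize_t`, so the debug `printk` should use `%zd` instead of `%ld`; `%p` prints a hashed pointer value, which is rarely what a debug trace wants; and the `n < nbufs` bound is sound only because `nbufs` is the count of buffers packed into the bio_vec array above, which is worth a one-line comment. Both `printk` lines are debugging output for the syzbot run and need to be dropped before this is proposed as a fix.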