Unverified Commit cf3d0c54 authored by K Prateek Nayak's avatar K Prateek Nayak Committed by Christian Brauner
Browse files

fs/pipe: Limit the slots in pipe_resize_ring() 



Limit the number of slots in pipe_resize_ring() to the maximum value
representable by pipe->{head,tail}. Values beyond the max limit can
lead to incorrect pipe occupancy related calculations where the pipe
will never appear full.

Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: default avatarK Prateek Nayak <kprateek.nayak@amd.com>
Link: https://lore.kernel.org/r/20250307052919.34542-2-kprateek.nayak@amd.com


Reviewed-by: default avatarOleg Nesterov <oleg@redhat.com>
Signed-off-by: default avatarChristian Brauner <brauner@kernel.org>
parent 00a7d398

fs/pipe.c

+4 −0
Original line number Diff line number Diff line
@@ -1271,6 +1271,10 @@ int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots) 
	struct pipe_buffer *bufs;

	unsigned int head, tail, mask, n;



	/* nr_slots larger than limits of pipe->{head,tail} */

	if (unlikely(nr_slots > (pipe_index_t)-1u))

		return -EINVAL;



	bufs = kcalloc(nr_slots, sizeof(*bufs),

		       GFP_KERNEL_ACCOUNT | __GFP_NOWARN);

	if (unlikely(!bufs))