splice: fix racy pipe->buffers uses
commit 047fe36 upstream.

Dave Jones reported a kernel BUG at mm/slub.c:3474! triggered by splice_shrink_spd() called from vmsplice_to_pipe()

commit 35f3d14 (pipe: add support for shrinking and growing pipes) added capability to adjust pipe->buffers.

Problem is some paths don't hold pipe mutex and assume pipe->buffers doesn't change for their duration.

Fix this by adding nr_pages_max field in struct splice_pipe_desc, and use it in place of pipe->buffers where appropriate.

splice_shrink_spd() loses its struct pipe_inode_info argument.

Reported-by: Dave Jones <firstname.lastname@example.org>
Signed-off-by: Eric Dumazet <email@example.com>
Cc: Jens Axboe <firstname.lastname@example.org>
Cc: Alexander Viro <email@example.com>
Cc: Tom Herbert <firstname.lastname@example.org>
Tested-by: Dave Jones <email@example.com>
Signed-off-by: Jens Axboe <firstname.lastname@example.org>
[bwh: Backported to 3.2:
 - Adjust context in vmsplice_to_pipe()
 - Update one more call to splice_shrink_spd(), from skb_splice_bits()]
Signed-off-by: Ben Hutchings <email@example.com>
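The race the commit message describes, as an added example that is not the kernel's code and not part of this commit: a constructed C model of the splice_grow_spd()/splice_shrink_spd() pair. It assumes (from the fs/splice.c of that era, not stated on this page) that the descriptor carries a small on-stack page array of PIPE_DEF_BUFFERS entries and that grow allocates a heap array only when pipe->buffers is larger, so a shrink that re-reads the live pipe->buffers after an unlocked resize either leaks the heap array or hands a stack array to the allocator's free routine. The fixed variant decides from the nr_pages_max snapshot and, like the real fix, no longer takes the pipe argument. All names here (toy_pipe, toy_spd, run_scenario, the shrink_result enum) are hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>

#define PIPE_DEF_BUFFERS 16

/* Constructed stand-in for the capacity field of struct pipe_inode_info. */
struct toy_pipe {
    unsigned int buffers;
};

/* Stand-in for struct splice_pipe_desc: an on-stack array that is swapped
 * for a heap array only when the pipe is larger than the default. */
struct toy_spd {
    void **pages;                        /* stack_pages or a heap array */
    void *stack_pages[PIPE_DEF_BUFFERS];
    unsigned int nr_pages_max;           /* capacity snapshot taken at grow time (the fix) */
};

enum shrink_result {
    SHRINK_KEPT_STACK,   /* nothing to free: correct */
    SHRINK_FREED_HEAP,   /* heap array freed: correct */
    SHRINK_LEAKED_HEAP,  /* heap array left allocated: wrong */
    SHRINK_FREED_STACK   /* would pass a stack array to free(): wrong, the kernel BUGs here */
};

/* Grow: read pipe->buffers exactly once and remember the value read. */
int toy_spd_grow(struct toy_spd *spd, const struct toy_pipe *pipe)
{
    unsigned int n = pipe->buffers;
    spd->nr_pages_max = n;
    if (n <= PIPE_DEF_BUFFERS) {
        spd->pages = spd->stack_pages;
        return 0;
    }
    spd->pages = calloc(n, sizeof(*spd->pages));
    return spd->pages ? 0 : -1;
}

/* Racy shrink, modelled on the pre-fix shape: re-reads the live pipe->buffers. */
enum shrink_result toy_shrink_racy(struct toy_spd *spd, const struct toy_pipe *pipe)
{
    bool on_stack = (spd->pages == spd->stack_pages);
    if (pipe->buffers <= PIPE_DEF_BUFFERS)
        return on_stack ? SHRINK_KEPT_STACK : SHRINK_LEAKED_HEAP;
    if (on_stack)
        return SHRINK_FREED_STACK;       /* reported instead of actually freeing a stack array */
    free(spd->pages);
    spd->pages = spd->stack_pages;
    return SHRINK_FREED_HEAP;
}

/* Fixed shrink: decides from the snapshot, so it needs no pipe argument. */
enum shrink_result toy_shrink_fixed(struct toy_spd *spd)
{
    if (spd->nr_pages_max <= PIPE_DEF_BUFFERS)
        return SHRINK_KEPT_STACK;
    free(spd->pages);
    spd->pages = spd->stack_pages;
    return SHRINK_FREED_HEAP;
}

/* The race, serialised: capacity is `before` at grow time and `after` at shrink time. */
enum shrink_result run_scenario(unsigned int before, unsigned int after, bool fixed)
{
    struct toy_pipe pipe = { before };
    struct toy_spd spd;
    enum shrink_result r;

    if (toy_spd_grow(&spd, &pipe) != 0)
        abort();
    pipe.buffers = after;                /* resize by another task, pipe mutex not held */
    r = fixed ? toy_shrink_fixed(&spd) : toy_shrink_racy(&spd, &pipe);
    if (r == SHRINK_LEAKED_HEAP)
        free(spd.pages);                 /* harness cleanup only; the racy path never does this */
    return r;
}

int main(void)
{
    /* Pipe grown 16 -> 64 between grow and shrink: racy frees the stack array, fixed does not. */
    return (run_scenario(16, 64, false) == SHRINK_FREED_STACK &&
            run_scenario(16, 64, true) == SHRINK_KEPT_STACK) ? 0 : 1;
}
```

The point of the snapshot is not locking but consistency: every decision about the array (how many entries to fill, whether it was heap-allocated, whether to free it) is made against the one value that sized it, so a concurrent resize can only affect later descriptors.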
Showing with 35 additions and 25 deletions.