Unverified Commit 44f6f535 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!8222 Fix CVE-2023-52672

Merge Pull Request from: @ci-robot 
 
PR sync from: Zizhi Wo <wozizhi@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/O5U2GEUPG2UDIFK66RNQW7VSK46ZA4VR/ 
Fix CVE-2023-52672.

Lukas Schauer (1):
  pipe: wakeup wr_wait after setting max_usage

Max Kellermann (1):
  fs/pipe: move check to pipe_has_watch_queue()


-- 
2.39.2
 
https://gitee.com/src-openeuler/kernel/issues/I9Q9EU 
 
Link:https://gitee.com/openeuler/kernel/pulls/8222

 

Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
parents b72cff81 80e0afe1
+8 −11
@@ -435,12 +435,10 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
		goto out;
	}

#ifdef CONFIG_WATCH_QUEUE
	if (pipe->watch_queue) {
	if (pipe_has_watch_queue(pipe)) {
		ret = -EXDEV;
		goto out;
	}
#endif

	/*
	 * If it wasn't empty we try to merge new data into
@@ -1304,6 +1302,11 @@ int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots)
	pipe->tail = tail;
	pipe->head = head;

	if (!pipe_has_watch_queue(pipe)) {
		pipe->max_usage = nr_slots;
		pipe->nr_accounted = nr_slots;
	}

	spin_unlock_irq(&pipe->rd_wait.lock);

	/* This might have made more room for writers */
@@ -1321,10 +1324,8 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
	unsigned int nr_slots, size;
	long ret = 0;

#ifdef CONFIG_WATCH_QUEUE
	if (pipe->watch_queue)
	if (pipe_has_watch_queue(pipe))
		return -EBUSY;
#endif

	size = round_pipe_size(arg);
	nr_slots = size >> PAGE_SHIFT;
@@ -1357,8 +1358,6 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
	if (ret < 0)
		goto out_revert_acct;

	pipe->max_usage = nr_slots;
	pipe->nr_accounted = nr_slots;
	return pipe->max_usage * PAGE_SIZE;

out_revert_acct:
@@ -1377,10 +1376,8 @@ struct pipe_inode_info *get_pipe_info(struct file *file, bool for_splice)

	if (file->f_op != &pipefifo_fops || !pipe)
		return NULL;
#ifdef CONFIG_WATCH_QUEUE
	if (for_splice && pipe->watch_queue)
	if (for_splice && pipe_has_watch_queue(pipe))
		return NULL;
#endif
	return pipe;
}
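Review bot: The new `if (!pipe_has_watch_queue(pipe))` block in pipe_resize_ring() carries no comment, yet its position is the whole fix: max_usage and nr_accounted are now written while rd_wait.lock is still held, ahead of the "This might have made more room for writers" step that follows the unlock. Without a why-comment, a later cleanup could move the assignments back into pipe_set_size(), where this commit removed them, and reintroduce the ordering problem the commit title describes (presumably a writer woken before it can see the larger max_usage). I would add above the block something like `/* Publish the new limits before wr_wait is woken; watch-queue pipes are skipped here (presumably sized by their own caller - confirm) */`. pipe_resize_ring() starts and ends outside the hunk, so the wake-up call itself is not visible here.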

+16 −0
@@ -124,6 +124,22 @@ struct pipe_buf_operations {
	bool (*get)(struct pipe_inode_info *, struct pipe_buffer *);
};

/**
 * pipe_has_watch_queue - Check whether the pipe is a watch_queue,
 * i.e. it was created with O_NOTIFICATION_PIPE
 * @pipe: The pipe to check
 *
 * Return: true if pipe is a watch queue, false otherwise.
 */
static inline bool pipe_has_watch_queue(const struct pipe_inode_info *pipe)
{
#ifdef CONFIG_WATCH_QUEUE
	return pipe->watch_queue != NULL;
#else
	return false;
#endif
}

/**
 * pipe_empty - Return true if the pipe is empty
 * @head: The pipe ring head pointer