fs/pipe: Limit the slots in pipe_resize_ring()

Limit the number of slots in pipe_resize_ring() to the maximum value
representable by pipe->{head,tail}. Values beyond the max limit can
lead to incorrect pipe occupancy related calculations where the pipe
will never appear full.

Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: K Prateek Nayak <kprateek.nayak@amd.com>
Link: https://lore.kernel.org/r/20250307052919.34542-2-kprateek.nayak@amd.com
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>

diff --git a/fs/pipe.c b/fs/pipe.c
index 4d0799e4e7196b02df066520669ddc55fb7a6a19..88e81f84e3eaf887989f1a791ce83987d24c75f8 100644 (file)
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1271,6 +1271,10 @@ int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots)
        struct pipe_buffer *bufs;
        unsigned int head, tail, mask, n;
 
+       /* nr_slots larger than limits of pipe->{head,tail} */
+       if (unlikely(nr_slots > (pipe_index_t)-1u))
+               return -EINVAL;
+
        bufs = kcalloc(nr_slots, sizeof(*bufs),
                       GFP_KERNEL_ACCOUNT | __GFP_NOWARN);
        if (unlikely(!bufs))