From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-fsdevel-owner@vger.kernel.org>
Received: from mail.efficios.com ([167.114.142.141]:46641 "EHLO
        mail.efficios.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932571AbdKBSyE (ORCPT
        <rfc822;linux-fsdevel@vger.kernel.org>);
        Thu, 2 Nov 2017 14:54:04 -0400
Date: Thu, 2 Nov 2017 18:54:11 +0000 (UTC)
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
To: Alexander Viro <viro@ZenIV.linux.org.uk>
Cc: linux-kernel <linux-kernel@vger.kernel.org>,
        George Zhang <georgezhang@vmware.com>,
        Andy king <acking@vmware.com>,
        Dmitry Torokhov <dtor@vmware.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>
Message-ID: <1101795050.2326.1509648851686.JavaMail.zimbra@efficios.com>
In-Reply-To: <20171102184612.GL21978@ZenIV.linux.org.uk>
References: <20171031230038.7476-1-mathieu.desnoyers@efficios.com> <20171102184612.GL21978@ZenIV.linux.org.uk>
Subject: Re: [PATCH 1/1] Fix: vmw_vmci driver get_user_pages_fast error
 handling
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID: <linux-fsdevel.vger.kernel.org>

----- On Nov 2, 2017, at 2:46 PM, Alexander Viro viro@ZenIV.linux.org.uk wrote:

> On Tue, Oct 31, 2017 at 07:00:38PM -0400, Mathieu Desnoyers wrote:
>> Comparing a signed return value against an unsigned num_pages
>> field performs the comparison as "unsigned", and therefore mistakenly
>> considers get_user_pages_fast() errors as success.
> 
> It's worse than that - if you look into the code in question you'll
> see
>                pr_debug("get_user_pages_fast(produce) failed (retval=%d)",
>                        retval);
>                qp_release_pages(produce_q->kernel_if->u.h.header_page,
>                                 retval, false);
>                err = VMCI_ERROR_NO_MEM;
>                goto out;
> with
> static void qp_release_pages(struct page **pages,
>                             u64 num_pages, bool dirty)
> {
>        int i;
> 
>        for (i = 0; i < num_pages; i++) {
>                if (dirty)
>                        set_page_dirty(pages[i]);
> 
>                put_page(pages[i]);
>                pages[i] = NULL;
>        }
> }
> 
> Now, guess what'll happen if you get there with retval being negative?

Well this ought to be a pretty long loop...

> AFAICS, the right fix is something along the lines of
>        if (retval != produce_q->kernel_if->num_pages) {
>                pr_debug("get_user_pages_fast(produce) failed (retval=%d)",
>                        retval);
>		if (retval > 0)
>			qp_release_pages(produce_q->kernel_if->u.h.header_page,
>					 retval, false);
>                err = VMCI_ERROR_NO_MEM;
>                goto out;
>        }
> and similar for the second caller.  Objections?

No objection from me,

Thanks!

Mathieu


-- 
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com