From: Al Viro <viro@ZenIV.linux.org.uk>
To: Mike Marshall <hubcap@omnibond.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Stephen Rothwell <sfr@canb.auug.org.au>
Subject: Re: Orangefs ABI documentation
Date: Wed, 10 Feb 2016 21:26:03 +0000
Message-ID: <20160210212603.GL17997@ZenIV.linux.org.uk>
In-Reply-To: <20160210164435.GA4950@ZenIV.linux.org.uk>

On Wed, Feb 10, 2016 at 04:44:36PM +0000, Al Viro wrote:
> > That breakage had been introduced between 2.8.5 and 2.8.6 (at some point
> > during the spring of 2012). AFAICS, all versions starting with 2.8.6 are
> > vulnerable...
>
> BTW, what about kill -9 delivered to readdir in progress? There's no
> cancel for those (and AFAICS the daemon will reject cancel on anything
> other than FILE_IO), so what's to stop another thread from picking the
> same readdir slot and getting (daemon-side) two of them spewing into
> the same area of shared memory? Is it simply that daemon-side the shared
> memory on readdir is touched only upon request completion in completely
> serialized process_vfs_requests()? That doesn't seem to be enough -
> suppose the second readdir request completes (daemon-side) first, its results
> get packed into shared memory slot and it is reported to kernel, which
> proceeds to repack and copy that data to userland. In the meanwhile,
> daemon completes the _earlier_ readdir and proceeds to pack its results into
> the same slot of shared memory. Sure, the kernel won't take that (the
> op with the matching tag has been gone already), but the data is stored
> into shared memory *before* writev() on the control device that would pass
> the response to the kernel, so it still gets overwritten. Right under
> decoding readdir()...
>
> Or is there something in the daemon that would guarantee readdir responses
> to happen in the same order in which it had picked the requests? I'm not
> familiar enough with that beast (and overall control flow in there is, er,
> not the most transparent one I've seen), so I might be missing something,
> but I don't see anything obvious that would guarantee such ordering.
>
> Please, clarify.

Two more questions:

* why do we need cancel to be held back while we are going through
  ORANGEFS_DEV_REMOUNT_ALL? IOW, why do we need to take request_mutex for
  them?

* your ->kill_sb() starts with telling daemon that fs is gone,
  then proceeds to evict dentries/inodes. Sure, you don't have page cache
  (or that would've been instantly fatal - dirty pages would need to be
  written out, for one thing), but why do it in this order? IOW, why not
  _start_ with kill_anon_super(), then do the rest of the work?
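
Added example, not part of the message above and not OrangeFS code: a single-threaded replay of the readdir slot-reuse interleaving from the quoted text, showing that dropping the stale response on tag mismatch does not protect the slot's contents. All function names, the one-slot model and the entry strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define SLOT_SIZE 16

/* Constructed model, not OrangeFS code: one shared-memory readdir slot. */
static char slot[SLOT_SIZE];
static int slot_busy;
static unsigned long live_tag;  /* tag the kernel still waits on, 0 = none */

static int kernel_start_readdir(unsigned long tag)
{
    if (slot_busy) return -1;
    slot_busy = 1; live_tag = tag;
    return 0;
}
/* kill -9 on the waiter: no cancel goes to the daemon, the slot is freed. */
static void kernel_abort_readdir(void) { slot_busy = 0; live_tag = 0; }

/* Daemon packs results into the slot first; only then does the response
 * reach the kernel, which accepts it (1) or drops it on tag mismatch (0). */
static int daemon_complete_readdir(unsigned long tag, const char *entries)
{
    strncpy(slot, entries, SLOT_SIZE - 1);  /* last byte of slot stays NUL */
    return tag == live_tag;
}
/* Kernel copies part of the slot towards userland. */
static void kernel_decode(char *dst, size_t off, size_t len) { memcpy(dst + off, slot + off, len); }

/* Replays the interleaving; returns whether the stale response was accepted. */
int replay_race(char out[SLOT_SIZE])
{
    memset(out, 0, SLOT_SIZE);
    kernel_abort_readdir();                      /* start from an idle slot */
    kernel_start_readdir(1);                     /* readdir #1 takes the slot */
    kernel_abort_readdir();                      /* ...and is killed */
    kernel_start_readdir(2);                     /* readdir #2 reuses the slot */
    daemon_complete_readdir(2, "new1new2new3");  /* #2 completes first */
    kernel_decode(out, 0, 4);                    /* decoding of #2 begins */
    int stale_ok = daemon_complete_readdir(1, "OLD1OLD2OLD3");
    kernel_decode(out, 4, 8);                    /* rest is read from stale data */
    return stale_ok;
}

int main(void)
{
    char out[SLOT_SIZE];
    printf("stale accepted: %d, userland saw: %s\n", replay_race(out), out);
    return 0;
}
```

The stale response is rejected, yet the buffer handed to userland mixes entries from both requests, because the rejection happens after the slot has already been rewritten.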