* Re: [REVIEW][PATCH 1/3] vfs: In d_path don't call d_dname on a mount point [not found] ` <20131130170226.GZ10323@ZenIV.linux.org.uk> @ 2013-12-02 5:43 ` NeilBrown 2013-12-02 16:23 ` J.Bruce Fields 0 siblings, 1 reply; 2+ messages in thread From: NeilBrown @ 2013-12-02 5:43 UTC (permalink / raw) To: Al Viro, J.Bruce Fields Cc: Aditya Kali, NFS, Containers, Oleg Nesterov, Andy Lutomirski, Eric Dumazet, linux-fsdevel, Linus Torvalds, Eric W. Biederman [-- Attachment #1.1: Type: text/plain, Size: 1647 bytes --] On Sat, 30 Nov 2013 17:02:26 +0000 Al Viro <viro@ZenIV.linux.org.uk> wrote: > BTW, what happens if svc_export_request() ends up with pathname filling > almost all space left, so that qword_add(bpp, blen, pth) right after the > call of d_path() in there overwrites the beginning of d_path() output? > Neil? And while we are at it, handling of overflow in there looks also > looks fishy... In this case the returned *blen will be negative so cache_request() in net/sunrpc/cache.h will return -EAGAIN. cache_read() would then go into a tight loop, trying again and again to create the request, but it will never fit in the buffer. I guess maybe an EINVAL might help there, plus code to skip over impossible requests. Maybe the following. We'd need to double check that no ->cache_request function can fail in a way that is worth retrying, but I doubt they would. Any thoughts Bruce? Thanks, NeilBrown diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c index a72de074172d..a065f827e2a3 100644 --- a/net/sunrpc/cache.c +++ b/net/sunrpc/cache.c @@ -748,7 +748,7 @@ static int cache_request(struct cache_detail *detail, detail->cache_request(detail, crq->item, &bp, &len); if (len < 0) - return -EAGAIN; + return -EINVAL; return PAGE_SIZE - len; } @@ -788,6 +788,11 @@ static ssize_t cache_read(struct file *filp, char __user *buf, size_t count, if (rq->len == 0) { err = cache_request(cd, rq); + if (err == -EINVAL) { + spin_lock(&queue_lock); + list_move(&rp->q.list, &rq->q.list); + spin_unlock(&queue_lock); + } if (err < 0) goto out; rq->len = err; [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 828 bytes --] [-- Attachment #2: Type: text/plain, Size: 171 bytes --] _______________________________________________ Containers mailing list Containers@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/containers ^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [REVIEW][PATCH 1/3] vfs: In d_path don't call d_dname on a mount point 2013-12-02 5:43 ` [REVIEW][PATCH 1/3] vfs: In d_path don't call d_dname on a mount point NeilBrown @ 2013-12-02 16:23 ` J.Bruce Fields 0 siblings, 0 replies; 2+ messages in thread From: J.Bruce Fields @ 2013-12-02 16:23 UTC (permalink / raw) To: NeilBrown Cc: Al Viro, Eric W. Biederman, Serge E. Hallyn, Gao feng, Containers, linux-fsdevel, Aditya Kali, Oleg Nesterov, Andy Lutomirski, Linus Torvalds, Eric Dumazet, NFS On Mon, Dec 02, 2013 at 04:43:59PM +1100, NeilBrown wrote: > On Sat, 30 Nov 2013 17:02:26 +0000 Al Viro <viro@ZenIV.linux.org.uk> wrote: > > > > BTW, what happens if svc_export_request() ends up with pathname filling > > almost all space left, so that qword_add(bpp, blen, pth) right after the > > call of d_path() in there overwrites the beginning of d_path() output? > > Neil? And while we are at it, handling of overflow in there looks also > > looks fishy... > > In this case the returned *blen will be negative so cache_request() in > net/sunrpc/cache.h will return -EAGAIN. > cache_read() would then go into a tight loop, trying again and again to > create the request, but it will never fit in the buffer. > > I guess maybe an EINVAL might help there, plus code to skip over impossible > requests. > Maybe the following. We'd need to double check that no ->cache_request > function can fail in a way that is worth retrying, but I doubt they would. > > Any thoughts Bruce? Yes, the cache_request failures are all similarly fatal overflows. Uh, not sure if I remember how the data structures here work: so userspace is now going to get an -EINVAL on read, and may just end up retrying the read? Or do we hit the "need to release rq" case in cache_read and just discard the request? --b. > > Thanks, > NeilBrown > > > diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c > index a72de074172d..a065f827e2a3 100644 > --- a/net/sunrpc/cache.c > +++ b/net/sunrpc/cache.c > @@ -748,7 +748,7 @@ static int cache_request(struct cache_detail *detail, > > detail->cache_request(detail, crq->item, &bp, &len); > if (len < 0) > - return -EAGAIN; > + return -EINVAL; > return PAGE_SIZE - len; > } > > @@ -788,6 +788,11 @@ static ssize_t cache_read(struct file *filp, char __user *buf, size_t count, > > if (rq->len == 0) { > err = cache_request(cd, rq); > + if (err == -EINVAL) { > + spin_lock(&queue_lock); > + list_move(&rp->q.list, &rq->q.list); > + spin_unlock(&queue_lock); > + } > if (err < 0) > goto out; > rq->len = err; ^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2013-12-02 16:24 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20131117030653.GA7670@mail.hallyn.com>
[not found] ` <20131118031932.GA17621@mail.hallyn.com>
[not found] ` <52899D09.5080202@cn.fujitsu.com>
[not found] ` <20131118140830.GA22075@mail.hallyn.com>
[not found] ` <20131118180134.GA24156@mail.hallyn.com>
[not found] ` <87k3g5gnuv.fsf@xmission.com>
[not found] ` <20131126181043.GA25492@mail.hallyn.com>
[not found] ` <87siui1z1g.fsf_-_@xmission.com>
[not found] ` <8738mi1yya.fsf_-_@xmission.com>
[not found] ` <20131130061525.GY10323@ZenIV.linux.org.uk>
[not found] ` <20131130170226.GZ10323@ZenIV.linux.org.uk>
2013-12-02 5:43 ` [REVIEW][PATCH 1/3] vfs: In d_path don't call d_dname on a mount point NeilBrown
2013-12-02 16:23 ` J.Bruce Fields
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).